My current least favorite thing about the churn of social media that I’ve seen over the past week is waves of stories, posts and videos saying that every U.S. citizen’s Social Security number has been stolen or potentially viewed by a threat actor. 

The claim comes from a class action lawsuit filed on Aug. 1 against a data broker called National Public Data, claiming they failed to keep U.S. citizens’ Social Security numbers secure. A threat actor going by USDoD claimed in April that it had accessed a database that included information on every person in the U.S., Canada and the U.K.  

The lawsuit states that a breach at National Public Data resulted in the exposure of more than 3 billion personal records (a number that obviously surpasses the current population of the U.S.), including every Social Security number. That sounds scary, and many people took the statement as fact, running to create warnings that your Social Security number had definitely been breached and you needed to “TAKE ACTION NOW!” 

Except, the claim in the lawsuit is still unsubstantiated. This is not to say there was never a breach or that *some* public records weren’t stolen or accessed, but almost certainly not literally every single Social Security number. 

For starters, I used a tool from security firm Pentester that allows users to search for if their Social Security number, birthday, or other sensitive information may be in the NPD Breach. I searched for everyone in my immediate family, parents, and stepparents, and nothing turned up. I suppose it’s possible that for some reason just my family was exempted from the breach, but that seems unlikely. 

Reporters at TechCrunch have also viewed the allegedly stolen data, and determined much of the information was incomplete or incorrect, though some of it was legitimate. 

It’s not unusual for a threat actor to exaggerate the extent of a hack or breach to drum up interest, and hopefully, the eventual purchase or ransom price. Which is why I’m disappointed that so many people took off and ran with the claim that every American was affected by this breach. 

There are always steps we can be taking to better protect our personal information, so I don’t want to make it seem like we’re all totally safe and to just go about your business as usual. And if you do use the linked tool above and find that your information may be affected by the NPD breach, it could be a good idea to freeze your credit or keep a close eye on your bank account(s).  

But all the LinkedIn posts and viral videos claiming that every American’s had their Social Security number stolen only leads to more FUD. And it plays right into attackers’ hands: By spreading that FUD, it makes users more likely to fall for other scams that are trying to capitalize on the breach by sending phony scams around identity protection or offering new information on the allegedly stolen data.  

The one big thing 

Cisco Talos has uncovered a new remote access trojan (RAT) family we are calling “MoonPeak.” This a XenoRAT-based malware, which is under active development by a North Korean nexus cluster we are calling “UAT-5394.” Our analysis of infrastructure used in the campaign reveals additional links to the UAT-5394 infrastructure and new tactics, techniques and procedures (TTPs) of the threat actor. This cluster of activity has some overlaps in TTPs and infrastructure patterns with the North Korean state-sponsored group “Kimsuky,” however, we do not have substantial technical evidence to link this campaign with the APT. 

Why do I care? 

Either UAT-5394 is actually Kimsuky (or a sub-group within Kimsuky) and they are replacing QuasarRAT with MoonPeak. (We have observed UAT-5394 actively setting up and operating QuasarRAT C2 servers before they eventually adopted the use of XenoRAT and MoonPeak.) Or UAT-5394 is another group within the North Korean APT machinery that borrows their TTPs and infrastructure patterns from Kimsuky. Any actor potentially associated with North Korea is worth watching, as these groups are constantly trying to steal money, intellectual property or data on behalf of the state. So, any new developments in how state-sponsored actors work together is relevant to defenders and users alike. 

So now what? 

Talos released a new Snort rule set that detects the new malware disclosed this week. The timelines of the consistent adoption of new malware and its evolution such as in the case of MoonPeak highlights that UAT-5394 continues to add and enhance more tooling into their arsenal. And the rapid pace of establishing new supporting infrastructure by UAT-5394 indicates that the group is aiming to rapidly proliferate this campaign and set up more drop points and C2 servers, so this is activity we’ll be continuing to monitor and update readers on. 

Top security headlines of the week 

A North Korean state-sponsored actor recently exploited a zero-day vulnerability that Microsoft patched earlier this month. Security researchers say that actors connected to the Lazarus Group, the most prolific and well-known North Korean APT, actively exploited CVE-2024-38193. This is a use-after-free issue in AFD.sys, a binary file in what's essentially the kernel entry point for the Winsock API. The actors then installed the FudModule malware, which was first discovered in 2022. FudModule is more stealthy than other malware, finding additional and new ways to hide from detection. Microsoft disclosed and patched CVE-2024-38193 earlier this month as part of its regular Patch Tuesday update cycle. At the time, it was listed as a zero-day, meaning adversaries had exploited the issue in the wild before a patch was available. This was one of the six zero-days included in Microsoft Patch Tuesday this month. An attacker who exploits the vulnerability could obtain nearly full access to Windows and usually run untrusted code. (Ars Technica, PC World) 

The FBI and other U.S. federal agencies publicly stated that Iran is behind recent cyber attacks targeting both major U.S. presidential campaigns. A public statement warned that state-sponsored actors from Iran were trying to “stoke discord and undermine confidence in our democratic institutions.” Threat actors successfully breached an email account belonging to a staffer on former U.S. President Donald Trump’s campaign and leaked that information, though many major news outlets declined to publish any reports on the information because of the way in which it was obtained. “The [intelligence community] is confident that the Iranians have through social engineering and other efforts sought access to individuals with direct access to the Presidential campaigns of both political parties,” U.S. intelligence officials said in the statement. The presidential campaigns from the Democratic and Republican parties both said they received spear-phishing emails seemingly connected to the efforts. (Associated Press, BBC) 

Nearly all Google Pixel devices since 2017 have been vulnerable to an exploit that exists in an otherwise dormant app. Security researchers disclosed the vulnerability last week in Showcase.apk, a software package that exists on all Pixel phones and can be used to turn the devices into store demos for Verizon. Though details on the exact type of vulnerability are still unclear, a report from iVerify stated that the way the software operates fundamentally changes the way the Android operating system works, leaving Pixel devices susceptible to man-in-the-middle attacks or the installation of spyware. Google has since removed the software package from all devices, as it is no longer in use. A Google representative told Recorded Future that it had not seen any information indicating the software had been exploited, and that the hypothetical exploit requires the attacker to have physical access to the device and knowing the user’s device passcode. The app is not present on the Pixel 9, the newest line of phones Google unveiled this week. (Wired, The Record) 

Can’t get enough Talos? 

• How multiple vulnerabilities in Microsoft apps for macOS pave the way to stealing permissions 
• Talos Takes Ep. #194: A 1-on-1 with Talos VP Matt Watchinski 
• MoonPeak malware from North Korean actors unveils new details on attacker infrastructure 
• Bug Leaves Microsoft Apps for MacOS Open to Silent Takeovers 
• Multiple flaws in Microsoft macOS apps unpatched despite potential risks 
• Multiple Microsoft Apps for macOS Vulnerable to Library Injection Attacks 

Upcoming events where you can find Talos 

BSides Krakow (Sept. 14)  

Krakow, Poland 

LABScon (Sept. 18 - 21) 

Scottsdale, Arizona

VB2024 (Oct. 2 - 4)

Dublin, Ireland

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: 70ff63cd695033f624a456a5c8511ce8312cffd8ac40492ffe5dc7ae18548668
MD5: 49d35332a1c6fefae1d31a581a66ab46
Typical Filename: 49d35332a1c6fefae1d31a581a66ab46.virus
Claimed Product: N/A
Detection Name: W32.Auto:70ff63.in03.Talos

SHA 256: db697b450d015ee948bb50d895acca3e27058b6d546d93212791b9f5ff31c0a3
MD5: 391b3770ab60f9e535fbf3db70c89b04
Typical Filename: vt-upload-o0OJb
Claimed Product: N/A
Detection Name: W32.Auto.db697b.181952.in01

SHA 256: a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0
MD5: b4440eea7367c3fb04a89225df4022a6
Typical Filename: Pdfixers.exe
Claimed Product: Pdfixers
Detection Name: W32.Superfluss:PUPgenPUP.27gq.1201

SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
MD5: 8c69830a50fb85d8a794fa46643493b2
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Generic::1201

SHA 256: 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d
MD5: fd743b55d530e0468805de0e83758fe9
Typical Filename: KMSAuto Net.exe
Claimed Product: KMSAuto Net
Detection Name: W32.File.MalParent