CyberSecurity Newsletter November 25th, 2024
In this week’s news: malicious AI API packages deliver JarkaStealer, Yakuza victim data leaked, over 2,000 Palo Alto Networks devices hacked, Russian hackers breach a US firm over Wi-Fi, five ransomware groups responsible for 40% of attacks, Hot Topic breached, US water systems have multiple significant vulnerabilities, and Microsoft seizes over 240 domains used for phishing.
Two Python packages claiming to integrate with popular chatbots transmit an infostealer to potentially thousands of victims. Publishing open-source packages with malware hidden inside is a popular way to infect application developers and the organizations they work for or serve as customers. In this latest case, the targets were engineers eager to make the most out of OpenAI's ChatGPT and Anthropic's Claude generative artificial intelligence (GenAI) platforms. The packages, claiming to offer application programming interface (API) access to the chatbot functionality, actually deliver an infostealer called "JarkaStealer":
https://www.darkreading.com/application-security/faux-chatgpt-claude-api-packages-jarkastealer
As many as 2,000 Palo Alto Networks devices are estimated to have been compromised as part of a campaign abusing the newly disclosed security flaws that have come under active exploitation in the wild. According to statistics shared by the Shadowserver Foundation, a majority of the infections have been reported in the U.S. (554) and India (461), followed by Thailand (80), Mexico (48), Indonesia (43), Turkey (41), the U.K. (39), Peru (36), and South Africa (35):
https://thehackernews.com/2024/11/warning-over-2000-palo-alto-networks.html
Hot Topic Breach Confirmed, Millions of Credit Cards, Email Addresses Exposed. The stolen database contains 54 million unique email addresses and 'lightly encrypted' credit card information for 25 million users, which can be decrypted, according to Atlas Privacy:
https://www.pcmag.com/news/hot-topic-breach-confirmed-millions-of-credit-cards-email-addresses-exposed
An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system:
https://github.com/horizon3ai/CVE-2024-9465
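The Expedition bug above is a textbook instance of string-built SQL. The following is an added example, not code from Expedition or from the linked research: a lookup that concatenates caller input into the statement, beside the parameterised form that binds the value separately from the SQL text, run against a constructed in-memory SQLite table whose device names, owners and keys are sample data.

```python
"""Added example (not code from Expedition or the linked repository): a
SQL-injection-prone lookup beside its parameterised counterpart, run against a
constructed in-memory SQLite table. All table contents are constructed sample data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed sample table resembling a device inventory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (name TEXT, api_key TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO devices VALUES (?, ?, ?)",
        [
            ("fw-edge-01", "SAMPLE-KEY-0001", "alice"),  # constructed row
            ("fw-core-02", "SAMPLE-KEY-0002", "bob"),    # constructed row
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """Defective pattern: the caller's string becomes part of the SQL text,
    so quote characters in it change the query's logic."""
    sql = f"SELECT name, api_key FROM devices WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, owner: str) -> list:
    """Hardened pattern: the value is bound as a parameter, so the database
    treats it purely as data, never as SQL syntax."""
    sql = "SELECT name, api_key FROM devices WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("hardened, alice:", lookup_hardened(db, "alice"))
    # A quote-bearing value is matched literally and returns nothing.
    print("hardened, odd input:", lookup_hardened(db, "x' OR '1'='1"))
```

The hardened lookup returns exactly the rows whose owner column equals the supplied string; the same input against the concatenating version returns every row, which is the behaviour the advisory describes at the scale of a whole database.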
An authentication bypass in Palo Alto Networks PAN-OS software (CVE-2024-0012) enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities such as CVE-2024-9474 (https://security.paloaltonetworks.com/CVE-2024-9474). The risk of this issue is significantly reduced if access to the management web interface is restricted to trusted internal IP addresses, per Palo Alto Networks' recommended best practice deployment guidelines (https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431). This issue applies only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software. This vulnerability does not impact cloud NGFW and Prisma Access:
https://github.com/watchtowrlabs/palo-alto-panos-cve-2024-0012
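The mitigation in the advisory above is to permit only trusted internal addresses to reach the management interface. The following is an added example, not Palo Alto Networks' code or configuration syntax: it audits a list of permitted source ranges against an organisation's approved management networks and flags any-source entries, ranges outside the approved networks, and unparseable entries. The approved networks and the sample allowlist are constructed; how the permitted-IP list is exported from a given device is left out.

```python
"""Added example, not Palo Alto Networks' code: audit a management-interface
source allowlist against approved internal management networks. The trusted
networks and the sample allowlist below are constructed values."""
import ipaddress

# Networks the organisation treats as trusted management sources (constructed).
TRUSTED_MGMT = [
    ipaddress.ip_network(n) for n in ("10.50.0.0/24", "192.168.200.0/25")
]


def audit_allowlist(entries, trusted=TRUSTED_MGMT):
    """Return (entry, reason) findings for every entry that is not an
    approved internal management source. An empty list means compliant."""
    findings = []
    for raw in entries:
        try:
            # strict=False accepts host addresses such as 10.50.0.17 as /32.
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            findings.append((raw, "unparseable entry"))
            continue
        if net.prefixlen == 0:
            # 0.0.0.0/0 or ::/0 exposes the interface to every source.
            findings.append((raw, "permits any source address"))
            continue
        inside = any(
            t.version == net.version and net.subnet_of(t) for t in trusted
        )
        if not inside:
            findings.append((raw, "outside the approved management networks"))
    return findings


def is_compliant(entries, trusted=TRUSTED_MGMT) -> bool:
    """True when every allowlist entry sits inside an approved network."""
    return not audit_allowlist(entries, trusted)


# Constructed sample allowlist mixing good, broad, stray and malformed entries.
SAMPLE_ALLOWLIST = [
    "10.50.0.17",      # approved host
    "10.50.0.0/24",    # approved network
    "0.0.0.0/0",       # any source: the exposure the advisory warns about
    "172.16.5.0/24",   # private, but not an approved management network
    "not-an-ip",       # malformed entry worth surfacing rather than ignoring
]

if __name__ == "__main__":
    for entry, reason in audit_allowlist(SAMPLE_ALLOWLIST):
        print(f"{entry:16} {reason}")
    print("compliant:", is_compliant(SAMPLE_ALLOWLIST))
```

Treating private-but-unapproved ranges as findings is deliberate: "internal" in the advisory means the networks the firewall administrators actually use, not every RFC 1918 block in the organisation.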
Five ransomware groups, including RansomHub and LockBit 3.0, accounted for 40% of all cyber-attacks in Q3 2024, highlighting the increasing complexity and competition within the ransomware ecosystem, according to research by Corvus Insurance. Overall, Corvus' Q3 2024 Cyber Threat Report, The Ransomware Ecosystem is Increasingly Distributed, noted that the ransomware threat level remained elevated:
https://www.infosecurity-magazine.com/news/five-ransomware-groups-40-of/
The North Korea-linked threat actor known as Sapphire Sleet is estimated to have stolen more than $10 million worth of cryptocurrency as part of social engineering campaigns orchestrated over a six-month period. These findings come from Microsoft, which said that multiple threat activity clusters with ties to the country have been observed creating fake profiles on LinkedIn, posing as both recruiters and job seekers to generate illicit revenue for the sanction-hit nation:
https://thehackernews.com/2024/11/north-korean-hackers-steal-10m-with-ai.html
A new Linux backdoor called 'WolfsBane' has been discovered, believed to be a port of Windows malware used by the Chinese 'Gelsemium' hacking group. ESET security researchers who analyzed WolfsBane report that it is a complete malware tool featuring a dropper, launcher, and backdoor, and that it also uses a modified open-source rootkit to evade detection. The researchers also discovered 'FireWood,' another Linux malware that appears linked to the 'Project Wood' Windows malware:
https://www.bleepingcomputer.com/news/security/chinese-gelsemium-hackers-use-new-wolfsbane-linux-malware/
Despite a spate of recent cyberattacks raising the awareness of water-infrastructure vulnerabilities, nearly 100 large community water systems (CWS) continue to have serious security weaknesses in Internet-facing systems, putting the water supply of almost 27 million Americans at risk:
https://www.darkreading.com/vulnerabilities-threats/leaky-cybersecurity-holes-water-systems-risk
Federal prosecutors have charged five men with running an extensive phishing scheme that allegedly allowed them to compromise hundreds of companies nationwide, gain non-public information, and steal millions of dollars in cryptocurrency. The charges, detailed in court documents unsealed Wednesday, pertain to a crime group security researchers have dubbed Scattered Spider. Members were behind a massive breach on MGM last year that cost the casino and resort company $100 million:
https://arstechnica.com/information-technology/2024/11/prosecutors-charge-5-in-phishing-scams-that-stole-millions-of-dollars/
Russian state hackers APT28 (Fancy Bear/Forest Blizzard/Sofacy) breached a U.S. company through its enterprise Wi-Fi network while thousands of miles away, by leveraging a novel technique called the "nearest neighbor attack." The threat actor pivoted to the target after first compromising an organisation in a nearby building within Wi-Fi range. The attack was discovered on February 4, 2022, when cybersecurity company Volexity detected a server compromise at a customer site in Washington, DC that was doing Ukraine-related work:
https://www.bleepingcomputer.com/news/security/hackers-breach-us-firm-over-wi-fi-from-russia-in-nearest-neighbor-attack/
Government agencies and non-governmental organisations in the United States have become the target of a nascent China state threat actor known as Storm-2077. The adversary, believed to be active since at least January 2024, has also conducted cyber attacks against the Defense Industrial Base (DIB), aviation, telecommunications, and financial and legal services across the world, Microsoft said. The activity cluster, the company added, overlaps with a threat group that Recorded Future's Insikt Group is tracking as TAG-100:
https://thehackernews.com/2024/11/google-exposes-glassbridge-pro-china.html
Japan's web of ruthless Yakuza organised crime syndicates continues to operate, threatening the country's citizens with everything from extortion to gangland murders. Local agencies within communities are set up to help those who get involved with gangsters — but unfortunately, one of them has been hacked, potentially leading to physical safety consequences for the victims:
https://www.darkreading.com/cyberattacks-data-breaches/yakuza-victim-data-leaked-japanese-attack
The new SafePay ransomware gang has claimed responsibility for the attack on UK telematics firm Microlise, giving the company less than 24 hours to pay its extortion demands before leaking data. SafePay claims to have stolen 1.2 TB. Microlise, which offers vehicle tracking services and more to the likes of DHL and Serco – both of which were confirmed as collateral damage in Microlise's incident – told The Register that some of its data was stolen earlier this month:
https://www.theregister.com/2024/11/22/safepay_microlise/
Microsoft is blocking the Windows 11 24H2 update on computers with some Ubisoft games, like Assassin's Creed, Star Wars Outlaws, and Avatar: Frontiers of Pandora, after changes in the operating system caused the games to crash, freeze, or have audio issues:
https://www.bleepingcomputer.com/news/microsoft/microsoft-halts-windows-11-24h2-update-on-pcs-assassins-creed-star-wars-outlaws/
A new malicious campaign is using a legitimate but old and vulnerable Avast Anti-Rootkit driver to evade detection and take control of the target system by disabling security components. The malware that drops the driver is a variant of an AV Killer belonging to no particular family. It comes with a hardcoded list of 142 names of security processes from various vendors:
https://www.bleepingcomputer.com/news/security/hackers-abuse-avast-anti-rootkit-driver-to-disable-defenses/
Microsoft has seized 240 fraudulent websites associated with “do-it-yourself” phishing kits used by cybercriminals globally to break into customer accounts. The action was enabled by a civil court order in the Eastern District of Virginia which allowed the malicious technical infrastructure to be directed to Microsoft. This permanently stops the use of these domains in phishing attacks in the future:
https://www.infosecurity-magazine.com/news/microsoft-seizes-websites-phish/
Microsoft obtained a court order allowing it to seize 240 websites it says are linked to an Egypt-based seller of do-it-yourself phishing kits used to break into the tech giant’s user accounts, the company said Thursday. The kit-maker, Abanoub Nady — known online as MRxC0DER — used the brand name ONNX to sell the services, the trademark name of which is owned by the Linux Foundation:
https://cyberscoop.com/microsoft-seizes-websites-tied-to-egypt-based-diy-phishing-kit-maker/