Daily Brief


Total articles found: 11822

2024-05-29 17:27:27 thehackernews MALWARE Malicious Python Package Discovered on PyPI Steals Cryptocurrency
Cybersecurity experts uncovered a malicious Python package called pytoileur on the Python Package Index (PyPI), designed to steal cryptocurrency. The malicious package was downloaded 316 times and camouflages its malevolent activities within legitimate-looking functionality. PyPI had previously removed an older version of the package, but a new version was uploaded by the same author, PhilipsPY, with identical harmful capabilities. The package executes a Base64-encoded payload that retrieves a Windows binary, which then installs spyware and data stealer malware affecting web browsers and crypto services. An associated StackOverflow account "EstAYA G" was identified directing users to install the rogue package, potentially linking to the same threat actor. The abuse of such credible platforms like StackOverflow for distributing malware highlights significant risks for developers, especially novices. Similarities in package metadata and authorship link this campaign to previous malicious endeavors involving fake Python packages. Open-source ecosystems are pointed out as significant targets for cybercriminals attempting supply chain attacks via information-stealing malware.
2024-05-29 17:17:01 bleepingcomputer CYBERCRIME U.S. Authorities Dismantle Massive 911 S5 Botnet and Arrest Key Operator
The U.S. Justice Department, with international collaboration, has dismantled the 911 S5 proxy botnet and arrested its Chinese national administrator, YunHe Wang. Wang, alongside accomplices, operated malicious VPN apps used to infect millions of global Windows computers, integrating them into the botnet since 2011. The botnet, linked to over 19 million unique IP addresses, enabled cybercrimes including bomb threats, child exploitation, and substantial financial fraud. Researchers identified that the botnet was promoted through free VPN offers that installed proxy malware on users’ devices. Wang reportedly earned around $99 million from selling access to these IP addresses for illicit activities. The 911 S5 botnet was temporarily disrupted in mid-2022 due to a security breach but resurfaced later as "CloudRouter". The U.S. Treasury has sanctioned Wang and his associates, seizing assets like luxury cars, properties, and over 20 domains. Wang faces up to 65 years in prison if convicted on charges including computer and wire fraud, and money laundering.
2024-05-29 15:50:16 bleepingcomputer CYBERCRIME Okta Identifies Credential Stuffing Attacks Targeting CORS Feature
Okta has issued a warning about credential stuffing attacks on its Customer Identity Cloud (CIC) feature since April. The attacks specifically target the Cross-Origin Resource Sharing (CORS) feature used in Okta’s identity management services. Threat actors use stolen usernames and passwords to access accounts through this weakness. Okta advises customers to disable unnecessary CORS URLs and proactively monitor log files for suspicious 'fcoa', 'scoa', and 'pwd_leak' events. If such events appear, particularly in tenants where cross-origin authentication is not in use, it may indicate that the system is being targeted. The company has reached out to affected customers with specific guidance on how to secure their systems against such attacks. This notice comes amidst a series of warnings about increased credential stuffing activity linked to the same actors targeting other major tech companies.
2024-05-29 15:29:41 thehackernews CYBERCRIME Check Point Discovers Zero-Day Vulnerability in VPN Gateways
Check Point has issued a warning regarding a zero-day vulnerability found in several of its Network Security gateway products. The identified vulnerability, tracked as CVE-2024-24919, affects CloudGuard Network, Quantum Maestro, and other related appliances, making them susceptible to unauthorized data access. Threat actors have exploited this vulnerability to target enterprise networks through VPN devices, primarily focusing on remote access exploitation. Check Point has traced recent security breaches back to exploitation attempts against outdated and insecure VPN accounts. Hotfixes for this high-severity vulnerability have been released for affected models to mitigate potential threats. This incident follows a broader trend of attacks aimed at network perimeter devices similar to those experienced by other major cybersecurity firms like Cisco and Fortinet. Check Point emphasized that attackers are leveraging such vulnerabilities to gain persistent access to enterprise networks and advised urgent updates to secure remote access points.
2024-05-29 15:04:03 thehackernews MALWARE Brazilian Banks Hit by Advanced AllaSenha Malware Campaign
A new variant of AllaKore RAT, dubbed AllaSenha, is targeting Brazilian banks, focusing on stealing banking credentials. The malware uses Azure cloud as its command-and-control (C2) infrastructure, affecting major banks like Banco do Brasil and Itaú Unibanco. Initial infection is suspected to start from phishing emails with malicious links, leading to the download of a deceptive LNK file posing as a PDF. The LNK file executes a BAT payload and a series of complex actions involving Python scripts and DLLs to deploy the AllaSenha malware. AllaSenha exploits legitimate processes and overlays to capture two-factor authentication codes and execute unauthorized transactions. Analysis links the malware to a Portuguese-speaking developer, hinting at sophisticated, localized cybercriminal efforts in Latin America. The campaign highlights a broader trend of cybercrime focusing on financial theft in Latin America, impacting global entities through local operations.
2024-05-29 13:36:34 bleepingcomputer CYBERCRIME Emergency VPN Patch Released After Zero-Day Exploitation
Check Point issued emergency hotfixes due to a zero-day vulnerability in its VPN software that allowed attackers remote access to firewalls and corporate networks. The vulnerability, tracked as CVE-2024-24919, was identified as a high-severity issue enabling unauthorized reading of information on certain Check Point Security Gateways. Affected products include several versions of CloudGuard Network, Quantum Security Gateways, and other related appliances. Following the initial warning about increased attacks targeting VPN devices, the precise cause was pinpointed and addressed with the release of security updates. Updates are available through the Security Gateway portal, requiring about 10 minutes to install with a necessary reboot, improving defense against weak authentication attempts. Check Point also provided a remote access validation script and instructions for updating AD passwords to enhance security for those unable to immediately apply the hotfixes. Additionally, manual downloads and installations are required for end-of-life product versions, with comprehensive guidance available on Check Point’s FAQ page.
2024-05-29 13:05:46 theregister CYBERCRIME North Korea's "Moonstone Sleet" Cyber Group Ramps Up Global Attacks
A North Korea-linked cybercrime group, identified as "Moonstone Sleet" by Microsoft, has been active since August 2023, employing sophisticated methods to launch malware and ransomware attacks. The group uses trojanized versions of commonly used applications like PuTTY and SumatraPDF, distributed through platforms such as LinkedIn, Telegram, and freelancing websites, to infiltrate targets and lay groundwork for further attacks. Moonstone Sleet has developed a new ransomware called FakePenny, demanding ransoms as high as $6.6 million, a significant increase from previous North Korean ransom demands. The group has targeted various sectors, including defense technology companies, stealing credentials and intellectual property before deploying ransomware to encrypt files and extract hefty ransoms. Tactics include creating fake companies and applying for legitimate software development positions to establish initial footholds in organizations, focusing especially on firms in the software development and higher education sectors. Microsoft's report highlights the evolving tactics of North Korean cyber actors like Moonstone Sleet, shifting from previous activities to more diversified and financially driven cyber operations. The use of remote IT workers by North Korea to infiltrate and carry out jobs in the US and other Western countries has been part of a broader strategy to bypass international sanctions and generate revenue for the nation's military objectives. Microsoft also uncovered a linked campaign involving a deceptive video game developed by Moonstone Sleet, used as a lure to engage potential targets in conversations about investment and development.
2024-05-29 11:54:08 thehackernews CYBERCRIME U.S. Sentences Man for $4.5M Laundering in Email Scams
The U.S. Department of Justice sentenced 31-year-old Malachi Mullings of Georgia to 10 years in prison for laundering over $4.5 million. Mullings was involved in business email compromise (BEC) and romance scams, deceitfully obtaining money from enterprises and elderly individuals. He used a fictitious company, The Mullings Group LLC, to open 20 bank accounts for funneling the illicit funds. The criminal activities spanned from at least 2019 to July 2021, targeting a healthcare benefit program and private companies. Mullings and his cohorts used the laundered money to purchase luxury goods, including a Ferrari bought with proceeds from a romance scam. In a related note, a Russian citizen, Evgeniy Doroshenko, was indicted in the U.S. for selling initial access to hacked corporate networks on cybercrime forums. Doroshenko remains at large, with charges against him carrying a potential 25-year prison sentence and significant fines.
2024-05-29 11:38:36 thehackernews DATA BREACH Critical Offboarding Flaws Pose Widespread Data Breach Risks
A Wing Security study highlights that 63% of businesses risk data breaches through inadequate offboarding procedures that leave former employees with access. Key consequences of improper offboarding include insider threats, intellectual property theft, legal consequences, and significant financial impact. Amidst tech industry mass layoffs, rapid offboarding processes often fail, complicating the removal of access to an average of 29 SaaS applications per employee. Compliance violations are a significant concern; improper practices may lead to fines and reputational damage, particularly under stringent industry regulations. Automation in SaaS Security Posture Management (SSPM) is advocated as an effective solution to ensure comprehensive and timely revocation of access rights. Continual monitoring and automation can drastically reduce the administrative burden and mitigate the risks associated with manual offboarding errors. Case examples include a former mobile payment company employee who potentially compromised 8 million users' data, highlighting the severe outcomes of inadequate processes.
2024-05-29 10:42:17 thehackernews NATION STATE ACTIVITY Microsoft Exposes Moonstone Sleet, a New North Korean Cyber Group
Microsoft has identified a new North Korean hacker group named Moonstone Sleet, involved in cyberattacks across various sectors including software, education, and defense. Moonstone Sleet utilizes tactics like setting up fake companies and opportunities, using trojanized legitimate tools, and deploying a unique form of ransomware. The group shows operational similarities to the notorious Lazarus Group but has established its identity with distinct infrastructure and cyber tactics. Their methods include embedding malware within Python packages, using modified versions of PuTTY, and deploying malicious npm packages through fake job postings. Recent operations have involved a deceptive game called DeTankWar, distributed via email to mask malware propagation activities. Moonstone Sleet also impersonates legitimate blockchain companies and software development firms to entrap targets. One of their ransomware campaigns targeted a defense company, resulting in a $6.6 million ransom demand in Bitcoin. Microsoft's revelation about Moonstone Sleet aligns with broader concerns about North Korean groups targeting international technology and infrastructure for financial and strategic gains.
2024-05-29 07:18:28 thehackernews DATA BREACH BreachForums Returns With Massive Ticketmaster Data Sale
BreachForums, a notorious online marketplace, has resurfaced two weeks after a major FBI-led seizure of its domains and infrastructure. A user named ShinyHunters has listed for sale a 1.3 TB database on the new site, claiming it contains personal data of 560 million Ticketmaster customers. The data for sale reportedly includes customers' full names, addresses, emails, phone numbers, ticket sales, event information, and partial credit card details. Following the seizure, new accounts are now required to access content on the site, raising suspicion among cybersecurity experts about a possible honeypot operation. The individual(s) behind the ShinyHunters persona may not be the original hacker known by that name, and their acquisition of the domain post-seizure remains uncertain. The FBI is currently reviewing the site’s backend data following the operation; the outcomes and implications of this investigation are still pending. The reestablishment of BreachForums raises concerns about the ongoing challenges in permanently dismantling cybercriminal networks.
2024-05-28 22:24:21 theregister DATA BREACH Sav-Rx Data Breach Exposes 2.8 Million Personal Records
Sav-Rx, a prescription drug management service, detected an IT network intrusion on October 8, which likely began on October 3. The breach impacted 2.8 million individuals, compromising names, birth dates, Social Security numbers, and other sensitive data. Sav-Rx restored IT systems by the next business day, maintaining prescription shipment schedules. Extensive third-party security reviews concluded on April 30, revealing that personal data had been accessed or acquired. Affected parties were notified months after the initial discovery, following comprehensive investigations and regulatory discussions. Sav-Rx confirmed that exposed data was "destroyed" and not misused, providing two years of free credit and identity monitoring to victims. Enhanced security measures were implemented post-breach, including better firewalls, antivirus, and multi-factor authentication. Delays and management decisions during the breach notification process have drawn criticism regarding the timeliness and transparency of the response.
2024-05-28 22:24:20 bleepingcomputer DATA BREACH First American Financial Hit by Data Breach Affecting 44,000
First American Financial Corporation experienced a cyberattack in December, which was disclosed publicly five months later, affecting 44,000 individuals. The breach was identified through an investigation triggered by abnormal activity, leading the company to take various systems offline to contain the incident. Compromised data includes sensitive personal information, though specific details of the accessed data have not been detailed publicly. First American, a major player in the U.S. title insurance market, grappled with this cybersecurity issue just a month after settling with New York State for a prior data breach by paying a $1 million penalty. As a response to the breach, the company is offering credit monitoring and identity protection services at no cost to potentially affected individuals. The incident has raised concerns about the robustness of First American's cybersecurity measures, especially since it involves large volumes of sensitive financial data. Concurrently, another title insurance provider, Fidelity National Financial, also experienced a significant cybersecurity incident around the same time, highlighting broader industry vulnerabilities.
2024-05-28 21:48:34 bleepingcomputer MALWARE Over 90 Malicious Apps on Google Play Infect Millions
Over 90 malicious Android apps were found on Google Play, collectively downloaded more than 5.5 million times. Anatsa, a banking trojan also known as Teabot, has been actively targeting financial applications across Europe, the US, the UK, and Asia, aiming to steal banking credentials. Recently, Anatsa had been distributed through two decoy apps, "PDF Reader & File Manager" and "QR Reader & File Manager," accounting for 70,000 installations. Anatsa uses a sophisticated multi-stage payload loading mechanism to evade detection, which includes anti-analysis checks. Google Play's review mechanisms were bypassed, exposing a significant risk from malicious dropper apps that install malware on devices. Five main malware families identified include Joker, Facestealer, Anatsa, Coper, and a variety of adware, with Anatsa and Coper posing more severe risks due to their capabilities in committing on-device fraud and data theft. The two specific Anatsa dropper apps recently discovered by Zscaler have been removed from Google Play following its investigation.
2024-05-28 21:02:27 bleepingcomputer CYBERCRIME U.S. Sanctions Chinese-Linked Cybercrime Gang Behind 911 S5 Botnet
The U.S. Treasury has imposed sanctions on three Chinese nationals and three Thailand-based companies for operating the 911 S5 botnet, a massive proxy network. The 911 S5 service initially attracted users with free VPN offers, which installed malware turning their devices into botnet nodes. At its peak, the botnet controlled about 120,000 residential proxies worldwide, facilitating cybercrimes by masking illegal activities behind victims' IP addresses. The botnet was temporarily disrupted in 2022 but resurfaced as "CloudRouter" following a security breach that briefly dismantled its infrastructure. The botnet compromised around 19 million IP addresses used in large-scale fraud, including false applications for U.S. COVID-19 relief funds, resulting in billions in losses. Additionally, compromised IPs from the botnet were utilized to issue bomb threats across the U.S. in July 2022. The sanctioned individuals facilitated the operations and financial transactions of the botnet, significantly contributing to various cyber-enabled crimes. The sanctions prohibit any transactions with the designated parties by U.S. persons and lock any U.S.-based assets, increasing isolation and hindering their operations.