Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11809
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-03-29 05:45:51 | thehackernews | MALWARE | PyPI Responds to Malicious Typosquatting Campaign with Temporary Sign-Up Halt | PyPI temporarily suspended new user sign-ups due to a surge of malicious package uploads in a typosquatting attack. Over 500 deceptive packages targeted popular libraries, aiming to distribute malware to developers. The malware stole cryptocurrency wallets, browser data, and credentials, and implemented persistence mechanisms. Checkmarx, Mend.io, and Phylum independently reported on the software supply chain threat involving typosquatted versions of legitimate packages. The attackers automated the upload process and disguised each package under different user accounts, complicating identification efforts. Malicious payloads only activated on Windows systems and aimed to achieve long-term access with persistence techniques. This incident underscores the increasing risks associated with software supply chain security and the importance of diligent third-party component scrutiny by developers. This marks the second time PyPI has suspended new registrations due to malicious activity, with prior incidents occurring in May 2023 and December 2023. | Details |
| 2024-03-28 21:06:17 | bleepingcomputer | CYBERCRIME | Linux 'Wall' Command Vulnerability Enables Password Theft | A vulnerability in the wall command of Linux systems could be exploited to deceive users into revealing their administrator passwords. Tagged CVE-2024-28085 and named WallEscape, the issue has existed in the util-linux package for over a decade. The vulnerability relies on improper filtering of escape sequences, allowing the creation of fake SUDO prompts. Attack scenarios focus on environments where multiple Linux users are logged in simultaneously, such as educational institutions. Exploitation depends on conditions: the 'mesg' utility must be active and wall must carry setgid permissions, as on Ubuntu 22.04 and Debian 12.5. Proof-of-Concept (PoC) code has been released, demonstrating the potential for fake prompts and clipboard manipulation. Mitigation includes updating util-linux to version 2.40 or removing setgid permissions from the wall command. Attack risk is limited because local system access is required; the issue affects multi-user Linux systems within organizations. | Details |
| 2024-03-28 19:09:00 | bleepingcomputer | CYBERCRIME | Hot Topic Suffers Customer Data Exposure from Credential Stuffing | American retailer Hot Topic was targeted by credential stuffing attacks in November, compromising customer personal and partial payment information. The company, which operates over 630 stores, faced two significant waves of automated login attempts using stolen credentials. Cybercriminals employed username and password pairs from an unknown third-party source to access Hot Topic Rewards accounts. The compromised data includes names, email addresses, phone numbers, birthdates, mailing addresses, and the last four digits of payment card numbers. Hot Topic's investigation could not conclusively determine which accounts were accessed by unauthorized parties during the attacks. In response to the attacks, the company has implemented bot protection software and required affected customers to reset their passwords. Prior to these incidents, Hot Topic had experienced five other credential stuffing attacks throughout the previous year. | Details |
| 2024-03-28 18:07:36 | bleepingcomputer | MALWARE | PyPI Halts Registrations to Counter Malware Campaign | The Python Package Index (PyPI) has temporarily stopped new user registrations and project creation due to a malware campaign. Threat actors uploaded around 365 malicious packages disguised as legitimate ones, targeting developers and enabling potential supply-chain attacks. The malware present in the 'setup.py' file of these packages executes upon installation and tries to download additional malicious payloads from a remote server. The info-stealer malware seeks to extract sensitive data such as login credentials, cookies, and cryptocurrency wallet information from web browsers. Check Point Research identified over 500 malicious packages and noted that each was uploaded from a unique maintainer account, suggesting the use of automation in the attack. PyPI had previously taken similar action on May 20 of last year to prevent the proliferation of malicious packages in the repository. This incident highlights the serious risks associated with open-source repositories and the necessity for developers and maintainers to thoroughly check the security of components in their projects. | Details |
| 2024-03-28 18:01:48 | theregister | CYBERCRIME | Sam Bankman-Fried Sentenced to 25 Years for FTX Fraud | Sam Bankman-Fried, former CEO of FTX, has been sentenced to 25 years in prison. Convicted of fraud and money laundering, he faced a possible 110 years, while prosecutors sought 40-50 years. FTX, once a top crypto exchange, misused customer funds, leaving an $8 billion deficit when it collapsed. Despite SBF's claims of solvency, FTX's current CEO states that customers will not fully recover their funds. Judge Kaplan rejected defense arguments because full restitution for victims remains speculative. SBF was found to have committed perjury and witness tampering, with Judge Kaplan criticizing his misleading testimony. The court declined to order restitution due to the case's complexity, opting for the U.S. to compensate victims with forfeited assets. Given SBF's notoriety and vulnerabilities, including autism, the judge recommended a medium-security facility near San Francisco. | Details |
| 2024-03-28 17:29:21 | theregister | CYBERCRIME | JetBrains Declines Disclosure of 26 Patched Security Issues | JetBrains TeamCity recently fixed 26 security issues, but the company has refrained from releasing any details about the vulnerabilities. The reluctance to share vulnerability specifics follows a dispute with Rapid7, which had published exploitation details of earlier patched vulnerabilities, leading to real-world attacks. The release notes for TeamCity version 2024.03 lack the usual information such as CVE IDs, severity ratings, and descriptions, which is atypical for security advisories. Elliot Wilkes, CTO at Advanced Cyber Defence Systems, suggests JetBrains' opaque approach might be due to the recent ransomware exploits and an obligation not to disclose during ongoing response operations. TeamCity has introduced semi-automatic download of critical security updates for on-premise users, paralleling the automatic updates available for cloud users. With TeamCity managing CI/CD pipelines, improving its security is critical to preventing supply chain attacks, an increasingly common and devastating form of cybercrime as evidenced by incidents like SolarWinds, MOVEit MFT, and 3CX. | Details |
| 2024-03-28 17:07:19 | thehackernews | MALWARE | Multi-Platform DinodasRAT Malware Targets Global Linux Systems | Kaspersky has detected a Linux variant of DinodasRAT targeting entities in China, Taiwan, Turkey, and Uzbekistan. Originally known as XDealer, this C++ malware harvests sensitive data from compromised systems. A Windows version of DinodasRAT was used in an espionage campaign against a Guyanese government entity. Earth Krahang, a group linked to China, has incorporated DinodasRAT in recent government-targeted attacks. The malware maintains persistence using startup scripts and communicates with C2 servers for commands. DinodasRAT can manage files, alter processes, execute shell commands, and self-update or uninstall. The malware evades detection tools and encrypts its communications with the Tiny Encryption Algorithm (TEA). DinodasRAT is primarily used for sustained access to Linux servers, enabling expansive control for data theft and espionage. | Details |
| 2024-03-28 16:56:27 | thehackernews | NATION STATE ACTIVITY | Finland Accuses Chinese APT31 of 2020 Parliament Cyberattack | Finnish police have attributed the 2020 cyberattack on the Parliament to the Chinese hacking group APT31. The ongoing investigation is complex due to the sophisticated criminal infrastructure employed. The breach occurred between fall 2020 and early 2021 and is believed to have been a cyber espionage operation. APT31 is a state-backed entity active since 2010, also known under several other names. The U.S. and U.K. have recently charged seven APT31 operatives, imposing sanctions and highlighting their cyber espionage campaigns. The U.S. previously condemned APT31 for exploiting Microsoft Exchange servers; China denies this and accuses the Five Eyes alliance of spreading disinformation. Chinese officials call for an end to the politicization of cybersecurity and denounce what they call unfounded accusations while vowing to protect national interests. | Details |
| 2024-03-28 16:40:28 | bleepingcomputer | CYBERCRIME | Cisco Highlights VPN Password-Spraying Attacks Linked to 'Brutus' Botnet | Cisco issued an alert on password-spraying attacks aimed at Remote Access VPN (RAVPN) services on its Secure Firewall devices. Password spraying tries the same password against many user accounts in a series of unauthorized login attempts. Indicators of Compromise (IoCs) and mitigation steps have been provided by Cisco to help organizations recognize and defend against these incidents. Security researcher Aaron Martin associates these attacks with the 'Brutus' malware botnet, which involves 20,000 IP addresses across various global infrastructures. The botnet has targeted VPN appliances from multiple vendors and has expanded to web apps using Active Directory, using rotating IPs and specific usernames not found in public data breaches. There is concern over how the attackers obtained the usernames, suggesting a potential undisclosed breach or zero-day exploit. Some IP addresses linked to the Brutus botnet's activities have past associations with APT29, a Russian-linked espionage group. | Details |
| 2024-03-28 15:37:18 | theregister | CYBERCRIME | Nvidia ChatRTX AI Bot Receives Critical Security Vulnerability Patches | Nvidia's ChatRTX AI application received updates to patch two serious security vulnerabilities. The flaws, identified as CVE-2024-0082 and CVE-2024-0083, allowed for privilege escalation and remote code execution. These vulnerabilities affected all versions of ChatRTX up to version 0.2, which runs on local Nvidia GPU hardware. CVE-2024-0083, with a medium severity rating, could lead to denial of service attacks, data theft, and RCE. CVE-2024-0082, considered a high-level threat, enabled data theft, data tampering, and privilege escalation. Although these issues are serious, no known exploitation has been reported as of yet. Users are advised to update their ChatRTX app to version 0.2, with Nvidia noting a confusing overlap in version numbers between the affected and updated versions. To ensure safety, a full reinstallation of ChatRTX might be recommended because of this version number confusion. | Details |
| 2024-03-28 14:47:11 | thehackernews | CYBERCRIME | Sophisticated Darcula Phishing Network Targets Global Postal Services | A Phishing-as-a-Service (PhaaS) network named Darcula is exploiting over 20,000 fake domains to conduct large-scale attacks in 100+ countries. Darcula evades SMS firewalls by utilizing iMessage and RCS, effectively targeting established postal services, including the USPS, and other organizations. The service is advertised on Telegram with about 200 customizable templates that mimic legitimate brands, aiding cybercriminals in setting up convincing fake sites. The phishing sites, registered under domains resembling the spoofed brands, implement advanced features and anti-detection techniques to resist takedown efforts. Smishing messages often prompt victims to respond, enabling links to become clickable in iMessage, which avoids Apple's safety measures against unknown senders. Google recently tightened RCS security by prohibiting its use on rooted Android devices as a countermeasure against spam and abuse. The article notes a concerning trend of phishing attacks exploiting Apple's password reset feature and the abuse of eSIM transfers to hijack online services. The broader implication is the lowering of entry barriers for cybercriminals, allowing even those with limited skills to carry out sophisticated attacks. | Details |
| 2024-03-28 14:05:55 | bleepingcomputer | MISCELLANEOUS | How PTaaS Can Optimize Security and Cut Costs | Traditional penetration testing (pen testing) may introduce risks and increase costs due to its inability to keep up with rapid development cycles. Penetration Testing as a Service (PTaaS) offers a semi-automated, continuous monitoring solution that aligns with agile DevOps practices. PTaaS enhances cybersecurity by combining dynamic application security testing (DAST) with the expertise of ethical hackers. Hidden costs of classic pen testing, when factoring in team time and resources, can significantly exceed the initial quote, potentially doubling the expense. PTaaS delivers cost savings by reducing false positives, requiring less time for set-up, offering on-demand real-time testing, and eliminating delays in vulnerability remediation. Regular pen testing often leads to a one-time security snapshot, whereas PTaaS allows for continuous security validation and improvements, with better insights into security posture. By enabling better collaboration between DevOps and SecOps teams, PTaaS improves return on investment (ROI) and strengthens application and data security. Outpost24 promotes its PTaaS solution as a means to protect an organization's applications and data in real-time while controlling costs and enhancing security collaboration. | Details |
| 2024-03-28 13:34:58 | theregister | CYBERCRIME | U.S. Proposes Cyber Incident Reporting Requirements for Critical Infrastructure | The U.S. is close to implementing new cyberattack reporting rules for critical infrastructure operators under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Critical infrastructure sectors must report substantial cyber incidents within 72 hours and ransom payments within 24 hours to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The reporting is designed to help rapidly deploy resources to victims, analyze cross-sector trends, and share information to improve defenses. Reports will be anonymized before sharing with industry sectors to protect privacy and encourage compliance. Small businesses recognized by the Small Business Administration may be exempt from the reporting requirements. A new website for reporting cyber incidents is being set up by CISA, with final rules and detailed guidelines forthcoming. Industry concerns include the potential strain on resources and the complexity of complying with the new cybersecurity reporting requirements. CISA's final rule is expected to be published within 18 months after the close of the 60-day public comment period starting April 4, with the intent to enhance national cybersecurity defenses. | Details |
| 2024-03-28 12:53:23 | thehackernews | MISCELLANEOUS | Enhancing Organizational Web Application Security with OPSWAT and F5 | Cybersecurity is an ever-evolving field; organizations must constantly update their defenses against sophisticated threats. Threat actors are finding innovative ways to exploit vulnerabilities and bypass both traditional and advanced cyber defenses. The upcoming webinar aims to address application security blind spots and presents best practices for more robust security postures. Industry experts will discuss continuous monitoring, multi-engine malware scanning, file disarming, defense-in-depth strategies, and threat intelligence. The webinar will feature insights from Buu Lam of F5 DevCentral, George Prichici and Adam Rocker of OPSWAT, moderated by James Azar, CISO & Moderator for THN. Despite the prevalence of cyber threats, a significant number of companies do not perform comprehensive malware scans or disarm files to remove threats. The event encourages registration for actionable strategies to fortify web application security and adapt to the threat landscape in 2024. | Details |
| 2024-03-28 11:46:47 | theregister | CYBERCRIME | Canonical Toughens App Review After Crypto Scam Incidents | Canonical, the parent company of Ubuntu, has tightened app submission reviews on the Snap Store following a surge in fraudulent crypto-wallet apps. Snap name registrations will now undergo manual review, a temporary policy shift to combat the recent influx of malicious activities. A fake "Exodus" wallet app scam resulted in a user losing nine Bitcoins, approximately $490,000 in value, highlighting the severity of the issue. Continuous efforts by scam publishers have led to multiple fake wallets appearing on the Snap Store, with new fake accounts emerging even after removal of earlier ones. Despite being confined within a sandbox, fraudulent apps deceive users by presenting a legitimate appearance and using social engineering to obtain user credentials. Canonical's policy changes are in line with similar updates by Flathub and are part of ongoing efforts to address security risks posed by deceptive cryptocurrency apps. In addition to security actions, Canonical has extended the support period for Ubuntu Pro users, providing critical security updates for up to 12 years for certain releases. | Details |