👉 What’s going on in the cyber world today?

Malicious PyPI Package, Fabrice, AWS, Credentials, Winos 4.0, Malware, Gamers, Optimization Apps, SteelFox, Rhadamanthys, Copyright Scams, Driver Flaws, Cisco, Ultra-Reliable Wireless Backhaul, Patch, HPE, Aruba Access Points, Remote Code Execution, South Korea, Defense Ministry, DDoS, Nokia, Vendor, Breach, Code Theft, Ransomware, Mexico, Grupo Aeroportuario del Centro Norte, Brazil, Lojas Marisa, Disruption, Phoenix Footwear, Breach, Canada, TikTok, National Security, Australia, Department of Home Affairs, Security Memorandum, UK, National Cyber Security Centre, Malvertising, Cyber Risk Assessment, Europe, CrowdStrike, Adaptive Shield, Identity Protection.

Listen to the full podcast

🚨 Cyber Alerts

1. Malicious PyPI Package Steals AWS Keys

A malicious package named “fabrice” has been discovered on the Python Package Index (PyPI), where it has been stealthily exfiltrating AWS credentials from thousands of developers for over three years. The package, which typosquats the popular “fabric” library, has been downloaded over 37,100 times since its publication in March 2021. Designed to exploit the trust in the legitimate fabric library, “fabrice” deploys payloads that steal AWS access keys and create backdoors, based on the operating system it’s installed on.

2. Winos 4.0 Malware Targets Gamers via Apps

Winos 4.0, a sophisticated malware framework, is being distributed through game-related applications, such as installation tools, speed boosters, and optimization utilities. This malware, rebuilt from the Gh0st RAT framework, uses a multi-stage infection process to target users, particularly Chinese-speaking gamers, and establish control over compromised systems. Upon executing a malicious game optimization app, users unknowingly download a series of payloads, which set up a command-and-control (C&C) connection to enable further exploitation.

3. SteelFox & Rhadamanthys Use Copyright Scams

A sophisticated phishing campaign dubbed CopyRh(ight)adamantys has been exploiting copyright infringement scams to spread Rhadamanthys malware across multiple regions since July 2024. Check Point researchers reveal that cybercriminals behind the campaign impersonate prominent companies in the entertainment, media, and tech sectors to send tailored emails accusing recipients of copyright violations. These emails include links to password-protected archives, which contain a legitimate but vulnerable executable that loads the Rhadamanthys information stealer via DLL sideloading.

4. Cisco Patches Critical URWB Vulnerability

Cisco has released a security patch to address a critical vulnerability in its Ultra-Reliable Wireless Backhaul (URWB) Access Points, tracked as CVE-2024–20418. This flaw, with a severity score of 10.0, stems from a lack of input validation in the web-based management interface of the Cisco Unified Industrial Wireless Software. The vulnerability could allow unauthenticated remote attackers to execute arbitrary commands with root privileges on affected devices. Specifically, this affects the Catalyst IW9165D, IW9165E, and IW9167E Access Points and Wireless Clients operating in URWB mode.

5. Flaws in HPE Aruba Access Points Allows RCE

Multiple critical vulnerabilities have been discovered in HPE Aruba Access Points, affecting both Instant AOS-8 and AOS-10 versions. These vulnerabilities, including unauthenticated command injections and remote code execution flaws, allow attackers to gain unauthorized access and execute arbitrary commands on affected systems. CVE-2024–42509 and CVE-2024–47460, both command injection flaws, enable unauthenticated attackers to exploit the access points and gain privileged access, while other vulnerabilities like CVE-2024–47461 and CVE-2024–47462 require authentication but can still lead to full system compromise.

💥 Cyber Incidents

6. South Korean Defense Ministry Hit by DDoS

On November 5, 2024, the South Korean Defense Ministry’s website was targeted by a distributed denial-of-service (DDoS) attack, causing significant outages. The following day, the website of the South Korean Joint Chiefs of Staff (JCS) also experienced issues, leading to an investigation by Cyber Operations Command and other agencies into the potential for another DDoS attack.

7. Nokia Investigates Third-Party Vendor Breach

Nokia is currently investigating a potential data breach after a hacker, known as IntelBroker, claimed to have stolen and is selling the company’s source code. The alleged breach occurred through a third-party vendor’s server, which the hacker accessed using default credentials. The stolen data reportedly includes SSH keys, source code, RSA keys, BitBucket logins, SMTP accounts, and other sensitive information. While Nokia has confirmed the investigation, it has stated that no evidence of its systems or data being directly impacted has been found so far.

8. Ransomware Attack Targets Mexico’s OMA

Grupo Aeroportuario del Centro Norte (OMA), based in Mexico, confirmed that it was the target of a ransomware attack on October 18, 2024. The attack resulted in the encryption of some of the company’s files and systems, leading to the exfiltration of sensitive data, including information related to commercial clients, suppliers, and employees. Despite the breach, OMA reported that it did not pay any ransom and emphasized that the incident had no significant impact on its operations, financial standing, or results.

9. Brazil’s Lojas Marisa Hit With Ransomware

Lojas Marisa, a prominent Brazilian retail company, recently experienced a ransomware attack that temporarily disrupted some of its systems. Upon discovering the breach, the company swiftly implemented its security protocols, isolating and suspending affected systems to prevent further damage and protect sensitive information. While the attack caused some operational disruptions, Lojas Marisa has not reported any significant financial losses or long-term impacts.

10. Phoenix Footwear Group Suffers Breach

Phoenix Footwear Group based in Calofornia recently reported a data breach following suspicious activity in its network on August 26, 2024. Upon discovery, the company took immediate steps to secure its systems and launched an investigation, which revealed unauthorized access to certain files containing personal information, including names and Social Security numbers.

📢 Cyber News

11. Canada Orders TikTok to Shut Down Operations

In a significant move, the Canadian government has ordered TikTok, owned by China’s ByteDance, to cease its operations in Canada, citing national security concerns. The decision, announced on November 6, 2024, follows a thorough review involving Canada’s security and intelligence agencies. While the government will not ban the app for Canadians or restrict content creation, it has urged users to consider cybersecurity risks, particularly regarding the management of personal data by foreign entities. The move also highlights ongoing concerns over the potential for the Chinese government to access user data.

12. Australia Forge Landmark MoU for Security

Australia’s Department of Home Affairs (DHA) and the Reserve Bank of Australia (RBA) have signed a groundbreaking Memorandum of Understanding (MoU) to strengthen the security of critical infrastructure across the country. The MoU formalizes collaboration between the two agencies in regulating entities under the Security of Critical Infrastructure Act 2018 (SOCI Act). Aimed at bolstering the resilience of critical infrastructure, particularly for critical payment systems, the agreement ensures transparency and reduces regulatory burdens.

13. NCSC Issues Tips to Combat Malvertising

The National Cyber Security Centre (NCSC) has released new guidelines aimed at helping brands combat the growing threat of malvertising. The UK-based security agency urges businesses to work closely with their digital advertising partners to ensure robust cybersecurity measures are in place, including comprehensive “know your customer” (KYC) checks, secure ad servers, and the use of industry-recognized standards such as ads.txt and buyers.json. These steps aim to reduce malicious activity in the advertising supply chain, enhance transparency, and protect users from potential harm.

14. New Risk Assessment Methods Proposed for EU

European transmission system operators (TSOs), with the support of the European Network of Transmission System Operators for Electricity (ENTSO-E) and the Distribution System Operators Entity, have proposed new methodologies for conducting cyber risk assessments at Union, regional, and member state levels. These methodologies, which are now open for public consultation, focus on assessing the potential consequences of cyberattacks targeting the operational security of the electricity grid, including disruptions to cross-border electricity flows.

15. CrowdStrike Acquires Adaptive Shield

CrowdStrike has announced its acquisition of Adaptive Shield, an Israeli startup specializing in SaaS security and identity protection. The deal will bolster CrowdStrike’s ability to offer unified protection across SaaS applications, identity management, and hybrid cloud environments. With the growing complexity of SaaS adoption and the associated risks of misconfigurations and identity-based attacks, the acquisition will enhance CrowdStrike’s security posture.

Copyright © 2024 CyberMaterial. All Rights Reserved.