Malware Discovered in PyPI Python Packages
Four separate rogue packages (named aptx, bingchilling2, httops, and tkint3rs) have been found in the Python Package Index (PyPI). The detected threats have been linked to malicious activities like malware dropping, manipulation of the SSH authorized_keys file, and deletion of the netstat utility.
Around 450 people had downloaded the malicious packages before they were removed. Httops and tkint3rs are typosquats of https and tkinter, respectively, while aptx is an effort to mimic Qualcomm’s widely used audio codec of the same name.
According to Ax Sharma, a security researcher and writer, most of these packages had carefully selected names, to purposefully mislead users.
Examination of the malicious code that was included in the installation script revealed an obfuscated Meterpreter payload masquerading as the “pip” Python package installer. This payload may be used to get shell access to the compromised server.
Vulnerabilities in Wireless IIoT Devices Endangering Critical Infrastructures
Forty-eight security flaws have been discovered in wireless industrial internet of things (IIoT) devices from four manufacturers. The detected flaws are creating a sizable entry point for attackers targeting operational technology (OT) systems.
According to Otorio, an Israeli provider of industrial cybersecurity, attackers may use these flaws to gain access to targeted networks, potentially compromising essential services or halting production in the process.
According to security researcher Roni Gavrilov, if an external attacker links together some of the disclosed vulnerabilities, they may be able to directly access thousands of internal OT networks via the internet.
Three of the flaws (CVE-2022-3703, CVE-2022-41607, and CVE-2022-40981) are related to ETIC Telecom’s Remote Access Server (RAS) and might be exploited to take full control of affected devices.
The recommended countermeasures to potential exploitation of the 38 flaws include making sure the devices aren’t publicly accessible, hiding network IDs, turning off unnecessary cloud management services, and disabling vulnerable encryption methods.
New Ransomware Attacks on Healthcare Systems Launched by North Korean Hackers
According to a joint alert from the United States and South Korea’s cybersecurity and intelligence agencies, North Korean hackers backed by the government are using ransomware to attack hospitals and other important infrastructure in order to fund illegal activities.
The attacks, which hold victims’ data hostage until they pay ransom in the form of cryptocurrency, are meant to fund North Korea’s national-level objectives.
According to the authorities, that includes cyber operations targeting the governments of the United States and South Korea, and particularly the Department of Defense Information Networks and Defense Industrial Base member networks.
North Korean threat actors have been connected to espionage, financial theft, and cryptojacking operations for years. These activities include the widespread infection of hundreds of thousands of computers in over 150 countries by the WannaCry ransomware in 2017.
Following the release of CISA’s Decryptor Tool, a new variant of the ESXiArgs ransomware emerged.
In response to the decryptor issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to help victims recover from ESXiArgs ransomware attacks, the threat actors behind the malware have launched a new, more dangerous variant.
A forum member claimed hearing about the new variation via a system administrator, and both parties agreed that files bigger than 128MB would have 50% of their contents encrypted, making recovery more difficult.
Also, the Bitcoin address is no longer included in the ransom notification. Instead, victims are told to message the attackers on Tox in order to receive the wallet details.
A write up by Censys explains that threat actors have probably realized that researchers were following their payments and, perhaps, knew before releasing the ransomware that the encryption mechanism in the initial version was straightforward to overcome.
Over 3,800 different hosts have been infected with the ransomware since the outbreak began in early February. Most of the infection cases have been reported from France, the United States, Germany, Canada, the United Kingdom, the Netherlands, Finland, Turkey, Poland, and Taiwan.
VMware has come up with a statement that there is no evidence to support the claim that a zero-day vulnerability in VMware software is being used in the ransomware’s spread.
This suggests that the threat actors behind the activity are perhaps exploiting a number of known vulnerabilities in ESXi, making it urgent for users to upgrade to the most recent version as soon as possible. There has been no confirmation that the attacks were carried out by any previously identified threat actors or groups.
Reddit suffers a security breach that exposes internal documents and source code.
The popular social news aggregation network Reddit recently announced that it had been the victim of a security issue that allowed unknown threat actors to obtain unauthorized access to internal documents, code, and certain business systems that have not been specified.
According to the company’s statement, on February 5, 2023, the organization’s employees were hit by a sophisticated and highly targeted phishing attack.
The attack included delivering “plausible-sounding instructions” to users, which when followed led them to a website that looked like Reddit’s intranet portal but was really designed to steal users’ passwords and two-factor authentication (2FA) tokens.
As per what has been explained, a single employee’s credentials were phished in this way, giving the attacker access to Reddit’s internal networks. The compromised employee reported the hack on their own.
In relation to the incident, Reddit said that there is no proof that its production systems were infiltrated or that users’ private information was leaked. Indications that the data acquired has been made public or distributed online are nonexistent. The company also said that the exposure only included limited information about the company’s contacts, employees (both current and former), and advertisers.