Daily Brief
Total articles found: 12821
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-11-28 10:48:45 | thehackernews | MALWARE | Malicious NPM Package Steals Data, Mines Cryptocurrency | A malicious version of the npm library package `@0xengine/xmlrpc` has been caught stealing SSH keys and system metadata and deploying cryptocurrency mining malware. The package was first published on October 2, 2023; the malicious code was added in version 1.3.4 a day later, and the package has been downloaded 1,790 times thus far. Discovered by Checkmarx, the malware harvests data every 12 hours and exfiltrates it using services like Dropbox and file.io. The malware spreads through direct npm installations or as a dependency of a deceptive GitHub repository named yawpp, possibly affecting users setting up that tool. Once installed, the malware ensures persistence via `systemd`, deploys XMRig, a cryptocurrency miner, and checks for user activity in order to terminate or suspend the mining processes. It has infected 68 systems that are actively mining cryptocurrency and is designed to evade detection by monitoring for system utilities and shutting down if activity is detected. Researchers warn this emphasizes the need for continuous vigilance in software supply chain security, citing an increasing trend of malicious packages impersonating legitimate software. | Details |
| 2024-11-28 10:13:14 | bleepingcomputer | CYBERCRIME | UK Hospital Postpones Medical Procedures After Cyberattack | Major UK healthcare provider Wirral University Teaching Hospital suffered a cyberattack causing significant system outages. The attack prompted the postponement of appointments and scheduled medical procedures, impacting patient care services. The cyberattack led to the shutdown of IT systems, forcing hospital operations to revert to manual processes. Emergency services remain operational, but the hospital experienced increased waiting times and urged the public to seek emergency care only if necessary. A staff email highlighted severe disruptions, noting the inability to access electronic records and results, which complicated treatment delivery. There is currently no indication of when IT systems will be fully restored or when the hospital will return to normal operations. No ransomware group has publicly claimed responsibility for the incident, and further details about the attack's nature are still pending. | Details |
| 2024-11-28 09:32:37 | thehackernews | MALWARE | Godot Game Engine Misused in Global Cross-Platform Malware Attack | Cybercriminals have exploited the Godot Engine, a popular open-source game development platform, to distribute a new malware named GodLoader, affecting over 17,000 systems since June 2024. GodLoader uses Godot's scripting capabilities to execute malicious GDScript code, making it harder for antivirus tools to detect; nearly all antivirus engines on VirusTotal fail to recognize it. The malware propagates through the Stargazers Ghost Network, utilizing about 200 GitHub repositories and over 225 fake accounts to appear legitimate, targeting developers, gamers, and general users. Multiple attack waves were detected on specific dates: September 12, September 14, September 29, and October 3, 2024, each leveraging Godot Engine executables to deploy the loader malware. The loader downloads and executes severe threats like RedLine Stealer and the XMRig cryptocurrency miner, adding mechanisms to bypass sandbox detection and to exclude malicious files from Microsoft Defender Antivirus scans. GodLoader primarily targets Windows, but adapting it to affect macOS and Linux systems is straightforward, indicating a highly adaptable attack tool. Check Point highlights the necessity of downloading software only from trusted sources to avoid such sophisticated attacks that leverage legitimate platforms for malware distribution. | Details |
| 2024-11-28 07:36:15 | theregister | CYBERCRIME | Phishing Scam Misleads Victims with Fake Termination Emails | A new phishing campaign is exploiting fears of job loss, tricking victims into downloading malware by posing as UK Employment Tribunal notices. Victims receive an email falsely informing them of their employment termination, which includes a malicious link disguised as a legal document. The phishing attacks specifically target sectors like aerospace, insurance, state government, consumer electronics, travel, and education. The malicious links direct to a fraudulent Microsoft site that functions only on Windows devices and shows Mac and iPhone users a specific error message instead. The scam involves a RAR file containing a harmful Visual Basic script, which, once executed, downloads further malware including banking trojans. Cloudflare, which identified and analyzed the campaign, attributes it to a financially motivated actor, though the exact perpetrator remains unattributed. Experts warn that threat actors may shift platforms, potentially using social media or professional networks to conduct similar attacks in the future. | Details |
| 2024-11-28 04:39:23 | thehackernews | NATION STATE ACTIVITY | T-Mobile Thwarts Intrusion from Connected Wireline Provider | T-Mobile recently detected unauthorized attempts to access its network, originating from a connected wireline provider. The company's security measures successfully prevented any disruption of services or compromise of sensitive customer data. Chief Security Officer Jeff Simon highlighted that this type of intrusion attempt had not been observed previously. T-Mobile disconnected from the wireline provider's network following the incident to prevent further risk. Although the intrusion was not explicitly linked to any known group, the timing aligns with reported activities of a China-linked espionage group targeting U.S. telecoms. The company's network design, monitoring systems, and cybersecurity partnerships were credited for the effective defensive response. T-Mobile has reported the incident to U.S. government authorities, following the discovery of the attackers probing network routers. | Details |
| 2024-11-27 23:46:36 | theregister | NATION STATE ACTIVITY | Salt Typhoon's Global Reach and New Malware Exposed | China-linked APT group Salt Typhoon has targeted over 20 global organizations across various sectors, including technology, consulting, and government. The cybersecurity firm Trend Micro identified the group's use of a new malware called GhostSpider, alongside several other backdoors. Salt Typhoon has been actively compromising devices in telecommunications and government service providers in the US and other regions since 2020. Their attacks have extended to suppliers of these organizations, potentially compromising a broader network by implanting malware like the Demodex rootkit. The group exploits several vulnerabilities in public-facing servers to gain initial access, then uses legitimate tools for network intrusion and espionage. Trend Micro continues to investigate but currently lacks concrete evidence to link recent US telco attacks directly to Salt Typhoon. The group employs "living-off-the-land" tactics, using legitimate system tools to move laterally undetected across victim networks. | Details |
| 2024-11-27 22:35:45 | bleepingcomputer | MISCELLANEOUS | Microsoft Corrects Exchange Server Issues with Updated Release | Microsoft re-released the November 2024 security updates for Exchange Server after the initial versions halted email delivery in environments using custom mail flow rules. The update was withdrawn following complaints from administrators about disrupted email functions in organizations using transport or DLP rules. The revised update, November 2024 SUv2, addresses and resolves the mail delivery interruptions experienced in those environments. Microsoft's guidance for administrators: those who installed the problematic update, whether manually or via Windows Update, are advised to install the November 2024 SUv2 regardless of whether they use such rules. To prevent automatic installation during the U.S. Thanksgiving holidays, Microsoft has postponed the SUv2 rollout on its Windows Update service until December 2024. The November 2024 SUv2 also includes enhancements for detecting non-RFC-compliant P2 FROM headers, increasing protection against a high-severity vulnerability (CVE-2024-49040) that could allow attackers to forge legitimate email senders. Microsoft emphasizes the importance of running the Exchange Health Checker script after the update to confirm configuration optimizations and detect any potential performance issues. | Details |
| 2024-11-27 21:19:51 | bleepingcomputer | MALWARE | Hackers Exploit Godot Game Engine to Infect Over 17,000 PCs | Hackers have utilized the Godot game engine and the newly created GodLoader malware to infect more than 17,000 devices within a three-month span. The malware exploits Godot's GDScript capabilities to deploy malicious code via .pck files, avoiding detection by conventional antivirus tools. Once infected, the systems are vulnerable to credential theft and can have further harmful payloads installed, such as the XMRig crypto miner. The malware distribution network utilized by the attackers, termed the Stargazers Ghost Network, operates using over 3,000 GitHub accounts to promote infected repositories as legitimate. Check Point Research identified multiple attack waves over a focused period, prominently targeting developers and gamers through manipulated downloads of infected tools and games. Although primarily targeting Windows systems, proof-of-concept code also demonstrated potential threats to Linux and macOS systems. The threat actor known as Stargazer Goblin had been promoting this malware service since June 2023, with activities likely starting as early as August 2022, amassing significant illicit profits. | Details |
| 2024-11-27 21:04:22 | theregister | NATION STATE ACTIVITY | T-Mobile US Successfully Stops Multiple Cyber-Attacks by Chinese Group | T-Mobile US detected attempts by the Chinese espionage group Salt Typhoon to infiltrate its systems, but successfully prevented any breach. The same group has allegedly compromised multiple other US telecom firms, accessing sensitive information, including communications wiretap data used by law enforcement. Other major telecoms possibly affected include Verizon, AT&T, and Lumen Technologies, none of whom have commented on the claims. T-Mobile's security measures, enhanced following a $31.5 million settlement to improve cybersecurity, effectively protected customer data. Chief Security Officer Jeff Simon confirmed that no sensitive customer data such as call records or texts was accessed during these attempts. Simon reported these protection measures at a recent meeting with White House officials, discussing ongoing Chinese cyber-espionage. T-Mobile has faced numerous security breaches since 2018, highlighting the significance of this successful defense against the latest attacks. | Details |
| 2024-11-27 21:04:21 | bleepingcomputer | MALWARE | Hackers Exploit ProjectSend Flaw to Install Malicious Backdoors | Threat actors are actively exploiting a critical authentication bug in ProjectSend, identified as CVE-2024-11680, to manipulate server configurations and gain unauthorized access. The flaw allows attackers to create unauthorized accounts, upload malicious webshells, and inject hostile JavaScript through specially crafted HTTP requests. Despite a fix released on May 16, 2023, the majority of ProjectSend servers remain unpatched, with 99% still vulnerable, exposing thousands of instances to potential security risks. Roughly 4,000 ProjectSend instances, primarily used by organizations for secure file-sharing, are publicly accessible and vulnerable, according to recent scans. Active exploit attempts have increased since September 2024 following the public release of exploit tools in Metasploit and Nuclei, which involved changes in system settings and the uploading of webshells for persistent access. GreyNoise has identified 121 IPs involved in this exploitation pattern, suggesting widespread malicious activities. Security experts urge immediate updates to ProjectSend version r1750 to mitigate risks and prevent exploits of CVE-2024-11680. | Details |
| 2024-11-27 19:43:24 | bleepingcomputer | DATA BREACH | Zello Issues Password Reset Alert After Security Incident | Zello has issued a password reset notice to users with accounts created before November 2, 2024, indicating a potential security incident. The warning covers every account in Zello's 140 million user base that was created before that date. Zello's communication services are widely used by first responders, transport services, hospitality industries, and private individuals. Despite multiple inquiries from BleepingComputer, Zello has not provided additional details about the nature or scope of the incident. The advisory to change passwords also extends to other services where the same passwords may have been reused, hinting at the risk of credential stuffing or direct access to user passwords. The password reset prompt is the only communication customers have received regarding this issue, with no further explanation provided. This is not Zello's first security mishap; a similar incident in 2020 involved compromised customer emails and hashed passwords. | Details |
| 2024-11-27 18:42:38 | theregister | MISCELLANEOUS | Enhancing Cybersecurity Insights with MITRE ATT&CK Evaluations Webinar | The "MITRE Engenuity ATT&CK Evaluations: Enterprise" offers cybersecurity leaders critical insights for selecting effective security solutions. These evaluations simulate real-world threats to assess how cybersecurity products perform in detecting and responding to attacks. The latest webinar, hosted by Cynet, reviews the 2024 MITRE ATT&CK Evaluation results, highlighting achievements such as Cynet's historic 100% Visibility and Analytic Coverage. The evaluations are based on the globally recognized MITRE ATT&CK framework, which systematically categorizes adversary tactics, techniques, and procedures (TTPs). Unlike other assessments that rank or score products, MITRE ATT&CK Evaluations provide transparent results, helping organizations identify the best solutions for their specific needs. The upcoming 2024 evaluations will test vendor solutions against adaptable ransomware-as-a-service variants and state-sponsored tactics attributed to North Korea, enhancing defensive capabilities against these threats. Participation from 31 vendors in the 2023 evaluations offers a comprehensive overview of the cybersecurity landscape and available technological solutions. | Details |
| 2024-11-27 18:02:03 | theregister | DATA BREACH | Over 600,000 Sensitive Files Exposed by Data Broker | More than 600,000 files containing sensitive personal data were left unprotected on an internet-accessible database by SL Data Services. The exposed files included comprehensive background checks, criminal records, and detailed personal information such as addresses and social media profiles. Security expert Jeremiah Fowler discovered the unencrypted, password-unprotected Amazon S3 bucket in October and repeatedly attempted to alert the company. Nearly all documents viewed were tagged as "background checks," revealing extensive personal details that could be used for phishing or social engineering attacks. The database was eventually secured by SL Data Services, but the exposure left thousands of people at risk of misuse of their information. SL Data Services operates multiple websites and offers a variety of data services, including real estate and criminal records, potentially compounding the breach's impact. The incident highlights the ongoing risks associated with inadequate data security measures in the handling of sensitive personal information. | Details |
| 2024-11-27 17:41:37 | bleepingcomputer | MALWARE | Discovery of First Linux UEFI Bootkit Malware, Bootkitty | Researchers from ESET uncovered 'Bootkitty,' the first UEFI bootkit targeting Linux, specifically certain Ubuntu versions. Bootkitty infects the boot process, enabling it to execute before the Linux OS and evade detection by OS-level security tools. The malware can tamper with the bootloader's and kernel's integrity checks and bypass signature verification to load malicious components. Despite its potential, Bootkitty is currently a proof-of-concept with limitations due to hardcoded values and compatibility issues, making it unviable for broad attacks. The discovery highlights a shift in the landscape of UEFI bootkit threats, previously focused on Windows, now moving towards Linux systems as they become more prevalent in enterprises. Although it contains unused functions and is prone to crashing systems, Bootkitty represents a significant evolution in the cyber threat environment. The ESET team came across the malware after a suspicious file was uploaded to VirusTotal; no infections of live systems have been identified via telemetry. Indicators of compromise associated with Bootkitty have been provided for further analysis and defense preparation by security professionals. | Details |
| 2024-11-27 16:55:59 | bleepingcomputer | NATION STATE ACTIVITY | Chinese State Hackers Breach T-Mobile, Telecom Networks Thwarted | Chinese hackers, identified as "Salt Typhoon," initially compromised T-Mobile's routers to investigate lateral movement options within the network. The attackers aimed to access sensitive customer data, including call records and text messages, especially those of government officials. T-Mobile's cybersecurity defenses, including proactive monitoring and robust network segmentation, successfully blocked the intrusion. T-Mobile detected the breach after observing suspicious commands commonly used in the reconnaissance phase of cyberattacks. Although the breach began via a compromised wireline provider's network, T-Mobile severed the connection promptly, preventing further damage. The company has not detected any ongoing unauthorized activity and has informed government and industry partners about the incident. The broader series of breaches affecting telecoms like AT&T and Verizon also involved theft of customer and law enforcement data, highlighting a systemic risk in telecom security. | Details |