Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 11541
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-09-21 11:13:12 | bleepingcomputer | MALWARE | Free Download Manager Releases Script to Check for Malware in Linux Following Supply Chain Attack | Free Download Manager (FDM), a cross-platform download manager, was the target of a supply chain attack that caused some Linux users to be redirected to a malicious site when they tried to download the software. The malicious site installed a Bash information stealer and a backdoor on the users' computers, giving the attacker a reverse shell from their server. FDM's site was compromised by a Ukrainian hacker group in 2020; the vulnerability was inadvertently fixed during a routine site update in 2022, but the compromise went undetected for three years. FDM has now released a script that can scan Linux systems for the presence of the info-stealing malware. The script identifies whether the malware is installed but does not remove it, so users must remove detected malware manually or with additional security tools. FDM recommends a system reinstallation as the best course of action for users affected by this breach. | Details |
| 2023-09-21 11:13:12 | bleepingcomputer | DATA BREACH | TransUnion Dismisses Claims of Security Breach, Attributes Leaked Data to Third-Party | TransUnion, a credit reporting firm, denies claims of a data breach following the leak of data by a threat actor named USDoD. TransUnion's services are used by millions of consumers and more than 65,000 businesses in 30 countries. Upon learning of the alleged breach, TransUnion engaged external cybersecurity and forensic experts to carry out a thorough investigation. The experts found no evidence of a breach in TransUnion's systems and no sign of data exfiltrated from its environment. They determined that the leaked data was likely obtained from another organization's systems, because its content and formatting are inconsistent with TransUnion's data. USDoD had previously claimed to hold sensitive data on about 59,000 people worldwide taken from TransUnion's systems. USDoD, previously a member of the infamous BreachForums, was also linked to the attempted sale of InfraGard's user database in December 2023 and was seized by US law enforcement in June. InfraGard is an FBI initiative for sharing intelligence between state and local law enforcement agencies and private sector organizations. | Details |
| 2023-09-21 11:13:12 | bleepingcomputer | DATA BREACH | T-Mobile App Glitch Exposes Customer Information | A glitch in T-Mobile's official mobile application reportedly allowed customers to gain access to other users' account and billing data. Customers claim to have viewed personally identifiable information (PII) of other people, including names, phone numbers, account balances, and partial credit card details. The issue was raised on social media platforms Reddit and Twitter, with some customers noticing the problem two weeks prior to the influx of reports. The number of people impacted is disputed: while some reports suggest a wide-scale exposure, T-Mobile claims that fewer than 100 individuals were affected. According to a company spokesperson, the incident was not the result of a cyberattack or system breach but a temporary glitch linked to a planned system update, which the company has rectified. T-Mobile has experienced a series of data breaches since 2018. In May, T-Mobile disclosed its second data breach of the year, after hundreds of customers' personal information was exposed between late February and March due to a system hack. Prior to that, in January, data belonging to 37 million customers was stolen via a compromised API. | Details |
| 2023-09-21 11:13:12 | bleepingcomputer | MALWARE | P2PInfect Botnet Activity Escalates 600x with More Insidious Malware Strains | The P2PInfect botnet worm has seen a significant surge in activity since late August 2023, with new and improved samples that underscore its continuous evolution. Cado Security researchers report that although the majority of the breaches have affected systems in China, the U.S., Germany, Singapore, Hong Kong, the U.K., and Japan, the botnet's activity is now global. Observations show a steady rise in the number of the malware's initial access attempts; during the week of September 12-19, 2023, Cado noted a 600x increase in such attempts. The variants have increasingly sophisticated features, such as a cron-based persistence mechanism, communication between the main and secondary payloads via a local server socket, an SSH key used to lock legitimate users out of SSH login, and an automatic password change mechanism to lock users out. Despite attempts to fetch a miner payload, Cado has not observed any actual crypto-mining activity. The final objective of the botnet's operators remains unclear; they could be improving the miner component or seeking subscribers. | Details |
| 2023-09-21 11:11:13 | thehackernews | MALWARE | Ukrainian Hacker Group Suspected in Free Download Manager Site Malware Attack | Free Download Manager (FDM), a popular download manager, confirmed a security incident from 2020 in which its site was used to distribute malicious Linux software. The breach is thought to have been orchestrated by a Ukrainian hacker group that compromised a specific web page on the FDM site to distribute malware. A small subset of FDM users, specifically those attempting to download FDM for Linux between 2020 and 2022, were potentially exposed to the malicious software. The perpetrators used a vulnerability in a script on the FDM site to modify the download page and guide visitors to a false domain hosting the malicious .deb file. The issue remained undetected because the hackers had included an "exception list" of IP addresses, including those associated with Bing and Google, ensuring visitors from these sources were given the correct download link. The vulnerability was inadvertently resolved during a site update in 2022. FDM has now released a shell script that lets users check for the presence of the malware on their systems; users on whose machines the backdoor and information stealer are found are advised to reinstall the system. | Details |
| 2023-09-21 11:11:13 | thehackernews | MALWARE | Fake Proof-of-Concept for WinRAR Vulnerability Infects Users with Venom RAT Malware | A fake proof-of-concept exploit for a recently disclosed WinRAR vulnerability has been released on GitHub with the intent of infecting users who download the code with Venom RAT malware. The fake proof-of-concept was initially based on a public script that exploited a SQL injection vulnerability in another application, GeoServer. The rogue proof-of-concept was committed on August 21, 2023, four days after the WinRAR vulnerability was announced publicly. The proof-of-concept downloaded from the now-inoperative GitHub repository points to a remote server to execute a variant of Venom RAT that lists running processes and receives commands from an actor-controlled server. An examination of the attack's infrastructure revealed that the threat actor created the domain linked to by the proof-of-concept at least ten days prior to the public disclosure of the flaw, in order to take advantage of its critical nature. This is an example of hackers opportunistically targeting other malicious actors who seek to exploit the latest vulnerabilities. | Details |
| 2023-09-21 11:11:13 | thehackernews | CYBERCRIME | Cybercrime Group 'Gold Melody' Serves as Access Broker to Ransomware Attackers | Gold Melody, a cybercrime group known as an initial access broker (IAB) since 2017, has been selling access to compromised organizations to other hackers who launch ransomware attacks. The group is financially motivated, exploiting vulnerabilities in unpatched internet-facing servers for initial access, and prefers opportunistic attacks for financial gain over state-sponsored threat activity. Gold Melody exploits security flaws in software such as JBoss Messaging, Citrix ADC, Oracle WebLogic, GitLab, Citrix ShareFile Storage Zones Controller, Atlassian Confluence, ForgeRock AM, and Apache Log4j. Starting in mid-2020, it broadened its scope to target retail, healthcare, energy, financial, and high-tech organizations in North America, Northern Europe, and Western Asia. The group has been associated with five intrusions between July 2020 and July 2022, exploiting different sets of flaws in Oracle E-Business Suite, Apache Struts, Sitecore XP, and Flexera FlexNet for initial access; however, all of these attacks were ultimately unsuccessful. Gold Melody's heavy reliance on unpatched internet-facing servers underlines the importance of robust patch management. It monetises the access it gains primarily by selling it to other threat actors for ransomware deployment. | Details |
| 2023-09-21 11:11:13 | thehackernews | NATION STATE ACTIVITY | China Alleges Decade-Long U.S. Cyber Espionage Campaign against Huawei | China's Ministry of State Security (MSS) has accused the U.S. of carrying out a decade-long cyber espionage campaign against Huawei, involving data theft and the implanting of backdoors since 2009. The MSS alleges that the U.S. National Security Agency's (NSA) Computer Network Operations unit has repeatedly attacked China's vital data resources, and claims the unit hacked Huawei's servers in 2009. The MSS also says the U.S. has carried out tens of thousands of malicious network attacks on domestic Chinese entities, including Northwestern Polytechnical University, to steal important data. The National Computer Virus Emergency Response Centre in China is reported to have identified NSA-developed spyware called Second Date running on thousands of network devices worldwide, capable of monitoring and hijacking network traffic and injecting malicious software. The MSS also accuses the U.S. of forcing tech companies such as X-Mode Social and Anomaly Six to install backdoors in their software and hardware for the purpose of cyber espionage and data theft. The Chinese organization argues that the U.S. portrays itself as a victim of cyber-attacks while inciting and forcing other nations to join its 'clean network' program to keep Chinese companies out of the international network market. China and the U.S. have been exchanging allegations of large-scale cyber-espionage, with both countries in the middle of an escalating geopolitical confrontation. | Details |
| 2023-09-20 16:27:45 | theregister | CYBERCRIME | Sysadmin Pleads Guilty to $88M Pirated Avaya Software Licences Scam | A sysadmin and his partner have pleaded guilty to being part of an international group that sold pirated Avaya business telephone system software licenses worth $88m for significantly below the wholesale price. The couple, Brad and Dusti Pearce, admitted one count of conspiracy to commit wire fraud and face a maximum penalty of 20 years in prison each. Under the plea deal, the Pearces must also forfeit at least $4m, gold, silver, collectible coins, cryptocurrency, and a vehicle, and "make full restitution to their victims," the US Department of Justice said. The pirated licenses were used to unlock features of the popular Avaya telephone system, used by companies around the globe. The couple funnelled their illicit gains through PayPal to multiple bank accounts, reshuffling the money between numerous accounts and buying large quantities of gold bullion and other valuable items. Some parts of the case are still being investigated by the FBI. | Details |
| 2023-09-20 16:27:45 | theregister | MISCELLANEOUS | Broaden Cyber Security Knowledge at CyberThreat 2023 Conference | The CyberThreat 2023 conference will be held on 20-21 November, hosted by the UK's National Cyber Security Centre (NCSC) and the SANS Institute at The Novotel London West in Hammersmith, London. The event aims to provide attendees with current and relevant insight from industry experts across various areas of cyber security. Attendees will hear keynote presentations by experts in offensive, defensive, and forensic cyber security practices and tactics, including the newly appointed CTO of the NCSC, Ollie Whitehouse. Representatives from cyber security firms including CrowdStrike, Palo Alto Networks, Google Cloud Mandiant, Microsoft, Accenture, BAE Systems Digital Intelligence, Darktrace, EclecticIQ, VMRay, and PwC will share their knowledge and experience at the event. In addition to the presentations, the conference will offer networking opportunities, technical challenges, and an in-person Capture The Flag (CTF) competition. The conference can also be attended virtually by those unable to travel to London. | Details |
| 2023-09-20 16:27:45 | theregister | CYBERCRIME | Indian Nationals Sentenced in US for $1.2M Elderly-Focused Robocall Scams | Two Indian nationals living in the U.S., Arushobike Mitra and Garbita Mitra, have been sentenced to 41-month prison terms for their roles in robocall scams that swindled $1.2m from the elderly. They had earlier pleaded guilty to one count of conspiracy to commit wire fraud before being sentenced in Newark federal court, and have been ordered to pay restitution of $835,324 and to undergo three years of supervised release. The accused were part of a larger network, primarily based in India, that used automated robocalls to contact and scam U.S. residents, many of them elderly. The robocallers impersonated government or law enforcement officials and used intimidation tactics to coerce and deceive victims into sending large sums of money; they would also pose as tech support agents to gain remote access to victims' computers and bank accounts. The Mitras functioned as "money mules," collecting and transporting cash shipments in Florida and New Jersey, and also opened bank accounts to receive fraudulent payments. Forty-eight victims were identified as having fallen for the scam, remitting between $9,500 and $50,000 each. Despite a decline in the number of robocalls, financial losses from these scams are still expected to be in the region of 2022's $65 billion total, according to a report by call-blocking firm Robokiller. | Details |
| 2023-09-20 16:27:45 | thehackernews | CYBERCRIME | The Hidden Vulnerabilities of Web Application Supply Chains | Modern web applications rely on dozens of third-party components, frameworks, and open-source tools, creating a chain of dependencies that can itself be highly vulnerable to cyberattacks. No matter how much security work or testing companies do on their own code, they may still have vulnerabilities in the third-party components they use. Third-party software, libraries, and IoT devices can give attackers access to privileged systems, enabling a range of malicious activities from Magecart and web skimming attacks to ransomware and espionage. The SolarWinds attack in December 2020 was a high-profile example of a supply chain attack, in which attackers used software updates to infiltrate systems. The recent Log4j vulnerability exposed millions of computers worldwide to potential attacks, highlighting the urgency of a proactive, continuous monitoring solution for web application supply chains to prevent future compromises. Web security company Reflectiz provides one such solution, which identified the Log4j vulnerability and aids companies in ongoing risk mitigation, illustrating the role of third-party cybersecurity firms in helping organizations secure their web application supply chains. | Details |
| 2023-09-20 16:27:45 | thehackernews | MALWARE | Researchers Discover Malicious npm Packages Threatening Kubernetes Configs, SSH Keys | Cybersecurity researchers have identified 14 malicious packages in the npm package registry designed to retrieve Kubernetes configurations and SSH keys from compromised machines. The packages impersonate JavaScript libraries and components, such as ESLint plugins and TypeScript SDK tools, but run obfuscated code upon installation to gather and siphon sensitive files from the target machine. System metadata including username, IP address, and hostname is also collected by the modules, which transmit this information to a previously unknown domain. The packages are part of an ongoing trend of threat actors targeting open-source registries such as npm and PyPI with cryptojackers, infostealers, and other malicious programs to compromise the software supply chain. A case this month highlighted one npm module that remained benign for over eight months before being updated to include malicious JavaScript capable of exfiltrating Ethereum private keys; another involved a deceptive package hiding a cryptocurrency miner. Such campaigns have expanded to target the JavaScript (npm), Python (PyPI), and Ruby (RubyGems) ecosystems, with one such campaign specifically targeting Apple macOS users. The ultimate aim of these campaigns is still unknown. | Details |
| 2023-09-20 16:27:45 | thehackernews | CYBERCRIME | Multiple Security Vulnerabilities Exposed in Nagios XI Network Monitor Software | Four security vulnerabilities were found in Nagios XI network monitoring software versions 5.11.1 and below, with patches released in September 2023. Three of the vulnerabilities are SQL injection flaws that enable users of varying privilege levels to access database fields; the data obtained through them could be used to escalate privileges within the product and reach sensitive data such as password hashes and API tokens. The fourth vulnerability is a cross-site scripting (XSS) flaw in the Custom Logo component, which could allow attackers to read sensitive data, including passwords entered on the login page. Successful exploitation of these vulnerabilities could allow an authenticated attacker to execute arbitrary SQL commands and inject arbitrary JavaScript while reading and modifying page data. This is not the first time Nagios XI has had security issues: in 2021, Skylight Cyber and Claroty discovered about two dozen flaws that could potentially facilitate remote code execution and infrastructure hijacking. | Details |
| 2023-09-20 16:27:45 | thehackernews | CYBERCRIME | Finnish Law Enforcement and Partners Dismantle Dark Web Drug Marketplace PIILOPUOTI | Finnish authorities, alongside partners from Germany and Lithuania and organisations including Europol and Eurojust, have shut down the dark web marketplace PIILOPUOTI, which had been facilitating the illegal drug trade since May 2022. The services of Romanian cybersecurity firm Bitdefender were enlisted in the operation. The suspects are believed to have smuggled drugs into Finland from abroad for sale on PIILOPUOTI, but it is currently unclear whether any arrests have been made. Alexandru Catalin Cosoi, senior investigator at Bitdefender, applauded the operation, calling it an excellent example of the effectiveness of public and private sector cooperation in disrupting criminal activity online. This crackdown is part of an increased commitment by international law enforcement agencies to dismantle illegal dark web marketplaces, as illustrated by the closure of Genesis Market and the Lolek bulletproof hosting service, as well as the arrest of 288 vendors operating on the Monopoly market in May 2023. | Details |