Ankura CTIX FLASH Update - May 31, 2024

Ankura Consulting Group LLC

Ransomware/Malware Activity

Cybercriminals Use Stack Overflow to Promote Infostealing Malware

Researchers at Sonatype have discovered a new malicious PyPI package that is being pushed by nefarious Stack Overflow users as a solution to various coding problems. Stack Overflow is a widely used online forum frequented by developers and hobbyists of all levels of expertise on nearly every technology topic. The cybercriminals behind the campaign are abusing the trust many users place in good-faith answers to their coding and engineering problems. The malicious PyPI package, named "pytoileur," was only recently uploaded by attackers on May 27, 2024. Based on the package's description in the PyPI repository, it appears to be connected to a previous malware campaign named "Cool package." The package includes a "setup.py" file containing an encoded command that is padded with spaces, effectively hiding the suspicious exec() call unless word wrap is enabled in the victim's text editor. When run, the encoded command downloads an executable named "runtime.exe" from a remote server. The runtime.exe executable is information-stealing malware capable of harvesting data from web browsers, including browsing history, cookies, passwords, and stored credit card information. The malware can also steal data from documents on the victim machine that match a search for specific phrases. This campaign, alongside other recent campaigns involving open-source code repositories and forums that Ankura CTIX has reported on, is a reminder to organizations and individuals to stay vigilant when downloading or executing libraries created by unknown entities. As of the writing of this publication, CTIX analysts note that the pytoileur package has been removed from the PyPI repository and that the nefarious Stack Overflow comments have also been wiped from the site. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
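The whitespace-padding trick described above can be caught before a package is installed by scanning setup.py for calls such as exec() that sit behind a long run of spaces. The scanner below is an added example, not code from the CTIX report or from Sonatype's research; the list of flagged calls, the 40-character padding threshold and the sample setup.py content are assumptions constructed for illustration.

```python
import re
import sys

# Calls that are unusual in a setup.py and worth a second look (assumed short list)
SUSPICIOUS_CALL = re.compile(r"\b(exec|eval|__import__|b64decode|urlopen)\s*\(")

# Constructed sample: a harmless-looking setup.py whose third line pushes a call
# 300 spaces to the right behind a ';' separator. The base64 text decodes to 'pass'.
SAMPLE_SETUP_PY = (
    "from setuptools import setup\n"
    "setup(name='demo', version='1.0')\n"
    "cmdclass = {}" + " " * 300 + ";exec(__import__('base64').b64decode('cGFzcw=='))\n"
)


def find_hidden_calls(source: str, min_padding: int = 40):
    """Return one finding per line as (line_no, call_names, padding, severity).

    'high'   : the first flagged call is preceded by >= min_padding spaces/tabs,
               i.e. it sits off-screen in an editor without word wrap.
    'medium' : a flagged call is present but not padded; still unusual in setup.py.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        matches = list(SUSPICIOUS_CALL.finditer(line))
        if not matches:
            continue
        # Text before the first flagged call, ignoring the ';' statement separator
        before = line[: matches[0].start()].rstrip(";")
        padding = len(before) - len(before.rstrip(" \t"))
        names = tuple(m.group(1) for m in matches)
        severity = "high" if padding >= min_padding else "medium"
        findings.append((lineno, names, padding, severity))
    return findings


def scan_file(path: str):
    """Scan a setup.py on disk with the same logic."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hidden_calls(fh.read())


if __name__ == "__main__":
    src = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_SETUP_PY
    for lineno, names, padding, severity in find_hidden_calls(src):
        print(f"[{severity}] line {lineno}: {', '.join(names)} after {padding} whitespace chars")
```

Run it against an extracted sdist's setup.py before installing; a "high" finding is the pattern from this campaign, while "medium" findings deserve a manual read of the line.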

Threat Actor Activity

North Korean Threat Actor Moonstone Sleet Emerges

A new North Korean hacking group, Moonstone Sleet, has been uncovered engaging in sophisticated cyber-attacks against software and defense companies. Utilizing custom ransomware variants and intricate scams, the group conducts operations seeking both financial gain and intelligence collection. Notably, Moonstone Sleet has shifted tactics from traditional North Korean hacking groups, deploying a ransomware variant called FakePenny and demanding ransoms as high as $6.6 million. This marks a significant escalation in the severity of ransom demands by North Korean threat actors. The group has successfully compromised companies within the defense technology sector, extracting valuable credentials and intellectual property before launching ransomware attacks. Attacks by the group using FakePenny were also observed in incidents involving a drone technology firm and an aircraft parts manufacturer. On top of deploying a new ransomware strain, Moonstone Sleet has employed social engineering through a fabricated tank game, "DeTankWar," and has created multiple fake companies to contact and target individuals and organizations in the IT, education, and software development sectors. These elaborate scams facilitate direct attacks and establish relationships that could provide further access to targets of interest or serve as revenue generation opportunities. The investigation into Moonstone Sleet reveals that the group is well funded, running operations in tandem with other North Korean threat actors such as the Lazarus Group and Diamond Sleet. This particular unit has evolved over the years from the shadows of several other North Korean threat actors, still using malware and infrastructure shared with the groups it emerged from while deploying its own unique tools, becoming a curated threat actor whose purpose meets specific North Korean cyber objectives.
This evolution and the use of ransomware suggest an intent to develop capabilities for disruptive operations in the future. The targeting of software development firms raises concerns about the potential for future supply chain attacks, posing a high risk to a broad range of organizations. These findings highlight the growing sophistication and ambition of North Korean cyber operations, underscoring the need for heightened vigilance and security measures within the global cybersecurity community. CTIX will continue reporting on the latest developments related to emerging threat actors and groups.

Vulnerabilities

Check Point VPN Gateway Zero-Day Vulnerability Exploited

Threat actors have been observed exploiting a high-severity zero-day vulnerability in Check Point Remote Access VPN since April 30, 2024. The flaw, tracked as CVE-2024-24919 (CVSS score: 7.5/10), affects various Network Security gateway products, including CloudGuard Network and Quantum appliances. This vulnerability allows attackers to read sensitive information on internet-connected gateways with remote access VPN or mobile access enabled. It enables attackers to extract password hashes for local accounts, leading to potential lateral movement within networks. Check Point has released hotfixes to mitigate the issue. The vulnerability is critical due to its low complexity, ease of exploitation, and lack of required user interaction or privileges. Exploitation attempts have focused on stale VPN local accounts with weak password-only authentication, allowing attackers to misuse Active Directory (AD) data and move laterally within victim networks. CTIX analysts strongly advise administrators to apply the hotfixes, remove vulnerable local accounts, rotate LDAP connection passwords, and monitor for signs of compromise.
