WEEKLY TOP TEN: February 26, 2024, 15:00 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ we reviewed during the week as the most significant, ranked by highest risk and drawing on multiple sources where available:
- Malicious Python Packages Utilize New Side-Loading Techniques
PyPI is the public repository of Python packages; many languages have a similar feature. Threat actors frequently target these repositories as a means of spreading malware, typically through typo-squatting attacks. Researchers have discovered a new set of malicious Python packages within PyPI using DLL side-loading, which injects malicious code into a legitimate process to evade detection by signature-based security tools.
- SSH-Snake Abused in Cyberattacks
SSH-Snake is a network mapping tool focused on its namesake, SSH. This project uses the credentials provided to it to attempt to authenticate to every reachable device on the network over SSH, behaving as a sort of worm. It also reads shell history files, SSH keys, and configuration files to find new credentials that it can use against other machines. This form of automatic network traversal is a very powerful tool for threat actors, allowing for maximum impact on a compromised network.
- Critical Vulnerability in ScreenConnect Likely for Mass Exploitation
ConnectWise created ScreenConnect, a remote desktop/management application. Remote access software has become an extremely popular tool among threat actors, as it provides an easy backdoor into compromised systems using legitimate software. A new critical vulnerability with the maximum CVSS score of 10/10 has been discovered in ScreenConnect. This vulnerability is an authentication bypass, allowing attackers to gain access to remote machines without valid credentials.
- Documents of Chinese Cybersecurity Contractor Leaked
Recently, a leak of information obtained from I-Soon, a private “cybersecurity” contractor for the Chinese government, was published on GitHub. This trove of information included targets of Chinese state surveillance and hacking operations, both domestic and foreign. It also contained tools used by I-Soon and employee information.
- Cactus Ransomware Hits Schneider Electric
The Cactus ransomware gang has claimed that they have hit Schneider Electric and stolen 1.5 terabytes of data, a massive amount of information. Schneider responded, saying “certain data from Sustainability Business was obtained by the threat actor.” Cactus has publicly shared 25 megabytes of data as proof of compromise.
- Global Takedown of the Infamous LockBit Ransomware Gang Underway
LockBit is perhaps one of the most notorious ransomware gangs in all of cyber history. As of February 20th, law enforcement agencies from across the globe have begun a takedown of the LockBit gang and their affiliates. LockBit operated on a RaaS model (Ransomware-as-a-Service), allowing threat actors to use its strain of ransomware in exchange for a cut of the profit. Law enforcement has arrested two individuals in Poland and Ukraine and seized two hundred crypto wallets. The State Department has set a bounty of $15 million for information about LockBit affiliates.
- Lucifer Botnet Ramps Up Attacks Against Apache Hadoop Servers
The Lucifer botnet is a collection of infected computers, typically used for DDoS and cryptocurrency mining. The malware responsible attempts to spread itself to further vulnerable devices using several well-known vulnerabilities, such as EternalBlue. Recently, researchers have observed via honeypots a sharp increase in the number of attempted infections against Apache Hadoop and Druid servers. The researchers at Aqua Nautilus say this is likely the trial run of a new attack method, and even more exploitation attempts may be seen in the future.
- Russian Government Software Used to Distribute Malware
Researchers have discovered that a software installer, which is likely linked to the Russian government, has been modified to distribute Konni RAT malware. Very similar techniques were seen before when, in October 2023, Russian tax software was used to distribute this same payload. It has been theorized that this may be the work of North Korean APTs.
- Knight Ransomware Source Code for Sale
Researchers have discovered posts on RAMP Forums, by users claiming to be members of the Knight ransomware gang, selling the latest version of their malware as the group disbands. RAMP Forums is a darknet site used by threat actors to trade and sell information. It was stated that this is the third iteration of this malware, written in C++ with improved encryption speed. The sale of this malware will likely lead to offshoot gangs using this encryptor as a base.
- Change Healthcare Breach Disrupts Operations
Change Healthcare is one of the leading healthcare technology companies in the US. On the 21st, Change published a statement with limited details about a known outside intrusion into their networks. They said they are taking their systems offline until the 24th to ensure the incident remains contained. This containment action has had a significant impact on several aspects of the healthcare industry, including dental, clinical, and pharmacy operations.
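The SSH-Snake item above describes worm-like traversal: one compromised host authenticates, with harvested keys, to many other machines in quick succession. The following is an added defender-side example, not code from the digest or from the SSH-Snake project: it parses sshd "Accepted" lines as they would arrive at a central log collector and flags any source IP that successfully logs in to several distinct hosts within a short window. The log lines, hostnames, IPs, key fingerprints and the thresholds are all constructed for illustration; the year supplied to the syslog timestamps is an assumption, since syslog lines carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd lines as forwarded from several hosts to one
# collector (hosts, IPs and fingerprints are made up for this example).
SAMPLE_LOG = """\
Feb 20 10:00:01 web01 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 50122 ssh2: RSA SHA256:AAAA
Feb 20 10:00:09 web02 sshd[2310]: Accepted publickey for deploy from 10.0.0.5 port 50130 ssh2: RSA SHA256:AAAA
Feb 20 10:00:44 db01 sshd[1188]: Accepted publickey for root from 10.0.0.5 port 50141 ssh2: ED25519 SHA256:BBBB
Feb 20 10:01:30 db02 sshd[1190]: Accepted publickey for root from 10.0.0.5 port 50150 ssh2: ED25519 SHA256:BBBB
Feb 20 10:02:15 web01 sshd[2250]: Accepted password for alice from 10.0.0.7 port 40001 ssh2
Feb 20 10:05:40 web01 sshd[2261]: Accepted publickey for alice from 10.0.0.7 port 40002 ssh2: RSA SHA256:CCCC
Feb 20 10:07:03 bastion sshd[900]: Accepted publickey for bob from 10.0.0.9 port 41000 ssh2: RSA SHA256:DDDD
Feb 20 10:07:05 web02 sshd[2400]: Failed password for invalid user admin from 10.0.0.7 port 40010 ssh2
Feb 20 11:30:00 app01 sshd[3100]: Accepted publickey for deploy from 10.0.0.5 port 50900 ssh2: RSA SHA256:AAAA
"""

# Matches only successful logins; the destination host is the syslog hostname field.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_accepted(lines, year=2024):
    """Return (timestamp, dest_host, user, src_ip, method) for each successful login.
    syslog timestamps carry no year, so one is supplied (an assumption for the sample)."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # failed logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["user"], m["src"], m["method"]))
    return events


def detect_fanout(events, min_hosts=3, window_seconds=600):
    """Flag source IPs that log in to at least min_hosts distinct hosts inside
    any window of window_seconds. Returns {src_ip: set of hosts in the widest window}."""
    by_src = defaultdict(list)
    for ts, host, _user, src, _method in events:
        by_src[src].append((ts, host))
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()  # chronological; sliding window starts at each login
        best = set()
        for i, (start, _) in enumerate(hits):
            hosts = set()
            for ts, host in hits[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                hosts.add(host)
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, hosts in detect_fanout(parse_accepted(SAMPLE_LOG.splitlines())).items():
        print(f"possible SSH fan-out from {src}: {sorted(hosts)}")
```

In the sample, 10.0.0.5 reaches four hosts in under two minutes and is flagged, while 10.0.0.7 (two logins to the same host) and 10.0.0.9 (a single login) are not. The thresholds are starting points to tune against normal automation such as deployment or backup jobs, which will also fan out legitimately; pairing the source IP with the key fingerprint reported on the same line helps separate a known automation key from a harvested user key reused across many hosts.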