A new highly capable and persistent threat actor has been targeting major high-profile public and private entities in the U.S. as part of a series of targeted cyber intrusion attacks by exploiting internet-facing Microsoft Internet Information Services (IIS) servers to infiltrate their networks.

Israeli cybersecurity firm Sygnia, which identified the campaign, is tracking the advanced, stealthy adversary under the moniker “Praying Mantis” or “TG2021.”

“TG1021 uses a custom-made malware framework, built around a common core, tailor-made for IIS servers. The toolset is completely volatile, reflectively loaded into an affected machine’s memory and leaves little-to-no trace on infected targets,” the researchers said. “The threat actor also uses an additional stealthy backdoor and several post-exploitations modules to perform network reconnaissance, elevate privileges, and move laterally within networks.”

images from Hacker News

The maintainers of Python Package Index (PyPI) last week issued fixes for three vulnerabilities, one among which could be abused to achieve arbitrary code execution and take full control of the official third-party software repository.

The security weaknesses were discovered and reported by Japanese security researcher RyotaK, who in the past has disclosed critical vulnerabilities in the Homebrew Cask repository and Cloudflare’s CDNJS library. He was awarded a total of $3,000 as part of the bug bounty program.

The list of three vulnerabilities is as follows –

• Vulnerability in Legacy Document Deletion on PyPI – An exploitable vulnerability in the mechanisms for deleting legacy documentation hosting deployment tooling on PyPI, which would allow an attacker to remove documentation for projects not under their control.
• Vulnerability in Role Deletion on PyPI – An exploitable vulnerability in the mechanisms for deleting roles on PyPI was discovered by a security researcher, which would allow an attacker to remove roles for projects not under their control.
• Vulnerability in GitHub Actions workflow for PyPI – An exploitable vulnerability in a GitHub Actions workflow for PyPI’s source repository could allow an attacker to obtain write permissions against the pypa/warehouse repository.

images from Hacker News

Healthcare and education sectors are the frequent targets of a new surge in credential harvesting activity from what’s a “highly modular” .NET-based information stealer and keylogger, charting the course for the threat actor’s continued evolution while simultaneously remaining under the radar.

Dubbed “Solarmarker,” the malware campaign is believed to be active since September 2020, with telemetry data pointing to malicious actions as early as April 2020, according to Cisco Talos. “At its core, the Solarmarker campaign appears to be conducted by a fairly sophisticated actor largely focused on credential and residual information theft,” Talos researchers Andrew Windsor and Chris Neal said in a technical write-up published last week.

Infections consist of multiple moving parts, chief among them being a .NET assembly module that serves as a system profiler and staging ground on the victim host for command-and-control (C2) communications and further malicious actions, including the deployment of information-stealing components like Jupyter and Uran (likely a reference to Uranus).

While the former boasts of capabilities to steal personal data, credentials, and form submission values from the victim’s Firefox and Google Chrome browsers, the latter — a previously unreported payload — acts as a keylogger to capture the user’s keystrokes.

images from Hacker News

Cybersecurity researchers on Friday unmasked new command-and-control (C2) infrastructure belonging to the Russian threat actor tracked as APT29, aka Cozy Bear, that has been spotted actively serving WellMess malware as part of an ongoing attack campaign.

More than 30 C2 servers operated by the Russian foreign intelligence have been uncovered, Microsoft-owned cybersecurity subsidiary RiskIQ said in a report shared with The Hacker News.

APT29, the moniker assigned to government operatives working for Russia’s Foreign Intelligence Service (SVR), is believed to have been the mastermind behind the massive SolarWinds supply chain attack that came to light late last year, with the U.K. and U.S. governments formally pinning the intrusions on Russia earlier this April.

The activity is being tracked by the cybersecurity community under various codenames, including UNC2452 (FireEye), Nobelium (Microsoft), SolarStorm (Unit 42), StellarParticle (Crowdstrike), Dark Halo (Volexity), and Iron Ritual (Secureworks), citing differences in the tactics, techniques, and procedures (TTPs) employed by the adversary with that of known attacker profiles, counting APT29.

images from Hacker News

As many as eight Python packages that were downloaded more than 30,000 times have been removed from the PyPI portal for containing malicious code, once again highlighting how software package repositories are evolving into a popular target for supply chain attacks.

“Lack of moderation and automated security controls in public software repositories allow even inexperienced attackers to use them as a platform to spread malware, whether through typosquatting, dependency confusion, or simple social engineering attacks,” JFrog researchers Andrey Polkovnichenko, Omer Kaspi, and Shachar Menashe said Thursday.

PyPI, short for Python Package Index, is the official third-party software repository for Python, with package manager utilities like pip relying on it as the default source for packages and their dependencies.

The Python packages in question, which were found to be obfuscated using Base64 encoding, are listed below –

• pytagora (uploaded by leonora123)
• pytagora2 (uploaded by leonora123)
• noblesse (uploaded by xin1111)
• genesisbot (uploaded by xin1111)
• are (uploaded by xin1111)
• suffer (uploaded by suffer)
• noblesse2 (uploaded by suffer)
• noblessev2 (uploaded by suffer)

images from Hacker News