Cyber Security News — Past 24 hours | 30.07.2021

Experts Uncover Several C&C Servers Linked to WellMess Malware

Cybersecurity researchers on Friday unmasked new command-and-control infrastructure belonging to the Russian threat actor tracked as APT29, aka Cozy Bear, that has been spotted actively serving WellMess malware as part of an ongoing attack campaign.
More than 30 C2 servers operated by the Russian foreign intelligence have been uncovered, Microsoft-owned cybersecurity subsidiary RiskIQ said in a report shared with The Hacker News.

Stack Overflow Teams

The activity is being tracked by the cybersecurity community under various codenames, including UNC2452 , Nobelium , SolarStorm , StellarParticle , Dark Halo , and Iron Ritual , citing differences in the tactics, techniques, and procedures employed by the adversary with that of known attacker profiles, counting APT29.

RiskIQ said it began its investigation into APT29’s attack infrastructure following a public disclosure about a new WellMess C2 server on June 11, leading to the discovery of a cluster of no fewer than 30 active C2 servers. One of the servers is believed to have been active as early as October 9, 2020, although it’s not clear how these servers are being used or who the targets are.
This is not the first time RiskIQ has identified the command-and-control footprint associated with the SolarWinds hackers.

Source —

Several Malicious Typosquatted Python Libraries Found On PyPI Repository

As many as eight Python packages that were downloaded more than 30,000 times have been removed from the PyPI portal for containing malicious code, once again highlighting how software package repositories are evolving into a popular target for supply chain attacks.

Stack Overflow Teams

PyPI, short for Python Package Index, is the official third-party software repository for Python, with package manager utilities like pip relying on it as the default source for packages and their dependencies.

The aforementioned packages could be abused to become an entry point for more sophisticated threats, enabling the attacker to execute remote code on the target machine, amass system information, plunder credit card information and passwords auto-saved in Chrome and Edge browsers, and even steal Discord authentication tokens to impersonate the victim.

Prevent Data Breaches

Last month, Sonatype and Vdoo disclosed typosquatted packages in PyPi that were found to download and execute a payload shell script that, in turn, retrieved a third-party cryptominer such as T-Rex, ubqminer, or PhoenixMiner for mining Ethereum and Ubiq on victim systems.
«The continued discovery of malicious software packages in popular repositories like PyPI is an alarming trend that can lead to widespread supply chain attacks,» said JFrog CTO Asaf Karas.

Source —

A New Wiper Malware Was Behind Recent Cyberattack On Iranian Train System

A cyber attack that derailed websites of Iran’s transport ministry and its national railway system earlier this month, causing widespread disruptions in train services, was the result of a never-before-seen reusable wiper malware called «Meteor». «Despite a lack of specific indicators of compromise, we were able to recover most of the attack components,» SentinelOne’s Principal Threat Researcher, Juan Andres Guerrero-Saade, noted.

Stack Overflow Teams

On July 9, the Iranian train system was left paralyzed in the wake of a major attack, with the hackers defacing electronic displays to instruct passengers to direct their complaints to the phone number of the Iranian Supreme Leader Ayatollah Ali Khamenei’s office.

Prevent Data Breaches

The wiper has been characterized as «a bizarre amalgam of custom code» that blends open-source components with ancient software that’s «rife with sanity checks, error checking, and redundancy in accomplishing its goals,» suggesting a fragmented approach and a lack of coordination across different teams involved in the development. « Behind the artistry of this epic troll lies an uncomfortable reality where a previously unknown threat actor is willing to leverage wiper malware against public railways systems,» Guerrero-Saade said. «The attacker is an intermediate level player whose different operational components sharply oscillate from clunky and rudimentary to slick and well-developed».

Source —

Stay Focused. Stay Vigilant.

Cyber Threat Incident Management Team — Cyber Security Community @ SLIIT




First they begin with Us..

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium


Ethereum Layer-2 Solution Optimism Loses 20 Million Tokens in Interlayer Snafu

Safety Tips for Cryptocurrency Users, ver. 001


Globalboost-Y(BSTY) deposit, withdrawals are stopped temporarily due to network instability

Monthly Digest — May 2022

Important security notice about your DoorDash account

Robonomics IO To The Rescue: Data Blockchainization With No Coding

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


First they begin with Us..

More from Medium

$EOS resource guide for Hindi Hive

All about AWS Community Builder Program

CISA Shields Up: Uptycs How-To Guide

Remote Browser Isolation — The Next Step in Endpoint Security?