Experts Uncover Several C&C Servers Linked to WellMess Malware
Cybersecurity researchers on Friday unmasked new command-and-control infrastructure belonging to the Russian threat actor tracked as APT29, aka Cozy Bear, that has been spotted actively serving WellMess malware as part of an ongoing attack campaign.
More than 30 C2 servers operated by the Russian foreign intelligence have been uncovered, Microsoft-owned cybersecurity subsidiary RiskIQ said in a report shared with The Hacker News.
Stack Overflow Teams
The activity is being tracked by the cybersecurity community under various codenames, including UNC2452 , Nobelium , SolarStorm , StellarParticle , Dark Halo , and Iron Ritual , citing differences in the tactics, techniques, and procedures employed by the adversary with that of known attacker profiles, counting APT29.
RiskIQ said it began its investigation into APT29’s attack infrastructure following a public disclosure about a new WellMess C2 server on June 11, leading to the discovery of a cluster of no fewer than 30 active C2 servers. One of the servers is believed to have been active as early as October 9, 2020, although it’s not clear how these servers are being used or who the targets are.
This is not the first time RiskIQ has identified the command-and-control footprint associated with the SolarWinds hackers.
Source — https://thehackernews.com/2021/07/experts-uncover-several-c-servers.html
Several Malicious Typosquatted Python Libraries Found On PyPI Repository
As many as eight Python packages that were downloaded more than 30,000 times have been removed from the PyPI portal for containing malicious code, once again highlighting how software package repositories are evolving into a popular target for supply chain attacks.
Stack Overflow Teams
PyPI, short for Python Package Index, is the official third-party software repository for Python, with package manager utilities like pip relying on it as the default source for packages and their dependencies.
The aforementioned packages could be abused to become an entry point for more sophisticated threats, enabling the attacker to execute remote code on the target machine, amass system information, plunder credit card information and passwords auto-saved in Chrome and Edge browsers, and even steal Discord authentication tokens to impersonate the victim.
Prevent Data Breaches
Last month, Sonatype and Vdoo disclosed typosquatted packages in PyPi that were found to download and execute a payload shell script that, in turn, retrieved a third-party cryptominer such as T-Rex, ubqminer, or PhoenixMiner for mining Ethereum and Ubiq on victim systems.
«The continued discovery of malicious software packages in popular repositories like PyPI is an alarming trend that can lead to widespread supply chain attacks,» said JFrog CTO Asaf Karas.
Source — https://thehackernews.com/2021/07/several-malicious-typosquatted-python.html
A New Wiper Malware Was Behind Recent Cyberattack On Iranian Train System
A cyber attack that derailed websites of Iran’s transport ministry and its national railway system earlier this month, causing widespread disruptions in train services, was the result of a never-before-seen reusable wiper malware called «Meteor». «Despite a lack of specific indicators of compromise, we were able to recover most of the attack components,» SentinelOne’s Principal Threat Researcher, Juan Andres Guerrero-Saade, noted.
Stack Overflow Teams
On July 9, the Iranian train system was left paralyzed in the wake of a major attack, with the hackers defacing electronic displays to instruct passengers to direct their complaints to the phone number of the Iranian Supreme Leader Ayatollah Ali Khamenei’s office.
Prevent Data Breaches
The wiper has been characterized as «a bizarre amalgam of custom code» that blends open-source components with ancient software that’s «rife with sanity checks, error checking, and redundancy in accomplishing its goals,» suggesting a fragmented approach and a lack of coordination across different teams involved in the development. « Behind the artistry of this epic troll lies an uncomfortable reality where a previously unknown threat actor is willing to leverage wiper malware against public railways systems,» Guerrero-Saade said. «The attacker is an intermediate level player whose different operational components sharply oscillate from clunky and rudimentary to slick and well-developed».
Source — https://thehackernews.com/2021/07/a-new-wiper-malware-was-behind-recent.html
Stay Focused. Stay Vigilant.
Cyber Threat Incident Management Team — Cyber Security Community @ SLIIT