Cyware Daily Threat Intelligence


Daily Threat Briefing February 26, 2024

It’s not all over for LockBit. In a surprising turn of events, the ransomware operation resurrected its dark web leak site, accompanied by a defiant message from its leader. Supply chain threats are back in focus with a dormant Python package receiving a malicious update, carrying the Nova Sentinel info-stealer. Meanwhile, the Pikabot loader has reappeared after a hiatus with significant updates and a fresh delivery campaign.

Shifting gears to security bug-related headlines: adversaries were found exploiting unpatched vulnerabilities in ConnectWise ScreenConnect software and Microsoft Outlook. Exploitation of the former leads to the deployment of ransomware, info-stealers, and backdoors.

Top Breaches Reported in the Last 24 Hours

Co-founder loses nearly $10 million

Jeff "Jihoz" Zirlin, one of the co-founders of the blockchain game Axie Infinity and the related Ronin Network, had almost $10 million (3,248 ETH coins) stolen. While the attack was limited to his personal accounts and unrelated to the operation of Ronin or Axie Infinity, it's unclear how the intruders gained access to his wallets. Analysts traced the stolen funds to activity on Tornado Cash, a mixer popularly used for cryptocurrency laundering.

Plane owner data exposed

The IntelBroker group allegedly compromised a Los Angeles International Airport database, stealing the confidential data of private plane owners. The breach impacted 2.5 million records containing full names, CPA numbers, email addresses, company names, plane model numbers, and tail numbers. No customer or traveler data was affected. The criminals claimed to have exploited a bug in the airport's CRM system.

Passport services halted amid attack

The Malawi government suspended passport issuance for two weeks following a ransomware attack on the immigration service's computer network. President Lazarus Chakwera stated that hackers demanded a ransom, but the government refused to negotiate. No details on the attackers or data theft were provided. While seeking a temporary solution, the government also plans to implement additional security measures for long-term protection.

Employee data leak at gaming firm

Insomniac Games, a Sony subsidiary known for its popular video games, sent data breach notification letters to employees whose personal information was stolen and leaked online following a Rhysida ransomware attack last year. The breach resulted in the theft of over 1.3 million files, including personal data belonging to current and former employees and independent contractors. Meanwhile, Sony continues to investigate the breach.

Top Malware Reported in the Last 24 Hours

PyPI package distributes Nova Sentinel

A dormant package named django-log-tracker on the PyPI repository was updated after nearly two years to distribute the Nova Sentinel info-stealer malware. The anomalous update was detected by the software security firm Phylum. The new version embedded code that fetched and executed a file named ‘Updater_1.4.4_x64.exe’ from a remote server, delivering the malware.
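The pattern described above, a package that is silent for years and then suddenly ships a new release, is something a dependency-review pipeline can flag on its own. The following is an added example, not Phylum's or PyPI's tooling; the metadata it reads is constructed in the shape of the PyPI JSON API's "releases" map, and the 365-day threshold is an assumption.

```python
"""Flag a package whose newest release follows a long dormancy gap.
Added example for this briefing; the metadata below is constructed and the
threshold is an assumed value, not a published recommendation."""
import json
from datetime import datetime

DORMANCY_DAYS = 365  # assumed threshold; tune to your own risk appetite


def release_dates(metadata):
    """Return (version, first_upload_time) pairs sorted by upload time."""
    dates = []
    for version, files in metadata["releases"].items():
        if not files:  # a version whose files were all removed has no timestamps
            continue
        first = min(
            datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
            for f in files
        )
        dates.append((version, first))
    return sorted(dates, key=lambda item: item[1])


def dormancy_alert(metadata, threshold_days=DORMANCY_DAYS):
    """Return (version, gap_days) when the newest release ended a silence of at
    least threshold_days; otherwise None."""
    dates = release_dates(metadata)
    if len(dates) < 2:
        return None
    (_, previous), (latest, newest) = dates[-2], dates[-1]
    gap = (newest - previous).days
    return (latest, gap) if gap >= threshold_days else None


# Constructed sample: two releases in early 2022, then one after ~23 months.
SAMPLE_METADATA = json.loads("""{
  "info": {"name": "example-pkg"},
  "releases": {
    "1.0.0": [{"upload_time_iso_8601": "2022-02-01T10:00:00.000000Z"}],
    "1.0.1": [{"upload_time_iso_8601": "2022-03-15T09:30:00.000000Z"}],
    "1.0.2": [{"upload_time_iso_8601": "2024-02-20T16:45:00.000000Z"}]
  }
}""")

if __name__ == "__main__":
    print("dormancy alert:", dormancy_alert(SAMPLE_METADATA))
```

A hit is a prompt to diff the new release against the previous one before it reaches a build, not proof of compromise by itself.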

LockBit resurfaces after takedown effort

LockBit has reestablished its leak site following a law enforcement takedown. In a lengthy statement attributed to its leader, LockBit accuses the FBI of exploiting a PHP vulnerability to breach its servers but vows not to retreat from the criminal underground. Law enforcement has not commented on the claims. Despite LockBit's comeback attempt, experts believe the takedown has permanently damaged its reputation and effectiveness in the cybercriminal world.

Pikabot acquires enhanced capabilities

The Pikabot malware loader has been updated. Initially distributed through malspam and malvertising campaigns, the new Pikabot campaign uses phishing emails containing obfuscated JavaScript files in ZIP archives. Researchers have noted several changes, including simpler encryption algorithms, anti-debugging methods, and plaintext bot configuration at runtime, suggesting a new codebase aimed at evading detection and improving functionality over time.

Top Vulnerabilities Reported in the Last 24 Hours

Critical Outlook flaw exploited

Microsoft disclosed a critical Outlook security flaw (CVE-2024-21413) that is being abused by malicious actors. Rated CVSS 9.8, the vulnerability bypasses Protected View, so malicious files open in editing mode rather than protected mode. While Outlook hands http:// and https:// links to the default browser, certain protocols such as "file://" lack warning dialogs, allowing attackers to reach remote resources and exploit SMB protocol flaws that reveal NTLM credentials.
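One defensive check that follows from the paragraph above is to triage inbound mail for hyperlinks that Outlook would not hand to the browser. This is an added example, not Cyware's or Microsoft's code: it pulls href values out of an HTML body and flags file:// links and UNC paths; the sample message is constructed and the host names in it are placeholders.

```python
"""Flag hyperlinks in an HTML e-mail body that use file:// or a UNC path.
Added example for this briefing; SAMPLE_BODY is a constructed message."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Schemes Outlook passes to the default browser, per the briefing.
BROWSER_SCHEMES = {"http", "https"}
IGNORED_SCHEMES = {"mailto"}  # common and harmless; assumed allowlist


class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value.strip())


def suspicious_links(html):
    """Return (href, reason) pairs for links that deserve a closer look."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href in parser.hrefs:
        scheme = urlparse(href).scheme.lower()
        if href.startswith("\\\\"):
            findings.append((href, "UNC path: would make an outbound SMB connection"))
        elif scheme == "file":
            findings.append((href, "file:// scheme: no browser warning dialog"))
        elif scheme and scheme not in BROWSER_SCHEMES | IGNORED_SCHEMES:
            findings.append((href, f"non-web scheme {scheme}://"))
    return findings


# Constructed sample body; placeholder hosts, not indicators from any campaign.
SAMPLE_BODY = """<html><body>
<p>Invoice: <a href="https://billing.example/inv">view online</a></p>
<p>Or open it here: <a href="file://placeholder.example/share/inv.docx">inv.docx</a></p>
<p><a href="\\\\placeholder.example\\share\\report.rtf">report.rtf</a></p>
<p>Questions? <a href="mailto:ap@billing.example">ap@billing.example</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_BODY):
        print(f"{reason}: {href}")
```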

Crooks abuse ConnectWise bug

Hackers target unpatched ConnectWise ScreenConnect software, exploiting critical vulnerabilities (CVE-2024-1709 and CVE-2024-1708) to deploy ransomware, info-stealers, and backdoors. Sophos observed ransomware payloads deployed across various sectors, including a U.S. local government 911 service. The Shadowserver Foundation identified over 8,200 vulnerable ScreenConnect instances, prompting urgent patching.
