
Cyware Daily Threat Intelligence


Daily Threat Briefing Feb 29, 2024

Lazarus unveils new tactics. In one campaign, it infiltrated the PyPI repository with malicious packages that dropped the information-stealing Comebacker malware. The other campaign involved the abuse of a zero-day driver bug in Microsoft AppLocker, giving adversaries kernel-level access with which to disable security software. In related software supply chain news, a malicious repo confusion campaign that began last year has now affected over 100,000 GitHub repositories, putting valuable developer data at risk.

What more? Threat hunters unearthed a new malware targeting telecom networks adjacent to GPRS roaming exchanges. Dubbed GTPDOOR, it appears to be the work of LightBasin (UNC1945), known for attacks against the telecom sector.

Top Breaches Reported in the Last 24 Hours

European discount retailer phished

Pepco Group's Hungarian business was hit by a sophisticated phishing attack, resulting in a loss of approximately €15.5 million (~$16.8 million). While efforts to recover the funds are underway, the incident does not involve customer, supplier, or colleague data. Experts suggest the attack resembles a BEC scam. The group is thoroughly reviewing its systems and processes to bolster security.

Irish Ministry denies extortion attempt

Ireland's Department of Foreign Affairs (DFA) denies claims of a cyber breach by the new extortion group Mogilevich, which listed the DFA as a target for a data sale. The group claims to possess 7GB of compromised documents but has provided no evidence. The DFA is investigating with Ireland's NCSC and has found no breach.

German university under attack

Hochschule Kempten, a German university, faced a cyberattack that prompted a shutdown of its IT systems. Attackers breached parts of the infrastructure despite stringent security measures, leading to email unavailability. Efforts to mitigate the attack are ongoing, with the full extent yet to be determined.

Top Malware Reported in the Last 24 Hours

Massive attack campaign on GitHub

Security researchers uncovered a significant campaign of repository confusion attacks on GitHub, impacting over 100,000 repositories and potentially millions more. This sophisticated cyberattack targets developers by tricking them into downloading and using malicious repositories disguised as legitimate ones. Attackers clone popular repositories, inject them with malware, and upload them on GitHub with identical names.

Malicious Python packages target developers

The North Korean state-backed hacking group Lazarus uploaded four packages to the PyPI repository to infect developer systems with malware. The packages, including pycryptoenv and pycryptoconf, mimicked legitimate Python packages to exploit users' typos during installation. These packages, collectively downloaded over 3,000 times, contained XOR-encoded DLL files disguised as test scripts, ultimately deploying a malware called Comebacker.

Novel Linux malware threatens telecom networks

Security researchers uncovered GTPDOOR, a Linux malware infiltrating telecom networks adjacent to GPRS roaming exchanges. The backdoor disguises itself as a syslog process and opens a raw socket to receive UDP messages, enabling threat actors to send GTP-C Echo Request messages that carry commands to execute and return their results. Its uniqueness lies in leveraging the GPRS Tunnelling Protocol for C2. The backdoor has been linked to LightBasin (UNC1945).
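Because a compliant GTPv1-C Echo Request is a bare path-management probe with no information elements, a covert channel riding on Echo Requests stands out as extra payload bytes after the header. The following added example (not code from the original briefing or from any GTPDOOR analysis) parses the GTPv1 header per 3GPP TS 29.060 and reports why an Echo Request looks unlike a routine liveness probe; the sample packets and the trusted-peer list are constructed for illustration.

```python
import struct
from typing import Optional

ECHO_REQUEST = 1  # GTPv1-C message type for Echo Request

def parse_gtpv1(pkt: bytes) -> Optional[dict]:
    """Parse the 8-byte mandatory GTPv1 header; return None if not GTPv1."""
    if len(pkt) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1:                 # version field must be 1
        return None
    opt_len = 4 if flags & 0x07 else 0  # E, S or PN flag => 4 optional octets follow
    return {
        "pt": (flags >> 4) & 1,         # 1 = GTP, 0 = GTP'
        "msg_type": msg_type,
        "declared_len": length,         # octets following the mandatory header
        "teid": teid,
        "payload": pkt[8 + opt_len:],   # information elements, if any
    }

def echo_request_anomalies(pkt: bytes, src_ip: str, trusted_peers: set) -> list:
    """Return reasons an Echo Request deviates from a routine GTP-C liveness probe."""
    hdr = parse_gtpv1(pkt)
    if hdr is None or hdr["pt"] != 1 or hdr["msg_type"] != ECHO_REQUEST:
        return []
    reasons = []
    if hdr["declared_len"] != len(pkt) - 8:
        reasons.append("declared length does not match packet size")
    if hdr["payload"]:
        # An Echo Request carries no IEs apart from an optional Private Extension;
        # anything else after the header is where tunnelled commands would sit.
        reasons.append(f"{len(hdr['payload'])} payload bytes in an Echo Request")
    if hdr["teid"] != 0:
        reasons.append("non-zero TEID on a path-management message")
    if src_ip not in trusted_peers:
        reasons.append(f"Echo Request from unexpected peer {src_ip}")
    return reasons

# Constructed samples (not real GTPDOOR traffic): a routine Echo Request carrying
# only a sequence number, and one with eight extra bytes appended after the header.
BENIGN_ECHO = bytes.fromhex("32010004" "00000000" "00010000")
PADDED_ECHO = bytes.fromhex("3201000c" "00000000" "00010000") + bytes(range(1, 9))
TRUSTED = {"192.0.2.10"}  # constructed list of known roaming peers

if __name__ == "__main__":
    for name, pkt, src in [("benign", BENIGN_ECHO, "192.0.2.10"),
                           ("padded", PADDED_ECHO, "198.51.100.7")]:
        print(name, echo_request_anomalies(pkt, src, TRUSTED) or "ok")
```

In production the trusted-peer set would come from the roaming partner inventory, and the Private Extension IE (type 255) could be whitelisted after baselining real traffic.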

Top Vulnerabilities Reported in the Last 24 Hours

APT abuses zero-day in MS AppLocker driver

Avast researchers uncovered Lazarus APT exploiting a zero-day vulnerability (CVE-2024-21338) in Microsoft's appid.sys AppLocker driver. The flaw resides in the IOCTL dispatcher of appid.sys, a component central to AppLocker, and allows arbitrary code execution. Attackers can gain kernel-level access and disable security software; for instance, they use the FudModule rootkit to suspend PPL-protected processes such as Microsoft Defender.
