Cyware Daily Threat Intelligence
Daily Threat Briefing • Jul 29, 2024
While many malware campaigns operate on the principle of spray-and-pray, cybercriminals often launch highly targeted attacks. In one such instance, a new Python package called ‘lr-utils-lib’ has emerged on PyPI, designed to steal Google Cloud Platform credentials from a set of 64 macOS systems.
Meanwhile, threat actors continue to innovate on their cybercrime service offerings. A Spanish-speaking cybercrime group, GXC Team, now offers a phishing-as-a-service platform bundled with malicious Android apps that can be used to steal banking credentials and one-time passwords (OTPs).
In recent years, critical infrastructure security has become a hot-button issue. This is echoed in a fresh advisory by Acronis, warning of exploits for an already-patched flaw, CVE-2023-45249, aiming to bypass authentication in the Acronis Cyber Infrastructure platform.
Targeted attack via Python package
A targeted Python package, ‘lr-utils-lib,’ was uploaded to PyPI to steal Google Cloud Platform credentials from a specific set of 64 macOS systems. The malicious code is hidden in the setup file, allowing it to execute immediately upon installation. Successful infection leads to the exfiltration of Google Cloud credentials to a remote server, potentially enabling further attacks on cloud assets. The campaign also involves social engineering, with the package owner posing as the CEO of a legitimate company on LinkedIn.
Phishing kit bundled with Android malware
A Spanish-speaking cybercrime group, GXC Team, was found offering a phishing-as-a-service platform with malicious Android apps. The service targets users of over 66 institutions, primarily in Spain but also in other countries, and is priced between $150 and $900 a month. The Android malware intercepts one-time passwords (OTPs) and other messages to steal banking credentials. GXC Team also advertises AI-infused voice calling tools that generate voice calls instructing targets to provide 2FA codes or install malicious apps.
Malware disinfection operation launched
French authorities have launched an operation in collaboration with Europol to remove the PlugX malware from infected systems. The initiative, known as a "disinfection operation," started on July 18 and is expected to last for several months. So far, around a hundred victims in various countries have benefited from the cleanup efforts. The PlugX malware, also known as Korplug, is a remote access trojan widely used by China-nexus threat actors since 2008.
New Secure Boot bypass flaw
The new PKFail vulnerability allows attackers to bypass the Secure Boot process on millions of Intel and ARM microprocessor-based systems from multiple vendors, including Lenovo, HP, Asus, and SuperMicro, among others. The Platform Key (PK) from American Megatrends International (AMI) serves as the root of trust during the Secure Boot PC startup chain. An attacker with access to the private part of the PK can easily bypass Secure Boot by manipulating the Key Exchange Key database, the Signature Database, and the Forbidden Signature Database.
Critical infrastructure software exploited
Acronis has issued a warning about a critical security flaw in Acronis Cyber Infrastructure (ACI) that allows attackers to bypass authentication using default credentials. The vulnerability, tracked as CVE-2023-45249, impacts various versions of the ACI platform. This flaw was patched nine months ago, but recent attacks have prompted Acronis to urge users to update to the latest available build immediately.
RaspAP privilege escalation exploit
A critical local privilege escalation vulnerability has been found in RaspAP, software used to turn Raspberry Pi devices into access points. The flaw is tracked as CVE-2024-41637 and has a severity score of 9.9. The vulnerability affects RaspAP versions before 3.1.5. It arises from improper access controls that let the www-data user write to restapi.service, a unit whose commands are then executed with sudo privileges without a password. A PoC exploit has also been released by the researcher who discovered the flaw.
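The RaspAP item describes a two-part chain: a systemd unit file that the web server user can write, plus a sudoers rule that lets the same user (re)start services without a password. The script below is an added audit example, not RaspAP's own code: it checks a unit file's ownership and mode bits against the www-data uid/gid (33 is assumed as the Debian default; pass the real ids from pwd.getpwnam on a live host) and scans a sudoers fragment for NOPASSWD service-management rights, reporting the chain only when both conditions hold. The unit text, sudoers lines and file names in the demo are constructed for the example.

```python
"""Audit helper (added example): flags a www-data-writable systemd unit
combined with a passwordless sudo right to restart services, the pairing
described for CVE-2024-41637. Hardening is the absence of either half."""
import os
import re
import stat
import tempfile
from pathlib import Path

# Assumed defaults: Debian and Raspberry Pi OS give www-data uid/gid 33.
WWW_DATA_UID = 33
WWW_DATA_GID = 33

# Matches e.g.  www-data ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart restapi.service
_NOPASSWD_RE = re.compile(
    r"^\s*www-data\s+\S+\s*=\s*(?:\([^)]*\)\s*)?NOPASSWD:\s*(.+?)\s*$")
# systemctl verbs that cause a unit's ExecStart= lines to run as root
_SERVICE_VERBS = ("start", "restart", "reload", "daemon-reload", "enable")


def writable_by(path, uid, gid):
    """True if a process with this uid/gid could write the file, judged
    from owner, group and mode bits only (POSIX ACLs are not inspected)."""
    st = os.stat(path)
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid == gid and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def nopasswd_commands(sudoers_text):
    """Commands www-data may run through sudo without a password."""
    cmds = []
    for line in sudoers_text.splitlines():
        m = _NOPASSWD_RE.match(line)
        if m:
            cmds.extend(c.strip() for c in m.group(1).split(","))
    return cmds


def can_manage_services(cmds):
    """Does any NOPASSWD entry let the user (re)start units as root?"""
    for c in cmds:
        if c == "ALL":
            return True
        parts = c.split()
        if parts and os.path.basename(parts[0]) == "systemctl":
            # a bare systemctl grants every verb; otherwise look for a start verb
            if len(parts) == 1 or any(v in parts[1:] for v in _SERVICE_VERBS):
                return True
    return False


def audit_unit(unit_path, sudoers_text, uid=WWW_DATA_UID, gid=WWW_DATA_GID):
    """Return a list of findings; an empty list means the chain is broken."""
    findings = []
    if writable_by(unit_path, uid, gid):
        findings.append(f"{unit_path} is writable by uid {uid}/gid {gid}")
    if can_manage_services(nopasswd_commands(sudoers_text)):
        findings.append("www-data may restart services via sudo without a password")
    if len(findings) == 2:
        findings.append("CHAIN: an edited ExecStart= line in the unit would run as root")
    return findings


# Constructed sudoers fragments for the demonstration (not from RaspAP).
WEAK_SUDOERS = "www-data ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart restapi.service\n"
HARDENED_SUDOERS = "www-data ALL=(ALL) NOPASSWD: /usr/bin/systemctl status restapi.service\n"


def demo():
    """Audit a world-writable and a properly protected copy of a constructed
    unit file; returns (weak_findings, hardened_findings)."""
    unit_text = "[Service]\nExecStart=/usr/bin/python3 /var/www/html/restapi.py\n"
    with tempfile.TemporaryDirectory() as tmp:
        weak = Path(tmp, "restapi.service")
        weak.write_text(unit_text)
        weak.chmod(0o666)        # the misconfiguration: any local user can edit it
        hardened = Path(tmp, "restapi-hardened.service")
        hardened.write_text(unit_text)
        hardened.chmod(0o644)    # root-owned 0644 is what systemd expects
        return (audit_unit(str(weak), WEAK_SUDOERS),
                audit_unit(str(hardened), HARDENED_SUDOERS))


if __name__ == "__main__":
    for label, result in zip(("weak", "hardened"), demo()):
        print(label, result or ["no findings"])
```

On a real host, run audit_unit against /etc/systemd/system/restapi.service with the concatenated contents of /etc/sudoers and /etc/sudoers.d/*; either a non-writable unit or a sudo rule limited to read-only verbs such as status is enough to break the chain.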