
Invaders Drop News: Apache 0day, Atlassian Vulnerabilities, SharpRhino RAT, APT28 Phishing Campaign

Read time: under 6 minutes

Welcome back, Invaders

10 SIM-swappers apprehended. French museums, including the Grand Palais, are under ransomware attack. Booking.com was fined $413 million in Spain for market abuse. Apache OFBiz has a serious zero-day vulnerability that allows remote code execution. An ISP was infiltrated by StormBamboo to disseminate malware.

Today’s Insights

  • 10 people connected to a SIM-swapping arrested

  • French Museums Hit by Ransomware

  • Booking Fined $413 Million in Spain

  • Malware "LianSpy" Is Aimed at Android Devices

  • A critical vulnerability in Apache OFBiz (0day)

  • StormBamboo Compromises ISP

Get the latest cyber news with the Invaders Drop news podcast, brought to you by Invaders Cybersecurity! Listen to our easy-to-understand audio updates: just search for "Invaders Drop news" in your podcast app, subscribe now and stay in the loop!

Cyber Criminal Chronicles

New npm Malware Alert: Last week, security researchers identified fifty malicious npm packages. These packages have been flagged for their harmful behavior and potential risks to developers' systems. For further details, including specific vulnerabilities and mitigation strategies, visit GitHub's security advisory portal: GitHub Security Advisories.

Malware Campaign Exploits TryCloudflare: eSentire has detailed a malware campaign using TryCloudflare’s demo tunnels for malicious purposes, including distributing XWorm, AsyncRat, VenomRat, and PureLogs Stealer. For additional insights, see Proofpoint's similar report on how the campaign leverages these tunnels. eSentire Report

Project Disrupt Arrests: 10 people connected to a SIM-swapping ring have been detained by Canadian authorities; they are said to have stolen over CAD $1 million from over 1,500 victims by taking over phone numbers and emptying bank accounts. Two of the suspects remain at large, while most were located in Toronto.

Materials collected during the investigation

Tech Support Scammer Sentenced: US authorities have sentenced Indian national Vinoth Ponmaran to seven years in prison for orchestrating a large tech support scam. His organization made over $6 million by deceiving more than 6,500 victims, mostly older people in the US and Canada, with bogus IT service charges and deceptive pop-up windows. Details of the Sentence

Security Breach Trends

French Museums Hit by Ransomware: Ransomware attacks have targeted a number of French museums, including the Louvre and the Grand Palais, during the Paris 2024 Summer Olympics. Because of the high-profile worldwide event, these attacks have raised serious concerns about the protection of sensitive data and possible disruption to cultural institutions. Leparisien

BangBros Data Leak: Over 37,000 users' personal information was made public by pornographic film producer BangBros as a result of an insecure Elasticsearch database. User identities, IP addresses, user agents, geolocation, and voting records on model sites are among the data that has been compromised. Report on CyberNews

Date Hot Brunettes Data Leak: Data from the now-defunct dating site Date Hot Brunettes has been leaked and is available on Have I Been Pwned (HIBP). The breach includes over 1.5 million email addresses, IP addresses, usernames, user bios, and MD5 password hashes. Check HIBP

Tech Trends & Privacy Protocols


ROMHacking and Game Informer Shut Down: ROMHacking, the website that hosted fan-made patches for old games, is no longer active. This comes shortly after Game Informer, one of the longest-running gaming magazines in the US, shut down, making it a difficult week for the gaming community. ROMHacking | Game Informer

Booking Fined $413 Million in Spain: Booking.com was fined $413 million by Spain's data protection agency for abusing its market dominance and placing unjust restrictions on Spanish hotels that prevented them from working with regional travel firms. Details are available here.

Policy & Governance Perspectives

Russia Is Thinking of Expanding Its Google Ban: Russia's recent throttling of YouTube traffic may be a sign of things to come: a wider ban on all Google services. The head of the State Duma's IT Committee, Alexander Khinshtein, blamed the slowdown on Google discontinuing its services in Russia. Users' responses to the incident, which cut video loading speed by 70%, have been divided, and some have speculated that Google services may be banned completely. RuNews24

DARPA Launches TRACTOR Program: Translating All C to Rust, or TRACTOR, is a DARPA initiative to convert legacy C source code to the Rust programming language. The goal of the project is to automatically translate the C code used in old DoD applications into safer, more readable Rust, modernizing the code base. Continue Reading

Threat Intelligence Reports


Malware "LianSpy" Is Aimed at Android Devices: LianSpy is a recently discovered spyware that targets Android smartphones and uses root access to capture private information. Its command and control (C2) server is the Yandex Disk cloud service, which allows attackers to take control of infected devices remotely and execute commands. Kaspersky Report

New Android Banking Trojan: BlankBot is a new Android banking trojan that was discovered in July, according to Intel471. It currently targets only Turkish banks and has remote control, keylogging, and screen recording functionality. Intel471 Report

Fake Phishing Page

Rhadamanthys Infostealer Targeting Israeli Entities: Security researcher Maor Dayan has analyzed Rhadamanthys, an infostealer recently used in attacks against Israeli institutions. The in-depth analysis details the advanced techniques this malware employs. Read More

Vulnerability Disclosure Digest


Google fixes a critical kernel vulnerability in Android: Google has fixed a serious security vulnerability in the Android kernel, tracked as CVE-2024-36971, that allows remote code execution and has been used in targeted attacks. According to the company, limited, targeted exploitation of the vulnerability may still be ongoing.

A critical vulnerability in Apache OFBiz (0day): Apache OFBiz, an open-source ERP system, has a serious zero-day vulnerability that remote attackers can exploit to run arbitrary code. The vulnerability, which has a CVSS score of 9.8, affects versions older than 18.12.15. According to SonicWall, the problem lies in the override view functionality, which exposes sensitive endpoints to unauthenticated attackers, who can then abuse them with crafted requests. SonicWall

0day Vulnerability Research

Vulnerabilities Found in Atlassian Plugins: Cyllective researchers have found 53 vulnerabilities in a variety of plugins available in the Atlassian marketplace. Details of five of these vulnerabilities have been made public; the remaining ones are still being fixed. Atlassian Report

KnowBe4 Vulnerabilities Found: PenTest Partners have found two vulnerabilities in the update mechanism of KnowBe4's Windows client apps. These vulnerabilities could let an attacker with access to the system elevate privileges and use the app to execute malicious code. The vulnerabilities were initially downgraded, but once PenTest Partners got in touch with KnowBe4's CEO, they were prioritized for a fix. - PentestPartners Report

Rockwell Automation ControlLogix Vulnerability: Claroty/Team82 researchers found a severe security-bypass flaw in Rockwell Automation ControlLogix 1756 PLCs. The trusted slot feature is meant to restrict communication from untrusted channels in the local chassis, yet this vulnerability bypasses it using the CIP protocol: by bouncing between local backplane slots in a 1756 chassis, attackers can get around the protection meant to shield the CPU from untrusted cards and send elevated commands to the PLC CPU. Exploitation requires network access to the device. - Claroty's Full Disclosure

Email Server Misconfiguration Warning on Shared Hosting: Security researchers have found a serious email server issue affecting several multi-tenant shared hosting providers. Misconfigured SPF and DKIM on the providers' shared mail servers make it possible for threat actors to impersonate other domains hosted on the same platform. The problem is described in a Carnegie Mellon University CERT/CC security bulletin. This weakness was used in the EchoSpoofing campaign to target Microsoft and Proofpoint customers, and at least two additional shared hosting providers have confirmed they are affected. - Guard.io Labs Report

Structure from https://labs.guard.io/
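To make the shared-hosting SPF problem concrete, here is an added example (not code from the newsletter or from Guard.io Labs) with a minimal SPF evaluator covering the ip4, include and all mechanisms, run against a constructed zone in which two hypothetical tenant domains both include the provider's shared record. Every domain name and IP address is made up for the demo; a real audit would fetch the records with net.LookupTXT instead of the in-memory map.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
)

// Constructed DNS zone for the demo: domain -> SPF TXT record.
// All names are hypothetical; a real audit would use net.LookupTXT.
var spfZone = map[string]string{
	"tenant-a.example":         "v=spf1 include:_spf.shared-host.example -all",
	"tenant-b.example":         "v=spf1 include:_spf.shared-host.example -all",
	"_spf.shared-host.example": "v=spf1 ip4:203.0.113.0/24 -all",
	"isolated.example":         "v=spf1 ip4:198.51.100.7 -all",
}

// qualResult maps an SPF qualifier to the result a matching mechanism yields.
func qualResult(q byte) string {
	switch q {
	case '-':
		return "fail"
	case '~':
		return "softfail"
	case '?':
		return "neutral"
	}
	return "pass"
}

// evalSPF is a minimal SPF evaluator (ip4, include, all only), which is
// enough to show the shared-hosting issue. depth guards against include
// loops; RFC 7208 caps DNS-querying terms at 10.
func evalSPF(domain string, ip net.IP, depth int) string {
	if depth > 10 {
		return "permerror"
	}
	rec, ok := spfZone[strings.ToLower(domain)]
	if !ok {
		return "none"
	}
	terms := strings.Fields(rec)
	if len(terms) == 0 || terms[0] != "v=spf1" {
		return "none"
	}
	for _, term := range terms[1:] {
		qual := byte('+')
		if strings.IndexByte("+-~?", term[0]) >= 0 {
			qual, term = term[0], term[1:]
		}
		switch {
		case term == "all":
			return qualResult(qual)
		case strings.HasPrefix(term, "ip4:"):
			cidr := strings.TrimPrefix(term, "ip4:")
			if !strings.Contains(cidr, "/") {
				cidr += "/32"
			}
			if _, network, err := net.ParseCIDR(cidr); err == nil && network.Contains(ip) {
				return qualResult(qual)
			}
		case strings.HasPrefix(term, "include:"):
			if evalSPF(strings.TrimPrefix(term, "include:"), ip, depth+1) == "pass" {
				return qualResult(qual)
			}
		}
	}
	return "neutral"
}

// domainsAuthorizing returns every tenant domain whose SPF record passes
// for ip. More than one hit means a message sent from that relay passes
// SPF for several tenants, so one tenant can send as another unless DKIM
// signing and DMARC alignment are enforced per tenant.
func domainsAuthorizing(ip net.IP) []string {
	var hits []string
	for domain := range spfZone {
		if strings.HasPrefix(domain, "_") {
			continue // helper record, not a tenant domain
		}
		if evalSPF(domain, ip, 0) == "pass" {
			hits = append(hits, domain)
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	sharedIP := net.ParseIP("203.0.113.25") // an outbound relay of the shared host (constructed)
	fmt.Println("tenant-b.example from shared relay:", evalSPF("tenant-b.example", sharedIP, 0))
	fmt.Println("isolated.example from shared relay:", evalSPF("isolated.example", sharedIP, 0))
	fmt.Println("domains authorizing the relay:", domainsAuthorizing(sharedIP))
}
```

The audit function is the defender's takeaway: if the list of domains authorizing one relay IP is longer than one, SPF alone cannot distinguish tenants, and the fix is per-tenant DKIM keys with DMARC alignment rather than a shared include.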

New Linux Kernel Vulnerability: Researchers at Graz University of Technology have found SLUBStick, a cross-cache attack on the Linux kernel. The technique turns a limited heap vulnerability into arbitrary memory read-and-write access with a 99% success rate, and it overcomes modern kernel safeguards such as SMEP, SMAP, and KASLR to achieve privilege escalation or container escape. The attack affects Linux kernels 5.9 and 6.2. Full details of SLUBStick will be presented at the USENIX Security Symposium. Complete Research Paper

Advanced Cyber Threats


Moonstone Sleet Targets Windows Systems via Malicious npm Packages: The North Korea-linked threat actor, Moonstone Sleet, has been identified distributing malicious npm packages aimed at infecting Windows systems. Datadog Security Labs uncovered two compromised packages, harthat-api and harthat-hash, which were published on July 7, 2024. These packages are designed to exploit vulnerabilities and deploy malware on targeted systems. - Datadoghq Research

Hunters International Ransomware Group's SharpRhino RAT Attack: Using a brand-new C# remote access trojan (RAT) called SharpRhino, the Hunters International ransomware group has become a serious danger to business networks. Aimed especially at IT personnel, this RAT poses a significant threat to the security of organizations, and countering it calls for greater awareness and strong security controls. See the full report for more details. - Quorum Cyber researchers

DPRK Hackers Take Advantage of VPN Update Flaw: The National Cyber Security Center (NCSC) of South Korea has issued a warning about North Korean state-sponsored hackers exploiting flaws in a VPN's software update mechanism. Targeted networks have been compromised and malware installed through this exploitation. Organizations are advised to review their VPN security procedures and make sure that all software updates are handled safely. - NCSC Report

StormBamboo Compromises ISP: A Chinese APT group known as StormBamboo (Evasive Panda) has compromised an internet service provider’s infrastructure to deploy malware. This attack, which occurred earlier this year, affected both macOS and Windows users. According to Volexity, StormBamboo modified the ISP's DNS servers to redirect users' software update requests to malicious servers, which then installed the malware. The attack specifically targeted software that used cleartext HTTP connections and lacked digital signature validation. Victims were infected with backdoors and, in some cases, malicious browser extensions. - Volexity Research Report
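The two weaknesses Volexity names, cleartext HTTP and missing signature validation, are exactly what a client-side updater should reject. The following is an added example (not Volexity's code nor any of the affected vendors'), showing an updater that refuses non-HTTPS endpoints and verifies a detached Ed25519 signature against a publisher key pinned in the client, then replays the redirect scenario with a constructed payload. The update bytes, the URL and the key pair are all generated for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

var (
	ErrInsecureURL  = errors.New("update URL must use https, not cleartext http")
	ErrBadSignature = errors.New("update signature does not verify against the pinned publisher key")
)

// checkUpdateURL rejects cleartext endpoints. Even with a pinned signing
// key, plain HTTP lets anyone controlling DNS or the path swap the
// download, so the transport should be TLS as well as the content signed.
func checkUpdateURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return ErrInsecureURL
	}
	return nil
}

// verifyUpdate checks the detached Ed25519 signature on a downloaded
// payload against a publisher key that ships inside the client binary.
// Because the key is pinned, a server reached via a hijacked DNS answer
// cannot produce an acceptable signature for a substituted binary.
func verifyUpdate(pinned ed25519.PublicKey, payload, sig []byte) error {
	if len(pinned) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	if !ed25519.Verify(pinned, payload, sig) {
		return ErrBadSignature
	}
	return nil
}

// signUpdate is the publisher-side step, done offline at release time.
func signUpdate(priv ed25519.PrivateKey, payload []byte) []byte {
	return ed25519.Sign(priv, payload)
}

// scenario replays the two download outcomes: the genuine update from the
// real server, and a swapped binary served after a DNS redirect, plus the
// transport check on a cleartext URL. Key pair and payload are constructed.
func scenario() (genuineAccepted, tamperedAccepted, httpRejected bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := []byte("app v2.0.1 installer bytes (constructed sample)")
	sig := signUpdate(priv, genuine)

	// Substituted payload from the redirected host, delivered with the
	// original signature, which no longer matches the bytes.
	tampered := bytes.Replace(genuine, []byte("v2.0.1"), []byte("v2.0.1-modified"), 1)

	genuineAccepted = verifyUpdate(pub, genuine, sig) == nil
	tamperedAccepted = verifyUpdate(pub, tampered, sig) == nil
	httpRejected = errors.Is(checkUpdateURL("http://updates.example/app.exe"), ErrInsecureURL)
	return genuineAccepted, tamperedAccepted, httpRejected
}

func main() {
	g, t, h := scenario()
	fmt.Printf("genuine accepted: %v, tampered accepted: %v, http rejected: %v\n", g, t, h)
}
```

The order matters in practice: check the URL scheme before any network request, and verify the signature over the complete downloaded bytes before anything is written to the install location or executed. Neither check depends on DNS being honest, which is the property the StormBamboo redirect defeated.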

LilacSquid APT Intrusion: Security firm HackersEye has published an incident response report documenting a breach by the LilacSquid APT. The attackers exploited a weakness in the firm's Check Point firewall and installed a Mesh agent on the compromised system. - HackersEye LilacSquid IR Report

APT Research Structure

Fighting Ursa's Latest Phishing Campaign: Russian cyber-espionage group Fighting Ursa (APT28) is targeting EU diplomats with diplomatic car sale advertisements as phishing lures. Recent lures aimed at diplomats with an interest in Romania used an Audi Q7 Quattro ad. Cloaked Ursa (APT29), another Russian group, targeted Ukrainian officials with a BMW ad in 2023. According to Palo Alto Networks, Fighting Ursa has adapted proven techniques and kept exploiting known vulnerabilities for 20 months after they were first exposed.

Thanks for reading.

Until next time!

Lucas Invaders-labs

p.s. If you liked this newsletter, consider sharing it with your friends and colleagues here.