
Invaders Drop News: Pavel Durov Detained in France, Russia Proposes Tax on Foreign Software, SonicWall Fixes Critical SonicOS Vulnerability

Read time: under 5 minutes

Welcome back, Invaders

Cybersecurity is heating up with new developments. On the same day that Palo Alto Networks revealed Bling Libra’s shift from selling hacked data to extorting companies and targeting cloud environments, a new zero-day broker popped up on Twitter. This broker, a Russian company posing as a UK entity, might attract UK law enforcement scrutiny. Meanwhile, Pidgin has pulled a malicious plugin, "ss-otr," that promised encrypted conversations but was actually logging keystrokes and screenshots. In response, Pidgin now mandates open-source code for all listed plugins. Coincidence? We think not. Lastly, the hacker known as "USDoD" has been unmasked as Brazilian Luan B.G., with links to cybercrime activities dating back to 2017.

Today’s Insights

  • Major Hacks & Leaks

  • Cyberwarfare

  • Privacy Concerns

  • Policy & Governance

  • Cybercrime & Malware

  • Vulnerabilities

Get the latest cyber news with the Invaders Drop news podcast, brought to you by Invaders Cybersecurity! Listen to our easy-to-understand audio updates: just search for "Invaders Drop news" on your podcast app, subscribe now, and stay in the loop!

Cyber Criminal Chronicles

Bling Libra: ShinyHunters’ New Tactics: Palo Alto Networks has released a profile on Bling Libra, the threat actor behind the notorious ShinyHunters. The group has recently shifted from selling hacked data to privately extorting companies and focusing on cloud environments. This change marks a significant evolution in their tactics. Read more.

New Zero-Day Broker Pops Up: There's a new exploit broker advertising on Twitter about buying zero-days. As several security researchers have pointed out, the threat actor is a Russian company with ties to Russia's propaganda machine, using a UK company as a front. This could prompt UK law enforcement to take a closer look!

Malicious Pidgin Plugin Removed: The Pidgin instant messaging service has removed a malicious plugin named "ss-otr" from its addons index. The plugin, which claimed to offer encrypted off-the-record conversations, was active for over a month and contained malware that logged keystrokes and took screenshots of users' screens. In response, Pidgin now requires all plugins to open-source their code to be listed on the official plugin repository. Report.

Hacker "USDoD" Identified as Brazilian Man: A Brazilian tech news outlet has identified the hacker known as "USDoD" as a 33-year-old man named Luan B.G. from Minas Gerais, Brazil. Reporters at TecMundo claim that a leaked CrowdStrike report links Luan to the hacker identity, detailing his involvement in cybercrime since 2017 after joining a local hacktivist group. The report also connects him to various hacker email addresses and cybercrime transactions, corroborating details from interviews USDoD has given over the years. DataBreaches.net.

Russian Money Launderer Detained: Argentinian police have detained a Russian national in Buenos Aires on suspicion of laundering money for North Korean hackers. The arrest is linked to the Harmony Bridge hack, where over $100 million was stolen in June 2022. Officials traced funds from the hack to a Telegram channel operated by the suspect, which facilitated cryptocurrency exchanges across different blockchains. Additional coverage in La Nación.

Skimmer Campaign Hits 100+ Websites: Malwarebytes has identified an ongoing e-skimmer campaign that has compromised over a hundred websites. This widespread attack targets online stores, potentially stealing sensitive payment information from unsuspecting customers.

Security Breach Trends

Critical Vulnerability in LiteSpeed Cache Exploited: A critical severity vulnerability in the LiteSpeed Cache WordPress plugin has been swiftly exploited by hackers, just a day after technical details were made public. Wordfence’s Chloe Chamberland had previously warned of this scenario, predicting that the vulnerability would be actively exploited soon. This marks the second attack on LiteSpeed Cache this year; in May, hackers exploited a cross-site scripting flaw (CVE-2023-40000) to create rogue administrator accounts and take over sites. WPScan reported over 1.2 million probes from a single malicious IP address targeting this vulnerability. Users are advised to upgrade to version 6.4.1 immediately or uninstall the plugin. Read more.

Tech Trends & Privacy Protocols

Pavel Durov Detained in France: Telegram CEO and founder Pavel Durov has been detained by French authorities after his private plane landed at an airport near Paris. The detention is part of an investigation into Telegram’s alleged lack of content moderation. The messaging service has been criticized for hosting illegal content, including stolen personal data, stolen cards, revenge porn, CSAM, and malware. Coverage by TF1 and BFM.

Germany's Secret Piracy Blocklist Exposed: A 17-year-old student from Germany has revealed that the country's largest ISPs are operating a secret blocklist. Established through a voluntary agreement between ISPs and rightsholders in 2021, this blocklist currently restricts access to 275 domains and subdomains, mostly related to streaming live sports or hosting pirated content. The student, known only as Damian, has created a special website where Germans can query or contribute to the blocklist. TorrentFreak.

Meta Disrupts Iranian State-Sponsored Threat Actor: Meta Platforms has disrupted the operations of an Iranian state-sponsored threat actor that used WhatsApp accounts to target individuals in Israel, Palestine, Iran, the U.K., and the U.S. This actor, originating from Iran, focused on political and diplomatic targets. For more details, read the full report on FB News.

Bypass Paywalls Clean Removed from GitHub: The Bypass Paywalls Clean browser extension has been removed from GitHub following a DMCA takedown notice filed by the News Media Alliance. The extension was popular for allowing users to bypass paywalls on over 2,200 news websites. The takedown notice also resulted in the removal of thousands of forks (copies) of the extension hosted on GitHub. The action was based on the extension's violation of anti-circumvention laws, which protect digital content access restrictions. This development highlights ongoing tensions between content creators and tools that let users access content without paying or adhering to subscription models. TorrentFreak article.

Policy & Governance Perspectives

FTC Bans Fake Reviews and Manipulative Practices: The US Federal Trade Commission has implemented a new rule banning the use of fake or paid reviews to manipulate product sales and deceive consumers. This rule also prohibits operating fake review sites, using negative reviews against competitors, and suppressing bad reviews through threats. Companies found violating these rules will face legal action. For more details, you can view the FTC’s announcement on the final rule.

Singapore Launches OT Cybersecurity Masterplan: The Singapore government has unveiled its Operational Technology (OT) Cybersecurity Masterplan to enhance the security of industrial control systems across the country. The plan aims to bolster the protection of companies managing OT environments. For more information, you can view the Operational Technology Cybersecurity Masterplan 2024.

Russia Proposes Tax on Foreign Software: The Russian government is developing a law to impose a special tax on large corporations using foreign software. This tax will not affect SMBs or government organizations. The bill is set to be introduced in the Duma in September and seems at odds with earlier claims about the shift to domestic software. For more details, see the coverage on TASS.

Recent Cybersecurity Developments: Law enforcement agencies have arrested individuals involved in crypto and extortion scams. A cloud-based hacktool has been linked to a surge in spam SMS attacks. Additionally, North Korean threat actors are exploiting a newly discovered Windows zero-day vulnerability, highlighting a serious escalation. For more details, read the full update here.

Threat Intelligence Reports

Zscaler Analyzes New Copybara Android Trojan Variant: Zscaler ThreatLabz has examined a new version of the Copybara Android trojan, a malware family first seen in November 2021. This variant is distributed through voice phishing (vishing) attacks, where victims are instructed via phone to install the malware. For more details, read the full analysis here.

Arkose Labs Unveils Greasy Opal's Threat in Cybersecurity: Arkose Labs has released a technical breakdown of Greasy Opal, a business specializing in cyber attack enablement. Operating since 2009 from the Czech Republic, Greasy Opal offers products and solutions to various customers, including cybercriminals and CAPTCHA-solving services. Its capability to quickly develop effective machine-learning models for CAPTCHA challenges presents a significant cybersecurity threat. For more details, view the full paper here.

Ransomware Group Shifts Tactics to Credential Harvesting: A recent cybersecurity research article reveals a ransomware group altering its strategy by engaging in browser credential harvesting, a significant deviation from its usual ransomware tactics. This unexpected shift has caught the attention of security experts, who are investigating the motivations behind this new approach. For more details, read the full article here.

Vulnerability Disclosure Digest

SonicWall Fixes Critical SonicOS Vulnerability: SonicWall has addressed an improper access control vulnerability in SonicOS, which could have allowed unauthorized access to firewall resources or caused device crashes. For more details on the fix, you can view the full security update here. Additional information is available from ScreamingGoat.

Zoho Addresses RCE Vulnerability in ManageEngine OpManager: Zoho has issued a security update to fix a remote code execution (RCE) vulnerability in the user interface of its ManageEngine OpManager component. For more details on the update, visit the security advisory. Additional insights are available from ScreamingGoat.

DEVCORE Analyzes MSKSSRV Vulnerabilities: DEVCORE researchers have released a detailed write-up on vulnerabilities found in the Microsoft Kernel Streaming Service (MSKSSRV). This is the first installment in a multi-part series examining various CVEs related to these issues. For more information, check out the write-up.

Honeywell BEDQ API Exposure: Traceable researchers have discovered an unprotected API in Honeywell BEDQ, an internal system used by Honeywell employees and partners. The vulnerability allowed them to gain "complete control over the entire system." For more details, see the blog post.

NTLM Credential Theft from Python Apps: Horizon3 has released a report detailing vulnerabilities in three Python applications that can be exploited for NTLM credential thefts. For more information, you can read the full report.

SolarWinds Addresses Default Credentials Vulnerability: SolarWinds has issued a security patch to remove default credentials from its Web Help Desk app, addressing the vulnerability tracked as CVE-2024-28987. This follows a previous bug, CVE-2024-28986, which has been actively exploited. For more details, see the security advisory and the exploitation alert.

Advanced Cyber Threats

Meta Takes Down APT42 Accounts: Meta has removed a group of WhatsApp accounts used by Iranian state hackers from APT42 to target victims abroad. Posing as technical support for US tech companies like AOL, Google, Yahoo, and Microsoft, these accounts were discovered after user reports. For more details, see Meta's announcement.

US Runs Tinder Ads: The US military launched ads on Tinder targeting Middle Eastern residents, warning them against joining armed groups against the US and its allies. The ads featured images of F-16 and A-10 aircraft. Tinder removed the ads following inquiries from the Washington Post. The Pentagon declined to comment on the campaign. For more information, see the Washington Post article.

Russian Attacks: RT-Solar, the security division of Russian telco Rostelecom, has published a report detailing two attacks on Russian industrial plants carried out by pro-Ukrainian groups. The report provides insights into the nature and impact of these attacks. For further details, view the RT-Solar report.

Thanks for reading.

Until next time!

Lucas Invaders-labs

p.s. If you liked this newsletter, consider sharing it with your friends and colleagues here.