Defenders running the Cleo managed file transfer are urged to be on the lookout for the Cleopatra backdoor and other indicators of an ongoing ransomware campaign, as patching details remain foggy, and no CVE has been issued.

Source: Allstar Picture Library Ltd. via Alamy Stock Photo

An active ransomware campaign against the Cleo managed file transfer tool is about to ramp up now that a proof-of-concept exploit for a zero-day flaw in the software has become publicly available. Defenders should brace for widespread deployment of the Cleopatra backdoor and other steps in the attack chain.

The flaw, which is the result of an insufficient patch for an arbitrary file write tracked as CVE-2024-50623, is being used for remote code execution (RCE) and impacts Cleo Harmony, Cleo VLTrader, and Cleo LexiCon products, according to the company's security advisory. The new issue does not yet have a CVE or CVSS severity score as of the time of this writing.

Active attacks against the zero-day appear to have begun on Dec. 3, and just days later cyberattackers had breached at least 10 Cleo clients, including those in the trucking, shipping, and food industries. Cleo currently has more than 4,000 customers, mostly mid-sized organizations.

The current ransomware campaign has been attributed to a group called "Termite," which is also believed to be connected to similar cyberattacks against Blue Yonder that ultimately impacted household brand names like Starbucks.

But that's just a taste of what's to come, according to Artic Wolf analysts, who predict that ransomware cyberattacks against vulnerable Cleo systems are about to escalate.

**Is a MOVEit-Style Deluge of Cyberattacks Imminent?**

Since 2023's ransomware success against MOVEit, a similar file transfer service, threat actors have become keenly aware of the broad access to sensitive enterprise data and systems these MFT solutions provide, researchers at Artic Wolf noted.

That's especially true in light of a public proof of exploit of the Cleo zero-day published on Dec. 11 by Watchtowr Labs, the researchers predicted. Like MOVEit, Cleo has the potential to offer attackers a mass-attack avenue.

And unfortunately for those impacted, patching this zero-day has been a bit confusing for Cleo customers, widening the door for attackers to pounce.

The original bug, CVE-2024-50623, was first "fixed" in the Oct. 30 release of an updated Cleo version, 5.8.0.21. However, customers continued to report compromises, "suggesting the existence of a separate means of compromise," a new backgrounder from Rapid7 on the Cleo zero-day explained.

Researchers at Huntress first reported on continued widespread active exploits of the supposedly patched vulnerability on Dec. 9. Cleo responded with a new version containing a new security patch (version 5.8.0.24). However, the new exploitable issue has not yet received a new CVE designation, raising questions from industry watchers like Rapid7.

"Cleo issued a new advisory as of December 10 that previously said versions up to 5.8.0.21 were vulnerable to an as-yet-unassigned CVE," a Rapid7 blog post noted. "That advisory was updated to indicate a patch is now available for all affected products — it's unclear exactly when the update occurred. There is still no CVE for the new issue."

Cleo has since added a note to its advisory page on the insufficient patching issue that a "CVE is pending."

**Cleopatra Backdoor: How to Tell if Cleo Has Been Compromised**

With the added patching confusion, it's up to cyber defense teams to understand what a Cleo compromise looks like and stop it before it takes hold.

The Artic Wolf team tracked the attack chain down to a malicious PowerShell stager that ultimately executes a new Java-based backdoor that their team appropriately called "Cleopatra."

"The Cleopatra backdoor supports in-memory file storage, and is designed for cross-platform support across Windows and Linux. It implements functionality designed to access data stored within Cleo MFT software specifically," the Artic Wolf report explained. "Although many IP addresses were used as C2 destinations, vulnerability scanning originated from only two IP addresses."

The Arctic Wolf researchers urge defenders to focus in on monitoring server assets for unusual activity, like PowerShell, in order to respond early in the attack chain.

"Additionally, devices should be continuously audited for potential weaknesses in internet-accessible services, and vulnerable services should be kept off the public Internet where possible to minimize the potential exposure in mass exploitation campaigns such as this one," the report added. "This can be accomplished by IP access control lists, or by keeping applications behind a VPN to reduce the potential attack surface."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Cleo MFT Zero-Day Exploits Are About Escalate, Analysts Warn

The Russian nation-state actor tracked as Secret Blizzard has been observed leveraging malware associated with other threat actors to deploy a known backdoor called Kazuar on target devices located in Ukraine.
The new findings come from the Microsoft threat intelligence team, which said it observed the adversary leveraging the Amadey bot malware to download custom malware onto "specifically

Secret Blizzard Deploys Kazuar Backdoor in Ukraine Using Amadey Malware-as-a-Service

SUMMARY Cybersecurity researchers at Deep Instinct have uncovered a novel and powerful Distributed Component Object Model (DCOM) based…

****SUMMARY****

*   **The new DCOM attack leverages Windows Installer service for stealthy backdoor deployment.**

*   **Attack exploits the IMsiServer interface for remote code execution and persistence.**

*   **Malicious DLLs are remotely written, loaded, and executed to compromise systems.**

*   **It requires the attacker and victim to be within the same domain, limiting the scope.**

*   **Consistent DCOM hardening patches can mitigate attack effectiveness.**

Cybersecurity researchers at Deep Instinct have uncovered a novel and powerful Distributed Component Object Model (DCOM) based lateral movement attack method that enables attackers to stealthily deploy backdoors on target Windows systems.

The attack exploits the Windows Installer service to remotely write custom DLLs, load them into an active service, and execute them with arbitrary parameters. For context, a DLL (Dynamic Link Library) is a Windows file that contains code, data, and resources shared by multiple programs.

The attack, detailed in Deep Instinct’s technical blog and shared with Hackread.com, exploits the IMsiServer COM interface. By reversing its internals, attackers can manipulate its functions to achieve remote code execution, bypass traditional security controls and establish persistent footholds on compromised systems.

For your information, DCOM Lateral Movement is a technique used to move sideways within a network by exploiting vulnerabilities in DCOM, which allows communication between programs on different computers.

On the other hand, Computer Objects (COM) are compiled code that provides services to the system, based on interfaces implemented by its class defined by a globally unique Class ID (CLSID) and accessed remotely with a globally unique identifier (GUID) – AppID. All communication among COM components occurs through interfaces.

The technique involves identifying the vulnerable Windows Installer service, exploiting its COM interface, crafting a malicious DLL containing malicious code, writing the DLL remotely, loading the DLL into a running service process, and executing the code. The attacker gains control over the service, manipulating its functions to remotely interact with it.

The malicious DLL is then loaded into the Windows Installer service, allowing the attacker to execute its code, and granting them remote access to the system. This method is particularly effective against Windows Installer due to its broad system privileges and network accessibility.

The DCOM Upload & Execute attack is powerful but has limitations, researchers noted in the technical blog post. It requires both attacker and victim machines to be within the same domain, restricting its applicability to specific organizational boundaries.

Consistent DCOM Hardening patch statuses can reduce the attack’s effectiveness in environments with varying patch levels. Apart from that, the uploaded payload must be a strongly named .NET assembly and must be compatible with the target machine’s architecture, either x86 or x64, which adds complexity to the attack process.

COM interfaces and tables (Credit: Deep Instinct)

Deep Instinct research discusses IDispatch, a fundamental COM interface that enables scripting languages and higher-level languages to interact with COM objects. However, it is not directly involved in the DCOM Upload & Execute attack due to the IMsiServer interface not implementing IDispatch.

This means that traditional scripting languages like PowerShell cannot directly interact with it using standard techniques. Researchers used lower-level techniques to manipulate the IMsiServer interface and achieve remote code execution by directly calling the interface’s methods and passing necessary parameters.

1.  Voice assistant devices manipulated with ultrasonic waves
2.  Hackers can Downgrade Windows to Exploit Patched Flaws
3.  Electromagnetic Waves Steal Data from Air-Gapped Systems
4.  ‘Matrix’ Hackers Deploy Massive IoT Botnet for DDoS Attacks
5.  Hackers Can Steal Data from Air-Gapped PCs via SATA Cables

New DCOM Attack Exploits Windows Installer for Backdoor Access

Infiltrating other nations' telecom networks is a cornerstone of China's geopolitical strategy, and it's having the unintended consequence of driving the uptake of encrypted communications.

Source: Ar\_TH via Shutterstock

While the US government and at least eight telecommunications firms struggle to defend their networks against the China-sponsored Salt Typhoon group, other nations' telecommunications firms have often been primary targets for advanced persistent threats (APTs) as well.

In 2023, China-linked group Earth Estries — which may overlap with Salt Typhoon — compromised telecommunications firms in the Asia-Pacific (APAC) and the Middle East and North Africa (MENA) regions, as well as the US. In 2022, a Chinese APT group alternatively known as Daggerfly and Evasive Panda infected systems at a telecommunications organization in Africa, installing a backdoor tool known as MgBot. And earlier this year, Chinese APT group Volt Typhoon targeted Singapore's largest telco, Singtel, with attacks, although the company denies any of the probes were successful.

China has made infiltrating other nations' networks a foundation of its geopolitical strategy, and other countries — and their citizens — should consider their networks no longer private, says David Wiseman, vice president of secure communications for cybersecurity firm BlackBerry.

"All countries need to assume they are affected," he says. "The impact \[of these attacks are\] operational in that the government can no longer be confident using traditional phone calls and SMS. This is accelerating the usage of 'over the top' encrypted communications applications for official government communications."

Over-the-top (OTT) applications and services are those that are delivered over the Internet, not through traditional telecommunications systems.

US telecommunications firms — including Verizon, AT&T, and T-Mobile — are struggling to clean their networks and prevent two Chinese groups, Salt Typhoon and Volt Typhoon, from persisting in their systems. Earlier this year, Salt Typhoon gained access to some of the telecom systems used to satisfy wiretap requests, while Volt Typhoon has compromised telecommunications and other critical infrastructure to pre-position ahead of possible region conflict.

Telecommunications infrastructure is one of the most attractive targets for nation-state actors, because they affect all facets of a country's economy and provide in-depth data on its citizens, says Chris Henderson, senior director of threat operations at Huntress, a threat-intelligence firm.

"As telecommunication companies have grown from managing landline infrastructure to being one of the most data-rich organizations, their attractiveness to both for-profit groups and state-sponsored espionage has also grown," he says, adding that they "know more about you than arguably any other organization — they understand where you have been physically located, who you are speaking with, and for how long."

**From Singapore to India and Beyond**

China has long focused on the telecommunication firms of its regional rivals. In 2014, for example, the government of India accused Chinese equipment maker Huawei of hacking the state-owned Bharat Sanchar Nigam Limited (BSNL), after that firm used another Chinese service provider, ZTE, to provision its lines.

In 2023, an investigation by cybersecurity firm Trend Micro found that China-linked Earth Estries targeted at least 20 telecommunications and other infrastructure providers across Southeast and South Asia, South Africa, and Brazil, using a cross-platform backdoor.

Every country should act to defend their telecommunications infrastructure, says BlackBerry's Wiseman. While the success of attacks on Singapore, India, and the US are among the few that have become public, other companies are likely breached and still not aware, he says.

Organizations and citizens should no longer assume that their communications are safe, Wiseman says.

"General harvesting of communication records to build out a continual understanding of changes in command-and-control networks is a key thing that can be done," he says. "More concerning is that since the voice calls of specific people can be listened to along with reading of the SMS messages, there is the potential for more advanced communications manipulation."

**A Boost for Encryption**

The Salt Typhoon attacks may push citizens — and possibly their governments — toward greater use of encryption. While the trend has been for authoritarian governments and security agencies — such as law enforcement and internal security groups — to argue for less encryption, or at least backdoors into encrypted systems, the global attacks on telecommunications technology demonstrate that even nations with well-considered, strict privacy laws are not safe havens, says Gregory Nojeim, senior counsel and director of the security and surveillance project at the Center for Democracy and Technology, a digital-rights group.

"Greater geopolitical tension breeds greater geopolitical incentive to gain access to other countries' communications and that will also incentivize the adoption and use of encryption," Nojeim says. "Hopefully, it will also incentivize the protection of encryption against proposals that would weaken it."

In the US, government agencies such as the FBI have argued for law-enforcement backdoors into telecommunications networks and are calling for workers and citizens to use stronger encryption.

Meanwhile, telecommunications providers — whether private or state-owned — should focus more heavily on security, and their citizens should also adopt encrypted services, BlackBerry's Wiseman says. "Many countries realized this earlier than the US \[and\] started widespread adoption of end-to-end app-based encrypted communications sooner," he says. "The earliest movers were countries that did not have the same level of controls over their telecom network supply chains as the more developed countries."

Most countries in the Global South score lower on rankings of Internet privacy than their peers in North America, Europe, and East Asia. However, lower privacy rights can mean citizens are more likely to use encrypted services, says CDT's Nojeim.

"One lesson of Salt Typhoon is that people who live in democracies can't comfort themselves that their own government won't listen in absent a good reason," he says. "Now they have to be concerned about foreign governments listening in, and the way to prevent that, again, is to use an encrypted service."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Governments, Telcos Ward Off China's Hacking Typhoons

The Black Basta ransomware group is using advanced social engineering tactics and a multi-stage infection process to target organizations.

****SUMMARY****

*   **Black Basta Campaign Resurgence:** Rapid7 researchers report a sophisticated social engineering campaign by the Black Basta ransomware group, refining tactics and targeting organizations globally.

*   **Enhanced Tactics:** Attackers use email bombing, impersonation via Microsoft Teams, and tools like QuickAssist and AnyDesk to gain remote access, bypass MFA, and execute malicious payloads.

*   **Malicious Tools:** Threat actors deploy tools like Zbot and DarkGate for credential harvesting, data exfiltration, and persistence before delivering Black Basta ransomware.

*   **Improved Payload Delivery:** Updated techniques include obfuscation with custom packers, DLL execution via rundll32.exe, and advanced evasion strategies.

*   **Mitigation Strategies:** Organizations should adopt stronger password policies, provide security training, and implement advanced defences to mitigate ransomware threats.

Cybersecurity researchers at Rapid7 have released a new report detailing its investigation of a sophisticated social engineering campaign launched by the infamous Black Basta ransomware group (aka UNC4393), threatening organizations worldwide. 

Researchers have observed a resurgence of activity in relation to Black Basta ransomware operators’ currently ongoing social engineering campaign, first reported in May 2024 and updated in August 2024.

The attackers have now refined their early stages procedures, including new malware payloads, improved delivery, and increased defence evasion, with lures sent via Microsoft Teams.

Reportedly, the campaign begins with email bombing in which a series of emails are sent to overwhelm potential victims, typically achieved by signing up users’ emails to multiple mailing lists simultaneously. Attackers impersonate IT support personnel offering assistance and tricking users into granting remote access to their systems. Microsoft Teams is used to establish initial contact whereas Azure/Entra tenant subdomains and custom domains are utilized as account domains.

Potential targets are tricked into installing/executing remote management tools like QuickAssist, AnyDesk, TeamViewer, Level, or ScreenConnect. Threat actors also use the OpenSSH client to establish a reverse shell, or, share a QR code with the user, probably to bypass MFA (multi-factor authentication) after stealing their credentials.

As soon as they gain access, the attackers deploy a range of malicious tools for credential harvesting, lateral movement, and data exfiltration.  A custom packer is used to obfuscate various payloads, including Zbot, and DarkGate, to steal sensitive information and establish persistence on the system. The ultimate goal, however, is to deploy the Black Basta ransomware itself, to encrypt critical data and demand a ransom payment. 

One of the malicious QR codes used by the attackes (Via Rapid7)

For your information, DarkGate is a powerful malicious shellcode that can perform a wide range of malicious actions, including stealing information, establishing persistence, and re-infecting compromised machines by establishing a backdoor.

Zloader/Zbot, conversely, is a sophisticated trojan that steals login credentials, credit card information, and personal data, downloads and executes additional malware payloads, establishes persistence on the infected system and communicates with command-and-control servers.

Compared to Rapid7’s previously detected attacks, researchers noted some similarities and some unique approaches in this campaign:

“Rapid7 has observed usage of the same credential harvesting executable, previously reported as AntiSpam.exe, though it is now delivered in the form of a DLL and most commonly executed via rundll32.exe. Whereas before it was an unobfuscated .NET executable, the program is now commonly contained within a compiled 64-bit DLL loader,” the blog post revealed.

To mitigate the risk of such attacks, organizations must improve their security measures, including implementing stronger password protection mechanisms, regular security awareness training for employees, and advanced security solutions.

1.  **Telecom Gian****t** **BT Group Hit by Black Basta Ransomware**
2.  **Russian Midnight Blizzard Hits MS Teams in Precision Attack**
3.  **Iranian Hackers Target Microsoft 365 with MFA Push Bombing**
4.  **Storm-0324 Exploits MS Teams Chats for Ransomware Attacks**
5.  **Vietnamese DarkGate Malware Targets META Accounts Worldwide**

Black Basta Ransomware Uses MS Teams, Email Bombing to Spread Malware

A Chinese threat actor infiltrated several IT and security companies in a bring-your-own VS code, with an eye to carrying out a supply-chain-based espionage attack.

Source: Araki Illustrations via Alamy Stock Photo

Chinese hackers almost breached critical European supply chain companies by disguising their malicious activities behind native Microsoft technologies.

It happened during a three-week period, from late June to July, according to researchers from SentinelLabs. A threat actor tied to China's diverse and thriving cyberattack scene targeted large business-to-business (B2B) IT service providers throughout southern Europe, such as cybersecurity vendors and data and infrastructure solutions providers, with the presumed goal of downstream supply chain espionage.

To penetrate these IT vendors — and, presumably, the many clients across the continent to which they enjoy privileged access — the attackers masked their malicious activity behind everyday business tools like Visual Studio Code and Microsoft Azure. And to confuse attribution, they used the same tactics, techniques, procedures (TTPs), and tooling observed across a number of other known Chinese threat actors.

**Malware via Microsoft**

Infections in the campaign, which researchers dubbed "Operation Digital Eye," began with SQL injections against vulnerable, Internet-facing Web and database servers. Then the attackers dropped PHP Web shells, using filenames specially tailored to the target's environment in order to avoid raising any suspicion. Reconnaissance, lateral movement, and credentials theft followed.

The highlight of the attacks, though, came innocuously packaged as "code.exe." Digitally signed by Microsoft and run as a service using the Windows Service Wrapper, the attackers brought to each of their victims their own portable copy of the Visual Studio Code (VS Code). VS Code is a free, open source editor developed by Microsoft, by far the most popular integrated development environment (IDE) among both new and seasoned developers.

VS Code has also become a proven weapon of Chinese threat actors as of late, thanks to its Remote Tunnels feature. Remote Tunnels is designed to allow developers to access and work on code on remote machines. In a different light, though, it's a perfect malicious payload, enabling command execution and file editing on remote systems in the context of a seemingly innocuous Microsoft program. The attackers behind Operation Digital Eye intended to use VS Code to maintain persistent backdoor access to victims, using innocuous file and service names and storing it in the Temp folder to further blend in with victims' normal business operations.

Tunneling with VS Code isn't quite as simple as loading malware onto a victim's machine, though — it requires a GitHub account and connection with an Azure server. Researchers aren't sure whether the attackers used stolen GitHub and Azure credentials, or registered their own accounts.

What is clear is that they turned this potential roadblock into an advantage, leveraging public cloud infrastructure in Western Europe to make their otherwise suspicious traffic look more legitimate, and more likely to evade notice by security tools. VS Code and Azure network traffic tends to avoid close scrutiny, the researchers noted, and are commonly allowed by application controls and firewall rules. "Combined with the full endpoint access it provides, this makes Visual Studio Code tunneling an attractive and powerful capability for threat actors to exploit," they wrote.

**The Trouble in Attributing Chinese Attackers**

The actual malware used in Operation Digital Eye did less to clarify than to confuse who, exactly, was behind the attacks.

The most notable tool in the mix, "bK2o.exe," is a modified version of the open source credential stealing tool Mimikatz, designed for pass-the-hash attacks. Its aim is to snag a New Technology LAN Manager (NTLM) hash, in lieu of the targeted user's actual password, to enable the further execution of processes within the user's security context.

BK2o.exe is just one among many Mimikatz variants deployed by several Chinese advanced persistent threats (APTs). Related variants have been observed in Operations Soft Cell and Tainted Love, associated with groups like APT41 and APT10. Researchers from SentinelLabs concluded that there is likely a shared vendor supplying many groups at once, as evidenced by the recent case of iSoon.

Also common to these many groups, besides their malware, is the intent behind their cyberespionage. In the case of Digital Eye, "Southern Europe's role as a Mediterranean hub intersects with China's Belt and Road Initiative, particularly in infrastructure investments like Greece's Port of Piraeus," notes SentinelLabs principal threat researcher Tom Hegel. "Cyber operations in this area likely support China's efforts to safeguard these investments, gain leverage in energy transit routes, and monitor naval activities critical to global trade and security. Economically, Southern Europe offers access to critical industries such as energy, shipping, aerospace, and agriculture, as well as opportunities for scientific and technological espionage, particularly in aerospace and renewable energy. Politically, the region's challenges provide opportunities for influence, allowing China to exploit economic dependencies, shape public sentiment, and potentially weaken EU and NATO unity."

He concludes that "In targeting Southern Europe, China seeks not only to secure competitive advantages but also to deepen its influence in a region vital to global trade, energy flows, and Western alliances."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Sprawling 'Operation Digital Eye' Attack Targets European IT Orgs

Protect your systems with automated patching and server hardening strategies to defend against vulnerabilities like the NTLM zero-day.…

Protect your systems with automated patching and server hardening strategies to defend against vulnerabilities like the NTLM zero-day. Stay proactive and secure your business.

A newly discovered Windows zero-day vulnerability exposes users across multiple Windows versions to credential theft. Discovered by 0patch researchers, this critical security flaw allows attackers to steal NTLM credentials through a deceptive yet simple method.

****What Makes This Vulnerability Dangerous?****

**Widespread Impact**

The vulnerability affects a wide range of Windows systems, including:

*   Windows Server 2022
*   Windows 11 (up to v24H2)
*   Windows 10 (multiple versions)
*   Windows 7 and Server 2008 R2

**Exploitation Mechanism**

Technical details of the vulnerability are withheld to minimize exploitation risk until Microsoft issues a fix to minimize any further risk of exploitation. 

The vulnerability enables attackers to steal a user’s NTLM credentials by luring them into opening a malicious file in Windows Explorer.

Attackers can trigger the vulnerability through minimal user interaction:

*   Opening a shared folder
*   Accessing a USB disk
*   Simply viewing a malicious file in Windows Explorer
*   Accessing the Downloads folder with a strategically placed file

****The Broader Context of Unpatched Vulnerabilities****

This isn’t an isolated incident. The same research team has previously identified multiple unresolved Windows vulnerabilities, including:

*   Windows Theme file issue
*   “Mark of the Web” vulnerability
*   “EventLogCrasher” vulnerability
*   Three NTLM-related vulnerabilities (PetitPotam, PrinterBug/SpoolSample, and DFSCoerce)

****0patch Micropatches****

0patch is offering a free micropatch for the latest NTLM zero-day to all users registered on its platform until Microsoft releases an official fix. The security micropatch has already been automatically deployed to PRO and Enterprise accounts, except in cases where configurations explicitly block automatic updates.

“The impact on enterprises using outdated and legacy infrastructure is more significant than the simple impact on operating costs, said Jim Routh,” Chief Trust Officer at cybersecurity company Saviynt. “In this case, the obsolete authentication application (NTLM) from MS enables threat actors to steal Windows credentials potentially compromising customer experience.”

****Focusing on the proactive approach****

Automated patch management, like the protection provided to PRO and Enterprise accounts through 0patch, is a great start, but organizations need to do more. Implementing strong server-hardening strategies can add multiple layers of defence by setting consistent security configurations across all systems.

This proactive approach goes beyond simply reacting to vulnerabilities, helping businesses stay protected against threats like the recent NTLM zero-day vulnerability.

1.  Hackers Use Excel Files for Remcos RAT Variant on Windows
2.  Godot Engine Exploited for Malware on Windows, macOS, Linux
3.  Windows SmartScreen Flaw Enabling Data Theft in Stealer Attack
4.  Windows Vulnerable to Command Injection via “BatBadBut” Flaw
5.  Russian Hackers Exploit Firefox and Windows 0-Days for Backdoor

Critical Windows Zero-Day Alert: No Patch Available Yet for Users

Another day, another supply chain attack!

****KEY POINTS****

*   **Cybersecurity researchers at ReversingLabs found that hackers used malicious code to combine the Ultralytics AI library to mine cryptocurrency.**

*   **Hackers exploited the library’s build system and injected XMRig mining software into updates 8.3.41 and 8.3.42.**

*   **The attack used GitHub Actions Script Injection and fake pull requests to gain access to the system.**

*   **With over 60 million downloads, the compromised library posed a risk, though the damage was limited to mining.**

*   **Developers and users must verify software updates and sources to avoid similar incidents.**

The latest research from ReversingLabs (RL) shared with Hackread.com, reveals that a popular AI library called _“_Ultralytics_“_ has been secretly mining cryptocurrency for someone else. This follows the recent discovery of the malicious aiocpa Python package, which was spreading an infostealer.  

On December 4th, an update (version 8.3.41) for Ultralytics hit the Python Package Index (PyPI), a repository for Python software. However, something else also hit the repository: Hackers had infiltrated the project’s build environment, which prepares the software for release. 

The content in the GitHub repository did not match the content of the matching PyPI package, as malicious actors compromised the build environment and injected malicious code after the code review process was completed.

The tampered code downloaded a program called XMRig, a cryptocurrency miner. The worst part, according to RL’s report, is that even a supposed “fix” (version 8.3.42) released the next day was also infected.

That’s because the project’s maintainers failed to locate the compromise, resulting in version 8.3.42, intended to address the incident and serve as a safe upgrade, containing the same malicious code. A clean version, 8.3.43, was released on the same day, resolving this supply chain attack.

In case you are wondering how the hackers got in, it all started with exploiting a GitHub Actions Script Injection to enter the build environment of a trusted npm package, @solana/web3.js. This injection allowed a malicious actor to create a fork of any repository using ultralytics/actions and craft a pull request from a branch with injection payload code in its title.

Next, two maliciously crafted pull requests, #18018 and #18020, were designed to enable backdoor access to the compromised environment. The user account behind this pull request, openimbot, and the remote connection established after the execution of the malicious payload were initiated from Hong Kong, based on information provided by ultralytics maintainers. By creating fake pull requests with cleverly crafted titles, actors tricked the system into running their malicious code.

A GitHub comment explaining what happened and limited details about the user involved in the hack (Screenshots via RL)

****Impact: 60 million downloads and 30,000 GitHub stars****

This attack had the potential to impact millions considering that Ultralytics boasts over 60 million downloads and 30,000 GitHub stars, indicating its widespread use. Thankfully, the damage seems limited to cryptocurrency mining.

However, this incident shows how vulnerable software supply chains can be. Malicious actors could have easily injected more dangerous code, like backdoors or remote access tools. This means, developers must be cautious at all stages to protect AI projects. 

It also shows the importance of software security, emphasizing the need for developers to double-check code changes from untrusted sources, and users to download software from trusted sources and keep it updated.

1.  **ChatGPT Sandbox Flaws Enabling Python Execution**
2.  **PyPI Exploited to Infiltrate Systems Through Python Packages**
3.  **PythonAnywhere** **Cloud Platform Abused to Host Ransomware**
4.  **Qubitstrike Malware Hits Jupyter Notebooks for Cryptojacking**
5.  **VMCONNECT: Malicious PyPI Package Mimicking Python Tools**

Ultralytics AI Library with 60M Downloads Compromised for Cryptomining

Plus: Russian spies keep hijacking other hackers’ infrastructure, Hydra dark web market admin gets life sentence in Russia, and more of the week’s top security news.

A consortium of global law enforcement agencies led by Britain’s National Crime Agency announced a takedown operation this week against two major Russian money-laundering networks that process billions of dollars each year in more than 30 locations around the world. WIRED had exclusive access to the investigation, which uncovered new and troubling laundering techniques, particularly schemes to directly change cryptocurrency for cash. As the United States government scrambles to address China’s “Salt Typhoon” digital espionage campaign into US telecoms, two senators demanded this week that the Department of Defense investigate its failure to secure its own communications and address known vulnerabilities in US telecom infrastructure. Meanwhile, Signal Foundation president Meredith Whittaker spoke at WIRED’s The Big Interview event in San Francisco this week about Signal’s enduring commitment to bring private, end-to-end encrypted communication services to people all over the world regardless of geopolitical climate.

A new smartphone scanner from the mobile device security firm iVerify can quickly and easily detect spyware and has already flagged seven devices infected with the invasive Pegasus surveillance tool. Programmer Micah Lee built a tool to help you save and delete your X posts after he offended Elon Musk and was banned from the platform. And privacy advocate Nighat Dad is fighting to protect women from digital harassment in Pakistan after escaping from an abusive marriage.

The US Federal Trade Commission is targeting data brokers who it says unlawfully tracked protesters and US military personnel, but the enforcement efforts seem likely to trail off under the Trump administration. Similarly, the US Consumer Financial Protection Bureau has devised a strategy to impose new oversight on predatory data brokers, but the new administration may not continue the initiative. Some new laws are finally coming around the world in 2025 that will attempt to regulate the dysfunction of the digital advertising industry, but malicious advertising is still booming around the world and continues to play a big role in global scamming.

And there’s more. Each week, we round up the security and privacy news we didn’t cover in-depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**US Officials Urge Americans to Encrypt Calls and Texts After Chinese Telecom Hacking**

Remember how the US federal government spent much of the last three decades periodically decrying the dangers of strong, freely available encryption tools, arguing that because they enable criminals and terrorists, they should be outlawed or required to implement government-approved backdoors? As of this week, the government will never again be able to make that argument without privacy advocates pointing to a particular phone call where two officials recommended Americans use exactly those encryption tools to protect themselves amidst an ongoing massive breach of US telecoms by Chinese hackers.

In a briefing with reporters about the breach of no fewer than eight phone companies by the Chinese state-sponsored espionage hackers known as Salt Typhoon, officials from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI both said that amid the still-uncontrolled infiltration of US telecoms that have exposed calls and texts, Americans should use encryption apps to safeguard their privacy. “Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication,” said Jeff Greene, CISA’s executive assistant director for cybersecurity. (Signal and WhatsApp, for instance, end-to-end encrypt calls and texts, though the officials didn’t name any particular apps.)

The recommendation amid what one senator has called “the worst telecom hack in our nation’s history” represents a stunning reversal from previous US officials’ rhetoric on encryption, and in particular the FBI’s repeated calls for access to backdoors in encryption. In fact, it was exactly this sort of government-approved wiretap capability requirement for US telecoms that the Salt Typhoon hackers in some cases exploited to access Americans communications.

**Russia’s FSB Hackers Keep Hijacking Other Hackers’ Infrastructure for Spying**

The hacker group known as Secret Blizzard, Snake, or Turla, widely believed to work for Russia’s FSB intelligence agency, is known for using some of the most ingenious hacking techniques ever seen to spy on its victims. One of the tricks that’s now become its signature move: hacking the infrastructure of other hackers to stealthily piggyback on their access. This week Microsoft’s threat intelligence researchers and security firm Lumen Technologies revealed that Turla gained access to the servers of a Pakistan-based hacker group and used its visibility into victim networks to spy on government, military and intelligence targets in India and Afghanistan of interest to the Kremlin. In some cases, Turla hijacked the Pakistani hackers’ access to install their own malware, while in other instances they appear to have used the other group’s tools for even greater stealth and deniability. The incident marks the fourth known time since 2017, when it penetrated an Iranian hacker group’s command-and-control servers, that Turla has freeloaded on another hacker group’s infrastructure and tooling, according to Lumen.

**Admin of Russian Dark Web Market Hydra Sentenced to Life in Prison**

The Russian government is known for turning a blind eye to cybercrime—until it doesn’t. This week 15 convicted members of the notorious dark web market Hydra learned the limits of that forbearance when they reportedly received prison sentences ranging from 8 years to 23 years, as well an unprecedented life sentence for the site’s creator Stanislav Moiseyev. Before it was taken down two years ago in a law enforcement operation led by IRS criminal investigators in the US and Germany’s BKA police agency, Hydra was a uniquely sprawling dark web marketplace, one that not only served as the post-Soviet world’s biggest online bazaar for narcotics but also a vast money laundering machine for crimes including ransomware, scams, and sanctions evasion. In total, Hydra enabled more than $5 billion dollars in dirty cryptocurrency transactions since 2015, according to crypto tracing firm Elliptic.

**Suspected Ransomware Actor “Wazawaka” Reportedly Charged and Apprehended by Russia**

Russian law enforcement charged and arrested a software developer last week who is suspected of prolific contributions to multiple ransomware groups, including building malware to extort money from businesses and other targets. The suspect is reportedly Mikhail Matveev, or “Wazawaka,” who has worked as an affiliate with ransomware gangs like Conti, LockBit, Babuk, DarkSide, and Hive. Social media reports indicate that Matveev confirmed his indictment and said that he has been released from law enforcement custody on bail.

Russia’s prosecutor general did not name Matveev, but described charges last week against a 32-year-old hacker under Article 273 of Russia’s Criminal Code, which bans the creation or use of malware. The move came as Russia seemed to be sending some sort of message about its tolerance for cybercrime with the sentencing of the dark web marketplace Hydra’s staff, including a life sentence for its administrator. In 2023, the US government indicted and sanctioned Matveev.

**FBI Is Investigating Exxon Lobbyist Firm Over Hack-and-Leak Operation Targeting Activists**

In a disturbing scoop (one we didn’t cover last week due to the Thanksgiving holiday), Reuters reporters have revealed that the FBI is now investigating a lobbying consultancy hired by Exxon over the firm’s role in a hack-and-leak operation that targeted climate change activists. DCI Group, a lobbying firm hired at the time by Exxon, allegedly gave a list of target activists to a private investigator who then outsourced a hacking operation against those targets to mercenary hackers. After the private investigator—an Israeli man named Amit Forlit, who was later arrested in London and faces US hacking charges—allegedly gave the hacked material to DCI, it leaked the activists’ internal communications about climate change litigation against Exxon to the media, Reuters discovered. The FBI, according to Reuters, has determined that DCI also first previewed that material to Exxon before leaking it. “Those documents were directly employed by Exxon to come after me with all guns blazing,” one attorney working with the activist group, the Center for Climate Integrity, told Reuters. “It turned my life upside down.”

Exxon has denied knowing about any hacking activities and DCI told Reuters in a statement that “we direct all our employees and consultants to comply with the law.”

US Officials Recommend Encryption Apps Amid Chinese Telecom Hacking

The threat actors behind the More_eggs malware have been linked to two new malware families, indicating an expansion of its malware-as-a-service (MaaS) operation.
This includes a novel information-stealing backdoor called RevC2 and a loader codenamed Venom Loader, both of which are deployed using VenomLNK, a staple tool that serves as an initial access vector for the deployment of follow-on

Tag

#backdoor