Fortinet discovers two malicious Python packages, Zebo-0.1.0 and Cometlogger-0.1, designed to steal data, capture keystrokes, and gain system control. Learn about their malicious behavior and how to protect yourself

****KEY SUMMARY POINTs from the article**  **

*   **Malicious Packages Identified**: Zebo-0.1.0 and Cometlogger-0.1 are malicious Python packages discovered on PyPI.

*   **Sensitive Data Theft**: These packages steal user data through keylogging, screenshot capturing, and information exfiltration.

*   **Persistence Mechanisms**: They establish long-term control by creating startup scripts to re-execute on system reboot.

*   **Obfuscation Techniques**: Advanced obfuscation methods help the packages evade detection and security systems.

*   **Wide Impact**: These threats compromise developers and platforms reliant on PyPI, posing major privacy and security risks.

On November 24, 2024, Fortinet FortiGuard Lab’s AI-based detection system identified **Python malware** in two malicious Python packages, Zebo-0.1.0 and Cometlogger-0.1, targeting unsuspecting users for their data.

These packages can steal sensitive information, capture screenshots, log keystrokes, and establish unauthorized control over infected systems, researchers noted in the **blog post** shared with Hackread.com.

****What is Zebo-0.1.0?****

Zebo-0.1.0 exhibits typical malware characteristics, including functions designed for surveillance, data exfiltration, and unauthorized control, and utilizes libraries like pynput and ImageGrab, along with obfuscation techniques, indicating clear malicious intent. 

The script employs obfuscation to hide its true functionality, making it harder for users or security systems to understand its actions. This obfuscation can bypass security measures, allowing the malware to run undetected. 

Zebo-0.1.0 leverages pynput to log every keystroke made by the user and also captures screenshots of the desktop, potentially violating their privacy. Furthermore, the script exfiltrates sensitive information, such as keystrokes and screenshots, to a remote server, compromising user privacy.

To ensure persistence, the malware creates a Python script and a batch file in the Windows Startup folder, ensuring its re-execution upon system startup, making it difficult to remove and increasing the risk of long-term damage.

****What is Cometlogger-0.1?****

Cometlogger-0.1 maintains a long-term presence on the victim’s system and uses advanced techniques like obfuscation, keylogging, screen capturing, and data exfiltration to compromise user data. It dynamically requests a “webhook” from the user and embeds it into Python files, allowing for potential manipulation by unauthorized users. This can redirect sensitive data to malicious servers or facilitate command-and-control operations. 

The script also targets various platforms like Discord, Steam, Instagram, and Twitter, stealing tokens, passwords, and account information. Additionally, it employs anti-VM detection techniques to evade analysis and incorporates dynamic file modification capabilities, enabling the injection of malicious code.

Both packages are a major threat to user privacy and security. Zebo-0.1.0 actively collects sensitive data and transmits it to remote servers. Cometlogger-0.1, on the other hand, focuses on information theft and maintaining a persistent presence on the victim’s system. The affected systems include all those platforms where PyPI packages can be installed with a High severity level, and threatens individuals or institutions whoever has installed these **malicious packages**.

Data stolen by the malware (Via Fortinet FortiGuard Lab)

The Python Package Index (PyPI) has become an invaluable resource for developers, offering a vast repository of reusable code. However, this convenience comes with inherent risks as malicious actors are increasingly exploiting it by publishing malicious packages that, when installed, can compromise systems. Socket Security researchers last month **discovered** another malicious Python package called “Fabrice” on PyPI downloaded over 37,000 times since its inception in 2021, harvesting AWS credentials from developers for three years.

To protect against these threats, it is crucial to disconnect from the internet, isolate the infected system, use reputable antivirus software, and reformat the system if necessary.

1.  **Why is learning Python important in Data Science?**
2.  **6 official Python repositories plagued with cryptomining malware**
3.  **PythonAnywhere Cloud Platform Abused for Hosting Ransomware**
4.  **Python in Threat Intelligence: Analyzing – Mitigating Cyber Threats**
5.  **NTLM Credential Theft in Python Apps Threaten Windows Security**

Python Malware in Zebo-0.1.0 and Cometlogger-0.1 Found Stealing User Data

The ABB BMS/BAS controller suffers from an authenticated reflected cross-site scripting vulnerability. Input passed to the GET parameter 'name' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

Title: ABB Cylon Aspect 3.08.02 (WatchDogServlet) Authenticated Reflected XSS  
Advisory ID: ZSL-2024-5886  
Type: Local/Remote  
Impact: Cross-Site Scripting  
Risk: (3/5)  
Release Date: 24.12.2024

**Summary**

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

**Description**

The ABB BMS/BAS controller suffers from an authenticated reflected cross-site scripting vulnerability. Input passed to the GET parameter 'name' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
Firmware: <=3.08.02

**Tested On**

GNU/Linux 3.15.10 (armv7l)  
GNU/Linux 3.10.0 (x86\_64)  
GNU/Linux 2.6.32 (x86\_64)  
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
PHP/7.3.11  
PHP/5.6.30  
PHP/5.4.16  
PHP/4.4.8  
PHP/5.3.3  
AspectFT Automation Application Server  
lighttpd/1.4.32  
lighttpd/1.4.18  
Apache/2.2.15 (CentOS)  
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86\_64)  
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)  
ErgoTech MIX Deployment Server 2.0.0

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[03.12.2024\] Vendor releases version 3.08.03 to address this issue.  
\[24.12.2024\] Coordinated public security advisory released.

**PoC**

abb\_aspect\_xss4.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch  
\[2\] https://www.cve.org/CVERecord?id=CVE-2024-6516  
\[3\] https://nvd.nist.gov/vuln/detail/CVE-2024-6516  
\[4\] https://packetstorm.news/files/id/183295/

**Changelog**

\[24.12.2024\] - Initial release  
\[25.12.2024\] - Added reference \[4\]

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ABB Cylon Aspect 3.08.02 (WatchDogServlet) Authenticated Reflected XSS

Changes at CISA and promises of more public-private partnerships and deregulation are just a few ways the incoming administration could upend the feds' role in cybersecurity.

Abaca Press via Alamy Stock Photo

Before it was subsumed by political commentary, the Cybersecurity and Infrastructure Security Agency (CISA) was a Trump accomplishment — signed into existence in 2018 during his first administration. But that was before accusations of dirty politics and free speech shenanigans turned CISA into a conservative pariah.

Now, CISA is facing an existential political clash with the incoming Trump administration, threatening to take much of the US federal government's involvement in cybersecurity along with it. The result could potentially increase cyber-risk, but also open up business, investment, and innovation opportunities. A lot of things can be true at once.

CISA's original mandate couldn't have seemed more apolitical: coordinate defending US infrastructure against cyberattacks, and then help share critical information among US enterprises to increase the nation's overall posture in the bargain. But then came the 2020 election, CISA's efforts to combat what the agency deemed "misinformation," and the subsequent conservative backlash.

**Trump and the Politics of CISA**

Chis Krebs, then the agency's director, was very publicly fired just weeks after the 2020 election for rejecting claims of fraud from the Trump administration, and has remained a high-profile political player ever since. Krebs is a regular on the cable news circuit, and in July 2023, he confirmed to CNN that he was interviewed by special counsel Jack Smith in the investigation into Trump and the 2020 election. In the runup to the 2024 election, Krebs appeared on outlets including Face the Nation to once again push back on Trump campaign claims of election fraud.

His replacement, Jen Easterly, took a more low-key approach. Her accessibility, deep military ties, and cybersecurity expertise — sprinkled with a dash of aspirational cool-girl charm — made her a hit among the cyber rank-and-file. She also mostly stayed away from politics, leading the fledgling agency through a crucial four years. But that effort, however disciplined and well intentioned, hardly spared Easterly or CISA from widespread conservative ire. In January 2024, Easterly was even targeted at home in a swatting incident.

"I think Jen Easterly had a tremendous challenge solidifying the role of a very young agency, and one mired in allegations from Republican politicians," cybersecurity expert Jake Williams tells Dark Reading. "Given those very real challenges, she did an outstanding job. I can only imagine what could have been with bipartisan support for CISA's many missions."

Following the 2024 election, Easterly said she will resign on Inauguration Day. But the agency is still at work, publishing a draft of an updated National Cyber Incident Response Plan for federal agencies and industry to work together during major cyber events, which is open for comments until January 2025.

That kind of coordination between CISA and the private sector was exactly what the agency was built to become under the Biden administration. It took a proactive role in developing cybersecurity standards, and offering cybersecurity grants to states to invest in their own cyber operations, led largely by the efforts of Easterly. During his administration, President Biden allocated billions to strengthen the US cybersecurity infrastructure, and signed a flurry of executive orders on everything from AI to zero trust in an effort to raise the country's level of cyber preparedness.

Some of the agency's notable accomplishments during the past four years included establishment of the joint cyber defense collaborative (JCDC) and the Known Exploited Vulnerabilities (KEV) program, according to Casey Ellis, Bugcrowd founder. Ellis also worked with CISA on the federal CEB vulnerability disclosure program, where CISA serves as a repository for researchers who discover flaws in government systems so they can be reported and mitigated more quickly.

There have been setbacks as well. While the KEV list has been credited with speeding up remediation, it can take months to make the list. Much of that new cyber infrastructure and rulemaking also came with regulation and compliance headaches that some criticized as a barrier to innovation, particularly by Congress. Others defended the agency's moves as necessary to drive security investment.

"Under Jen Easterly, CISA's proactive initiatives such as Secure by Design and faster reporting of attacks by companies were positive for both the sell and buy side of the cybersecurity industry," says Jason Soroko, senior fellow at Sectigo. "What could be seen as regulatory burden was actually a positive call to arms to do the right thing."

Accomplishments and accolades aside, Easterly and CISA haven't been able to convince key conservatives like Sen. Rand Paul, who is about to chair the Senate Homeland Security and Governmental Affairs Committee, which oversees CISA, that the agency is doing any good. After acknowledging he probably won't be able to eliminate CISA altogether, last month Paul vowed to inflict strict limits for actions he said the agency took to target conservative voices as part of its work in combatting foreign influence operations. At a minimum, CISA will likely be stripped of its mandate to investigate misinformation.

Williams also expects the agency will have a diminished role in overseeing election security, the very issue that catapulted the cyber agency into the national headlines in 2020.

**Cybersecurity Opportunities Under Trump 2.0**

A shrinking CISA footprint and the Trump administration's expressed distaste for regulation and interest in opening government operations to more public-private partnerships mean there are going to be potential opportunities in the next few months for the private sector that hadn't existed before.

"I expect we'll see a more direct set of conversations around cyber offense and deterrence, especially as it relates to countering Russia, Iran, and in particular, China," Ellis predicts. "This could include changes to the structure of \[the National Security Agency\] and Cyber Command, and the inclusion of the private sector in defend-forward and disruption operations."

Beyond new opportunities to work with government, Ellis adds cybersecurity deregulation is on the way.

"In general, I think we can expect a more overt and domestically deregulated approach to cyberspace, reflecting the general policy approach of the Trump administration and a more open acknowledgement that Cold War 2 is already underway."

The new administration also likely signals a change in federal enforcement of Securities and Exchange Commission (SEC) regulations against chief information security officers (CISOs), like what security executives from SolarWinds and Uber experienced, according to expert John Bambenek.

"Regulatory enforcement on companies will lessen, for instance, \[and\] it is doubtful CISOs will see any government attempts to make them liable for breaches," Bambenek says. "I'm not sure any more antitrust action will commence against large tech companies either, which will fuel further consolidation of technology and security companies."

There is cautious optimism this more hands-off approach from the Trump administration will include maintaining a basic role for the federal government in cybersecurity. It's particularly necessary in terms of resources, according to Roselle Safran, the director of the White Office of the President security operations center under Barack Obama, and currently president of cybersecurity company KeyCaliber.

"While there are certainly plenty of other issues that appear to be top priorities for the next administration, it is my hope that cybersecurity will not be relegated to the back burner," Safran says. "It's important that there is recognition that cybersecurity needs significant and sustained resources."

Trump takes office against the backdrop of unprecedented numbers of cyberattacks, the rise of artificial intelligence, and cyber-military conflicts across the globe. Keeping politics out of the conversation is the best way for CISA to continue its work beyond the next election, experts advise. However, that might be an impossible challenge.

"I'm concerned about some of the negative sentiment around CISA impacting progress that has been made since 2018," Ellis adds. "However, I am cautiously optimistic that the priorities Trump had in mind when he formed the agency will see its overall defensive mission carry forward."

Trump 2.0 Portends Big Shift in Cybersecurity Policies

KEY SUMMARY POINTS Securelist by Kaspersky has published its latest threat intelligence report focused on the activities of…

****KEY SUMMARY POINTS****

*   **Focus Shift to Nuclear Industry**: The Lazarus Group, linked to North Korea, has shifted its targets to the nuclear industry, marking a potential escalation from its earlier focus on defense, aerospace, and cryptocurrency.

*   **Fake Job Posting Tactics**: Their attacks, observed in January 2024, employ fake job postings (Operation DreamJob) to deliver malicious files disguised as job assessments, gaining access to victims’ systems.

*   **Advanced Malware Techniques**: The group uses sophisticated tools like Ranid Downloader and a novel plugin-based malware, “CookiePlus,” which operates in memory, making it harder for security systems to detect.

*   **Exploitation of Vulnerabilities**: Lazarus continues refining its tactics, exploiting vulnerabilities like Google Chrome zero-day and leveraging innovative malware like “RustyAttr” on macOS.

*   **Call for Caution**: The increasing sophistication and activity of the Lazarus Group underscore the need for heightened cybersecurity measures, particularly in sensitive industries.

Securelist by Kaspersky has published its latest threat intelligence report focused on the activities of the notorious Lazarus hacking group, which, as we know it, has links to the North Korean government.

According to Securelist’s research, the Lazarus Group has shifted its focus to targeting individuals within the nuclear industry lately. This indicates an upcoming escalation in their operations, as they previously concentrated on sectors like defense, aerospace, and cryptocurrency. 

“We observed a similar attack in which the Lazarus group delivered archive files containing malicious files to at least two employees associated with the same nuclear-related organization over the course of one month,” the report read.   

Malicious files created on the victims’ hosts (Via Secure List)

The attacks observed by Kaspersky occurred in January 2024 and followed the pattern of using fake job postings, a tactic known as the DeathNote campaign or “Operation DreamJob.”

This involves creating fake job postings and enticing potential victims with tempting career opportunities. During the “interview” process, malicious files are subtly introduced, often disguised as legitimate assessment tests.

The attack starts with an initial file disguised as job assessments for prominent companies, which contains a ZIP archive with malicious executables or trojanized legitimate tools like VNC viewers.

Once executed, the trojan prompts the victim to enter an IP address provided by the attackers via separate communication channels like messenger apps. This grants the attackers unauthorized access to the compromised machine, enabling them to move laterally within the network and potentially steal sensitive data or disrupt critical operations.  

An XOR key is generated based on the IP address to decrypt the internal resources of the VNC executable and unzip the data. The unzipped data is then downloaded by Ranid Downloader, which fetches further malicious payloads like MISTPEN, RollMid, LPEClient, Charamel Loader, ServiceChanger, and CookiePlus. The payload type (DLL or shellcode) is determined by a flag within the data structure. The execution results of these plugins are encrypted and sent back to the C2 server.

A key innovation in these recent attacks is the introduction of “CookiePlus,” a novel plugin-based malware. This downloader operates primarily in memory, loading malicious payloads dynamically. This evasive technique makes it harder for traditional security solutions to detect and mitigate the threat.

The development of CookiePlus demonstrates the Lazarus Group’s continuous efforts to refine its tools and evade detection. By introducing new modular malware and adapting their tactics, they aim to maintain a persistent presence within targeted networks and achieve their objectives.

The group has been particularly active lately. In November Group-IB discovered the Lazarus group’s new trojan, “RustyAttr,” which hides malicious code in extended attributes on macOS systems and in October the group exploited a Google Chrome zero-day vulnerability to target cryptocurrency investors with a deceptive NFT game. This calls for continuous vigilance to safeguard your digital assets.

1.  Lazarus Exploits Chrome 0-Day with Fake NFT Game
2.  North Korean Hackers Team Up with Play Ransomware
3.  Lazarus’ Magecart attack steal card data from EU, US sites
4.  Lazarus Hits Blockchain Pros with Fake Video Conferencing
5.  Lazarus hackers suspected of targeting Indian space agency

Lazarus Group Targets Nuclear Industry with CookiePlus Malware

The number of Non-Human Identities (NHIs) in many organizations has exploded. Key trends, drivers, and market landscape in this fast-developing area are explored.

Don Tait, Senior Analyst, Omdia

December 23, 2024

4 Min Read

COMMENTARY

The growth in systems communicating over the internet without human involvement has been dramatic in recent years. The Internet of Things (IoT) is driving more machine-to-machine (M2M) communications without human intervention. There is also an explosion in application development underpinning the need for digital transformation, which is turbocharged by remote working and the ever-increasing adoption of e-commerce. This means that pieces of software code are interacting autonomously across networks as never before.   

There is a need to manage system identities in the sense of what they are and what they can and cannot do when they are online. For example, can they both send and receive data? Where can they send it? In what volumes and formats? Can they access data that resides elsewhere, make copies, and forward it on, even to recipients outside the organization? Just as importantly, has their identity changed since the last time they were online, e.g., with extra access rights or new software on board that was not there before? Non-human identities (NHI) are already estimated to outnumber human identities by a ratio of 50 to one (50:1). With more and more business processes being automated by artificial intelligence (AI)/generative AI (GenAI) and accessed by AI-enabled services, NHI growth is likely to accelerate even further, bringing yet more expansion in the threat landscape.

Related:Identity Orchestration Is Gaining Traction

**Why NHI Management is Required**

NHIs can be defined as digital identities tied to entities like applications, services, and machines within an enterprise technology stack. These include bots, API keys, service accounts, OAuth tokens, cloud services, and other credentials that allow machines or software to authenticate, access resources, and communicate within a system.

The need for effective NHI management (NHIM) arises from several key factors:

*   IT infrastructures are becoming more complex: Modern IT infrastructures are characterized by their complexity, featuring a myriad of interconnected systems, cloud services, and devices, including, in many cases, a host of IoT devices that operate autonomously. Managing the identities of non-human entities within such environments is essential for ensuring accountability, traceability, and security.
    
*   An increase in automation: Organizations are increasingly adopting automation to streamline processes, improve efficiency, and reduce manual intervention, with agentic AI only intensifying the trend. Non-human entities, including bots, scripts, and automated workflows, execute tasks autonomously, necessitating proper identity management to prevent unauthorized access and misuse.
    
*   An increase in cybersecurity threats: Cybercriminals often target NHIs, particularly those in the IoT area that operate without human intervention, seeking to exploit vulnerabilities for malicious purposes. Weak authentication mechanisms, misconfigured permissions, and inadequate monitoring can leave non-human entities susceptible to attacks, leading to data breaches, system compromises, and service disruptions.
    

Related:How CISOs Can Communicate With Their Boards Effectively

**A Nascent Market, Ripe for Acquisitions**

The NHI market is still developing, as demonstrated by the fact that most players are startups. This includes companies like: 

*   Aembit; Andromeda Security; Astrix; AxisNow; Clarity Security; Clutch Security; Corsha; Entro Security; Natoma; Oasis; P0 Security; SlashID; TrustFour; Unosecur; Veza; Whiteswan Security
    

Some of these vendors are focused more specifically on NHI security while others provide broader NHIM capabilities, often described as NHI governance. We plan to deliver a report comparing and contrasting the leading players in this space in 2025.

Omdia believes that since most of the players in the NHI market are startups, they are ripe for acquisition by the larger identity security platform vendors. Indeed, one or two startups have already been acquired, such as Authomize, which privileged access management (PAM) vendor Delinea purchased in January this year. Whilst in May 2024, CyberArk (the market leader in PAM) acquired Venafi for $1.5bn. Venafi was an exception amongst the NHI specialists, because it had been around much longer, thanks to its certificate lifecycle management (CLM) and key management background.

Related:Managing Threats When Most of the Security Team Is Out of the Office

**Conclusions**

The growth in devices communicating over the internet with no humans involved in the process has raised awareness of the need to manage these system’s identities. Omdia believes that over the coming years, NHI growth is likely to accelerate and further increase the threat landscape. Enterprises must be aware that trends such as the adoption of cloud, microservices, and DevOps have fueled the growth of NHIs in enterprise environments. Omdia also believes that opportunities for vendors in the identity security market are still huge, as machine identities already outnumber human identities by a ratio of 50:1. That figure is only likely to increase going forward.

Non-Human Identities Gain Momentum, Requires Both Management, Security

The ABB BMS/BAS controller suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through POST parameters, including REMOTE, IP1, IP2, IP3, IP4, and NAME, called by the syslogUpdate.php script.

Title: ABB Cylon Aspect 3.08.02 (syslogUpdate.php) Remote Code Execution  
Advisory ID: ZSL-2024-5885  
Type: Local/Remote  
Impact: System Access, DoS  
Risk: (4/5)  
Release Date: 23.12.2024

**Summary**

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

**Description**

The ABB BMS/BAS controller suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through POST parameters, including REMOTE, IP1, IP2, IP3, IP4, and NAME, called by the syslogUpdate.php script.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
Firmware: <=3.08.02

**Tested On**

GNU/Linux 3.15.10 (armv7l)  
GNU/Linux 3.10.0 (x86\_64)  
GNU/Linux 2.6.32 (x86\_64)  
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
PHP/7.3.11  
PHP/5.6.30  
PHP/5.4.16  
PHP/4.4.8  
PHP/5.3.3  
AspectFT Automation Application Server  
lighttpd/1.4.32  
lighttpd/1.4.18  
Apache/2.2.15 (CentOS)  
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86\_64)  
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)  
ErgoTech MIX Deployment Server 2.0.0

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[03.12.2024\] Vendor releases version 3.08.03 to address this issue.  
\[23.12.2024\] Coordinated public security advisory released.

**PoC**

abb\_aspect\_rce16.html

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch  
\[2\] https://www.cve.org/CVERecord?id=CVE-2024-48839  
\[3\] https://nvd.nist.gov/vuln/detail/CVE-2024-48839  
\[4\] https://packetstorm.news/files/id/183294/

**Changelog**

\[23.12.2024\] - Initial release  
\[25.12.2024\] - Added reference \[4\]

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ABB Cylon Aspect 3.08.02 (syslogUpdate.php) Remote Code Execution

Since October 2023, cyberattacks among countries in the Middle East have persisted, fueled by the conflict between Israel and Hamas, reeling in others on a global scale.

Source: Skorzewiak via Alamy Stock Photo

It's been more than a year since the conflict between Hamas and Israel began, and the cyber battle between the two entities rages on, involving a variety of perpetrators and using playbooks of other global conflicts.

Here are some of the top developments over the duration of this cyberwar and what we can expect to see in 2025.

**Beginning Stages**

Soon after Hamas launched its strikes against Israel, more than a dozen threat groups declared their intent to begin cyberattacks against Palestine, Israel, and their respective supporters. Some of these groups include Killnet, Anonymous Sudan, Team insane, Mysterious Team Bangladesh, and Indian Cyber Force.

In the initial days, the first cyberattack victims were the Jerusalem Post at the hands of Anonymous Sudan, and the Tel Aviv Sourasky Medical Center, which was attacked by Sylhet Gang, ultimately leading to operational disruption.

As the cyberattacks continued, Krypton network offered to sell its distributed denial-of-service (DDoS) capabilities to hacktivists interested in targeting Israeli organizations. But attacks flew from the other side as well when ThreatSec reportedly attacked AlfaNet, a Palestinian Internet service provider, causing the company's servers to shut down and gaining control of more than 5,000 servers in Gaza in the process.

Related:'Dubai Police' Lures Anchor Wave of UAE Mobile Attacks

Then, in its first post on X, Predatory Sparrow, a pro-Israeli hacktivist group, reappeared on the scene. 

The group said to its followers, "You think this is scary? We're back. We hope you're following the events in Gaza" — and included a link to a report on the US sending fighter planes and warships to support Israel.

**Cyberwar on a Global Scale**

Roughly a month after the conflict began, FBI Director Christopher Wray warned that the war in the Middle East raised the threat of cyberattacks against the US, citing an increase in attacks on US military bases overseas, anticipating both physical and cyberattacks.

The FBI once more issued warnings, this time regarding cybercriminals masquerading as fundraisers and charities, reaching out to individuals via email, social media, phone calls, and crowdfunding websites, all to convince victims that their cryptocurrency funds would go to Israeli or Palestinian victims. A Netcraft report traced $1.6 million of crypto to these fake accounts, a grand show of their influence.

By the end of 2023, Israeli company CyTaka hired a network of cyber hackers from around the world to counter anti-Israel online activity, while cyberattackers known as Gaza Cybergang used a variation of the Pierogi++ backdoor malware against both Palestinian and Israeli targets.

Related:Governments, Telcos Ward Off China's Hacking Typhoons

**A Year in Review**

This past year began with Turkish hacktivists projecting political, violent messages about the conflict between Israel and Gaza at a highly frequented movie theater in Tel Aviv. 

In July, an Israeli army chief reported thwarting some 3 billion cyberattacks since the conflict began. Cyberattacks against the Israeli Defense Forces (IDF) included targeting operation systems necessary for the military's functioning, though details were not provided on the nature of the attacks.

Then in October, security firm ESET reported a "security incident" affecting its partner company in Israel. It cited a malicious email campaign that was blocked and ultimately denied any true compromise over its systems. 

Just last month, "Wirte," an advanced persistent threat (APT) supporting Hamas and its agenda, was reported to be conducting espionage against governments in the Middle East and wiper attacks against Israel. The APT uses phishing attacks containing documents, legitimate resources, and malware, sometimes using the IronWind loader, which employs a multistage infection chain to drop its malicious payload.

**Next on the Horizon**

Observers and industry experts expect more of the same in 2025. The conflict has intensified cyber threats, with state-sponsored actors and hacktivist groups continuing to exploit global tensions.

Related:African Law Enforcement Nabs 1,000+ Cybercrime Suspects

"We can expect an escalation in sophisticated phishing campaigns, disinformation efforts, and attacks on critical infrastructure," said Stephen Kowski, field CTO at SlashNext Email Security+, in an emailed statement to Dark Reading. "Organizations should prioritize real-time threat intelligence and advanced AI-powered detection systems to stay ahead of evolving tactics."

In addition, he recommended that organizations prepare themselves with robust employee training and implement multilayered security measures to mitigate against future attacks.

"\[This\] will be crucial in defending against the anticipated surge in social engineering and targeted malware attacks," Kowski added.

John Bambenek, president of Bambenek Consulting, offered a different take. "At this point, with the loses endured by Hamas, they are more focused on survival and have significantly reduced capabilities even in the cyber realm," Bambenek said in an emailed statement to Dark Reading.

In 2025, he believes attention should be focused on Iran, a country that has been a major power player in this conflict.

"If recent reports are true and Israel is considering military strikes in the short term against Iran, that likely could easily escalate into a 'weapons-free' mindset with cyberattacks," he said. "Recent research by Team82 indicates the Iranian government has already decided to field test and preplace capability to launch ICS/OT attacks broadly, should such an escalation occur and those attacks likely will include the US and Europe."

Middle East Cyberwar Rages On, With No End in Sight

In Russia’s war against Ukraine, electronic warfare, including signal-jamming, anti-drone weapons, and innovative protections for critical military systems, has become a key piece of the conflict.

The Invisible Russia-Ukraine Battlefield

Italy's data protection authority has fined ChatGPT maker OpenAI a fine of €15 million ($15.66 million) over how the generative artificial intelligence application handles personal data.
The fine comes nearly a year after the Garante found that ChatGPT processed users' information to train its service in violation of the European Union's General Data Protection Regulation (GDPR).
The authority

Italy Fines OpenAI €15 Million for ChatGPT GDPR Data Privacy Violations

While a number of threat groups have used TP-Link bugs to infiltrate networks, a proposed ban of the company's popular routers is more about geopolitics than actual cybersecurity — and that may not be a bad thing.

Source: metamorworks via Shutterstock

With US government agencies and lawmakers reportedly considering a ban on TP-Link's products in the United States, one might think the company would rank high on the list of networking vendors with the most vulnerabilities currently being exploited by cyberattackers.

Not by a long shot.

The Chinese firm, whose products are popular among consumers and small businesses, currently has two security issues gracing the Known Exploited Vulnerabilities (KEV) list curated by the Cybersecurity and Infrastructure Security Agency (CISA), compared with 74 for Cisco Systems, 23 for Ivanti, and 20 for D-Link.

Yet US government officials' concern is less about known vulnerabilities, and more about unknown risks, including its routers' popularity in the United States — where it accounts for about two-thirds of the market — and the degree to which the company is beholden to China's government.

While no researcher has called out a specific backdoor or zero-day vulnerability in TP-Link routers, restricting products from a country that is a political and economic rival is not unreasonable, says Thomas Pace, CEO of extended Internet of Things (IoT) security firm NetRise and a former head of cybersecurity for the US Department of Energy.

"The value to me \[of a ban\] is almost more around economic policy value than pure technical cybersecurity value," he says. "To me, there is value in saying you shouldn't buy these things because of X, Y, and Z reasons \[and to make it\] more difficult for small businesses, or whoever, to get their hands on devices from these companies."

Related:BlackBerry to Sell Cylance to Arctic Wolf

**TP-Link — Not a Vulnerability Stand-Out**

In April 2024, one of two TP-Link vulnerabilities attracted the most vulnerability scanning by threat actors, according to an analysis by cloud and application-security firm F5. The issue, a command injection vulnerability for TP-Link's Archer AX21 router (CVE-2023-1389), allows an unauthenticated attacker to easily compromise a device via a simple POST request.

TP-Link ranks low on the list of networking vendors with known exploited vulnerabilities. Source: Author from CISA data

In another incident, security firm Check Point Software Technologies discovered that TP-Link devices were also compromised with an implant known as Camaro Dragon. The implanted components were discovered in modified TP-Link firmware images, and not the original software shipped by the company, says Itay Cohen, research lead at Check Point Research.

Yet Cohen stresses that the implants were written in a firmware-agnostic manner and not specific to any particular product or vendor.

"It is worth noting that this kind of attack is not aimed specifically at sensitive networks, but rather at regular residential and home networks," he says. "Therefore, infecting a home router does not necessarily mean that the homeowner was a specific target, but rather that their device was merely a means to an end for the attackers."

Related:Versa Introduces Integrated Endpoint Data Loss Prevention in SASE Solution

The threat posed by such vulnerabilities and implants are real, but the data from the KEV catalog shows that other manufacturers are just as likely to have their vulnerabilities exploited — and there are more of them. The lesson is that vulnerabilities in embedded devices are not unique to any one manufacturer or country of origin, says Sonu Shankar, chief product officer at Phosphorus Cybersecurity, an extended IoT cybersecurity provider.

"Nation-state actors frequently exploit weaknesses in devices from companies worldwide, including those sold by American manufacturers," he says. "Devices lacking basic security hygiene — such as the use of strong passwords, timely firmware patching, or proper configurations — can become easy targets for cyberattacks."

TP-Link stressed this fact in a statement sent to Dark Reading.

"Many brands of consumer electronics are targeted by hackers, and we support government efforts to hold all producers to the same standard," a company spokesperson said. "We welcome opportunities to engage with the federal government to demonstrate that our security practices are fully in line with industry security standards, and to demonstrate our ongoing commitment to the American market, American consumers, and addressing US national security risks."

Related:Test Your Cyber Skills With the SANS Holiday Hack Challenge

**China's Government Oversight Is Pervasive**

But those assertions may be minimizing the influence of the Chinese government on the company's operations: Most Western companies do not understand the degree to which Chinese officials monitor China's business sectors — and cybersecurity firms — as a component of government policy and national strategy, NetRise's Pace says.

"It's a totally different business culture," he says. "There is a member of the PRC in every company — that's not even like an opinion, it's just how it is. And if you think they're not there to exert their influence, then you're just an unbelievably naive person, because that's exactly what they do, \[including\] for the purposes of intelligence gathering."

Threat intelligence analysts have flagged the Chinese government national strategy documents and evidence showing their increasing efforts to compromise rival nations' infrastructure — such as the attacks by Volt Typhoon and Salt Typhoon.

"In recent years we see Chinese threat actors’ increasing interest in compromising edge devices, aiming to both build resilient and more anonymous C2 infrastructures, and to gain a foothold in certain targeted networks," Check Point stated in its analysis, but added that the "discovery of the firmware-agnostic nature of the implanted components indicates that a wide range of devices and vendors may be at risk."

China's networking products are not alone in being targeted by the US government, which also banned the products of antivirus firm Kaspersky because of national security concerns, given that it's a Russian company.

**The Global Cyber Reality of Home Routers: Buyer Beware**

Companies and consumers should do their due diligence, keep their devices up to date with the latest security patches, and consider whether the manufacturer of their critical hardware may have secondary motives, says Phosphorus Cybersecurity's Shankar.

"The vast majority of successful attacks on IoT are enabled by preventable issues like static, unchanged default passwords, or unpatched firmware, leaving systems exposed," he says. "For business operators and consumer end-users, the key takeaway is clear: adopting basic security hygiene is a critical defense against both opportunistic and sophisticated attacks. Don’t leave the front door open."

For companies worried about the origin of their networking devices or the security their supply chain, finding a trusted third party to manage the devices is a reasonable option. In reality, though, almost every device should be monitored and not trusted, says NetRise's Pace.

"It's a crazy world that exists when it comes to device security," he says. "You're accepting this device that you know nothing about — and that you really can't know anything about — unlike Windows \[or another operating system\] ... where you can also install three agents and a firewall in front of it to mitigate the risk of the software."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Tag

#intel