Steve Thomas - IT Consultant


  • Criminals are adding hundreds of malicious packages to npm
  • The packages try to fetch a stage-two payload to infect the machines
  • The crooks went to lengths to hide where they host the malware

Software developers, especially those working with cryptocurrencies, are once again facing a supply chain attack via open source code repositories.

Cybersecurity researchers from Phylum have warned that a threat actor has uploaded hundreds of malicious packages to the open source package repository npm. The packages are typosquatted versions of Puppeteer and Bignum.js. Developers who need these packages for their products might download the wrong one by mistake, since the names are so similar.

If used, the package will connect to a hidden server, fetch the malicious second-stage payload, and infect the developers’ computers. “The binary shipped to the machine is a packed Vercel package,” the researchers explained.

Hiding the IP address

Furthermore, the attackers wanted to execute something else during package installation, but since the file wasn’t included in the package, the researchers couldn’t analyze it. “An apparent oversight by the malicious package author,” they say.

What makes this campaign stand out from other similar typosquatting supply chain campaigns is the lengths the crooks went to hide the servers they controlled.

“Out of necessity, malware authors have had to endeavor to find more novel ways to hide intent and to obfuscate remote servers under their control,” the researchers said. “This is, once again, a persistent reminder that supply chain attacks are alive and well.”

The IP cannot be seen in the first-stage code. Instead, the code will first access an Ethereum smart contract, where the IP is stored. This ended up being a double-edged sword, since the blockchain is permanent and immutable, and thus allowed the researchers to observe all of the IP addresses the crooks ever used.

Since the targets are developers working with cryptocurrency, the goal was most likely to steal their seed phrases, and gain access to their wallets.

Software developers, particularly those working in the Web3 space, are often targets of such attacks. Therefore, double-checking the names of all downloaded packages is a must.
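The advice to double-check package names can be automated when reviewing a project's dependencies. The following is an added example, not code from the article or from Phylum: it compares each dependency name in a package.json fragment against a small allowlist of well-known packages and flags any name within a couple of edits of a known package that is not that package. The puppeteer and bignum names come from the article; the allowlist, the look-alike names and the sample dependencies are constructed for the demo.

```javascript
// Added example (not from the article or Phylum): flag dependency names that
// sit one or two edits away from a well-known package without being that package.
// KNOWN_PACKAGES is an assumed allowlist a team would maintain for its own stack.
const KNOWN_PACKAGES = ["puppeteer", "bignum", "express", "lodash"];

// Classic Levenshtein edit distance (insert / delete / substitute, cost 1 each),
// computed with a single rolling row.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // dp[i-1][j-1] before the row is overwritten
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // dp[i-1][j], needed as next diagonal
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Strip an npm scope ("@scope/name" -> "name") so scoped look-alikes are compared too.
function bareName(name) {
  return name.startsWith("@") ? name.slice(name.indexOf("/") + 1) : name;
}

// Return one finding per (dependency, known package) pair that is close but not equal.
function findTyposquatCandidates(dependencies, known = KNOWN_PACKAGES, maxDistance = 2) {
  const findings = [];
  for (const name of Object.keys(dependencies)) {
    const bare = bareName(name).toLowerCase();
    if (known.includes(bare)) continue; // exact, expected package
    for (const legit of known) {
      const distance = levenshtein(bare, legit);
      if (distance <= maxDistance) {
        findings.push({ name, resembles: legit, distance });
      }
    }
  }
  return findings;
}

// Constructed package.json "dependencies" fragment: two real names, two look-alikes.
const SAMPLE_DEPENDENCIES = {
  puppeteer: "^22.0.0", // legitimate
  pupeteer: "^1.0.0",   // constructed look-alike (one deletion)
  bignumm: "^0.1.0",    // constructed look-alike (one insertion)
  express: "^4.19.0",   // legitimate
};

for (const f of findTyposquatCandidates(SAMPLE_DEPENDENCIES)) {
  console.log(`suspicious dependency "${f.name}" resembles "${f.resembles}" (edit distance ${f.distance})`);
}
```

Run it with `node` against the `dependencies` object of a real package.json; a hit is a prompt to verify the package page and its publisher, not proof of malice, since some legitimately distinct packages also have close names.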

Via Ars Technica



  • The company is currently investigating the attack
  • The hacker claims to have stolen 40 GB of compressed data
  • Schneider Electric's Jira system was breached

Schneider Electric has confirmed suffering its second cyberattack and data leak in recent months.

Earlier this week, a threat actor going by the alias Greppy added a new post on X, claiming to have breached the corporation:

“Hey Schneider Electric, how was your week? Did someone accidentally steal your data and you noticed, shut down the services and restarted without finding them? Now you shut down again but the criminals seem to have taken more juicy data,” the tweet reads.


This prompted BleepingComputer to reach out to the company with further questions.

"Schneider Electric is investigating a cybersecurity incident involving unauthorized access to one of our internal project execution tracking platforms which is hosted within an isolated environment," the firm told the publication. "Our Global Incident Response team has been immediately mobilized to respond to the incident. Schneider Electric's products and services remain unaffected."

Greppy also posted the loot on a dark web site, saying they accessed the company’s Atlassian Jira system.

“This breach has compromised critical data, including projects, issues, and plugins, along with 400,000 rows of user data, totaling more than 40GB compressed data,” the ad reads. “To secure the deletion of this data and prevent its public release, we require a payment of $125,000 USD in Baguettes,” the hackers said.

Obviously, the attacker doesn’t want hundreds of thousands of baguettes - it’s a joke, since Schneider Electric is a French business. Instead, they just want the victim company to acknowledge the breach within 48 hours. Since the company did just that, let’s see if Greppy keeps their word.

Schneider Electric is a multinational corporation specializing in energy management and automation solutions. It builds technologies and services that increase efficiency and sustainability across various sectors, including buildings, data centers, and infrastructure.

Via BleepingComputer



  • City of Columbus, Ohio, confirms suffering ransomware attack
  • Around 500,000 citizens thought to have had private data stolen
  • Rhysida criminal group claims responsibility for attack

The City of Columbus has confirmed suffering a ransomware attack in which sensitive information on hundreds of thousands of residents was stolen.

In a breach notification letter sent to affected individuals, Ohio’s capital said it experienced a “cybersecurity incident” on July 18 2024 which apparently saw a “foreign threat actor” try to disrupt the city’s IT infrastructure, deploy ransomware, and later solicit a ransom payment.

While the city responded by containing the attack, isolating the threat actors, and bringing in third-party experts to assess the situation, the crooks managed to get away with sensitive information.

Half a million affected

“The information involved in the incident may have included your personal information, such as your first and last name, date of birth, address, bank account information, driver’s license(s), Social Security number, and other identifying information concerning you and/or your interactions with the City,” the City of Columbus said in the letter.

At the same time, the institution filed a report with the Office of the Maine Attorney General in which it stated that 500,000 of the city’s residents were affected, out of a total of roughly 910,000 citizens.

Despite the theft, the organization claims there is no evidence the data was misused on the dark web. However, there seems to be more to this story than that.

The threat actor behind the attack seems to be Rhysida, after the eastern European group claimed responsibility in August 2024, saying it stole 6.5 TB from the city, including “databases, internal logins and passwords of employees, a full dump of servers with emergency services applications of the city and … access from city video cameras.”

The gang asked for 30 bitcoin, which was roughly $1.9 million at the time of the attack. It is likely it did not receive the payment, since security researchers found an archive containing Ohio residents’ sensitive data, posted on the dark web.

Via TechCrunch

More from TechRadar Pro


  • Hackers found abusing DocuSign to send phishing emails
  • The signed documents are used to request payment
  • DocuSign says it has implemented additional safeguards

Cybercriminals are abusing DocuSign’s Envelopes API to trick businesses into signing fake invoices, which are later used to steal money from the victims.

DocuSign is an e-signature software platform that businesses can use to sign, send, and manage documents digitally - with “send” here being the keyword.

New findings by cybersecurity researchers Wallarm highlight how crooks would create fake invoices, and use DocuSign to send them to the victims for “signing”. Since they are using the platform, the emails are sent directly from DocuSign’s domain, appearing legitimate and moving past any email protection services the victims may have set up.

Bypassing the billing department

In the invoices, the crooks impersonate major brands, such as Norton, or PayPal. The funds requested are also in a realistic range, lending further credence to the campaign.

Businesses that don’t spot the ruse end up signing the documents, which might seem odd at first, since they don’t really lose money, or sensitive data, that way.

However, the attackers can leverage the signed documents to authorize payments outside of normal company procedures since, at the end of the day, the signatures in the invoices are legitimate. That way, they are effectively bypassing the billing departments and stealing money from their victims.

The attacks are not carried out manually, since the distribution appears to run at relatively high volume, the researchers further explained. By using the 'Envelopes: create' function, attackers can generate and send a large volume of these fraudulent invoices to numerous potential victims simultaneously.

Wallarm added that the attacks have been going on for a while now. DocuSign acknowledged it, as well. Responding to a request for comment from BleepingComputer, the company said it worked to prevent misuse: “We are aware of the reports and take them very seriously,” it told the publication. “While, in the interest of security, we don’t disclose specifics that could alert bad actors to our prevention tactics, DocuSign has a number of technical systems and teams in place to help prevent misuse of our services.”

Commenting on the news, Erich Kron, security awareness advocate at KnowBe4, said that the campaign likely wouldn't be very successful, and gave a few tips on how to spot similar attacks:

"Because this is coming through an API exploit, there probably won’t be many signs that would be easy to spot as in a spoofed email. The easiest way to spot this is if it is asking you to renew a service that you don’t currently have, such as a specific brand of antivirus; it should stand out as a fake. Even if you do happen to have that brand of antivirus, it is always best to renew through the vendor website, or through the app itself," Kron explained.

"It is critical for people to be cautious when receiving unexpected invoices or other communications through email, text messages, or even phone calls as bad actors may sometimes combine tactics to further confuse potential victims or try to improve the believability of the scams."



  • Serbian hacker IntelBroker claims to have stolen Nokia source code
  • Nokia “is aware of reports” and is taking the allegation “seriously”
  • IntelBroker has a history of high-profile attacks

Nokia has revealed it is investigating a possible security breach involving a third-party vendor after a notorious hacker claimed to have stolen source code from the company.

“Nokia is aware of reports that an unauthorized actor has alleged to have gained access to certain third-party contractor data and possibly data of Nokia," the company said in a statement.

However, the ongoing investigation is yet to reveal any evidence that Nokia’s systems or data have been compromised.

Nokia breach?

Posting to an online forum, the hacker, known as IntelBroker, said, "Today, I am selling a large collection of Nokia source code, which we got from a 3rd party contractor that directly worked with Nokia to help aid their development of some internal tools."

Although no evidence has been found to back up IntelBroker’s claims, Nokia stresses that it’s taking the allegation seriously and continues to monitor the situation closely.

The hacker claims to have obtained proprietary Nokia software, SSH keys, RSA keys, BitBucket logins, SMTP accounts, webhooks and hardcoded credentials.

IntelBroker is reportedly a Serbian hacker who has been active since October 2022, and has a history of high-profile attacks. More than 80 separate leaks have been posted to online forums by IntelBroker to date, with targets including companies and organizations such as AMD, Apple, Europol and HPE.

Emerging studies are also indicating many companies, from SMBs to multinational enterprises, are failing to comply with basic cybersecurity principles.

Furthermore, employees are increasingly frustrated with a lack of suitable tools and policies, leaving them to turn to public AI tools which pose a risk to company security.

TechRadar Pro has asked Nokia for further details, but the company did not immediately respond.

Via Bleeping Computer



  • A phishing attack leads to the download of a large file
  • The Linux VM comes preloaded with malware, granting crooks all kinds of advantages
  • Securonix advises caution when handling inbound emails

A creative new phishing technique has been spotted that looks to trick victims into downloading and installing a virtual Linux machine on their Windows endpoints. The virtual machine comes preloaded with a backdoor, granting the crooks unabated access to the compromised devices.

A report from cybersecurity researchers Securonix dubbed the campaign ‘CRON#TRAP’. It starts with a fake “OneAmerica” survey which distributes the VM installation file (285 MB), and a fake error popup image.

If the victims fall for the trick and trigger the installer, it will run in the background, while showing the fake error message in the front. That way, the victims will think that the survey was unavailable at the time. In the background, though, a fully legit version of a Linux VM, called TinyCore, will be installed via QEMU, a legitimate, open-source virtualization tool that allows for emulating various hardware and processor architectures.

Tricking the AV

Since QEMU is legitimate, no antivirus programs flag it as malicious. Furthermore, they will not flag anything that happens in the virtual machine, since it is walled in and operates as a sandbox. “This emulated Linux environment enables the attacker to operate outside the visibility of traditional antivirus solutions,” the researchers explained.

However, since the VM comes with a backdoor, crooks can use it for a number of things, including network testing and initial reconnaissance, tool installation and preparation, payload manipulation and execution, configuration persistence and privilege escalation, SSH key manipulation for remote access, file and environment management, system and user enumeration, and potential exfiltration or command control channels.

The backdoor was said to contain a tool called Chisel, which is a network tunneling program, pre-configured to set up a secure communications channel with the C2 server.

Since the campaign starts with a simple phishing email, Securonix advises care when handling inbound emails.

Via BleepingComputer


One of the most popular password managers out there, LastPass, is warning its customers not to fall for the latest scam campaign aimed directly at them.

In a blog post, the company explained scammers are targeting users via the Chrome Web Store. In the reviews section for LastPass’ Chrome add-on, the scammers are adding new content that directs the visitors to fake customer support.

Therefore, when victims who are having issues with the add-on visit the page, they might think that other users are helping them reach customer support directly. In reality, dialing the number shared there starts a conversation with the fraudsters, who will try to navigate the victims to a malicious website, and download malware.

Fake customer support

"Individuals calling this fake support number will be greeted by an individual asking what product they are having issues with and then a series of questions regarding whether they are attempting to access LastPass via a computer or a mobile device and what operating system they are using," explained LastPass.

"They will then be directed to the site dghelp[.]top while the threat actor remains on the line and attempts to get the potential victim to engage with the site, exposing their data."

Investigating further, BleepingComputer found the campaign’s goal is to get people to download ConnectWise ScreenConnect, a piece of remote support and access software that grants the attackers full access to the target computer. The publication also found that the phone number associated with this campaign was used in other similar campaigns, where crooks impersonated Amazon, Adobe, Facebook, YouTube TV, and many, many others. In other words, this is a well-organized team that has been impersonating major corporations and defrauding people for a while now.

As usual, the best way to defend against these attacks is to use common sense and double-check every piece of information found online.


The Housing Authority of the City of Los Angeles (HACLA) has suffered its second ransomware attack in as many years.

Threat actors known as Cactus added HACLA to its data leak website, claiming to have stolen 891 GB of files from the organization.

The archives reportedly include, "personal Identifiable Information, actual database backups, financial documents, executives\employees personal data, customer personal information, corporate confidential data and correspondence.”

No details

A small sample was posted as proof of the claims, and soon after, HACLA confirmed the news to BleepingComputer, saying it was currently investigating the incident.

"We've been affected by an attack on our IT network. As soon as we became aware of this, we hired external forensic IT specialists to help us investigate and respond appropriately," a HACLA spokesperson told the publication.

"Our systems remain operational, we're taking expert advice, and we remain committed to delivering important services for low income and vulnerable people in Los Angeles."

The agency did not share additional details, so we don’t know exactly when the breach happened, how the crooks gained access to the network, or whether the claims about the stolen data are accurate. Furthermore, we don’t know who is affected by the breach, or whether the stolen data belonged to employees, business partners, or end users.

HACLA is a public agency that provides affordable housing options and supportive services to low-income residents in Los Angeles, as well as families, seniors, and individuals with disabilities who need this type of assistance. It manages public housing, Section 8 vouchers, and various housing programs aimed at addressing homelessness and promoting community stability.

Cactus is a known ransomware group that first emerged almost two years ago. So far, it has breached more than 250 companies, but has been keeping a relatively low profile lately.

Via BleepingComputer


Getting scammed by a chatbot is unfortunately no longer in the domain of science fiction, after researchers from the University of Illinois Urbana-Champaign (UIUC) demonstrated how it could be done.

Recently, Richard Fang, Dylan Bowman, and Daniel Kang from UIUC published a new paper in which they described how they abused OpenAI’s latest AI model, called ChatGPT-4o, to fully automate some of the most common scams around.

Now, OpenAI’s latest model offers a voice-enabled AI agent, which gave the researchers the idea of trying to pull off a fully automated voice scam. They found ChatGPT-4o does have some safeguards which prevent the tool from being abused this way, but with a few “jailbreaks”, they managed to imitate an IRS agent.

Advanced reasoning

Success rates for these scams varied, the researchers found. Credential theft from Gmail worked 60% of the time, while others like crypto transfers had about 40% success. These scams were also relatively cheap to conduct, costing about $0.75 to $2.51 per successful attempt.

Speaking to BleepingComputer, OpenAI explained its latest model, which is currently in preview, supports “advanced reasoning” and was built to better spot these kinds of abuses: "We're constantly making ChatGPT better at stopping deliberate attempts to trick it, without losing its helpfulness or creativity,” the company’s spokesperson told the publication.

“Our latest o1 reasoning model is our most capable and safest yet, significantly outperforming previous models in resisting deliberate attempts to generate unsafe content."

OpenAI praised the researchers, saying these kinds of papers help ChatGPT get better.

According to the US government, voice scams are considered fairly common. The premise is simple: an attacker would call the victim on the phone and, while pretending to help solve a problem, actually scam them out of money or sensitive information.

In many cases, the attack first starts with a browser popup showing a fake virus warning, from a fake antivirus company. The popup urges the victim to call the provided phone number and “clean” their device. If the victim calls the number, the scammer picks up and guides them through the process, which concludes with the loss of data, or funds.


Hackers were spotted abusing a high severity vulnerability in Microsoft SharePoint to gain access to corporate IT infrastructure.

A report from cybersecurity researchers Rapid7 revealed how unnamed cybercriminals leveraged a flaw tracked as CVE-2024-38094 to establish initial access on the target’s network.

This is a remote code execution (RCE) flaw in SharePoint, Microsoft’s web-based platform for collaboration and document management, with a severity score of 7.2, and was fixed in mid-July 2024 as part of a Patch Tuesday cumulative update.


The vulnerability allowed the crooks to access the network, where they dwelled for two weeks.

During that time, they used a Fast Reverse Proxy to establish an outbound connection, ran Active Directory (AD) enumeration tools, and engaged in credential dumping via multiple tools such as NTDSUtil and Mimikatz.

Finally, they installed a Chinese antivirus solution to degrade, or disable, security tools on systems.

“This involved the service account installing the Horoung Antivirus (AV) software, which was not an authorized software in the environment,” the researchers said in the blog post.

“For context, Horoung Antivirus is a popular AV software in China that can be installed from Microsoft Store. Most notably, the installation of Horoung caused a conflict with active security products on the system. This resulted in a crash of these services. Stopping the system’s current security solutions allowed the attacker freedom to pursue follow-on objectives thus relating this malicious activity to Impairing Defenses.”

In the meantime, the US Cybersecurity and Infrastructure Security Agency (CISA) added the RCE flaw to its Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies a tight deadline to address the flaw, or stop using SharePoint entirely.
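Both the CRON#TRAP hidden-VM technique described earlier and the post-exploitation tooling in this SharePoint intrusion leave traces in process-creation telemetry. The following is an added example, not code from Securonix, Rapid7 or either article: three heuristic rules (a headless QEMU instance launched from a user-writable path, an ntdsutil IFM export, and the Fast Reverse Proxy client) run over constructed Sysmon-style process-creation events. The paths, account names, the fake installer file name and the sample events are assumptions for the demo; the qemu-system-* binary name, the frpc client name and the ntdsutil IFM syntax are the tools' standard ones, and the rest comes from the articles.

```javascript
// Added example, not from Securonix or Rapid7: heuristic rules run over
// process-creation events using Sysmon Event ID 1 field names
// (Image, CommandLine, ParentImage, User). All events below are constructed.

// Locations an ordinary user can write to. A legitimate QEMU install normally
// lives under Program Files, so a hypervisor launched from one of these is suspect.
const USER_WRITABLE =
  /\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)|Users\\Public|ProgramData|Windows\\Temp)\\/i;

const RULES = [
  {
    id: "qemu-hidden-vm-from-user-path",
    note: "QEMU started headless from a user-writable path (CRON#TRAP-style hidden VM)",
    match: (e) =>
      /\\qemu-system-[^\\]+\.exe$/i.test(e.Image) &&
      (USER_WRITABLE.test(e.Image) || USER_WRITABLE.test(e.CommandLine)) &&
      /(^|\s)(-nographic|-display\s+none)(\s|$)/i.test(e.CommandLine),
  },
  {
    id: "ntdsutil-ifm-export",
    note: "ntdsutil IFM export: offline copy of the AD database, a credential-dumping step",
    match: (e) =>
      /\\ntdsutil\.exe$/i.test(e.Image) &&
      /\bifm\b/i.test(e.CommandLine) &&
      /\bcreate\b/i.test(e.CommandLine),
  },
  {
    id: "fast-reverse-proxy-client",
    note: "Fast Reverse Proxy client: outbound tunnel to attacker-controlled infrastructure",
    match: (e) =>
      /\\frpc\.exe$/i.test(e.Image) || /(^|\s)frpc(\.exe)?(\s|$)/i.test(e.CommandLine),
  },
];

// Evaluate one event against every rule; returns zero or more findings.
function evaluate(event) {
  return RULES.filter((r) => r.match(event)).map((r) => ({
    rule: r.id,
    note: r.note,
    image: event.Image,
    parent: event.ParentImage,
    user: event.User,
  }));
}

function scan(events) {
  return events.flatMap(evaluate);
}

// Constructed sample telemetry: a benign developer VM, a hidden VM dropped by a
// fake survey installer (file name constructed), two post-exploitation tools run
// under a hypothetical service account, and a benign process.
const SAMPLE_EVENTS = [
  {
    Image: "C:\\Program Files\\qemu\\qemu-system-x86_64.exe",
    CommandLine: "qemu-system-x86_64.exe -m 4096 -drive file=D:\\vms\\dev.qcow2",
    ParentImage: "C:\\Windows\\explorer.exe",
    User: "CORP\\dev.user",
  },
  {
    Image: "C:\\Users\\jsmith\\AppData\\Local\\Temp\\qemu\\qemu-system-x86_64.exe",
    CommandLine:
      "qemu-system-x86_64.exe -m 256 -nographic -drive file=C:\\Users\\jsmith\\AppData\\Local\\Temp\\qemu\\tinycore.qcow2",
    ParentImage: "C:\\Users\\jsmith\\Downloads\\OneAmerica_Survey.exe",
    User: "CORP\\jsmith",
  },
  {
    Image: "C:\\Windows\\System32\\ntdsutil.exe",
    CommandLine: 'ntdsutil "ac i ntds" ifm "create full C:\\Windows\\Temp\\x" q q',
    ParentImage: "C:\\Windows\\System32\\cmd.exe",
    User: "CORP\\svc_sharepoint",
  },
  {
    Image: "C:\\ProgramData\\frpc.exe",
    CommandLine: "frpc.exe -c frpc.ini",
    ParentImage: "C:\\Windows\\System32\\cmd.exe",
    User: "CORP\\svc_sharepoint",
  },
  {
    Image: "C:\\Windows\\System32\\notepad.exe",
    CommandLine: "notepad.exe",
    ParentImage: "C:\\Windows\\explorer.exe",
    User: "CORP\\jsmith",
  },
];

for (const f of scan(SAMPLE_EVENTS)) {
  console.log(`[${f.rule}] ${f.user} ran ${f.image} (parent ${f.parent}): ${f.note}`);
}
```

The QEMU rule deliberately requires all three signals (emulator binary, user-writable path, headless flag) so that a developer's ordinary VM is not flagged; the parent process is carried along in each finding because an installer or office document launching a hypervisor is the detail an analyst will want first.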

Via BleepingComputer


Okta has fixed a concerning security vulnerability which could have allowed cybercriminals to log into people’s accounts simply by creating a long username.

In a security advisory, the identity management firm said it inadvertently introduced a bug in its product in July 2024 which allowed people with usernames longer than 52 characters to log in without providing the right password.

“On October 30, 2024, a vulnerability was internally identified in generating the cache key for AD/LDAP DelAuth. The Bcrypt algorithm was used to generate the cache key where we hash a combined string of userId + username + password. Under a specific set of conditions, listed below, this could allow users to authenticate by providing the username with the stored cache key of a previous successful authentication,” the security advisory reads.

Multiple conditions

Having a username of 52 characters or longer is just one of the conditions, the company noted, as users would also need to have Okta AD/LDAP delegated authentication, not apply MFA, and would need to have been previously authenticated, creating a cache of the authentication.

“The cache was used first, which can occur if the AD/LDAP agent was down or cannot be reached, for example, due to high network traffic,” the advisory concluded.

So far, there is no evidence that the vulnerability was abused by anyone. While the conditions may sound like a stretch, exploiting the flaw might actually be quite easy, since users often have their email address at their organization’s domain as their username, which makes guessing the username a simple thing.

As a result, Okta is now warning its users to go through the logs for any suspicious logins.


Hackers have been compromising online shops, redirecting people to copycat websites, and stealing both their data and their money there, experts have warned.

The scam, dubbed ‘Phish ‘n’ Ships’ by the Satori Threat Intelligence team from HUMAN which uncovered it, stole tens of millions of dollars until it was finally discovered and stopped.

Phish ‘n’ Ships most likely started in 2019. The crooks would break into legitimate online stores by various means: leveraging n-day vulnerabilities, server misconfigurations, or easy-to-guess passwords, among others. Once they gained access, they would upload multiple scripts which allowed them to add fake product listings.

Disrupting the campaign

The listings would come with SEO-friendly metadata, to make sure they are easy to find through search engines. The fake products, usually for hard-to-find items such as the Nintendo power glove oven mitt, would lead the victims away from the legitimate stores, and through a series of redirects, which end on a copycat website imitating the original, legitimate store.

There, the victims go through a checkout process, giving away not just sensitive information, but also money, to the attackers.

Satori says that “thousands” of legitimate websites were compromised this way, and “hundreds of thousands” of people victimized. The damages are being counted in tens of millions of dollars.

To make matters worse, the crooks were withdrawing the money with no problem, for years. However, Satori’s researchers managed to notify almost all of the victimized websites, and with the help of Google, removed all malicious listings from search engine results.

Finally, the payment processors who were facilitating the cashouts were also notified, and the accounts were banned.

While this means the campaign is disrupted, the researchers believe it’s not completely destroyed. Since no arrests were made, they believe it is only a matter of time before the crooks start rebuilding the network all over again. As we approach the holiday season, it is essential consumers remain vigilant and only shop on reputable websites.

Via BleepingComputer
