Cybersecurity Wiretap #32: From Linux Bootkits to Infostealer Packages with a Focus on Software Supply Chain Risks (week of 11/25/2024)

Welcome to the weekly digest about cybersecurity and threats in the wild. Below you will find a very subjective summary of cybersecurity events from the prior week.

1.Investigation into Helldown Ransomware by @CyfirmaR

  • fast-evolving ransomware targeting critical industries globally, with cross-platform capabilities (Windows and Linux builds); it encrypts files and exploits vulnerabilities to get in. Its modular design and anti-detection techniques indicate active development.

https://www.cyfirma.com/research/investigation-into-helldown-ransomware/

2.RomCom exploits Firefox and Windows zero days in the wild by @ESETresearch

  • CVE-2024-9680: use-after-free bug in Firefox's animation timeline feature
  • CVE-2024-49039: Windows privilege escalation bug that allows code to run outside of Firefox's sandbox
  • successful exploitation chained the two and delivered the RomCom backdoor in a widespread campaign

https://www.welivesecurity.com/en/eset-research/romcom-exploits-firefox-and-windows-zero-days-in-the-wild/

3.Bootkitty: Analyzing the first UEFI bootkit for Linux by @ESETresearch

  • targets Linux, specifically a few Ubuntu versions; designed to boot the Linux kernel seamlessly whether UEFI Secure Boot is enabled or not
  • bootkit.efi contains many artifacts suggesting this is more of a PoC than the work of an active threat actor

https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux

4.Malicious PyPI crypto pay package aiocpa implants infostealer code by @ReversingLabs

  • malicious code in a legitimate-looking package, aiocpa, engineered to compromise cryptocurrency wallets
  • the actors behind aiocpa were not impersonating or typosquatting existing packages; they published their own crypto client tool to steadily attract a user base that was later compromised through a malicious version update

https://www.reversinglabs.com/blog/malicious-pypi-crypto-pay-package-aiocpa-implants-infostealer-code
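The aiocpa case is a reminder that a package you already trust can turn on you in a point release, so the check worth having is one you can run over the unpacked sdist or wheel of every update. The following is an added example, not code from ReversingLabs or from the aiocpa package; it flags the generic "decode, decompress, then exec()" loader pattern that infostealer implants in PyPI packages commonly use, and peels such layers back to show what would run. The sample modules, the payload string and the decoder list are constructed for the example; the page does not show aiocpa's actual code, so do not read the sample as a copy of it.

```python
"""Heuristic scan of Python package source for the decode-then-exec loader pattern."""
import ast
import base64
import zlib
from pathlib import Path

# Calls whose output honest library code almost never passes to exec()/eval().
DECODERS = {"b64decode", "b32decode", "a85decode", "b85decode", "unhexlify", "decompress"}
EXECUTORS = {"exec", "eval"}


def _call_name(node):
    """Name of the callee for both `zlib.decompress(...)` and `decompress(...)` forms."""
    f = node.func
    if isinstance(f, ast.Attribute):
        return f.attr
    return f.id if isinstance(f, ast.Name) else None


def _is_suspect(expr, tainted):
    """True if `expr` calls a decoder or reads a name that was assigned from one."""
    for sub in ast.walk(expr):
        if isinstance(sub, ast.Call) and _call_name(sub) in DECODERS:
            return True
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
    return False


def find_decode_exec(source):
    """Return [(lineno, 'exec'|'eval')] for every execution of decoded/decompressed data."""
    tree = ast.parse(source)
    tainted, changed = set(), True
    while changed:  # simple name taint, iterated to a fixed point for chained assignments
        changed = False
        for node in ast.walk(tree):
            if isinstance(node, ast.Assign) and _is_suspect(node.value, tainted):
                for target in node.targets:
                    if isinstance(target, ast.Name) and target.id not in tainted:
                        tainted.add(target.id)
                        changed = True
    return [
        (node.lineno, node.func.id)
        for node in ast.walk(tree)
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
        and node.func.id in EXECUTORS and node.args and _is_suspect(node.args[0], tainted)
    ]


def unwrap_layers(blob, max_layers=16):
    """Peel base64+zlib layers until the data stops decoding; returns (payload, layers)."""
    data = blob.encode() if isinstance(blob, str) else blob
    for n in range(max_layers):
        try:
            data = zlib.decompress(base64.b64decode(data, validate=True))
        except Exception:  # not base64, or not a zlib stream: we have reached the plaintext
            return data, n
    return data, max_layers


def scan_package(root):
    """Run find_decode_exec over every .py file under an unpacked sdist or wheel."""
    hits = {}
    for path in Path(root).rglob("*.py"):
        found = find_decode_exec(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            hits[str(path)] = found
    return hits


# Constructed sample: a harmless stand-in payload wrapped in two base64+zlib layers.
INNER = "print('constructed stand-in for the infostealer payload')"
BLOB = base64.b64encode(zlib.compress(base64.b64encode(zlib.compress(INNER.encode())))).decode()

# Constructed module in the shape of a staged loader (NOT aiocpa's real code).
SUSPICIOUS_MODULE = f"""import base64, zlib
_p = zlib.decompress(base64.b64decode({BLOB!r}))
_p = zlib.decompress(base64.b64decode(_p))
exec(_p)
"""

# Constructed benign module: uses base64 for an auth header but never executes decoded data.
BENIGN_MODULE = """import base64

def auth_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}
"""

if __name__ == "__main__":
    print("suspicious:", find_decode_exec(SUSPICIOUS_MODULE))
    print("benign:", find_decode_exec(BENIGN_MODULE))
    print("unwrapped:", unwrap_layers(BLOB))
```

Run `scan_package("/path/to/unpacked/aiocpa-x.y.z")` after `pip download --no-binary :all:` (or after unzipping the wheel) and diff the hit list between the version you have pinned and the one you are about to take; a new `exec()` of decoded data in a point release is exactly the signal this class of compromise leaves.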

5.Know Thy Enemy: A Novel November Case on Persistent Remote Access by @HuntressLabs

  • attackers gained persistent remote access to a network through Remote Desktop Protocol (RDP) brute-force attacks and credential theft
  • employed MeshAgent, a legitimate remote access tool, disguised as a "Windows Network Virtual Adapter" to evade detection
  • enabled WDigest credential caching so that LSASS keeps logon credentials in plaintext, facilitating further access

https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
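Each step of the chain Huntress describes leaves a distinct Windows event, so the three can be tied together in a few lines of detection logic. The code below is an added example, not Huntress's tooling, run over constructed JSON-lines records modelled on Security log events 4625/4624/7045 and Sysmon registry event 13. The thresholds, the service display name used as a disguise marker and the assumption that the binary is still called MeshAgent.exe are all assumptions of the example; the WDigest registry value and its Sysmon `Details` encoding are the real ones.

```python
"""Detection logic for the RDP brute-force -> MeshAgent -> WDigest persistence chain."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Registry value that makes WDigest cache plaintext credentials in LSASS.
WDIGEST_KEY = "\\SecurityProviders\\WDigest\\UseLogonCredential"
# Assumptions for the example: the binary keeps its real name, the disguise is the display name.
REMOTE_TOOL_MARKERS = ("meshagent",)
DISGUISE_NAMES = ("network virtual adapter",)


def parse_events(text):
    """Parse JSON lines, attach a datetime and return the events in time order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["_ts"] = datetime.strptime(e["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["_ts"])


def detect(events, threshold=5, window=timedelta(minutes=10)):
    """Return [(rule, detail)] for the three stages of the chain, in event order."""
    findings = []
    failures = defaultdict(list)  # source IP -> timestamps of 4625 failures
    for e in events:
        eid = e["EventID"]
        if eid == 4625:
            failures[e.get("IpAddress")].append(e["_ts"])
        elif eid == 4624 and e.get("LogonType") == 10:  # RemoteInteractive = RDP
            ip = e.get("IpAddress")
            recent = [t for t in failures[ip] if e["_ts"] - t <= window]
            if len(recent) >= threshold:
                findings.append(("rdp_bruteforce_success",
                                 f"{len(recent)} failed logons from {ip} then RDP logon as "
                                 f"{e.get('TargetUserName')}"))
        elif eid == 7045:  # new service installed
            name = e.get("ServiceName", "").lower()
            path = e.get("ImagePath", "").lower()
            if any(m in path for m in REMOTE_TOOL_MARKERS) or any(d in name for d in DISGUISE_NAMES):
                findings.append(("suspicious_remote_service",
                                 f"service '{e.get('ServiceName')}' -> {e.get('ImagePath')}"))
        elif eid == 13:  # Sysmon registry value set
            if (e.get("TargetObject", "").lower().endswith(WDIGEST_KEY.lower())
                    and e.get("Details") == "DWORD (0x00000001)"):
                findings.append(("wdigest_plaintext_enabled", e["TargetObject"]))
    return findings


def _ev(eid, ts, **fields):
    return json.dumps({"EventID": eid, "TimeCreated": ts, **fields})


# Constructed sample log: five failures from one address, a successful RDP logon,
# a service install for the disguised agent, the WDigest change, plus two benign events.
SAMPLE_LOG = "\n".join([
    *[_ev(4625, f"2024-11-20T02:00:{s:02d}Z", IpAddress="203.0.113.10",
          TargetUserName="administrator", LogonType=3) for s in range(0, 50, 10)],
    _ev(4624, "2024-11-20T02:01:30Z", IpAddress="203.0.113.10",
        TargetUserName="administrator", LogonType=10),
    _ev(4625, "2024-11-20T02:03:00Z", IpAddress="198.51.100.7",
        TargetUserName="jsmith", LogonType=3),
    _ev(7045, "2024-11-20T02:05:00Z", ServiceName="Windows Network Virtual Adapter",
        ImagePath="C:\\Program Files\\Network Virtual Adapter\\MeshAgent.exe"),
    _ev(13, "2024-11-20T02:06:00Z",
        TargetObject="HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential",
        Details="DWORD (0x00000001)"),
    _ev(13, "2024-11-20T02:06:30Z",
        TargetObject="HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\EnableICMPRedirect",
        Details="DWORD (0x00000001)"),
])

if __name__ == "__main__":
    for rule, detail in detect(parse_events(SAMPLE_LOG)):
        print(f"[{rule}] {detail}")
```

The brute-force rule only fires when a success follows the failures from the same address inside the window, which is the part that turns noisy 4625 bursts into an alert worth paging on; the WDigest rule is a one-liner because the value is binary, so any set to 1 on a host that does not need it is actionable on its own.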

Thank you for reading.

Please add interesting items you came across during the week in the comments below.
