Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Supply Chain Attack. Show all posts
Web SDK vulnerability
AppsFlyer SDK hack crypto wallet hijacking cryptocurrency theft malware Cyber Security Supply Chain Attack Web SDK vulnerability

AppsFlyer Web SDK Breach Used to Divert Cryptocurrency in Supply Chain Attack

 

 

The Web SDK of AppsFlyer was briefly compromised earlier this week, allowing attackers to inject malicious code as part of a supply chain attack aimed at stealing cryptocurrency.

The malicious payload was capable of intercepting cryptocurrency wallet addresses entered by users on affected websites. It would then swap these addresses with ones controlled by the attackers, redirecting funds without the user’s knowledge.

AppsFlyer’s SDK is widely integrated across thousands of platforms for marketing analytics, including tracking user engagement and retention. The company reports that over 15,000 businesses rely on its SDK across more than 100,000 mobile and web applications, making it a prominent “mobile measurement partner” (MMP) solution for campaign attribution and in-app activity tracking.

The issue was initially identified by researchers at Profero, who "confirmed the presence of obfuscated attacker-controlled JavaScript being delivered to users visiting websites and applications that loaded the AppsFlyer SDK." However, AppsFlyer has only acknowledged a domain availability issue that appeared on its status page on March 10, 2026.

Profero detected the malicious activity on March 9, when the compromised SDK, hosted on its official domain ‘websdk.appsflyer.com,’ began distributing harmful code. Multiple users also flagged the suspicious behavior.

“While the full scope, duration, and root cause of the incident remain unverified, the activity highlights how threat actors can abuse trust in widely deployed third-party SDKs to impact downstream websites, applications, and end users,” Profero explains.

The injected JavaScript was engineered to keep the SDK functioning normally while secretly executing malicious actions. It dynamically decoded hidden instructions and intercepted browser network requests.

Once active, the malware monitored web pages for cryptocurrency wallet inputs. Upon detecting a wallet address, it replaced it with an attacker-controlled one and simultaneously transmitted the original address along with related data to external servers.

The attack targeted several major cryptocurrencies, including Bitcoin, Ethereum, Solana, Ripple, and TRON, potentially affecting a broad range of digital transactions.

Researchers estimate the exposure window lasted from March 9 at 22:45 UTC to March 11, although it remains unclear whether the compromise extended beyond this timeframe.

In response to inquiries, AppsFlyer confirmed that unauthorized code had been delivered through its SDK.

"AppsFlyer detected and contained a domain registrar incident on March 10 that temporarily exposed the AppsFlyer Web SDK running on a segment of customer websites to unauthorized code.

"The mobile SDK was not affected, and our investigation to date has not identified evidence that customer data on AppsFlyer systems was accessed. We take this incident very seriously and have been actively communicating with customers," AppsFlyer told BleepingComputer.

The company added that the issue has now been resolved and that affected customers were directly notified with updates.

"The mobile SDK has remained safe to use throughout the process, and the web SDK is safe to use."

AppsFlyer stated that the investigation is still ongoing in collaboration with external forensic specialists, with further details expected once the analysis is complete.

Due to uncertainties surrounding the extent and root cause of the breach, security experts recommend that organizations using the SDK examine telemetry logs for unusual API activity linked to websdk.appsflyer.com, revert to verified safe SDK versions, and assess any potential compromise.

This incident follows another cybersecurity concern earlier in the year, when the hacking group ShinyHunters alleged exploiting the SDK in a supply chain attack targeting Match Group, reportedly exposing over 10 million user records from platforms like Hinge, Match.com, and OkCupid.
Read more »
Supply Chain Attack
AI Tool GlassWorm malware Open VSX Supply Chain Attack

GlassWorm Abuses 72 Open VSX Extensions in Bold Supply-Chain Assault

 

GlassWorm has resurfaced with a more aggressive supply‑chain campaign, this time weaponizing the Open VSX registry at scale to target developers. Security researchers say the latest wave represents a significant escalation in both scope and stealth compared to earlier activity. 

Since January 31, 2026, at least 72 new malicious Open VSX extensions have been identified, all masquerading as popular tools like linters, formatters, code runners, and AI‑powered coding assistants. These look and behave like legitimate utilities at first glance, making it easy for busy developers to trust and install them. Behind the scenes, however, they embed hidden logic designed to pull in additional malware once inside a development environment.

The attackers now abuse trusted Open VSX features such as extensionPack and extensionDependencies to spread their payloads transitively. An extension can appear harmless on installation but later pull in a malicious dependency via an update or a bundled pack. This approach allows the threat actor to minimize obviously suspicious code in each listing while still maintaining a broad infection path.

Once executed, GlassWorm behaves as a multi‑stage infostealer and remote access tool targeting developer systems. It focuses on harvesting credentials for npm, GitHub, Git, and other services, then uses those stolen tokens to compromise additional repositories and publish more infected extensions. This creates a self‑reinforcing loop that can quickly expand across ecosystems if not promptly contained. 

Beyond credentials, GlassWorm aggressively targets financial data by going after more than 49 different cryptocurrency wallet browser extensions, including popular wallets like MetaMask, Coinbase, and Phantom. Stolen cookies and session tokens can enable account takeover, while drained wallets provide immediate monetization for the attackers. In later stages, the malware deploys a hidden VNC component and SOCKS proxy, effectively converting developer machines into nodes within a criminal infrastructure. 

For developers and organizations, this campaign underscores how extension ecosystems have become high‑value attack surfaces. Teams should enforce strict extension allowlists, monitor unusual repository activity, and rotate credentials if any suspicious Open VSX extensions were recently installed. Security tooling that inspects extension metadata, dependency chains, and post‑install behavior is now essential to counter evolving threats like GlassWorm.
Read more »
Supply Chain Attack
Crypto Exchange Cyber Attacks dYdX PyPI Package Supply Chain Attack

Malicious dYdX Packages Drain User Wallets in Supply Chain Attack

 

Malicious open-source packages targeting the dYdX cryptocurrency exchange have enabled attackers to drain user wallets, exposing once again how fragile software supply chains can be in the crypto ecosystem. Researchers found that legitimate-looking libraries on popular repositories were quietly stealing seed phrases and other sensitive data from both developers and end users, turning everyday development workflows into vectors for wallet compromise. The incident shows that even reputable projects using standard tooling are not immune when upstream dependencies are poisoned.

The attack focused on npm and PyPI packages associated with dYdX’s v4 trading stack, specifically the JavaScript package @dydxprotocol/v4-client-js and the Python package dydx-v4-client in certain versions. These libraries are widely used to build trading bots, automated strategies, and backend services that interact with the exchange and therefore routinely handle mnemonics and private keys needed to sign transactions. By compromising such central components, attackers gained access not just to individual wallets but to any application that pulled in the tainted releases.

Inside the malicious npm package, attackers added a surreptitious function that executed whenever a wallet seed phrase was processed, quietly exfiltrating it along with a fingerprint of the device running the code. The fingerprinting allowed the threat actors to correlate stolen credentials across multiple compromises and track victims over time. Stolen data was sent to a typosquatted domain crafted to resemble legitimate dYdX infrastructure, increasing the chances that network defenders would overlook the outbound connections.

The PyPI package carried similar credential-stealing behavior but escalated the threat by bundling a remote access Trojan capable of executing arbitrary Python code on infected systems. Running as a background daemon, this RAT regularly contacted a command‑and‑control server, fetched attacker-supplied code, and executed it in an isolated subprocess using a hard-coded authorization token. With this access, adversaries could steal keys and source code, plant persistent backdoors, and broadly surveil developer environments beyond just wallet data.

This is not the first time dYdX has faced targeted abuse of its ecosystem, following prior incidents involving malicious npm uploads and website hijacking campaigns aimed at draining user funds. For the broader industry, the episode underlines how high‑value crypto platforms and their developer tooling have become prime targets for supply-chain attacks. Developers are urged to rigorously audit dependencies, verify package integrity and publishers, and avoid using real wallet credentials in testing environments, while users should quickly review any apps or bots that rely on the affected dYdX client libraries.
Read more »
Trusted Update Abuse
Antivirus Update Breach command and control servers Compromised Code Signing Cybersecurity Infrastructure Endpoint security eScan Malware Incident malware Supply Chain Attack Trusted Update Abuse

eScan Antivirus Faces Scrutiny After Compromised Update Distribution


MicroWorld Technologies has acknowledged that there was a breach of its update distribution infrastructure due to a compromise of a server that is used to deliver eScan antivirus updates to end users, which was then used to send an unauthorized file to end users. 

It was reported that the incident took place within a narrow two-hour window on January 20, 2026, in a regional update cluster. It affected only a small fraction of customers who had downloaded updates during that period, and was confined to that cluster. 

Following the analysis of the file, it was confirmed that it was malicious, and this demonstrates how even tightly controlled security ecosystems can be compromised when trust mechanisms are attacked. 

Despite MicroWorld reporting that the affected systems were swiftly isolated, rebuilt from clean baselines, and secured through credential rotation and customer remediation within hours of the incident, the episode took place against the backdrop of escalating cyber risks that are continually expanding. 

An unprecedented convergence of high-impact events took place in January 2026, beginning with a major supply chain breach involving a global antivirus vendor, followed by a technical assault against a European power grid, and the revelation of fresh vulnerabilities in artificial intelligence-driven systems in the first few weeks of January 2026. 

There are a number of developments which have led to industry concerns that the traditional division between defensive software and offensive attack surfaces is eroding, forcing organizations to revisit long-standing assumptions about where trust begins and ends in their security architectures as a result. 

According to further technical analysis, eScan's compromised update channel was directly used to deliver the previously unknown malware, effectively weaponizing a trusted distribution channel that had been trusted. 

A report indicated that multiple security platforms detected and blocked attempted attacks associated with the malicious file the day of its distribution, prompting a quick external scrutiny to take place. It was MicroWorld Technologies who indicated to me that the incident was identified internally on January 20 through a combination of monitoring alerts and customer reports, with the affected infrastructure isolated within an hour of being identified. 

The company issued a security advisory the following day, January 21, as soon as the attack was under control and the situation had been stabilised. In spite of the fact that cybersecurity firm Morphisec later revealed that it had alerted eScan during its own investigation, MicroWorld maintains that containment efforts were already underway when the communication took place. 

The company disputes any suggestion that customers were not informed of the changes, claiming proactive notifications and direct outreach as part of the remediation process to address any concerns. 

A malicious update was launched by a file called Reload.exe, which set off a multi-stage infection sequence on the affected systems through the use of a file called Reload.exe. 

The researchers that conducted the initial analysis reported that the executable modified the local HOSTS file to prevent the delivery of corrective updates from eScan update servers and that this led to a number of client machines experiencing update service errors. 

As part of its persistence strategy, the malware created scheduled tasks, such as CorelDefrag, and maintained communication with external command-and-control infrastructure to retrieve additional payloads, in addition to disrupting operations. 

During the infection process, there was also a secondary malicious component called consctlx.exe written to the operating system, which further embedding the threat within the system. A further detail provided by Morphisec, an endpoint security company, provided a deeper technical insight into the underlying mechanism and intent of the malicious update distributed through the trusted infrastructure of eScan. 

As Morphisec stated in its security bulletin, the compromised update package contained a modified version of the eScan update component Reload.exe that was distributed both to enterprise environments and consumer environments via legitimate update channels. 

Despite the binary's appearance of being signed with eScan's code signing certificate, validation checks conducted by Windows and independent analysis platforms revealed that the signature was not valid. Morphisec's analysis revealed that the altered Reload.exe functions as a loader for a malware framework that consists of several stages. This raises concerns about certificate integrity and abuse of trusted signing processes. 

When the component is executed, it establishes persistence on infected machines, executes arbitrary commands, and alters the Windows HOSTS file to prevent access to eScan's update servers, preventing eScan from releasing updates by using routine update mechanisms.

Additionally, the malware started communicating outwards with a distributed command-and-control infrastructure, thus allowing it to download additional payloads from a variety of different domains and IP addresses in order to increase its reach.

According to Morphisec, the final stage of the attack chain involved the deployment of a second executable, CONSCTLX.exe. This secondary executable acted as both a backdoor and a persistent downloader.

A malicious component that was designed to maintain long-term access created scheduled tasks with benign-sounding names like CorelDefrag that were designed to avoid casual inspection while ensuring that the task would execute across restarts as well. 

The company MicroWorld Technologies developed a remediation utility in response to the incident that is specifically intended to identify and reverse unauthorized changes introduced by the malicious update. Using this tool, the company claims that normal update functionality is restored, a successful cleanup has been verified, and the process only requires a standard reboot of the computer to complete. 

Several companies, including eScan and Morphisec, have advised customers to take additional network-level security measures to protect themselves from further malicious communications during the recovery phase of the campaign by blocking the command-and-control endpoints associated with it. 

In addition, the incident has raised concerns about the recurring exploitation of antivirus update mechanisms, which have caused an increase in industry concern. There was an incident of North Korean threat actors exploiting eScan’s update process in 2024 to install backdoors inside corporate networks, illustrating again how security infrastructure remains one of the most attractive targets for state-sponsored attacks, particularly those aiming for high volumes of information. 

As this breach unfolds, it is part of a wider pattern of consequential supply chain incidents that have taken place in early 2026. These incidents range from destructive malware targeting European energy systems to large-scale intellectual property theft coupled with soon-to-appear AI-driven assault tactics. 

The events highlighted by these events also point to a persistent strategic reality in that organizations are increasingly dependent on trusted vendors and automated updates pipelines. If trust is compromised across the digital ecosystem, defensive technologies can become vectors of systemic risk as a result of a compromise in trust. 

In an industry context, the incident is notable for the unusual method of delivery used by the perpetrators. In spite of the fact that software supply chain compromises have been a growing problem over the past few years, malware is still uncommonly deployed through the security product’s own update channel. 

An analysis of the implants involved indicates that a significant amount of preparation has been performed and that the target environment is well known. A successful operation would have required attackers to have acquired access to eScan’s update infrastructure, reverse engineering aspects of its update workflow, and developing custom malware components designed specifically to function within that ecosystem in order to be successful.

Such prerequisites suggest a deliberate, resource-intensive effort rather than a purely opportunistic one. In addition, a technical examination of the implanted components revealed resilience features that were designed to ensure that attacker access would not be impeded under adverse conditions. 

There were multiple fallback execution paths implemented in the malware, so that continuity would be maintained even if individual persistence mechanisms were disrupted. In one instance, the removal of a scheduled task used to launch a PowerShell payload was not sufficient to neutralize the infection, since the CONSCTLX.exe component would also be able to invoke the same functionality. 

Furthermore, blocking the command-and-control infrastructure associated with the PowerShell stage did not completely eliminate an attacker's capabilities, as CONSCTLX.exe retained the ability to deliver shellcode directly to affected systems, as these design choices highlight the importance of operational redundancy, which is one of the hallmarks of well-planned intrusion campaigns. 

In spite of the sophistication evident in the attack's preparation, the attack's impact was mitigated by its relatively short duration and the techniques used in order to prevent the attack from becoming too effective. 

Modern operating systems have an elevated level of trust when it comes to security software, which means that attackers have theoretically the possibility to exploit more intrusive methods, including kernel-mode implants, which provide attackers with an opportunity to carry out more invasive attacks. 

In this case, however, the attackers relied on user-mode components and commonly observed persistence mechanisms, such as scheduled tasks, which constrained the operation's stealth and contributed to its relatively quick detection and containment, according to analysts. 

It is noteworthy that the behavioral indicators included in eScan's advisory closely correspond with those found by Morphisec independently. Both parties deemed the incident to have a medium-to-high impact on the enterprise environments in question. Additionally, this episode has revealed tensions between the disclosures made by vendors and researchers. 

As reported by Bloomberg News, MicroWorld Technologies has publicly challenged parts of Morphisec's public reporting, claiming some of it was inaccurate. It is understood that they are seeking legal advice in response to these claims. 

It was advised by eScan to conduct targeted checks to determine whether the systems were affected from an operational perspective, including reviewing schedule tasks for anomalous entries, inspecting the system HOSTS file for blocked eScan domains, and reviewing update logs from January 20 for irregularities. 

A remediation utility has been released by the company and is available through its technical support channels. This utility is designed to remove malicious components, reverse unauthorized changes, and restore normal update functionality. 

Consequently, customers are advised to block known command-and-control addresses associated with this campaign as a precaution, reinforcing the lesson of the incident: even highly trusted security infrastructure must continually be examined as potential attack surfaces in a rapidly changing threat environment.
Read more »
Third Party Risk
API security Automotive Cybersecurity Consumer Data Exposure Credit Monitoring Data Breach identity theft protection phishing threats Supply Chain Attack Third Party Risk

Credit Monitoring Provider Discloses Breach Impacting 5.6 Million Users


A data breach usually does not lend itself to straightforward comparisons, as each occurrence is characterized by distinctive circumstances and carries different consequences for those involved. It is common for headlines to emphasize the scale of an attack, the prominence of the organization that was affected, or the attack method used by the attacker, but in reality, the real significance of a breach lies in the sensitivity of the compromised data, along with the actions that are taken to correct it. 

It was apparent from a disclosure issued by 700Credit, a U.S.-based company that provides consumer information, preliminary credit checks, identity verifications, fraud detections, and compliance solutions for auto, recreational, powersport, and marine dealerships. As a result of a third-party supply-chain attack that occurred late in October 2025, the company confirmed that personally identifiable information had been accessed by unauthorized people through the use of a third-party supply chain. 

It has been revealed that the exposed data includes names, residential addresses, dates of birth, and Social Security numbers, all collected between May and October of the year. Based on the information provided by the agency, approximately 5.6 million people are expected to have been affected by the incident, making it one of the most substantial credit-related data breaches of the year, emphasizing the risks associated with retaining data for a long period of time and relying on external service providers. 

A 700Credit representative confirmed that the compromised information was the result of a breach of a database provided by auto dealerships between May and October 2025 as a result of regular credit verification and identity verification processes. 

Despite acknowledging that the precise technical details of how the intrusion was conducted have not yet been fully determined, the company has attributed the incident to an unidentified threat actor. Although there is no official word on who is affected, it has been revealed that those individuals whose personal data was processed by 700Credit for dealership clients have been brought into focus as data-handling risks arise across the entire automotive retail ecosystem. 

There are broader concerns raised about supply-chain exposures and the downstream impact of such events on consumer confidence, particularly when it comes to sensitive financial and identity-related information that has been disclosed. 

A Michigan Attorney General said that recipients of breach notification letters should not dismiss the letters in response to the disclosure, stressing that taking swift protective measures, such as freezing the credit history and enrolling in credit monitoring services, was critical to reducing the risk of identity theft and fraud that can result from the exposure to the breach. 

However, despite moving quickly to disable the exposed application programming interface (API), 700Credit acknowledged that, in spite of taking steps to prevent threats from accessing consumer records, threat actors were able to extract a significant percentage of them. The company estimates that approximately 20 percent of the affected datasets were accessed, which comprised extremely sensitive data such as names, addresses, birthdates, and Social Security numbers. 

In spite of the fact that 700Credit confirmed that its internal systems, payment platforms, and login credentials were unhacked, cybersecurity experts noted that the stolen data, in both quantity and nature, could still be utilized by phishing and social engineering companies to conduct highly convincing scams. 

Because of this, consumers and dealership clients have been advised to be vigilant when receiving unsolicited communications, especially those that appear to be from 700Credit or its partners, as well as any messages purported to have originated with the company. In addition to the details reported by CBTNews, it is clear that the breach is the result of a compromised integrated partner not alerting 700Credit in a timely manner after they became aware of the breach. 

Researchers have determined that attackers exploited vulnerabilities in the API validation process, which allowed malicious requests to be masked as legitimate partner traffic by exploiting vulnerabilities in the API validation process. An independent forensic analysis confirmed that the intrusion did not extend into 700Credit's internal network or core operational infrastructure, but rather was confined to the application layer through third-party API integration. 

Furthermore, experts concluded that attackers had been able to carry out the majority of the damage without compromising internal systems, underscoring the persistency of security gaps in API-driven architectures, particularly in modern times. 

According to 700Credit, in response, its API inspection controls have been strengthened, the validation framework is now more secure, the insurance coverage for cybersecurity has been expanded, and external cybersecurity firms have been engaged to assess residual risks and mitigate them, all while maintaining uninterrupted service to dealership clients throughout the investigation. 

Additionally to the technical remediation, 700Credit began a coordinated regulatory notification and response involving multiple authorities as well. For compliance with federal Safeguards Rule requirements, the company reported the incident to the Federal Bureau of Investigation and the Federal Trade Commission and also notified the FTC a consolidated breach notification on behalf of the affected dealer clients. 

Upon receiving written notifications of a breach of the Federal Safeguards Rule beginning December 22, 2025, impacted individuals were offered a 12-month free credit monitoring program from TransUnion and identity restoration services as part of the offer. Moreover, as part of the ongoing efforts to resolve consumer and dealer concerns, the company has also been in touch with the National Automobile Dealers Association and has notified state attorneys general throughout the country. 

A dedicated hotline was also established to address the concerns of consumers and dealers. In addition, the Michigan Attorney General issued a public consumer alert after an estimated 160,000 Michigan residents were identified as being affected by the fraud. They advised recipients to not ignore notification letters and to take immediate precautionary measures, such as putting a credit freeze on their credit report, signing up to a monitoring service, updating their passwords and enabling multifactor authentication, as soon as possible. 

Earlier this month, Michigan Attorney General Dana Nessel sent a consumer advisory explaining why people should not shrug off correspondence from 700Credit, emphasizing that taking prompt action can significantly reduce the risk of downstream fraud occurring as a result of this situation. 

According to her, victims should consider placing a credit freeze on their credit cards or registering for credit monitoring services, as these can serve as effective first-line defenses against identity theft, so that they may be able to protect themselves effectively. 

Moreover, Nessel emphasized the importance of being alert to potential phishing attempts, strengthening or changing passwords, removing unnecessary data stored on devices and enabling multi-factor authentication across all online services and devices. To be able to identify any suspicious activity as soon as possible, she also advised regularly reviewing credit reports from TransUnion as well as Equifax and Experian. 

As security expert Hill pointed out, the investigation revealed that the automotive retail sector was not adequately prepared in terms of cybersecurity, as highlighted by several industry perspectives. It has been discovered that several large dealerships have well-established security frameworks in place, including continuous monitoring and internal "red team" exercises which test defenses. However, smaller and mid-sized businesses lack the resources necessary to implement the same level of security measures. 

The author warned that these gaps can result in systemic risks within shared data networks, and advised dealerships to increase security awareness, better understand emerging threats, and evaluate the cybersecurity posture of third party partners that may have access to consumer information in a more detailed manner. 

As a whole, the 700Credit breach indicates how cyber risk is distributed across multiple interconnected industries, where vulnerabilities in one partner can ripple outward so that millions of individuals and hundreds of businesses are affected. 

As investigations and notifications continue, it will probably prompt an increased focus on third-party risk management, particularly in sectors which are heavily dependent on the sharing of data and the integration of real-time data. It is important for consumers to maintain vigilance, even after taking initial measures to prevent identity-based fraud, as identity-based fraud often emerges well after the original attack has been made. 

For dealerships and service providers, the breach serves as an alarming example of the need for cybersecurity governance to extend beyond internal systems to include vendors, integrations, and data lifecycle controls, in addition to internal systems. 

In addition to proactive investments in security assessments, employee training, and transparency, analysts note that proactive investments can help minimize both technical exposure and reputational damage in the automotive industry.

It is ultimately up to whether the lessons learned from the incident translate into stronger safeguards and more resilient data practices in the credit monitoring industry as well as automotive retail to determine the long-term impact of the incident.
Read more »
TruffleHog leak
Data Breach GitHub repositories breach NPM malware Shai-Hulud attack Supply Chain Attack TruffleHog leak

Shai-Hulud 2.0 Breach Exposes 400,000 Secrets After Massive NPM Supply-Chain Attack

 

The second wave of the Shai-Hulud malware attack last week led to the exposure of nearly 400,000 raw secrets after compromising hundreds of NPM (Node Package Manager) packages and leaking stolen data across more than 30,000 GitHub repositories.

While only around 10,000 of those secrets were confirmed as valid using the TruffleHog open-source scanning tool, cloud security company Wiz reports that over 60% of the NPM tokens leaked in this incident were still active as of December 1st.

Shai-Hulud first surfaced in mid-September, infecting 187 NPM packages with a worm-like payload. The malware scanned systems for account tokens using TruffleHog, injected a harmful script into the targeted packages, and then automatically republished them.
In the latest attack, the threat escalated—impacting more than 800 packages (including all affected versions) and adding a destructive feature capable of wiping a victim’s home directory under specific conditions.

During their review of the secrets spilled by Shai-Hulud 2.0 into over 30,000 GitHub repositories, Wiz researchers found several types of sensitive files exposed:

  • About 70% of repositories contained a contents.json file with GitHub usernames, tokens, and file snapshots

  • Around 50% stored truffleSecrets.json with TruffleHog scan results

  • Nearly 80% included environment.json, which revealed OS details, CI/CD metadata, npm package information, and GitHub credentials

  • 400 repositories had actionsSecrets.json, exposing GitHub Actions workflow secrets

Wiz notes that the malware used TruffleHog without the --only-verified flag, meaning the full set of 400,000 leaked secrets only matched valid formats—they weren’t necessarily functional. Even so, the dataset still contained active credentials.

While the secret data is extremely noisy and requires heavy deduplication efforts, it still contains hundreds of valid secrets, including cloud, NPM tokens, and VCS credentials,” Wiz explained.

To date, these credentials pose an active risk of further supply chain attacks. For example, we observe that over 60% of leaked NPM tokens are still valid.

From the 24,000 environment.json files analyzed, nearly half were unique. About 23% originated from developer machines, with the remainder linked to CI/CD systems or similar automated environments.

The investigation also showed that 87% of compromised machines were running Linux, and 76% of infections occurred within containerized environments. Among CI/CD services, GitHub Actions was the most affected, followed by Jenkins, GitLab CI, and AWS CodeBuild.

When examining which packages were hit hardest, Wiz identified @postman/tunnel-agent@0.6.7 and @asyncapi/specs@6.8.3 as the most impacted—together accounting for over 60% of all infections. Researchers believe the overall damage could have been significantly reduced if these key packages had been flagged and taken down early.

The infection pattern also revealed that 99% of attacks triggered during the preinstall event, specifically through the node setup_bun.js script. The few anomalies observed were likely test runs.

Wiz warns that the operators behind Shai-Hulud are likely to continue refining their methods. The team expects more waves of supply-chain attacks powered by the extensive trove of leaked credentials gathered so far.

Read more »
Supply Chain Attack
GitHub GlassWorm malware OpenVSX Supply Chain Attack

GlassWorm Malware Exploits Invisible Unicode to Infect VS Code Extensions

 

A major and ongoing supply-chain attack is currently targeting developers through the OpenVSX and Microsoft Visual Studio Code (VS Code) extension marketplaces via a self-spreading malware dubbed "GlassWorm" that has triggered an estimated 35,800 installations to date. 

The campaign leverages novel techniques, such as embedding malicious code within invisible Unicode characters, enabling it to bypass detection and make the threats literally invisible in code editors. GlassWorm not only infects extensions, but also uses compromised accounts to further propagate itself, posing an accelerating risk through the dependency and update mechanisms of these platforms.

The malware focuses on stealing credentials for GitHub, npm, and OpenVSX accounts, as well as harvesting cryptocurrency wallet information from 49 different extensions. It then escalates the compromise by deploying a SOCKS proxy on infected machines, facilitating covert malicious traffic, and by installing HVNC (Hidden Virtual Network Computing) clients for undetectable remote access. 

GlassWorm leverages a hardcoded Solana blockchain wallet that participates in transactions used to distribute base64-encoded links pointing to its next-stage payload, referred to by researchers as the obfuscated "ZOMBI" module. Once installed, ZOMBI transforms the workstation into a node of a decentralized criminal infrastructure, enabling persistent and stealthy cybercriminal operations.

Unique for its resilience, GlassWorm's operators use the Solana blockchain as the primary command-and-control channel, making takedown efforts extremely challenging due to the blockchain’s decentralized, persistent, and anonymous nature. Secondary methods for controlling infected hosts include embedding payload links in Google Calendar event titles and directly contacting specific IP addresses (e.g., 217.69.3[.]218). To ensure redundancy and robust communication, the malware also incorporates BitTorrent’s Distributed Hash Table (DHT).

Researchers at Koi Security have identified at least eleven infected extensions on OpenVSX, with some still available for download as of reporting, and one on Microsoft’s VS Code Marketplace. Notably, the auto-update feature in VS Code means users can become infected without any interaction—the malicious version of extensions is silently pushed to all endpoints. Microsoft quickly removed the compromised extension following the alert, while some extension publishers have issued security updates.

These attacks follow a wider trend, echoing last month’s Shai-Hulud worm attack that affected 187 npm packages. Koi Security warns that the sophistication, propagation methods, and resilience of GlassWorm represent a significant escalation in the threat landscape, underscoring the urgent need for enhanced supply-chain security and vigilant monitoring.
Read more »
Supply Chain Attack
Malicious Campaign malware NPM Package Shai-Hulud Supply Chain Attack

Shai-Hulud Worm Strikes: Self-Replicating Malware Infects Hundreds of NPM Packages

 

A highly dangerous self-replicating malware called “Shai-Hulud” has recently swept through the global software supply chain, becoming one of the largest incidents of its kind ever documented. 

Named after the sandworms in the Dune series, this worm has infected hundreds of open-source packages available on the Node Package Manager (NPM) platform, which is widely used by JavaScript developers and organizations worldwide. 

Shai-Hulud distinguishes itself from previous supply chain attacks by being fully automated: it propagates by stealing authentication tokens from infected systems and using them to compromise additional software packages, thus fueling a rapid, worm-like proliferation.

The attack vector starts when a developer or system installs a poisoned NPM package. The worm then scans the environment for NPM credentials, specifically targeting authentication tokens, which grant publishing rights. Upon finding such tokens, it not only corrupts the compromised package but also infects up to twenty of the most popular packages accessible to that credential, automatically publishing malicious versions to the NPM repository. 

This creates a domino effect—each newly infected package targets additional developers, whose credentials are then used to expand the worm’s grip, further cascading the spread across the global development community.

Researchers from various security firms, including CrowdStrike and Aikido, were among those affected, though CrowdStrike quickly removed impacted packages and rotated its credentials. Estimates of the scale vary: some report at least 180 packages infected, while others cite figures above 700, underscoring the scope and severity of the outbreak. 

Major tools used by the worm, such as TruffleHog, enabled it to scan compromised systems for a broad array of secrets, including API and SSH keys, as well as cloud tokens for AWS, Azure, and Google Cloud, making its impact particularly far-reaching.

Response to the attack involved urgent removals of poisoned software, rotations of compromised credentials, and investigations by platform maintainers. Security experts argued for immediate industry reforms, recommending that package managers like NPM require explicit human approval and use robust, phishing-resistant two-factor authentication on all publishing operations. 

The attack also exposed the vulnerabilities inherent in modern open-source ecosystems, where a single compromised credential or package can threaten countless downstream systems and organizations. This incident highlights the evolving tactics of cyber attackers and the critical need for improved security measures throughout the global software supply chain.
Read more »
WordPress
Cyber Attacks gravity forms Plugin Supply Chain Attack WordPress

WordPress Plugin Breach: Hackers Gain Control Through Manual Downloads

 



A serious cyberattack recently targeted Gravity Forms, a widely used plugin for WordPress websites. This incident, believed to be part of a supply chain compromise, resulted in infected versions of the plugin being distributed through manual installation methods.

What is Gravity Forms and Who Uses It?

Gravity Forms is a paid plugin that helps website owners create online forms for tasks like registrations, contact submissions, and payments. According to the developer, it powers around a million websites, including those of well-known global companies and organizations.

What Went Wrong?

Cybersecurity researchers from a security firm reported suspicious activity tied to the plugin’s installation files downloaded from the developer’s website. Upon inspection, they discovered that the file named common.php had been tampered with. Instead of functioning as expected, the file secretly sent a request to an unfamiliar domain, gravityapi.org/sites.

Further investigation showed that the altered plugin version quietly collected sensitive data from the infected websites. This included website URLs, admin login paths, installed plugins, themes, and details about the PHP and WordPress versions in use. All this information was then sent to the attackers’ server.

The attack didn’t stop there. The malicious file also downloaded more harmful code disguised as a legitimate WordPress file, storing it in a folder used by the platform’s core features. This hidden code allowed hackers to run commands on the server without needing to log in, essentially giving them full access to the website.

How Did This Affect Site Owners?

The threat mainly impacted those who manually downloaded Gravity Forms versions 2.9.11.1 and 2.9.12 between July 10 and July 11. Developers confirmed that websites which installed the plugin using automated updates from within WordPress were not affected.

In the infected versions, the malware not only blocked future update attempts but also communicated with a remote server to bring in more malicious code. In some cases, the attack even created a secret admin account giving the hackers complete control over the website.

What Should Website Admins Do Now?

The plugin's developer has released a statement acknowledging the issue and has provided instructions to help website owners detect and remove any signs of infection. Users who downloaded the plugin manually during the affected timeframe are strongly advised to reinstall a clean version and scan their websites thoroughly.

Cybersecurity experts also recommend checking for suspicious files and unknown administrator accounts. The domains used in this attack were registered on July 8, suggesting that this breach was carefully planned.

This incident highlights the growing risk of supply chain attacks in the digital world. It serves as a reminder for website administrators to rely on trusted update channels and monitor their sites regularly for any unusual activity.
Read more »
VPN breach
cyber espionage Data Breach IPany VPN malware infection PlushDaemon hackers SlowStepper malware Supply Chain Attack VPN breach

IPany VPN Compromised in Supply Chain Attack Deploying Custom Malware

 

South Korean VPN provider IPany fell victim to a supply chain attack orchestrated by the China-aligned hacking group "PlushDaemon." The attackers compromised IPany's VPN installer, embedding a custom malware named 'SlowStepper' into the installer file, affecting customers upon installation.

ESET researchers discovered that the attackers infiltrated IPany's development platform and modified the installer file ('IPanyVPNsetup.exe') to include the SlowStepper backdoor. Customers downloading the VPN's ZIP installer ('IPanyVPNsetup.zip') from the company's official website between November 2023 and May 2024 were impacted. Victims include a South Korean semiconductor firm and a software development company, with the first signs of infections reported in Japan.

When executed, the installer deploys the legitimate VPN alongside malicious files like 'svcghost.exe,' which ensures persistence by creating a Registry Run key. The SlowStepper payload is concealed within an image file ('winlogin.gif') and loaded through a malicious DLL ('lregdll.dll') into the 'PerfWatson.exe' process. The executable monitors this process to keep it operational.

ESET reports that the Lite version 0.2.10 of SlowStepper was used in this attack, designed for stealth with a smaller footprint while maintaining powerful spyware capabilities. The malware, developed in Python and Go, supports a range of espionage commands:

  • System Details Collection: Gathers system data like CPU information, HDD serials, public IP, webcam/microphone status, and more.
  • Payload Deployment: Fetches and executes files from a command-and-control server.
  • File Enumeration: Lists files and directories on compromised systems.
  • Spyware Execution: Runs Python-based tools for browser data theft, keylogging, and credential harvesting.
  • Interactive Control: Enables shell-mode for system commands.
  • Trace Removal: Deletes files or directories to erase evidence.
  • Spyware Modules: Loads specific Python modules to steal browser data, chat logs, and capture screens or webcam footage.
ESET explained, "Both the full and Lite versions make use of an array of tools programmed in Python and Go, which include capabilities for extensive collection of data, and spying through recording of audio and videos."

They promptly notified IPany, leading to the removal of the compromised installer from its website. However, previously infected users must clean their systems to eliminate the malware. 

Notably, the download page lacked geo-fencing, leaving users across the globe potentially vulnerable.The complete list of the indicators of compromise (IoCs) associated with this campaign can be found here
Read more »
Wi-Fi router security
ASU security flaw hash collision issue Imagebuilder vulnerability OpenWrt One hardware OpenWrt update right-to-repair device secure firmware upgrade Supply Chain Attack Wi-Fi router security

OpenWrt Urges Users to Update Images to Avoid Potential Supply Chain Attacks

OpenWrt, the open-source Wi-Fi router project, has urged users to upgrade their images to the same version to mitigate a potential supply chain attack. The issue, discovered last week, stems from vulnerabilities in the project’s attended sysupgrade server (ASU). 

Details of the Vulnerability 

Paul Spooren, an OpenWrt developer, alerted users via email about a security flaw in the ASU service. The issue was first reported by Ry0taK, a security researcher from Flatt Security, two days prior. Spooren explained: "Due to the combination of the command injection in the 'openwrt/imagebuilder' image and the truncated SHA-256 hash included in the build request hash, an attacker can pollute the legitimate image by providing a package list that causes the hash collision."

Key Vulnerabilities
  • Command Injection: A flaw in Imagebuilder caused by improper sanitization of user-supplied package names allows attackers to create malicious firmware signed with legitimate keys.
  • Weak Hash Vulnerability (CWE-328): Tracked as CVE-2024-54143 with a 9.3 CVSS severity rating, the truncation of the SHA-256 hash to 12 characters enables attackers to generate hash collisions.
Spooren warned, "By exploiting this, a previously built malicious image can be served in place of a legitimate one, allowing the attacker to 'poison' the artifact cache and deliver compromised images to unsuspecting users."

Impact and Mitigation 

The vulnerabilities compromise the ASU service, which helps users upgrade firmware while preserving settings and packages. However, sensitive resources like SSH keys and signing certificates remained secure, as ASU instances operate separately from Buildbot. OpenWrt assured users that:
  • Official images and custom images from version 24.10.0-rc2 onward were unaffected.
  • Build logs for older custom images were reviewed, though logs older than seven days were excluded due to cleanup policies.
To address the issue, Spooren recommended: "Although the possibility of compromised images is near 0, it is suggested to the user to make an in-place upgrade to the same version to eliminate any possibility of being affected. If you run a public, self-hosted instance of ASU, please update it immediately."

Alternatively, users can apply two specific commits listed in OpenWrt’s advisory. Coinciding with the announcement, OpenWrt unveiled its first hardware platform, OpenWrt One, developed with the Software Freedom Conservancy (SFC). The device is described as "unbrickable," featuring a switch that separates NOR and NAND flashing. This milestone supports the right-to-repair movement, emphasizing user control and sustainability.
Read more »
WordDrone
DLL malware Microsoft Word Supply Chain Attack Taiwan WordDrone

New Malware 'WordDrone' Targets Taiwan's Drone Industry

 



Reported by: Acronis (TRU) just published a comprehensive investigation that reveals a highly sophisticated malware operation targeting Taiwan's growing drone industry. Dubbed "WordDrone," the malware deploys a version of Microsoft Word from the 1990s to install a persistent backdoor-the kind of threat that puts the security of companies in Taiwan's growing drone industry in real jeopardy. At this stage, one suspects that strategic military and technological positions of Taiwan provide the rationale behind this breach designed to extract critical information. It is during times when investments by the government in drone technology are accelerating.


How WordDrone Operates

A new malware uses the side-loading technique by which it involves a vulnerable version of Microsoft Word 2010. Using a compromised version of Word, attackers loaded three files on the target system: a legitimate copy of the Microsoft Word application, known as winword, a malicious DLL file named wwlib.dll, and an encrypted additional file with a random name.

Then, an unconscious download of the malicious DLL by running the benign Microsoft Word file becomes a delivery method to decrypt and run the real payload of malware. This technique is the exploitation of the weakness within how older versions of Microsoft Word treat DLL files: the malicious DLL can actually masquerade as part of Microsoft Office. Such an approach will make WordDrone virtually impossible for any traditional security tool to detect and block since the files that are infected look legitimate to most detection systems.


Detection Evasion Advanced Tactics

Moreover, many of the malicious DLL files are digitally signed using highly recently expired certificates. This kind of approach, a disguise for legitimacy, many security systems employ to verify software, makes detection much more difficult. This strategy gives WordDrone an advantage bypassing defences based on trusting signed binaries, which makes it rather difficult to detect.

After running it, the threat performs a stage of well-crafted operations. The payload begins with a shellcode stub that unpacks and injects an "install.dll" component creating persistence on the affected system. The install.dll file allows malware to be present even after reboots by various techniques: it can install malware as a background service, schedule it as a recurring task, or inject the next phase of malware execution, and does not need permanent installation.


Persistence and Defense Evasion Techniques

It applies advanced techniques in a way that it stays non-observable and keeps running. Its techniques begin with NTDLL unhooking, which disables the setting of security hooks by monitoring software and re-loads a fresh instance of the NTDLL library so that security tools cannot intervene with that. In addition to that, it keeps the EDR quiet. This scan for active security processes sets up blocking rules within Windows Firewall to dampen the functions of identified security tools, effectively disabling detection capabilities that may raise defences against its presence.


Command-and-Control (C2) Communication for Remote Control

Another advanced feature about WordDrone is the ability to communicate with a C2 server, meaning the attackers can control the malware even after it is installed. The communication schedule is hardcoded within the malware by implementing a bit array that states some active hours in a week. The malware requests from the C2 server additional details or more malicious files during active hours based on such a routine.

WordDrone can function over several communication protocols including TCP, TLS, HTTP, HTTPS, and WebSocket, which all make identification and analysis much more difficult of the malware's network activities. Its use of a custom binary format for its communication makes it even more challenging to intercept or to interpret its network traffic for cybersecurity teams.


Possible Supply Chain Attack and Initial Infection Vector

The entry point of the WordDrone malware is not clear. Initial analysis, however, showed malicious files under a well-known Taiwanese ERP software's folder. That makes it likely that the attackers have also compromised the ERP software as part of a supply chain attack, possibly exposing other organisations that make use of the software in different marketplaces.

The attack by WordDrone on the Taiwanese drone industry is an example of vulnerabilities that sectors of strategic importance have to face. Ongoing vigilance from cybersecurity experts gives caution, as defence and technology-related organisations try to win the technological battle with such persistent threats.


Read more »
WordPress Plugins
Backdoor CyberCrime CyberNAttacks Cybersecurity CyberThreat Supply Chain Attack WordPress Plugins

Hackers Slip Backdoor into WordPress Plugins in Latest Supply-Chain Attack

 


Security researchers announced on Monday that there had been a supply chain attack on up to 36,000 WordPress plugins running on a wide range of websites that had been backdoored by unknown hackers. Currently, researchers from security firm Wordfence report that the campaign has affected five plugins as of Monday morning. It has been active since last week. It has been reported that unknown threat actors have recently added malicious functionality to plugin updates on WordPress.org, which is the official site for the free open-source WordPress CMS. This update creates an attacker-controlled administrative account that can be used to control the compromised site, as well as add content designed to boost search results. 

The updates can be installed automatically when the updates are installed. There has been a significant amount of backdooring in WordPress plugins to allow malicious code to be injected which can lead to the creation of rogue administrator accounts which can be used for arbitrary purposes. As Wordfence security researcher Chloe Chamberland pointed out in an alert on Monday, the malware injects itself into the system, attempting to create an administrator user account and sending back that account's details to the attacker's server. 

Further, it appears that the threat actor may also have injected malicious JavaScript into the footers of websites, which appears to be causing SEO spam to be displayed throughout the website. According to Wordfence security researchers, a company that monitors the security of the biggest website builder platforms in the world, five plugins have been poisoned with a poisonous patching function so far. Whenever users patch these WordPress plugins, they are presented with a piece of code that creates a new admin account, which is then used by the attackers to establish the account login credentials. 

The perpetrators of this threat (whose identity has not been revealed yet) thus gain full and unrestricted access to the website in this way. The plugins that have been made available are called Social Warfare, BLAZE Retail Widget, Wrapper Link Elementor, and Contract Form 7 Multi-Step Add-on as well as Just Show Hooks. Combined, these five plugins have been installed 36,000 times. Of these, Social Warfare has the most number of installations at 30,000, far and away the most popular one. As of the time of publication, it was not yet clear how the attackers were able to compromise the patching process for these five plugins, and thus compromise their security.

It was reported that reporters at Ars Technica attempted to get in touch with the plugin developers (some did not even provide contact information on their plugin websites, meaning it was impossible to get in touch with them) but did not receive any response. There has been a sharp rise in the number of supply-chain attacks over the past decade, which has become one of the most effective ways to install malware within a supply chain. The threat actors have been able to achieve significant gains by poisoning the software source code so that by simply running a trusted update or installation file, they can infect large numbers of devices. 

This year, an almost disastrous event occurred when a backdoor was discovered, largely through chance, in the widespread open-source XZ Utils code library a week or so ahead of its general release date, narrowly averting disaster. In addition, there have been many other recent supply-chain attacks that can be found in the media. Researchers are currently working on investigating how and why the malware was uploaded to the plugin channel for downloading on the WordPress site to increase their knowledge about it. Several emailed questions were sent to representatives of WordPress, BLAZE, and Social Warfare, none of whom responded. 

Because there is no contact information on the websites of the developers of the remaining three plugins, it was impossible to connect with the representatives of those developers. As mentioned by the Wordfence researchers, they were first made aware of the attack on Saturday when they received an email from a member of the WordPress plugin review team that mentioned the attack. Based on their analysis of the malicious file, the researchers were able to identify four other plugins that had similar codes that were exposed to the same threat. 

There is generally a perception that WordPress is a secure platform for designing and building websites. However, it is a platform with a vast number of third-party themes and plugins, many of which suffer from poor protection, and/or don't enjoy the same level of maintenance as the platform itself. Consequently, they are considered to be a great entry point for threat actors, due to their unique nature. Moreover, the themes and plugins available for WordPress can be both free-to-use and commercially produced, but the latter are often abandoned or maintained by a single developer or hobbyist. 

There is therefore a strong need for WordPress administrators to use extreme caution when installing third-party additions to their websites. They need to ensure that only the files they intend to use are installed. It is imperative for users to ensure their WordPress plugins are always updated and to remain vigilant for any news regarding vulnerabilities. Individuals who have installed any of the compromised plugins should uninstall them immediately and thoroughly inspect their sites for any newly created admin accounts or unauthorized content. Users who utilize the Wordfence Vulnerability Scanner will be alerted if their site is running any of the affected plugins. 

Furthermore, the Wordfence post advises users to monitor their sites for connections originating from the IP address 94.156.79.8, as well as to check for admin accounts with the usernames "Options" or "PluginAuth."
Read more »
TeamCity
Authentication Bypass Cyber Security JetBrains Server Exploit Supply Chain Attack TeamCity

TeamCity Software Vulnerability Exploited Globally

 


Over the past few days a security breach has transpired, hackers are taking advantage of a significant flaw in TeamCity On-Premises software, allowing them to create unauthorised admin accounts. This flaw, known as CVE-2024-27198, has prompted urgent action from software developer JetBrains, who released an update on March 4 to address the issue.

The gravity of this situation is evident as hackers exploit the vulnerability on an extensive scale, creating hundreds of unauthorised users on instances of TeamCity that have not yet received the essential update. According to LeakIX, a platform specialising in identifying exposed device vulnerabilities, over 1,700 TeamCity servers remain unprotected. Most notably, vulnerable hosts are predominantly found in Germany, the United States, and Russia, with an alarming 1,440 instances already compromised.

On March 5, GreyNoise, a company analysing internet scanning traffic, detected a notable surge in attempts to exploit CVE-2024-27198. The majority of these attempts originated from systems in the United States, particularly those utilising the DigitalOcean hosting infrastructure.

These compromised TeamCity servers are not mere inconveniences; they serve as vital production machines used for building and deploying software. This presents a significant risk of supply-chain attacks, as the compromised servers may contain sensitive information, including crucial credentials for environments where code is deployed, published, or stored.

Rapid7, a prominent cybersecurity company, brought attention to the severity of the situation. The vulnerability, with a critical severity score of 9.8 out of 10, affects all releases up to TeamCity version 2023.11.4. Its nature allows remote, unauthenticated attackers to gain control of a vulnerable server with administrative privileges.

JetBrains responded swiftly to the report by releasing TeamCity version 2023.11.4 on March 4, featuring a fix for CVE-2024-27198. They are urging all TeamCity users to update their instances to the latest version immediately to mitigate the risks associated with this critical vulnerability.

Considering the observed widespread exploitation, administrators of on-premise TeamCity instances are strongly advised to take immediate action in installing the newest release. Failing to do so could leave systems vulnerable to unauthorised access and potential supply-chain attacks, amplifying the urgency of this situation.

The recent discovery of a critical flaw in TeamCity software has far-reaching implications for the global security landscape. Users are urged to act promptly by updating their TeamCity instances to ensure protection against unauthorised access and the looming threat of potential supply-chain attacks. The urgency of this matter cannot be overstated, accentuating the imperative need for immediate action.



Read more »
Vulnerability
ConnectWise ScreenConnect Cyber Security Cybersecurity Mass Exploitation Ransomware remote desktop management Supply Chain Attack Vulnerability

Ransomware Distributed Through Mass Exploitation of ConnectWise ScreenConnect

 

Shortly after reports emerged regarding a significant security flaw in the ConnectWise ScreenConnect remote desktop management service, researchers are sounding the alarm about a potential large-scale supply chain attack.

Kyle Hanslovan, CEO of Huntress, expressed concerns about the exploitation of these vulnerabilities, warning that hackers could potentially infiltrate thousands of servers controlling numerous endpoints. He cautioned that this could lead to what might become the most significant cybersecurity incident of 2024. ScreenConnect's functionality, often used by tech support and others for remote authentication, poses a risk of unauthorized access to critical endpoints.

Compounding the issue is the widespread adoption of ScreenConnect by managed service providers (MSPs) to connect with customer environments. This mirrors previous incidents like the Kaseya attacks in 2021, where MSPs were exploited for broader access to downstream systems.

ConnectWise addressed the vulnerabilities without assigning CVEs initially, but subsequent proof-of-concept exploits emerged swiftly. By Tuesday, ConnectWise acknowledged active cyberattacks exploiting these bugs, and by Wednesday, multiple researchers reported increasing cyber activity.

The vulnerabilities now have designated CVEs, including a severe authentication bypass flaw (CVE-2024-1709) and a path traversal issue (CVE-2024-1708) enabling unauthorized file access.

The Shadowserver Foundation reported thousands of vulnerable instances exposed online, primarily in the US, with significant exploitation observed in the wild.

According to Huntress researchers, initial access brokers (IABs) are leveraging these bugs to gain access to various endpoints, intending to sell this access to ransomware groups. There have been instances of ransomware attacks targeting local governments, including endpoints potentially linked to critical systems like 911 services.

Bitdefender researchers corroborated these findings, noting the use of malicious extensions to deploy downloaders capable of installing additional malware.

The US Cybersecurity and Infrastructure Security Agency (CISA) added these vulnerabilities to its Known Exploited Vulnerabilities catalog.

Mitigation measures include applying patches released with ScreenConnect version 23.9.8 and monitoring for indicators of compromise (IoCs) as advised by ConnectWise. Additionally, organizations should vigilantly observe their systems for suspicious files and activities.

ConnectWise's actions to revoke licenses for unpatched servers offer some hope, although the severity of the situation remains a concern for anyone running vulnerable versions or failing to patch promptly.
Read more »
Xfinity
comcast Data Breach Supply Chain Attack Telecommunication Xfinity

Comcast-Owned Telcom Business 'Xfinity' Suffers Data Breach


Comcast-owned Xfinity has suffered a major data breach, affecting more than 25 million of its customers. 

This intrusion not only demonstrates a risky and expanding practice among hackers, but it has also greatly increased the vulnerability of millions of US-based individuals. In certain cases, the situation is actually a lot worse than one may believe.

According to editor of Scamicide.com, Attorney Steven Weisman, this data breach is significantly dreadful for customers since threat actors were able to access the last four digits of social security numbers of the affected individuals. The first five numbers could easily be figured out by the hackers, as they are based on the owner’s residential address and the location where the card was issued.

“So if a criminal has the last four digits, the first three they can figure out easily, the second set they can get relatively easily, so it puts a lot of people in danger of identity theft,” explained Weisman.

Due to this particular issue of rather uncomplicated identification of social security numbers, the government had started randomizing the numbers in 2011.

Furthermore, these hackers are rather harmful. They introduced their malware in the software that Xfinity bought, rather than really hacking into Xfinity. According to Weisman, they are known as "supply chain" hacks, and their prevalence is significantly on the rise. 

“They put their malware into the legitimate software. A company like Comcast gets some accounting software that they have no reason to think is anyway tainted and bam – the malware is in there and the personal information is stolen,” said Weisman.

In the recent times, these types of data breach are becoming more common. Customers are being asked by Xfinity to check their credit, change their passwords, and sign up for a multi-step verification process after the company announced the incident on its website. Additionally, people ought to routinely check their credit scores and freeze their credit.

About Xfinity

Xfinity is a US-based telecommunications business segment, owned by Comcast Corporation, used in marketing consumer cable television, internet, telephone, and wireless services provided by the company. Xfinty, before being established in 2010 was operating under the common-label of Comcast, where the aforementioned services were marketed.  

Read more »
Subscribe to: Comments (Atom)