Mar 25, 2024NewsroomSupply Chain Attack / Cryptocurrency

Unidentified adversaries orchestrated a sophisticated attack campaign that has impacted several individual developers as well as the GitHub organization account associated with Top.gg, a Discord bot discovery site.

“The threat actors used multiple TTPs in this attack, including account takeover via stolen browser cookies, contributing malicious code with verified commits, setting up a custom Python mirror, and publishing malicious packages to the PyPI registry,” Checkmarx said in a technical report shared with The Hacker News.

The software supply chain attack is said to have led to the theft of sensitive information, including passwords, credentials, and other valuable data. Some aspects of the campaign were previously disclosed at the start of the month by an Egypt-based developer named Mohammed Dief.

It chiefly entailed setting up a clever typosquat of the official PyPI domain known as “files.pythonhosted[.]org,” giving it the name “files.pypihosted[.]org” and using it to host trojanized versions of well-known packages like colorama. Cloudflare has since taken down the domain.

“The threat actors took Colorama (a highly popular tool with 150+ million monthly downloads), copied it, and inserted malicious code,” Checkmarx researchers said. “They then concealed the harmful payload within Colorama using space padding and hosted this modified version on their typosquatted-domain fake-mirror.”

These rogue packages were then propagated via GitHub repositories such as github[.]com/maleduque/Valorant-Checker and github[.]com/Fronse/League-of-Legends-Checker that contained a requirements.txt file, which serves as the list of Python packages to be installed by the pip package manager.

One repository that continues to remain active as of writing is github[.]com/whiteblackgang12/Discord-Token-Generator, which includes a reference to the malicious version of colorama hosted on “files.pypihosted[.]org.”

Also altered as part of the campaign is the requirements.txt file associated with Top.gg’s python-sdk by an account named editor-syntax on February 20, 2024. The issue has been addressed by the repository maintainers.

It’s worth noting that the “editor-syntax” account is a legitimate maintainer of the Top.gg GitHub organization and has written permissions to Top.gg’s repositories, indicating that the threat actor managed to hijack the verified account in order to commit a malicious commit.

“The GitHub account of ‘editor-syntax’ was likely hijacked through stolen cookies,” Checkmarx noted.

“The attacker gained access to the account’s session cookies, allowing them to bypass authentication and perform malicious activities using the GitHub UI. This method of account takeover is particularly concerning, as it does not require the attacker to know the account’s password.”

What’s more, the threat actors behind the campaign are said to have pushed multiple changes to the rogue repositories in one single commit, altering as many as 52 files in one instance in an effort to conceal the changes to the requirements.txt file.

The malware embedded in the counterfeit colorama package activates a multi-stage infection sequence that leads to the execution of Python code from a remote server, which, in turn, is capable of establishing persistence on the host via Windows Registry changes and stealing data from web browsers, crypto wallets, Discord tokens, and sessions tokens related to Instagram and Telegram.

“The malware includes a file stealer component that searches for files with specific keywords in their names or extensions,” the researchers said. “It targets directories such as Desktop, Downloads, Documents, and Recent Files.”

The captured data is ultimately transferred to the attackers via anonymous file-sharing services like GoFile and Anonfiles. Alternately, the data is also sent to the threat actor’s infrastructure using HTTP requests, alongside the hardware identifier or IP address to track the victim machine.

“This campaign is a prime example of the sophisticated tactics employed by malicious actors to distribute malware through trusted platforms like PyPI and GitHub,” the researcher concluded.

“This incident highlights the importance of vigilance when installing packages and repositories even from trusted sources. It is crucial to thoroughly vet dependencies, monitor for suspicious network activity, and maintain robust security practices to mitigate the risk of falling victim to such attacks.”

Mar 20, 2024NewsroomCybercrime / Dark Web

The Cyber Police of Ukraine has arrested three individuals on suspicion of hijacking more than 100 million emails and Instagram accounts from users across the world.

The suspects, aged between 20 and 40, are said to be part of an organized criminal group living in different parts of the country. If convicted, they face up to 15 years in prison.

The accounts, authorities said, were taken over by carrying out brute-force attacks, which employ trial-and-error methods to guess login credentials. The group operated under the direction of a leader, who distributed the hacking tasks to other members.

The cybercrime group subsequently monetized their ill-gotten credentials by putting them up for sale on dark web forums.

Other threat actors who purchased the information used the compromised accounts to conduct a variety of fraudulent schemes, including those in which scammers reach out to the victim’s friends to urgently transfer money to their bank account.

“You can protect your account from this method of hacking by setting up two-factor authentication and using strong passwords,” the agency said.

As part of the operation, officials conducted seven searches in Kyiv, Odesa, Vinnytsia, Ivano-Frankivsk, Donetsk, and Kirovohrad, confiscating 70 computers, 14 phones, bank cards, and cash worth more than $3,000.

The development comes as a U.S. national pleaded guilty to breaching over a dozen entities in the U.S., including a medical clinic in Griffin, and exfiltrating the personal information of more than 132,000 individuals. He is scheduled for sentencing on June 18, 2024.

Robert Purbeck (aka Lifelock or Studmaster) “aggravated his crimes by weaponizing sensitive data in an egregious attempt to extort his victims,” U.S. Attorney Ryan K. Buchanan said.

According to the U.S. Department of Justice (DoJ), Purbeck, who pleaded guilty today to federal charges of computer fraud and abuse, purchased access to the clinic’s computer server from the darknet in 2017, leveraging it to siphon medical records and other documents that contained data pertaining to over 43,000 individuals, such as names, addresses, birthdates, and social security numbers.

The defendant also bought credentials associated with the City of Newnan, Georgia, Police Department server on an underground marketplace. He then plundered records consisting of police reports and documents that had information belonging to no less than 14,000 people.

As part of the plea agreement, Purbeck agreed to pay more than $1 million in restitution to the impacted 19 victims. He was indicted by a federal jury in March 2021.