APT-C-60 Group Exploits WPS Office Flaw to Deploy SpyGlace Backdoor
A South Korea-aligned cyber espionage group has been linked to the zero-day exploitation of a now-patched critical remote code execution flaw in Kingsoft WPS Office to deploy a bespoke backdoor dubbed SpyGlace.
The activity has been attributed to a threat actor dubbed APT-C-60, according to cybersecurity firms ESET and DBAPPSecurity. The attacks have been found to infect Chinese and East Asian users.
Volkswagen Hacked – Hackers Stole 19,000 Documents From VW Server
Volkswagen, one of the world’s leading automotive manufacturers, has fallen victim to a sophisticated hacking operation and a significant cybersecurity breach. Investigations suggest that the cyberattack originated in China, raising concerns over international cyber espionage and its implications for the global electric vehicle (EV) industry.
The cyberattack on Volkswagen was first detected earlier this week, but details of the incident have only recently come to light following investigations by ZDF’s frontline journalism team and Der Spiegel.
According to joint investigations by German broadcaster ZDF and news magazine Der Spiegel, the hackers managed to infiltrate Volkswagen’s computer systems and siphon gigabytes of sensitive data related to the company’s electric mobility efforts and other core operations.
Volkswagen was able to recover files that the attackers had transferred to their own servers and subsequently deleted. In total, the hackers are said to have stolen around 19,000 documents.
Nature of Stolen Data
The stolen data includes critical information on Volkswagen’s proprietary EV technologies and production strategies.
This theft directly threatens Volkswagen’s competitive edge in the rapidly growing EV market and raises alarms about the potential misuse of this information.
The specifics of the data stolen suggest that the hackers were not merely opportunistic but had a clear and targeted agenda to capture high-value technological insights.
The documents list the hackers’ “identified targets,” including:
gasoline engine development
transmission development, especially dual-clutch transmissions
Preliminary analyses by cybersecurity experts have traced the attack’s digital footprints to groups known to operate out of China.
While there is no official confirmation yet linking the attack directly to the Chinese government, the nature and sophistication of the breach suggest the involvement of entities with significant resources and capabilities.
This incident is a stark reminder of major corporations’ vulnerabilities in an era where industrial espionage can have significant economic and strategic consequences.
The automotive industry is particularly vulnerable to such threats due to its increasing reliance on digital technology and interconnected systems. Companies within the sector are now reassessing their cybersecurity protocols to prevent similar cyber incidents.
Volkswagen’s Response
In response to the breach, Volkswagen has initiated a comprehensive security overhaul. The company is working closely with cybersecurity experts and international law enforcement agencies to track the perpetrators and prevent further leaks of sensitive information.
“At that time, we were already in the process of investing significantly in our IT security and strategically strengthening it as part of ongoing security programs,” said a VW spokesman. “The incident reminded us once again of its correctness and urgency.”
Volkswagen has assured its customers and stakeholders that immediate steps are being taken to enhance security measures and safeguard against future attacks.
Global Reactions and Future Steps
The international community has expressed serious concerns over this breach, with several governments calling for stricter cybersecurity regulations and enhanced cooperation in combating cyber threats.
The incident has also sparked a broader discussion about the need for a unified global strategy to protect critical technological infrastructures.
The automotive industry and policymakers worldwide will watch closely as the investigation continues.
The outcome of this incident could very well shape the future strategies implemented to secure the increasingly digital landscape of global industries.
The cyberattack on Volkswagen is a critical wake-up call to the global automotive industry and beyond.
It highlights the growing scope and scale of cyber threats in the modern world. It underscores the need for robust cybersecurity measures to protect sensitive information and maintain public trust in technological advancements.
As we move forward, the balance between innovation and security will be paramount in shaping the future of international commerce and industry.
SonicWall warns of critical access control flaw in SonicOS
SonicWall’s SonicOS is vulnerable to a critical access control flaw that could allow attackers to gain unauthorized access to resources or cause the firewall to crash.
Hackers Attack Python Developers by Poisoning PyPI With Typosquatted Packages
An automated risk detection system identified a typosquatting campaign targeting popular Python libraries on PyPI. In two waves with a 20-hour break, the attack deployed over 500 variations with typos in names like requests, TensorFlow, and BeautifulSoup.
The campaign included wrong names (pytorch instead of torch) and names of modules that are already part of the standard library (asyncio, tkinter). Some variations also targeted users who might mistype “pip install -r requirements”.
For a few hours before the automated run, the attacker experimented with a package called schubismomv3: first with install hooks, then by smuggling the encrypted payload in a string that is written to a local file and executed.
Those variations were iterated through the remaining schubismomv3 publications; after that, the attacker published insanepackagev1414 with the malicious code in its setup.py file.
The setup.py file from the fourth publication, v1.3.0.
The main difference is that the payload is significantly smaller and is pulled from a remote URL instead of being embedded in the setup file in its entirety. The attacker then published seven more packages under variations of the “insanepackage” naming scheme.
Start of the Attack
An attacker launched a typosquatting attack against the PyPI repository, publishing 566 malicious variations across popular packages like Tensorflow, requests, and Matplotlib.
The attack occurred in two bursts, the first targeting 360 packages over 1.5 hours and the second targeting 206 packages over several hours. PyPI responded swiftly by taking down the malicious packages and temporarily suspending new user and project creations to prevent further compromise.
A screenshot of the PyPI status page shortly after the suspension started. Note that full service was reinstated as of March 28, 2024, at 12:56 UTC.
A malicious Python script initiates a multi-stage attack. First, it retrieves encrypted code from a remote server and executes it after decryption with a local key. The secondary payload likely injects a compromised `app.asar` file into targeted cryptocurrency wallets (Exodus, Atomic) for potential theft.
It then exfiltrates browser data (logins, cookies, and potentially wallet data) from Chromium-based browsers (Chrome, Edge, and Opera), searches user directories for wallet applications and credentials; it also scrapes Discord tokens for account access.
The setup.py file from insanepackagev1414.
The stolen information is compressed and uploaded to a remote server. Recommended precautions against this kind of campaign: install only from trusted sources, keep software updated, run antivirus, exercise caution online, and use a password manager together with two-factor authentication.
Attackers launched an automated typosquatting campaign on PyPI, publishing over 500 malicious packages with names similar to popular ones (misspellings of names such as TensorFlow).
According to Phylum, it targeted 16 well-known packages and aimed to trick developers into installing malware-laden packages. PyPI responded swiftly by suspending new user registrations, but the incident highlights the vulnerability of ecosystems with open package repositories.
Even with a quick response, typosquatting attacks can be successful if the malware executes upon installation, requiring users to be highly vigilant when installing packages.