Offtopic, digitalization, other news

WhatsApp now lets you lock chats with a password or fingerprint

Meta is now rolling out ‘Chat Lock,’ a new WhatsApp privacy feature allowing users to block others from accessing their most personal conversations.

Chat Lock will create a new folder that can be locked with a password or biometric methods like a fingerprint.

You can ensure the privacy of your conversations by choosing the lock option after tapping the name of a one-to-one or group chat.

“Locking a chat takes that thread out of your inbox and puts it behind its own folder that can only be accessed with your device’s password or biometric, like a fingerprint,” WhatsApp said today.

It will also automatically hide details of the locked chat in notifications to prevent others from snooping in while using the phone.

“We believe this feature will be great for people who share their phones from time to time with a family member, or in moments where someone else is holding your phone at the exact moment an extra-special chat arrives,” the company added.

To view locked chats, gently pull down on your inbox, and authenticate yourself with your password or the biometric identification you used when locking the conversation.

Today, WhatsApp added that it’s planning to further expand Chat Lock capabilities to provide users with additional features.

These forthcoming additions include locks explicitly designed for companion devices and the ability to establish a personalized password for your chats, allowing the use of a distinct password separate from your phone’s credentials.

WhatsApp also introduced end-to-end encryption seven years ago and started rolling out end-to-end encrypted chat backups to iOS and Android five years later, in October 2021, to block access to backed-up chat content.

In December 2021, WhatsApp expanded the platform’s privacy control features by adding default disappearing messages to all new chats.

Meta says the WhatsApp video calling and instant messaging platform is now used by over two billion people worldwide.

 

(c) Sergiu Gatlan

Hackers target vulnerable WordPress Elementor plugin after PoC released

Hackers are now actively probing for vulnerable Essential Addons for Elementor plugin versions on thousands of WordPress websites in massive Internet scans, attempting to exploit a critical account password reset flaw disclosed earlier in the month.

The critical-severity flaw is tracked as CVE-2023-32243 and impacts Essential Addons for Elementor versions 5.4.0 to 5.7.1, allowing unauthenticated attackers to arbitrarily reset the passwords of administrator accounts and assume control of the websites.

The flaw that impacted over a million websites was discovered by PatchStack on May 8th, 2023, and fixed by the vendor on May 11th, with the release of the plugin’s version 5.7.2.

Scale of exploitation

On May 14th, 2023, researchers published a proof-of-concept (PoC) exploit on GitHub, making the tool widely available to attackers.

At the time, a BleepingComputer reader and website owner reported that their site was hit by hackers who reset the admin password by leveraging the flaw. Still, the scale of the exploitation was unknown.

A Wordfence report published yesterday sheds more light: the company says it has observed millions of probing attempts checking for the presence of the plugin on websites and has blocked at least 6,900 exploitation attempts.

On the day after the disclosure of the flaw, Wordfence recorded 5,000,000 probing scans looking for the plugin’s ‘readme.txt’ file, which contains the plugin’s version information and therefore reveals whether a site is vulnerable.

Number of recorded daily scans (Wordfence)
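The two facts in the paragraphs above that a site owner can act on are the affected version range (5.4.0 through 5.7.1) and the observation that scanners fetch the plugin’s readme.txt to learn the installed version. The example below, added here and not part of the article or of Wordfence’s tooling, does both checks from the defender’s side: it reads the ‘Stable tag’ line that WordPress plugin readme files carry, decides whether that version falls in the affected range (with proper numeric comparison, so 5.7.10 is not mistaken for 5.7.1), and counts readme.txt probes per client IP in web server access logs. The readme text, the log lines, the IP addresses and the PLUGIN_SLUG directory name are constructed placeholders.

```python
import re
from collections import Counter

# Affected range taken from the article: Essential Addons for Elementor 5.4.0 through 5.7.1.
VULN_MIN = (5, 4, 0)
VULN_MAX = (5, 7, 1)


def parse_version(text):
    """Turn a dotted version such as '5.7.2' into a comparable tuple of ints.
    Missing components count as 0, so '5.7' compares as 5.7.0."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable_version(version):
    """True when the version falls inside the affected range (inclusive)."""
    return VULN_MIN <= parse_version(version) <= VULN_MAX


def stable_tag_from_readme(readme_text):
    """WordPress plugin readme.txt files declare the released version on a
    'Stable tag:' line; that line is what the probing scans were after."""
    match = re.search(r"^Stable tag:\s*([\w.\-]+)", readme_text, re.MULTILINE | re.IGNORECASE)
    return match.group(1) if match else None


# Combined Log Format: client IP first, then the request line in quotes.
_README_PROBE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+/plugins/\S+/readme\.txt)')


def readme_probes_by_ip(access_log_lines, min_hits=3):
    """Count GET requests for any plugin readme.txt per client IP and return the
    IPs with at least min_hits such requests, busiest first."""
    hits = Counter()
    for line in access_log_lines:
        match = _README_PROBE.match(line)
        if match:
            hits[match.group(1)] += 1
    return [(ip, n) for ip, n in hits.most_common() if n >= min_hits]


# Constructed sample data (not from the article). PLUGIN_SLUG stands in for the
# plugin directory name; the IPs come from the TEST-NET documentation ranges.
SAMPLE_README = "=== Example Plugin ===\nRequires at least: 5.0\nStable tag: 5.7.1\nLicense: GPLv3\n"
SAMPLE_LOG = [
    '203.0.113.10 - - [15/May/2023:10:00:01 +0000] "GET /wp-content/plugins/PLUGIN_SLUG/readme.txt HTTP/1.1" 200 812 "-" "curl/7.88"',
    '203.0.113.10 - - [15/May/2023:10:00:02 +0000] "GET /wp-content/plugins/other-plugin/readme.txt HTTP/1.1" 404 0 "-" "curl/7.88"',
    '198.51.100.7 - - [15/May/2023:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [15/May/2023:10:00:04 +0000] "GET /wp-content/plugins/third-plugin/readme.txt HTTP/1.1" 404 0 "-" "curl/7.88"',
    '198.51.100.7 - - [15/May/2023:10:00:05 +0000] "GET /wp-content/plugins/PLUGIN_SLUG/readme.txt HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [15/May/2023:10:00:06 +0000] "GET /wp-content/plugins/fourth-plugin/readme.txt HTTP/1.1" 404 0 "-" "curl/7.88"',
]

if __name__ == "__main__":
    tag = stable_tag_from_readme(SAMPLE_README)
    print(f"installed version {tag}: {'VULNERABLE' if is_vulnerable_version(tag) else 'not affected'}")
    for ip, count in readme_probes_by_ip(SAMPLE_LOG):
        print(f"{ip} requested plugin readme.txt files {count} times")
```

The log check is deliberately broad (any plugin’s readme.txt, not just this one): a single client walking through many plugin readme files in seconds is the enumeration pattern Wordfence describes, whichever plugin the scanner is hunting for that week.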

“While there are services that probe installation data for legitimate purposes, we believe this data indicates that attackers began looking for vulnerable sites as soon as the vulnerability was disclosed,” comments Wordfence in the report.

Most of these requests came from just two IP addresses, ‘185.496.220.26’ and ‘185.244.175.65.’

As for the exploitation attempts, the IP address ‘78.128.60.112’ generated a considerable volume, using the PoC exploit released on GitHub. Other high-ranking attacking IPs each account for between 100 and 500 attempts.

Origin of most exploitation attempts (Wordfence)

Website owners using the ‘Essential Addons for Elementor’ plugin are advised to apply the available security update by installing version 5.7.2 or later immediately.

“Considering how easily this vulnerability can be successfully exploited, we highly recommend all users of the plugin update ASAP to ensure their site is not compromised by this vulnerability,” advises Wordfence.

Additionally, website administrators should use the indicators of compromise listed on Wordfence’s report and add the offending IP addresses to a blocklist to stop these and future attacks.

Users of Wordfence’s free security package will be covered by protection against CVE-2023-32243 on June 20, 2023, so they’re currently exposed too.

 

(c) Bill Toulas

ScanSource says ransomware attack behind multi-day outages

Technology provider ScanSource has announced it has fallen victim to a ransomware attack impacting some of its systems, business operations, and customer portals.

ScanSource is a U.S.-based cloud service and SaaS connectivity and network communications provider that also offers special PoS (point of sale) and payments, security, and AIDC (automatic identification and data capture) solutions.

The firm is also the owner of the cloud service provider and education platform Intelisys, and cloud distributor and managed services provider intY.

Starting around May 15th, ScanSource customers contacted BleepingComputer saying they no longer had access to the company’s customer portals and websites, and were concerned that it had suffered a cyberattack.

Yesterday, ScanSource confirmed that it suffered a ransomware attack on May 14, 2023, that impacted some of its systems.

The company began implementing its incident response plan, including alerting law enforcement and enlisting the aid of forensic and cybersecurity professionals.

These experts assist with the ongoing investigation and help implement strategies to minimize the operational disruptions caused by the incident.

The impact of the cyberattack has been significant, as the company warns that there will be delays in the provision of services to customers in the forthcoming period, expected to affect operations in North America and Brazil.

“The Company is working diligently to bring affected systems back online, while also mitigating the impact on its business,” reads the press release.

“ScanSource regrets any inconvenience or delays in business this may cause customers and suppliers in North America and Brazil and appreciates their patience.”

The tech company is a Fortune 1000 entity traded on NASDAQ, where its stock price recorded a 1.42% drop today, presumably a result of the cyberattack disclosure.

At the time of publication, it is not known what ransomware operation is behind the attack or whether data has been stolen.

BleepingComputer has reached out to ScanSource to request more details about the ransomware attack, and we will update this post when we hear back.

 

(c) Bill Toulas

Notorious Cyber Gang FIN7 Returns With Cl0p Ransomware in New Wave of Attacks

The notorious cybercrime group known as FIN7 has been observed deploying Cl0p (aka Clop) ransomware, marking the threat actor’s first ransomware campaign since late 2021.

Microsoft, which detected the activity in April 2023, is tracking the financially motivated actor under its new taxonomy Sangria Tempest.

“In these recent attacks, Sangria Tempest uses the PowerShell script POWERTRASH to load the Lizar post-exploitation tool and get a foothold into a target network,” the company’s threat intelligence team said. “They then use OpenSSH and Impacket to move laterally and deploy Clop ransomware.”

FIN7 (aka Carbanak, ELBRUS, and ITG14) has been linked to other ransomware families such as Black Basta, DarkSide, REvil, and LockBit, with the threat actor acting as a precursor for Maze and Ryuk ransomware attacks.

Active since at least 2012, the group has a track record of targeting a broad spectrum of organizations spanning software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities.

Another notable tactic in its playbook is its pattern of setting up fake security companies – Combi Security and Bastion Secure – to recruit employees for conducting ransomware attacks and other operations.

Last month, IBM Security X-Force revealed that members of the now-defunct Conti ransomware gang are using a new malware called Domino that’s developed by the cybercrime cartel.

FIN7’s use of POWERTRASH to deliver Lizar (aka DICELOADER or Tirion) was also highlighted by WithSecure a few weeks ago in connection with attacks exploiting a high-severity flaw in Veeam Backup & Replication software (CVE-2023-27532) to gain initial access.

The latest development signifies FIN7’s continued reliance on various ransomware families to target victims as part of a shift in its monetization strategy by pivoting away from payment card data theft to extortion.

 

(c) Ravie Lakshmanan

Dr. Active Directory vs. Mr. Exposed Attack Surface: Who’ll Win This Fight?

Active Directory (AD) is among the oldest pieces of software still used in production environments and can be found in most organizations today. This is despite the fact that its historical security gaps have never been amended. For example, because of its inability to apply any security measure beyond checking for a username and password match, AD (as well as the resources it manages) is dangerously exposed to the use of compromised credentials. Furthermore, this exposure is not confined to the on-prem environment. The common practice of syncing passwords between AD and the cloud identity provider means any AD breach is a potential risk to the SaaS environment as well.

In this article, we’ll explore AD’s inherent security weaknesses and examine their scope and potential impact. We’ll then learn how Silverfort’s Unified Identity Protection platform can address these weaknesses at their root and provide organizations using AD with the resiliency they need to thwart identity threats and mitigate the risks of compromised user accounts.

What Cloud? Why AD Will Continue to Be Part of the Hybrid Environment

While cloud computing has triggered a tectonic shift in IT, it hasn’t completely replaced the on-prem environment but instead lives with it side by side. The pragmatic route that most organizations have chosen is to maintain a hybrid environment, where user access to SaaS and web resources is managed by a dedicated identity provider while AD still manages the on-prem resources.

From the operations side, this strategy is reasonable since there are multiple resources that can be migrated to the cloud or exchanged with SaaS apps. However, it’s important to be aware that this approach means AD’s long-ignored security weaknesses are still at large.

AD’s Achilles Heel: Unable to Detect and Prevent Malicious Access Attempts Using Compromised Credentials

When a user initiates an access request, AD knows how to do one thing only: check if username and password match. If they don’t, AD blocks access; if they do, access is granted. But what can AD do if username and password match but are being used by an adversary that has obtained them? Unfortunately, the answer is absolutely nothing.

As strange as it sounds, from AD’s perspective there’s no difference between a legitimate user providing the correct username and password and a malicious adversary doing the same thing. Both are granted the same access.

So Why Can’t Traditional MFA Solve This Problem?

At this point, you may wonder why MFA can’t simply be added to the AD authentication process, as is done with SaaS apps. The answer, unfortunately, is that it’s not so simple. AD and its authentication protocols (NTLM and Kerberos) were built and designed more than two decades ago — long before MFA even existed. As a result, unlike modern authentication protocols that SaaS apps use, they can’t support MFA at all. Nor are there any plans from Microsoft to open up these protocols and rewrite them so that they’d have this capability.

This means we’re back to square one, where an attacker using compromised credentials in an AD environment can literally connect to any workstation, server, or app they please, with no security measures barring their way.

An AD Breach Paves the Adversary’s Way to Your Cloud Resources

What many security stakeholders often forget is that on-prem and cloud environments are entwined. In fact, many attackers seeking to access SaaS apps choose to access them via a compromise of the on-prem environment, instead of attacking them directly through a browser. The common pattern of this kind of attack is to gain control of an employee’s endpoint using social engineering and, once there, strive to compromise usernames and passwords to use them for malicious access to SaaS apps. Alternatively, if a federation server is in place, adversaries can simply compromise it as they would with any other on-prem resource and gain SaaS access from there.

One way or another, it’s important to realize that when we’re talking about AD’s security gaps, it is not only the AD-managed environment that is at risk, but rather the entire hybrid environment with all its users and resources.

Silverfort Unified Identity Protection: Overcome AD’s Gaps with Real-Time Protection

Silverfort has pioneered the first platform purpose-built to protect, in real time, against identity threats that make use of compromised credentials to access targeted resources. Silverfort provides continuous monitoring, risk analysis, and active policy enforcement on every incoming authentication and access request made by any user to any resource, both on-prem and in the cloud.

In this way, Silverfort can solve AD’s security gaps at their root through an integration with AD’s native authentication flow, thus taking the role of deciding for AD whether a user can fully be trusted when accessing a resource or not.

Silverfort’s AD Protection: A Layer of Threat Protection Natively Integrated into AD’s Authentication Flow

Here’s how it works:

  1. A user wants to access a resource and initiates an access request to AD.
  2. AD, instead of deciding by itself whether to grant or deny access based on the password match, forwards this access request to Silverfort.
  3. Silverfort receives the access request and analyzes it using a multi-layered AI engine while also evaluating the request against pre-configured access policies.
  4. If the analysis reveals a suspected compromise, Silverfort connects to an MFA service to challenge the user to verify their identity.
  5. The MFA service sends the user the message and passes their response back to Silverfort.
  6. Based on the MFA response, Silverfort instructs AD whether to block or allow access.
  7. AD blocks or allows access per Silverfort’s instruction.
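The seven steps above boil down to one decision point: AD can only report whether the password matched, and something else has to turn that plus context into allow, step-up MFA, or deny. The following Python model is an added illustration of that decision point, written for this page; it is not Silverfort’s engine, and its risk weights, thresholds, policies, users, hosts and MFA responses are all hypothetical constructions. It scores each request on signals AD itself never evaluates (an unfamiliar source host, many distinct targets in a short window, a legacy protocol, a policy on sensitive targets) and only prompts for MFA when the score warrants it.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class AuthRequest:
    user: str
    source_host: str
    target: str
    protocol: str          # "Kerberos", "NTLM", "LDAP", ...
    timestamp: datetime
    password_ok: bool      # the only signal AD itself produces


@dataclass
class UserBaseline:
    known_hosts: set = field(default_factory=set)
    history: list = field(default_factory=list)   # (timestamp, target) of past requests


# Hypothetical weights and thresholds; a real engine would learn or tune these.
MFA_THRESHOLD = 50
DENY_THRESHOLD = 80


def score_request(req, baseline, policies):
    """Return (risk score, reasons). Higher means more suspicious."""
    score, reasons = 0, []
    if req.source_host not in baseline.known_hosts:
        score += 40
        reasons.append("source host never seen for this user")
    # Many distinct targets within minutes is the shape of lateral movement.
    window = req.timestamp - timedelta(minutes=10)
    recent_targets = {t for ts, t in baseline.history if ts >= window}
    if len(recent_targets) >= 5:
        score += 50
        reasons.append(f"{len(recent_targets)} distinct targets in 10 minutes")
    if req.protocol.upper() == "NTLM":
        score += 10
        reasons.append("legacy NTLM authentication")
    for policy in policies:   # pre-configured policies add fixed risk for sensitive targets
        if req.target in policy["targets"]:
            score += policy["risk"]
            reasons.append(f"policy: {policy['name']}")
    return score, reasons


def decide(req, baseline, policies, mfa_prompt):
    """Steps 2-6 of the flow: password check, risk analysis, optional MFA, verdict.
    Every attempt, allowed or not, is recorded so later requests see the history."""
    if not req.password_ok:
        verdict, reasons = "deny", ["wrong password"]
    else:
        score, reasons = score_request(req, baseline, policies)
        if score >= DENY_THRESHOLD:
            verdict = "deny"
        elif score >= MFA_THRESHOLD:
            verdict = "allow" if mfa_prompt(req.user) else "deny (mfa failed)"
        else:
            verdict = "allow"
    baseline.history.append((req.timestamp, req.target))
    return verdict, reasons


def run_demo():
    """Constructed sequence of authentication requests; returns the verdict list."""
    policies = [{"name": "tier-0 asset", "targets": {"DC01"}, "risk": 40}]
    baselines = {
        "alice": UserBaseline(known_hosts={"WS-ALICE"}),
        "bob": UserBaseline(known_hosts={"WS-BOB"}),
        "carol": UserBaseline(known_hosts={"WS-CAROL"}),
    }

    def mfa_prompt(user):          # stand-in for the MFA service: only alice approves
        return user == "alice"

    t0 = datetime(2023, 5, 18, 9, 0, 0)
    requests = [
        AuthRequest("alice", "WS-ALICE", "FILE01", "Kerberos", t0, True),                          # routine
        AuthRequest("alice", "WS-UNKNOWN", "FILE01", "NTLM", t0 + timedelta(minutes=1), True),     # new host + NTLM
        AuthRequest("alice", "WS-UNKNOWN", "DC01", "Kerberos", t0 + timedelta(minutes=2), True),   # new host + tier-0
        AuthRequest("bob", "WS-BOB", "FILE01", "Kerberos", t0 + timedelta(minutes=3), False),      # wrong password
    ]
    # carol's valid credentials used from her usual host against six servers in six minutes
    requests += [
        AuthRequest("carol", "WS-CAROL", f"SRV0{i}", "Kerberos", t0 + timedelta(minutes=i), True)
        for i in range(1, 7)
    ]
    verdicts = []
    for req in requests:
        verdict, reasons = decide(req, baselines[req.user], policies, mfa_prompt)
        verdicts.append(verdict)
        print(f"{req.user:6} {req.source_host:11} -> {req.target:7} {verdict:18} {'; '.join(reasons)}")
    return verdicts


if __name__ == "__main__":
    run_demo()
```

Note that carol’s first five requests sail through on password alone, exactly as they would in plain AD; it is only the sixth distinct target in ten minutes that trips the step-up, and her failed MFA response turns it into a deny. The same history-based check is what lets an engine sitting behind AD catch credential misuse that no single request would reveal.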

Agentless and Proxyless Technology, Agnostic to All Protocols and Access Methods

As you can see, this unique ability to receive every access attempt in real time from AD enables Silverfort to add the missing risk analysis and MFA capabilities into the AD authentication flow. Additionally, because Silverfort sits behind AD and gets 100% of its authentication requests, this eliminates the need to install MFA agents on individual resources or place a proxy in front of them. It also means that it makes no difference what protocol is used or whether it supports MFA. As long as an authentication to AD is carried out, AD will forward this to Silverfort and protection will be in place.

 

(c) Ravie Lakshmanan

Escalating China-Taiwan Tensions Fuel Alarming Surge in Cyber Attacks

The rising geopolitical tensions between China and Taiwan in recent months have sparked a noticeable uptick in cyber attacks on the East Asian island country.

“From malicious emails and URLs to malware, the strain between China’s claim of Taiwan as part of its territory and Taiwan’s maintained independence has evolved into a worrying surge in attacks,” the Trellix Advanced Research Center said in a new report.

The attacks, which have targeted a variety of sectors in the region, are mainly designed to deliver malware and steal sensitive information, the cybersecurity firm said, adding it detected a four-fold jump in the volume of malicious emails between April 7 and April 10, 2023.

Some of the most impacted industry verticals during the four-day time period were networking, manufacturing, and logistics.

What’s more, the spike in malicious emails targeting Taiwan was followed by a 15x increase in PlugX detections between April 10 and April 12, 2023, indicating that the phishing lures acted as an initial access vector to drop additional payloads.

PlugX, a remote access trojan spotted in the wild since 2008, is a Windows backdoor that has been put to use by numerous Chinese threat actors to control victim machines. It’s also known for employing DLL side-loading techniques to fly under the radar.


“This technique consists of a legitimate program loading a malicious dynamic link library (DLL) file that masquerades as a legitimate DLL file,” Trellix researchers Daksh Kapur and Leandro Velasco said.

“This allows the execution of arbitrary malicious code bypassing security measures that look for malicious code running directly from an executable file.”

Besides PlugX, Trellix said it also identified other malware families such as the Kryptik trojan as well as stealers like Zmutzy and FormBook targeting the nation.

That’s not all. Some of the socially engineered messages contained links to seemingly innocuous login pages that mimic legitimate brands, including DHL, in an attempt to trick users into entering their credentials.

“In the past few years, we noticed that geopolitical conflicts are one of the main drivers for cyber attacks on a variety of industries and institutions,” Joseph Tal, senior vice president of the Trellix Advanced Research Center, said.

“Monitoring geopolitical events can help organizations to predict cyber attacks in countries they operate in.”

 

(c) Ravie Lakshmanan

OilAlpha: Emerging Houthi-linked Cyber Threat Targets Arabian Android Users

A hacking group dubbed OilAlpha with suspected ties to Yemen’s Houthi movement has been linked to a cyber espionage campaign targeting development, humanitarian, media, and non-governmental organizations in the Arabian peninsula.

“OilAlpha used encrypted chat messengers like WhatsApp to launch social engineering attacks against its targets,” cybersecurity company Recorded Future said in a technical report published Tuesday.

“It has also used URL link shorteners. Per victimology assessment, it appears a majority of the targeted entities were Arabic-language speakers and operated Android devices.”

OilAlpha is the new cryptonym given by Recorded Future to two overlapping clusters previously tracked by the company under the names TAG-41 and TAG-62 since April 2022. TAG-XX (short for Threat Activity Group) is the temporary moniker assigned to emerging threat groups.

The assessment that the adversary is acting in the interest of the Houthi movement is based on the fact that the infrastructure used in the attacks is almost exclusively associated with Public Telecommunication Corporation (PTC), a Yemeni telecom service provider under Houthi control.

That said, the persistent use of PTC assets doesn’t exclude the possibility of a compromise by an unknown third party. Recorded Future, however, noted that it did not find any evidence to back up this line of reasoning.

Another factor is the use of malicious Android-based applications to likely surveil delegates associated with Saudi Arabian government-led negotiations. These apps mimicked entities tied to the Saudi Arabian government and a humanitarian organization in the U.A.E.

The attack chains commence with potential targets – political representatives, media personalities, and journalists – receiving the APK files directly from WhatsApp accounts using Saudi Arabian telephone numbers by masquerading the apps as belonging to UNICEF, NGOs, and other relief organizations.

The apps, for their part, act as a conduit to drop a remote access trojan called SpyNote (aka SpyMax) that comes with a plethora of features to capture sensitive information from infected devices.

“OilAlpha’s focus in targeting Android devices is not surprising due to the high saturation of Android devices in the Arabian Peninsula region,” Recorded Future said.

The cybersecurity company said it also observed njRAT (aka Bladabindi) samples communicating with command-and-control (C2) servers associated with the group, indicating that it’s simultaneously making use of desktop malware in its operations.

“OilAlpha launched its attacks at the behest of a sponsoring entity, namely Yemen’s Houthis,” it theorized. “OilAlpha could be directly affiliated to its sponsoring entity, or could also be operating like a contracting party.”

“While OilAlpha’s activity is pro-Houthi, there is insufficient evidence to suggest that Yemeni operatives are responsible for this threat activity. External threat actors like Lebanese or Iraqi Hezbollah, or even Iranian operators supporting the IRGC, may have led this threat activity.”

 

(c) Ravie Lakshmanan

Identifying a Patch Management Solution: Overview of Key Criteria

Software is rarely a one-and-done proposition.

In fact, any application available today will likely need to be updated – or patched – to fix bugs, address vulnerabilities, and update key features at multiple points in the future.

With the typical enterprise relying on a multitude of applications, servers, and endpoint devices in its day-to-day operations, the acquisition of a robust patch management platform to identify, test, deploy, install, and document all appropriate patches is critical for ensuring systems remain stable and secure.

As with most tech tools, not all patch management solutions are created equal, and what’s seen as robust by one organization may prove inadequate for another. However, an evaluation that begins with a focus on specific key criteria – essential attributes and functionality likely to be offered by many vendors but not all – will allow IT teams to narrow down their options as they work to identify the best solution for their organization’s patch management needs.

Inventory

A patch management tool’s ability to maintain an inventory of all patchable systems is essential for managing patches at every level. Vital information to track includes:

  • the operating system and applications
  • current and past version
  • patch groups
  • patch dependencies.

Where the inventory resides (is it part of the patch system, or can it live in an existing configuration system?) is also an important consideration.

Life Cycle Management

When combined with continuous integration/continuous delivery (CI/CD) processes in DevOps, the patch lifecycle becomes a part of software development for in-house applications. However, keep in mind that patch lifecycles can exhibit complex dependencies. For instance, in Linux operating systems, the platform must determine whether a patch can be applied or if an existing patch must be removed before the new patch is applied, at which point the original patch can be reinstalled.

Patch Testing

In order to determine the impact of a patch on existing systems, a patch management tool must be capable of deploying a patch for testing in a closed environment. This should include the ability to enable debug-level logging on patch installations to ensure no errors were suppressed or determine what triggered a failure in the event that they were. Decision makers should also determine whether there is support for testing on isolated systems, in a pilot group, or, ideally, in an air-gapped environment to validate patches.

Patch Deployment

A solution must be able to deploy patches to all intended systems, including determining deployment policies, groups, and methods appropriate for the item to be patched. Ideally, a deployment will be able to call pre- and post-scripts during deployment to address services, application shutdown, backup processes, or check-pointing, testing, and restart. There must also be a testing process completed before the node is added back into rotation on the load balancer.

Trusted Sources

A patch management tool should know who the trusted uploaders and publishers are, be able to validate the patch, and support an on-site repository of validated and trusted patches. While the use of distributed on-site repositories is optimal for both performance and security purposes, the use of both vendor and on-site repositories is the expected condition. Any tool solely relying on a vendor repository offers the least desirable storage situation.

Patch Prioritization

A patch management solution must be able to either automatically or manually prioritize patches for deployment. If setting patch priority involves a manual process, it’s critical to know the data source used. If the vendor provides the priority, it’s essential to understand how the patch system consumes this information. The use of vendor priority, CVEs, and emergency response when necessary (zero-day patches) will provide an enterprise with the most complete patch management solution.
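The Trusted Sources and Patch Prioritization criteria above describe two checks that belong together in a deployment pipeline: refuse any artifact that is not in the vetted on-site repository, then order what remains by vendor severity, CVE count and zero-day status. The Python below is an added example for this page, not a vendor’s product or the article’s own code; the patch names, versions, contents, severities and CVE identifiers are constructed placeholders. The manifest maps each (name, version) to the SHA-256 of the copy that was vetted into the on-site repository, so an artifact that was altered between vendor and endpoint, or that nobody ever vetted, never reaches the queue regardless of how urgent its label looks.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Patch:
    name: str
    version: str
    content: bytes            # the downloaded artifact
    vendor_severity: str      # "critical", "high", "medium" or "low"
    cve_ids: tuple = ()
    zero_day: bool = False    # vendor reports active exploitation


SEVERITY_WEIGHT = {"critical": 40, "high": 30, "medium": 15, "low": 5}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_against_manifest(patch, manifest):
    """A patch is trusted only if the on-site manifest lists this exact name/version
    and the artifact's SHA-256 matches. Unknown or altered files are rejected."""
    expected = manifest.get((patch.name, patch.version))
    if expected is None:
        return False, "not in trusted manifest"
    if sha256_hex(patch.content) != expected:
        return False, "hash mismatch"
    return True, "ok"


def priority_score(patch):
    """Combine vendor severity, CVE count and zero-day status into one number."""
    score = SEVERITY_WEIGHT.get(patch.vendor_severity.lower(), 0)
    score += 10 * len(patch.cve_ids)
    if patch.zero_day:
        score += 50
    return score


def build_deployment_queue(patches, manifest):
    """Return (queue, rejected): trusted patches as (name, version, score) in
    descending priority, and rejected ones as (name, version, reason)."""
    queue, rejected = [], []
    for patch in patches:
        ok, reason = verify_against_manifest(patch, manifest)
        if ok:
            queue.append(patch)
        else:
            rejected.append((patch.name, patch.version, reason))
    queue.sort(key=lambda p: (-priority_score(p), p.name))   # ties broken by name for stability
    return [(p.name, p.version, priority_score(p)) for p in queue], rejected


def demo():
    """Constructed patches and manifest; names, versions and CVE ids are placeholders."""
    trusted = [
        Patch("browser", "114.0", b"browser patch bytes", "critical", ("CVE-XXXX-0001",)),
        Patch("kernel-hotfix", "1.2", b"kernel patch bytes", "high", ("CVE-XXXX-0002", "CVE-XXXX-0003")),
        Patch("office-suite", "9.0.4", b"office patch bytes", "medium", (), zero_day=True),
        Patch("vpn-client", "3.1", b"vpn patch bytes", "high"),
    ]
    # The manifest is built from the vetted copies held in the on-site repository.
    manifest = {(p.name, p.version): sha256_hex(p.content) for p in trusted}
    downloaded = trusted[:3] + [
        Patch("vpn-client", "3.1", b"vpn patch bytes TAMPERED", "high"),   # altered in transit
        Patch("random-tool", "0.1", b"never vetted", "critical"),           # not in manifest
    ]
    return build_deployment_queue(downloaded, manifest)


if __name__ == "__main__":
    queue, rejected = demo()
    for item in queue:
        print("deploy  ", item)
    for item in rejected:
        print("rejected", item)
```

The ordering shows why the article insists on combining signals: the medium-severity office patch outranks two 50-point patches purely because the vendor flagged active exploitation, which is the zero-day case the text calls out.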

Patching Architecture

Patching can utilize either an agent or agentless method of scanning. Systems with only agentless methods have a negative impact on network and CPU performance and are thus the least desirable. However, while using an agent is expected, solutions utilizing both an agent and an agentless approach provide the most flexibility.

Third-Party Support

An enterprise patching solution must be able to patch third-party applications, especially on desktops and laptops, as these can be a vector for viruses, malware, or ransomware. Obviously, the ability to support all common applications from major players – Adobe, Microsoft, etc. – is non-negotiable. But ideally, third-party support would be extensive and include an ability to support the patching of in-house applications.

Take Away

With businesses and organizations forced to navigate an increasingly treacherous landscape of ransomware and other cyber threats, identifying an effective patch management solution is absolutely critical to ensuring safe and efficient operations. However, as the space has become awash in vendors, determining which solution will best meet the needs of a specific enterprise has only grown more complicated.

There may not be a single patch management solution for every enterprise, making selection more of a process than a simple choice of vendor. However, when the search for a patch management solution begins with an emphasis on key criteria considered to be non-negotiable, decision-makers will be in a better position to formulate a short list of vendors and solutions most likely to meet their organization’s needs.

 

(c) Ravie Lakshmanan

npm packages caught serving TurkoRAT binaries that mimic NodeJS

Researchers have discovered multiple npm packages named after NodeJS libraries that bundle a Windows executable resembling NodeJS but which actually drops a trojan.

These packages, given their stealthiness and a very low detection rate, had been present on npm for over two months prior to their detection by the researchers.

Not the node you’re looking for

Researchers at software security firm ReversingLabs have analyzed three npm packages that lurked on the npmjs.com registry for over two months.

These packages, downloaded a little over 1,200 times in total, are called:

Package                    Versions                                  Total downloads
nodejs-encrypt-agent       6.0.2, 6.0.3, 6.0.4, 6.0.5                521
nodejs-cookie-proxy-agent  1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4   678
axios-proxy                1.7.3, 1.7.4, 1.7.7, 1.7.9, 1.8.9, 1.9.9   23

“First published more than two months ago, nodejs-encrypt-agent appears at first glance to be a legitimate package,” state ReversingLabs researchers in their report.

“However, discrepancies raised red flags with our researchers. Despite that, our first thought was still that this package couldn’t be malicious. If it were, it would surely have been noticed and removed by npm administrators.”

Although nodejs-encrypt-agent didn’t initially sound alarms and even mirrored the functionality of legitimate packages like agent-base, there was more to it, the researchers discovered.

npm page for malicious package nodejs-encrypt-agent (ReversingLabs)

“There was, however, a small, but very significant difference: the nodejs-encrypt-agent package contained a portable executable (PE) file that, when analyzed by ReversingLabs was found to be malicious,” write the researchers.

The PE file being referred to is a Windows executable ‘lib.exe,’ about 100 MB in size that may not look suspicious right away.

lib.exe present inside nodejs-encrypt-agent npm package (BleepingComputer)

The file closely resembles the real NodeJS application with regard to its PE headers, metadata, code, and functionality. In fact, BleepingComputer observed that variants of the ‘lib.exe’ executable present in certain versions of nodejs-encrypt-agent had a very low detection rate:

Low VirusTotal detection rate for certain ‘lib.exe’ files (VirusTotal)

The same is true of the lib.exe specifically analyzed by ReversingLabs. VirusTotal analysis reveals how the executable mimics Node.js and carries metadata identical to the legitimate application’s.

ReversingLabs researcher Igor Kramarić who analyzed the malicious package spotted that one or more JavaScript files within nodejs-encrypt-agent contained legitimate functionality but also had code that quietly ran the bundled ‘lib.exe’:

npm package running the bundled ‘lib.exe’ (ReversingLabs)

“As we observed above: there was little question that the PE discovered within the npm package was malicious,” states Lucija Valentić of ReversingLabs.

The malicious executable in question ran what’s called TurkoRAT infostealer—a customizable “grabber” and credential stealer that is hard to detect.

“The list of malicious or suspicious behaviors observed was long, with features designed to steal sensitive information from infected systems including user login credentials and crypto wallets as well as fool or defeat sandbox environments and debuggers that are used to analyze malicious files.”

A snippet of TurkoRAT code packed within the EXE (ReversingLabs)

Like nodejs-encrypt-agent, versions of nodejs-cookie-proxy-agent also dropped this trojan but introduced an additional step in between to evade detection.

Instead of bundling ‘lib.exe’ directly, nodejs-cookie-proxy-agent listed axios-proxy as a dependency, and it was the latter that contained the malicious executable, which was pulled in whenever the former package was installed.

“This time, attackers disguised it as a dependency, axios-proxy, that was imported into every file found inside nodejs-cookie-proxy-agent versions 1.1.0, 1.2.0, 1.2.1 and 1.2.2,” reveal the researchers.

All malicious packages were removed from the npm registry shortly after their detection by ReversingLabs. But the fact that they remained on npm for more than two months highlights the ongoing risk that unvetted open source packages pose to software supply chain security, warn the researchers.
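Two details in this story give a defender something concrete to check before a package reaches a build host: a Windows PE image hidden in a JavaScript package (under any file name; here it happened to be ‘lib.exe’, but the dependency trick shows it could just as well be a bland .dat), and JavaScript that hands such a file to child_process. The scanner below is an added example written for this page, not ReversingLabs’ or npm’s tooling; the sample package tree it builds is constructed to mirror the pattern described above, including a dependency under node_modules that carries the binary, and the packed PE is a minimal header rather than any real program. It identifies executables by the MZ/PE signatures rather than by extension, and it walks node_modules so a binary smuggled in through a dependency is found too.

```python
import os
import re
import struct
import tempfile

# JavaScript that hands a bundled .exe to child_process, e.g. spawn('./lib.exe').
LAUNCH_PATTERN = re.compile(
    r"\b(?:spawn|spawnSync|exec|execSync|execFile|execFileSync)\s*\(\s*[^)]*\.exe",
    re.IGNORECASE,
)


def is_pe_file(path):
    """Identify a Windows PE image by content: 'MZ' at offset 0 and the 'PE\\0\\0'
    signature at the offset stored in e_lfanew (0x3C). The file name is ignored."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(0x40)
            if len(header) < 0x40 or header[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", header, 0x3C)
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\0\0"
    except OSError:
        return False


def scan_package(root):
    """Walk an installed package tree (node_modules included, so a binary carried by a
    dependency is found as well) and return sorted (finding, relative path) pairs."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if is_pe_file(path):
                findings.append(("pe_executable", rel))
            elif name.endswith(".js"):
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    if LAUNCH_PATTERN.search(fh.read()):
                        findings.append(("launches_binary", rel))
    return sorted(findings)


def fake_pe_bytes():
    """Smallest byte string the check above accepts: a DOS header pointing at 'PE\\0\\0'.
    Constructed stand-in for a real executable; it runs nothing."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0"


def build_sample_package(root):
    """Constructed package tree modelled on the article: ordinary-looking module code
    that quietly runs a bundled binary, plus a dependency carrying a PE under a bland name."""
    files = {
        "package.json": '{"name": "sample-agent", "version": "0.0.1", "dependencies": {"dep": "*"}}',
        "README.md": "# sample-agent\nA perfectly ordinary proxy agent.\n",
        "index.js": "const { spawn } = require('child_process');\n"
                    "module.exports = function agent(opts) { return opts; };\n"
                    "spawn(__dirname + '/lib.exe', [], { detached: true, stdio: 'ignore' }).unref();\n",
        "lib.exe": fake_pe_bytes(),
        "node_modules/dep/index.js": "module.exports = {};\n",
        "node_modules/dep/payload.dat": fake_pe_bytes(),
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb" if isinstance(content, bytes) else "w") as fh:
            fh.write(content)


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_package(tmp)
        return scan_package(tmp)


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:16} {rel}")
```

Run against a real node_modules tree, the two finding types are worth treating differently: a PE anywhere in a pure-JavaScript dependency is unusual enough to block on, while a child_process call on a bundled binary is a prompt to read that file before installing it, since legitimate native tooling does exist.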

 

(c) Bill Toulas

Police dismantles Try2Check credit card verifier used by dark web markets

The U.S. Department of Justice announced today the indictment of Russian citizen Denis Gennadievich Kulkov, suspected of running a stolen credit card checking operation that generated tens of millions in revenue.

Kulkov is believed to have created the Try2Check underground service in 2005, a platform that soon became highly popular among cybercriminals in the illegal credit card trade and helped the suspect make at least $18 million in bitcoin.

The service was used by those who dealt with both the bulk purchase and sale of stolen credit card numbers and needed to check what percentage of cards were valid and active, including dark web marketplaces like Joker’s Stash for card testing.

With the help of the Try2Check platform, the defendant victimized not only credit card holders and issuers but also a prominent U.S. payment processing firm whose systems were exploited to conduct the card checks.

Try2Check was also taken down on Wednesday following a joint operation between the U.S. government and partners in Germany and Austria, including units in the Austrian Criminal Intelligence Service, the German Federal Criminal Police Office (B.A.), the German Federal Office for Information Security (B.S.), and the French Central Directorate of the Judicial Police (DCPJ).

Try2Check seizure banner

“Try2Check ran tens of millions of credit card checks per year and supported the operations of major card shops that made hundreds of millions in bitcoin in profits,” the DOJ said today.

“Over a nine-month period in 2018, the site performed at least 16 million checks, and over a 13-month period beginning in September 2021, the site performed at least 17 million checks.”

The U.S. State Department in partnership with the U.S. Secret Service also announced today a $10 million reward through the Transnational Organized Crime Rewards Program (TOCRP) for anyone who can provide information that leads to the capture of Kulkov, who now resides in Russia.

Denis Gennadievich Kulkov (U.S. Secret Service)

If found guilty and convicted, Kulkov faces 20 years of imprisonment as soon as he is apprehended.

“The individual named in today’s indictment is accused of operating a criminal service with immeasurable reach to fund further illicit activity with global impact,” said U.S. Secret Service Special Agent in Charge Patrick J. Freaney.

“Thanks to the cooperation and dedication of our global law enforcement community, Try2Check can no longer serve as a vehicle for continued criminal activity or illicit profits.”

 

(c) Bill Toulas