The Good, the Bad and the Ugly in Cybersecurity – Week 40

The Good | Officials Indict Three IRGC Actors for Hack-and-Leak Campaign Against the 2024 U.S. Presidential Election

Three Islamic Revolutionary Guard Corps (IRGC) employees have been indicted by the DoJ for hacking former President Donald Trump's campaign and targeting U.S. campaign officialsand members of the media and several NGOs. Masoud Jalili (36), Seyyed Ali Aghamiri (34), and Yaser Balaghi (37) are charged for activities that span from 2020 to 2024, which amplify Iran's continued efforts to steal sensitive government information and undermine the U.S. electoral process.

In May, Jalili, Aghamiri, and Balaghi used years' worth of compromised accounts from former U.S. officials to target and gain access to personal accounts belonging to campaign members via spear phishing attacks. The conspirators continued by targeting Trump's re-election efforts, stealing non-public material from his campaign and attempting to share them with President Biden's team and various media outlets.

Despite these efforts, none of the recipients responded to their outreach. This 'hack-and-leak' attack also involved impersonating government officials and using fake personas to trick victims into downloading malware. U.S. officials confirmed the hackers tried to exploit the stolen data by contacting the media, but their attempts were mostly unsuccessful.

A joint advisory released by U.S and U.K. cybersecurity agencies warn that IRGC actors are likely to continue using similar tactics to influence elections and target high-profile individuals. The Department of State has announced a $10 million reward for information on Jalili, Aghamiri, and Balaghi's whereabouts. If convicted, the three IRGC actors face prison for aggravated identity theft, access device fraud, wire fraud, and conspiracy to provide material support to a designated foreign terrorist organization.

The Bad | Fake Crypto Wallet Tools Stealing Digital Assets Target PyPi Developer Community

A wave of malicious packages have been found in the Python Package Index (PyPI), posing as cryptocurrency wallet management tools but designed to steal data and digital assets. Researchers uncovering these packages noted that users of popular wallets such as Atomic, Trust Wallet, Metamask, Ronin, TronLink, Exodus, have all been targeted.

The packages work by masquerading as utilities for mnemonic phrase extraction and wallet data decryption so malicious actors can exfiltrate private keys, transaction histories, and wallet balances. Names for the packages such as "trustdecoderss" and "phantomdecoderss" were intentionally chosen to appeal to developers within the cryptocurrency ecosystem. To boost credibility, actors provided detailed installation instructions, usage examples, and even fake best practices and download statistics. Some of these packages showed a significant number of downloads averaging upwards of 300 to 400+ hits before they were removed from the index.

A key denominator across the packages was having the payload triggered only when specific functions were called, allowing it to remain undetected during installation. Exfiltrated data is then sent to remote servers. As an additional layer of security, the server addresses are retrieved dynamically through external resources in a technique known as 'dead drop resolver', which makes the servers much harder to trace yet easy to swap out should they be taken down.

Instead of triggering malicious actions during installation, packages remain dormant until specific actions are called (Source: Checkmarx)

Campaigns like this one can affect a broad spectrum of users given the level of trust in open-source communities and widespread use of wallet management tools. With threat actors creating new schemes to drain wallets, ongoing vigilance and a focus on continuous monitoring and community awareness continue to be critical across both the open-source software and cryptocurrency ecosystems.

The Ugly | CISA Warns Agencies to Patch Ivanti Endpoint Manager Flaw Under Active Exploit

Warnings from CISA this week center around a critical vulnerability in Ivanti's Endpoint Manager (EPM) appliances that is being actively exploited by threat actors. The vulnerability, tracked as CVE-2024-29824, affects EPM's Core server and allows unauthenticated attackers in the same network to perform remote code execution (RCE) via SQL injection on unpatched systems.

The Utah-based IT firm first released a security update on the vulnerability in May along with five others, all impacting EPM 2022 SU5 and earlier versions. A month later, researchers released a deep dive on CVE-2024-29824 specifically accompanied by a proof of concept (PoC) exploit published on GitHub. Their analysis urged Ivanti adminds to review MS SQL logs for signs of exploitation, particularly focusing on evidence of xp_cmdshell being used to obtain command execution.

Updating their original advisory, Ivanti has confirmed cases of the flaw being exploited in the wild and stated that a limited number of customers have been compromised. CISA has added CVE-2024-29824 to its Known Exploited Vulnerabilities (KEV) catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch affected systems within three weeks under BOD 22-01.

While the KEV catalog primarily targets federal agencies, global organizations are also urged to prioritize patching to prevent attacks. Ivanti appliances have been a frequent target of zero-day exploits in this year, including a spate of attacks on the firm's Connect Secure (ICS) and Policy Secure (IPS) network access control appliances, ZTA gateways, and Cloud Services Appliance (CSA). An open letter from the firm's CEO acknowledges the severity of the issues and outlines Ivanti's goals to revamp their core engineering, security, and vulnerability management practices.

Encouraged to see this statement from @GoIvanti CEO Jeff Abbott taking ownership of security outcomes for customers and committing to move forward on the path to secure by design technology. https://t.co/N1TStXKBM7

- Jen Easterly️ (@CISAJen) April 3, 2024

Public link

Please use the above public link if you want to share this noodl on another website.