ElizaRAT hits India
Security researchers at Check Point discovered an ongoing campaign from Transparent Tribe, a group with suspected ties to the Pakistani government, that has used the custom implant ElizaRAT since at least late 2023. The group has used it to target Indian entities in cyberespionage operations. Transparent Tribe distributes ElizaRAT through phishing lures that prompt the victim to download a malicious Windows Control Panel (CPL) file from Google Drive. The researchers also noted that in early 2024, ElizaRAT gained upgraded capabilities, including downloading specific second-stage payloads and automating data exfiltration. Check Point sees these updates as part of a trend toward more flexible and modular payload deployment.
IT outage impacts Washington courts
The Washington State Administrative Office of the Courts (AOC) confirmed that it recently observed “unauthorized activity” on its network and took critical systems offline. AOC associate director Wendy Ferrell said there was “no reason to believe that was a targeted attack,” but the office took the network offline for “security reasons.” Because AOC oversees technology across the court system, every court in Washington saw some impact and will operate with “limited service.” In-person customer service remains available, and officials recommend contacting courts directly to find out which services are available.
Alleged Snowflake hacker arrested
Canada’s Department of Justice confirmed that authorities arrested Alexander Moucka, an individual suspected of being involved in accessing data stored in customer accounts at the cloud services company Snowflake under the aliases Waifu and Judische. These attacks accessed data from roughly 165 corporate customers, including AT&T and Ticketmaster. Speaking to 404 Media last month, Judische said they expected to be arrested by authorities soon, and claimed they had “destroyed a lot of evidence.” Moucka was arrested on a provisional warrant on October 30th at the request of US authorities. Turkish authorities arrested an alleged co-conspirator in the attacks, John Binns, earlier this year.
Russian intelligence blamed for parcel bomb plot
Over the last few months, parcels sent via DHL exploded at two warehouse locations in Europe. The head of Germany’s domestic intelligence service told a government hearing that one of these parcels would have been aboard a cargo flight if not for a delay. Lithuania’s chief national security adviser, Kęstutis Budrys, blamed the incidents on Russia’s GRU military intelligence agency, and the Wall Street Journal reports that several other Western intelligence agencies agree with this assessment. Polish officials arrested four people back in July for concealing explosives in packages. DHL said it is “cooperating with the relevant authorities to protect our people, our network, and our customers’ shipments.”
Thanks to today’s episode sponsor, Vanta

Visit vanta.com to learn more about Questionnaire Automation.
Interpol operation takes down 22,000 IP addresses
The international police organization announced that, as part of Operation Synergia II, it took down 1,037 malicious servers across 22,000 IP addresses, leading to 41 arrests. The operation ran from April to August 2024, with actions in Hong Kong, Mongolia, Macau, Madagascar, and Estonia. Interpol worked with threat intelligence from Group-IB, Kaspersky, Trend Micro, Team Cymru, and other private firms to identify over 30,000 suspect IP addresses, of which 76% were eventually taken down.
Columbus drops case against whistleblower
Over the summer, we covered the Rhysida ransomware attack against the city of Columbus, Ohio. The group leaked 3.1 terabytes of data stolen from the city, which officials claimed was encrypted and corrupted. Security researcher David Leroy Ross, also known as Connor Goodwolf, showed that the data was intact and accessible online. The city subsequently sued Ross for damages and sought an order to stop him from discussing the leaked data. Now, the two parties have agreed to drop the case. Ross got the case dismissed with prejudice, which means the city can’t sue him again over the same matter, but he agreed to a permanent injunction under which he may share data from this leak only if it is already in the public record or he has written approval from the city.
CISA urges you to vet election information
A joint advisory from CISA, the FBI, and the Office of the Director of National Intelligence warned that Russia, Iran, and other foreign adversaries will likely increase online disinformation efforts meant to undermine the US presidential election in the coming weeks. The advisory urged voters to look for trusted, official sources from state and local election officials, not media outlets or online accounts.
In other election news, Meta will expand its ban on new election ads until several days after the polls close. The company already blocked new social issues, electoral, or political ads the week prior to the election. Google also announced a similar ad ban last month.
(Infosecurity Magazine, Axios)
A typosquatting campaign with a crypto spin
Typosquatting npm packages is a tried and true technique. Researchers from Phylum, Socket, and Checkmarx each spotted the same campaign, which used at least 287 malicious packages to lure developers who fat-finger a package name. Phylum suggests the campaign is still in its early stages, targeting several popular cryptocurrency libraries. Once a malicious package is installed, it establishes persistence and then queries an Ethereum smart contract to retrieve the IP address of a C2 server from which it fetches further payloads. Because the contract lives on a decentralized blockchain, the operator can simply update the address it returns instead of depending on infrastructure that defenders can take down. There is no word on who is operating the campaign, but Socket noted that it found error messages written in Russian.
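As an added example (not code from this article, nor from Phylum, Socket, or Checkmarx), here is one heuristic check a team could run over a manifest before installing: each dependency name is compared against a watchlist of packages worth impersonating using Damerau-Levenshtein distance, which counts exactly the edits a slipped finger produces (a dropped, added, substituted, or transposed character). The watchlist, the sample package.json, and the per-name edit threshold are constructed assumptions for the example.

```javascript
// Added example, not code from the article or from any of the cited vendors.
// Flags dependencies whose names sit within a fat-finger of a watchlisted
// package. WATCHLIST, SAMPLE_PACKAGE_JSON and the thresholds are constructed.

// Constructed watchlist: popular packages an attacker would want to imitate.
const WATCHLIST = [
  'ethers', 'web3', 'hardhat', 'bitcoinjs-lib', '@solana/web3.js',
  'lodash', 'express', 'react', 'axios',
];

// Damerau-Levenshtein (optimal string alignment) distance: insertions,
// deletions, substitutions and adjacent transpositions each cost 1.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      // Adjacent transposition, e.g. "ethres" vs "ethers".
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Assumed threshold: short names get one edit, longer names two, to keep
// false positives down on names like "web3".
function allowedEdits(known) {
  return known.length < 6 ? 1 : 2;
}

// Watchlist entries that `name` resembles, excluding an exact match
// (an exact match is the real package, not a squat of it).
function findLookalikes(name, watchlist = WATCHLIST) {
  const hits = [];
  for (const known of watchlist) {
    if (known === name) continue;
    const distance = editDistance(name.toLowerCase(), known.toLowerCase());
    if (distance <= allowedEdits(known)) hits.push({ known, distance });
  }
  return hits.sort((x, y) => x.distance - y.distance);
}

// Walks every dependency section of a parsed package.json and reports
// names that resemble a watchlisted package.
function auditPackageJson(pkg, watchlist = WATCHLIST) {
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies'];
  const findings = [];
  for (const section of sections) {
    for (const name of Object.keys(pkg[section] || {})) {
      const lookalikes = findLookalikes(name, watchlist);
      if (lookalikes.length) findings.push({ section, name, lookalikes });
    }
  }
  return findings;
}

// Constructed sample manifest: two genuine packages and two typosquats.
const SAMPLE_PACKAGE_JSON = {
  name: 'example-dapp',
  dependencies: { ethers: '^6.13.0', etherss: '1.0.0', 'bitcoinjs-lb': '1.0.0' },
  devDependencies: { hardhat: '^2.22.0' },
};

// Human-readable report lines for a manifest.
function report(pkg) {
  return auditPackageJson(pkg).map((f) => {
    const near = f.lookalikes.map((l) => `${l.known} (distance ${l.distance})`).join(', ');
    return `[${f.section}] ${f.name} resembles ${near}`;
  });
}

for (const line of report(SAMPLE_PACKAGE_JSON)) console.log(line);
```

Edit distance catches only the fat-finger class of squats; scope swaps, homoglyphs, and a lookalike published under a plausible but unrelated name need separate checks, and a hit here is a prompt to inspect the package (its publisher, its install scripts, its network calls), not proof of malice.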