@securelist.com
//
Developers using the AI-powered coding assistant Cursor have fallen victim to a sophisticated crypto heist, losing an estimated $500,000. The incident involved a malicious extension, disguised as a legitimate tool for Solidity developers, which was distributed through the Open VSX marketplace. This marketplace, which serves as a source for extensions for AI development tools like Cursor, does not undergo the same stringent security checks as other marketplaces, creating a vulnerability that attackers exploited. The fake extension, titled "Solidity Language," managed to gain tens of thousands of downloads, likely boosted by bot activity, and successfully deceived even experienced users.
The malicious extension operated by silently executing PowerShell scripts and installing remote access tools on the victim's computer. Upon installation, the extension contacted a command-and-control server to download and run these harmful scripts. The attackers then leveraged the installed remote access application, ScreenConnect, to gain full control of the compromised system. This allowed them to upload additional malicious payloads, specifically targeting the developer's crypto wallet passphrases and ultimately siphoning off approximately $500,000 in cryptocurrency assets. The attackers also employed algorithm tricks to ensure the malicious extension ranked highly in search results, further increasing its visibility and the likelihood of it being downloaded by unsuspecting developers. This incident highlights a growing trend of attacks that leverage vulnerabilities within the open-source software ecosystem. While the Solidity Language extension itself offered no actual functionality, its deceptive appearance and elevated search ranking allowed it to trick users into installing malware. Security experts are urging developers to exercise extreme caution when installing extensions, emphasizing the importance of verifying extension authors and using robust security tools. The weaponization of AI-enhanced development tools serves as a stark reminder that the very tools designed to enhance productivity can be turned into vectors for significant financial loss if not handled with the utmost security awareness. References :
Classification:
Kaspersky@Securelist
//
The Librarian Ghouls APT group, also known as Rare Werewolf, is actively targeting Russian entities, with additional victims reported in Belarus and Kazakhstan. According to a recent report by Kaspersky, this sophisticated threat actor employs a range of techniques to compromise systems, including the use of RAR archives and BAT scripts. The group leverages legitimate software and multiple communication channels like email, Facebook, and Telegram to deliver malicious payloads, often operating during night hours to minimize detection. The APT has been consistently targeting Russian companies, with attacks continuing almost unabated since 2024, with a slight decline in December followed by a new wave of attacks.
The primary initial infection vector for Librarian Ghouls involves targeted phishing emails containing password-protected archives with executable files inside. These malicious emails are typically disguised as messages from legitimate organizations, containing attachments that appear to be official documents or payment orders. Once the victim opens the archive and extracts the files, the infection process begins. The group's objective is to establish remote access to compromised hosts, steal credentials, and deploy the XMRig cryptocurrency miner. Rare Werewolf stands out for its preference for legitimate third-party software over developing its own malicious binaries. For example, in some attacks, a legitimate tool called 4t Tray Minimizer is used. The malicious functionality is implemented through command files and PowerShell scripts. A salient aspect of their tactics is launching a PowerShell script that wakes up the victim system at 1 a.m. local time and allows the attackers remote access to it for a four-hour window via AnyDesk, before shutting down the machine at 5 a.m. References :
Classification:
Mike Moore@techradar.com
//
A new wave of cyberattacks is targeting Internet of Things (IoT) devices through both the Mirai botnet and BadBox 2.0 malware. Cybersecurity researchers have discovered a new variant of the Mirai botnet that exploits a critical vulnerability, CVE-2024-3721, in TBK DVR devices. This vulnerability allows attackers to remotely deploy malicious code on digital video recording systems commonly used for surveillance. Kaspersky GReAT experts have described the new features of this Mirai variant, noting that the latest botnet infections specifically target TBK DVR devices.
Simultaneously, the FBI has issued a warning about the dangerous BadBox 2.0 malware, which has already infected over a million devices, including smart TVs, streaming boxes, digital projectors, and tablets. These devices, often cheap, off-brand, Android-powered units, are being hijacked to form a global botnet used for malicious activities such as ad fraud, click fraud, and distributed denial-of-service (DDoS) attacks. The compromised devices are turned into residential proxies, which are then sold or provided for free to cybercriminals, enabling a wide range of illicit activities. The Mirai botnet leverages a vulnerability in TBK DVR devices, enabling unauthorized system command execution. Attackers send targeted POST requests to vulnerable endpoints, containing encoded shell commands to download and execute ARM32 binary payloads. This streamlined approach allows for efficient infection, bypassing traditional reconnaissance phases. Meanwhile, BadBox 2.0 often comes preloaded on devices or is transferred through malicious firmware updates and Android applications. Once infected, devices become part of a botnet that cybercriminals exploit for various nefarious purposes, highlighting the persistent threat IoT devices pose to cybersecurity. References :
Classification:
|