CyberSecurity news

FlagThis - #supplychainsecurity

Dissent@DataBreaches.Net //
Luxury brand Cartier has confirmed a data breach impacting its customers. The breach stemmed from a security incident affecting one of its third-party service providers. This incident has exposed sensitive customer information, including names, contact details, and dates of birth. Cartier has notified affected clients and is taking steps to address the breach and reinforce its security measures.

This incident highlights the growing concern around supply chain security and the vulnerabilities that third-party vendors can introduce. Even prestigious brands like Cartier are exposed to data breaches if their partners' defences are not robust, and their reputation suffers for it. The breach is a reminder that supply chain risk is not theoretical: organizations need to assess and manage the security of their external service providers as carefully as their own.

While details remain limited, this breach comes amid a series of recent cyberattacks targeting high-end brands in both Europe and the U.S. It is not yet known whether these attacks are related or the work of a single group. According to SecurityWeek, Cartier emphasized that no passwords, credit card numbers, or banking information were involved. Cartier is owned by Richemont, and the company is working to determine the full scope of the incident and to implement measures to prevent future occurrences.



References :
  • bsky.app: Cartier suffered a data breach that exposed customer personal information after its systems were compromised.
  • DataBreaches.Net: Cartier Data Breach: Luxury Retailer Warns Customers that Personal Data Was Exposed
  • malware.news: Cartier Data Breach: Luxury Retailer Warns Customers that Personal Data Was Exposed
  • Graham Cluley: Cartier has confirmed a data breach that exposed customers' personal information, following a security incident at a third-party service provider.
  • BleepingComputer: Luxury fashion brand Cartier is warning customers it suffered a data breach that exposed customers' personal information after its systems were compromised.
  • www.techradar.com: Luxury retailer Cartier experienced a data breach exposing customer personal information, including names, emails, and countries.
  • cyberinsider.com: Cartier Alerts Customers of Data Breach Exposing Personal Information
  • Davey Winder: Warning As Cartier Hacked — What You Need To Know
  • www.scworld.com: Data compromise confirmed by Cartier
  • securityaffairs.com: Luxury-goods conglomerate Cartier disclosed a data breach that exposed customer information after a cyberattack.
  • hackread.com: Cyberattacks Hit Top Retailers: Cartier, North Face Among Latest Victims
  • www.itpro.com: North Face, Cartier among latest retail cyber attack victims – here’s what we know so far
  • The Register - Security: Bling slinger Cartier tells customers to be wary of phishing attacks after intrusion
The Hacker News //
A cyber espionage group known as Earth Ammit, believed to be linked to Chinese APT groups, has been actively targeting organizations in Taiwan and South Korea through coordinated multi-wave attacks. These campaigns, dubbed VENOM and TIDRONE, were conducted from 2023 to 2024 and aimed to disrupt the drone supply chain by compromising trusted networks. Victims spanned various sectors, including military, satellite, heavy industry, media, technology, software services, and healthcare, highlighting the group's broad targeting scope. The attacks demonstrate Earth Ammit's long-term goal to compromise trusted networks via supply chain attacks, allowing them to target high-value entities downstream and amplify their reach, potentially leading to data theft and exfiltration of credentials.

The VENOM campaign focused on penetrating the upstream segment of the drone supply chain. Attackers exploited web server vulnerabilities to deploy web shells and used open-source tools like REVSOCK and Sliver in an attempt to avoid attribution. The only custom malware observed in VENOM was VENFRPC, a customized build of FRPC, the client component of the open-source fast reverse proxy (frp). The goal was to harvest credentials and use them as a stepping stone for the TIDRONE campaign, which targeted downstream customers.

The TIDRONE campaign involved multiple stages, mirroring the VENOM campaign by targeting service providers to inject malicious code and distribute malware to downstream customers. Custom-built tools like CXCLNT and CLNTEND backdoors were used for cyber espionage purposes. Post-exploitation activities included establishing persistence, escalating privileges, disabling antivirus software, and installing screenshot capturing tools. Trend Micro researchers have provided detections and blocking mechanisms via Trend Vision One™ and offer hunting queries and threat intelligence reports to help organizations defend against Earth Ammit's tactics.



References :
  • Virus Bulletin: Trend Micro's Pierre Lee, Vickie Su & Philip Chen discuss the evolving tradecraft of threat actor Earth Ammit, proven by the advanced toolset used in its TIDRONE and VENOM campaigns that targeted the drone supply chain.
  • www.trendmicro.com: Trend™ Research discusses the evolving tradecraft of threat actor Earth Ammit, proven by the advanced toolset used in its TIDRONE and VENOM campaigns that targeted the drone supply chain.
  • The Hacker News: A cyber espionage group known as Earth Ammit has been linked to two related but distinct campaigns from 2023 to 2024 targeting various entities in Taiwan and South Korea, including military, satellite, heavy industry, media, technology, software services, and healthcare sectors.
  • Industrial Cyber: Earth Ammit espionage campaign targets government, critical infrastructure with novel tools
  • industrialcyber.co: Earth Ammit espionage campaign targets government, critical infrastructure with novel tools
  • aboutdfir.com: The Chinese-speaking threat group Earth Ammit targeted a broader range of industries than just Taiwanese drone manufacturers, as initially assumed.
Classification:
  • HashTags: #CyberEspionage #SupplyChainSecurity #EarthAmmit
  • Company: Trend Micro
  • Target: Taiwan, South Korea
  • Attacker: Earth Ammit
  • Product: TIDRONE and VENOM
  • Feature: tradecraft
  • Malware: VENOM, TIDRONE
  • Type: Espionage
  • Severity: Major
@socket.dev //
A malicious Python package named 'discordpydebug' has been discovered on the Python Package Index (PyPI) repository, posing a significant threat to Discord developers. The package, disguised as a simple utility for debugging Discord bots, actually contains a remote access trojan (RAT). This RAT allows attackers to execute commands and exfiltrate data from infected systems via a covert command-and-control (C2) channel. The 'discordpydebug' package was uploaded on March 21, 2022, and has since been downloaded over 11,000 times, putting numerous developer systems at risk.

The 'discordpydebug' package targets developers who build or maintain Discord bots. The attackers took advantage of the fact that PyPI doesn't enforce strict security audits, misleading developers with a legitimate-sounding name and copying code from popular projects to appear trustworthy. The package establishes communication with an attacker-controlled server at "backstabprotection.jamesx123.repl[.]co", and includes features to read and write arbitrary files based on commands received from the server, along with the ability to run shell commands.

The simplicity of the RAT is what makes it effective. The package avoids inbound connections, instead opting for outbound HTTP polling to bypass firewalls and security monitoring tools, especially in less controlled development environments. This discovery highlights the increasing danger of software supply chain attacks and the importance of vigilance when installing packages from open-source repositories. The Socket Research Team urges developers to be cautious and scrutinize any third-party tools or code snippets shared within the Discord developer community.
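The outbound HTTP polling described above leaves a regular cadence in proxy logs that a defender can look for. The following is an added example, not Socket's code: it parses constructed proxy log lines, flags destination hosts contacted at a near-constant interval, and separately matches the C2 host named in the report. The log format and sample lines are assumptions.

```python
"""Detect regular outbound HTTP polling (beaconing) in proxy logs.

Added example, not Socket's code. Log format and sample lines are
constructed; the C2 host is the one named in the Socket report.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

KNOWN_C2 = {"backstabprotection.jamesx123.repl.co"}  # from the report, refanged
LINE = re.compile(r"^(\S+ \S+) (\S+) (\w+) https?://([^/\s]+)")

# Constructed proxy log lines: a dev box polling the C2 every 60 s, plus normal browsing.
SAMPLE_LOG = """\
2025-05-10 09:00:00 10.0.0.5 POST https://backstabprotection.jamesx123.repl.co/poll
2025-05-10 09:00:03 10.0.0.5 GET https://pypi.org/simple/requests/
2025-05-10 09:01:00 10.0.0.5 POST https://backstabprotection.jamesx123.repl.co/poll
2025-05-10 09:01:47 10.0.0.5 GET https://github.com/
2025-05-10 09:02:00 10.0.0.5 POST https://backstabprotection.jamesx123.repl.co/poll
2025-05-10 09:02:31 10.0.0.5 GET https://pypi.org/simple/discord/
2025-05-10 09:03:00 10.0.0.5 POST https://backstabprotection.jamesx123.repl.co/poll
2025-05-10 09:04:00 10.0.0.5 POST https://backstabprotection.jamesx123.repl.co/poll
"""

def parse(log):
    """Yield (timestamp, src_ip, host) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(4)

def find_beacons(log, min_hits=4, max_jitter=0.2):
    """Return {(src, host): mean_interval_s} for hosts contacted at a steady cadence."""
    seen = defaultdict(list)
    for ts, src, host in parse(log):
        seen[(src, host)].append(ts)
    alerts = {}
    for key, stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Low coefficient of variation means machine-driven polling, not a human browsing
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            alerts[key] = avg
    return alerts

def known_c2_hits(log):
    """Hosts from the known C2 set that appear in the log, for a direct IOC match."""
    return {host for _, _, host in parse(log) if host in KNOWN_C2}
```

The cadence check catches a poller even after the C2 host changes; the IOC match is the cheap confirmation for this specific package.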



References :
  • socket.dev: Malicious PyPI Package Targets Discord Developers with Remote Access Trojan
  • The Hacker News: Researchers Uncover Malware in Fake Discord PyPI Package Downloaded 11,500+ Times
  • www.scworld.com: RAT-laced PyPI package sets sights on Discord developers
  • thecyberexpress.com: Article highlighting the malicious discord developer package and its purpose
  • Security Risk Advisors: Malicious PyPI package "discordpydebug" targets Discord developers with a remote access trojan; over 11K downloads; enables arbitrary command execution and data theft.
  • www.bleepingcomputer.com: Malicious Python package targeting Discord developers with remote access trojan (RAT) malware was spotted on the Python Package Index (PyPI) after more than three years.