SecurityWeek is publishing a weekly cybersecurity roundup that provides a concise compilation of noteworthy stories that might have slipped under the radar.
We provide a valuable summary of stories that may not warrant an entire article, but are nonetheless important for a comprehensive understanding of the cybersecurity landscape.
Each week, we will curate and present a collection of noteworthy developments, ranging from the latest vulnerability discoveries and emerging attack techniques to significant policy changes and industry reports.
Here are this week’s stories:
Bigpanzi botnet infects tens of thousands of Android TVs and set-top boxes
Security researchers at Qianxin share a detailed analysis of Bigpanzi, a botnet that is believed to have infected tens of thousands of Android TVs and set-top boxes. The cybercrime ring behind the botnet has been active for at least eight years, engaging in all sorts of illegal activities, including DDoS attacks.
Inferno Drainer multimillion-dollar scam-as-a-service detailed
Group-IB details Inferno Drainer, a defunct multichain crypto drainer that operated as a scam-as-a-service between November 2022 and November 2023. Impersonating over 100 brands, the threat actors used phishing to trick victims into connecting their crypto-wallets to attacker-controlled infrastructure, stealing at least $80 million in assets.
NoName057(16) launched over 1,500 DDoS attacks against NATO-aligned nations
Since March 2022, the pro-Russian threat actor NoName057(16) has launched over 1,500 DDoS attacks against NATO-aligned nations in response to perceived anti-Russia hostility, Netscout reports. The group uses low-cost public cloud and web services, relies mainly on HTTP/HTTPS floods, and pays individuals who take part in its attacks in digital currency through the Project DDoSia service.
New Pegasus spyware detection method revealed
Kaspersky has identified a new method of detecting infections with sophisticated iOS spyware families, including Pegasus, Reign, and Predator. Traces of Pegasus infections can be found in the Shutdown.log system log, in the sysdiagnose archive, which contains information on reboots. Analysis of the log revealed a common infection path in Pegasus infections, mirroring those seen in Reign and Predator infections.
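To show what a defender can do with the Shutdown.log that the detection method above relies on, here is an added example (not Kaspersky's own tooling) that parses the log for processes still running when the device began rebooting and flags any located outside an allowlist of stock paths, counted across reboots. The line format, the allowlist, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Line shape this example assumes for a process that was still running when
# the device began rebooting (assumed format, not quoted from the report).
CLIENT_RE = re.compile(r"remaining client pid:\s*(\d+)\s*\((?P<path>[^)]+)\)")

# Path prefixes treated as expected for stock iOS processes (assumed allowlist;
# tune it against a clean baseline from the same iOS version).
EXPECTED_PREFIXES = (
    "/System/", "/usr/", "/sbin/", "/bin/", "/Applications/",
    "/private/var/containers/Bundle/Application/",
)

def parse_shutdown_log(text):
    """Return [(pid, path), ...] for every remaining-client line in the log."""
    found = []
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            found.append((int(m.group(1)), m.group("path").strip()))
    return found

def flag_unexpected(entries, expected=EXPECTED_PREFIXES):
    """Return {path: count} for processes outside the expected prefixes,
    counted across reboots so a binary that repeatedly delays shutdown stands out."""
    counts = Counter(path for _, path in entries if not path.startswith(expected))
    return dict(counts)

# Constructed sample log covering two reboots: normal daemons plus one binary in
# a non-standard location (placeholder path, not a real indicator).
SAMPLE_LOG = """\
SIGTERM: [0x1a] remaining client pid: 141 (/usr/libexec/locationd)
SIGTERM: [0x1a] remaining client pid: 988 (/private/var/tmp/EXAMPLE_unexpected_binary)
After 1.500s, there are still 2 clients running
SIGTERM: [0x1b] remaining client pid: 145 (/usr/libexec/locationd)
SIGTERM: [0x1b] remaining client pid: 1021 (/private/var/tmp/EXAMPLE_unexpected_binary)
After 1.600s, there are still 2 clients running
"""

if __name__ == "__main__":
    entries = parse_shutdown_log(SAMPLE_LOG)
    for path, n in flag_unexpected(entries).items():
        print(f"{path}: delayed {n} reboot(s)")
```

On a real device, extract Shutdown.log from the sysdiagnose archive and feed its contents to parse_shutdown_log; a hit is a lead for further triage, not proof of infection.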
Multiple macOS infostealers evading detection
SentinelOne details several macOS information stealer families capable of evading static signature detection, including KeySteal, Atomic Stealer, and CherryPie, which continue to evolve despite Apple’s efforts to update its XProtect signature database.
Malicious campaign targets Docker hosts with miner, 9hits application
Vulnerable Docker services are under attack in a malicious campaign deploying a cryptocurrency miner and the 9hits viewer application. In the first documented case of the 9hits application being dropped as a payload, threat actors likely find their targets via Shodan and, following compromise, deploy the two containers on the host. The attackers abuse 9hits to visit specific sites and generate revenue. Because of the application’s design, it can be abused in illicit campaigns without the risk of the attacker’s account being compromised, Cado Security notes.
WhatsApp privacy issue
Researcher Tal Be’ery has identified a potential privacy issue in WhatsApp that involves the exposure of a user’s device setup information (including linked devices) to any other user, even if they are blocked or not in the contacts list. “Monitoring this information over time allows potential attackers to gather actionable intelligence about their victim’s devices setup and changes to it (device replaced/added/removed),” Be’ery said. However, in Meta’s view this is not an implementation bug but the way the protocol is designed to work.
Drupal and libX11 patches
Drupal developers have patched a moderately critical DoS vulnerability. In addition, two vulnerabilities have been found and patched in X.Org’s libX11 graphics library: one allows DoS attacks and the other can be exploited for remote code execution.
Spying on tablet users via ambient light sensor
Researchers showed that a malicious actor may be able to spy on tablet users by leveraging the built-in ambient light sensor. They showed that data from this sensor can be used to generate images of the user’s hands interacting with the screen, which could be leveraged to infer how the touchscreen is used. The research shows how a seemingly innocuous component could introduce a security risk, but users don’t have to worry about it as the attack is currently very slow and the information that can be captured is limited.
Reports on exploits, supply chain security, and AI in the cloud
Cloud security firm Wiz has published a report titled State of AI in the Cloud 2024, which shows that 70% of organizations are using managed AI services, with Microsoft’s Azure AI Services leading in this category. The study found that while many organizations are experimenting with AI, only 10% are ‘power users’, with more than 50 instances in their cloud environments.
ReversingLabs has released its 2024 State of Software Supply Chain Security Report. The company found 11,200 unique malicious packages across npm, PyPI, and RubyGems in 2023, a 28% increase compared to 2022. It also found a 400% annual increase in threats on the PyPI platform, and 40,000 instances of leaked or exposed development secrets across the three major package managers.
GreyNoise has released its 2023 Internet Exploitation Retrospective Report, which describes the most important exploits of 2023.