Predator spyware updated with dangerous new features, also now harder to track
Plus: Trump family X accounts hijacked to promote crypto scam; Fog ransomware spreads; Hijacked PyPI packages; and more
Infosec in brief After activating its chameleon field and going to ground following press attention earlier this year, the dangerous Predator commercial spyware kit is back – with upgrades.
Insikt Group, the threat research arm of cyber security firm Recorded Future, reported last week that new Predator infrastructure has popped up in countries like the Democratic Republic of the Congo and Angola, suggesting US sanctions applied to Intellexa, the spyware firm behind Predator, did not completely succeed.
"After Intellexa … faced sanctions and exposure, a noticeable reduction in Predator activity was observed," Insikt Group wrote in its report on Predator. "However, according to [our] recent analysis, Predator is far from disappearing."
Predator, like Pegasus from the NSO group and other commercial spyware, allows government actors to infiltrate devices and spy on users. The product is known for its ability to track locations, access device cameras, record calls, read messages and do other privacy-invading things.
The latest updates, unfortunately, mean Predator will be a lot harder to track.
According to Insikt, the Predator update it has spotted further anonymizes customer operations and makes it harder to locate users.
"This change makes it more difficult for researchers and cybersecurity defenders to track the spread of Predator," the researchers noted.
"Defenders can mitigate risks by following cyber security best practices, including regular device updates, using lockdown mode, and deploying mobile device management systems," Insikt recommends. "Given Predator's renewed presence and the sophistication of its infrastructure, individuals and organizations must stay vigilant."
Act now, and you might even protect yourself against Russian cyber spies using similar tactics, too.
Critical vulnerabilities of the week
We've got just a single item to report this week, but it's still a doozy for anyone using Kingsoft WPS Office – a Chinese-developed Microsoft Office alternative.
Its versions between 12.2.0.13110 and 12.2.0.16412 on Windows contain an arbitrary code execution vulnerability that has been found in the wild in the form of a single-click exploit in a spreadsheet. The flaw, tracked as CVE-2024-7262, is rated with a CVSS score of 9.3, so ensure those updates are installed.
Trump family X accounts hijacked to push crypto scam
X accounts belonging to two of former US president Donald Trump's family members were hijacked last week to push links to a scam version of Trump's forthcoming decentralized finance venture, in a pair of now-deleted Xeets.
Republican National Committee co-chair Lara Trump, and Donald Trump's daughter Tiffany, both posted about the launch of Trump's World Liberty Financial – a crypto platform the ex-president and current Republican nominee announced in late August as "the DeFiant Ones," but apparently already renamed.
The platform hasn't launched yet, and the spoof links went to a mystery website promising to be the only official source on the project.
World Liberty Financial – promoted by Trump as a way for everyday Americans to avoid being "squeezed by big banks and financial elites" – has raised concerns. Seventy percent of the tokens being minted when World Liberty is launched are supposed to go to project insiders – an amount crypto publication Coindesk noted is "unusually high."
FYI … Tewkesbury Borough Council, in Gloucestershire, UK, has experienced a cyber attack on its IT environment that has forced its services offline. The council has turned to British intelligence nerve center GCHQ for help.
Borough council boss Alistair Cunningham said: "With all our systems shut down, our main focus is around the vulnerable people we serve in this community. We are currently dealing with an IT incident. Our systems have been compromised."
Fog ransomware target finance sector
A relatively new and nasty ransomware variant known as "Lost in the Fog" that targeted education and recreation institutions appears to have started targeting financial institutions.
According to security operations-as-a-service firm Adlumin, it spotted someone using Fog last month trying to break into a "mid-sized financial business using compromised VPN credentials." That type of attack is standard operating procedure for Fog.
Once inside a network, Fog uses advanced techniques like pass-the-hash attacks to escalate privileges, cripple network security, steal data and encrypt it with a ransom note. Fog hasn't been attributed to any known threat actor yet, which Adlumin said suggests it may come from a new, but "highly skilled" threat actor that appears to be based in Russia.
Standard ransomware prevention techniques apply here, folks – just be advised if you're in the financial sector that there's a hot new variant out there gunning for your systems, especially weak VPNs.
If you recall … In June we reported that the US Navy had cracked down on an illicit Wi-Fi network that had been installed on a combat ship and demoted the senior enlisted leader who ordered its installation.
More details of that snafu have now emerged – including how a Starlink satellite internet dish was placed on the top of the ship to provide internet connectivity to the Wi-Fi network, which was named "Stinky." This network was used to check sports scores, stream movies, and communicate with civilians, the Navy Times reports.
PyPI hijack exposes 22K+ packages to takeover attacks
Security researchers monitoring open source packages have spotted nasty folk waiting for a package to be deleted and re-creating the repository with a malicious version.
Dubbed "revival hijack" by researchers at JFrog, the tactic involves abusing the Python Package Index's (PyPI) package registration system.
"This attack technique involves hijacking PyPI software packages by manipulating the option to re-register them once they're removed from PyPI's index by the original owner," the JFroggers wrote.
The DevOps and security firm estimates there are around 22,000 packages in PyPI vulnerable to a revive hijack attack, and the researchers noted they've already spotted the technique being used in the wild to infect the pingdomv3 package.
The result of a successful revive hijack could be disastrous – especially because it can be used to trick systems into thinking the malicious package is simply an updated version of the old, now deleted, official one.
"On average, 309 [PyPI] packages are removed each month," JFrog noted.
So start checking the age of repositories and the name of the maintainer before updating those packages, folks
Maltese security researchers charged for finding flaw
A trio of computer science students, and their lecturer, have been charged with unauthorized access to computer data after discovering and presenting evidence of a security flaw.
Michael Debono, Giorgio Grigolo and Luke Bjorn Scerri were reportedly arrested in 2022 and recently charged, along with their lecturer Mark Joseph Vella, for unauthorized access, preventing or obstructing the input of data without authorization and obstructing or preventing the use of a computer system for vulnerability testing in FreeHour, a scheduling app for students.
After reporting the vulnerability to FreeHour and requesting a bounty, the trio were reportedly arrested instead. They are scheduled to head to trial next year on the matter.
While the United States and many other countries have some form of concession in place to not prosecute good-faith security researchers, Malta appears to have no such law. ®