Future Tech

Predator spyware updated with dangerous new features, also now harder to track

Tan KW
Publish date: Mon, 09 Sep 2024, 02:36 PM

Infosec in brief After activating its chameleon field and going to ground following press attention earlier this year, the dangerous Predator commercial spyware kit is back - with upgrades.

Insikt Group, the threat research arm of cyber security firm Recorded Future, reported last week that new Predator infrastructure has popped up in countries like the Democratic Republic of the Congo and Angola, suggesting US sanctions applied to Intellexa, the spyware firm behind Predator, did not completely succeed.

"After Intellexa … faced sanctions and exposure, a noticeable reduction in Predator activity was observed," Insikt Group wrote in its report on Predator. "However, according to [our] recent analysis, Predator is far from disappearing."

Predator, like Pegasus from the NSO group and other commercial spyware, allows government actors to infiltrate devices and spy on users. The product is known for its ability to track locations, access device cameras, record calls, read messages and do other privacy-invading things.

The latest updates, unfortunately, mean Predator will be a lot harder to track.

According to Insikt, the Predator update it has spotted further anonymizes customer operations and makes it harder to locate users.

"This change makes it more difficult for researchers and cybersecurity defenders to track the spread of Predator," the researchers noted.

"Defenders can mitigate risks by following cyber security best practices, including regular device updates, using lockdown mode, and deploying mobile device management systems," Insikt recommends. "Given Predator's renewed presence and the sophistication of its infrastructure, individuals and organizations must stay vigilant."

Act now, and you might even protect yourself against Russian cyber spies using similar tactics, too.

Trump family X accounts hijacked to push crypto scam

X accounts belonging to two of former US president Donald Trump's family members were hijacked last week to push links to a scam version of Trump's forthcoming decentralized finance venture, in a pair of now-deleted Xeets.

Republican National Committee co-chair Lara Trump and Donald Trump's daughter Tiffany both posted about the launch of Trump's World Liberty Financial - a crypto platform the ex-president and current Republican nominee announced in late August as "the DeFiant Ones," but apparently already renamed.

The platform hasn't launched yet, and the spoof links went to a mystery website promising to be the only official source on the project.

World Liberty Financial - promoted by Trump as a way for everyday Americans to avoid being "squeezed by big banks and financial elites" - has raised concerns. Seventy percent of the tokens being minted when World Liberty is launched are supposed to go to project insiders - an amount crypto publication Coindesk noted is "unusually high."

Fog ransomware targets finance sector

A relatively new and nasty ransomware variant known as "Lost in the Fog" that targeted education and recreation institutions appears to have started targeting financial institutions.

Security operations-as-a-service firm Adlumin says it spotted someone using Fog last month trying to break into a "mid-sized financial business using compromised VPN credentials." That type of attack is standard operating procedure for Fog.

Once inside a network, Fog uses advanced techniques like pass-the-hash attacks to escalate privileges, cripple network security, steal data, and encrypt it, leaving a ransom note. Fog hasn't been attributed to any known threat actor yet, which Adlumin said suggests it may come from a new, but "highly skilled," threat actor that appears to be based in Russia.

Standard ransomware prevention techniques apply here, folks - just be advised if you're in the financial sector that there's a hot new variant out there gunning for your systems, especially weak VPNs.

PyPI hijack exposes 22K+ packages to takeover attacks

Security researchers monitoring open source packages have spotted nasty folk waiting for a package to be deleted and re-creating the repository with a malicious version.

Dubbed "revival hijack" by researchers at JFrog, the tactic involves abusing the Python Package Index's (PyPI) package registration system.

"This attack technique involves hijacking PyPI software packages by manipulating the option to re-register them once they're removed from PyPI's index by the original owner," the JFroggers wrote.

The DevOps and security firm estimates there are around 22,000 packages in PyPI vulnerable to a revival hijack attack, and the researchers noted they've already spotted the technique being used in the wild to infect the pingdomv3 package.

The result of a successful revival hijack could be disastrous - especially because it can be used to trick systems into thinking the malicious package is simply an updated version of the old, now deleted, official one.

"On average, 309 [PyPI] packages are removed each month," JFrog noted.

So start checking the age of repositories and the name of the maintainer before updating those packages, folks.
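One way to automate that check, as an added example that is not from JFrog or the original article: compare a package's current PyPI JSON metadata (the real `https://pypi.org/pypi/<name>/json` endpoint returns the `info` and `releases` shape used here) against a snapshot recorded when the dependency was first vetted. A re-created package has no release history older than its re-registration date, and usually a different author string. The sample metadata, the package name and the "trusted snapshot" file are all constructed for this example.

```python
import json
from datetime import datetime

# Constructed sample in the shape of the PyPI JSON API response.
# Values are made up for this example, not real project metadata.
PYPI_METADATA_JSON = json.dumps({
    "info": {"name": "example-pkg", "author": "someone-new", "version": "1.4.0"},
    "releases": {
        "1.4.0": [{"upload_time_iso_8601": "2024-09-03T10:15:00.000000Z"}],
    },
})

# Constructed snapshot recorded when the dependency was first vetted
# (a hypothetical trust file a team might keep beside its lockfile).
TRUSTED_SNAPSHOT = {
    "example-pkg": {"author": "original-maintainer",
                    "first_upload": "2019-02-11T08:00:00Z"},
}

def _parse_ts(ts: str) -> datetime:
    # fromisoformat() only accepts a trailing "Z" from Python 3.11 on
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def earliest_upload(metadata: dict) -> datetime:
    """Oldest upload timestamp across all releases currently on the index."""
    times = [f["upload_time_iso_8601"]
             for files in metadata["releases"].values() for f in files]
    return min(_parse_ts(t) for t in times)

def revival_hijack_indicators(metadata_json: str, trusted: dict) -> list:
    """Return reasons a package looks re-registered under a new owner.

    Signals: the oldest release on the index is newer than the first upload
    recorded at vetting time (history wiped, name re-created), and/or the
    author string changed. An empty list means nothing suspicious was found.
    """
    meta = json.loads(metadata_json)
    known = trusted.get(meta["info"]["name"])
    if known is None:
        return ["package not in trusted snapshot"]
    findings = []
    if earliest_upload(meta) > _parse_ts(known["first_upload"]):
        findings.append("release history starts after our recorded first upload")
    if meta["info"].get("author") != known["author"]:
        findings.append("author changed since vetting")
    return findings

if __name__ == "__main__":
    for reason in revival_hijack_indicators(PYPI_METADATA_JSON, TRUSTED_SNAPSHOT):
        print("WARNING:", reason)
```

Run against live data by fetching the JSON endpoint for each pinned dependency before an upgrade; a package that trips either signal deserves a manual look at the project page before it is installed.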

Maltese security researchers charged for finding flaw

A trio of computer science students, and their lecturer, have been charged with unauthorized access to computer data after discovering and presenting evidence of a security flaw.

Michael Debono, Giorgio Grigolo and Luke Bjorn Scerri were reportedly arrested in 2022 and recently charged, along with their lecturer Mark Joseph Vella, with unauthorized access, preventing or obstructing the input of data without authorization, and obstructing or preventing the use of a computer system, for vulnerability testing in FreeHour, a scheduling app for students.

After reporting the vulnerability to FreeHour and requesting a bounty, the trio were reportedly arrested instead. They are scheduled to head to trial next year on the matter.

While the United States and many other countries have some form of concession in place to not prosecute good-faith security researchers, Malta appears to have no such law. ®


https://www.theregister.com//2024/09/09/predator_spyware_trump_crypto/
