
CyberWire Daily: Self-Replicating Malware, Phishing-as-a-Service, and DDR5 Vulnerabilities

N2K Networks · September 17, 2025 · 35 min · 410 views

Self-Replicating Malware in NPM

  • 🦠 A new self-replicating npm worm, Shai-Hulud, has compromised more than 180 npm packages. It harvests developer credentials from each infected machine and publishes them in public repositories, so the stolen secrets are exposed to anyone, not just the worm's operator.
  • 🛠️ The worm spreads through stolen npm tokens: with a token in hand it publishes trojanized versions of every package that token is allowed to write to, and it runs TruffleHog on the victim's machine to find further secrets to steal and propagate with.
  • 🔒 Commentators stress that publishing should require two-factor authentication that a stolen token alone cannot satisfy; a long-lived automation token was all the worm needed to push new versions.

Disruption of Phishing Operations

  • 🎣 Microsoft and Cloudflare have disrupted RaccoonO365, a phishing-as-a-service platform whose kits harvest Microsoft 365 credentials.
  • 💻 The kits work adversary-in-the-middle style: the victim signs in through a proxy of the real Microsoft login page, completes MFA, and the operator captures the resulting session cookie, which can then be replayed without a second factor. The service took in at least $100,000 from subscribers.
  • 🇳🇬 Nigerian programmer Joshua Ogundipe has been identified as the ringleader and has been referred to international law enforcement.
  • 🎯 Okta separately documented VoidProxy, another phishing-as-a-service platform that uses the same adversary-in-the-middle technique against Microsoft 365 and Google accounts.

Advanced Persistent Threats and Backdoors

  • πŸ‡ΊπŸ‡¦ Researchers discovered a new APT28 Fancy Bear campaign, Operation Phantom Net Voxil, using malicious Office documents to deliver backdoors to Ukrainian military officials.
  • ☁️ Attackers leverage cloud services like Kufer and Ice Drive for command and control, highlighting a growing reliance on blended open-source and legitimate cloud services for stealth.

Memory Vulnerabilities and Budget Concerns

  • ⚡ A new Rowhammer variant, dubbed Phoenix, targets DDR5 memory: hammering rows of DRAM cells with rapid repeated accesses causes charge to leak into neighbouring rows and flips bits the attacker never had permission to write, corrupting data in other processes or the kernel.
  • 📉 Democrats warned that proposed budget cuts could slash the FBI's cyber division staff by half, undermining defenses against foreign threats and ransomware.
  • 🏛️ FBI Director Patel countered that arrests have increased, but concerns remain about resource allocation and AI-driven election interference.

Securing Google Workspace

  • πŸ”‘ Abhishek Agrawal from Material Security discussed the challenges of securing Google Workspace, emphasizing its role as a critical identity and data repository.
  • βš™οΈ While Google Workspace offers secure infrastructure, organizations often need additional controls and customization for security operations and investigations.
  • πŸ”’ Identity-based attacks are prevalent, and attackers can move laterally within Workspace by compromising accounts, establishing persistence through mail rules or MFA changes.
  • πŸ“Š Data sprawl in services like Google Drive poses significant risks, with vast amounts of data often shared broadly and forgotten, creating large exposure surfaces.
  • πŸ“ˆ Material Security leverages Google Workspace's powerful APIs to build custom detection and response capabilities, offering automated remediation to free up security team resources.

Legal Consequences for Cybercriminals

  • βš–οΈ Connor Brian Fitzpatrick, founder of Breach Forums, was sentenced to 3 years in prison for facilitating the sale of billions of stolen records.