08.08.22

Corvus Threat Intel

Typosquatting, Bypassing EDR, & DDoS Attacks

You'll find that threat actors are always innovating — some of them just happen to be on summer vacation.

Forget Pranks: School Kid Turns to Typosquatting

A young hacker uploaded numerous malicious Python packages, some containing ransomware scripts, to the Python Package Index (PyPI). PyPI is a repository of software “add-ons” that lets developers easily search for, install, and deploy additional functionality in their programs. To garner downloads, the individual named the malicious packages after common misspellings of popular Python packages, a method commonly called typosquatting. Even the most advanced developer can hit a wrong key. In this case, however, that may have happened quite a few times, leading to over 250 downloads of the malicious package named “requesys” (mimicking the popular HTTP “requests” library). Once downloaded and executed, some of the malicious packages ran a ransomware script that encrypts the victim’s machine. Fortunately, security firm Sonatype reports that the author of the malicious packages provided decryption keys without charge, and that reports to PyPI have been successful in removing some of the malicious libraries.

Why This Matters

Vendors and applications rely on common programming libraries to undergird many business-critical systems. However, as we’ve seen with Log4j, security has become a difficult issue to grapple with. As this story demonstrates, even reputable repositories don’t negate the need for scrutiny. There’s no avoiding programming packages, so teams should always vet these for security.


Honey Badger Takes What It Wants: Pentesting Tool Brute Ratel Bypassing EDR

After a long period favoring Cobalt Strike, threat actors are pivoting to a new tool, Brute Ratel, with features designed to bypass Endpoint Detection and Response (EDR) solutions. Once attackers gain an initial foothold in a network, cybercriminals use tools such as Cobalt Strike or Brute Ratel to communicate remotely with their malware. But the presence of the software gives defenders an opportunity to detect and stop the malicious activity. To combat this, top ransomware groups, including BlackCat, are now adopting Brute Ratel in the hopes of evading detection by EDR and antivirus.

Why This Matters

As we’ve reported in a prior blog post, attackers are always innovating. EDR solutions aren’t “set and forget” and need active monitoring to stop advanced threats. Brute Ratel is just one way attackers will try to sneak past defenses, and it’s not unstoppable.


Taiwan Defense Ministry Claims DDoS Attack

After a newsworthy visit by U.S. House Speaker Nancy Pelosi, the Taiwanese government claims a distributed denial-of-service attack took down its National Defense network for a short period of time. In addition, reports have circulated that a number of other websites and public screens were defaced with criticisms of the political visit. Some of these were at convenience stores and government facilities. While no attribution has been made for the attacks, experts argue that the malicious activity could be sponsored by the Chinese government, which has been outspoken in its displeasure with Pelosi’s visit.

Why This Matters

Cyber fallout is unpredictable when attacks are politically motivated. Though this was not devastating, political attacks like this demonstrate the impact of cyber weapons and technologies against legitimate business operations. Unlike the weapons of conventional war, cyber attacks have become a key weapon that countries can employ with minimal consequences. Corvus Insurance takes great steps to evaluate the geopolitical landscape for cyber risk due to war or regional conflict.


This blog post and its contents are intended for general guidance and informational purposes only. This blog post is under no circumstances intended to be used or considered as specific insurance or information security advice.