VMConnect Supply Chain Attack Persists


During the initial weeks of August, the ReversingLabs research team uncovered a malicious supply chain operation, code-named "VMConnect." This nefarious campaign involved the distribution of approximately twenty-four malevolent Python packages through the Python Package Index (PyPI), a widely used open-source repository for Python software. 

These deceptive packages were cleverly designed to mimic well-known open-source Python utilities, including vConnector (a wrapper module for pyVmomi VMware vSphere bindings), eth-tester (a toolkit for testing Ethereum-based applications), and databases (a tool offering asynchronous support for various database systems). In their investigation, the researchers noticed that the perpetrators of this campaign have gone to great lengths to create an aura of authenticity around their actions. 

They take the time to establish GitHub repositories, complete with descriptions that appear entirely legitimate, and even incorporate authentic source code. In their latest findings, the team has identified several new packages, each with its own download statistics. Notably, these include 'tablediter,' which has garnered 736 downloads, 'request-plus' with 43 downloads, and 'requestspro' boasting 341 downloads. 

Among these recently uncovered packages, the first one appears to camouflage itself as a tool for table editing. Meanwhile, the other two pose as legitimate versions of the widely-used 'requests' Python library, typically utilized for making HTTP requests. ReversingLabs could not definitively identify the source of the campaign, but some analysts were more confident, attributing the malware to Labyrinth Chollima, a subgroup within the notorious Lazarus Group, a North Korean state-sponsored threat entity. 

Additionally, JPCERT/CC, a respected cybersecurity organization, connected the attack to another Lazarus Group subsidiary known as DangerousPassword. Taken together, these attributions and the striking code similarities between the packages discovered in the VMConnect campaign and those described in JPCERT/CC's research strongly suggest that the same threat actor is responsible for both attacks.

What is a supply chain attack?

A supply chain attack is a cyber assault strategy that exploits weaknesses in an organization's supply chain rather than in the organization itself. The supply chain is the network of individuals, companies, resources, processes, and technologies involved in creating and distributing a product. It encompasses everything from the shipment of raw materials from suppliers to manufacturers, right up to the product's delivery to end users.

In targeting a weak link within this supply chain, cyber attackers increase their chances of success, capitalizing on the trust organizations often place in their third-party vendors. These attacks are a subset of island hopping attacks, where threat actors leverage trusted connections to infiltrate their primary targets.
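The lookalike naming described above ('requestspro' and 'request-plus' posing as 'requests') is something a dependency review can check for mechanically. The script below is an added example, not code from this post or from ReversingLabs: it normalizes requirement names per PEP 503, then flags names within two edits of an allow-listed package or names that reuse an allow-listed name as a prefix with extra characters. The allow-list and the sample requirements file are constructed for the example.

```python
import re
# Allow-list of legitimate names the post says VMConnect packages imitated
# (assumed for this example; in practice the organisation's vetted set).
KNOWN_GOOD = {"requests", "vconnector", "pyvmomi", "eth-tester", "databases"}
# Constructed sample requirements.txt (not from the post) to audit.
SAMPLE_REQUIREMENTS = """\
Requests==2.31.0
eth_tester>=0.9
requestspro
request-plus
tablediter
databse==1.0
"""

def normalize(name: str) -> str:
    # PEP 503 normalisation: lower-case, runs of '-', '_', '.' become '-'
    return re.sub(r"[-_.]+", "-", name).lower()

def levenshtein(a: str, b: str) -> int:
    # Plain edit distance, used to catch one-typo squats such as 'databse'
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(name: str, known=KNOWN_GOOD):  # allow-listed name imitated, or None
    n = normalize(name)
    if n in known:                          # exact normalised match: legitimate
        return None
    compact = n.replace("-", "")
    for k in known:
        kc = k.replace("-", "")
        if levenshtein(compact, kc) <= 2:   # typo squat
            return k
        # affix squat: 'requestspro' and 'request-plus' both begin with 'request'
        stem = kc[:-1] if len(kc) > 4 else kc
        if compact.startswith(stem):
            return k
    return None

def audit(text: str, known=KNOWN_GOOD) -> dict[str, str]:  # requirement -> name it resembles
    hits = {}
    for line in text.splitlines():
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line.split("#", 1)[0].strip())
        if m and (target := lookalike_of(m.group(0), known)):
            hits[m.group(0)] = target
    return hits
```

Treat hits as a review queue rather than a block list: a legitimate extension such as requests-oauthlib also trips the prefix rule until it is added to the allow-list, where the exact-match check then clears it.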

U.S. Charged Eight in $45 Million Cyber Crime Scheme

The United States Department of Justice charged eight people on Wednesday in connection with a racketeering (RICO) conspiracy. 

In the multimillion-dollar fraud, the threat actors stole money from hacked accounts at banks and financial institutions, laundered it, and sent it overseas.

The defendants, Dickenson Elan, Andi Jacques, Monika Shauntel Jenkins, Louis Noel Michel, Jeff Jordan Propht-Francisque, Vladimyr Cherelus, Michael Jean Poix, and Louisaint Jolteus, allegedly worked together to carry out computer fraud and scams.

According to the Department of Justice, the campaign started in 2011, when threat actors began to gain access to accounts at 15 large financial institutions, including Citibank, E-Trade, PayPal, TD Ameritrade, JP Morgan Chase, payroll processor Automated Data Processing (ADP), and niche organizations such as the U.S. military's Defense Finance and Accounting Service.

According to the indictment, between 2015 and 2019 the defendants, along with others including a now-deceased conspirator referred to as Rich4Ever4430, banded together in a cybercrime and fraud scheme involving tax returns.

The indictment claims that Jenkins, Michel, Propht-Francisque, Cherelus, and Rich4Ever4430 purchased server credentials for Certified Public Accounting (CPA) and tax preparation firms on the dark web and used them to gain access to and exfiltrate the tax returns of thousands of people.

"Hackers only need to find one vulnerability to cause millions of dollars of damage," said Mark Rasch, a former federal cyber crimes prosecutor, based in Bethesda, Maryland. 

Overall, they have stolen more than $36 million in false tax refunds. The estimated loss surpasses $4 million; however, the exact amount is yet to be confirmed.

The eight defendants have been charged with conspiracy to commit wire fraud, conspiracy to commit identity theft, and conspiracy to commit money laundering. According to the law, defendants could face fines and up to 20 years in prison on each of the first two charges, and 15 years on the third. 

The case is referred to as "United States of America v. Oleksiy Sharapka, Leonid Yanovitsky, Oleg Pidtergerya, Richard Gundersen, Robert Dubuc, Lamar Taylor, Andrey Yarmoltskiy and Ilya Ostapyuk," number 13-06089, at the U.S. District Court for the District of New Jersey.