Cyberveille curated by Decio
page 35 / 76
1513 results tagged 2024
Mid-year Doppelgänger information operations in Europe and the US https://harfanglab.io/en/insidethelab/doppelganger-operations-europe-us/?ref=news.risky.biz
29/07/2024 09:27:34

This report delves into Doppelgänger information operations conducted by Russian actors, focusing on their activities from early June to late-July 2024. Our investigation was motivated by the unexpected snap general election in France, prompting a closer look at Doppelgänger activities during this period.

While recent activities have already been described [1,2], our first dive into the information operations topic offers a complementary threat-intelligence analysts' perspective on the matter, and brings additional knowledge on associated infrastructure, tactics and motivation in Europe and the United States.

HarfangLab EN 2024 Russia Doppelgänger disinformation report
Malicious Python Package Targets macOS Developers https://checkmarx.com/blog/malicious-python-package-targets-macos-developers-to-access-their-gcp-accounts/?ref=news.risky.biz
29/07/2024 09:26:47
  • A package called "lr-utils-lib" was uploaded to PyPI in early June 2024, containing malicious code that executes automatically upon installation.
  • The malware uses a list of predefined hashes to target specific macOS machines and attempts to harvest Google Cloud authentication data.
  • The harvested credentials are sent to a remote server.
checkmarx EN 2024 macOS stealer Supply-chain-attack PyPI pypi-malware lr-utils-lib developers
SeleniumGreed Cryptomining Campaign Exploiting Grid Services | Wiz Blog https://www.wiz.io/blog/seleniumgreed-cryptomining-exploit-attack-flow-remediation-steps?ref=news.risky.biz
29/07/2024 09:26:28

SeleniumGreed is an active crypto-mining campaign targeting older versions of Grid services. Explore the risks, attack methods, and essential security measures.

  • Wiz Research has detected an ongoing threat campaign that exploits exposed Selenium Grid services for cryptomining, dubbed “SeleniumGreed”.

  • Selenium is among the most commonly used testing frameworks. Our data shows that the technology can be found in 30% of cloud environments, and the official selenium/hub docker image has over 100 million pulls in Docker Hub.

  • Unbeknownst to most users, Selenium WebDriver API enables full interaction with the machine itself, including reading and downloading files, and running remote commands.

  • By default, authentication is not enabled for this service. This means that many publicly accessible instances are misconfigured and can be accessed by anyone and abused for malicious purposes.

  • We have identified a threat actor targeting publicly exposed instances of Selenium Grid and leveraging features of the Selenium WebDriver API to run Python with a reverse shell to deploy scripts that download an XMRig miner.

  • The threat actor is still active as of this blog post’s date of publication.

  • We believe this is the first documentation of this misconfiguration being exploited in the wild.

wiz EN 2024 SeleniumGreed Selenium XMRig crypto-mining campaign
Crooks Bypassed Google’s Email Verification to Create Workspace Accounts, Access 3rd-Party Services https://krebsonsecurity.com/2024/07/crooks-bypassed-googles-email-verification-to-create-workspace-accounts-access-3rd-party-services/
29/07/2024 09:21:01

Google says it recently fixed an authentication weakness that allowed crooks to circumvent the email verification required to create a Google Workspace account, and leverage that to impersonate a domain holder at third-party services that allow logins through Google’s “Sign in with Google” feature.

krebsonsecurity EN 2024 Google authentication weakness Bypassed Workspace
Windows Security best practices for integrating and managing security tools https://www.microsoft.com/en-us/security/blog/2024/07/27/windows-security-best-practices-for-integrating-and-managing-security-tools/
29/07/2024 09:20:15

In this blog post, we examine the recent CrowdStrike outage and provide a technical overview of the root cause. We also explain why security products use kernel-mode drivers today and the safety measures Windows provides for third-party solutions. In addition, we share how customers and security vendors can better leverage the integrated security capabilities of Windows for increased security and reliability. Lastly, we provide a look into how Windows will enhance extensibility for future security products.

microsoft EN 2024 CrowdStrike outage incident technical-overview
BreachForums v1 hacking forum data leak exposes members’ info https://www.bleepingcomputer.com/news/security/breachforums-v1-hacking-forum-data-leak-exposes-members-info/
29/07/2024 00:18:47

The private member information of the BreachForums v1 hacking forum from 2022 has been leaked online, allowing threat actors and researchers to gain insight into its users.

bleepingcomputer EN 2024 BreachForums Data-Breach Hacking-Forum Personal-Information Pompompurin
NCA infiltrates world's most prolific DDoS-for-hire service - National Crime Agency https://www.nationalcrimeagency.gov.uk/news/nca-infiltrates-world-s-most-prolific-ddos-for-hire-service
29/07/2024 00:06:28

The National Crime Agency has infiltrated a significant DDoS-for-hire service which has been responsible for tens of thousands of attacks every week across the globe.

The disruption targeting digitalstress.su, a criminal marketplace offering DDoS capabilities, was made in partnership with the Police Service of Northern Ireland.

It comes after the PSNI arrested one of the site’s suspected controllers earlier this month.

nationalcrimeagency.gov.uk EN 2024 DDoS-for-hire service cybercrime infiltrated
NVD Analysis Report https://www.fortressinfosec.com/nvd-analysis-report
27/07/2024 13:08:45

The following estimates are calculated using data from the NVD Dashboard. At the time of this report's generation, NVD's 2024 daily average for analyzing new CVEs is 30.27. There is a current backlog of 16777 CVEs awaiting analysis. With an average influx of 111.07 new CVEs per day, a daily average of 217.93 analyses is required to clear this backlog and process new CVEs. Currently, NVD is falling short of this goal by 187.66 CVEs a day. Given this data, if the current daily rate of CVE analysis persists, the projected number of CVEs awaiting analysis by the end of 2024 will be 29462.6.

fortressinfosec EN 2024 stats CVEs report estimate trends averages
Microsoft calls for Windows changes and resilience after CrowdStrike outage https://www.theverge.com/2024/7/26/24206719/microsoft-windows-changes-crowdstrike-kernel-driver
26/07/2024 13:43:13

Microsoft has started responding with changes it wants to see in the wake of the CrowdStrike botched update. It looks like Windows kernel access is on the agenda.

theverge EN 2024 Microsoft CrowdStrike incident resilience Windows kernel
BIND updates fix high-severity DoS bugs in the DNS software suite https://securityaffairs.com/166190/security/bind-updates-high-severity-dos-bugs.html
26/07/2024 13:42:10

The Internet Systems Consortium (ISC) released BIND security updates that fixed remotely exploitable DoS bugs in the DNS software suite.

securityaffairs EN 2024 ISC security updates DoS CVE-2024-0760 CVE-2024-1737 CVE-2024-1975 CVE-2024-4076
PKfail: Untrusted Platform Keys Undermine Secure Boot on UEFI Ecosystem https://www.binarly.io/blog/pkfail-untrusted-platform-keys-undermine-secure-boot-on-uefi-ecosystem
26/07/2024 09:19:29

PKfail is a zero-day disclosure detected by the Binarly Research Team and responsibly disclosed.

binarly EN 2024 SecureBoot PKfail UEFI Untrusted DO-NOT-TRUST
Secure Boot is completely broken on 200+ models from 5 big device makers | Ars Technica https://arstechnica.com/security/2024/07/secure-boot-is-completely-compromised-on-200-models-from-5-big-device-makers/
26/07/2024 08:28:35

Keys were labeled "DO NOT TRUST." Nearly 500 device models use them anyway.

arstechnica EN 2024 SecureBoot DO-NOT-TRUST broken PKfail
Office of Public Affairs | North Korean Government Hacker Charged for Involvement in Ransomware Attacks Targeting U.S. Hospitals and Health Care Providers | United States Department of Justice https://www.justice.gov/opa/pr/north-korean-government-hacker-charged-involvement-ransomware-attacks-targeting-us-hospitals?ref=news.risky.biz
26/07/2024 08:24:28

Hacking Group Known as “Andariel” Used Ransom Proceeds to Fund Theft of Sensitive Information from Defense and Technology Organizations Worldwide, Including U.S. Government Agencies

justice.gov EN 2024 North-Korea Hacker Charged Andariel US
Six-day, 14.7 Million RPS Web DDoS Attack Campaign Attributed to SN_BLACKMETA https://www.radware.com/security/threat-advisories-and-attack-reports/six-day-web-ddos-attack-campaign/?ref=news.risky.biz
26/07/2024 08:24:00

Key Attack Insights:

  • Web DDoS attack campaign lasted six days and peaked at 14.7 Million RPS
  • Featured multiple attack waves amounting to a total of 100 hours of attack time
  • Sustained an average of 4.5 million RPS
  • Targeted a financial institution in the Middle East
  • Averaged a 0.12% ratio of legitimate to malicious web requests
  • Attributed by Radware to SN_BLACKMETA, a pro-Palestinian hacktivist with potential ties to Sudan that may operate from within Russia
  • Possibly leveraged the InfraShutdown premium DDoS-for-hire service
radware EN 2024 DDoS SN_BLACKMETA hacktivist pro-Palestinian InfraShutdown DDoS-for-hire
Stargazers Ghost Network https://research.checkpoint.com/2024/stargazers-ghost-network/
26/07/2024 08:23:24
  • Check Point Research identified a network of GitHub accounts (Stargazers Ghost Network) that distribute malware or malicious links via phishing repositories. The network consists of multiple accounts that distribute malicious links and malware and perform other actions such as starring, forking, and subscribing to malicious repositories to make them appear legitimate.
  • This network is a highly sophisticated operation that acts as a Distribution as a Service (DaaS). It allows threat actors to share malicious links or malware for distribution through highly victim-oriented phishing repositories.
  • Check Point Research is tracking the threat group behind this service as Stargazer Goblin. The group provides, operates, and maintains the Stargazers Ghost Network and distributes malware and links via their GitHub Ghost accounts.
  • The network distributed all sorts of malware families, including Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine.
  • Our latest calculations suggest that more than 3,000 active Ghost accounts are part of the network. Based on core GitHub Ghost accounts, we believe that the network began development or testing on a smaller scale for the first time around August 2022.
  • Check Point Research discovered an advertiser in Dark-Web forums that provides the exact GitHub operation. The first advertisement was published on July 8, 2023, from an account created the previous day.
  • Based on the monitored campaigns from mid-May to mid-June 2024, we estimate that Stargazer Goblin earned approximately $8,000. However, we believe that this amount is only a small fraction of what the actor made during that period. The total amount during the operations’ lifespan is estimated to be approximately $100,000.
  • Stargazers Ghost Network appears to be only one part of the grand picture, with other Ghost accounts operating on different platforms, constructing an even bigger Distribution as a Service universe.
checkpoint EN 2024 research Stargazers Ghost Network GitHub dark-web
DDoS Attacks in Spain https://www.netscout.com/blog/asert/ddos-attacks-spain?ref=news.risky.biz
26/07/2024 08:22:25

In the wake of Spanish Authorities arresting three individuals associated with NoName057(16), the group declared a "holy war" on Spain. The call to arms encourages all pro-Russian hacker groups to join under the hashtag #FuckGuardiaCivil. Over the past two days, NETSCOUT observed a significant increase in claimed attacks on Spanish websites, coinciding with the call to arms in retaliation for the arrests made. Despite the surge in hacktivist targeting and claims of victory, the daily DDoS attacks manifest as a normal day for Spanish network operators.

netscout EN 2024 NETSCOUT NoName057(16) Spain call-to-arms DDoS
Israel Maneuvered to Prevent Disclosure of State Secrets amid WhatsApp vs NSO Lawsuit - Forbidden Stories https://forbiddenstories.org/actualites_posts/israel-maneuvered-to-prevent-disclosure-of-state-secrets-amid-whatsapp-vs-nso-lawsuit/?ref=news.risky.biz
26/07/2024 08:18:38

Documents reveal how Israel seized files, suppressed information related to WhatsApp’s lawsuit against Pegasus spyware vendor NSO

  • Amid a lawsuit pitting WhatsApp against the Israeli company NSO, the state of Israel ordered documents to be seized from the offices of the Pegasus spyware vendor
  • Israel also issued a gag order on the seizure to prevent further dissemination of the information
  • Leaked files from the Israeli Ministry of Justice accessed by Forbidden Stories suggest that the MoJ pushed for language in NSO court filings to be modified
forbiddenstories EN 2024 lawsuit WhatsApp NSO Pegasus Israel Disclosure
Switzerland now requires all government software to be open source https://www.zdnet.com/article/switzerland-now-requires-all-government-software-to-be-open-source/?ref=news.risky.biz
26/07/2024 08:17:42

The United States remains reluctant to work with open source, but European countries are bolder.
Several European countries are betting on open-source software. In the United States, eh, not so much. In the latest news from across the Atlantic, Switzerland has taken a major step forward with its "Federal Law on the Use of Electronic Means for the Fulfillment of Government Tasks" (EMBAG). This groundbreaking legislation mandates using open-source software (OSS) in the public sector.

zdnet EN 2024 Switzerland EMBAG open-source OSS public-sector
Data breach exposes US spyware maker behind Windows, Mac, Android and Chromebook malware https://techcrunch.com/2024/07/25/spytech-data-breach-windows-mac-android-chromebook-spyware/?ref=news.risky.biz&guccounter=1
26/07/2024 08:16:22

The Minnesota-based spyware maker Spytech snooped on thousands of devices before it was hacked earlier this year.

techcrunch EN 2024 US spyware breach Spytech Data-Breach
TuDoor https://tudoor.net/
26/07/2024 08:14:23

TuDoor is a new DNS attack, which could be exploited to carry out DNS cache poisoning, denial-of-service, and resource consumption.

DNS can be compared to a game of chess in that its rules are simple, yet the possibilities it presents are endless. While the fundamental rules of DNS are straightforward, DNS implementations can be extremely complex. In this study, we intend to explore the complexities and vulnerabilities in DNS response pre-processing by systematically analyzing DNS RFCs and DNS software implementations.

TuDoor 2024 EN DNS attack implementation cache-poisoning