Infosec in brief They say sunlight is the best disinfectant, and that appears to have been true in the case of Discord data harvesting site Spy.pet – as it was recently and swiftly dismantled after its existence and purpose became known.
The site, which has been slurping up public data on Discord users since November of last year, was outed to the world last week after it was discovered the platform contained messages belonging to nearly 620 million users from more than 14,000 Discord servers.
Any and all of the data was available for a price – Spy.pet offered to help law enforcement, people spying on their friends, or even those training AI models.
When Spy.pet was discovered, Discord told us that it was working to take action against anyone who had violated its terms of service, but that it couldn't share more.
Things are a bit clearer now.
"Scraping our services and self-botting are violations of our Terms of Service and Community Guidelines. In addition to banning the affiliated accounts, we are considering appropriate legal action," a Discord spokesperson told us. "We identified certain accounts that we believe are affiliated with the Spy.pet website, which we have subsequently banned."
The scraping was apparently accomplished by accounts accessing open Discord servers or those with an easy-to-access invite link. Once in, Spy.pet operators were only able to access the same data as any other user, so none of the info that was uploaded was critically sensitive – at least in theory.
The number of Discord servers to which Spy.pet claimed access began to drop last week before hitting zero last Thursday. By Friday the Spy.pet website itself had ceased to work – though it's not clear if the site was offline because of Discord's actions or if the operators are trying to disappear.
According to a Telegram profile that allegedly belongs to the Spy.pet administrator, the website was suspended last Friday, but the administrator has plans to get a backup domain functioning. It doesn't appear to have been restored. Yet.
Critical vulnerabilities of the week
Not too much to report, unless you work in the OT world. In that case, there are a few vulnerabilities to be aware of this week.
CVSS 9.1 – Multiple CVEs: Honeywell Experion PKS, LX, PlantCruise, Safety Manager and Safety Manager SC software contains a number of issues allowing RCE and other exploitation.
CVSS 8.9 – Multiple CVEs: Hitachi Energy Mach SCMs improperly control code generation, allowing for arbitrary code execution.
CVSS 8.7 – CVE-2024-2424: Rockwell Automation 5015-AENFTXT EtherNet/IP adapters improperly validate input, allowing an attacker to crash affected devices.
One known vulnerability is under active exploitation this week: a server-side template injection vulnerability in all versions of CrushFTP before 10.7.1 and 11.1.0 on all platforms. The vulnerability, CVE-2024-4040, has been awarded a CVSS score of 10.0, so get this one patched ASAP.
CDN cache servers: The hot new place to hide malware droppers
Infostealer? Check. Malicious host files? Also check.
If you want to trick defensive software, why not hide your payload on a CDN cache server?
Talos threat intelligence researchers have found evidence of an infostealer campaign that has run since February and does just that. Believed to be operated by Vietnamese threat actors of the CoralRaider group, the campaign uses three well-known infostealer malware packages to do its dirty work: Cryptbot, LummaC2 and Rhadamanthys.
All are lurking on CDN servers, Talos explained, to avoid request delays and "to deceive network defenders."
Additional details of the attack, IOCs and the like are all included in Talos's report.
Victims have been found in the US, UK, Germany, Japan, and other countries around the world. In each case the victim was found to be downloading a movie file from the internet that contained the malicious code, which Talos said indicates a possibly wide-ranging attack on users across business verticals and locations.
Antivirus update hijacked to deliver malware
Beware, readers in India: local antivirus product eScan has had its updates hijacked to deliver the rather nasty GuptiMiner malware suite.
Researchers at Avast discovered the campaign after noticing some unusual responses coming from eScan update requests on customer computers. On closer inspection, it turned out that someone behind GuptiMiner – believed to be linked to North Korean APT Kimsuky – was performing a man-in-the-middle attack, exploiting a weakness in the update process to replace legitimate files with malicious ones.
"eScan unpacks and loads the package and a DLL is sideloaded by eScan clean binaries. This DLL enables the rest of the chain, following with multiple shellcodes and intermediary PE loaders," Avast explained.
Unfortunately, while Avast was able to uncover what the criminals involved were doing, researchers were unable to determine exactly how the MITM attack was conducted.
"We assume that some kind of pre-infection had to be present on the victim's device or their network," Avast noted, but wouldn't speculate beyond that.
eScan said the issue was patched in a software update last July, so don't neglect to get this one installed. ®