Week of December 27th, 2024
Welcome to Your Cybersecurity Recap: a bite-sized weekly newsletter by cybersecurity enthusiasts, for cybersecurity enthusiasts.
Here are this week’s top takeaways:
Researchers Uncover PyPI Packages Stealing Keystrokes and Hijacking Social Accounts
Cybersecurity researchers have flagged two malicious packages that were uploaded to the Python Package Index (PyPI) repository and came fitted with capabilities to exfiltrate sensitive information from compromised hosts.
The packages, named zebo and cometlogger, attracted 118 and 164 downloads, respectively, before being taken down. According to ClickPy statistics, a majority of these downloads came from the United States, China, Russia, and India.
The first of the two packages, zebo, uses obfuscation techniques, such as hex-encoded strings, to conceal the URL of the command-and-control (C2) server it communicates with over HTTP requests.
It also packs in a slew of features to harvest data, including leveraging the pynput library to capture keystrokes and ImageGrab to grab screenshots every hour and save them to a local folder before uploading them to the free image hosting service ImgBB using an API key retrieved from the C2 server.
Cometlogger, on the other hand, is very feature-packed and siphons a wide range of information, including cookies, passwords, tokens, and account-related data, from apps such as Discord, Steam, Instagram, X, TikTok, Reddit, Twitch, Spotify, and Roblox.
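A static triage sketch for the zebo traits described above (hex-encoded strings hiding a URL, plus pynput and ImageGrab imports), added here as an example and not code from the researchers or from either package. The sample source, the `c2.example.invalid` host and the function names are constructed for illustration; the article does not say exactly how the strings were encoded, so checking all-hex literals and `\x` escapes is an assumption.

```python
import ast
import re

# Capture modules named in the article; the labels are this example's own.
CAPTURE_MODULES = {"pynput": "keystroke capture", "PIL.ImageGrab": "screen capture"}
HEX_RE = re.compile(r"(?:[0-9a-fA-F]{2}){8,}")  # at least 8 hex-encoded bytes
URL_RE = re.compile(r"https?://[^\s'\"]+")


def decode_hex_url(text):
    """Return a URL hidden in an all-hex string, or None."""
    if not HEX_RE.fullmatch(text):
        return None
    try:
        decoded = bytes.fromhex(text).decode("ascii")
    except ValueError:  # also covers UnicodeDecodeError (hashes, binary data)
        return None
    match = URL_RE.search(decoded)
    return match.group(0) if match else None


def scan_source(source):
    """Return sorted (line, finding) tuples for one Python source string."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        names = []
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module:
            names = [f"{node.module}.{alias.name}" for alias in node.names]
        for name in names:
            for module, purpose in CAPTURE_MODULES.items():
                if name == module or name.startswith(module + "."):
                    findings.add((node.lineno, f"import {module} ({purpose})"))
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            raw = ast.get_source_segment(source, node) or ""
            plain = URL_RE.search(node.value)
            hidden = decode_hex_url(node.value)
            if hidden:
                findings.add((node.lineno, f"hex-encoded URL: {hidden}"))
            elif plain and "\\x" in raw:
                findings.add((node.lineno, f"hex-escaped URL: {plain.group(0)}"))
    return sorted(findings)


# Constructed sample, not code from either package; the host is a placeholder.
SAMPLE = (
    "from pynput import keyboard\n"
    "from PIL import ImageGrab\n"
    f"server = bytes.fromhex('{'http://c2.example.invalid/key'.encode().hex()}')\n"
    "digest = 'deadbeefdeadbeefdeadbeef'\n"
    "backup = '\\x68\\x74\\x74\\x70://c2.example.invalid/b'\n"
)
```

`scan_source` only parses the text and never imports or executes it, so it can be run over an unpacked sdist or wheel before anything is installed.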
United States Lists 9th Telecom Company to Known Salt Typhoon Targets
Nine U.S. telecommunications firms have been breached in a sweeping Chinese espionage campaign, a top White House official said on Friday, as the U.S. preps policy responses to the intrusion.
The comments from Anne Neuberger, deputy national security adviser for cyber and emerging technology, expand the list of eight previously known victims of the campaign, known as Salt Typhoon.
The additional company was uncovered after the federal government issued guidance to telecoms that detailed the Chinese techniques and how to spot them on their networks, Neuberger told reporters.
“From that, yes, a ninth company was identified,” she said. The White House has not identified the company.
The Chinese government has denied responsibility for the hack, which swept up the unclassified communications from the phones of senior U.S. government officials — as well as President-elect Donald Trump and Vice President-elect JD Vance — and the metadata of a still-unknown number of Americans.
Recent Posts From Our Ethical Hackers
Every month, our ethical hackers work to provide free resources so that your team can continue improving your organization's security posture.
Here are just some of our recent posts: