Malware Activity
Rising Cyber Threats: Supply Chain Attacks, Malicious Packages, and Open-Source Malware
Cybersecurity experts have uncovered a malicious RubyGems package impersonating the trusted Fastlane tool to steal Telegram API credentials, exemplifying the growing sophistication of supply chain attacks in software development. Such malicious packages, often disguised to appear legitimate, are increasingly used across npm, Python, and Ruby repositories to exfiltrate sensitive data, hijack cryptocurrency wallets, or even delete codebases post-installation. Attackers leverage tactics such as typosquatting and malware embedding, and exploit emerging technologies and geopolitical tensions, to evade detection. Concurrently, threat actors are deploying open-source remote access Trojans like Chaos RAT, written in Golang, to gain persistent control over Windows and Linux systems. These tools, which resemble legitimate utilities, offer expansive control features and are used in cryptocurrency mining campaigns. The convergence of sophisticated supply chain infiltration and weaponized open-source malware underscores the urgent need for vigilant package verification and enhanced security practices across development environments. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- BleepingComputer: Malicious RubyGems Pose As Fastlane To Steal Telegram API Data article
- TheHackerNews: Chaos RAT Malware Targets Windows and Linux via Fake Network Tool article
Threat Actor Activity
FBI and CISA Release Joint Advisory Regarding The Play Ransomware Gang after Increased Activity
The Play ransomware gang, also known as Playcrypt, has emerged as a significant threat, breaching approximately 900 organizations across North America, South America, and Europe since its inception in 2022. This figure, updated by the FBI, CISA, and the Australian Cyber Security Centre, marks a substantial increase from the 300 attacks initially reported in 2023. The group has been particularly active in targeting businesses and critical infrastructure, making it one of the most prolific ransomware groups in recent years. Play ransomware operators employ a ransomware-as-a-service (RaaS) model, using recompiled malware in each attack to evade detection by security solutions. They exploit multiple vulnerabilities, such as CVE-2024-57727, in remote monitoring and management tools like SimpleHelp, which has been widely used by U.S.-based victims. The gang's tactics involve stealing sensitive documents from compromised systems and using them to extort victims, threatening to publish the data on their dark web leak site if ransoms are not paid. Unlike other ransomware operations, Play uses email for negotiations and does not provide victims with a Tor page link. The gang also utilizes a custom VSS Copying Tool to steal files from shadow volume copies, enhancing their data exfiltration capabilities. High-profile victims include cloud computing company Rackspace, the City of Oakland in California, Dallas County, and the doughnut chain Krispy Kreme. CTIX analysts recommend organizations prioritize updating systems, software, and firmware to mitigate the risk of unpatched vulnerabilities being exploited. Implementing multifactor authentication (MFA) across all services, particularly VPNs and accounts with critical access, is also recommended. Additionally, maintaining offline data backups and developing recovery routines are crucial security practices to counteract the Play ransomware threat.
- Bleeping Computer: Play Ransomware Article
- The Record: Play Ransomware Article
- CISA: Play Ransomware Advisory
Vulnerabilities
Critical Auth Bypass and RCE Flaws Identified in Hewlett Packard Enterprise StoreOnce Software
Hewlett Packard Enterprise (HPE) has released a security bulletin addressing eight (8) vulnerabilities in its StoreOnce backup and deduplication solution, urging users to upgrade to version 4.3.11. Among the issues is a critical authentication bypass flaw, tracked as CVE-2025-37093 (CVSS 9.8/10), which can undermine all other vulnerabilities by allowing attackers to gain unauthorized access. The update also resolves three (3) remote code execution flaws, two (2) directory traversal issues, a server-side request forgery (SSRF) vulnerability, and a sensitive information disclosure bug. All versions prior to 4.3.11 are affected, and HPE has not provided mitigations or workarounds, making immediate patching essential. Discovered by the Zero Day Initiative (ZDI), the flaws were reported in October 2024 but took seven (7) months to patch. While no active exploitation has been reported, the risk is significant due to StoreOnce’s widespread use in large enterprises, cloud environments, and data centers, particularly where it integrates with major backup tools like Veeam and Commvault. CTIX analysts recommend that all administrators ensure that their devices have been sufficiently updated to prevent exploitation.
© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.