Hello and welcome to the Tuesday, December 17th, 2024 edition of the Sands and it's Storms and a

stormcast. My name is Johannes Ulrich and I'm recording from Washington, D.C.

Data Talk Security Labs published an interesting blog post showing the inner workings a little bit of an attack group

that they're calling Mutt 1244.

This group specialized among others on targeting security researchers.

If you attack salespeople, you may threaten them with an updated commission

structures for security people. The lure of choice is usually exploit code. So what MUT 1244 did

is that they published a number of different repostories on GitHub promising new exploit code that,

of course, was backdoored.

This is a common theme.

Nothing really new if you are working with a code that you're downloading from GitHub

in particular.

If it claims to be malicious, well, you better assume it's malicious, but malicious

not in the way that you are expecting. It isn't clear exactly how successful this was.

Their goal was to then install a malicious Cryptocon miner update that, of course, steals

credentials. There was a leak, of course, steals credentials.

There was a leak of 390,000 credentials associated with this group, but these are credentials for WordPress accounts, so there is likely other data that also has been leaked by this particular

group.

In addition to the malicious GitHub reposit, the group also used fishing in the particular

phishing email that was published here by Datadog.

They promised an update to CPU microcode.

It looked actually pretty good at the email.

...