Sunlight Shuts Down Spy.pet: Discord Data Harvesters Defeated

Sneaky Spy.pet got swatted! Discord’s data diner, feasting on 620 million messages, went from feast to famine overnight. Law enforcement’s snack or AI’s lunch, it’s off the menu now. Infosec in brief: Don’t invite shady guests to your server party. 🕵️‍♂️💻🚫 #DiscordDataHarvesting

Hot Take:

Discord’s data drama is like discovering your house party wasn’t just friends but included a few undercover data-hungry party crashers. Cue the mad scramble to show them the door (and perhaps a lawsuit) while the rest of us are left wondering if our meme game was secretly judged by AI or lurking law enforcement. Meanwhile, in the realm of things that keep IT folks up at night, it’s a buffet of vulnerabilities with a side of infostealer campaigns and malware-laden antivirus updates—just your typical week in cybersecurity!

Key Points:

  • Discord data harvesting site Spy.pet got the digital boot after sucking up user messages from over 14,000 servers.
  • Spy.pet was selling user data to anyone from cops to creepers, but now they’ve ghosted after being outed.
  • Industrial software is waving red flags with vulnerabilities hitting high on the CVSS score, and one naughty CrushFTP bug is actively exploited.
  • CoralRaider’s infostealer campaign gets creative by hiding malware on CDN cache servers, making cybersecurity pros play an unwanted game of hide-and-seek.
  • In India, eScan antivirus updates got hijacked by GuptizMiner malware, because why catch viruses when you can spread them, right?
Title: Unauthenticated arbitrary file read and remote code execution in CrushFTP
Cve id: CVE-2024-4040
Cve state: PUBLISHED
Cve assigner short name: directcyber
Cve date updated: 04/23/2024
Cve description: A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.

Title: Rockwell Automation Input/Output Device Vulnerable to Major Nonrecoverable Fault
Cve id: CVE-2024-2424
Cve state: PUBLISHED
Cve assigner short name: Rockwell
Cve date updated: 04/15/2024
Cve description: An input validation vulnerability exists in the Rockwell Automation 5015-AENFTXT that causes the secondary adapter to result in a major nonrecoverable fault (MNRF) when malicious input is entered. If exploited, the availability of the device will be impacted, and a manual restart is required. Additionally, a malformed PTP packet is needed to exploit this vulnerability.

Need to know more?

The Spy Who Loved Data

Think of Discord like a massive virtual house party where Spy.pet was that uninvited guest who eavesdropped on conversations, then tried to sell the gossip. Discord's reaction was swift and unambiguous: account bans and potential legal action against the data-vacuuming offenders. They supposedly only scraped public data, which is like saying, "I only read the diary on your desk, not the one in your drawer." Creepy either way, right? After their cover was blown, the number of accessible Discord servers dwindled faster than the ice at said party, and by Friday, Spy.pet had vanished, possibly trying to lay low or just taking a break to enjoy their ill-gotten data gains.

Vulnerabilities Galore

Welcome to the rollercoaster ride of industrial software vulnerabilities! We've got Honeywell, Hitachi, and Rockwell Automation all handing out tickets to potential security breach nightmares with CVSS scores high enough to induce vertigo. And if you're using CrushFTP, you might want to patch things up before you get a crush of a different kind—courtesy of a server-side template injection that's already being exploited. Like a cybersecurity soap opera, the drama never ends; it just introduces more characters.

Cyber Ninjas Hiding in the CDN Shadows

Infostealers are getting crafty, and the CoralRaider group is no exception, using CDN cache servers like a magician's hat to pull out their malicious rabbits. Cryptbot, LummaC2, and Rhadamanthys are the names of their tricks, and they're surprisingly good at fooling network defenders. The movie file downloads that Talos discovered are like those free snacks at the grocery store—come for the freebies, leave with a nasty surprise. And just like that, a global audience unwittingly becomes part of a malware blockbuster.

Antivirus or Malware? It's a Surprise!

For eScan users in India, it's been a real plot twist: their trusty antivirus decided to take a walk on the dark side, thanks to GuptizMiner malware that hitched a ride on the update train. Avast stumbled upon this cyber soap opera and delved into the intrigue, uncovering a man-in-the-middle attack that replaced "good" with "evil." The hows remain murky, but the why is clear as day—compromise and conquer. Good news, though: eScan claims they've cleaned up their act, so make sure your software is up to date, or you might end up starring in your own malware drama.

Tags: CDN malware, CoralRaider group, CrushFTP Vulnerability, data harvesting, Discord vulnerability, GuptiMiner Malware, network security threats