Malicious PyPI Package "automslc" Enables 104K+ Unauthorized Deezer Music Downloads - Related to deezer, downloads, records, under, firewall

Firewall Bug Under Active Attack Triggers CISA Warning

CISA is warning that Palo Alto Networks’ PAN-OS is under active attack and needs to be patched ASAP.

Software running Palo Alto Networks’ firewalls is under attack, prompting [website] Cybersecurity and Infrastructure Security Agency (CISA) to issue a warning to public and federal IT security teams to apply available fixes. Federal agencies urged to patch the bug by September 9.

Earlier this month, Palo Alto Networks issued a fix for the high-severity bug (CVE-2022-0028) that it says adversaries attempted to exploit. The flaw could be used by remote hackers to carry out reflected and amplified denial-of-service (DoS) attacks without having to authenticate targeted systems.

Palo Alto Networks maintains the flaw can only be exploited on a limited number of systems, under certain conditions and that the vulnerable systems are not part of a common firewall configuration. Any additional attacks exploiting the bug have either not occurred or been publicly reported.

Affected products include those running the PAN-OS firewall software include PA-Series, VM-Series and CN-Series devices. PAN-OS versions vulnerable to attack, with patches available, include PAN-OS prior to [website], PAN-OS prior to [website], PAN-OS prior to [website], PAN-OS prior to [website], PAN-OS prior to [website] and PAN-OS prior to [website].

; “A PAN-OS URL filtering policy misconfiguration could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks. The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against an attacker-specified target.”.

The advisory describes the non-standard configuration at risk as the “firewall configuration must have a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external facing network interface.”.

The configuration is likely unintended by the network administrator, the advisory introduced.

On Monday, CISA added the Palo Alto Networks bug to its list of Known Exploited Vulnerabilities Catalog.

The CISA Known Exploited Vulnerabilities (KEV) Catalog is a curated list of flaws that have been exploited in the wild. It is also a list of KEVs that the agency “strongly recommends” public and private organizations pay close attention to in order to “prioritize remediation” to “reduce the likelihood of compromise by known threat actors.”.

Reflective and Amplification DoS Attacks.

One of the most notable evolutions in the DDoS landscape is the growth in the peak size of volumetric attacks. Attackers continue to use reflection/amplification techniques to exploit vulnerabilities in DNS, NTP, SSDP, CLDAP, Chargen and other protocols to maximize the scale of their attacks.

Reflected and amplified denial-of-service attacks are not new and have steadily become more common over the years.

Distributed denial of service attacks, bent on taking websites offline by overwhelming domains or specific application infrastructure with massive traffic flows, continue to pose a major challenge to businesses of all stripes. Being knocked offline impacts revenue, customer service and basic business functions – and worryingly, the bad actors behind these attacks are honing their approaches to become ever more successful over time.

Unlike limited volume DDoS attacks, reflective and amplified DoS attacks can produce much higher volumes of disruptive traffic. This type of attack allows an adversary to magnify the amount of malicious traffic they generate while obscuring the insights of the attack traffic. An HTTP-based DDoS attack, for example, sends junk HTTP requests to a target’s server tying up resources and locking out customers from using a particular site or service.

A TCP attack, believed used in the recent Palo Alto Networks attack, is when an attacker sends a spoofed SYN packet, with the original source IP replaced by the victim’s IP address, to a range of random or pre-selected reflection IP addresses. The services at the reflection addresses reply with a SYN-ACK packet to the victim of the spoofed attack. If the victim does not respond, the reflection service will continue to retransmit the SYN-ACK packet, resulting in amplification. The amount of amplification depends on the number of SYN-ACK retransmits by the reflection service, which can be defined by the attacker.

Carding — the underground business of stealing, selling and swiping stolen payment card data — has long been the dominion of Russia-based hackers. Hap......

Starting mid-March 2025, Microsoft will start prompting individuals of its Microsoft 365 apps for Windows to back up their files to OneDrive.

New research indicates that over 80,000 Hikvision surveillance cameras in the world today are vulnerable to an 11 month-old command injection flaw.

Malicious PyPI Package "automslc" Enables 104K+ Unauthorized Deezer Music Downloads

Cybersecurity researchers have flagged a malicious Python library on the Python Package Index (PyPI) repository that facilitates unauthorized music downloads from music streaming service Deezer.

The package in question is automslc, which has been downloaded over 104,000 times to date. First , it remains available on PyPI as of writing.

"Although automslc, which has been downloaded over 100,000 times, purports to offer music automation and metadata retrieval, it covertly bypasses Deezer's access restrictions by embedding hardcoded credentials and communicating with an external command-and-control (C2) server," Socket security researcher Kirill Boychenko unveiled in a findings .

Specifically, the package is designed to log into the French music streaming platform via user-supplied and hard-coded credentials, gather track-related metadata, and download full audio files in violation of Deezer's API terms.

The package also periodically communicates with a remote server located at "[website][.]17:8031" to provide updates on the download status, thereby giving the threat actor centralized control over the coordinated music piracy operation.

Put differently, automslc effectively turns the systems of the package individuals into an illicit network for facilitating bulk music downloads in an unauthorized manner. The IP address is associated with a domain named "automusic[.]win," which is expressed to be used by the threat actor to oversee the distributed downloading operation.

"Deezer's API terms forbid the local or offline storage of complete audio content, but by downloading and decrypting entire tracks, automslc bypasses this limitation, potentially placing customers at risk of legal repercussions," Boychenko noted.

The disclosure comes as the software supply chain security firm detailed a rogue npm package called @ton-wallet/create that has been found stealing mnemonic phrases from unsuspecting individuals and developers in the TON ecosystem, while impersonating the legitimate @ton/ton package.

The package, first , has attracted 584 downloads to date. It remains available for download.

The malicious functionality embedded into the library is capable of extracting the [website] environment variable, thereby giving threat actors complete access to a cryptocurrency wallet and potentially drain a victim's digital assets. The information is transmitted to an attacker-controlled Telegram bot.

"This attack poses severe supply chain security risks, targeting developers and consumers integrating TON wallets into their applications," Socket stated. "Regular dependency audits and automated scanning tools should be employed to detect anomalous or malicious behaviors in third-party packages before they are integrated into production environments."

The Python package "automslc" is no longer available for download from PyPI.

Twitter is blasted for security and privacy lapses by the firm’s former head of security who alleges the social media giant’s actions amount to a n......

YouTube warns that scammers are using an AI-generated video featuring the organization's CEO in phishing attacks to steal creators' credentials.

The [website] Federal Bureau of Investigation (FBI) formally linked the record-breaking $[website] billion Bybit hack to North Korean threat actors, as the compa......

Student Loan Breach Exposes 2.5M Records

[website] million people were affected, in a breach that could spell more trouble down the line.

EdFinancial and the Oklahoma Student Loan Authority (OSLA) are notifying over [website] million loanees that their personal data was exposed in a data breach.

The target of the breach was Nelnet Servicing, the Lincoln, Neb.-based servicing system and web portal provider for OSLA and EdFinancial, .

Nelnet revealed the breach to affected loan recipients on July 21, 2022 via a letter.

“[Our] cybersecurity team took immediate action to secure the information system, block the suspicious activity, fix the issue, and launched[sic] an investigation with third-party forensic experts to determine the nature and scope of the activity,” .

’s general counsel, Bill Munn, to the state of Maine the breach occurred sometime between June 1, 2022 and July 22, 2022. However, a letter to affected end-customers pinpoints the breach to July 21. The breach was discovered on August 17, 2022.

“On July 21, 2022, Nelnet Servicing, LLC (Nelnet), our servicing system and customer website.

portal provider, notified us that they had discovered a vulnerability that we believe led to this incident,” .

It’s unclear what the vulnerability was.

“On August 17, 2022, this investigation determined that certain student loan account registration information was accessible by an unknown party beginning in June 2022 and ending on July 22, 2022,” .

Although clients’ most sensitive financial data was protected, the personal information that was accessed in the Nelnet breach “has potential to be leveraged in future social engineering and phishing campaigns,” explained Melissa Bischoping, endpoint security research specialist at Tanium, in a statement via email.

“With recent news of student loan forgiveness, it’s reasonable to expect the occasion to be used by scammers as a gateway for criminal activity,” Bischoping stated.

Last week, the Biden administration showcased a plan to cancel $10,000 of student loan debt for low- and middle-income loanees. She expressed the loan forgiveness program will be used to lure victims into opening up phishing emails.

She warns that lately breached data will be used to impersonate affected brands in waves of phishing campaigns targeting students and recent college graduates.

“Because they can leverage the trust from existing business relationships they can be particularly deceptive,” she wrote.

’s cybersecurity team “took immediate action to secure the information system, block the suspicious activity, fix the issue, and launched an investigation with third-party forensic experts to determine the nature and scope of the activity.”.

Remediation also included two years of free credit monitoring, credit reports and up to $1 million in identity theft insurance.

New research indicates that over 80,000 Hikvision surveillance cameras in the world today are vulnerable to an 11 month-old command injection flaw.

A [website] Army soldier who pleaded guilty last week to leaking phone records for high-ranking [website] government officials searched online for non-extraditi......

A cross-site scripting (XSS) vulnerability in a virtual tour framework has been weaponized by malicious actors to inject malicious scripts across hund......