A recent incident involving the popular open-source project “ip” sheds light on the challenges faced by developers when dealing with Common Vulnerabilities and Exposures (CVEs).
The famous open source project 'ip' just had its GitHub repository archived, or turned "read-only" by its creator.
Developer Fedor Indutny began to receive online harassment when a CVE complaint was submitted against his project, bringing the vulnerability to his attention.
Unfortunately, Indutny's condition is not isolated. Recently, open-source developers have seen an increase in dubious or, in some cases, completely false CVE reports made for their projects without confirmation.
This might cause unjustified concern among users of these projects, as well as alerts from security scanners, which can be a source of frustration for developers.
Fedor Indutny, the creator, disputed the severity of the bug. He argued that the impact was minimal and that the reported vulnerability did not warrant a CVE. However, the process for disputing a CVE can be complex and time-consuming.
Indutny decided to take a drastic step: he archived the “ip” repository on GitHub, making it read-only. This move was a clear expression of frustration and a signal that he would not tolerate unwarranted disruptions to his project.
The 'node-ip' project is listed on the npmjs.com registry as the 'ip' package, with 17 million downloads per week, making it one of the most popular IP address parsing utilities JavaScript developers use.
Indutny resorted to social media to express his reasons for archiving 'node-ip':
“There is something that have been bothering me for past few months, and resulted in me archiving node-ip repo on github.Someone filed a dubious CVE about my npm package, and then I started getting messages from all people getting warnings from `npm audit`.”
Disputing a CVE involves navigating a bureaucratic maze. Developers must provide evidence that the reported vulnerability is either invalid or less severe than initially assessed. Unfortunately, this process is not always straightforward. In the case of the “ip” project, Indutny’s efforts to revoke the CVE faced hurdles:
GitHub, the platform hosting the “ip” repository, adjusted the severity of the CVE after Indutny’s actions. They also recommended enabling private vulnerability reporting. This feature allows maintainers to receive vulnerability reports privately, assess them, and decide whether they warrant public disclosure. By doing so, maintainers can avoid unnecessary panic and focus on addressing legitimate issues.
In January 2024, an exposed GitHub token led to a significant breach of The New York Times' repositories. The incident was initially identified and addressed swiftly by the company, but details have only recently emerged. The breach came to light after the stolen data was posted on the 4chan message board. An anonymous user shared a torrent link to a 273GB archive containing the pilfered data, marking one of the most substantial leaks in recent memory.
The leaked data includes around 5,000 repositories, comprising 3.6 million files. A notable portion of this data contains IT documentation, infrastructure tools, and a variety of source code. Among the stolen information is the source code for the popular game Wordle, which The New York Times acquired in 2022. The leak was first noticed by VX-Underground, a group known for monitoring and documenting malware samples and cybersecurity incidents.
The threat actor responsible for the leak reportedly accessed the repositories using an exposed GitHub token. This token granted them unauthorised access to the company’s code, enabling them to download and leak a vast amount of data. The breach's details were confirmed by The New York Times, which clarified that the exposed credentials were for a cloud-based third-party code platform, specifically GitHub.
The New York Times assured that the breach did not affect its internal corporate systems or its operations. In an official statement, the company highlighted that continuous monitoring for anomalous activity is part of their security measures. They emphasised that there was no indication of unauthorised access to Times-owned systems, underscoring their proactive approach in identifying and mitigating the breach promptly.
This leak is the second pressing incident disclosed on 4chan within the same week. Earlier, a leak involving 415MB of internal documents for Disney's Club Penguin game was reported. Sources indicate that this leak was part of a larger breach of Disney’s Confluence server, resulting in the theft of 2.5 GB of internal corporate data. It remains unclear if the same individual or group is responsible for both the New York Times and Disney breaches.
The breach of The New York Times' GitHub repositories stresses upon the importance of stringent digital security measures. As companies increasingly rely on cloud-based platforms for their operations, ensuring the security of access credentials and continuous monitoring for unauthorised activities are crucial steps in safeguarding sensitive information.
A new wave of cyberattacks is targeting GitHub repositories, wiping their contents, and demanding ransom from victims. This alarming campaign, first identified on Wednesday by Germán Fernández, a security researcher at Chilean cybersecurity firm CronUp, is being orchestrated by a threat actor using the handle "Gitloker" on Telegram.
The attackers are reportedly compromising GitHub accounts using stolen credentials. Once they gain access, they delete the contents of the repositories and create a backup of the data, which they claim can restore the deleted information. The compromised repositories are then renamed, and a single README.me file is added, instructing victims to contact the attackers via Telegram for further details.
Victims receive a ransom note that reads, "I hope this message finds you well. This is an urgent notice to inform you that your data has been compromised, and we have secured a backup." This message is intended to coerce the victims into engaging with the attackers in hopes of recovering their lost data.
GitHub has yet to release an official statement regarding the Gitloker extortion campaign. However, the platform has previously advised users to take several precautionary measures to secure their accounts. These include changing passwords, enabling two-factor authentication, adding a passkey for secure, passwordless login, and reviewing account security logs to track any changes in the repositories.
Security Recommendations
To protect against such malicious activities, GitHub users are encouraged to:
Enable Two-Factor Authentication: This adds an extra layer of security to prevent unauthorised access.
Review and Revoke Unauthorised Access: Regularly check for and remove any unauthorised SSH keys, deploy keys, and integrations.
Verify Email Addresses: Ensure all email addresses associated with the account are verified.
Monitor Security Logs: Keep an eye on account security logs to detect any suspicious activities.
Manage Webhooks and Deploy Keys: Regularly review and manage webhooks and deploy keys on repositories.
Review Recent Commits and Collaborators: Continuously check recent commits and collaborators for each repository to identify any unauthorised changes.
Previous Attacks on GitHub
This is not the first time GitHub users have faced such threats. In March 2020, hackers compromised Microsoft's GitHub account, stealing over 500GB of files from private repositories. While the stolen data primarily consisted of code samples and test projects, there was concern that private API keys or passwords might have been exposed.
Phishing Campaigns
In September 2020, GitHub users were targeted by a phishing campaign that used fake CircleCI notifications to steal GitHub credentials and two-factor authentication codes. Once compromised, attackers quickly exfiltrated data from private repositories and added new user accounts to maintain access.
Researchers at Tenable have identified a severe memory corruption vulnerability in Fluent Bit, an open-source logging utility integral to major cloud services. With over 3 billion downloads as of 2022 and an additional 10 million deployments daily, Fluent Bit is a cornerstone of cloud infrastructure used by prominent organisations such as VMware, Cisco, Adobe, Walmart, LinkedIn, and cloud giants like AWS, Microsoft, and Google Cloud.
The issue, dubbed "Linguistic Lumberjack" by Tenable, stems from how Fluent Bit's embedded HTTP server handles trace requests. The vulnerability can be exploited to cause denial of service (DoS), data leaks, or even remote code execution (RCE) in cloud environments.
"While vulnerabilities in major cloud providers like Azure, AWS, and GCP grab headlines, it's crucial to scrutinise the underlying technologies these services rely on," says Jimi Sebree, senior staff research engineer at Tenable. "Critical components like Fluent Bit, which are embedded in many cloud services, pose significant risks if compromised."
Tenable's researchers stumbled upon this flaw while investigating another security issue in a cloud service. They discovered they could access various internal metrics and logging endpoints of the cloud service provider, which included Fluent Bit instances. This cross-tenant data leakage revealed a more profound problem.
The vulnerability lies in the /api/v1/traces endpoint of Fluent Bit's monitoring API. The service fails to validate data types properly, allowing attackers to input non-string values that cause memory corruption. By manipulating these inputs, attackers can crash the service and leak sensitive data. Although exploiting this for RCE would require sophisticated, targeted efforts, the potential for harm remains high.
The bug affects Fluent Bit versions 2.0.7 through 3.0.3 and is tracked under CVE-2024-4323, with critical CVSS scores exceeding 9.5 out of 10. After reporting the issue on April 30, Fluent Bit's developers promptly addressed it by validating input data types in the problematic endpoint. The fix was implemented in the project's main branch on GitHub by May 15.
Organisations using Fluent Bit are strongly advised to update their software to the latest version immediately. Alternatively, administrators should review and restrict access to Fluent Bit's monitoring API to authorised users only, or disable it entirely if feasible.
The discovery of this vulnerability accentuates the importance of scrutinising not just the cloud services themselves but also the foundational technologies they depend on. Ensuring the security of tools like Fluent Bit is vital for maintaining the integrity of cloud environments across industries.
GitHub has unveiled a novel AI-driven feature aimed at expediting the resolution of vulnerabilities during the coding process. This new tool, named Code Scanning Autofix, is currently available in public beta and is automatically activated for all private repositories belonging to GitHub Advanced Security (GHAS) customers.
Utilizing the capabilities of GitHub Copilot and CodeQL, the feature is adept at handling over 90% of alert types in popular languages such as JavaScript, Typescript, Java, and Python.
Once activated, Code Scanning Autofix presents potential solutions that GitHub asserts can resolve more than two-thirds of identified vulnerabilities with minimal manual intervention. According to GitHub's representatives Pierre Tempel and Eric Tooley, upon detecting a vulnerability in a supported language, the tool suggests fixes accompanied by a natural language explanation and a code preview, offering developers the flexibility to accept, modify, or discard the suggestions.
The suggested fixes are not confined to the current file but can encompass modifications across multiple files and project dependencies. This approach holds the promise of substantially reducing the workload of security teams, allowing them to focus on bolstering organizational security rather than grappling with a constant influx of new vulnerabilities introduced during the development phase.
However, it is imperative for developers to independently verify the efficacy of the suggested fixes, as GitHub's AI-powered feature may only partially address security concerns or inadvertently disrupt the intended functionality of the code.
Tempel and Tooley emphasized that Code Scanning Autofix aids in mitigating the accumulation of "application security debt" by simplifying the process of addressing vulnerabilities during development. They likened its impact to GitHub Copilot's ability to alleviate developers from mundane tasks, allowing development teams to reclaim valuable time previously spent on remedial actions.
In the future, GitHub plans to expand language support, with forthcoming updates slated to include compatibility with C# and Go.
For further insights into the GitHub Copilot-powered code scanning autofix tool, interested parties can refer to GitHub's documentation website.
Additionally, the company recently implemented default push protection for all public repositories to prevent inadvertent exposure of sensitive information like access tokens and API keys during code updates.
This move comes in response to a notable issue in 2023, during which GitHub users inadvertently disclosed 12.8 million authentication and sensitive secrets across more than 3 million public repositories. These exposed credentials have been exploited in several high-impact breaches in recent years, as reported by BleepingComputer.
Various technical details, including code about Binance's security procedures, were included in the leaked material. Interestingly, this contained details on multi-factor authentication (MFA) and passwords. A large portion of the code that was made public concerned systems that were identified as "prod," denoting a link to Binance's operational website as opposed to test or development environments.
On January 5, 2024, 404 Media contacted Binance to inform the exchange about the compromised data, which is when the problem became apparent. Binance then retaliated by sending GitHub a copyright removal request. Binance admitted in this request that internal code from the disclosed material "poses a significant risk" to the exchange, resulting in "severe financial harm" as well as possible user misunderstanding or harm.
Even after admitting the leak, Binance sent out a representative to try and reassure its user base. According to the spokesman, Binance's security team examined the circumstances and came to the conclusion that the code that had been leaked was not similar to the code that was being produced at the time. The representative emphasized the protection of users' data and assets and stated that there was only a "negligible risk" from the compromised information.
The significance of strong security procedures in the Bitcoin sector is highlighted by this occurrence. Crypto exchanges are required to uphold strict security procedures because of their role in managing users' sensitive information and financial assets. The prolonged public disclosure of security-related code and internal passwords on a public forum calls into doubt the effectiveness of Binance's security protocols.
Another level of worry is raised by the exposed data, especially the code about security protocols like multi-factor authentication and passwords. These kinds of security lapses can have serious repercussions, including the compromise of user funds and accounts. It draws attention to the continuous difficulties Bitcoin platforms have in maintaining the integrity and confidentiality of their internal systems.
Mercedes-Benz faces the spotlight as a critical breach comes to light. RedHunt Labs, a cybersecurity firm, discovered a serious vulnerability in Mercedes's digital security, allowing unauthorised entry to confidential internal data. Shubham Mittal, Chief Technology Officer at RedHunt Labs, found an employee's access token exposed on a public GitHub repository during a routine scan in January. This access token, initially meant for secure entry, inadvertently served as the gateway to Mercedes's GitHub Enterprise Server, posing a risk to sensitive source code repositories. The incident reiterates the importance of robust cybersecurity measures and highlights potential risks associated with digital access points.
Mittal found an employee's authentication token, an alternative to passwords, exposed in a public GitHub repository. This token provided unrestricted access to Mercedes's GitHub Enterprise Server, allowing the unauthorised download of private source code repositories. These repositories contained a wealth of intellectual property, including connection strings, cloud access keys, blueprints, design documents, single sign-on passwords, API keys, and other crucial internal details.
The exposed repositories were found to include Microsoft Azure and Amazon Web Services (AWS) keys, a Postgres database, and actual Mercedes source code. Although it remains unclear whether customer data was compromised, the severity of the breach cannot be underestimated.
Upon notification from RedHunt Labs, Mercedes responded by revoking the API token and removing the public repository. Katja Liesenfeld, a Mercedes spokesperson, acknowledged the error, stating, "The security of our organisation, products, and services is one of our top priorities." Liesenfeld assured that the company would thoroughly analyse the incident and take appropriate remedial measures.
The incident, which occurred in late September 2023, raises concerns about the potential exposure of the key to third parties. Mercedes has not confirmed if others discovered the exposed key or if the company possesses the technical means to track any unauthorised access to its data repositories.
This incident comes on the heels of a similar security concern with Hyundai's India subsidiary, where a bug exposed customers' personal information. The information included names, mailing addresses, email addresses, and phone numbers of Hyundai Motor India customers who had their vehicles serviced at Hyundai-owned stations across India.
These security lapses highlight the importance of robust cybersecurity measures in an era where digital threats are increasingly sophisticated. Companies must prioritise the safeguarding of sensitive data to protect both their intellectual property and customer information.
As the situation unfolds, Mercedes will undoubtedly face scrutiny over its security protocols, emphasising the need for transparency and diligence in handling such sensitive matters. Consumers are reminded to remain vigilant about the cybersecurity practices of the companies they entrust with their data.
According to a report by Cryptopolitan, the breach happened when malicious code was added to Ledger's Github repository for Connect Kit, an essential component that is required by several DeFi protocols in order to communicate with hardware wallets for cryptocurrencies. Every application that used the Connect Kit had issues with its front end due to the malicious code. Notable protocols affected by this security flaw were Sushi, Lido, Metamask, and Coinbase.
In regards to the incident, Ledger informed that one of its employees had fallen victim to a phishing attack, resulting in the unauthorized leak of a compromised version of the Ledger Connect Kit. The leaked code revealed the name and email address of the former employees. It is important to note that the developer was first believed to be behind the exploit by the cryptocurrency community. Ledger subsequently stated, nevertheless, that the incident was the consequence of a former employee falling for a phishing scheme.
Ledger, after acknowledging the incident, identified and removed the exploited version of the software. However, despite the swift response, the damage was already done, since the software was left vulnerable for at least two hours, in the course of which the threat actors had already drained the funds.
The company acted promptly, identifying and removing the harmful version of the software. However, despite Ledger’s quick response, the damage had already been done in approximately two hours, during which the hackers drained funds.
This incident has raised major concerns regarding the security infrastructure of decentralized applications. DeFi protocols frequently rely on code from multiple software providers, including Ledger, which leaves them vulnerable to multiple potential points of failure.
This incident has further highlighted the significance of boosting security protocols across the DeFi ecosystem.
The victims who were directly affected by the attack included users of services such as revoke.cash. Also, the service normally used in withdrawing permissions from DeFi protocols following security breaches was compromised. Users who were trying to protect their assets were unintentionally sent to a fraudulent token drainer, which increased the extent of the theft.
Vulnerabilities in the constantly changing technology landscape present serious risks to the safety of our online lives. A significant Bluetooth security weakness that affects Apple, Linux, and Android devices has recently come to light in the cybersecurity community, potentially putting millions of users at risk of hacking.
Security experts from SkySafe, a renowned cybersecurity firm, delved into the intricacies of the vulnerability and disclosed their findings on GitHub. If successfully employed, the exploit could lead to a myriad of security breaches, prompting urgent attention from device manufacturers and software developers alike.
Apple, a prominent player in the tech industry, was not exempt from the repercussions of this Bluetooth bug. The flaw could potentially enable hackers to hijack Apple devices, raising concerns among millions of iPhone, iPad, and MacBook users. Apple, known for its commitment to user security, has been swift in acknowledging the issue and is actively working on a patch to mitigate the vulnerability.
Linux, an open-source operating system widely used across various platforms, also faced the brunt of this security loophole. With a significant user base relying on Linux for its robustness and versatility, the impact of the Bluetooth flaw extends to diverse systems, emphasizing the urgency of a comprehensive solution.
Android, the dominant mobile operating system, issued a security bulletin addressing the Bluetooth vulnerability. The Android Security Bulletin for December 2023 outlined the potential risks and provided guidance on necessary patches and updates. As the flaw could compromise the security of Android devices, users are strongly advised to implement the recommended measures promptly.
Cybersecurity experts stated, "The discovery of this Bluetooth vulnerability is a stark reminder of the constant vigilance required in the digital age. It underscores the importance of prompt action by manufacturers and users to ensure the security and integrity of personal and sensitive information."
This Bluetooth security issue serves as a grim reminder of the ongoing fight against new cyber threats as the tech world struggles with its implications. In order to strengthen its commitment to a secure digital future, the IT industry is working together with developers, manufacturers, and consumers to quickly identify and fix vulnerabilities.
While massive platforms like YouTube and Gmail use text classification models to identify frauds, offensive remarks, and phishing attempts, threat actors are known to create counter-strategies to get around these security mechanisms.
The project description on GitHub reads, "RETVec is trained to be resilient against character-level manipulations including insertion, deletion, typos, homoglyphs, LEET substitution, and more."
"The RETVec model is trained on top of a novel character encoder which can encode all UTF-8 characters and words efficiently."
The Google-sponsored platforms reveal that they have been using Adversarial text manipulations, such as the usage of homoglyphs, keyword stuffing, and invisible characters.
With its out-of-the-box support for over 100 languages, RETVec seeks to contribute to developing more robust and computationally affordable server-side and on-device text classifiers that are more durable and effective.
In natural language processing (NLP), vectorization is a technique that maps words or phrases from a lexicon to a matching numerical representation for use in sentiment analysis, text classification, and named entity recognition, among other analyses.
Google’s anti-abuse researchers Elie Bursztein and Marina Zhang note in the Google Security blog that, “due to its novel architecture, RETVec works out-of-the-box on every language and all UTF-8 characters without the need for text preprocessing, making it the ideal candidate for on-device, web, and large-scale text classification deployments."
Google further notes that incorporating vectorizer into Gmail has really helped in detecting spam, with the detection rate escalating over the baseline by 38%. Also, the false positive rate has declined by 19.4%.
Moreover, vectorization has also reduced the model's Tensor Processing Unit (TPU) usage by 83%.
"Models trained with RETVec exhibit faster inference speed due to its compact representation. Having smaller models reduces computational costs and decreases latency, which is critical for large-scale applications and on-device models," Bursztein and Zhang added.
Spams are the most popular attack vector in the virtual space, used by almost every cybercriminal. The popularity comes with its convenience of being omnipresent, cheap, and efficient, enabling cybercriminals to transfer malware and access sensitive data from targeted systems.