Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label GitHub. Show all posts
Vulnerabilities and Exploits
Account security Account Takeover BreachForums Dark Web Data Safety GitHub NPM Vulnerabilities and Exploits

Critical npm Account Takeover Vulnerability Sold on Dark Web

 

A cybercriminal known as Alderson1337 has emerged on BreachForums, offering a critical exploit targeting npm accounts. This vulnerability poses a significant threat to npm, a crucial package manager for JavaScript managed by npm, Inc., a subsidiary of GitHub. Alderson1337 claims this exploit can enable attackers to hijack npm accounts linked to specific employees within organizations. 

The method involves embedding undetectable backdoors into npm packages used by these employees, potentially compromising numerous devices upon updates. This exploit could have widespread implications for organizational security. Instead of sharing a proof of concept (PoC) publicly, Alderson1337 has invited interested buyers to contact him privately, aiming to maintain the exploit’s confidentiality and exclusivity. If executed successfully, this npm exploit could inject backdoors into npm packages, leading to extensive device compromise. 

However, npm has not yet issued an official statement, leaving the claims unverified. The incident primarily impacts npm Inc., with npmjs.com being the related website. While the potential repercussions are global, the specific industry impact remains undefined. Account takeover (ATO) vulnerabilities represent severe risks where cybercriminals gain unauthorized access to online accounts by exploiting stolen credentials. These credentials are often obtained through social engineering, data breaches, or phishing attacks. 

Once acquired, attackers use automated bots to test these credentials across various platforms, including travel, retail, finance, eCommerce, and social media sites. Users’ reluctance to update passwords and reusing them across different platforms increase the risk of credential stuffing and brute force attacks. Such practices allow attackers to access accounts, potentially leading to identity theft, financial fraud, or misuse of personal information. To mitigate ATO attack risks, experts recommend adopting strong password management practices, including using unique, complex passwords for each account and enabling two-factor authentication (2FA) wherever possible. Regular monitoring for unauthorized account activities and promptly responding to suspicious login attempts are also crucial for maintaining account security. 

While Alderson1337’s claims await verification, this incident underscores the ongoing challenges posed by account takeover vulnerabilities in today’s interconnected digital landscape. Vigilance and collaboration across the cybersecurity community are essential to mitigating these threats and preserving the integrity of online platforms and services.
Read more »
Vulnerabilities and Exploits
Bug Fixes CVE Reporting Developers GitHub Vulnerabilities and Exploits

Maintaining Sanity Amidst Unnecessary CVE Reports

Maintaining Sanity Amidst Unnecessary CVE Reports

Developers strive to maintain robust codebases, but occasionally, they encounter dubious or exaggerated reports that can disrupt their work. 

A recent incident involving the popular open-source project “ip” sheds light on the challenges faced by developers when dealing with Common Vulnerabilities and Exposures (CVEs).

The Growing Nuisance of Dubious CVE Reports in Open Source Projects

The famous open source project 'ip' just had its GitHub repository archived, or turned "read-only" by its creator.

Developer Fedor Indutny began to receive online harassment when a CVE complaint was submitted against his project, bringing the vulnerability to his attention.

Unfortunately, Indutny's condition is not isolated. Recently, open-source developers have seen an increase in dubious or, in some cases, completely false CVE reports made for their projects without confirmation.

This might cause unjustified concern among users of these projects, as well as alerts from security scanners, which can be a source of frustration for developers.

The “ip” Project and the Dubious CVE

Fedor Indutny, the creator, disputed the severity of the bug. He argued that the impact was minimal and that the reported vulnerability did not warrant a CVE. However, the process for disputing a CVE can be complex and time-consuming. 

Indutny decided to take a drastic step: he archived the “ip” repository on GitHub, making it read-only. This move was a clear expression of frustration and a signal that he would not tolerate unwarranted disruptions to his project.

The 'node-ip' project is listed on the npmjs.com registry as the 'ip' package, with 17 million downloads per week, making it one of the most popular IP address parsing utilities JavaScript developers use.

Indutny resorted to social media to express his reasons for archiving 'node-ip': 

“There is something that have been bothering me for past few months, and resulted in me archiving node-ip repo on github.Someone filed a dubious CVE about my npm package, and then I started getting messages from all people getting warnings from `npm audit`.”

The Challenge of Disputing a CVE

Disputing a CVE involves navigating a bureaucratic maze. Developers must provide evidence that the reported vulnerability is either invalid or less severe than initially assessed. Unfortunately, this process is not always straightforward. In the case of the “ip” project, Indutny’s efforts to revoke the CVE faced hurdles:

  • Severity Assessment: The initial severity assigned to the vulnerability was likely based on the worst-case scenario. However, Indutny argued that the real-world impact was minimal. Balancing severity with practical implications is a delicate task.
  • CVE Documentation: Properly documenting the dispute requires clear communication. Developers must provide detailed explanations, code samples, and any relevant context. This documentation is essential for CVE reviewers to reevaluate the issue.
  • Community Perception: Public perception matters. When a project receives a CVE, users may panic, assuming the worst. Even if the impact is minor, the mere existence of a CVE can create unnecessary anxiety.

GitHub’s Response and Recommendations

GitHub, the platform hosting the “ip” repository, adjusted the severity of the CVE after Indutny’s actions. They also recommended enabling private vulnerability reporting. This feature allows maintainers to receive vulnerability reports privately, assess them, and decide whether they warrant public disclosure. By doing so, maintainers can avoid unnecessary panic and focus on addressing legitimate issues.

Read more »
TRANSLATEXT
Cyberattacks CyberCrime Cyberhackers Cybersecurity CyberThreat GitHub JavaScript malware TRANSLATEXT

Kimsuky Unleashes TRANSLATEXT Malware on South Korean Academic Institutions

 


An investigation has found that a North Korea-linked threat actor, known as Kimsuky, has been involved in the use of a malicious Google Chrome extension to steal sensitive information to collect information as part of an ongoing intelligence collection effort. Observing the activity in early March 2024, Zscaler ThreatLabz has codenamed the extension TRANSLATEXT, emphasizing its ability to gather email addresses, usernames, passwords, cookies, and screenshots as well as its ability to gather this information. 

This targeted campaign is said to have targeted South Korean academia, specifically those focused on North Korean politics. There is a notorious North Korean hacker group known as Kimsuky that has been active since 2012, perpetrating cyber espionage and financial-motivated attacks against South Korean businesses. Kimsuky is widely known as a notorious hacker crew. In the remote server's PowerShell script, general information about the victim is uploaded as well as creating a Windows shortcut that enables a user to retrieve another script from the remote server through a PowerShell script. TRANSLATEXT's exact delivery method remains unclear, which makes it even more difficult for defenders to protect themselves from it. 

Despite this, Kimsuky is well known for utilizing sophisticated spear-phishing and social engineering attacks to trick the target into initiating the infection process. Two files appear to be connected to Korean military history when the attack begins, a ZIP archive that appears to contain two files, a Hangul Word Processor document and an executable file. Once the executable file has been launched, it retrieves a PowerShell script from the attacker's server. In addition to exporting the victim's information to a GitHub repository, this script also downloads additional PowerShell code via a Windows shortcut (LNK) file and executes it. 

It is clear from this multi-stage attack process that Kimsuky is an extremely sophisticated and well-planned operation. By using a familiar and seemingly legitimate document, the attackers decrease the chances of the targets being suspicious. As well as displaying an innovative method of blending malicious activities into regular internet traffic, GitHub is also utilized in the initial data export process, resulting in a much harder time finding and blocking malicious actions for traditional security systems. There are a few groups that are also associated with the Lazarus cluster or part of the Reconnaissance General Bureau (RGB). 

For instance, APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail, and Velvet Chollima are groups that are affiliated with the Lazarus cluster. There have been several incidents in the last few weeks in which the group has weaponized a vulnerability in Microsoft Office (CVE-2017-11882), distributed a keylogger, and used job-themed lures in attacks aiming at the aerospace and defence industries to drop an espionage tool that gathers data and executes secondary payloads. "The backdoor is unknown to the public and the attacker can conduct basic reconnaissance, drop additional payloads, and then take over or remotely control the computer." 

CyberArmor said. Despite Kimsuky's recent involvement in cyber espionage, it has given this campaign the name Niki. It is no secret that Kimsuky is not a new player. Since at least 2012, the group has been active and has developed a reputation for orchestrating cyber-espionage and financial-motivated attacks primarily on South Korean institutions, which has earned them a reputation as a notorious group. It has been reported that the group has stolen classified information, and committed financial fraud, and ransomware attacks. Throughout history, they have been one of the most formidable cyber threat actors associated with North Korea due to their adaptability and persistence. 

There is no doubt that Kimsuky is capable of blending cyber espionage with financially motivated operations, indicating a versatile approach to achieving the North Korean regime's objectives, whether they are to gather intelligence or generate revenue to support it. As of right now, it is not clear what is the exact mechanism for accessing the newly discovered activity, although it is known that the group is known for utilizing spear-phishing and social engineering attacks to launch the infection cycle. 

It is believed that the attack began with the delivery of a ZIP archive with the intent of containing Korean military history at the time, which contains two files: a word processor document in Hangul and an executable at the time of the attack. As soon as the executable is launched, a PowerShell script is extracted from a server controlled by the attacker that downloads additional PowerShell code with the aid of a Windows shortcut file (LNK) and creates a GitHub repository where the compromised victim's information is periodically uploaded. 

After the GitHub repository has been created, the attacker deletes the LNK file in question. This is the statement posted by Zscaler, a security company that found a GitHub account, created on February 13, 2024, that briefly hosted the TRANSLATEXT extension under the name "GoogleTranslate.crx," regardless of how it is distributed at the moment. TRANSLATEXT, which masquerades as Google Translate, incorporates JavaScript code to bypass security measures for services like Google, Kakao, and Naver; siphon email addresses, credentials, and cookies; capture browser screenshots; and exfiltrate stolen data. It's also designed to fetch commands from a Blogger Blogspot URL to take screenshots of newly opened tabs and delete all cookies from the browser, among others.
Read more »
Source Code
Data Breach GitHub New York Times Repository Source Code

New York Times Source Code Leaked Online


 

In January 2024, an exposed GitHub token led to a significant breach of The New York Times' repositories. The incident was initially identified and addressed swiftly by the company, but details have only recently emerged. The breach came to light after the stolen data was posted on the 4chan message board. An anonymous user shared a torrent link to a 273GB archive containing the pilfered data, marking one of the most substantial leaks in recent memory.

The leaked data includes around 5,000 repositories, comprising 3.6 million files. A notable portion of this data contains IT documentation, infrastructure tools, and a variety of source code. Among the stolen information is the source code for the popular game Wordle, which The New York Times acquired in 2022. The leak was first noticed by VX-Underground, a group known for monitoring and documenting malware samples and cybersecurity incidents.

The threat actor responsible for the leak reportedly accessed the repositories using an exposed GitHub token. This token granted them unauthorised access to the company’s code, enabling them to download and leak a vast amount of data. The breach's details were confirmed by The New York Times, which clarified that the exposed credentials were for a cloud-based third-party code platform, specifically GitHub.

The New York Times assured that the breach did not affect its internal corporate systems or its operations. In an official statement, the company highlighted that continuous monitoring for anomalous activity is part of their security measures. They emphasised that there was no indication of unauthorised access to Times-owned systems, underscoring their proactive approach in identifying and mitigating the breach promptly.

This leak is the second pressing incident disclosed on 4chan within the same week. Earlier, a leak involving 415MB of internal documents for Disney's Club Penguin game was reported. Sources indicate that this leak was part of a larger breach of Disney’s Confluence server, resulting in the theft of 2.5 GB of internal corporate data. It remains unclear if the same individual or group is responsible for both the New York Times and Disney breaches.

The breach of The New York Times' GitHub repositories stresses upon the importance of stringent digital security measures. As companies increasingly rely on cloud-based platforms for their operations, ensuring the security of access credentials and continuous monitoring for unauthorised activities are crucial steps in safeguarding sensitive information.


Read more »
Repository
cyber attack Cyber Attacks Data Extortion GitHub Gitloker Repository

New Extortion Scheme Targets GitHub Repositories


 

A new wave of cyberattacks is targeting GitHub repositories, wiping their contents, and demanding ransom from victims. This alarming campaign, first identified on Wednesday by Germán Fernández, a security researcher at Chilean cybersecurity firm CronUp, is being orchestrated by a threat actor using the handle "Gitloker" on Telegram.

The attackers are reportedly compromising GitHub accounts using stolen credentials. Once they gain access, they delete the contents of the repositories and create a backup of the data, which they claim can restore the deleted information. The compromised repositories are then renamed, and a single README.me file is added, instructing victims to contact the attackers via Telegram for further details.

Victims receive a ransom note that reads, "I hope this message finds you well. This is an urgent notice to inform you that your data has been compromised, and we have secured a backup." This message is intended to coerce the victims into engaging with the attackers in hopes of recovering their lost data.

GitHub has yet to release an official statement regarding the Gitloker extortion campaign. However, the platform has previously advised users to take several precautionary measures to secure their accounts. These include changing passwords, enabling two-factor authentication, adding a passkey for secure, passwordless login, and reviewing account security logs to track any changes in the repositories.

Security Recommendations

To protect against such malicious activities, GitHub users are encouraged to:

Enable Two-Factor Authentication: This adds an extra layer of security to prevent unauthorised access.

Review and Revoke Unauthorised Access: Regularly check for and remove any unauthorised SSH keys, deploy keys, and integrations.

Verify Email Addresses: Ensure all email addresses associated with the account are verified.

Monitor Security Logs: Keep an eye on account security logs to detect any suspicious activities.

Manage Webhooks and Deploy Keys: Regularly review and manage webhooks and deploy keys on repositories.

Review Recent Commits and Collaborators: Continuously check recent commits and collaborators for each repository to identify any unauthorised changes.

Previous Attacks on GitHub

This is not the first time GitHub users have faced such threats. In March 2020, hackers compromised Microsoft's GitHub account, stealing over 500GB of files from private repositories. While the stolen data primarily consisted of code samples and test projects, there was concern that private API keys or passwords might have been exposed.

Phishing Campaigns

In September 2020, GitHub users were targeted by a phishing campaign that used fake CircleCI notifications to steal GitHub credentials and two-factor authentication codes. Once compromised, attackers quickly exfiltrated data from private repositories and added new user accounts to maintain access.




Read more »
RCE
Cloud Platform Data Breach Data Leak GitHub RCE

Major Security Flaw Discovered in Popular Cloud Logging Tool

 



Researchers at Tenable have identified a severe memory corruption vulnerability in Fluent Bit, an open-source logging utility integral to major cloud services. With over 3 billion downloads as of 2022 and an additional 10 million deployments daily, Fluent Bit is a cornerstone of cloud infrastructure used by prominent organisations such as VMware, Cisco, Adobe, Walmart, LinkedIn, and cloud giants like AWS, Microsoft, and Google Cloud.

The issue, dubbed "Linguistic Lumberjack" by Tenable, stems from how Fluent Bit's embedded HTTP server handles trace requests. The vulnerability can be exploited to cause denial of service (DoS), data leaks, or even remote code execution (RCE) in cloud environments.

"While vulnerabilities in major cloud providers like Azure, AWS, and GCP grab headlines, it's crucial to scrutinise the underlying technologies these services rely on," says Jimi Sebree, senior staff research engineer at Tenable. "Critical components like Fluent Bit, which are embedded in many cloud services, pose significant risks if compromised."

Tenable's researchers stumbled upon this flaw while investigating another security issue in a cloud service. They discovered they could access various internal metrics and logging endpoints of the cloud service provider, which included Fluent Bit instances. This cross-tenant data leakage revealed a more profound problem.

The vulnerability lies in the /api/v1/traces endpoint of Fluent Bit's monitoring API. The service fails to validate data types properly, allowing attackers to input non-string values that cause memory corruption. By manipulating these inputs, attackers can crash the service and leak sensitive data. Although exploiting this for RCE would require sophisticated, targeted efforts, the potential for harm remains high.

The bug affects Fluent Bit versions 2.0.7 through 3.0.3 and is tracked under CVE-2024-4323, with critical CVSS scores exceeding 9.5 out of 10. After reporting the issue on April 30, Fluent Bit's developers promptly addressed it by validating input data types in the problematic endpoint. The fix was implemented in the project's main branch on GitHub by May 15.

Organisations using Fluent Bit are strongly advised to update their software to the latest version immediately. Alternatively, administrators should review and restrict access to Fluent Bit's monitoring API to authorised users only, or disable it entirely if feasible.

The discovery of this vulnerability accentuates the importance of scrutinising not just the cloud services themselves but also the foundational technologies they depend on. Ensuring the security of tools like Fluent Bit is vital for maintaining the integrity of cloud environments across industries.



Read more »
Threat Researchers
Cheat cryptocurrency Cyberattacks CyberCrime Cyberthreats GitHub Info-stealing JIT malware McAfee Passwords Threat Researchers

Information Stealer Malware Preys on Gamers via Deceptive Cheat Code Baits

 


There is a new info-stealing malware that appears as a cheat on a game called Cheat Lab, and it promises downloaders that if they convince their friends to download it too, they will receive a free copy. It is possible to harvest sensitive information from infected computers by using Redline malware, including passwords, cookies, autofill information, and cryptocurrency wallet information, which is one of the most powerful information-stealing malware programs. 

As a result of the malware's popularity among cybercriminals and its widespread distribution channels, it has become widespread. According to McAfee threat researchers, the new malware leverages Lua bytecode to evade detection. This makes it possible to inject malicious code into legitimate processes for stealth, while also benefiting from Just-In-Time compilations (JIT). 

Using a command and control server associated with the malware, the researchers link this variant to Redline, which has been linked to the malware for a long time. The tests BleepingComputer conducted revealed that the malware does not exhibit the typical behaviour associated with Redline, such as stealing browser information, saving passwords, and stealing cookies. 

Through a URL linked to Microsoft's 'vcpkg' GitHub repository, the malicious Redline payloads resemble demonstrations of cheating tools named "Cheat Lab" and "Cheater Pro". When the malware is executed, it unpacks two files, compiler.exe and lua51.dll, once the MSI installer is installed.  The malicious Lua bytecode is also dropped in a file called 'readme.txt'. 

The campaign uses an interesting lure to spread the malware even further by telling victims that if they convince their friends to install the cheating program, they will receive a free, fully licensed copy of the cheating program. As an added layer of legitimacy, the malware payload is distributed in the form of an uncompiled bytecode rather than an executable to avoid detection. 

To make sure that the malware is not detected, it comes in the form of an activation key included. Upon installation of the compiler.exe program, Lua bytecode is compiled and executed by it, and it also creates scheduled tasks that execute during system startup when the program is installed. The same executable also sets up persistence by creating scheduled tasks. 

McAfee reports that a fallback mechanism is used by the malware to persist the three files, copying them to a long random path under the program directory that the malware is active on the infected system, it will communicate with a C2 server and send screenshots and system information to the server, then wait for commands to be executed by the server on the host system. 

Even though it is unknown exactly how information thieves first infect computers, they are typically spread through malvertising, YouTube video descriptions, P2P downloads, and deceptive software download sites that can lead to infection. The Redline virus is a highly dangerous one, which is why users are urged not to use unsigned executables or download files from unreliable websites. 

As a result of this atta seemingly trustworthy programs, such as those found on Microsoft's GitHub, are at risk of infection by the Even though BleepingComputer contacted Microsoft about the executables that were distributed via its GitHub URLs, the company had not respond to the publication date.
Read more »
Threat Landscape
GitHub Malicious Payload malware Repository Scanning Threat Landscape

Hackers Use GitHub Search to Deliver Malware

 

Checkmarx, an application security firm, has discovered that threat actors are altering GitHub search results in order to infect developers with persistent malware.

As part of the campaign, attackers were seen developing fake repositories with popular names and themes, and then boosting their search ranks using automatic updates and fake ratings. 

To avoid detection, the threat actors concealed a harmful payload within Visual Studio project files, resulting in the execution of malware similar to Keyzetsu clipper that targets crypto wallets. The malware is installed continuously on Windows machines and is scheduled to be executed daily. 

The threat actors were observed leveraging GitHub Actions to automatically update the malicious repositories by making minor changes to a file titled 'log', which artificially enhances the repositories' visibility and the possibility of users accessing them. 

Furthermore, the attackers were detected adding fictitious stars to their repositories from various fake identities, tricking users into believing the repositories are popular and genuine. 

“Unsuspecting users, often drawn to the top search results and repositories with seemingly positive engagement, are more likely to click on these malicious repositories and use the code or tools they provide, unaware of the hidden dangers lurking within,” Checkmarx stated. 

The attackers inserted their malicious payload in a Visual Studio project file's pre-build event, causing it to be run automatically across the build process. The payload downloads additional content from certain URLs based on the victim's country, downloads encrypted files from the URLs, extracts and runs their content, and checks the system's IP address to see if it is in Russia. 

On April 3, the attackers began utilising a new URL that pointed to an archived executable file. To avoid detection by security solutions, they padded the executable with an abundance of zeros, preventing scanning.

"The results of our analysis of this malware suggest that the malware contains similarities to the 'Keyzetsu clipper' malware, a relatively new addition to the growing list of crypto wallet clippers commonly distributed through pirated software," Checkmarx said in a press release.

A scheduled task that points to an executable file shortcut is one way that malware tries to remain persistent. Several malicious repositories have received complaints from infected users, suggesting that Checkmarx's effort has been successful. 

In the aftermath of the XZ attack and many other recent incidents, it would be irresponsible for developers to rely solely on reputation as a metric when using open-source code. These incidents highlight the necessity for manual code reviews or the use of specialized tools that perform thorough code inspections for malware,” Checkmarx added.
Read more »
Security
AI-powered tool auto-fixes vulnerabilities Code Code Scanning Autofix CodeQL coding Cyber Security GHAS GitHub GitHub Advanced Security GitHub Copilot JavaScript Security

GitHub Unveils AI-Driven Tool to Automatically Rectify Code Vulnerabilities

GitHub has unveiled a novel AI-driven feature aimed at expediting the resolution of vulnerabilities during the coding process. This new tool, named Code Scanning Autofix, is currently available in public beta and is automatically activated for all private repositories belonging to GitHub Advanced Security (GHAS) customers.

Utilizing the capabilities of GitHub Copilot and CodeQL, the feature is adept at handling over 90% of alert types in popular languages such as JavaScript, Typescript, Java, and Python.

Once activated, Code Scanning Autofix presents potential solutions that GitHub asserts can resolve more than two-thirds of identified vulnerabilities with minimal manual intervention. According to GitHub's representatives Pierre Tempel and Eric Tooley, upon detecting a vulnerability in a supported language, the tool suggests fixes accompanied by a natural language explanation and a code preview, offering developers the flexibility to accept, modify, or discard the suggestions.

The suggested fixes are not confined to the current file but can encompass modifications across multiple files and project dependencies. This approach holds the promise of substantially reducing the workload of security teams, allowing them to focus on bolstering organizational security rather than grappling with a constant influx of new vulnerabilities introduced during the development phase.

However, it is imperative for developers to independently verify the efficacy of the suggested fixes, as GitHub's AI-powered feature may only partially address security concerns or inadvertently disrupt the intended functionality of the code.

Tempel and Tooley emphasized that Code Scanning Autofix aids in mitigating the accumulation of "application security debt" by simplifying the process of addressing vulnerabilities during development. They likened its impact to GitHub Copilot's ability to alleviate developers from mundane tasks, allowing development teams to reclaim valuable time previously spent on remedial actions.

In the future, GitHub plans to expand language support, with forthcoming updates slated to include compatibility with C# and Go.

For further insights into the GitHub Copilot-powered code scanning autofix tool, interested parties can refer to GitHub's documentation website.

Additionally, the company recently implemented default push protection for all public repositories to prevent inadvertent exposure of sensitive information like access tokens and API keys during code updates.

This move comes in response to a notable issue in 2023, during which GitHub users inadvertently disclosed 12.8 million authentication and sensitive secrets across more than 3 million public repositories. These exposed credentials have been exploited in several high-impact breaches in recent years, as reported by BleepingComputer.

Read more »
Python-based Malware
Cyber Attacks Cyber Security Threats data security GitHub Open Source Python-based Malware

GitHub Under Siege: Unraveling the Ongoing Automated Attack on Open-Source Repositories

 

GitHub, a cornerstone for programmers worldwide, faces a severe threat as an unknown attacker deploys an automated assault, cloning and creating malicious code repositories. The attack, involving sophisticated obfuscation and social engineering, poses a significant challenge to GitHub's security infrastructure. 

An assailant employs an automated process to fork and clone existing repositories, concealing malicious code under seven layers of obfuscation. These rogue repositories closely mimic legitimate ones, contributing to the challenge of detection. Developers unknowingly forking affected repos unintentionally amplify the attack. 

Once a developer utilizes a compromised repository, a hidden payload begins unpacking layers of obfuscation, revealing malicious Python code and a binary executable. The code then initiates the collection of confidential data and login details, which are subsequently uploaded to a control server. Security provider Apiiro's research and data teams report a substantial surge in the attack since its inception in May of the previous year. 

While GitHub diligently removes affected repositories, its automation detection system struggles to catch all instances. With millions of uploaded or forked repositories, even a 1% miss-rate translates to potentially thousands of compromised repos still operational. Initially modest in scale, the attack has grown in size and sophistication, presenting challenges for GitHub's security measures. 

Researchers attribute the operation's success to GitHub's vast user base and the increasing complexity of the attack technique. The attack's intrigue lies in the fusion of sophisticated automated methods and exploiting simple human nature. While obfuscation techniques become more intricate, the attackers heavily rely on social engineering to confuse developers, compelling them to select the malicious code. 

This unintentional spread exacerbates the attack's impact and heightens the difficulty of detection. As of now, GitHub has not issued a direct comment on the ongoing attack. However, the platform released a general statement reassuring users of its commitment to security. The platform employs manual reviews, at-scale detection utilizing machine learning, and continuously evolves to counter adversarial attacks. 

GitHub's popularity as a vital resource for developers globally has inadvertently made it a target. The platform's open-source nature and extensive user base create vulnerabilities that attackers exploit. Resolving the issue entirely proves to be an uphill battle, with GitHub still grappling with the effectiveness of the assailant's methods. 

GitHub, a linchpin for the global programming community, faces a formidable challenge as an automated attack exploits its open-source framework and vast user base. The ongoing assault, characterized by sophisticated obfuscation and social engineering, underscores the complexities of securing such a widely used platform. GitHub's response and adaptation will be crucial in mitigating the impact and fortifying defenses against evolving cyber threats.
Read more »
Supply chain vulnerability
Cyber Security GitHub RepoJacking Supply chain vulnerability

GitHub Vulnerability Exposes Millions to RepoJacking Threat

A recent study conducted by Massachusetts-based cloud-native security firm Aqua has shed light on a concerning vulnerability present in millions of software repositories hosted on GitHub. This vulnerability, dubbed RepoJacking, poses a significant threat to repositories belonging to esteemed organizations like Google, Lyft, and numerous others. 

RepoJacking involves the exploitation of vulnerabilities within GitHub repositories, potentially allowing malicious actors to gain unauthorized access and manipulate the code stored within. This vulnerability could have far-reaching consequences, including the compromise of sensitive data, the introduction of malicious code, and the disruption of software development processes. 

What is GitHub Repository and What Does it Mean When a Hacker Has Control Over It? 

Think of GitHub repositories as digital filing cabinets where developers store their code and project files. These cabinets use a system called Git to track changes made to the code over time and allow multiple developers to collaborate on the same project. However, if a hacker gains control of a GitHub repository, it can spell trouble. 

They could sneak in harmful code, swipe important data, disrupt the project's progress, or trick other developers into using their compromised code. This could lead to serious security breaches, data leaks, and project delays. So, it becomes crucial for developers to safeguard their repositories and carefully manage who has access to them. 

Emerging Dependency Repository Hijacking (aka RepoJacking)

Supply chain vulnerability, also referred to as dependency repository hijacking (RepoJacking), poses a significant threat to software security. In this form of attack, malicious actors exploit previously owned organizations or user names to distribute compromised versions of software repositories. These altered repositories may contain hidden malware, allowing attackers to perform harmful actions on systems where the tainted software is installed. 

The vulnerability arises from a flaw in the process when a repository owner decides to change their username. Although a connection is created between the old and new usernames to ensure continuity for users relying on dependencies from the old repository, this connection can be exploited by anyone who claims the old username. This loophole enables the injection of malicious code into the repository without detection. 

This type of supply-chain attack has been observed since at least 2016, when a college student uploaded custom scripts to popular package repositories like RubyGems, PyPi, and NPM, posing as legitimate packages. This technique, known as typosquatting, takes advantage of users' mistakes when selecting package names. 

Similarly, in 2021, a researcher employed a technique called dependency confusion or namespace confusion attack to breach the networks of major companies such as Apple, Microsoft, and Tesla. This involved placing malicious code packages with the same names as genuine dependencies used by the targeted companies, allowing the counterfeit code to be automatically downloaded and installed by the companies' package managers.
Read more »
User Security
Binance Cryptocurrency exchange Cyber Security GitHub User Security

Leaked Data from Binance Taken Down


One of the biggest cryptocurrency exchanges in the world's security has come under scrutiny following the recent disclosure of private information from Binance on GitHub. Several documents, including code, internal passwords, and architecture diagrams, were purportedly released by an account on GitHub going by the name "Termf" and were accessible to the public for several months. The content was removed after Binance requested a copyright takedown.

Binance has effectively removed its GitHub data breach

Various technical details, including code about Binance's security procedures, were included in the leaked material. Interestingly, this contained details on multi-factor authentication (MFA) and passwords. A large portion of the code that was made public concerned systems that were identified as "prod," denoting a link to Binance's operational website as opposed to test or development environments.

On January 5, 2024, 404 Media contacted Binance to inform the exchange about the compromised data, which is when the problem became apparent. Binance then retaliated by sending GitHub a copyright removal request. Binance admitted in this request that internal code from the disclosed material "poses a significant risk" to the exchange, resulting in "severe financial harm" as well as possible user misunderstanding or harm.

What next?

Even after admitting the leak, Binance sent out a representative to try and reassure its user base. According to the spokesman, Binance's security team examined the circumstances and came to the conclusion that the code that had been leaked was not similar to the code that was being produced at the time. The representative emphasized the protection of users' data and assets and stated that there was only a "negligible risk" from the compromised information.

The significance of strong security procedures in the Bitcoin sector is highlighted by this occurrence. Crypto exchanges are required to uphold strict security procedures because of their role in managing users' sensitive information and financial assets. The prolonged public disclosure of security-related code and internal passwords on a public forum calls into doubt the effectiveness of Binance's security protocols.

The necessity of heightened security protocols

Another level of worry is raised by the exposed data, especially the code about security protocols like multi-factor authentication and passwords. These kinds of security lapses can have serious repercussions, including the compromise of user funds and accounts. It draws attention to the continuous difficulties Bitcoin platforms have in maintaining the integrity and confidentiality of their internal systems.

Read more »
social media risks
data deception GitHub malware Malware attacks social media risks

Sneaky USB Hackers Pose Threat on Favorite Sites

 

In a recent revelation in the world of cybersecurity, a financially motivated hacker has been discovered utilizing USB devices as a means to infiltrate computer systems. This malicious group has chosen a cunning approach, hiding their harmful software in plain view on widely used platforms like GitHub, Vimeo, and Ars Technica. 

Their strategy involves embedding malicious codes within seemingly innocuous content, creating a challenging environment for detection and prevention. We strongly advise our readers to maintain a vigilant stance while navigating the online platforms. 

Reassuring our website visitors, we confirm that the peculiar text strings encountered on GitHub and Vimeo pose no harm upon clicking. However, there's a twist: these seemingly harmless strings serve as a key tool for hackers, discreetly facilitating the download and deployment of harmful software in their attacks. 

The cybersecurity watchdogs, Mandiant, are actively monitoring this group of hackers identified as UNC4990. Operating in the shadows since 2020, they have specifically targeted individuals in Italy. 

The cyber assault unfolds with an unsuspecting individual clicking on a deceptive file on a USB drive. The mystery lies in how these USB devices find their way into the hands of unsuspecting users. Once opened, the file initiates a digital script, explorer.ps1, downloading an intermediary code that reveals a web address. This address acts as the gateway for installing a malware downloader named 'EMPTYSPACE.' 

UNC4990 initially employed special files on GitHub and GitLab but later shifted their tactics to Vimeo and Ars Technica, embedding their secret codes in mundane areas on these sites to avoid suspicion. The harmful PowerShell script, decoded, decrypted, and executed from legitimate sites, leads to the activation of EMPTYSPACE. This payload establishes communication with the hackers' control server, subsequently downloading a sophisticated backdoor called 'QUIETBOARD.' 

Additionally, UNC4990 employs this backdoor for crypto mining activities targeting Monero, Ethereum, Dogecoin, and Bitcoin. The financial gains from this cyber scheme exceed $55,000, not including the hidden Monero. 

QUIETBOARD, UNC4990's advanced backdoor, exhibits a wide range of capabilities, including executing commands, cryptocurrency theft, USB drive propagation, screenshot capture, system information collection, and geographical location determination. Mandiant highlights UNC4990's penchant for experimentation to refine their attack strategies. 

Despite ongoing efforts to mitigate USB-based malware threats, they persist as a significant danger. The tactic of concealing within reputable sites challenges traditional security measures, underscoring the need for enhanced online safety practices. In the evolving digital landscape, staying informed and vigilant is paramount. Cyber threats may emerge from unexpected quarters, demanding a proactive approach to cybersecurity.
Read more »
Vulnerabilities and Exploits
Cybersecurity Data Breach Digital Privacy GitHub Mercedes-Benz Robust security Vulnerabilities and Exploits

Mercedes-Benz Accidentally Reveals Secret Code

 



Mercedes-Benz faces the spotlight as a critical breach comes to light. RedHunt Labs, a cybersecurity firm, discovered a serious vulnerability in Mercedes's digital security, allowing unauthorised entry to confidential internal data. Shubham Mittal, Chief Technology Officer at RedHunt Labs, found an employee's access token exposed on a public GitHub repository during a routine scan in January. This access token, initially meant for secure entry, inadvertently served as the gateway to Mercedes's GitHub Enterprise Server, posing a risk to sensitive source code repositories. The incident reiterates the importance of robust cybersecurity measures and highlights potential risks associated with digital access points.

Mittal found an employee's authentication token, an alternative to passwords, exposed in a public GitHub repository. This token provided unrestricted access to Mercedes's GitHub Enterprise Server, allowing the unauthorised download of private source code repositories. These repositories contained a wealth of intellectual property, including connection strings, cloud access keys, blueprints, design documents, single sign-on passwords, API keys, and other crucial internal details.

The exposed repositories were found to include Microsoft Azure and Amazon Web Services (AWS) keys, a Postgres database, and actual Mercedes source code. Although it remains unclear whether customer data was compromised, the severity of the breach cannot be underestimated.

Upon notification from RedHunt Labs, Mercedes responded by revoking the API token and removing the public repository. Katja Liesenfeld, a Mercedes spokesperson, acknowledged the error, stating, "The security of our organisation, products, and services is one of our top priorities." Liesenfeld assured that the company would thoroughly analyse the incident and take appropriate remedial measures.

The incident, which occurred in late September 2023, raises concerns about the potential exposure of the key to third parties. Mercedes has not confirmed if others discovered the exposed key or if the company possesses the technical means to track any unauthorised access to its data repositories.

This incident comes on the heels of a similar security concern with Hyundai's India subsidiary, where a bug exposed customers' personal information. The information included names, mailing addresses, email addresses, and phone numbers of Hyundai Motor India customers who had their vehicles serviced at Hyundai-owned stations across India.

These security lapses highlight the importance of robust cybersecurity measures in an era where digital threats are increasingly sophisticated. Companies must prioritise the safeguarding of sensitive data to protect both their intellectual property and customer information.

As the situation unfolds, Mercedes will undoubtedly face scrutiny over its security protocols, emphasising the need for transparency and diligence in handling such sensitive matters. Consumers are reminded to remain vigilant about the cybersecurity practices of the companies they entrust with their data.


Read more »
Online Safety
Content Abuse Cyber Crime GitHub malware Online Safety

GitHub Faces Rise in Malicious Use

 


GitHub, a widely used platform in the tech world, is facing a rising threat from cybercriminals. They're exploiting GitHub's popularity to host and spread harmful content, making it a hub for malicious activities like data theft and controlling compromised systems. This poses a challenge for cybersecurity, as the bad actors use GitHub's legitimacy to slip past traditional defences. 

 Known as ‘living-off-trusted-sites,’ this technique lets cybercriminals blend in with normal online traffic, making it harder to detect. Essentially, they're camouflaging their malicious activities within the usual flow of internet data. GitHub's involvement in delivering harmful code adds an extra layer of complexity. For instance, there have been cases of rogue Python packages (basically, software components) using secret GitHub channels for malicious commands on hacked systems. 

This situation highlights the need for increased awareness and updated cybersecurity strategies to tackle these growing threats. It's a reminder that even widely used platforms can become targets for cybercrime, and staying informed is crucial to staying secure. 

While it's not very common for bad actors to fully control and command systems through GitHub, they often use it as a way to share secret information. This is called a "dead drop resolver." It's like leaving a message in a hidden spot for someone else to pick up. Malware like Drokbk and ShellBox frequently use this technique. 

Another thing they sometimes do is use GitHub to sneakily take information out of a system. This doesn't happen a lot, and experts think it's because there are limits on how much data they can take and they want to avoid getting caught. 

Apart from these tricks, bad actors find other ways to misuse GitHub. For example, they might use a feature called GitHub Pages to trick people into giving away sensitive information. Sometimes, they even use GitHub as a backup communication channel for their secret operations. 

Understanding these tactics is important because it shows how people with bad intentions can use everyday platforms like GitHub for sneaky activities. By knowing about these things, we can be more careful and put in measures to protect ourselves from online threats. 

This trend of misusing popular online services extends beyond GitHub to other familiar platforms like Google Drive, Microsoft OneDrive, Dropbox, Notion, Firebase, Trello, and Discord. It's not just limited to GitHub; even source code and version control platforms like GitLab, BitBucket, and Codeberg face exploitation. 

GitHub acknowledges that there's no one-size-fits-all solution to detect abuse on their platform. They suggest using a combination of strategies influenced by specific factors like available logs, how organisations are structured, patterns of service usage, and the willingness to take risks. To know that this problem isn't unique to GitHub is crucial. Threat actors are using various everyday services to carry out their activities, making it important for users and organisations to be aware and adopt a mix of strategies to detect and prevent abuse. This includes being mindful of how different platforms may be misused and tailoring detection methods accordingly.


Read more »
Security Breach
Cryptopolitan Cyber Attacks DeFi DeFi Platforms GitHub hack Security Breach

Hackers Steal Assets Worth $484,000 in Ledger Security Breach


Threat actors responsible for attacking Ledger’s connector library have stolen assets valued at approximately $484,000. This information was given by the blockchain analysis platform Lookonchain. Ledger has said that the security breach might have a large effect, possibly totalling hundreds of thousands of dollars, even if they are yet to confirm the actual valuation. 

Direct Impact of the Hack

According to a report by Cryptopolitan, the breach happened when malicious code was added to Ledger's Github repository for Connect Kit, an essential component that is required by several DeFi protocols in order to communicate with hardware wallets for cryptocurrencies. Every application that used the Connect Kit had issues with its front end due to the malicious code. Notable protocols affected by this security flaw were Sushi, Lido, Metamask, and Coinbase.

In regards to the incident, Ledger informed that one of its employees had fallen victim to a phishing attack, resulting in the unauthorized leak of a compromised version of the Ledger Connect Kit. The leaked code revealed the name and email address of the former employees. It is important to note that the developer was first believed to be behind the exploit by the cryptocurrency community. Ledger subsequently stated, nevertheless, that the incident was the consequence of a former employee falling for a phishing scheme.

Ledger, after acknowledging the incident, identified and removed the exploited version of the software. However, despite the swift response, the damage was already done, since the software was left vulnerable for at least two hours, in the course of which the threat actors had already drained the funds. 

The company acted promptly, identifying and removing the harmful version of the software. However, despite Ledger’s quick response, the damage had already been done in approximately two hours, during which the hackers drained funds.

Broader Implications for the DeFi Community

This incident has raised major concerns regarding the security infrastructure of decentralized applications. DeFi protocols frequently rely on code from multiple software providers, including Ledger, which leaves them vulnerable to multiple potential points of failure.

This incident has further highlighted the significance of boosting security protocols across the DeFi ecosystem.

The victims who were directly affected by the attack included users of services such as revoke.cash. Also, the service normally used in withdrawing permissions from DeFi protocols following security breaches was compromised. Users who were trying to protect their assets were unintentionally sent to a fraudulent token drainer, which increased the extent of the theft.  

Read more »
Vulnerabilities and Exploits
Android App Safety Apple Bluetooth GitHub Linux Linux Servers macOS Vulnerabilities and Exploits

Bluetooth Security Flaw Strikes Apple, Linux, and Android Devices

Vulnerabilities in the constantly changing technology landscape present serious risks to the safety of our online lives. A significant Bluetooth security weakness that affects Apple, Linux, and Android devices has recently come to light in the cybersecurity community, potentially putting millions of users at risk of hacking.

The flaw, identified as CVE-2023-45866, was first brought to light by security researchers who detected a potential loophole in the Bluetooth communication protocol. The severity of the issue lies in its capability to allow hackers to take control of the targeted devices, potentially leading to unauthorized access, data theft, and even remote manipulation.

Security experts from SkySafe, a renowned cybersecurity firm, delved into the intricacies of the vulnerability and disclosed their findings on GitHub. If successfully employed, the exploit could lead to a myriad of security breaches, prompting urgent attention from device manufacturers and software developers alike.

Apple, a prominent player in the tech industry, was not exempt from the repercussions of this Bluetooth bug. The flaw could potentially enable hackers to hijack Apple devices, raising concerns among millions of iPhone, iPad, and MacBook users. Apple, known for its commitment to user security, has been swift in acknowledging the issue and is actively working on a patch to mitigate the vulnerability.

Linux, an open-source operating system widely used across various platforms, also faced the brunt of this security loophole. With a significant user base relying on Linux for its robustness and versatility, the impact of the Bluetooth flaw extends to diverse systems, emphasizing the urgency of a comprehensive solution.

Android, the dominant mobile operating system, issued a security bulletin addressing the Bluetooth vulnerability. The Android Security Bulletin for December 2023 outlined the potential risks and provided guidance on necessary patches and updates. As the flaw could compromise the security of Android devices, users are strongly advised to implement the recommended measures promptly.

Cybersecurity experts stated, "The discovery of this Bluetooth vulnerability is a stark reminder of the constant vigilance required in the digital age. It underscores the importance of prompt action by manufacturers and users to ensure the security and integrity of personal and sensitive information."

This Bluetooth security issue serves as a grim reminder of the ongoing fight against new cyber threats as the tech world struggles with its implications. In order to strengthen its commitment to a secure digital future, the IT industry is working together with developers, manufacturers, and consumers to quickly identify and fix vulnerabilities.

Read more »
Spams
Cyber Security GitHub Google RETVec Spams

Google Introduces RETVec: Gmail’s New Defense to Identify Spams


Google has recently introduced a new multilingual text vectorizer called RETVec (an acronym for Resilient and Efficient Text Vectorizer), to aid identification of potentially malicious content like spam and fraudulent emails in Gmail. 

While massive platforms like YouTube and Gmail use text classification models to identify frauds, offensive remarks, and phishing attempts, threat actors are known to create counter-strategies to get around these security mechanisms. 

The project description on GitHub reads, "RETVec is trained to be resilient against character-level manipulations including insertion, deletion, typos, homoglyphs, LEET substitution, and more."

"The RETVec model is trained on top of a novel character encoder which can encode all UTF-8 characters and words efficiently."

The Google-sponsored platforms reveal that they have been using Adversarial text manipulations, such as the usage of homoglyphs, keyword stuffing, and invisible characters. 

With its out-of-the-box support for over 100 languages, RETVec seeks to contribute to developing more robust and computationally affordable server-side and on-device text classifiers that are more durable and effective. 

In natural language processing (NLP), vectorization is a technique that maps words or phrases from a lexicon to a matching numerical representation for use in sentiment analysis, text classification, and named entity recognition, among other analyses. 

Google’s anti-abuse researchers Elie Bursztein and Marina Zhang note in the Google Security blog that, “due to its novel architecture, RETVec works out-of-the-box on every language and all UTF-8 characters without the need for text preprocessing, making it the ideal candidate for on-device, web, and large-scale text classification deployments." 

Google further notes that incorporating vectorizer into Gmail has really helped in detecting spam, with the detection rate escalating over the baseline by 38%. Also, the false positive rate has declined by 19.4%. 

Moreover, vectorization has also reduced the model's Tensor Processing Unit (TPU) usage by 83%. 

"Models trained with RETVec exhibit faster inference speed due to its compact representation. Having smaller models reduces computational costs and decreases latency, which is critical for large-scale applications and on-device models," Bursztein and Zhang added. 

Spams are the most popular attack vector in the virtual space, used by almost every cybercriminal. The popularity comes with its convenience of being omnipresent, cheap, and efficient, enabling cybercriminals to transfer malware and access sensitive data from targeted systems.  

Read more »
NPM
Cyber Attacks Cyber Hackers Cyberattack Threat CyberCrime Cybersecurity GDPR GitHub North Korea NPM

New Cyber Threat: North Korean Hackers Exploit npm for Malicious Intent

 


There has been an updated threat warning from GitHub regarding a new North Korean attack campaign that uses malicious dependencies on npm packages to compromise victims. An earlier blog post published by the development platform earlier this week claimed that the attacks were against employees of blockchain, cryptocurrency, online gambling, and cybersecurity companies.   

Alexis Wales, VP of GitHub security operations, said that attacks often begin when attackers pretend to be developers or recruiters, impersonating them with fake GitHub, LinkedIn, Slack, or Telegram profiles. There are cases in which legitimate accounts have been hijacked by attackers. 

Another highly targeted attack campaign has been launched against the NPM package registry, aimed at enticing developers into downloading immoral modules by enticing them to install malicious third-party software. There was a significant attack wave uncovered in June, and it has since been linked to North Korean threat actors by the supply chain security firm Phylum, according to Hacker News. This attack wave appears to exhibit similar behaviours as another that was discovered in June. 

During the period from August 9 to August 12, 2023, it was identified that nine packages were uploaded to NPM. Among the libraries that are included in this file are ws-paso-jssdk, pingan-vue-floating, srm-front-util, cloud-room-video, progress-player, ynf-core-loader, ynf-core-renderer, ynf-dx-scripts, and ynf-dx-webpack-plugins. A conversation is initiated with the target and attempts are made to move the conversation to another platform after contacting them. 

As the attacker begins to execute the attack chain, it is necessary to have a post-install hook in the package.json file to execute the index.js file which executes after the package has been installed. In this instance, a daemon process is called Android. The daemon is launched as a dependency on the legitimate pm2 module and, in turn, a JavaScript file named app.js is executed. 

A JavaScript script is crafted in a way that initiates encrypted two-way communications with a remote server 45 seconds after the package is installed by masquerading as RustDesk remote desktop software – "ql. rustdesk[.]net," a spoofed domain posing as the authentic RustDesk remote desktop software. This information entails the compromised host's details and information. 

The malware pings every 45 seconds to check for further instructions, which are decoded and executed in turn, after which the malware checks for new instructions every 45 seconds. As the Phylum Research Team explained, "It would seem to be that the attackers are monitoring the GUIDs of the machines in question and selectively sending additional payloads (which are encoded Javascript code) to the machines of interest in the direction of the GUID monitors," they added. 

In the past few months there have been several typosquat versions of popular Ethereum packages in the npm repository that attempts to make HTTP requests to Chinese servers to retrieve the encryption key from the wallet on the wallet.cba123[.]cn, which had been discovered. 

Additionally, the highly popular NuGet package, Moq, has come under fire since new versions of the package released last week included a dependency named SponsorLink, that extracted the SHA-256 hash of developers' email addresses from local Git configurations and sent them to a cloud service without their knowledge. In addition, Moq has been receiving criticism after new versions released last week came with the SponsorLink dependency. 

Version 4.20.2 of the app has been rolled back as a result of the controversial changes that raise GDPR compliance issues. Despite this, Bleeping Computer reported that Amazon Web Services (AWS) had withdrawn its support for the project, which may have done serious damage to the project's reputation. 

There are also reports that organizations are increasingly vulnerable to dependency confusion attacks, which could've led to developers unwittingly introducing malicious or vulnerable code into their projects, thus resulting in large-scale attacks on supply chains on a large scale. 

There are several mitigations that you can use to prevent dependency confusion attacks. For example, we recommend publishing internal packages under scopes assigned to organizations and setting aside internal package names as placeholders in the public registry to prevent misuse of those names.

Throughout the history of cybersecurity, the recent North Korean attack campaign exploiting npm packages has served as an unmistakable reminder that the threat landscape is transforming and that more sophisticated tactics are being implemented to defeat it. For sensitive data to be safeguarded and further breaches to be prevented, it is imperative that proactive measures are taken and vigilant measures are engaged. To reduce the risks posed by these intricate cyber tactics, organizations need to prioritize the verification of identity, the validation of packages, and the management of internal packages.
Read more »
Technology
Cyber Victim Cyberattacks Cybersecurity GitHub lazarus Malicious Threat NPM Package Technology

GitHub Issues Alert on Lazarus Group's Social Engineering Attack on Developers

 


According to a security alert issued by GitHub, this social engineering campaign is designed to compromise developers' accounts in the blockchain, cryptocurrency, online gambling, and cybersecurity industries. This is done through social engineering techniques. 

The campaign was reportedly linked to the Lazarus hacking group sponsored by the North Korean state. It was also linked to the groups Jade Sleet and TraderTraitor (both tools of Microsoft Threat Intelligence). There was a report released by the United States government in 2022 which detailed threat actors' tactics. 

Hacking group targets cryptocurrency companies and cybersecurity researchers to eavesdrop on them and steal their coins. The Lazarus Group is a cybercrime organization that targets cryptocurrency companies and cyber researchers using various names, such as Jade Sleet and TraderTraitor. Cyberespionage and cryptocurrency theft are two of the group's activities. According to GitHub, no GitHub accounts were compromised in this campaign, nor were any npm systems accounts.  

Lazarus Group reportedly uses legitimate GitHub or social media accounts that have been compromised or fake personas to pose as developers or recruiters on the platforms where they operate. This includes GitHub or social media. There is a wide range of personas designed to engage individuals in targeted industries. Ultimately, these personas will lead individuals to another platform, such as WhatsApp, through conversation. 

It is normally threat actors who initiate collaboration on a project. They invite targets to clone a GitHub repository related to media players and cryptocurrency trading tools after establishing trust between them. There are, however, malicious NPM dependencies on these projects that can download additional malware onto the devices of their targets. 

In June 2022, Phylum published a report on NPM packages that have been based on malicious code, with details about how they behave despite GitHub not providing details about the malware's specific behavior. Phylum reports that these packages function as malware downloaders that connect to remote websites via a browser. The download of additional payloads onto the infected machine. Several limitations in the payload reception process meant that researchers were unable to analyze the final malware delivered. 

As a consequence of this campaign, all NPM accounts and GitHub accounts associated with it have been suspended by GitHub. Additionally, they have published a list of indicators that can be used to identify whether a campaign is successful, including domains, GitHub accounts, and NPM packages. GitHub says the campaign was not intended to damage their systems. 

Lazarus has run previous social engineering campaigns similar to this one in the past. A few of these attacks included the targeting of security researchers in January 2021, a fake company website that was created in March 2021, and a fake email campaign in July 2021. As a result of these attacks, threat actors were effective at creating elaborate personas and distributing malware disguised as exploits for vulnerabilities. 

Lazarus is a group that targets cryptocurrency companies and developers to fund initiatives for the North Korean government. Several million dollars worth of cryptocurrency was stolen from them due to their involvement in the crime. It is worth noting that the theft of over 617 million dollars worth of Ethereum and USDC tokens was reported in an attack recently on Axie Infinity. 

Aside from fund theft and phishing scams, Lazarus has allegedly employed other tactics as well, including sending malicious PDF files disguised as job offers to targets that could compromise their bank accounts. In this case, the group has successfully delivered malware using false employment opportunities as a method of delivering their malware. 

Those in the target industries and developers should remain vigilant against the various types of social engineering attacks that are out there. Generally, individuals can protect themselves and their devices from malicious software and potentially compromised devices if they are aware of the tactics used by threat actors and adopt good cybersecurity practices, such as verifying the authenticity of requests and avoiding links and downloads that appear suspicious or unknown. 

Attack Process by the Lazarus Group


To begin with, the threat actor claims to be a developer or recruiter. He poses as them on GitHub and other social media websites related to the developer or recruiter niche. For contacting victims, they use their accounts as well as compromised accounts by Jade Sleet exploited by the group. 

There may be instances when the actor initiates contact on one platform and switches to another platform after a few minutes. When a threat actor connects with a victim he or she invites the victim to collaborate on a GitHub repository and uses the target as a means of cloning and executing the contents of the repository. The attacker may send the malicious software directly through a messaging service or file-sharing service, without inviting people to the repository and cloning it, in some cases. 

A malicious npm dependency has been included in the GitHub repository for the software. In addition to media players, the threat actor uses tools for selling cryptocurrencies in some of the software he builds. In addition to the malicious npm packages, these malicious npm packages also download secondary malware onto the victim's machine. A malicious package will normally not be published until a fake repository invitation is sent to you by an unknown threat actor.  

IOC details have been shared on the GitHub blog along with the suspension of npm and GitHub accounts associated with the campaign. As a practice, the most effective method of avoiding this campaign is to be cautious of social media solicitations for collaboration on or the installation of software that relies on NPM packages or dependencies. 

Lazarus Attacks in The Past 


Cryptocurrency companies and developers have been the target of North Korean hackers for a long time to steal assets needed to fund their country's initiatives. To steal cryptocurrency wallets and funds, Lazarus spreads Trojanized cryptocurrency wallets and exchange apps to target cryptocurrency users. 

It has been revealed that the U.S. Secret Service and the FBI have linked the Lazarus group to the theft of USDC and Ethereum tokens worth over $617 million from the blockchain-based game Axie Infinity by members of the Lazarus group. A malicious laced PDF file was later revealed to have been sent to one of the blockchain engineers by the threat actors, claiming to be a lucrative job offer disguised as a malicious PDF file. In this case, the attack was a result of this. 

Additionally, in 2020, a campaign called "Operation Dream Job" was used to deliver malware to employees at prominent aerospace and defense companies in the US through fake employment opportunities used to spread malware to them.
Read more »
Subscribe to: Posts (Atom)