Search This Blog

Showing posts with label GitHub. Show all posts

GitHub Introduces Private Flaw Reporting to Secure Software Supply Chain

 

GitHub, a Microsoft-owned code hosting platform, has announced the launch of a direct channel for security researchers to report vulnerabilities in public repositories that allow it. The new private vulnerability reporting capability allows repository administrators to enable security researchers to report any vulnerabilities found in their code to them. 

Some repositories may include instructions on how to contact the maintainers for vulnerability reporting, but for those that do not, researchers frequently report issues publicly. Whether the researcher reports the vulnerability through social media or by creating a public issue, this method may make vulnerability details insufficiently public. 

To avoid such situations, GitHub has implemented private reporting, which allows researchers to contact repository maintainers who are willing to enroll directly. If the functionality is enabled, the reporting security researchers are given a simple form to fill out with information about the identified problem.

According to GitHub, "anyone with admin access to a public repository can enable and disable private vulnerability reporting for the repository." When a vulnerability is reported, the repository maintainer is notified and can either accept or reject the report or ask additional questions about the issue.

According to GitHub, the benefits of the new capability include the ability to discuss vulnerability details privately, receiving reports directly on the same platform where the issue is discussed and addressed, initiating the advisory report, and a lower risk of being contacted publicly.

Private vulnerability reporting can be enabled from the repository's main page's 'Settings' section, in the 'Security' section of the sidebar, under 'Code security and analysis.' Once the functionality is enabled, security researchers can submit reports by clicking on a new 'Report a vulnerability' button on the repository's 'Advisories' page.

The private vulnerability reporting was announced at the GitHub Universe 2022 global developer event, along with the general availability of CodeQL support for Ruby, a new security risk and coverage view for GitHub Enterprise users, and funding for open-source developers.

The platform will provide a $20,000 incentive to 20 developers who maintain open-source repositories through the new GitHub Accelerator initiative. While, the new $10 million M12 GitHub Fund will support future open-source companies.

Drizly Sued by FTC Over Data Breach Which Affected 2.5 Million Customers

According to claims that Drizly's security lapses resulted in a data breach that exposed the personal information of roughly 2.5 million customers, the Federal Trade Commission is taking legal action against the company and its CEO James Cory Rellas.

The FTC claims that the Uber-owned booze delivery business and its CEO, James Cory Rellas, were made aware of security concerns as early as 2018. The digital alcohol retailer Drizly and its CEO James Cory Rellas are being investigated by the Federal Trade Commission over claims that the company's security flaws caused a data breach that exposed the private data of around 2.5 million customers.

Drizly, an Uber subsidiary, runs an online marketplace where local shops can sell alcohol to customers who are of legal drinking age. The complaint alleges that Drizly gathered and stored users' email addresses, passwords, geolocation data, and postal addresses on Amazon Web Services (AWS) cloud computing service while negotiating deals.

According to the FTC, Drizly's lax security procedures, such as not forcing employees to utilize two-factor authentication for GitHub, where it stored login information, allowed those occurrences to occur. The FTC further notes that Drizly has no senior executive in charge of its security practice and did not restrict employees' access to consumers' personal information.

According to Samuel Levine, Director of the FTC's Bureau of Consumer Protection, "our proposed order against Drizly not only limits what the firm can retain and collect going ahead but also ensures the CEO suffers penalties for the company's negligence."

In its lawsuits and rulings, the FTC has been naming firm officials more frequently. As CEO of Drizly, Rellas was accused by the FTC of failing to appoint a senior executive to manage the security procedures. Companies may wish to make sure they hire a senior official in charge of security to help reduce the potential of individual liability for CEOs.

These draft orders will be published by the FTC soon, and the public will have 30 days to comment on them until the commission chooses whether to make them public.



GitHub: Repositories Selling Fake Microsoft Exchange Exploits

 

Researchers have detected threat actors, impersonating security researchers and selling proof-of-concept ProxyNotShell exploits for the recently discovered Microsoft Exchange zero-day vulnerabilities. 

GTSC, a Vietnamese cybercrime firm confirmed last week their customers were being attacked using two new zero-day vulnerabilities in Microsoft Exchange. 

On being notified about the vulnerability, Microsoft confirmed that the bugs were being Exploited in attacks and that it is working on an accelerated timeline in order to release security updates.  

“Microsoft observed these attacks in fewer than 10 organizations globally. MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organization," Microsoft states in an analysis.  

Microsoft and GTSC disclosed that the threat actors instigated the campaign to abuse Exchange flaws by creating GitHub repositories for exploits. 

Microsoft has since been tracking the flaws as CVE-2022-41040 and CVE-2022-41082, describing the first as a Server-Side Request Forgery (SSRF) bug. While the second allows scammers to conduct remote code execution (RCE) attacks via PowerShell. 

In one such instance, a threat actor impersonated a renowned security researcher Kevin Beaumont (aka GossTheDog) who is known for documenting the recently discovered Exchange flaws and available mitigation.  

The fraudulent repositories did not include anything necessary, but the README.md confirms what is currently known about the detected vulnerability, followed by a pitch on how they are selling one copy of the PoC exploit for the zero days. 

The README file consists of a link to a SatoshiDisk page, where the threat actor attempts to sell the fake exploit for 0.01825265 Bitcoin, worth $364. 

Since the security researchers are keeping the technical details of the exploit private, it seems only a small number of threat actors are behind the exploit. 

In light of this, more such researchers and threat actors are waiting for the initial publication of the vulnerabilities to the public before using them in their own operations, such as protecting a network of hacking into one. 

Evidently, one can deduce that there are more such threat actors looking forward to taking advantage of this situation. Since Microsoft Exchange Server zero-day vulnerability exploits could be traded for hundreds of thousands of dollars, one must be cautious of handing over any ready money or crypto to anyone suspicious, claiming to have an exploit. 

Lorenz Ransomware: Network Breach via VoIP

A ransomware group has been spotted adopting a unique initial-access technique to infiltrate commercial phone systems using voice-over-IP (VoIP) devices before switching to corporate networks to carry out double-extortion operations.

The anonymous organization was affected by the Lorenz ransomware strain, according to a team at Arctic Wolf. 

Lorenz Ransomware 

The Lorenz encryptor is similar to the ones employed by a prior ransomware operation known as ThunderCrypt, according to Michael Gillespie of ID Ransomware.

This gang is also known for providing access to its targets' private systems to other hackers along with the material that has been stolen prior to encryption in order to lure its victims into paying a ransom.

After leaking the stolen material as password-protected RAR archives if ransoms are not paid, Lorenz also divulges the password to open the leaked archives, giving the general public access to the files.

VoIP Threats

According to Arctic Wolf researchers, Lorenz used the bug to gain a reverse shell, and the group then used Chisel, a Golang-based rapid TCP/UDP tunnel that is transmitted through HTTP, as a tunneling tool to infiltrate the corporate environment. According to the GitHub page, "the tool is mostly useful for going through firewalls."

The attacks demonstrate a shift by threat actors toward using 'lesser recognized or monitored assets' to gain access to networks and engage in additional criminal behavior, the researchers further told. 

CrowdStrike published a blog post about the Mitel vulnerability and a possible ransomware attack attempt using the same CVE back in June. Since then, Mitel has patched this crucial zero-day flaw and recommended all users do the same. After providing a remediation script for vulnerable MiVoice Connect versions in April, Mitel resolved the problem by delivering security updates in the first half of June 2022.

The hackers then shifted into the network using the free source TCP tunneling application Chisel. Following initial access, the group waited for over a month before moving laterally, using FileZilla to exfiltrate data, and encrypting ESXi systems with BitLocker and Lorenz ransomware.

Considering that Mitel Voice-over-IP (VoIP) brands are used by businesses in crucial industries around the world including government agencies and that over 19,000 devices are currently vulnerable to attacks over the Internet, according to security expert Kevin Beaumont, this is a significant addition to the gang's toolkit.

Threat actors have used record-breaking DDoS amplification assaults to exploit further security holes affecting Mitel devices. Since at least December 2020, the Lorenz ransomware group has been focusing on enterprises all across the world, extorting hundreds of thousands of dollars from each victim.








U.S. Bans Crypto Mixing Service Tornado Cash

A 29-year-old man was detained in Amsterdam on Friday, per the Dutch tax authorities investigative department, who suspects him of working as a developer for Tornado Cash, a cryptocurrency mixing business that the US had earlier in the week sanctioned. 

The Dutch agency's action further demonstrates the increasing interest that governments are showing in so-called crypto mixers. Another cryptocurrency mixing service, Blender, received approval from the Office of Foreign Asset Control earlier this year. 

Sanctions against the service were imposed by the US Treasury Department on Monday. According to reports, North Korean state hackers used Tornado Cash to hide billions of dollars.

The Block identified the Tornado Cash engineer as Alexey Pertsev despite FIOD concealing his name. Tornado Cash, as per FIOD, "has been utilized to mask large-scale criminal money flows, particularly from data thefts of cryptocurrencies so-called crypto hacks and scams," the organization claimed.

The platform works by pooling and scrambling different digital assets from thousands of addresses, including money that might have been obtained illegally as well as money that might have been obtained legally, to hide the trail back to the asset's original source, giving criminals a chance to hide the source of the stolen money.  

After the U.S. sanction, a variety of companies have banned or deleted accounts connected to Tornado Cash, including GitHub, Circle, Alchemy, and Infura.

On the news, the Tornado Cash token TORN fell from $16.5 to $13.7, furthering this month's fall. According to CoinMarketCap, the token's decline during the past seven days has exceeded 50%.

The latest findings point to the greater attention of bitcoin mixing services for what is believed to be a means of paying out illicitly obtained cryptocurrency. 

This includes the indebted North Korean government, which is known to rely on cyberattacks on the cryptocurrency industry to steal virtual money and circumvent trade and economic sanctions placed on the country. 




               

Nearly 100,000 NPM Users' Credentials Stolen in GitHub OAuth Breach

 

According to GitHub, the attackers were able to obtain the credentials of over 100K NPM users during the April incident. GitHub discovered threat actors in April who were utilising stolen OAuth user credentials to get access to their repositories and take confidential data from other companies.

The attackers utilised stolen OAuth user tokens granted to Heroku and Travis-CI, two third-party OAuth integrators, to extract data from dozens of firms, including npm. The attacker did not gain these tokens through a compromise of GitHub or its systems, according to GitHub. The stolen tokens used to access the repositories are not kept by GitHub in their original, useable formats. 

On April 12, the business initiated an inquiry into a series of unlawful accesses to data kept in hundreds of organisations' repositories. On April 12, the experts discovered the incident when the company's security team discovered unauthorised access to their npm production infrastructure via a hacked AWS API key. Using the stolen OAuth token from one of the two compromised OAuth applications, the threat actors reportedly got the AWS API key by downloading a series of unnamed private NPM repositories. The access tokens connected with the impacted applications were revoked by GitHub. 

 According to an update released by the Microsoft-owned firm, the attackers were able to elevate access to npm infrastructure and view the following files exfiltrated from npm cloud storage: 
  • A backup of skimdb.npmjs.com containing data from April 7, 2021, with the following information:An archive of user information from 2015. This contained npm usernames, password hashes, and email addresses for roughly 100k npm users.
  • All private npm package manifests and package metadata as of April 7, 2021. 
  • A series of CSVs containing an archive of all names and version numbers (semVer) of published versions of all npm private packages as of April 10, 2022. 
  • Private packages from two organizations. 
According to the log analysis and package hash verification, the attackers did not edit any packages in the repository or post any new versions of existing packages. 

A separate investigation uncovered a number of plaintext user credentials for the npm registry that were acquired in internal logs as a result of the integration of npm with GitHub logging systems. The organisation is changing impacted users' passwords and contacting them through email.

“Passwords belonging to the impacted users of the accessed database backup have been reset and these users are being notified. The two organizations that had private packages stolen were notified immediately after analysis confirmed the activity. Over the next few days, we will directly notify those with exposed private package manifests, metadata, and private package names and versions.” concludes the announcement.

 

GitHub Brings Auto-Blocking Feature Including API Keys and Tokens

GitHub announced this Monday that it widened its code hosting platform's secret scanning features for GitHub Advanced Security customers to automatically restrict secret leaks. Secret scanning is a premium security feature provided to companies that use GitHub's Advanced Security license. Organizations can use this feature for extra repository scanning. The feature works via matching patterns mentioned by the organization or provided by a service partner or provider. 

Every match is defined as a security alert in the repos' Security tab or to providers if it connects with a provider pattern. The latest feature is called as push protection, it is made to protect against accidental exposure of creds before implementing code to remote repositories. The new feature attaches secret scanning within the developers' workflow and works using 69 token types (API keys, management certificates, access tokens, private creds, secret keys, noticed with a less "false positive" identification rate. 

"With push protection, GitHub will check for high-confidence secrets as developers push code and block the push if a secret is identified. High-confidence secrets have a low positive rate, so security teams can protect their organizations without compromising developer experience," GitHub reports. If the GitHub Enterprise Cloud is able to find a secret before implementing the code, the git push is restricted to let the developers recheck and delete the secrets from the code they tried to shift towards remote repos. 

"GitHub Advanced Security helps secure organizations around the world through its secret scanning, code scanning, and supply chain security capabilities, including Dependabot alerts and Dependabot security updates that are forever free," says the GitHub blog. 

How to enable Push Protection for your company? 

1. Go to GitHub, and find the page of the company. 
2. Under the organization name, open settings. 
3. In the sidebar section, find "Security," open Code security and analysis. 
4. After that, find "GitHub Advanced Security." 
5. Find "Secret Scanning" in push notifications, click enable all. 
6. Finally, click "Automatically enable for private repositories added to secret scanning."

To Mimic Microsoft, Phishing Employs Azure Static Web Pages

 

Microsoft Azure's Static Web Apps service is being exploited by phishing attacks to acquire Microsoft, Office 365, Outlook, and OneDrive passwords. Azure Static Web Apps is a Microsoft tool that allows to build and deploy full-stack web apps to Azure using code via GitHub or Azure DevOps.

MalwareHunterTeam, a security expert, uncovered the campaign. Attackers might imitate custom branding and website hosting services to install static landing phishing sites, according to the study. Users using Microsoft, Office 365, Outlook, and OneDrive services are being targeted by attackers who are actively mimicking Microsoft services. 

Several of the web pages and login pages in these phishing attempts are nearly identical to official Microsoft pages. Azure Static Web Apps is a program that uses a code repository to build and publish full-stack apps to Azure. 

Azure Static Apps has a process that is customized to a developer's everyday routine. Code changes are used to build and distribute apps. Azure works exclusively with GitHub or Azure DevOps to watch a branch of their choice when users establish an Azure Static Web Apps resource. A build is automatically done, and your app and API are published to Azure every time they post patches or allow codes into the watched branch. 

Targeting Microsoft users with the Azure Static Web App service is a great strategy. Because of the *.1.azurestaticapps.net wildcard TLS certificate, each landing page gets its own secure page padlock in the address bar. After seeing the certificate granted by Microsoft Azure TLS Issuing CA 05 to *.1.azurestaticapps.net, even the most skeptical targets will be fooled, certifying a fraud site as an official Microsoft login screen in the eyes of potential victims.

Due to the artificial veil of security supplied by the legitimate Microsoft TLS certs, such landing sites are also useful when targeting users of other platforms, such as Rackspace, AOL, Yahoo, or other email providers. 

When trying to figure out if one is being targeted by a phishing assault, the typical advice is to double-check the URL whenever we're asked to enter one's account credentials in a login. Unfortunately, phishing efforts that target Azure Static Web Apps render this advice nearly useless, since many users will be fooled by azurestaticapps.net subdomain and genuine TLS certificate.

Hackers Can Use a Replay Attack Due to a Honda Vulnerability

 

A 'replay attack' vulnerability has been discovered in specific Honda and Acura automobile models, allowing a nearby hacker to open the car and even start it from a short distance. The threat actor captures the RF signals transferred from the key fob to the automobile and resends them to gain control of the victim's car's remote keyless entry unit. 

A hostile hacker can employ a replay attack to mislead a website or service into giving them access to the user by recycling the information used to identify the user. If a hacker can find and repeat a specific string of information, someone can use it to deceive a website into believing it was there, allowing anyone to get access to the online account.

Attackers might utilize CVE-2022-27254 to perform a Man-in-the-Middle (MitM) attack, or more particularly a replay attack, in which someone intercepted and manipulated the RF signals sent from a remote key fob to the automobile, and then re-transmitted these signals at a later time to unlock the car at his leisure. 

According to analysts, Blake Berry, Hong Liu, and Ruolin Zhou of the University of Massachusetts, as well as Cybereason Chief Security Officer Sam Curry, who discovered the vulnerability, the vulnerability in earlier models is mostly unaddressed. Honda owners, on the other hand, maybe able to defend themselves against such an attack. The remote engine start portion of the problem is also demonstrated in a video supplied by the researchers, however, no technical details or proof-of-concept (PoC) exploit code were published at the time. 

The Honda Civic (LX, EX, EX-L, Touring, Si, and Type R) models from 2016 through 2020 are the most afflicted by this issue. In a GitHub repository, Blake Berry explained it was also possible to change the intercepted commands and re-send them to get a completely different result. 

According to the experts' recommendations, automotive manufacturers should include "rolling codes," also known as "hopping codes." This security method responds to each authentication request with a unique code, ensuring the codes cannot be "replayed" by an offender at a later time. However, "At this moment, Honda has no plans to update older vehicles," the company stated. "It's crucial to remember this, while Honda is always improving security features as new models are released, motivated and technologically sophisticated thieves are striving to circumvent those safeguards." 

When not in use, users should store the key fobs in signal-blocking 'Faraday pouches', however, this strategy won't prevent a determined attacker from eavesdropping on signals when the fob is utilized. Consumers should choose Passive Keyless Entry (PKE) over Remote Keyless Entry (RKE), which makes it much tougher for an intruder to clone/read the signal due to the closeness they would need to be at to do so.

 Lazarus APT Cell Exploits the Windows Update Client

 

According to experts at a cyber security agency, Lazarus, a notable hacking organization with ties to the North Korean government, has been utilizing the Windows Update client to spread malware as part of a new spear-phishing effort.

The North Korean nation-state hacking outfit known as the Lazarus Group, formerly as APT38, Hidden Cobra, Whois Hacking Team, and Zinc, has been operating since at least 2009. The threat actor was tied to a sophisticated social engineering campaign aimed at security experts last year. 

The two macro-embedded messages seem to be enticing the targets about new Lockheed Martin job opportunities: 
  • Lockheed Martin JobOpportunities.docx 
  • Salary Lockheed Martin job opportunities confidential.doc 

Both of these documents were created on April 24, 2020, but enough evidence leads us to believe it was leveraged in a campaign between late December 2021 and early 2022. The threat actor's domains are one of the pieces of evidence that this attack took place recently. The attack begins with the malicious macros hidden in the Word document being executed. 

The malware executes a series of implants in order to gain startup persistence on the target computer and inserts code into the computer's restart system to ensure a restart does not knock down the virus.

Researchers discovered evidence that the threat group used GitHub as a command and control (C2) site for its attacks. Lazarus' use of GitHub as a C2 is unusual, according to the researchers, who claim this is the first time a group is seen to be doing so. The threat group was found to be utilizing GitHub as a command and control (C2) site for its attacks. According to the researchers, Lazarus' usage of GitHub as a C2 is uncommon. 

The campaign's attribution to the Lazarus APT is based on different facts as stated below: 
  • The usage of employment opportunities as a template is something Lazarus has done before.
  • Defense industry targets, particularly Lockheed Martin, are well-known targets for North Korean-linked APT. 
  • The metadata utilized in this campaign connects the documents to various other materials used by Lazarus previously.

LINE Pay leaked 133,000 Users' Data to GitHub

Yesterday, digital messaging and payment facility platform ‘LINE Pay’ – released a statement in which it said that around 133,000 clients’ payment data was erroneously published on GitHub between September and November this year. The incident affected more than 51,000 Japanese users and around 82,000 Taiwanese and Thai users.

Data detailing individuals in a LINE Pay promotional program that was organized between late December 2020 and April 2021 was accidentally uploaded to the collaborative coding crèche by an employee. After the attack findings, the company has notified its customers and the fintech division of the company has issued an official apology letter and assured its users of future protection. 

The data that has been leaked includes the time, date, amount of transactions, and user and franchise store identification numbers. However, telephone, addresses, credit card, and bank account numbers were not leaked, the names of the customers and other credentials could be accessed with little effort. 

Additionally, many political figures and dignitaries stopped using this app since the July 2021 cyberattack. Also, Japanese government officials have stopped using this app when it was discovered that important information was being leaked to China. Prior to the discovery, Japan extensively used this communication app for many regional official communications. 

GitHub--headquartered in California, USA, has been a subsidiary of Microsoft since 2018. The platform is commonly used for organizing open-source projects for software development (As of November 2021, GitHub reports having over 73 million developers). It provides the distributed version control and source code management (SCM) functionality of Git and its own factors. Besides the aforementioned, it also offers access control and several collaboration features such as feature requests, bug tracking, task management, continuous integration, and wikis for every project.

MyBB CAPTCHA Flaw Breaks Forum Validation Checks

 

MyBB has issued a warning to users that the latest version of the programme contains a CAPTCHA-breaking flaw that may affect forum functioning. 

The popular open-source software serves as the foundation for thousands of online forums. However, in June, version 1.8.27 accidentally introduced a programming vulnerability that affects CAPTCHA verification systems enabled by users. 

The project's developers warned on October 3 that the problem affects reCAPTCHA v3 and hCaptcha invisible, two services meant to prevent harmful bots from flooding web pages with false traffic. According to the MyBB developers, validation efforts performed using CAPTCHAs, when applied on a forum, “appear broken and the verification can reject or accept attempts incorrectly”. 

The problem, which has been reported on GitHub, was caused by the usage of the incorrect template and handlers for the CAPTCHAs. Incorrect pointers in reCAPTCHA v3 have resulted in a faulty image verification prompt, possibly allowing the system to be circumvented. 

In the context of hCaptcha, the incorrect handler may cause the feature to refuse all challenges. MyBB advises that users move to an alternative technique for applying CAPTCHAs on their forums temporarily or manually apply forthcoming updates available on GitHub. 

Version 1.8.27 is presently being stabilized, and a fix will be included in the next maintenance release.

Examine the builds 

In addition to the CAPTCHA fix, MyBB has requested forum managers to check their error logging configurations. A read-only feature released in MyBB 1.8.27 requires XHTML code validation as it is created to give forum administrators a chance to notice any errors in a configuration error report– ahead of the planned full release of this feature. 

Customized MyCodes, plugins, theme templates, or username styles that are incompatible with the next version may cause problems in the next build. 

The developers stated, “After upgrading, validation errors will continue to be logged, but messages with problematic MyCode will not be displayed to prevent potential XSS attacks against your forums.”

GitHub Brings Suite of Supply Chain Security Features to Go

 

GitHub has released a number of supply chain security updates for Go programming language modules.

In a blog post published on July 22, GitHub staff product manager William Bartholomew stated that Go — also known as Golang is now firmly ingrained in the top 15 programming languages on the platform and that as the most famous host for Go modules, GitHub intends to assist the community in discovering, reporting, and preventing security vulnerabilities. 

Go modules were launched in 2019 to help with dependency management. As per the Go Developer Survey 2020, Go is now utilized in the workplace in some form by 76 percent of respondents. 

Furthermore, Go modules are becoming more popular, with 96 percent of those polled indicating they use them for package management, up 7% from 2019, and 87 percent saying they use exclusively Go modules for this reason. 

According to the results of the survey, the usage of other package management solutions is declining. As per GitHub, four major aspects of supply chain security enhancement are now available for Go modules. 

The first is GitHub's Advisory Database, an open-source repository of vulnerability information that presently has over 150 Go advisories at the time of publication. Developers can also use the database to get CVE IDs for newly identified security flaws. 

"This number is growing every day as we curate existing vulnerabilities and triage newly discovered ones," Bartholomew added. 

GitHub has also released its dependency graph, which can be used to track and evaluate project dependencies using go.mod, as well as warn users when risky dependencies are discovered. In this version, GitHub has also introduced Dependabot, which will notify developers when new security flaws in Go modules are identified.

To fix vulnerable Go modules, automatic pull requests can be enabled, and notification settings have been enhanced for fine-tuning. According to Bartholomew, repositories are enabled to automatically create pull requests for security updates, dependencies patch up to 40% faster than those that do not.

Pegasus: The Case of the Infamous Spyware

 

The case of the infamous spyware Pegasus has taken the world by storm, with news revealing its unlawful use infringing on many people's basic human rights. With such remote surveillance now accessible via an infected device, the issue of cybersecurity has grown more pressing than ever. According to sources from throughout the world, NSO Group's software was used to spy on around 50,000 people, including politicians, businessmen, journalists, and activists. 

Dmitry Galov, a security researcher at Kaspersky's GReAT, describes the Pegasus spyware's beginnings and how it differs from vulnerabilities. “Pegasus is a spyware with versions for both iOS and Android devices,” he explains. Even in 2017, the criminal had the ability to “read the victim's SMS and emails, listen to calls, take screenshots, record keystrokes, and access contacts and browser history, among other things.” To clarify, Galov argues that Pegasus is a sophisticated and costly malware. It was created with the intent of spying on people of particular interest. As a result, the typical user is unlikely to be a target. 

However, the spyware's sophistication makes it one of the most powerful tools for spying on one's smartphone. Pegasus has evolved over time to attack a number of zero-day vulnerabilities in Android and iOS. Although it tries to remove its own traces from an infected device, some of them can still be seen under forensic examination. According to Galov, many parties on the darknet can sell and buy malware as well as zero-day vulnerabilities. Vulnerabilities can cost up to $2.5 million - that's how much the whole chain of Android vulnerabilities was offered for, in 2019. 

Amnesty International researchers have created a toolkit that can assist consumers to determine whether their phone has been infected with spyware. The open-source toolkit has been made accessible on GitHub by Amnesty International. Users must first download and install a python package from the MVT (Mobile Verification Toolkit) website's documentation. It also contains advice on how to complete the procedure on both iOS and Android. Users must take a backup of their iOS device before launching MVT. 

According to Amnesty International, the goal of MVT is to make it easier to conduct a "consensual forensic study" of devices belonging to people who may be the victims of sophisticated mobile spyware attacks. “We do not want MVT to enable privacy violations of non-consenting individuals,” Amnesty said. “Therefore, the goal of this license is to prohibit the use of MVT (and any other software licensed the same) for the purpose of adversarial forensics.”

GitHub Releases Key Findings of an Easy-to-Exploit Linux flaw

 

Kevin Backhouse, a researcher at GitHub Security Lab revealed the details of an easy-to-exploit Linux flaw that can be exploited to escalate privileges to root on the targeted system. The vulnerability, classified as highly critical and termed as CVE-2021-3560, affects polkit, a system service installed by default on many Linux distributions.

On Thursday, Kevin published a blog post explaining his findings, as well as a short video detailing the exploit in polkit. A local, unprivileged attacker can use the flaw to escalate privileges to root with only a few commands executed in the terminal. 

Security researchers have admitted the vulnerability termed CVE-2021-3560 impacts some versions of Red Hat Enterprise Linux, Fedora, Debian, and Ubuntu. On June 3, a patch for CVE-2021-3560 was released. 

“The bug I found was quite old. It was introduced seven years ago in commit bfa5036 and first shipped with polkit version 0.113. However, many of the most popular Linux distributions didn’t ship the vulnerable version until more recently,” Backhouse stated.

“The bug has a slightly different history on Debian and its derivatives (such as Ubuntu) because Debian uses a fork of polkit with a different version numbering scheme. In the Debian fork, the bug was introduced in commit f81d021 and first shipped with version 0.105-26. The most recent stable release of Debian, Debian 10 (“buster”), uses version 0.105-25, which means that it isn’t vulnerable, ”Backhouse further added. 

Polkit is a system service developed for controlling system-wide privileges, creating a way for non-privileged processes to communicate with privileged processes. Backhouse described it as a service that plays the role of a judge, determining whether an action initiated by a user — specifically one that requires higher privileges — can be carried out directly or requires additional authorization, such as entering a password.

The vulnerability identified by the researcher is easy to manipulate, with just a few commands in the terminal. However, due to some timing requirements, it normally takes a few attempts for the exploit to be successful.

CVE-2021-3560 allows an unprivileged local hacker to gain root privileges. It’s very simple and quick to exploit, so users must update their installations as quickly as possible. Any system that has polkit version 0.113 (or later) installed is vulnerable. That includes popular distributions such as RHEL 8 and Ubuntu 20.04.

Linux System Service Bug Allows You to Gain Root Access

 

An authentication bypass vulnerability in the polkit auth system service, which is installed by default on many recent Linux distributions, allows unprivileged attackers to gain a root shell. On June 3, 2021, the polkit local privilege escalation flaw (CVE-2021-3560) was officially identified, and a fix was released. Polkit is used by systemd, hence it's included in any Linux distribution that uses systemd. 

Kevin Backhouse, a GitHub security researcher, detailed how he discovered the bug (CVE-2021-3560) in a systemd service called polkit in a blog post on Thursday. The problem, which was first introduced in commit bfa5036 seven years ago and first shipped in polkit version 0.113, took various pathways in different Linux distributions. Despite the fact that many Linux distributions did not ship with the vulnerable polkit version until recently, any Linux machine with polkit 0.113 or later installed is vulnerable to attacks. 

Polkit, formerly known as PolicyKit, is a service that determines whether certain Linux tasks require more privileges than there are currently available. It comes into play when you want to establish a new user account, for example. According to Backhouse, exploiting the issue is shockingly simple, needing only a few commands utilizing common terminal tools such as bash, kill, and dbus-send. 

"The vulnerability is triggered by starting a dbus-send command but killing it while polkit is still in the middle of processing the request," explained Backhouse. Polkit asks for the UID of a connection that no longer exists, therefore killing dbus-send — an interprocess communication command – in the middle of an authentication request creates an error (because the connection was killed). 

"In fact, polkit mishandles the error in a particularly unfortunate way: rather than rejecting the request, it treats the request as though it came from a process with UID 0," explains Backhouse. "In other words, it immediately authorizes the request because it thinks the request has come from a root process."

Because polkit's UID query to the dbus-daemon occurs numerous times throughout different code paths, this doesn't happen all of the time. According to Backhouse, those code pathways usually handle the error correctly, but one is vulnerable, and if the disconnection occurs while that code path is running, privilege escalation occurs. It's all about timing, which varies in unanticipated ways due to the involvement of various processes. Backhouse believes the bug's intermittent nature is why it went unnoticed for seven years.

Inadvertently Exposed Secrets and Tokens are promptly Scanned by GitHub

 

GitHub recently updated its insights to include repositories that contain registry secrets for PyPI and RubyGems. This approach protects millions of Ruby and Python programmers' who can unintentionally commit secrets and credentials to their GitHub repository. 

GitHub, Inc. is a software development and version control Internet hosting service utilizing Git. It provides Git's distributed version control, source code management as well as its features. GitHub provides users with Advanced Security licenses with security features available. These functionalities are also available for public repositories on GitHb.com. 

It was recently reported by GitHub that repositories that expose PyPI and RubyGems secrets, such as passwords and API tokens are now routinely scanned. 

To take advantage of this functionality, developers must make sure that GitHub Advanced Security is activated for their repository that is the default situation for public repositories. 

"For public repositories on GitHub.com, these features are permanently on and can only be disabled if you change the visibility of the project so that the code is no longer public," states GitHub. 

Secrets or tokens are strings that one can validate themselves when using a service, comparable to a username and a password. 

Third-party API applications often utilize private secrets in their code to access API services. As being such, one should be careful not to expose secrets, since this can lead to far more attacks in the broader supply chain. 

GitHub might inspect, among other things, for the secrets of the mistakenly committed npm, NuGet, and Clojars. 

As observed the list of GitHub Advanced Security currently supports more than 70 distinct kinds of secrets which are comprehensive. 

The advisory further read, “For other repositories, once you have a license for your enterprise account, you can enable and disable these features at the organization or repository level. For more information, see "Managing security and analysis settings for your organization" and "Managing security and analysis settings for your repository." If you have an enterprise account, license use for the entire enterprise is shown on your enterprise license page. For more information, see "Viewing your GitHub Advanced Security usage”."

GitHub tells the administrator when it spots a password, an API token, private SSH keys, or any other secrets that have been disclosed in public repositories. For instance, recently introduced PyPI and RubyGems, the registry maintainers would then remove the disclosed authorization and email the developer as to why. 

"If we find one, we notify the registry, and they automatically revoke any compromised secrets and notify their owner," explains GitHub software engineer Annie Gesellchen in a blog post. The benefit of GitHub's RubyGems and PyPI cooperation is that it revokes disclosed secrets automatically in seconds instead of waiting for the developer to take manual action. 

Automated secrecy scanning takes the user one inch ahead to protecting the developer's infrastructure from inadvertent leakage and increasing security in the supply chain.

Deadshot: A Tool That Marks Sensitive Content for Developers

Software code repositories might be hiding credentials, sensitive data, and other secrets of an organization without the knowledge of developers. If this information gets in the hands of cybercriminals, it could be an invaluable source for launching cyberattacks, say the cybersecurity experts at Twilio, who have released an open-source tool that alerts the developers if they accidentally attach any personal or sensitive data in their code before uploading it to a repository. 

Known as Deadshot, the tool overlooks real-time GitHub pull requests. It marks the possible addition of any sensitive information in any codes, and it varies to sensitive functionality. As per a senior product security engineer at Twilio, Laxman Eppalagudem, who worked on the project says it's not possible for an individual to manually monitor an entire codebase of an organization, hence, their team developed an automatic monitoring tool to search and mark sensitive data. 

Deploy and Forget 

The software will work as a "deploy and forget" tool, as Deadshot would work the entire codebase, it would alert project handlers if any sensitive data flows out of the organization. The safety teams can differentiate what the tool monitors and the alerts can be sent out using Jira Ticket or Slack. Leaky commits: The unintentional reveals of credentials and secrets to code repositories have always been a major problem, says senior product manager Yashvier Kosaraju. The software is aimed to remove the need to manually reviewing the entire codebase, pulling requests for sensitive data commits, which, we're all aware, don't scale. 

The software is designed in a manner so that it can only be installed on GitHub accounts by company admins. As per Twilio, it reduces the Rick of hackers exploiting Deadshot for malicious purposes. According to The Daily Swig, "GitHub already has security scanning capabilities, Blore noted. Developers could also use the open-source tool Gittyleaks to scan for API keys, passwords, and other sensitive data. Twilio is actively looking for feedback and feature requests from Deadshot users and the open-source community, Kosaraju said." Experts believe it is a good initiative to avoid ransomware attacks.

GitHub Announced Security Key Support for SSH Git Operations

 

When using Git over SSH, GitHub, the ubiquitous host for software creation and version control (and unfortunate victim of a relentless stream of attacks targeting the same), now supports encryption keys.

GitHub security engineer Kevin Jones said in a blog post on Monday that this is the next step in improving security and usability. These portable FIDO2 fobs are used for SSH authentication to protect Git operations and avoid the havoc that can occur when private keys are misplaced or stolen, or when malware attempts to execute requests without user permission. For instance, in 2019, the TrickBot data-stealing malware was updated to include a password grabber that could attack data from OpenSSH applications. 

These security keys, which include the YubiKey, Thetis Fido U2F Security Key, and Google Titan Security Keys, are easy to carry around in your pocket and attach to computers via USB, NFC, or Bluetooth. They can be used instead of one-time passwords generated by apps or sent via SMS. SMS SSH codes sent via text can currently be intercepted.

Strong passwords are still relevant, but because of the proliferation of data breaches and cyberattacks, they are becoming less useful as a single security mechanism, prompting the development of password managers that often check for credential leakage online, biometrics, and security keys. 

"We recognize that passwords are convenient, but they are a consistent source of account security challenges," Jones commented. "We believe passwords represent the present and past, but not the future. By removing password support for Git, as we already successfully did for our API, we will raise the baseline security hygiene for every user and organization, and for the resulting software supply chain." 

Since keys are one of the variables in multi-factor authentication (MFA), users can treat them with the same care as any other credential. You should have your security key plugged in if you're the only one that has access to it. “When using SSH with a security key, none of the sensitive information ever leaves the physical security key device,” Jones added. “If you’re the only person with physical access to your security key, it’s safe to leave plugged in at all times.” 

When you use a security key, neither ransomware nor unintended private-key leakage will reveal your keys, he said: “As long as you retain access to the security key, you can be confident that it can’t be used by anyone else for any other purpose.”

OpenBullet Exploited for Credential Stuffing

 

Credential stuffing, a form of access-related cybercrime, is on the rise and shows no signs of slowing down. Between January 2018 and December 2019, there were 88 billion credential stuffing attacks, according to an Akamai survey.

Credential stuffing is a form of cyberattack in which compromised account credentials are used to obtain unauthorized access to user accounts through large-scale automatic login requests directed towards a web application, usually consisting of lists of usernames and/or email addresses and the corresponding passwords (often from a data breach). Credential stuffing attacks, unlike credential hacking, do not try to brute force or guess any passwords. Using standard web automation software like Selenium, cURL, PhantomJS, or tools built especially for these types of attacks like Sentry MBA, SNIPR, STORM, Blackbullet, and Openbullet, the intruder easily automates the logins for a significant number (thousands to millions) of previously discovered credential pairs. 

Since many users repeat the same username/password combination across different pages, credential stuffing attacks are likely. According to one poll, 81 percent of users have reused a password across two or more sites, and 25% of users use the same password across a number of their accounts. 

OpenBullet is a free web-testing tool that allows users to make particular requests on specific web pages. The open-source tool is available on GitHub and can be used for a variety of activities, including data scraping and sorting, automatic penetration testing, and Selenium unit testing. 

For legitimate reasons, such as penetration testing, the app allows users to try several "login:password" variations as credential brute-force attacks on various websites. Cybercriminals, on the other hand, will use it to find legitimate passwords on various websites for nefarious purposes.

A user can import prebuilt configuration files or configs into OpenBullet, one for each website to be checked. It also has a modular editor for making changes to configurations as desired. This is a required function since websites also make minor changes to the way users link to them in order to combat automatic tools like OpenBullet. OpenBullet's GitHub profile, for example, has a note that the tool should not be used for credential stuffing on websites that the user does not own. 

The Federal Trade Commission (FTC) released an advisory in 2017 advising businesses about how to combat credential stuffing, including requiring safe passwords and preventing attacks.