
Showing posts with label GitHub.

KeePass Vulnerability: Hackers May Have Stolen the Master Passwords


One would expect an ideal password manager to at least keep its users' passwords safe. On the contrary, a newly disclosed vulnerability puts users of the KeePass password manager at serious risk of having their passwords exposed.

The vulnerability lets an attacker extract the master password from the target computer's memory and carry it off in plain text, that is, in unencrypted form. Although the attack is fairly easy to carry out, its repercussions are expected to be unsettling.

Password managers such as KeePass keep a user's login information encrypted behind a single master password. That makes the vault a valuable target for hackers, since whoever holds the master password can access everything inside it.

How Is the KeePass Vulnerability a Problem?

Security researcher 'vdohney,' according to a report by Bleeping Computer, found the KeePass vulnerability and posted a proof-of-concept (PoC) program on GitHub.

With the exception of the first one or two characters, the tool can recover almost the entire master password in readable, unencrypted form. It can do so even when KeePass is locked and, possibly, even after the application has been closed.

All this is because the vulnerability extracts the master password from KeePass’s memory. This can be acquired, as the researcher says, in a number of ways: “It doesn’t matter where the memory comes from — can be the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys) or RAM dump of the entire system.”

The flaw stems from custom code in KeePass. The master password is entered in a custom control named SecureTextBoxEx. Despite its name, the control turns out to be not all that secure: each character entered leaves behind a copy of itself in process memory. The PoC tool locates these leftover characters and reassembles them.

'A Fix Is Incoming'

The one limitation of this attack is that it requires physical access to the computer from which the master password is to be taken. That is not always an obstacle, however; as the LastPass case demonstrated, hackers can reach a target's computer by abusing weak remote access software installed on the device.

If a device is infected with malware, that malware could just as well be set up to dump KeePass's memory and send it, together with the app's database, to the attacker's server, giving the threat actor time to recover the master password.

Fortunately, the developer of KeePass promises that a fix is incoming; one candidate fix is to insert random dummy text into the app's memory to obscure the password. Anyone worried about their master password may find it agonizing to wait until June or July 2023 for the update to be released. The fix is, however, already available as a beta that can be downloaded from the KeePass website.

GitHub Introduces the AI-powered Copilot X, which Uses OpenAI's GPT-4 Model

 

GitHub, the Microsoft-owned open-source developer platform, has announced Copilot X, the company's vision of the future of AI-powered software development.

GitHub has adopted OpenAI's new GPT-4 model and added chat and voice support for Copilot, bringing Copilot to pull requests, the command line, and documentation so that it can answer questions about developers' projects.

'From reading docs to writing code to submitting pull requests and beyond, we're working to personalize GitHub Copilot for every team, project, and repository it's used in, creating a radically improved software development lifecycle,' Thomas Dohmke, CEO at GitHub, said in a statement.

'At the same time, we will continue to innovate and update the heart of GitHub Copilot -- the AI pair programmer that started it all,' he added.

Copilot chat recognizes what code a developer has entered and what error messages are displayed, and it is deeply integrated into the IDE (Integrated Development Environment).

As stated by the company, Copilot chat will join GitHub's previously demoed voice-to-code AI technology extension, which it is now calling 'Copilot voice,' where developers can verbally give natural language prompts. Furthermore, developers can now sign up for a technical preview of the first AI-generated pull request descriptions on GitHub.

This new feature is powered by OpenAI's new GPT-4 model and adds support for AI-powered tags in pull request descriptions via a GitHub app that organization admins and individual repository owners can install.

As per the company, GitHub is also going to launch Copilot for docs, an experimental tool that uses a chat interface to provide users with AI-generated responses to documentation questions, including questions about the languages, frameworks, and technologies they are using.

Meta Announces a New AI-powered Large Language Model


On Friday, Meta introduced a new AI-powered large language model (LLM) named LLaMA-13B that, despite being "10x smaller," can reportedly outperform OpenAI's GPT-3 model. Smaller AI models like this could allow ChatGPT-style language assistants to run locally on devices such as computers and smartphones. It is part of a new family of language models called "Large Language Model Meta AI," or LLaMA.

The language models in the LLaMA collection range in size from 7 billion to 65 billion parameters. By comparison, OpenAI's GPT-3 model, which served as the basis for ChatGPT, has 175 billion parameters.

Meta can potentially release its LLaMA models and their weights as open source, since it trained them on openly available datasets such as Common Crawl, Wikipedia, and C4. That would mark a breakthrough in a field where Big Tech competitors in the AI race have traditionally kept their most powerful AI technology to themselves.

On the same point, project member Guillaume tweeted: "Unlike Chinchilla, PaLM, or GPT-3, we only use datasets publicly available, making our work compatible with open-sourcing and reproducible, while most existing models rely on data which is either not publicly available or undocumented."

Meta refers to its LLaMA models as "foundational models," which indicates that the company intends for the models to serve as the basis for future, more sophisticated AI models built off the technology, the same way OpenAI constructed ChatGPT on the base of GPT-3. The company anticipates using LLaMA to further applications like "question answering, natural language understanding or reading comprehension, understanding capabilities and limitations of present language models" and to aid in natural language research. 

While the top-of-the-line LLaMA model (LLaMA-65B, with 65 billion parameters) competes head-to-head with comparable models from rival AI labs DeepMind, Google, and OpenAI, arguably the most intriguing development is the LLaMA-13B model, which, as mentioned above, can reportedly outperform GPT-3 while running on a single GPU when measured across eight common "common sense reasoning" benchmarks such as BoolQ and PIQA. LLaMA-13B thus opens the door to ChatGPT-like performance on consumer-level hardware in the near future, in contrast with the data center requirements of GPT-3 derivatives.

In AI, parameter count matters. A parameter is a variable that a machine-learning model uses to make predictions or classify input data. The size of a language model's parameter set strongly affects how well it performs, with larger models typically able to handle more challenging tasks and generate more coherent output. However, more parameters take up more space and require more computing resources to run. A model that achieves the same results as another with fewer parameters is therefore significantly more efficient.

"I'm now thinking that we will be running language models with a sizable portion of the capabilities of ChatGPT on our own (top of the range) mobile phones and laptops within a year or two," wrote Simon Willison, an independent AI researcher, in a Mastodon thread analyzing the impact of Meta's new AI models.

Currently, a simplified version of LLaMA is available on GitHub. The full code and weights (the values a neural network "learns" during training) can be obtained by filling out a request form provided by Meta. Meta has not yet announced a wider release of the model and weights.

Canadian Telecom Provider Telus is Reportedly Breached

 

Telus, one of Canada's biggest telecommunications companies, is reportedly investigating a potentially serious system breach after malicious actors posted samples online of what they claimed to be private corporate data.

According to reports, the threat actors posted on BreachForums offering to sell an email database said to contain the email addresses of every Telus employee, priced at $7,000. For $6,000, buyers were offered a second database purported to contain payroll details for the telecom company's top executives, including its president.

The threat actor also offered for sale, for $50,000, a data bundle containing more than 1,000 private GitHub repositories allegedly belonging to Telus. The source code on offer reportedly included a SIM-swapping API. SIM-swapping is the practice of hijacking another person's phone number by moving it to a SIM card the attacker controls.

Although the threat actors describe this as a complete breach and have threatened to sell everything connected to Telus, it is still too early to say whether an incident actually occurred at TELUS itself or whether a third-party vendor was breached.

A TELUS representative told BleepingComputer that the company is looking into accusations that some information about selected TELUS team members and internal source code has leaked on the dark web.

If the breach occurred as the threat actors claim, Telus would be the latest in a series of recent attacks on telecom companies. Three of Australia's biggest telecommunications companies, Optus, Telstra, and Dialog, have all been infiltrated by attackers since the beginning of the year.

In 2020, a cyberattack on Telus's Medisys Health Group subsidiary exposed customer data; the company said at the time that it paid for the data and securely retrieved it. Although TELUS is still monitoring the potential incident, it has not yet found any evidence that corporate or retail customer data was stolen.



Extortion Attempt by Former Ubiquiti Developer

 


Former Ubiquiti employee Nickolas Sharp has admitted that he stole gigabytes of confidential data from the company's network while he was leading its cloud technology team, and that he posed as an anonymous hacker and whistleblower to avoid detection. Sharp, a 36-year-old software engineer from Portland, Oregon, breached Ubiquiti's GitHub repositories and AWS servers in December 2020.

Sharp agreed to plead guilty to three charges: making false statements to the FBI, wire fraud, and transmitting a malicious program to a protected computer. The charges carry a maximum sentence of 35 years in prison.

Ubiquiti disclosed the resulting security incident in January 2021.

Posing as an anonymous hacker who had targeted the company, Sharp then tried to extort it. His ransom note demanded 50 bitcoins, worth roughly $1.9 million at the time, in exchange for returning the data and disclosing the weakness in the network that had allowed the hack. Rather than pay the ransom, Ubiquiti chose to change every employee's login credentials. A second security breach was also discovered in the company's systems and eliminated before the company notified the government of the breach on December 11.

Sharp, later identified as the hacker behind the attack, used his cloud administrator credentials to clone Ubiquiti's AWS infrastructure and GitHub repositories over SSH (on December 10, 2020) and to steal private files (on December 21 and 22).

Although Sharp used the Surfshark VPN service to hide his IP address while collecting the data, a brief internet outage exposed his real location. He also altered the log retention settings on Ubiquiti's servers, along with other data that would have revealed his identity during the investigation, in order to cover his tracks.

The FBI searched Sharp's residence on March 24, 2021, and seized his electronic equipment. He made several false statements to FBI agents during questioning.

Among other things, he claimed that he was not the perpetrator and that he had never used a VPN service of this type. Records show, however, that Sharp had purchased the Surfshark VPN service in July 2020, about six months before the incident. He then falsely alleged that someone else had accessed his PayPal account to make that purchase.

In a media interview after the extortion attempt failed, Sharp, posing as a whistleblower, alleged that Ubiquiti had downplayed the breach to avoid repercussions. After he challenged Ubiquiti's statements about the impact of the January incident, the company acknowledged that it had been the target of an extortion attempt and said there was no indication that any of its users' accounts had been compromised.

He also claimed that Ubiquiti had no logging mechanism that would let it determine whether the "attacker" had accessed any systems or data, and that this would have prevented the company from working out what had happened. Despite his assertions, the information provided by the Justice Department indicates that he had altered the company's logs himself and that the system was indeed compromised.

LastPass, Okta, and Slack: Threat Actors Switch to Targeting Core Enterprise Tools


At the beginning of 2023, CircleCI, a development-pipeline service provider, warned its users of a security breach and advised companies to act immediately by rotating the passwords, SSH keys, and other secrets stored on or managed by the platform.

The attack on the DevOps service left the organization scrambling to assess the extent of the breach, cut off the attackers' ability to alter software projects, and identify which development secrets had been compromised. The company updated configuration settings, rotated authentication tokens, worked with other providers to expire keys, and investigated the incident.

The company states in an advisory last week, "At this point, we are confident that there are no unauthorized actors active in our systems; however, out of an abundance of caution, we want to ensure that all customers take certain preventative measures to protect your data as well." 

In the past year, identity services like Okta and LastPass have acknowledged system vulnerabilities, and developer-focused services like Slack and GitHub have reacted quickly to successful attacks on their infrastructure and source code. 

According to Lori MacVittie, a distinguished engineer and evangelist at cloud security firm F5, the series of attacks on fundamental enterprise tools means organizations should expect these kinds of providers to become frequent targets in the future.

"As we rely more on services and software to automate everything from the development build to testing to deployment, these services become an attractive attack surface […] We don't think of them as applications that attackers will focus on, but they are," she says. 

Identity & Developer Services Vulnerable to Cyberattacks

Lately, threat actors have targeted two major categories of services: identity and access management systems, and developer and application infrastructure. Both underpin critical components of enterprise infrastructure.

According to Ben Smith, CTO at detection and response firm NetWitness, identity is the glue that holds an organization's internal interfaces together and connects it to its partners and customers.

"It doesn't matter what product, what platform, you are leveraging, adversaries have recognized that the only thing better than an organization that specializes in authentication is an organization that specializes in authentication for other customers," says Smith.

Meanwhile, developer services and tools have become another frequently attacked class of enterprise service. For example, in September a threat actor accessed the Slack channel of Rockstar Games' developers and downloaded videos, pictures, and game code from the upcoming Grand Theft Auto 6 title. Slack said of its own incident that "a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository."

Since identity and developer services enable access to a wide range of corporate assets, from application services to operations to source code, compromising them can be a 'skeleton key' to the rest of the company, adds Smith. "They are very very attractive targets, which represent low-hanging fruit […] These are classic supply chain attacks — a plumbing attack because the plumbing is not something that is visible on a daily basis."

Protect Yourselves by Managing Secrets Wisely and Establishing Playbooks

One defensive tactic suggested by Ben Lincoln, managing senior consultant at Bishop Fox, is comprehensive secrets management: companies should be able to "push the button" and rotate all necessary passwords, keys, and sensitive configurations at once.

"You need to limit exposure, but if there is a breach, you hopefully have a push button to rotate all those credentials immediately," Smith further says. "Companies should plan extensively in advance and have a process ready to go if the worst thing happens." 

Organizations can also deceive intruders with traps. By employing honeypot-like tactics, security teams can get a high-fidelity warning that attackers may be on their network or using a service. Credential canaries (fake accounts and credentials) help identify when threat actors have reached critical assets. Beyond that, companies must prioritize applying zero-trust principles to minimize the attack surface, not just of machines, software, and services but also of operations, according to MacVittie.

CircleCI Breach: Encryption Keys & User Data Seized

Software company CircleCI has acknowledged that a data breach last month resulted in the theft of customers' data.

Hackers broke into the company in December after an engineer's laptop was infected with data-stealing malware that captured CircleCI's 2FA-backed SSO session cookies and used them to access the company's internal systems. Earlier this month, after disclosing the breach, CircleCI told customers to rotate their credentials and passwords.

The company accepted responsibility for the breach and attributed it to a systems failure, noting that its antivirus software missed the token-stealing malware on the employee's laptop. Session tokens let users stay logged in without repeatedly typing their password or re-authorizing with two-factor authentication. The flip side is that an attacker holding a stolen session token can access the same resources as the user without needing the account holder's password or two-factor code. As a result, it can be difficult to tell a session token used by the account owner from one stolen by a hacker.
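The paragraph above explains why a stolen session token is hard to tell apart from legitimate use. The following is an added example (not CircleCI's code) of the usual server-side mitigations: the store keeps only a hash of each token, enforces an absolute lifetime and an idle timeout, and binds the session to a device fingerprint so that a genuine token presented from a different device is revoked and raises an alert instead of being honoured. The lifetimes, the fingerprint inputs and the `SessionStore` API are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Added example, not CircleCI's code. A server-side session store that binds each
# token to the device that created it, expires it, and treats a valid token
# presented from a different device as likely theft (the infostealer scenario).

ABSOLUTE_LIFETIME = 8 * 3600   # assumed policy: force re-authentication every 8 hours
IDLE_TIMEOUT = 30 * 60         # assumed policy: drop sessions idle for 30 minutes


def device_fingerprint(user_agent: str, client_ip: str) -> str:
    """Hash of request attributes the server can observe on every call."""
    return hashlib.sha256(f"{user_agent}|{client_ip}".encode()).hexdigest()


def _token_key(token: str) -> str:
    # Only a hash of the token is stored, so a dump of the store yields nothing replayable.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str
    created: float
    last_seen: float


@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)   # what a detection pipeline would ingest

    def issue(self, user: str, user_agent: str, client_ip: str, now: float) -> str:
        """Create a session after the user has completed password + 2FA login."""
        token = secrets.token_urlsafe(32)
        self.sessions[_token_key(token)] = Session(
            user, device_fingerprint(user_agent, client_ip), now, now)
        return token

    def validate(self, token: str, user_agent: str, client_ip: str, now: float):
        """Return (user, reason); user is None when the token must not be honoured."""
        key = _token_key(token)
        sess = self.sessions.get(key)
        if sess is None:
            return None, "unknown token"
        if now - sess.created > ABSOLUTE_LIFETIME:
            del self.sessions[key]
            return None, "absolute lifetime exceeded"
        if now - sess.last_seen > IDLE_TIMEOUT:
            del self.sessions[key]
            return None, "idle timeout"
        presented = device_fingerprint(user_agent, client_ip)
        if not hmac.compare_digest(presented, sess.fingerprint):
            # The token is genuine but arrives from another device: revoke it and alert.
            self.alerts.append(f"session of {sess.user} replayed from {client_ip}; revoked")
            del self.sessions[key]
            return None, "device mismatch"
        sess.last_seen = now
        return sess.user, "ok"


if __name__ == "__main__":
    store = SessionStore()
    tok = store.issue("engineer", "Firefox/108", "198.51.100.7", now=1000.0)
    print(store.validate(tok, "Firefox/108", "198.51.100.7", now=1100.0))   # ('engineer', 'ok')
    print(store.validate(tok, "Firefox/108", "203.0.113.9", now=1200.0))    # (None, 'device mismatch')
    print(store.alerts)
```

Binding to the client IP is the blunt version of this check: it breaks for users on mobile networks or behind changing NAT, so production systems usually bind to a longer-lived device attribute and use an IP change as a signal for step-up authentication rather than an immediate revoke. The lifetime limits matter independently of the binding, because they cap how long a copied cookie stays useful.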

According to CircleCI, the stolen session token allowed the hackers to impersonate the employee and gain access to a subset of the company's systems, which store customer data. In response to the hack, CircleCI says it rotated all customer-related tokens, including Project API Tokens, Personal API Tokens, and GitHub OAuth tokens. The company also worked with Atlassian and AWS to notify customers of potentially compromised Bitbucket and AWS tokens.

CircleCI says that, to further harden its infrastructure, it has added detections for the behaviour of the information-stealing malware to its antivirus and mobile device management (MDM) tools.

"While client data was encrypted, the cybercriminals also gained the encryption keys able to decrypt consumer data," said Rob Zuber, the company's chief technology officer. Researchers urge customers who have not already done so to rotate their secrets to prevent unauthorized access to third-party systems and data stores. The company has also tightened the security of its 2FA setup and restricted access to its production environments to a smaller group of users.

PyPI Hosting Malware and AWS Keys

 

The Python package repository PyPI was found to be hosting both malware and leaked AWS keys. Software developer Tom Forbes wrote a Rust-based tool that scans every new PyPI package for AWS API keys. The tool turned up 57 hits, including keys belonging to Louisiana University, Stanford, Portland, Amazon, and Intel.

Forbes explains that his scanner runs on a schedule via GitHub Actions and searches new releases on PyPI, HexPM, and RubyGems for AWS keys. If it finds any, it generates a report containing the relevant details and commits it to the AWS-cred-scanner repository.

According to Forbes' write-up, "The report comprises the keys that have been found, as well as a public link to the keys and additional metadata regarding the release." Because these keys are committed to a public GitHub repository, GitHub's secret scanning service is triggered and alerts AWS that the keys have been compromised.
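The three paragraphs above describe the pipeline (scan new releases, find key material, write a report). What follows is an added example, not Forbes' Rust scanner, of the core step in Python: unpack a package archive in memory, scan its text files for AWS access key IDs and adjacent secret keys, and produce a report that masks the secrets. The sample sdist is constructed inline, and the credential pair inside it is AWS's own documented placeholder pair rather than a real key; the regexes, file-suffix list and function names are this example's assumptions.

```python
import io
import re
import tarfile

# Added example, not Tom Forbes's scanner. Unpacks a package archive (a PyPI
# sdist is a .tar.gz) in memory and looks for AWS access key IDs plus the
# secret keys that usually sit next to them.

# Long-term access key IDs start with AKIA, temporary ones with ASIA; both are 20 characters.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret access keys are 40 base64-like characters; a nearby hint word limits false positives.
SECRET_RE = re.compile(
    r"(?i)(?:aws_secret_access_key|secret)[^\n]{0,20}?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])")

TEXT_SUFFIXES = (".py", ".cfg", ".ini", ".txt", ".env", ".json", ".yaml", ".yml", ".toml", ".md")

# AWS's documented placeholder credential pair, used here as constructed sample data.
SAMPLE_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SAMPLE_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def scan_text(path: str, text: str) -> list:
    """Return one finding per credential-looking token in a text file."""
    findings = []
    for kind, regex in (("access_key_id", ACCESS_KEY_RE), ("secret_access_key", SECRET_RE)):
        for m in regex.finditer(text):
            line_no = text.count("\n", 0, m.start(1)) + 1
            findings.append({"file": path, "line": line_no, "kind": kind, "value": m.group(1)})
    return findings


def scan_archive(archive_bytes: bytes) -> list:
    """Walk every text member of a .tar.gz archive and scan it."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith(TEXT_SUFFIXES):
                continue   # skip directories and binary members
            text = tar.extractfile(member).read().decode("utf-8", errors="replace")
            findings.extend(scan_text(member.name, text))
    return findings


def report(findings: list) -> str:
    """Human-readable report; secrets are masked so the report itself leaks nothing."""
    lines = []
    for f in findings:
        shown = f["value"] if f["kind"] == "access_key_id" else f["value"][:4] + "*" * 36
        lines.append(f"{f['file']}:{f['line']} {f['kind']} {shown}")
    return "\n".join(lines)


def build_sample_sdist() -> bytes:
    """Constructed sdist with one leaked credential pair, built in memory."""
    files = {
        "example_pkg-0.1/example_pkg/__init__.py": '"""Constructed package, not a real PyPI release."""\n',
        "example_pkg-0.1/example_pkg/settings.py": (
            '"""Constructed settings module with a leaked credential pair."""\n'
            f'AWS_ACCESS_KEY_ID = "{SAMPLE_KEY_ID}"\n'
            f'AWS_SECRET_ACCESS_KEY = "{SAMPLE_SECRET}"\n'
            'BUCKET = "example-bucket"\n'),
        "example_pkg-0.1/setup.cfg": "[metadata]\nname = example_pkg\nversion = 0.1\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    print(report(scan_archive(build_sample_sdist())))
```

The access key ID pattern is tight enough to run on its own; the secret pattern is deliberately anchored to a hint word, because any 40-character base64 run (hashes, tokens of other services) would otherwise match. A real scanner would also verify the pair before reporting, which is what GitHub's partner program does on AWS's behalf when the pair lands in a public repository.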

As per Forbes, "It relies on the specific rights granted to the key itself. Other keys I discovered in PyPI were root keys, which are equally permitted to perform any action. The key I discovered that was leaked by InfoSys in November had full admin access, meaning it can do anything. If these keys were stolen, an attacker would have unrestricted access to the associated AWS account."

He noted that other keys might have narrower but still excessive permissions. For instance, he said it frequently happens that a key meant to grant access to a single AWS S3 storage bucket has unintentionally been configured to give access to every S3 bucket in that account.
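The bucket-scoping mistake described above is a policy problem rather than a key problem, so a review of the IAM policy attached to the key catches it before the key leaks. Below is an added example, not from the article or from AWS tooling, that shows the over-broad policy beside a scoped one and a small checker that flags Allow statements letting S3 actions reach every bucket (and, as a separate finding, statements granting all S3 actions). The bucket name and both policy documents are constructed for the example.

```python
# Added example, not from the article. Two constructed IAM policies and a checker
# that flags the over-broad one (S3 actions allowed on every bucket in the account).

S3_ARN_PREFIX = "arn:aws:s3:::"

WEAK_POLICY = {  # constructed: meant for one bucket, actually reaches every bucket
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": "*",
    }],
}

SCOPED_POLICY = {  # constructed: same actions, limited to one hypothetical bucket
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}


def _as_list(value):
    # IAM allows a single string or a list in Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def _bucket_of(resource: str):
    """Bucket name from an S3 ARN, or None if the ARN is not an S3 one."""
    if not resource.startswith(S3_ARN_PREFIX):
        return None
    return resource[len(S3_ARN_PREFIX):].split("/", 1)[0]


def overbroad_s3_statements(policy: dict) -> list:
    """Describe every Allow statement that lets S3 actions reach every bucket."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        if not any(a == "*" or a.lower().startswith("s3:") for a in actions):
            continue   # statement does not concern S3
        for res in _as_list(st.get("Resource", [])):
            bucket = "*" if res == "*" else _bucket_of(res)
            if bucket is not None and (bucket == "" or "*" in bucket):
                findings.append(
                    f"statement {i}: {', '.join(actions)} allowed on {res} (every bucket)")
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"statement {i}: wildcard S3 actions granted")
    return findings


if __name__ == "__main__":
    print("weak:  ", overbroad_s3_statements(WEAK_POLICY))
    print("scoped:", overbroad_s3_statements(SCOPED_POLICY))
```

The checker treats a wildcard anywhere in the bucket component (`arn:aws:s3:::*`, `arn:aws:s3:::logs-*`) as a finding, because a prefix wildcard is usually an accident of the same kind; a team that intentionally uses prefix-named buckets would add an allowlist. Note that the scoped policy needs both the bucket ARN (for `s3:ListBucket`) and the `bucket/*` ARN (for object operations), which is the detail people skip when they fall back to `"*"`.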

Forbes cites GitHub's automated secret scanning, which also covers keys in npm packages, as an effective tool. However, the expressions GitHub uses to find secrets are sensitive and cannot be made public, so PyPI and other third parties cannot leverage this infrastructure without handing all PyPI-published code to GitHub. Forbes also recommended that businesses carefully review their security procedures.

Cybersecurity firm Phylum reported that it found a remote access trojan dubbed pyrologin in a PyPI package in December. Last month, ReversingLabs, another security company, discovered a malicious PyPI package disguised as an SDK from SentinelOne, a different security company. And in November, W4SP malware was found in dozens of newly released PyPI packages. In March 2021, PyPI removed 3,653 malicious packages in a large-scale malware culling.

When a key is reported, AWS opens a support ticket to alert the responsible developer and applies a quarantine policy to reduce the risk of misuse. The concern, however, is that a malicious actor could build comparable scanning software with the intention of abusing the keys it finds.


Following a Hack, CircleCI Advises Customers to Rotate all Secrets

 


Following a breach of its systems, CircleCI, whose development products are popular with software engineers, has advised customers to rotate their secrets to prevent a repeat of the incident.

More than one million engineers use the CI/CD platform, relying on it for the "speed and reliability" of their builds. CircleCI alerted users to the incident by email, stating that it is currently investigating a security incident.
 
To be on the safe side, users are advised to rotate all secrets stored in CircleCI while the company completes its investigation. CircleCI CTO Rob Zuber wrote in a brief advisory published on Wednesday that the company will provide updates on the incident as soon as they become available.

CircleCI believes there are no unauthorized actors active in its systems at this point; however, out of an abundance of caution, it encourages all customers to take precautions to protect their data. Customers are advised to rotate both the secrets stored in project environment variables and those stored in contexts.
 
CircleCI has invalidated the API tokens used in projects, and users will need to replace them before they can continue using CircleCI. During the investigation, security engineer Daniel Hückmann reported one of the IP addresses associated with the attack (54.145.167.181).

That indicator may help incident responders investigate their own environments. The DevOps company also recommends that users audit their logs for any signs of unauthorized access between December 21st, 2022, and January 4th, 2023, so that the same event cannot recur.
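The two paragraphs above give responders an indicator (the reported IP) and a date window to audit. Here is an added example, not CircleCI's tooling, that turns them into a log audit: parse access-log lines, keep the events inside the window, match them against the IOC set, and list the accounts whose sessions were used from that address so their secrets can be rotated first. The log lines are constructed in a simple `key=value` shape and are not CircleCI's audit log format; the IP and the window are the ones the article gives.

```python
import re
from datetime import datetime, timezone

# Added example, not CircleCI's tooling or log format. The log is constructed;
# the IOC and the date window are the ones given in the article.

ATTACKER_IPS = {"54.145.167.181"}   # IP reported by Daniel Hückmann during the investigation
WINDOW_START = datetime(2022, 12, 21, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 1, 4, 23, 59, 59, tzinfo=timezone.utc)

SAMPLE_LOG = """\
2022-12-20T09:12:44Z user=alice action=login ip=198.51.100.23
2022-12-23T02:17:09Z user=alice action=context.secret.read ip=54.145.167.181
2022-12-28T15:30:00Z user=carol action=login ip=203.0.113.9
2023-01-02T11:40:00Z user=bob action=project.env_var.read ip=54.145.167.181
2023-01-06T08:00:00Z user=bob action=login ip=54.145.167.181
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) ip=(?P<ip>\S+)$")


def parse_line(line: str):
    """Parse one constructed log line; return None for lines in another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None   # tolerate unknown lines instead of aborting the whole audit
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "action": m["action"], "ip": m["ip"]}


def events_in_window(log_text: str, start=WINDOW_START, end=WINDOW_END) -> list:
    """All parseable events whose timestamp falls inside the audit window (inclusive)."""
    events = (parse_line(line) for line in log_text.splitlines())
    return [e for e in events if e and start <= e["ts"] <= end]


def ioc_hits(log_text: str, iocs=ATTACKER_IPS, start=WINDOW_START, end=WINDOW_END) -> list:
    """Events inside the window that came from a known-bad address."""
    return [e for e in events_in_window(log_text, start, end) if e["ip"] in iocs]


def affected_users(log_text: str, iocs=ATTACKER_IPS) -> list:
    """Accounts whose sessions were used from an IOC address; rotate their secrets first."""
    return sorted({e["user"] for e in ioc_hits(log_text, iocs)})


if __name__ == "__main__":
    for e in ioc_hits(SAMPLE_LOG):
        print(e["ts"].isoformat(), e["user"], e["action"], e["ip"])
    print("rotate first:", affected_users(SAMPLE_LOG))   # ['alice', 'bob']
```

The last sample line (January 6th) falls outside the window and is therefore not a hit; in a real audit a match outside the window is still worth a look rather than an automatic dismissal, since the published window is the provider's best estimate, not a guarantee.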
 
The wording of CircleCI's 'reliability update' suggests that CircleCI was compromised on December 21st, the same day it published that update underlining its commitment to improving its services and enhancing security.
 
That update followed a series of similar ones, beginning with a reliability update in April 2022 in which CircleCI admitted that its reliability had not met its users' standards. Zuber wrote at the time that CircleCI is an organization dedicated to managing change so that software teams can innovate faster, but that lately its reliability had not met customers' expectations.
 
CircleCI issued another such update after an outage in September 2022 that lasted a "significant portion of a day" and left many teams struggling to manage their workloads.

CircleCI has faced a series of security issues in recent years. In mid-2019, the compromise of a third-party vendor led to a data breach at CircleCI in which confidential information was exposed.

In that incident, the data of some GitHub and Bitbucket users was compromised, including the login credentials and email addresses for their GitHub and Bitbucket accounts, as well as their IP addresses, company names, repository URLs, and so on.

In 2022, threat actors were caught using fake CircleCI email notifications to steal users' GitHub accounts. CircleCI reassured users at the time that its own systems were secure, since the phishing attempts did not necessarily stem from a fresh compromise. Still, threat actors are known to target the customers of breached companies with phishing scams using email addresses obtained in an earlier breach (such as the one discovered in 2019).
 
Regarding the security incident announced on Wednesday, the company apologized to everyone inconvenienced by the announcement. Once the investigation is concluded, the company intends to share additional details about the incident in the coming days.

GitHub: Why it's a Hotspot of Attackers & How to Stay Secure?

 

Okta disclosed a security breach last week in which an attacker accessed its GitHub-hosted source code. That is merely the latest in a long line of attacks that have succeeded in reaching corporate source code on GitHub; the GitHub accounts of Dropbox, Gentoo Linux, and Microsoft have all been targeted before.

GitHub is the most popular source code management service for both private enterprise code and open source code, with 90 million active users. It is a significant component of the world's basic infrastructure and the custodian of some of the most sensitive resources and data. It makes sense, then, that source code is becoming a more popular target for attackers. In some cases, as with Okta, the source code itself is what they are after.

If a hacker gains access to private source code, they can review it for security holes and then exploit those flaws in subsequent attacks. Attackers can also harvest hard-coded keys, passwords, and other credentials stored in GitHub to reach databases and cloud services hosted on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP). A single stolen repository can yield intellectual property, valid login credentials, and a ready-made list of exploitable production software vulnerabilities.

Using this approach, the hacking group Shiny Hunters, which is known to target private GitHub repositories in particular, has compromised a number of businesses and sold their data on several Dark Web marketplaces.

GitHub is without doubt an essential component of an organization's infrastructure, but securing it is a difficult identity security problem. Unrestricted collaboration is one of the GitHub model's greatest strengths, but it also presents one of the largest challenges to contemporary IT security.

Think about it: by 2022, everyone who is even vaguely technical has a GitHub account, and that one account does everything. It lets us work on personal side projects, contribute to open source, and contribute to public and private repositories ultimately owned by our employers. That is a lot of work for a single identity!

The "Sign in with GitHub" function also lets you use your GitHub identity on websites and services beyond GitHub itself. What makes GitHub distinctive is that git operations over HTTPS and SSH, which download, push, and clone code between GitHub's servers and your local machine, also require your GitHub identity, whereas other services only require you to sign in to their websites.

When GitHub announced last year that it was deprecating usernames and passwords for git operations, it was clear the company was aware of these security concerns. That was a positive step.

Tips for Securing Your GitHub

While GitHub offers tools to secure the environment, businesses must understand how to employ them. Unfortunately, some of the most important security features require GitHub Enterprise. Nonetheless, it's crucial to take measures like:
  • Don't allow personal accounts for work
  • Don't allow outside collaborators
  • Require authentication via company SSO
  • Require 2FA on all accounts
  • Audit, analyze, and audit again
Although not the first such incident, the hack of Okta's GitHub repository is a potent illustration of how difficult it is to safeguard identities within businesses. We see account takeover incidents involving employees and contractors on a daily basis. Weak authentication, lenient rules for personal email accounts, and the constant expansion of the identity attack surface all contribute.

GitHub Introduces Private Flaw Reporting to Secure Software Supply Chain


GitHub, a Microsoft-owned code hosting platform, has announced the launch of a direct channel for security researchers to report vulnerabilities in public repositories that allow it. The new private vulnerability reporting capability allows repository administrators to enable security researchers to report any vulnerabilities found in their code to them. 

Some repositories include instructions on how to contact the maintainers to report a vulnerability, but for those that do not, researchers frequently report issues publicly. Whether the researcher reports the vulnerability through social media or by creating a public issue, the vulnerability details end up public before a fix is available.

To avoid such situations, GitHub has implemented private reporting, which lets researchers contact the maintainers of repositories that have opted in directly. If the functionality is enabled, reporting security researchers are given a simple form to fill out with information about the identified problem.

According to GitHub, "anyone with admin access to a public repository can enable and disable private vulnerability reporting for the repository." When a vulnerability is reported, the repository maintainer is notified and can either accept or reject the report or ask additional questions about the issue.

According to GitHub, the benefits of the new capability include the ability to discuss vulnerability details privately, receiving reports directly on the same platform where the issue is discussed and addressed, initiating the advisory report, and a lower risk of being contacted publicly.

Private vulnerability reporting can be enabled from the repository's main page's 'Settings' section, in the 'Security' section of the sidebar, under 'Code security and analysis.' Once the functionality is enabled, security researchers can submit reports by clicking on a new 'Report a vulnerability' button on the repository's 'Advisories' page.

The private vulnerability reporting was announced at the GitHub Universe 2022 global developer event, along with the general availability of CodeQL support for Ruby, a new security risk and coverage view for GitHub Enterprise users, and funding for open-source developers.

The platform will provide a $20,000 incentive to 20 developers who maintain open-source repositories through the new GitHub Accelerator initiative, while the new $10 million M12 GitHub Fund will support future open-source companies.

Drizly Sued by FTC Over Data Breach Which Affected 2.5 Million Customers

The Federal Trade Commission is taking legal action against the alcohol delivery company Drizly and its CEO James Cory Rellas over claims that the company's security lapses resulted in a data breach that exposed the personal information of roughly 2.5 million customers.

The FTC claims that the Uber-owned booze delivery business and its CEO were made aware of security concerns as early as 2018.

Drizly, an Uber subsidiary, runs an online marketplace where local shops can sell alcohol to customers who are of legal drinking age. The complaint alleges that, in the course of its business, Drizly gathered and stored users' email addresses, passwords, geolocation data, and postal addresses on the Amazon Web Services (AWS) cloud computing service.

According to the FTC, Drizly's lax security procedures, such as not requiring employees to use two-factor authentication for GitHub, where it stored login credentials, made the breach possible. The FTC further notes that Drizly had no senior executive in charge of its security practice and did not restrict employees' access to consumers' personal information.

According to Samuel Levine, Director of the FTC's Bureau of Consumer Protection, "our proposed order against Drizly not only limits what the firm can retain and collect going ahead but also ensures the CEO suffers penalties for the company's negligence."

In its lawsuits and rulings, the FTC has been naming company officials more frequently. As CEO of Drizly, Rellas was accused by the FTC of failing to appoint a senior executive to manage security procedures. Companies may wish to make sure they hire a senior official in charge of security to help reduce the potential for individual liability for CEOs.

The FTC will publish these draft orders soon, and the public will have 30 days to comment on them before the commission decides whether to make them final.

GitHub: Repositories Selling Fake Microsoft Exchange Exploits


Researchers have detected threat actors impersonating security researchers and selling proof-of-concept ProxyNotShell exploits for the recently discovered Microsoft Exchange zero-day vulnerabilities.

GTSC, a Vietnamese cybersecurity firm, confirmed last week that its customers were being attacked using two new zero-day vulnerabilities in Microsoft Exchange.

On being notified of the vulnerabilities, Microsoft confirmed that the bugs were being exploited in attacks and that it was working on an accelerated timeline to release security updates.

“Microsoft observed these attacks in fewer than 10 organizations globally. MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organization," Microsoft states in an analysis.  

Following the disclosures by Microsoft and GTSC, threat actors launched a campaign exploiting interest in the Exchange flaws by creating GitHub repositories that claim to offer exploits.

Microsoft has since been tracking the flaws as CVE-2022-41040 and CVE-2022-41082, describing the first as a Server-Side Request Forgery (SSRF) bug, while the second allows attackers to conduct remote code execution (RCE) attacks via PowerShell.

In one such instance, a threat actor impersonated the well-known security researcher Kevin Beaumont (aka GossiTheDog), who has been documenting the recently discovered Exchange flaws and the available mitigations.

The fraudulent repositories contain nothing of value: the README.md restates what is currently known about the vulnerabilities, followed by a pitch offering one copy of the PoC exploit for the zero-days for sale.

The README file consists of a link to a SatoshiDisk page, where the threat actor attempts to sell the fake exploit for 0.01825265 Bitcoin, worth $364. 

Since the security researchers are keeping the technical details of the exploit private, it seems only a small number of threat actors currently have a working exploit.

In light of this, other researchers and threat actors are waiting for the vulnerabilities to be publicly disclosed before using them in their own operations, whether to protect a network or to hack into one.

Evidently, more threat actors are looking to take advantage of this situation. Since genuine Microsoft Exchange Server zero-day exploits could be traded for hundreds of thousands of dollars, one must be cautious about handing over any money or cryptocurrency to anyone suspicious who claims to have an exploit.

Lorenz Ransomware: Network Breach via VoIP

A ransomware group has been spotted adopting an unusual initial-access technique: infiltrating commercial phone systems through voice-over-IP (VoIP) devices before pivoting into corporate networks to carry out double-extortion operations.

An unnamed organization was hit by the Lorenz ransomware strain, according to a team at Arctic Wolf.

Lorenz Ransomware 

The Lorenz encryptor is similar to the ones employed by a prior ransomware operation known as ThunderCrypt, according to Michael Gillespie of ID Ransomware.

This gang is also known for offering other hackers access to its victims' internal systems, along with the material stolen prior to encryption, in order to pressure its victims into paying a ransom.

If the ransom is not paid, Lorenz leaks the stolen material as password-protected RAR archives and later also publishes the password to open them, giving the general public access to the files.

VoIP Threats

According to Arctic Wolf researchers, Lorenz used a vulnerability in the Mitel VoIP appliance (described below) to gain a reverse shell, and the group then used Chisel, a fast TCP/UDP tunnel written in Go and transported over HTTP, as a tunneling tool to pivot into the corporate environment. According to the GitHub page, "the tool is mostly useful for going through firewalls."

The attacks demonstrate a shift by threat actors toward using 'lesser recognized or monitored assets' to gain access to networks and engage in further criminal activity, the researchers added.

CrowdStrike published a blog post about the Mitel vulnerability and a possible ransomware attack attempt using the same CVE back in June. Since then, Mitel has patched this critical zero-day flaw and urged all customers to apply the fix. After providing a remediation script for vulnerable MiVoice Connect versions in April, Mitel resolved the problem by delivering security updates in the first half of June 2022.

The hackers then pivoted into the network using the open-source TCP tunneling application Chisel. Following initial access, the group waited for over a month before moving laterally, using FileZilla to exfiltrate data, and encrypting ESXi systems with BitLocker and Lorenz ransomware.

Considering that Mitel Voice-over-IP (VoIP) products are used by businesses in critical industries around the world, including government agencies, and that, according to security researcher Kevin Beaumont, over 19,000 devices are currently exposed to attacks over the Internet, this is a significant addition to the gang's toolkit.

Threat actors have also exploited other security holes in Mitel devices to launch record-breaking DDoS amplification attacks. Since at least December 2020, the Lorenz ransomware group has been targeting enterprises all across the world, extorting hundreds of thousands of dollars from each victim.

U.S. Bans Crypto Mixing Service Tornado Cash

A 29-year-old man was detained in Amsterdam on Friday, according to the Dutch tax authority's investigative department (FIOD), which suspects him of working as a developer for Tornado Cash, a cryptocurrency mixing service that the US had sanctioned earlier in the week.

The Dutch agency's action further demonstrates the increasing interest that governments are taking in so-called crypto mixers. Another cryptocurrency mixing service, Blender, was sanctioned by the Office of Foreign Assets Control earlier this year.

Sanctions against the service were imposed by the US Treasury Department on Monday. According to reports, North Korean state hackers used Tornado Cash to launder billions of dollars.

The Block identified the Tornado Cash engineer as Alexey Pertsev, although FIOD did not release his name. According to FIOD, Tornado Cash "has been utilized to mask large-scale criminal money flows, particularly from data thefts of cryptocurrencies so-called crypto hacks and scams."

The platform works by pooling and scrambling digital assets from thousands of addresses, mixing funds that may have been obtained illegally with funds that were obtained legally, to obscure the trail back to an asset's original source. This gives criminals a way to hide the origin of stolen money.

After the U.S. sanction, a variety of companies have banned or deleted accounts connected to Tornado Cash, including GitHub, Circle, Alchemy, and Infura.

On the news, the Tornado Cash token TORN fell from $16.5 to $13.7, furthering this month's fall. According to CoinMarketCap, the token's decline during the past seven days has exceeded 50%.

The latest findings point to the growing scrutiny of cryptocurrency mixing services as a suspected means of cashing out illicitly obtained cryptocurrency.

This includes the cash-strapped North Korean government, which is known to rely on cyberattacks on the cryptocurrency industry to steal virtual money and circumvent the trade and economic sanctions placed on the country.

Nearly 100,000 NPM Users' Credentials Stolen in GitHub OAuth Breach


According to GitHub, the attackers were able to obtain the credentials of over 100K NPM users during the April incident. In April, GitHub discovered threat actors using stolen OAuth user tokens to access repositories and take confidential data from other organisations.

The attackers used stolen OAuth user tokens issued to Heroku and Travis-CI, two third-party OAuth integrators, to extract data from dozens of organisations, including npm. The attacker did not obtain these tokens through a compromise of GitHub or its systems, according to GitHub, which does not store the tokens used to access the repositories in their original, usable form.

On April 12, the company initiated an inquiry into a series of unauthorised accesses to data kept in hundreds of organisations' repositories, after its security team discovered unauthorised access to its npm production infrastructure via a compromised AWS API key. Using a stolen OAuth token from one of the two compromised OAuth applications, the threat actors reportedly obtained the AWS API key by downloading a series of unnamed private NPM repositories. GitHub revoked the access tokens associated with the affected applications.

According to an update released by the Microsoft-owned firm, the attackers were able to elevate access to npm infrastructure and view the following files exfiltrated from npm cloud storage: 
  • A backup of skimdb.npmjs.com containing data from April 7, 2021, including an archive of user information from 2015 with npm usernames, password hashes, and email addresses for roughly 100k npm users.
  • All private npm package manifests and package metadata as of April 7, 2021. 
  • A series of CSVs containing an archive of all names and version numbers (semVer) of published versions of all npm private packages as of April 10, 2022. 
  • Private packages from two organizations. 
According to the log analysis and package hash verification, the attackers did not edit any packages in the repository or post any new versions of existing packages. 

A separate investigation uncovered a number of plaintext user credentials for the npm registry that had been captured in internal logs as a result of the integration of npm with GitHub logging systems. The organisation is resetting affected users' passwords and contacting them by email.

“Passwords belonging to the impacted users of the accessed database backup have been reset and these users are being notified. The two organizations that had private packages stolen were notified immediately after analysis confirmed the activity. Over the next few days, we will directly notify those with exposed private package manifests, metadata, and private package names and versions.” concludes the announcement.


GitHub Brings Auto-Blocking Feature Including API Keys and Tokens

GitHub announced this Monday that it has expanded its code hosting platform's secret scanning feature for GitHub Advanced Security customers to automatically block secret leaks. Secret scanning is a premium security feature available to companies that use GitHub's Advanced Security license, giving organizations additional scanning of their repositories. It works by matching patterns defined by the organization or supplied by a partner or service provider. 

Every match is raised as a security alert in the repository's Security tab, or forwarded to the provider if it matches a provider pattern. The latest feature, called push protection, is designed to prevent accidental exposure of credentials before code reaches a remote repository. It embeds secret scanning in the developer's workflow and covers 69 token types (API keys, management certificates, access tokens, private credentials, secret keys) that can be detected with a low false-positive rate. 

"With push protection, GitHub will check for high-confidence secrets as developers push code and block the push if a secret is identified. High-confidence secrets have a low positive rate, so security teams can protect their organizations without compromising developer experience," GitHub reports. If GitHub Enterprise Cloud finds a secret before the code is pushed, the git push is blocked so the developer can review and remove the secret from the code they tried to push to the remote repository. 

"GitHub Advanced Security helps secure organizations around the world through its secret scanning, code scanning, and supply chain security capabilities, including Dependabot alerts and Dependabot security updates that are forever free," says the GitHub blog. 
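As an added example (not GitHub's code; the three patterns are a constructed subset standing in for GitHub's token types), this Python script reproduces the push-protection decision on a sample diff: only added lines are checked, only high-confidence patterns block, and the low-confidence AWS secret key in the same hunk passes through unflagged.

```python
"""Simulated push protection: scan the lines a push would add for high-confidence
secret patterns and refuse the push on any match. Added illustration, not
GitHub's code; the patterns below are a small constructed subset, not GitHub's 69."""
import re
from typing import List, NamedTuple

# High-confidence token formats: distinctive prefixes give a low false-positive
# rate, which is why a single hit can block the push outright.
PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub personal access token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "Private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


class Finding(NamedTuple):
    path: str
    line: int   # line number in the file as it would exist after the push
    kind: str


def scan_diff(diff_text: str) -> List[Finding]:
    """Walk a unified diff and report secrets on added lines only."""
    findings: List[Finding] = []
    path, new_line = "", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith(("diff ", "--- ", "index ")):
            continue
        hunk = HUNK_RE.match(raw)
        if hunk:
            new_line = int(hunk.group(1))   # first line number of the new-file side
            continue
        if raw.startswith("+"):
            for kind, pattern in PATTERNS.items():
                if pattern.search(raw[1:]):
                    findings.append(Finding(path, new_line, kind))
            new_line += 1
        elif raw.startswith(" "):
            new_line += 1   # context line: present in both versions
        # removed ("-") lines and "\ No newline" markers do not advance new_line
    return findings


def push_allowed(diff_text: str) -> bool:
    """The push-protection decision: any high-confidence secret blocks the push."""
    return not scan_diff(diff_text)


# Constructed sample diff. The AKIA value is AWS's documented placeholder key and
# the ghp_ value is all 'a's; neither is a real credential.
FAKE_PAT = "ghp_" + "a" * 36
SAMPLE_DIFF = f"""\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,2 +1,4 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 ALLOWED_HOSTS = ["example.com"]
diff --git a/scripts/deploy.sh b/scripts/deploy.sh
--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
@@ -1,2 +1,4 @@
 #!/bin/sh
+# constructed token value
+export GITHUB_TOKEN={FAKE_PAT}
 ./deploy
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"remote: error: {f.kind} found at {f.path}:{f.line}")
    print("push allowed" if push_allowed(SAMPLE_DIFF) else "push blocked")
```

The 40-character AWS secret access key has no distinctive prefix, so a pattern for it would fire on ordinary base64 strings; leaving it out of the blocking set is the trade-off the quoted "high-confidence" wording describes.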

How to enable Push Protection for your company? 

1. Go to GitHub, and find the page of the company. 
2. Under the organization name, open settings. 
3. In the sidebar section, find "Security," open Code security and analysis. 
4. After that, find "GitHub Advanced Security." 
5. Under "Secret scanning," find "Push protection" and click "Enable all." 
6. Finally, click "Automatically enable for private repositories added to secret scanning."

To Mimic Microsoft, Phishing Employs Azure Static Web Pages


Microsoft Azure's Static Web Apps service is being abused by phishing attacks to harvest Microsoft, Office 365, Outlook, and OneDrive passwords. Azure Static Web Apps is a Microsoft service that allows developers to build and deploy full-stack web apps to Azure from code hosted on GitHub or Azure DevOps.

The campaign was uncovered by the security researcher MalwareHunterTeam. According to the findings, attackers use the service's custom branding and website hosting features to deploy static phishing landing pages. Users of Microsoft, Office 365, Outlook, and OneDrive services are being targeted by attackers who are actively mimicking Microsoft services. 

Several of the web pages and login pages in these phishing attempts are nearly identical to official Microsoft pages. Azure Static Web Apps is a program that uses a code repository to build and publish full-stack apps to Azure. 

The Azure Static Web Apps workflow is built around a developer's everyday routine: apps are built and deployed from code changes. When users create an Azure Static Web Apps resource, Azure works with GitHub or Azure DevOps to watch a branch of their choice, and every time they push commits or accept pull requests into the watched branch, a build runs automatically and the app and API are published to Azure. 

Targeting Microsoft users with the Azure Static Web Apps service is an effective strategy for attackers. Because of the *.1.azurestaticapps.net wildcard TLS certificate, each landing page gets its own padlock in the address bar. After seeing the certificate issued by Microsoft Azure TLS Issuing CA 05 to *.1.azurestaticapps.net, even skeptical targets can be fooled, since it makes a fraudulent site look like an official Microsoft login screen in the eyes of potential victims.

Due to the artificial veil of security supplied by the legitimate Microsoft TLS certs, such landing sites are also useful when targeting users of other platforms, such as Rackspace, AOL, Yahoo, or other email providers. 

The usual advice for spotting a phishing attack is to double-check the URL whenever you are asked to enter your account credentials on a login page. Unfortunately, phishing campaigns that use Azure Static Web Apps render this advice nearly useless, since many users will be fooled by the azurestaticapps.net subdomain and the genuine TLS certificate.

Hackers Can Use a Replay Attack Due to a Honda Vulnerability


A 'replay attack' vulnerability has been discovered in specific Honda and Acura automobile models, allowing a nearby hacker to open the car and even start it from a short distance. The threat actor captures the RF signals transferred from the key fob to the automobile and resends them to gain control of the victim's car's remote keyless entry unit. 

More generally, an attacker can use a replay attack to trick a website or service into granting access by reusing the data that identified the legitimate user. If the attacker can capture and resend a specific string of information, the site can be deceived into believing the legitimate user is present, allowing access to the online account.

Attackers could use CVE-2022-27254 to perform a Man-in-the-Middle (MitM) attack, or more specifically a replay attack, in which the RF signals sent from a remote key fob to the automobile are intercepted and then re-transmitted at a later time to unlock the car at will. 

According to the researchers who discovered the vulnerability, Blake Berry, Hong Liu, and Ruolin Zhou of the University of Massachusetts, together with Cybereason Chief Security Officer Sam Curry, the vulnerability in earlier models is mostly unaddressed. Honda owners, on the other hand, may be able to defend themselves against such an attack. The remote engine start portion of the problem is also demonstrated in a video supplied by the researchers; however, no technical details or proof-of-concept (PoC) exploit code were published at the time. 

The Honda Civic (LX, EX, EX-L, Touring, Si, and Type R) models from 2016 through 2020 are the most afflicted by this issue. In a GitHub repository, Blake Berry explained it was also possible to change the intercepted commands and re-send them to get a completely different result. 

According to the experts' recommendations, automotive manufacturers should include "rolling codes," also known as "hopping codes." This security method responds to each authentication request with a unique code, ensuring the codes cannot be "replayed" by an offender at a later time. However, "At this moment, Honda has no plans to update older vehicles," the company stated. "It's crucial to remember this, while Honda is always improving security features as new models are released, motivated and technologically sophisticated thieves are striving to circumvent those safeguards." 
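To make the rolling-code recommendation concrete, here is an added simulation (not Honda's or any manufacturer's protocol; a toy scheme in which fob and car share a key and a counter, with each press's code derived by HMAC over counter and command) that runs the same capture-and-resend sequence against a fixed-code and a rolling-code receiver.

```python
"""Fixed-code versus rolling-code remote keyless entry, simulated with no RF.
Added illustration with a constructed scheme, not a real manufacturer's design:
"capturing" a frame here is just keeping a reference to the frame dictionary."""
import hashlib
import hmac
from dataclasses import dataclass


def rolling_code(key: bytes, counter: int, command: str) -> bytes:
    """Per-press code: HMAC-SHA256 over counter and command, truncated to 8 bytes."""
    msg = counter.to_bytes(4, "big") + command.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


@dataclass
class FixedCodeFob:
    """Legacy design: every press sends the same static code, whatever the command."""
    code: bytes

    def press(self, command: str) -> dict:
        return {"command": command, "code": self.code}


@dataclass
class FixedCodeReceiver:
    code: bytes

    def accept(self, frame: dict) -> bool:
        # Nothing ties the code to a counter or to the command, so a captured
        # frame is accepted again, even with its command field edited.
        return hmac.compare_digest(frame["code"], self.code)


@dataclass
class RollingCodeFob:
    key: bytes
    counter: int = 0

    def press(self, command: str) -> dict:
        self.counter += 1
        code = rolling_code(self.key, self.counter, command)
        return {"command": command, "counter": self.counter, "code": code}


@dataclass
class RollingCodeReceiver:
    key: bytes
    last_counter: int = 0
    window: int = 16  # presses made out of the car's range that are still tolerated

    def accept(self, frame: dict) -> bool:
        counter = frame["counter"]
        # Counters at or below the last accepted value are replays; counters too
        # far ahead are rejected so the receiver never resyncs to arbitrary values.
        if not self.last_counter < counter <= self.last_counter + self.window:
            return False
        expected = rolling_code(self.key, counter, frame["command"])
        if not hmac.compare_digest(expected, frame["code"]):
            return False  # wrong key, or the command was edited after capture
        self.last_counter = counter
        return True


def replay_scenario() -> dict:
    """Run capture, replay, and command-edit attempts against both designs."""
    results = {}
    fixed_fob, fixed_car = FixedCodeFob(b"\x2a" * 8), FixedCodeReceiver(b"\x2a" * 8)
    captured = fixed_fob.press("unlock")                      # owner presses, frame recorded
    results["fixed_legit_accepted"] = fixed_car.accept(captured)
    results["fixed_replay_accepted"] = fixed_car.accept(captured)          # resent later
    results["fixed_modified_accepted"] = fixed_car.accept({**captured, "command": "start"})

    key = b"constructed-shared-secret"
    fob, car = RollingCodeFob(key), RollingCodeReceiver(key)
    captured = fob.press("unlock")
    results["rolling_legit_accepted"] = car.accept(captured)
    results["rolling_replay_accepted"] = car.accept(captured)              # counter already used
    fresh = fob.press("lock")                                 # not yet seen by the car
    results["rolling_modified_accepted"] = car.accept({**fresh, "command": "start"})
    results["rolling_fresh_accepted"] = car.accept(fresh)     # unedited frame is fine
    for _ in range(3):                                        # presses out of range
        fob.press("lock")
    results["rolling_skip_accepted"] = car.accept(fob.press("unlock"))     # inside window
    return results


if __name__ == "__main__":
    for name, ok in replay_scenario().items():
        print(f"{name:28s} {ok}")
```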

When not in use, key fobs should be stored in signal-blocking 'Faraday pouches'; however, this will not prevent a determined attacker from eavesdropping on signals when the fob is used. Consumers should choose Passive Keyless Entry (PKE) over Remote Keyless Entry (RKE), which makes it much harder for an intruder to clone or read the signal because of how close they would need to be to do so.

Lazarus APT Cell Exploits the Windows Update Client


According to experts at a cybersecurity firm, Lazarus, a notable hacking organization with ties to the North Korean government, has been using the Windows Update client to spread malware as part of a new spear-phishing campaign.

The North Korean nation-state hacking outfit known as the Lazarus Group, also tracked as APT38, Hidden Cobra, Whois Hacking Team, and Zinc, has been operating since at least 2009. The threat actor was tied to a sophisticated social engineering campaign aimed at security researchers last year. 

The two macro-embedded messages seem to be enticing the targets about new Lockheed Martin job opportunities: 
  • Lockheed Martin JobOpportunities.docx 
  • Salary Lockheed Martin job opportunities confidential.doc 

Both of these documents were created on April 24, 2020, but enough evidence indicates they were used in a campaign between late December 2021 and early 2022; the threat actor's domains are one piece of that evidence. The attack begins when the malicious macros hidden in the Word document are executed. 

The malware executes a series of implants in order to gain startup persistence on the target computer and inserts code into the computer's restart system to ensure a restart does not knock down the virus.

Researchers discovered evidence that the threat group used GitHub as a command and control (C2) site for its attacks. According to the researchers, Lazarus' use of GitHub as a C2 is uncommon, and this is the first time the group has been seen doing so. 

The campaign's attribution to the Lazarus APT is based on different facts as stated below: 
  • The usage of employment opportunities as a template is something Lazarus has done before.
  • Defense industry targets, particularly Lockheed Martin, are well-known targets for North Korea-linked APTs. 
  • The metadata utilized in this campaign connects the documents to various other materials used by Lazarus previously.