Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label GitLab. Show all posts
Vietnam
Cyberattacks GitLab Info Stealer malware MrTonyScam Phishing Attack Python-based Malware Vietnam

MrTonyScam: Python-based Stealers Deployed via Facebook Messenger


A new phishing attack has recently been witnessed in Facebook Messenger where messages are being transferred with malwares attached to them, hailing from a "swarm of fake and hijacked personal accounts" and their aim is accessing targets’ business accounts. 

The attack, referred to as ‘MrTonyScam,’ executes its attacks by sending messages to their targets compelling them to click on their RAR and ZIP archive attachments, and launching a dropper that downloads the subsequent stage from a GitHub or GitLab repository.

Oleg Zaytsev, Guardio Labs researcher states in an analysis published over the weekend, "Originating yet again from a Vietnamese-based group, this campaign uses a tiny compressed file attachment that packs a powerful Python-based stealer dropped in a multi-stage process full of simple yet effective obfuscation methods."

This payload is another archive file with a CMD file inside of it. The CMD file then contains an obfuscated Python-based stealer that exfiltrates all cookies and login information from various web browsers to a Telegram or Discord API endpoint that is under the control of an actor.

A significantly interesting tactic used by the threat actors is how they delete all cookies once they have stolen them in order to block their victims from their own accounts. They further hack the victim’s session with the help of the stolen cookies, changing passwords and thus acquiring complete control. 

Also, there have been speculations that the threat actors are based in Vietnam, considering the presence of Vietnamese language references in the source code of the Python stealer. For instance, there has been the inclusion of ‘Cốc Cốc,’ which is a Chromium-based browser used popularly in Vietnam. 

Guardio Labs discovered that the campaign has experienced a high success rate, with 1 out of 250 victims being estimated to have been infected over the last 30 days alone, despite the fact that the infection needs user input to download a file, unzip it, and execute the attachment.

Among other countries, the United States, Australia, Canada, France, Germany, Indonesia, Japan, Nepal, Spain, the Philippines, and Vietnam have reported the majority of the compromises.

"Facebook Accounts with reputation, seller rating, and high number of followers can be easily monetized on dark markets[…]Those are used to reach a broad audience to spread advertisements as well as more scams," Zaytsev noted.

The aforementioned reveal came in days after WithSecure and Zscaler ThreatLabz reported the newly launched Ducktail and Duckport campaigns that targeted Meta Business and Facebook accounts using ‘malverposting’ tactics.

"The Vietnamese-centric element of these threats and high degree of overlaps in terms of capabilities, infrastructure, and victimology suggests active working relationships between various threat actors, shared tooling and TTPs across these threat groups, or a fractured and service-oriented Vietnamese cybercriminal ecosystem (akin to ransomware-as-a-service model) centered around social media platforms such as Facebook," WithSecure noted.  

Read more »
Technology News
Cyber Security GitLab Software Supply Chain supply chain security Technology News

GitLab: Security and Governance Solutions Enhanced to Secure Software Supply Chain

 

GitLab has confirmed new security and compliance features and a number of enhancements in its platform to aid organizations to secure their software supply chain. 

A Global DevSecOps Survey by GitLab in 2022 found that security was amongst the highest priority investment areas for an organization, with 57% of security experts’ surveys indicating that their organizations have already shifted security left or plan to this year. 

GitLab has increased its focus on governance to help teams identify risks by offering visibility into their projects' dependencies, security findings, and user activities with increasing regulatory and compliance needs for the organization. 

The new enhancements on the other hand provide developers with tools that could scan any vulnerability and deploy controls in order to secure applications. Additionally, the developers have access to secure coding guidance involved in the GitLab platform. 

The new capabilities include security policy management, compliance management, events auditing, and vulnerability management. A dependency management capability to help developers track vulnerabilities in dependencies they are using will be available at a later date. Organizations will be able to automatically scan for vulnerabilities in source code, containers, dependencies, and applications in production, says Gitlab. 

These capabilities, along with a broad range of security testing capabilities such as static application security testing (SAST), secret detection, dynamic application security testing (DAST), API security, fuzz testing, dependency scanning, license compliance, and container scanning, aids the organization to acquire security and compliance of their software supply chain constantly, without giving in on speed and agility. 

In regards to the recent enhancement in the security and compliance features, VP of Product at GitLab David DeSanto says, “To stay competitive and propel digital transformation, organizations need to be great at developing, operating, and securing software. Security needs to be embedded in all stages of the software development lifecycle, not treated as an afterthought.” 

“Our enhanced security and governance capabilities make GitLab a comprehensive DevSecOps solution to help secure an organization’s software supply chain”, he continued.
Read more »
Vulnerabilities and Exploits
Bug Bounty CSRF vulnerability DDOS Attacks GitLab Vulnerabilities and Exploits

GitLab Fixes Several Vulnerabilities Reported by Bug Bounty

 

With an update to its software development infrastructure, Gitlab has addressed numerous vulnerabilities — including two high-impact online security flaws. 

GitLab is a web-based DevOps life cycle platform providing an open-source license from GitLab Inc. to offer wiki, problem-tracking, and continuous pipeline integration and deployment capabilities. Ukrainian programmers Dmytro Zaporozhets and Valery Sizov have designed the program.

In GitLab's GraphQL API, a cross-site request forgery (CSRF) has developed a mechanism for an attacker to call modifications while they are impersonating as their victims. 

Cross-Site Request Forgery (CSRF) is an attack that causes an end-user in a web application to perform undesirable activities wherein he or she is presently authenticated. Users of a web application may be lured towards carrying out activities of an attacker using some social engineering support (such as delivering a link by email or chat). If the target is a regular user, a successful CSRF attack can force the user to make modifications such as money transfers, email addresses, etc. CSRF can compromise the whole web application when the victim is an administration account. 

The Gitlab Webhook feature could be exploited for denial- of service (DoS) attacks because of a second high-level security vulnerability. 

An attack by a Denial-of-Service (DoS) is designed to shut down a user computer system or network, which makes it unreachable to its intended users. DoS attacks achieve this by flooding or delivering information to the target causing a crash.

'Afewgoats' researchers have identified DoS vulnerability and reported it through a HackerOne-operated GitLab bug reward program. 

For both higher intensity vulnerabilities, CVE trackers were requested, although identification is not yet assigned. The Daily Swig was told by Ethical hackers that they had been working on a strategy for attacking webhook services. 

"The webhook connections usually have timeouts set, but my badly-behaving webserver can bypass them and keep the connection open for days," afewgoats explained. "It's the only Denial of Service, but it could tie up huge amounts of memory on the victim servers." 

"So far it's been successful against PHP, Ruby, and Java targets," they added. 

Through updating installations to a new version of GitLab, CRSF and DoS issues and a range of minor errors can be rectified. 

As a security advisory from GitLab, the platform upgrade addresses 15 medium severity and two low-impact issues. These add-on vulnerabilities also include a clipboard DOM-based cross-site scripting (XSS) issue, a reflected XSS in release edit pages, and the audit log problem of the stored XSS.
Read more »
spammers
Cyber Attacks GitLab PyPI shady websites spammers

PyPI and GitLab Witness Spam Attacks

 

The GitLab, a source code hosting website, and the Python Package Index (PyPI) portal both are flooded with advertisements for shady websites and assorted services by the spammers. However, both the attacks have no links to each other. 

The PyPI attack in which it is flooded with more than 10,000 listings is the biggest of the two attacks. The Python Package Index (PyPI) is a Python programming language software repository. PyPI allows the user to search and install Python community applications. To deliver their applications, package developers use PyPI. It also hosts tens of thousands of Python libraries. The fact that anybody can create entries in PyPI's website for Python Libraries, which were essentially used as massive SEO advertising for various shady pages, lately has been misused by the spammers. 

These pages typically featured a broth of search-engine-friendly keywords for different topics that varied from games to pornography and films to presents, and a compressed link at the bottom, mostly pointing to a platform attempting to receive data from the payments card. Though the PyPI team has accepted and affirmed that they are aware of the SEO spam flood. "Our admins are working to address the spam," stated Ewa Jodlowska, Executive Director of the Python Software Foundation. She further added, "By the nature of pypi.org, anyone can publish to it, so it is relatively common." 

Although the PyPI spam attack seems to have been going on for at least a month, another new attack has been found at GitLab, a website that allows developers and companies to host and sync the work on source code repositories. A danger that is still unidentified seems to spam the Issues Tracker for thousands of GitLab ventures that each prompted an e-mail to account owners with spam contents. Similar to PyPI spam, these comments have diverted users to shady websites. 

Certainly, GitLab was not prepared for any such attack since the e-mail infrastructure had slackened, interrupted, and queued legit e-mails according to an incident status report published by the company. They said, “We confirmed that mail latency was caused by a user’s spam attack. Mitigation is in progress, as we drain the offending job processing queues.” 

Spamming source code repository seems to be a new strategy for spamming communities, who have generically targeted their comments of shady links on websites, forums, and news portals in recent years. Although spam isn't an attractive attack vector, many businesses frequently struggle to protect servers, web applications and subdomains and often end up exploiting these services to host or actually participate in spam attacks.
Read more »
Subscribe to: Posts (Atom)