Search This Blog

Showing posts with label Hijacking. Show all posts

Popular Python and PHP LIbraries Hijacked to Steal AWS Keys


A software supply chain assault has compromised the PyPI module 'ctx,' which is downloaded over 20,000 times per week, with malicious versions collecting the developer's environment variables. The threat actor even replaced older, secure versions of 'ctx' with code that gathers secrets like Amazon AWS keys and credentials by exfiltrating the developer's environment variables. 

In addition, versions of a 'phpass' fork released to the PHP/Composer package repository Packagist had been modified in a similar way to steal secrets. Over the course of its existence, the PHPass framework has had over 2.5 million downloads from the Packagist repository—though malicious variants are thought to have received significantly fewer downloads. 

The widely used PyPI package 'ctx' was hacked earlier this month, with newer released versions leaking environment variables to an external server. 'ctx' is a small Python module that allows programmers to manipulate dictionary ('dict') objects in various ways. Despite its popularity, the package's developer had not touched it since 2014, according to BleepingComputer. Newer versions, which were released between May 15th and this week, contained dangerous malware. 

The corrupted 'ctx' package was initially discovered by Reddit user jimtk. Somdev Sangwan, an ethical hacker, also revealed that the PHP package 'phpass' had been infiltrated, with tainted copies of the library taking developers' AWS secret keys. Although the malicious 'ctx' versions have been removed from PyPI, copies acquired from Sonatype's malware archives show the presence of harmful code in all 'ctx' versions. 

It's also worth noting that the 0.1.2 version, which hadn't been updated since 2014, was replaced this week with a malicious payload. Once installed, these versions gather all your environment variables and upload these values to the following Heroku endpoint: https://anti-theft-web.herokuapp[.]com/hacked/. At the time of analysis, the endpoint was no longer active. 

In a similar attack, the fork of 'hautelook/phpass,' a hugely popular Composer/PHP package, was hacked with malicious versions released to the Packagist repository. PHPass is an open-source password hashing framework that may be used in PHP applications by developers. The framework was first released in 2005 and has since been downloaded over 2.5 million times on Packagist. 

This week, BleepingComputer discovered malicious commits to the PHPass project that stole environment variables in the same way. The modified 'PasswordHash.php' file in PHPass looks for the values 'AWS ACCESS KEY' and 'AWS SECRET KEY' in your environment. Following that, the secrets are uploaded to the same Heroku endpoint. The presence of similar functionality and Heroku endpoints in both the PyPI and PHP packages suggests that both hijacks were perpetrated by the same threat actor. 

According to the researchers, the attacker's identity is evident. However, this could have been a proof-of-concept experiment gone wrong, and it would be irresponsible to name the individual behind the 'ctx' and 'phpass' hijack until additional information becomes available. Furthermore, while the malicious PyPI package 'ctx' remained active until later today, the impact of malicious 'PHPass' versions appears to have been far more limited after Packagist co-founder Jordi Boggiano marked the hijacked repository as "abandoned" and advised everyone to use bordoni/phpass instead. 

The hijacking of PyPI package 'ctx' is said to have been caused by a maintainer account compromise, but the true cause has yet to be discovered. The attacker claiming a previously abandoned GitHub repository and reviving it to publish altered 'phpass' versions to the Packagist registry has been ascribed to the hack of hautepass/phpass. 

Security Innovation, a cybersecurity organisation, previously dubbed this type of attack "repo jacking." Intezer and Checkmarx recently produced a joint study based on this research and how it can affect Go projects, termed it "chainjacking." This hijacking comes on the back of a PyPI typosquat being detected deploying backdoors on Windows, Linux, and Macs.

Severe Remote Code Execution Flaws Discovered in Motorola Halo+ Baby Monitors


On Tuesday, Randy Westergren, a cybersecurity expert, published his study on the Motorola Halo+, a popular baby monitor. He revealed two severe flaws in the protocol and remote code execution (RCE) of the Motorola Halo+ that would allow threat actors to hijack the device. 

The Motorola Halo+ comprises an over-the-crib monitor, a handheld unit for parents, and a Wi-Fi-connected mobile application to monitor children that works in Full HD. 

Westergren, engineering director of US financial services company Marlette Funding discovered the flaws when he and his wife were hunting for a suitable monitor for their first child and selected the Motorola Halo+ as their preferred option. 

After securing the device, Westergren started examining its listening services and discovered a pre-authentication RCE security flaw (CVE-2021-3577) and the tools to obtain a full root shell. Examining system logs made it possible to identify the app’s API requests that gather information regarding its usage. 

The researcher also analyzed HTTP-based communication and how the app’s local API operated. Westergren was able to use local API commands to identify GET and SET lists, as well as “value” parameters that would accept user input, “potentially leading to RCE if not properly sanitized”.

Westergren then injected a reboot payload and used the device to perform the ‘set_city_timezone’ process. His action initiated a reboot, which granted the device shell access. He also discovered a flaw in the execution of MQTT (CVE-2021-3787) – an IoT messaging standard. 

Westergren identified that the client was set up to subscribe to #and $SYS/# by default, lowering Hubble device access control security. “A number of commands result from various devices. Though I did not attempt this, I think it was very likely that a client could easily control the entire device fleet by publishing arbitrary commands,” the researcher noted. 

While the product belongs to Motorola Mobility, its manufacturing unit was acquired by Lenovo in 2014. According to Westergren, after receiving the initial report, Lenovo’s security team has immediately started working on resolving the issues in Motorola Halo.

According to the latest updates from the tech giant, the first set of patches is incomplete, and as a result, the product would be delayed further. Both the RCE and MQTT problems have been fixed in firmware versions 3.50.06 and 3.50.14., the Official Site for Perl Programming Language Hijacked


The domain was made in 1994 and was the official site for the Perl programming language, it is enlisted with the registrar key-systems(.)net. An admonition went up on the foundation weblog overnight telling clients that was now directed to a parking site and exhorted against visiting "as there are some signals that it may be related to sites that have distributed malware in the past." 

“The domain was hijacked this morning and is currently pointing to a parking site. Work is ongoing to attempt to recover it.” reads the announcement published on the Perl NOC on 27th January 2021.

The hijack seems to have followed the deeply rooted way of an assailant jumping on a compromised account and swiping the domain instead of a simple expiration. The assailants changed the IP address from to 35.186.238[.]10. After the hackers took control over the site, it was showing a clear page whose HTML contains GoDaddy parked domain scripts. 

Posting on Reddit, Brian Foy, editor on the site and writer of a few books on Perl, said: "It looks like there was an account hack. I don't know how long that would take to rewind. We're looking for people who have actual experience dealing with that situation so we can dispute the transfer." was unaffected by the swipe. 

A look at the domain records shows the contact data is currently "REDACTED FOR PRIVACY". Gordon Lawrie – self-announced cyberlaw, trademark, and domain nerd – said that before the change Tom Christiansen was listed as the domain administrative contact. While the Perl group still can't seem to react to the solicitation for a remark, the hijacking of Christiansen's record appears to be a possibility. The expiry likewise seems to have been extended out to 26 January 2031.

Not long after the hijacking, the domain turned up as accessible to purchase for $190k on, presently recorded as a name server in the domain record at the time of writing. The listing included other expensive domains, including for a simple $125k, from client drawmaster. Afternic is an essential part of the GoDaddy association and, not long after when it was approached, the listing was pulled.

EA Origin Security Flaw Exposed over 300 Million Gamers to Account Takeovers

In the wake of the discovery of an EA based vulnerability, EA origin has been forced to re-examine its module for security and safety as the flaw could have potentially exposed millions of gamers to account takeovers.

As per the findings and research of specialists at Check Point and CyberInt, the vulnerability affected over 300 million gaming enthusiasts playing online games namely FIFA, Madden NFL, NBA Live and Battlefield.

The vulnerability relied on an alternate authentication method known as, Access Tokens which are like passwords; by stealing a Single Sign-On authorization token, the security flaw would have given complete authority into the hands of the hackers, who further would have been able to hijack player's accounts without needing the login or password.

Stealing 'Access Tokens' can be a bit more complex than stealing passwords, however, it still is possible. It's because users have been enlightened against providing passwords on dubious websites, hackers now resort to accessing access tokens rather than the passwords. Moreover, it can be carried out behind the scenes without needing any active participation from the user.

On Wednesday, commenting on the matter, Oded Vanunu, head of products vulnerability research for Check Point, told, "EA's Origin platform is hugely popular, and if left unpatched, these flaws would have enabled hackers to hijack and exploit millions of users' accounts,"

Referencing from the statements given by Alexander Peleg in an email in the regard, "We had the vulnerabilities under control so no other party could have exploited them during the period it took EA to fix," 

Millions of Peoples’ Data Exposed On The Dark Web Via an Unprotected Database; Hackers At Advantage

Quite recently, a badly secured database fell prey to hijacking by hackers. Millions of users’ data was exposed. It was discovered by “Shodan Search Engine” last month. An infamous hacking group is speculated to be the reason.

A gigantic database containing records of over 275 million Indian citizens was found unprotected and now in the hands of a hacking group.

The database which was exploited comes from a widely used name of “MongoDB”.

The data in it seems to have come from various job portals, in light of the fields that were found out to be of “Resume IDs”, “functional areas” and “industry”.

Along with some not so confidential information some really personal details like name, email ID, gender, date of birth, salary and mobile number were found.
Reportedly, a hacking group which goes by the name of “Unistellar group” happens to be behind the hijacking of this already unprotected database.

Immediately after the unsafe database was discovered the cyber-security expert had informed the Indian Computer Emergency Response Team but in vain.

The database was open and laid bare for anyone to advantage for at least two weeks.

The owner of the database is yet to be known and it seems that it’s owned by an anonymous person or organization.

The details of over 275 million people were out but as it turns out no Indian job portal holds information of members of such a large number. 

A Critical Vulnerability Assisting Attackers in Gaining Access to Live Video Streaming

Researchers discover a rather critical vulnerability in the D-Link cloud camera that enabled attackers to hijack and intercept the camera in order to gain access to the live video streaming as well as recorded videos by means of communicating over unencrypted channel between the camera and the cloud and between the cloud and the client-side viewer app.

The communication request between the application and the camera built up over a proxy server utilizing a TCP tunnel which is the only place the traffic is encrypted. This blemish enables an attacker to play out a Man-in-the-Middle attack and intercept the said connection with the intend to spy on the victims' video streams.

 Rest of the sensitive content, like the camera IP and MAC addresses, version information, video and audio streams, and the extensive camera information are going through the unencrypted tunnel.

The vulnerability dwells in D-Link customized open source boa web server source code file called request.c which is dealing with the HTTP solicitation to the camera. For this situation, all the approaching HTTP demands or requests that handle by this file elevated to admin enabling the attacker to gain a total device access.

According to ESET Research, “No authorization is needed since the HTTP requests to the camera’s web server are automatically elevated to admin level when accessing it from a localhost IP (viewer app’s localhost is tunneled to camera localhost).”

What's more, this weakness lets the hackers to supplant the real firmware with their own fixed or backdoored variant.

An attacker, who is sitting amidst the system traffic between the viewer application and the cloud or between the cloud and the camera, can see the HTTP demands or requests for the video and audio packets utilizing the data stream of the TCP connection on the server and accordingly answer and recreate these captured packets whenever wherever.

Emotet trojan is back with a bang

Emotet gang takes their operation to a whole new level, showing why they're today's most dangerous malware. It would seem it now has taken on new tactics in the form of hijacking users old email chains and then responding from a spoofed address to portray legitimacy, this additional tactic can heighten a hackers chances when stealing financial information once a victim has been lured into clicking on said malicious content. Targeted emails appears to affect both private and public sectors, including government, particularly those that provide financial and banking services.

Emotet is a known banking Trojan, discovered five years ago, first in Europe and the USA. It started out stealing information from individuals, like credit card details. It has been lurking around since 2014 and has evolved tremendously over the years, becoming major threat that infiltrates corporate networks and spreads other strains of malware.

It injects itself into a user’s device via malspam links or attachments, with the intent to steal financial data. It targets banking emails and can sometimes deploy further attacks once inside a device.

The Emotet malware gang is now using a tactic that has been previously seen used by nation-state hackers.

The U.S. Department of Homeland Security published an alert on Emotet in July 2018, describing it as “an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans,” and warning that it’s very difficult to combat, capable of evading typical signature-based detection, and determined to spread itself. The alert explains that “Emotet infections have cost SLTT (state, local, tribal, and territorial) governments up to $1 million per incident to remediate.”

This campaign targeted mainly Chile and used living off the land techniques (LotL) to bypass Virus Total detections. This up and coming tactic uses already installed tools on a users’ device to remain undetected for as long as possible.

Google Warns Users to Update Their Browser Immediately Due To a Disruptive Bug

A security breach revealed by hackers on the desktop version of Chrome has driven Google into warning its users to update Chrome as soon as they can or risk having their system 'hijacked'.

A part of Chrome called FileReader is supposedly thought to have been connected with the exploit, as it clearly lets software incorporated into websites access the information stored on the user's computer.

Being the most commonly utilized internet browser on the planet, with in excess of approximately two billion active users, the search giant is quite guarded about the details of the manner in which the exploit operates so as to keep the copycat hackers from utilizing comparable methods to attempt and break into user's accounts.

The fact that the security risk 'CVE-2019-5786' wasn't identified by Google in the first place accordingly implies that Chrome browsers were 'actively under attack  ' even before a fix could be released for the users, which thusly on the other hand gave hackers a 'head start' and left the user's systems at high risk even before an update is installed.

Google's lead security engineer Justin Schuh writing on Twitter, warned users: 'Seriously update your Chrome installs... like right this minute.'  Adding later that ‘unlike previous bugs found in Chrome which have targeted third-party software linked to the browser, this bug targeted Chrome code directly. 

Therefore he says that it is 'worth' cautioning user's all the more freely as the fix expects them to make the additional stride of manually restarting the browser after the update to invalidate the exploit had been downloaded.

‘Access to bug details and links may be kept restricted until a majority of users are updated with a fix, we will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed.’ says Google.

Cybercriminals disturbing air traffic

Travelling via air has always been the most preferred and fastest option available to us at any given time but have we ever given a thought whether it is the safest in every context technical and cyber?

Never mind the technical mishaps that happen when least expected the accidents that occur are rare but shocking and terrible but are we aware of the dangers related to flying in the light of cyber security?

As we probably are aware, cybercriminals are driven for the most part by their thirst for money and power—and disturbing the air traffic and airport regulation helps they satisfy it. While the dominant part of these cyber security occurrences result in data breaks, but: Attacks on this imperative framework could prompt significantly more inauspicious outcomes.

Associations like the ATO and EUROCONTROL deal with the air traffic across continents, connecting with business and military bodies to control the coordination and planning of air traffic in their assigned region. These associations work firmly together, as there are numerous intercontinental flights that move across from one area then onto the next they respond quite rapidly to such episodes.
These Aviation control organisations require immaculate correspondence to work legitimately, as they are essential to keeping up the normal stream of air traffic. 

Along these lines, their related frameworks are intensely computerized which makes them the primary targets for the said cyber-attacks.

However apart from Air Traffic there are a lot more factors as well that have a specific negative effect on the transportation service. Some of the major ones being terrorist attacks, ransomeware attacks, targeted cyber-attacks in addition to the budget concerns.

Terrorists have hijacked Aircrafts before, the most known incident being 9/11, where the terrorists infiltrated onto four different air crafts, disabled the pilots. Anyway these physical, in-person hijacks are the reason behind the broad safety measures that we all experience at each major air terminal.

Despite the fact that these hijackers don't need to be physically present to cause such immense harm. As exhibited before, air crafts can be hacked remotely and malware can contaminate computer frameworks in the air crafts as well.

What's more, similar to some other industry, we likewise find numerous ransomware victims in the avionics and air traffic sector. The most popular one being air and express freight carrier FedEx that surprisingly has been a ransomeware victim twice: once through their TNT division hit by NotPetya, and once in their own conveyance unit by WannaCry.

When turning towards targeted cyberattacks the most fitting precedent is that of the IT system of Boryspil International Airport, situated in the Ukraine, which purportedly incorporated the airport's air traffic regulation system. Because of rough relations among Ukraine and Russia, attribution immediately swerved to BlackEnergy, a Russian APT group considered responsible of numerous cyberattacks on the country.

Lastly, "Where budgets are concerned, cybersecurity is treated reactively instead of proactively.
In 2017, the Air Traffic Control Aviation (ATCA) published a white paper issuing this warning as in a 2016 report by the Ponemon Institute discovered that the associations did not budget for the technical, administrative, testing, and review activities that are important to appropriately operate a  secure framework.

Bearing these factors in mind while the physical security on airports have been increased fundamentally, it appears that the cyber security of this essential framework still needs a considerable amount of work and attention, particularly remembering the sheer number of cyber-attacks on the industry that have occurred over the most recent couple of years.

The excrement will undoubtedly hit the propeller if the air traffic and cargo enterprises yet again fail to incorporate cybersecurity in their financial plan and structure propositions for the coming year.