Search This Blog

Showing posts with label Malicious Code. Show all posts

GitHub Supply Chain Attack Cloned Thousands of Repositories to Target Developers


GitHub, a code repository with more than 83 million developers, has been targeted in a supply chain attack.

The attack was unearthed earlier this week by software developer Stephen Lacy and involved a hacker cloning and adding malicious code to more than 35,000 GitHub repositories while keeping intact the code’s original source code. Nearly 40 percent (13,000) of the repositories compromised originated from a single organization, called “redhat-operator-ecosystem” on the site, a spoof of the RedHat openshift ecosystem. 

The cloned projects attempted to lure users to click on them by spoofing genuine user accounts, using names identical to the original project and legitimate-sounding firm names. 

The malicious code allowed the repositories to exfiltrate the environment variables containing sensitive data like Amazon AWS credentials, API keys, crypto keys, and a one-line backdoor. The malware also allowed remote hackers to execute arbitrary code on those systems that install/run the clones. 

The weaponized code could lead to developers accidentally downloading cloned code repositories that contain malicious code. If used in their applications, this would then lead them to expose their users to code that includes malware. 

Fortunately, Lacy thwarted the attack by removing the affected projects and organizations including Golang, Bash, Python, Docker, JavaScript, and Kubernetes. GitHub confirmed that the original repositories weren’t compromised, and the clones have been quarantined and cleaned. 

According to security experts, cloning open-source code is common among developers. But, in this case, the hackers injected malicious code/links into genuine GitHub projects to target innocent users.

The methodology applied by hackers is identical to the approach unearthed by ReversingLabs last month, where typo-squatting packages were being picked up by GitHub-owned NPM, and then exfiltrated data from forms designed with the malicious packages. 

Additionally, the researchers identified more than two dozen infected packages, all cloning popular NPM packages, stretching back to December 2021. 

Thwarting supply chain attacks 

 GitHub has issued an advisory for guarding the code supply chain on its website. 

• For accounts employed for personal use as well as those used by organizations and enterprises, set up two-factor authentication. 
• Connect to GitHub using secure socket shell (SSH) keys. 
• For enterprises, centralize user authentication. 
• Design a vulnerability management program for dependencies which will allow them to have full visibility over any vulnerabilities the code they are using has. 
• Avoid using passwords or API keys within the source code. 
• Block vulnerable coding patterns by reviewing and examining all pull requests before merging.

PrestaShop Sites Hit by Severe Security Flaw


Hackers are using a blend of known and undiscovered security flaws to insert malicious software into e-commerce websites running the PrestaShop platform, according to an urgent advisory from PrestaShop. There are currently 300,000 stores using PrestaShop, which is available in 60 different languages.

Operation objective:

Hackers exploit businesses that are utilizing out-of-date software or modules, susceptible third-party modules, or a vulnerability that has not yet been identified. The store must be vulnerable to SQL injection attacks for the attack to succeed. PrestaShop versions and later and versions and after running modules susceptible to SQL injection are also affected by the vulnerability.

The repeating method is stated in the PrestaShop security bulletin as follows:
  • A POST request is made by the hacker to a vulnerability endpoint to SQL injection.
  • The hacker sends a GET request to the homepage without any parameters after around a second.
  • This triggers the creation of a PHP file with the name blm.php at the root of the shop's directory.
  • The attacker now sends a GET request to the newly constructed file, blm.php, enabling them to carry out any command.
The hackers likely exploited this web shell to insert a scam payment form on the store's checkout page and steal payment card information from customers. To keep the site owner from learning that they had been compromised, the remote threat actors erased their trails after the attack.

Security measures 

Ensure that the site is updated to the most recent version, as well as all of its modules. Compromise site managers may discover entries in the web server's access logs for clues that they were compromised if the hackers weren't careful with the cleanup of evidence.

The addition of malicious software to files through file modifications and the activation of the MySQL Smarty cache storage, which is a component of the attack chain, are additional indications of compromise.

Because of the exploit's intricacy, there are various techniques to use it, and hackers might also try to cover their traces. To ensure that no file has been edited or malicious software has been installed, think about hiring a professional to conduct a thorough audit of the website.

Attack Against NPM Software Supply Chain Unearthed


Iconburst's most recent attack is described as a massive and well-planned effort to spread malicious Javascript packages distributed through the open-source NPM package system.

Upon further analysis, evidence of a planned supply chain assault was found, with numerous NPM packages containing jQuery scripts created to steal data from deployed apps that use them, as per researchers.

ReversingLabs noted that the malicious packages we identified are probably used by hundreds or thousands of downstream mobile and desktop programs as well as websites, even if the full scope of this assault is still unknown. In one instance, malicious software had been downloaded more than 17,000 times.

Obfuscation used 

The firm said that its analysis of the modules had found signs of coordination, with malicious modules linked to a select group of NPM publishers and recurrent patterns in the infrastructure that supported them, such as unencrypted domains.

“The revelation of a javascript obfuscator was the first trigger for our team to examine a broad variety of NPM packages, the majority of which had been released within the previous two months and utilized the stated obfuscator. It revealed more than 20 NPM packages in total. When these NPM modules are examined in greater detail, it becomes clear that they are associated with one of a small number of NPM accounts with names like ionic-io, arpanrizki, kbrstore, and aselole,” according to ReversingLabs. 

Meanwhile, Checkmarx said, "Roughly a thousand unique user accounts released over 1200 NPM packages to the registry, which we found. Automation was used, which allowed for the successful completion of the NPM 2FA challenge. At this moment, this collection of packages appears to be a part of an attacker's testing." 

Obfuscated malware data theft 

The de-obfuscated examples underwent a thorough analysis, which showed that every one of them collects form data using jQuery Ajax methods and subsequently exploits that data to different domains controlled by malevolent writers.

To exfiltrate serialized form data to domains under the attacker's control, the malicious packages employ a modified script that extends the functionality of the jQuery ajax() function. The function verifies the URL content before transmitting the data to carry out target filtering checks. 

Attack on supply chain 

The NPM modules which ReversingLabs found have been downloaded more than 27,000 times in total. The attacks occurred for months before coming to attention because very few development firms can identify malicious software within open source libraries and modules.

"It is certain from the report of this study that software development businesses and their clients both require new tools and procedures for evaluating supply chain risks, such as those posed by these malicious NPM packages," researchers told.

"Applications and services are only as secure as their weakest component due to the decentralized and modular nature of application development. The attack's success—more than two dozen malicious modules were made available for download on a well-known package repository, and one of them received 17,000 downloads in just a few weeks—underscores the lax standards for application development and the low barriers that prevent malicious or even vulnerable code from exploiting IT environments and sensitive applications," ReversingLabs further added.

Several QNAP NAS Devices are Vulnerable by Dirty Pipe Linux Bug


The "Dirty Pipe" Linux kernel weakness – a high-severity vulnerability that offers root access to unprivileged users with local access in all major distros – affects a majority of QNAP's network-attached storage (NAS) appliances, the Taiwanese company stated. 

The Linux kernel on QNAP NAS running QTS 5.0.x and QuTS hero h5.0.x, according to QNAP, is affected by Dirty Pipe, a recently revealed local privilege-escalation vulnerability. A local user with no access can get admin privileges and insert malicious code if this vulnerability is exploited. 

The flaw was identified and reported eight days ago by Max Kellermann of CM4all, a security researcher. The vulnerability, which has been identified as CVE-2022-0847, has been present in the Linux kernel since version 5.8. Fortunately, Linux kernels 5.10.102, 5.15.25, and 5.16.11 have been updated to address the issue. 

However, as Linux news site Linuxiac points out, Dirty Pipe is just not simply a threat to Linux machines: because Android is built on the Linux kernel, any device running version 5.8 or later is vulnerable, putting a large number of people at risk. For example, Linuxiac cited the Google Pixel 6 and Samsung Galaxy S22: the widely used phones run on Linux kernel 5.10.43, making them susceptible.

"QNAP will hopefully deliver a kernel update for the vulnerability soon," Mike Parkin, a highly experienced engineer at Vulcan Cyber. "This is the storage device vendor's second recent incident," Parkin further pointed out in an email.

NAS devices that allow authorized users and customers to store and retrieve data from a single location boost productivity by providing cloud computing capabilities inside networks, according to Schless. Dirty Pipe has been compared to Dirty Cow by some; an older privilege escalation flaw (CVE-2016-5195) which has been in Linux for nine years — since 2007 – before it was publicly exploited in 2016 against web-facing Linux servers.

Dirty Pipe is a lot like Dirty Cow, except it's a lot worse as it's easy to take advantage of. According to Parkin, the vulnerability's mitigating element is whether it requires local access, which reduces the danger marginally. The Dirty Pipe flaw has also been fixed in the newest Linux kernel code. Furthermore, patches for the major distributions are expected to be available soon.

Multiple Security Bugs Identified in Software Package Managers


Cybersecurity researchers at SonarSource have unearthed multiple security bugs in popular package managers including Pip, Yarn, Composer, and others. The vulnerabilities can be exploited to run arbitrary code and access sensitive details, including source code and access tokens, from vulnerable devices. 

However, it is worth noting that the security bugs require threat actors to use one of the vulnerable package managers to handle a malicious package.

"This means that an attack cannot be launched directly against a developer machine from remote and requires that the developer is tricked into loading malformed files," Paul Gerste, a researcher at SonarSource explained. "But can you always know and trust the owners of all packages that you use from the internet or company-internal repositories?" 

Package managers are systems or a collection of tools that automate the installation, upgrade, and deal with the configuration of third-party dependencies required for designing applications. 

Multiple security bugs in various package managers indicate that they could be exploited by malicious actors to trick victims into running malicious code. The vulnerabilities have been discovered in the following package managers –

 • Composer 1.x < 1.10.23 and 2.x < 2.1.9 • Bundler < 2.2.33 • Bower < 1.8.13 • Poetry < 1.1.9 • Yarn < 1.22.13 • pnpm < 6.15.1 • Pip (no fix), and • Pipenv (no fix) 

The most severe flaw is a command injection bug in Composer's browse command that could be exploited to execute arbitrary code by adding a URL to a malicious package that has already been published. If threat actors employ typosquatting or dependency confusion methodologies, it is possible that invoking the browse command for the library may lead to the retrieval of a next-stage payload, which can subsequently be used to launch further cyber assaults, researchers explained.

Following responsible disclosure of vulnerabilities in September last year, patches for the security bugs were fixed in Composer, Bundler, Bower, Poetry, Yarn, and Pnpm were released. However, Composer, Pip, and Pipenv, which are all impacted by the untrusted search path bug, have chosen not to patch the vulnerability. 

"Developers are an attractive target for cybercriminals because they have access to the core intellectual property assets of a company: source code," Gerste concluded. "Compromising them allows attackers to conduct espionage or to embed malicious code into a company's products. This could even be used to pull off supply chain attacks."

Trend Micro Patches Critical Bugs in its Security Products


Trend Micro has addressed two high-severity bugs impacting its hybrid cloud security devices. The researchers responsible for identifying the flaws have released the details and proof-of-concept (PoC) exploits. 

The flaws tracked as CVE-2022-23119 and CVE-2022-23120, affect Deep Security and Cloud One workload security solutions, specifically the Linux agent feature. 

The security loopholes were unearthed by researchers at Swiss-German cybersecurity firm modzero, which also published PoC exploits the same day Trend Micro released the security patches i.e., on January 19. The researchers first reported the vulnerabilities to Trend Micro in September and patches were released between October and December. 

The researchers at Modzero identified that the Deep Security Agent for Linux is impacted by a directory traversal bug that could be exploited by malicious actors to read arbitrary files and a code injection issue that could be abused to escalate privileges and implement code as root. However, a threat actor requires to have access to the targeted system and exploitation is only possible if the agent has not been activated or configured. 

Additionally, Modzero’s researchers noticed that a hardcoded default X.509 certificate and a corresponding private key are shipped with the agent software. The certificate is used to establish communication with the server before the agent is activated. 

“The Trend Micro Deep Security Agent authenticates remote servers using mutual TLS (mTLS): Both the server and the agent identify each other by presenting a certificate. The agent software ships with a hardcoded default X.509 certificate and a corresponding private key. Until the agent is configured (‘activated’) by the server component this certificate is used in communications with the server. It is stored in the shared object file /opt/ds_agent/lib/ The agent software uses a certificate authority (CA) to establish the server’s identity,” researchers explained.

“When the server connects to the agent, its certificate is validated against this CA. However, the agent uses its own certificate also as a CA. As this certificate ships with a private key, it is possible for an attacker to create and sign their own server certificate, imitate a server and to send commands to the client software.”

Last week, Trend Micro informed users regarding an information disclosure bug impacting its Worry-Free Business Security small business product. However, that flaw was assigned a “low severity” rating.