WhatsApp Image Scam Uses Steganography to Steal User Data and Money

 

With over three billion users globally, including around 500 million in India, WhatsApp has become one of the most widely used communication platforms. While this immense popularity makes it convenient for users to stay connected, it also provides fertile ground for cybercriminals to launch increasingly sophisticated scams. 

A recent alarming trend involves the use of steganography—a technique for hiding malicious code inside images—enabling attackers to compromise user devices and steal sensitive data. A case from Jabalpur, Madhya Pradesh, brought this threat into the spotlight. A 28-year-old man reportedly lost close to ₹2 lakh after downloading a seemingly harmless image received via WhatsApp. The image, however, was embedded with malware that secretly installed itself on his phone. 

This new approach is particularly concerning because the file looked completely normal and harmless to the user. Unlike traditional scams involving suspicious links or messages, this method exploits a far subtler form of cyberattack. Steganography is the practice of embedding hidden information inside media files such as images, videos, or audio. In this scam, cybercriminals embed malicious code into the least significant bits of image data or in the file’s metadata—areas that do not impact the visible quality of the image but can carry executable instructions. These altered files are then distributed via WhatsApp, often as forwarded messages. 

When a recipient downloads or opens the file, the embedded malware activates and begins to infiltrate the device. Once installed, the malware can harvest a wide range of personal data. It may extract saved passwords, intercept one-time passwords, and even facilitate unauthorized financial transactions. What makes this form of attack more dangerous than typical phishing attempts is its stealth. Because the malware is hidden within legitimate-looking files, it often bypasses detection by standard antivirus software, especially those designed for consumer use. Detecting and analyzing such threats typically requires specialized forensic tools and advanced behavioral monitoring. 

In the Jabalpur case, after the victim downloaded the infected image, the malware gained control over his device, accessed his banking credentials, and enabled unauthorized fund transfers. Experts warn that this method could be replicated on a much larger scale, especially if users remain unaware of the risks posed by media files. 

As platforms like WhatsApp continue working to enhance security, users must remain cautious and avoid downloading media from unfamiliar sources. In today’s digital age, even an innocent-looking image can become a tool for cyber theft.

Cyberattackers Use JPG Files to Deploy Ransomware Undetected

 


Several cybersecurity experts have recently identified a worrying evolution in ransomware tactics: threat actors are now concealing and deploying fully undetectable ransomware payloads inside JPEG images. This is a major advance in cyberattack methodology, as it gives threat actors a way of bypassing conventional antivirus systems and signature-based malware detection tools with alarming ease. 

This method is quite different from traditional ransomware delivery. Harmful code is embedded within seemingly harmless image files, which are widely trusted, frequently shared, and rarely examined by users or basic security tools. As soon as users open these doctored images, the embedded ransomware starts working, which could compromise entire systems without triggering standard security warnings. 

Cybersecurity researchers discovered this method while monitoring high-level, stealth-oriented ransomware campaigns. The findings reveal a sophisticated exploitation strategy that signals a dangerous change in the threat landscape. By abusing the inherent trust in commonly used file types such as JPGs, cybercriminals are exploiting a blind spot in existing defence mechanisms, putting individuals, organisations, and infrastructure at increased risk. 

This development shows a critical need for more advanced, behaviour-based threat detection systems and increased user awareness, since traditional security tools may no longer be sufficient to combat such sophisticated and covert attacks. The exploit relies on a sophisticated, multi-stage attack chain that uses common file formats to evade traditional security systems. 

At the core of this strategy, malicious code is embedded within a JPEG image file that is delivered to an unsuspecting user. When the compromised image is opened, a concealed "loader" is activated, which starts the ransomware deployment process. In Stage One, a stager script hidden within the image file is activated and opens the door for the further stages of the attack. This stager script acts as an initial foothold that prepares the system for the remaining phases. 

In the second stage, the stager reaches out to a remote command-and-control server to download the actual executable that contains the ransomware. The third stage is ransomware execution: the payload systematically encrypts the victim's files and demands payment for decryption, which can be made in cryptocurrencies. 
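A structural triage check for the hiding places the posts above describe (file metadata and bytes carried alongside the image data), as an added example that is not part of the original posts. It walks the JPEG marker segments and reports oversized APPn/COM metadata and data appended after the end-of-image marker; it does not detect least-significant-bit embedding in pixel data, and the 32 KiB threshold and the sample byte strings are assumptions constructed for the demonstration.

```python
import struct

STANDALONE = {0x01, *range(0xD0, 0xD8)}  # TEM and RST0-RST7: markers with no length field
METADATA = {0xFE, *range(0xE0, 0xF0)}    # COM and APP0-APP15: free-form metadata segments
MAX_META_BYTES = 32 * 1024               # triage threshold (assumption, tune per environment)


def _skip_scan(data, pos):
    """Return the offset of the first real marker after entropy-coded scan data."""
    while True:
        pos = data.find(b"\xff", pos)
        if pos < 0 or pos + 1 >= len(data):
            return len(data)
        nxt = data[pos + 1]
        if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:  # stuffed 0xFF byte or restart marker
            pos += 2
        elif nxt == 0xFF:                       # fill byte in front of a marker
            pos += 1
        else:
            return pos


def inspect_jpeg(data, max_meta_bytes=MAX_META_BYTES):
    """Walk the marker structure and report where non-image bytes could sit."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: SOI marker missing")
    pos, eoi_end, metadata = 2, None, []
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # padding between segments
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:                      # EOI: the image ends here
            eoi_end = pos
            break
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        if marker in METADATA:
            name = "COM" if marker == 0xFE else f"APP{marker - 0xE0}"
            metadata.append((name, pos - 2, length - 2))  # (type, offset, payload size)
        pos += length
        if marker == 0xDA:                      # SOS: compressed scan data follows
            pos = _skip_scan(data, pos)
    meta_bytes = sum(size for _name, _off, size in metadata)
    trailing = len(data) - eoi_end if eoi_end is not None else 0
    findings = []
    if eoi_end is None:
        findings.append("no EOI marker found: truncated or malformed file")
    if trailing:
        findings.append(f"{trailing} bytes appended after the EOI marker")
    if meta_bytes > max_meta_bytes:
        findings.append(f"{meta_bytes} bytes of APPn/COM metadata exceeds threshold")
    return {"metadata": metadata, "metadata_bytes": meta_bytes,
            "trailing_bytes": trailing, "findings": findings}


def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample(extra=b"", trailer=b""):
    """Constructed marker skeleton (not a decodable picture) used as sample input."""
    return (b"\xff\xd8" + _segment(0xE0, b"JFIF\x00" + bytes(9)) + extra
            + _segment(0xDA, bytes(10)) + b"\x12\xff\x00\x34\xff\xd0\x56"
            + b"\xff\xd9" + trailer)


CLEAN = build_sample()
APPENDED = build_sample(trailer=b"CONSTRUCTED-TRAILING-BYTES")
BIG_COMMENT = build_sample(extra=_segment(0xFE, b"A" * 40000))

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("appended", APPENDED),
                        ("big comment", BIG_COMMENT)):
        print(label, inspect_jpeg(blob)["findings"])
```

Findings are leads for an analyst rather than verdicts: some cameras and editors legitimately write large metadata or data after the end-of-image marker.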

A distinctive feature of this attack is its dual-file delivery method, which consists not only of the tainted JPG image but also of a decoy file, normally a PDF or Word document. Because both files carry malicious components, antivirus programs find it extremely difficult to detect them. Traditional security software rarely correlates activity across separate file formats, which allows the exploit to operate undetected. 

Additionally, the payload's advanced obfuscation and encryption techniques have proved extremely effective, evading over 90% of known antivirus engines and further complicating detection efforts. As a result, this malware is effectively invisible to most of the endpoint protection solutions in use at the moment. Besides exploiting the inherent trust users place in familiar formats like JPGs and documents, the attack also relies on social engineering to gain entry into the system. 

Targets are highly likely to open the files without suspicion, which greatly increases the attack's chance of success. The simplicity and effectiveness of the method are particularly alarming: cybercriminals need only two files to execute a full-scale ransomware attack, making it possible for them to hit large targets rapidly with minimal effort. According to a cybersecurity researcher who examined the exploit under the pseudonym Aux Grep, the tactic is "a zero-day-grade attack with 60% success." This indicates that more polished, and even more dangerous, versions of this exploit will be developed shortly. 

To combat increasingly covert and complex threats, proactive defensive measures and the ongoing evolution of cybersecurity strategies are necessary. Organisations must stay ahead of adversaries by combining advanced detection technologies with informed human vigilance to thrive in an increasingly hostile digital landscape. 

The emergence of ransomware attacks concealed within benign-looking image files is not merely a technical anomaly—it is a clear signal that cyberthreats are evolving in complexity and cunning. Organisations can no longer rely on reactive security measures or outdated assumptions about attack vectors in an environment where the line between legitimate and malicious content continues to blur. To navigate this shifting threat landscape, cybersecurity must be approached as a dynamic, continuous process—one that integrates intelligent automation, rigorous user education, and robust response protocols. 

Decision-makers must invest in cybersecurity not as a compliance necessity, but as a core pillar of operational resilience. From revisiting email attachment policies and revising digital hygiene protocols to deploying real-time threat intelligence and incident response systems, the imperative is clear: defence must evolve faster than the threats themselves. Moreover, fostering a security-first culture—where vigilance is embedded at every level of the organisation—is no longer optional. 

As attackers increasingly weaponise trust and familiarity, even routine file interactions must be viewed through a more critical, informed lens. In the face of adversaries who adapt quickly and operate with surgical precision, success will belong to those who are not only prepared but proactively positioned to detect, contain, and neutralise threats before they manifest as damage. The JPG-based ransomware tactic may be one of the latest threats, but it will not be the last. Organisations that act decisively today will be far better equipped to face the unknowns of tomorrow. 

Defending Against JPEG-Based Ransomware Attacks: Key Strategies for Organisations 


Cybercriminals are increasingly exploiting trusted file formats like JPEGs to spread sophisticated ransomware, putting a lot of pressure on cyber experts to ensure that proactive and layered defence strategies are in place. Combining technical safeguards, policy measures, and user awareness initiatives can mitigate the risks posed by these stealthy attack vectors. 

1. Enable Full File Extension Visibility

Configuring systems to display the full file extension by default is a simple but effective safeguard against malware. With the complete file name visible, users can identify deceptive files, for example those that appear to be images but contain executable payloads (e.g., “photo.jpg.exe”), and avoid mistakenly opening malicious content.

2. Behaviour-Based Threat Detection

In an age of emerging threats that use obfuscation and encryption, traditional antivirus solutions based on signature databases are increasingly ineffective. Organisations should therefore consider investing in advanced endpoint detection and response (EDR) solutions that use behaviour-based analysis. SentinelOne, Huntress, and CrowdStrike Falcon can be used to identify unusual activity patterns and halt attacks before damage is caused, even when a threat was previously unknown. 

3. Isolate and Analyse Suspicious Files

Users must open all email attachments, particularly ones from unverified or unexpected sources, in an isolated or sandboxed environment. This precaution prevents potentially malicious content from reaching critical infrastructure or sensitive data, which reduces the risk of lateral movement and wider infection within a network.

4. Maintain Regular, Versioned Backups 

Frequent, versioned backups of data, whether stored offline or in a secure cloud environment, are vital for protecting users against ransomware. Organisations must regularly test backup integrity and make sure recovery procedures are clearly defined in case a ransomware attack occurs. Having clean backups helps organisations recover quickly without giving in to ransom demands. 

5. Prioritise Employee Awareness and Phishing Prevention

Because of human error, companies continue to encounter social engineering attack vectors such as phishing emails and suspicious attachments, which can appear to come from familiar sources. Employees should be trained regularly to recognise such tactics. An informed workforce is the first line of defence against ransomware intrusions. 

In the wave of image-based ransomware circulating around the world, threat actors have taken advantage of universally trusted file types to bypass traditional defence systems. Ransomware damages worldwide are estimated to reach $300 billion by the year 2025 (approximately ₹25 lakh crore), which highlights the urgency of developing a comprehensive and multi-layered cybersecurity posture. 

To thrive in an increasingly hostile digital environment, organisations must combine advanced detection technologies with informed human vigilance to stay ahead of their adversaries. Ransomware attacks concealed within benign-looking image files are not just a technical anomaly; they are a sign that cyberthreats are becoming more sophisticated and cunning. 

Organisations are finding that the line between legitimate and malicious content has become increasingly blurred. They should therefore no longer rely solely on reactive security measures or outdated assumptions about attack vectors. Navigating this shifting threat landscape requires a dynamic, continuous cybersecurity process, one that integrates intelligent automation, rigorous user education, and robust response protocols.

Decision-makers must recognise that cybersecurity is not just a compliance requirement, but one of the key pillars of operational resilience. Defences must evolve faster than the threats themselves, which means revisiting email attachment policies, revising digital hygiene protocols, and deploying real-time threat intelligence and incident response systems. It is now imperative for organisations to establish a security-first culture, in which vigilance is embedded at every level of the organisation. 

Attackers are increasingly weaponising trust and familiarity, forcing even routine file interactions to be viewed from a critical, informed perspective. As adversaries who adapt rapidly and operate with surgical precision continue to grow in strength, success will belong to those who are prepared, proactively positioned, and able to detect, contain, and neutralise threats before they cause damage. The JPG-based ransomware tactic may be one of the latest threats, but it won't be the last. Organisations that maintain a proactive posture today will be far better positioned to deal with the unknowns that may arise in the future.

Agentic AI and Ransomware: How Autonomous Agents Are Reshaping Cybersecurity Threats

 

A new generation of artificial intelligence—known as agentic AI—is emerging, and it promises to fundamentally change how technology is used. Unlike generative AI, which mainly responds to prompts, agentic AI operates independently, solving complex problems and making decisions without direct human input. While this leap in autonomy brings major benefits for businesses, it also introduces serious risks, especially in the realm of cybersecurity. Security experts warn that agentic AI could significantly enhance the capabilities of ransomware groups. 

These autonomous agents can analyze, plan, and execute tasks on their own, making them ideal tools for attackers seeking to automate and scale their operations. As agentic AI evolves, it is poised to alter the cyber threat landscape, potentially enabling more efficient and harder-to-detect ransomware attacks. In contrast to the early concerns raised in 2022 with the launch of tools like ChatGPT, which mainly helped attackers draft phishing emails or debug malicious code, agentic AI can operate in real time and adapt to complex environments. This allows cybercriminals to offload traditionally manual processes like lateral movement, system enumeration, and target prioritization. 

Currently, ransomware operators often rely on Initial Access Brokers (IABs) to breach networks, then spend time manually navigating internal systems to deploy malware. This process is labor-intensive and prone to error, often leading to incomplete or failed attacks. Agentic AI, however, removes many of these limitations. It can independently identify valuable targets, choose the most effective attack vectors, and adjust to obstacles—all without human direction. These agents may also dramatically reduce the time required to carry out a successful ransomware campaign, compressing what once took weeks into mere minutes. 

In practice, agentic AI can discover weak points in a network, bypass defenses, deploy malware, and erase evidence of the intrusion—all in a single automated workflow. However, just as agentic AI poses a new challenge for cybersecurity, it also offers potential defensive benefits. Security teams could deploy autonomous AI agents to monitor networks, detect anomalies, or even create decoy systems that mislead attackers. 

While agentic AI is not yet widely deployed by threat actors, its rapid development signals an urgent need for organizations to prepare. To stay ahead, companies should begin exploring how agentic AI can be integrated into their defense strategies. Being proactive now could mean the difference between falling behind or successfully countering the next wave of ransomware threats.

Magento Extension Supply Chain Attack Backdoors Hundreds of E-Commerce Sites

 

A coordinated supply chain attack has compromised between 500 and 1,000 Magento-based e-commerce websites through 21 backdoored extensions, according to new research from cybersecurity firm Sansec. The breach affected sites globally, including the one being operated by a multinational corporation valued at $40 billion.  

Sansec revealed that malicious code was injected into the extensions as far back as 2019. However, it remained inactive until April 2025, when attackers remotely activated the malware and seized control of vulnerable servers. “Multiple vendors were hacked in a coordinated supply chain attack,” Sansec reported. “Curiously, the malware was injected six years ago, but came to life this week.” 

The compromised extensions originate from well-known Magento vendors Tigren, Meetanshi, and MGS. Affected extensions include:

Tigren: Ajaxsuite, Ajaxcart, Ajaxlogin, Ajaxcompare, Ajaxwishlist, MultiCOD

Meetanshi: ImageClean, CookieNotice, Flatshipping, FacebookChat, CurrencySwitcher, DeferJS

MGS: Lookbook, StoreLocator, Brand, GDPR, Portfolio, Popup, DeliveryTime, ProductTabs, Blog

Additionally, a version of the Weltpixel GoogleTagManager extension was found with similar code, though Sansec could not verify whether the source was the vendor or an already-infected site. The malware was embedded in files named License.php or LicenseApi.php — components that typically manage license validation for the extensions. The backdoor listens for HTTP requests containing special parameters like requestKey and dataSign. 

When matched against hardcoded keys, it grants attackers access to admin-level functionality, including the ability to upload files. These files can then be executed through PHP’s include_once() function, opening the door for data theft, credit card skimming, admin account creation, and complete server control. Earlier variants of the backdoor didn’t require any authentication. 

However, recent versions now rely on a static key for limited protection. Sansec confirmed that this method was used to deploy a web shell on at least one client’s server. When alerted, vendor responses varied. MGS did not respond. Tigren denied any security breach and reportedly continues to distribute the compromised code. Meetanshi acknowledged a server intrusion but denied their extensions were affected. 

BleepingComputer independently verified the presence of the backdoor in the MGS StoreLocator extension, which is still available for download. Sansec recommends that any site using the listed extensions immediately conduct full server scans and review indicators of compromise. 

Ideally, websites should be restored from a verified, clean backup. The security firm also highlighted the unusual delay between the malware’s insertion and its activation, suggesting the attack was carefully planned over a long timeline. An expanded investigation is ongoing.
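A first-pass file triage built only from the indicators named in the post above (the License.php and LicenseApi.php file names, the requestKey and dataSign parameters, the use of include_once, and the vendor names), as an added example that is not Sansec's tooling. The directory layout, the severity labels and the inert fixture files are assumptions constructed for the demonstration; a hit is a reason to review the file by hand, not proof of compromise.

```python
import os
import re
import tempfile

SUSPECT_FILES = {"license.php", "licenseapi.php"}      # file names named in the post
VENDORS = ("tigren", "meetanshi", "mgs", "weltpixel")  # vendors named in the post
TOKENS = {
    "requestKey": re.compile(rb"requestKey"),
    "dataSign": re.compile(rb"dataSign"),
    # PHP language constructs are case-insensitive, so match include_once in any case
    "include_once": re.compile(rb"\binclude_once\b", re.IGNORECASE),
}


def triage(root):
    """Return review candidates found under a Magento code tree, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in SUSPECT_FILES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                body = fh.read()
            seen = [tok for tok, rx in TOKENS.items() if rx.search(body)]
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            parts = [p.lower() for p in rel.split("/")]
            vendor = next((v for v in VENDORS if v in parts), None)
            if "requestKey" in seen and "dataSign" in seen:
                # both request parameters present; include_once adds the execution step
                level = "high" if "include_once" in seen else "medium"
            elif vendor:
                level = "review"   # licence file from a listed vendor, tokens not visible
            else:
                continue
            findings.append({"path": rel, "vendor": vendor,
                             "tokens": seen, "level": level})
    return sorted(findings, key=lambda f: f["path"])


def build_constructed_tree(root):
    """Write inert fixture files; the layout below is hypothetical sample data."""
    fixtures = {
        "app/code/Tigren/Ajaxcart/Model/License.php":
            b"<?php /* constructed fixture, inert: requestKey dataSign INCLUDE_ONCE */",
        "app/code/MGS/StoreLocator/Helper/LicenseApi.php":
            b"<?php /* constructed fixture: no indicator strings */",
        "app/code/Acme/Shipping/Model/License.php":
            b"<?php /* constructed fixture: unrelated module */",
        "app/code/Tigren/Ajaxcart/Model/Cart.php":
            b"<?php /* constructed fixture: requestKey dataSign in another file */",
    }
    for rel, body in fixtures.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_constructed_tree(root)
        return triage(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding["level"], finding["path"], finding["tokens"])
```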

Ransomware Attackers Are Weaponizing PHP Flaw to Infect Web Servers

 

Security researchers revealed that ransomware attackers have swiftly turned a simple-to-exploit PHP programming language vulnerability—which allows malicious code to be executed on web servers—into a weapon. 

As of Thursday last week, Censys' Internet scans had found 1,000 servers infected with the TellYouThePass ransomware strain, down from 1,800 on Monday. The servers, which are largely based in China, no longer display their typical content; instead, many list the site's file directory, which shows that all files have a .locked extension, indicating that they have been encrypted. The accompanying ransom note demands around $6,500 in exchange for the decryption key. 

The vulnerability, identified as CVE-2024-4577 and assigned a severity rating of 9.8 out of 10, results from flaws in PHP's conversion of Unicode characters to ASCII. Best Fit, a feature integrated into Windows, enables attackers to utilise argument injection to turn user-supplied data into characters that send malicious commands to the main PHP application. Exploits enable attackers to circumvent CVE-2012-1823, a significant code execution vulnerability addressed in PHP in 2012. 

CVE-2024-4577 only affects PHP when it is run in CGI mode, which involves a web server parsing HTTP requests and passing them to a PHP script for processing. Even if PHP is not configured to use CGI mode, the vulnerability may still be exploitable if PHP executables such as php.exe and php-cgi.exe are located in directories accessible to the web server. This setup is fairly uncommon, with the exception of the XAMPP platform, which includes it by default. An extra requirement appears to be that the Windows locale, which is used to personalise the OS to the user's local language, be set to Chinese or Japanese. 

The critical vulnerability was made public on June 6, along with a security fix. The attackers were exploiting it within 24 hours to install TellYouThePass, Imperva researchers disclosed last week. The exploits ran malware that exploited the Windows binary mshta.exe to launch an HTML application hosted on an attacker-controlled server. The use of the programme revealed a strategy known as living off the land, in which attackers employ native OS features and tools to blend in with routine, non-malicious behaviour.

In a post published Friday, Censys researchers stated that the TellYouThePass gang's exploitation began on June 7 and mirrored previous incidents in which attackers opportunistically mass scan the Internet for vulnerable systems following a high-profile vulnerability and indiscriminately target any accessible server. The vast majority of affected servers have IP addresses in China, Taiwan, Hong Kong, or Japan, most likely because Chinese and Japanese locales are the only ones verified to be vulnerable, Censys researchers noted in an email.

“From our perspective, many of the compromised hosts appear to remain online, but the port running the PHP-CGI or XAMPP service stops responding—hence the drop in detected infections,” researchers added. “Another point to consider is that there are currently no observed ransom payments to the only Bitcoin address listed in the ransom notes (source). Based on these facts, our intuition is that this is likely the result of those services being decommissioned or going offline in some other manner.”

New DLL Search Order Hijacking Variant Evades Windows 10 and 11 Protections

 

Security researchers have outlined a fresh variant of a dynamic link library (DLL) search order hijacking technique, potentially enabling threat actors to circumvent security measures and execute malicious code on computers running Microsoft Windows 10 and Windows 11.

The new method, disclosed in a report by cybersecurity firm Security Joes and exclusively shared with The Hacker News, exploits executables commonly present in the trusted WinSxS folder, utilizing the classic DLL search order hijacking technique. By doing so, adversaries can avoid the need for elevated privileges when attempting to run malicious code on a compromised system, introducing potentially vulnerable binaries into the attack chain.

DLL search order hijacking involves manipulating the search order used to load DLLs, allowing the execution of malicious payloads for purposes such as defense evasion, persistence, and privilege escalation. This technique targets applications that do not specify the full path to required libraries, relying on a predefined search order to locate DLLs on disk.

Threat actors exploit this behavior by relocating legitimate system binaries into non-standard directories that contain malicious DLLs, named after legitimate ones. This tricks the system into loading the attack code-containing library instead of the authentic one.

The unique aspect introduced by Security Joes focuses on files within the trusted "C:\Windows\WinSxS" folder. WinSxS, short for Windows side-by-side, is a crucial Windows component used for OS customization and updates to ensure compatibility and integrity.

According to Ido Naor, co-founder and CEO of Security Joes, the discovery diverges from traditional cyber attack methods, providing a more subtle and stealthy exploitation technique. The strategy involves identifying vulnerable binaries in the WinSxS folder and combining them with DLL search order hijacking methods. This entails strategically placing a custom DLL with the same name as a legitimate DLL into an actor-controlled directory, triggering code execution when executing a vulnerable file in the WinSxS folder.

Security Joes emphasized the potential for additional binaries in the WinSxS folder susceptible to this DLL search order hijacking, urging organizations to take precautions. They recommended examining parent-child relationships between processes, particularly focusing on trusted binaries, and closely monitoring activities performed by binaries in the WinSxS folder, including network communications and file operations.
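The monitoring recommended above, sketched as detection logic over Sysmon-style events (Event ID 1 process creation and Event ID 7 image load); this is an added example, not Security Joes' code. It flags a process whose image lives under WinSxS when it starts with a working directory outside the Windows tree or loads a DLL from outside trusted roots, and it keeps the parent image for parent-child review. The trusted-root list, the component folder name and every event below are assumptions constructed for the demonstration.

```python
import ntpath

WINSXS = r"C:\Windows\WinSxS"
WINDOWS = r"C:\Windows"
# Directories a WinSxS-resident binary is expected to load DLLs from (assumption).
TRUSTED_DLL_ROOTS = (WINDOWS, r"C:\Program Files", r"C:\Program Files (x86)")


def _under(path, root):
    """Case-insensitive 'path is inside root' test that also resolves '..' parts."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root))
    return p == r or p.startswith(r + "\\")


def detect_winsxs_sideloading(events):
    """Correlate events per ProcessGuid; return only processes with a finding."""
    procs = {}
    for ev in events:
        image = ev.get("Image", "")
        if not _under(image, WINSXS):
            continue                      # only binaries that live in WinSxS
        proc = procs.setdefault(
            ev["ProcessGuid"], {"image": image, "parent": None, "reasons": []})
        if ev["EventID"] == 1:            # process creation
            proc["parent"] = ev.get("ParentImage")
            cwd = ev.get("CurrentDirectory", "")
            # The working directory is part of the DLL search order.
            if cwd and not _under(cwd, WINDOWS):
                proc["reasons"].append(f"started with working directory {cwd}")
        elif ev["EventID"] == 7:          # image (DLL) load
            dll = ev.get("ImageLoaded", "")
            if dll and not any(_under(dll, root) for root in TRUSTED_DLL_ROOTS):
                signed = ev.get("Signed", "unknown")
                proc["reasons"].append(f"loaded {dll} (signed={signed})")
    return {guid: p for guid, p in procs.items() if p["reasons"]}


# Constructed sample events; the folder and file names are placeholders.
TOOL = r"C:\Windows\WinSxS\amd64_constructed-component_0000\sample_tool.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{guid-1}", "Image": TOOL,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CurrentDirectory": "C:\\Users\\Public\\Downloads\\"},
    {"EventID": 7, "ProcessGuid": "{guid-1}", "Image": TOOL,
     "ImageLoaded": r"C:\Users\Public\Downloads\helper.dll", "Signed": "false"},
    {"EventID": 7, "ProcessGuid": "{guid-1}", "Image": TOOL,
     "ImageLoaded": r"c:\windows\SYSTEM32\kernel32.dll", "Signed": "true"},
    {"EventID": 1, "ProcessGuid": "{guid-2}", "Image": TOOL,
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CurrentDirectory": "C:\\Windows\\System32\\"},
    {"EventID": 1, "ProcessGuid": "{guid-3}",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CurrentDirectory": "C:\\Users\\Public\\"},
]

if __name__ == "__main__":
    for guid, proc in detect_winsxs_sideloading(SAMPLE_EVENTS).items():
        print(guid, proc["parent"], proc["reasons"])
```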

How Can Developers Win the Data Security Battle?

 


In IT organizations, chief information officers (CIOs) rank security as their top challenge and one of their biggest weaknesses. It is estimated that 82% of companies are vulnerable to cyber threats in their own software supply chains. 

Because security threats continue to change and become increasingly sophisticated, developers must work closely with security teams. Doing so ensures that the development lifecycle is managed effectively throughout the whole process and that security is baked in from the ground up. 

Several factors, including this one, have made cybersecurity an increasingly expensive issue. A recently released report by McKinsey & Company predicted that in 2025, cybercrime would be worth approximately $10.5 trillion worldwide, an increase of 300% over today's figure. Meanwhile, governments all over the globe are taking note of the risks associated with the software supply chain. The Cybersecurity and Infrastructure Security Agency (CISA) has set several cyber performance goals to protect critical infrastructure across the country. For now these guidelines are voluntary, but there is evidence that they may serve as a foundation for federal regulations. 

Encouragingly, a positive trend is brewing: one group is increasingly strengthening its position on the front lines of defense when it comes to data security, namely software developers. 

Software Supply Chain Security: Four Pillars 

Security teams are responsible for doing whatever they can to protect their company's data. Software supply chain attacks have been increasing in number and in variety of method over the past few years. In addition to enforcing policies across a wide range of operations, security teams are expected to implement best practices and compliance standards across those operations. As a result, many organizations have overworked teams, which has a "downhill" effect on development teams, who have inevitably been called on to resolve and strengthen many of the supply chain issues that have piled up as backlogs. 

Unfortunately, most organizations cannot afford to have a person devoted solely to DevSecOps, and there are not enough leaders or engineers who can fill that role. As a result, it is becoming increasingly common for security and development teams to work together, including security from the start of the development of applications and processes and thereby ensuring a secure product for users. 

Developers now play an increasingly critical role in the fight against data breaches, which means there are four things they need to keep in mind in their efforts to secure the software supply chain: 

Increasing the Emphasis on Software Packages

At their most basic level, software packages are modules of code that are put together to form a complete application. One of the most common strategies malicious actors employ today is to attack packages that include more than just source code: these compromised packages might contain sensitive keys, configuration files, or other elements that can leave a company vulnerable to attack. 

To detect issues within packages that cannot be found by examining source code alone, developers need both the right tools and the right knowledge. A full understanding of potential exploits allows them to determine the full impact of their introduction. 

Knowing the Context in Which Software Operates

In addition to understanding software packages, developers must learn the context within which software operates in order to protect it. In particular, they must identify and recognize the misuse of open-source libraries, insecure services, exposed secrets, and issues with infrastructure-as-code (IaC) configurations. Once a vulnerability is identified, they must determine whether it applies to their application and whether it is likely to be exploited. 

An application's configuration, its use of authentication mechanisms, and its exposure of keys can all determine whether common vulnerabilities and exposures (CVEs) can be exploited successfully. Together with the security team, developers should ensure that the libraries, services, daemons, and IaC they rely on within a software supply chain are not misused or misconfigured, wherever they are located: on-premises, in the cloud, or at the edge. 

Ensure That All Processes and Tools Are Secure

Ideally, all the artifacts and repositories needed to support a development project should be managed in one place, creating a single source of truth for the organization. Securing a product becomes a natural part of the development process when the development team has control over everything in its portfolio: this single source of truth becomes a single source of trust. 

When they are managed correctly, DevOps processes and tools incorporate security as part of their design and implementation. The goal is to unify, accelerate, and secure the delivery of software from the development stage to the deployment stage. Security teams set policies and strategies, and development teams then resolve or manage any codebase issues. A workflow that works for core DevOps teams cannot work only for security and developer teams. It has to work for all teams, whether that is an infrastructure team, an integration team, a release team, or a flow team.

Preventing the Exploitation of Vulnerabilities

To detect exploitable vulnerabilities, most organizations should partner with a third party or an open-source community that has advanced research experience and can help uncover them before attackers exploit them. As a result, businesses can make quick decisions to combat upcoming attacks as they become commonplace in their line of business. This in turn enables them to update databases rapidly with contextual analysis that mimics the work of researchers. 

Innovation Through Facilitation

Security needs to be implemented across the entire development process of an application so that developers can actually develop. If they follow the strategies above, they won’t spend all their time dealing with security issues that they do not understand. Instead, they can get their work done. In this way, they can resolve vulnerabilities more easily and quickly and make sure that they fix everything that is wrong. There is no doubt that security is a real and vital concern. However, to win, organizations must make it a priority throughout the entire software supply chain rather than just in the IT department. This allows developers to develop more innovative software, which in turn allows the business to move forward and innovate.

All You Need to Know About the Cisco Command-Injection Bug


A security flaw has been discovered in Cisco gear used in data centers, large enterprises, industrial facilities, and smart city power grids that could give hackers unrestricted access to these devices and wider networks. 

In a report published on February 1st, Trellix researchers reveal that the bug, one of two flaws discovered, impacts the following Cisco networking devices: 

  • Cisco ISR 4431 routers 
  • 800 Series Industrial ISRs 
  • CGR1000 Compute Modules
  • IC3000 Industrial Compute Gateways 
  • IOS XE-based devices configured with IOx 
  • IR510 WPAN Industrial Routers 
  • Cisco Catalyst Access points 

One bug — CSCwc67015 — was discovered in code which is not yet released. Apparently, it has the capability to allow hackers to execute their own code, and possibly replace the majority of the files on the device. 

The second bug (allegedly more malicious) — CVE-2023-20076 — found in production equipment, is a command-injection vulnerability which could enable unauthorized access and remote code execution (RCE). Despite Cisco's safeguards against such a scenario, exploiting it could give an attacker not only complete control of a device's operating system but also persistence through any upgrades or reboots. 

According to Trellix, the impact of the vulnerabilities is all the more significant because Cisco networking equipment is operated around the globe in data centers, enterprises, and government organizations, with its most common footprint at industrial facilities. 

“In the world of routers, switches, and networking, Cisco is the current king of the market[…]We would say that thousands of businesses could potentially be impacted,” says Sam Quinn, senior security researcher with the Trellix Advanced Research Center. 

The Latest Cisco Security Flaws 

According to Trellix, the two flaws are a result of a shift in how routing technology works. On these miniature-server-routers, network administrators may now install application containers or even entire virtual systems. Along with great functionality, this increased complexity also leads to a broader attack surface. 

"Modern routers now function like high-powered servers[…]with many Ethernet ports running not only routing software but, in some cases, even multiple containers," the authors of the report explained. 

Both CSCwc67015 and CVE-2023-20076 stem from the router's advanced application hosting environment. 

In the case of CSCwc67015, "a maliciously packed programme could bypass a vital security check while uncompressing the uploaded application" in the hosting environment. That check was meant to safeguard the system from CVE-2007-4559, a 15-year-old path traversal vulnerability in a Python module that Trellix itself had discovered in September. 
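A pre-extraction check for the path traversal class behind CVE-2007-4559 in Python's `tarfile` module, as an added example that is not Cisco's or Trellix's code. It applies a deliberately strict policy (no absolute paths and no `..` in member names or link targets); the function names and the constructed sample archives are assumptions.

```python
import io
import tarfile
from pathlib import PurePosixPath


def escapes(path):
    """True if a member name or link target is absolute or contains '..'."""
    p = PurePosixPath(path.replace("\\", "/"))
    return p.is_absolute() or ".." in p.parts


def unsafe_members(data):
    """Return one reason string per archive member that must not be extracted."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        for m in tar.getmembers():
            is_link = m.issym() or m.islnk()
            if escapes(m.name):
                problems.append(f"{m.name}: name leaves the destination")
            elif is_link and escapes(m.linkname):
                problems.append(f"{m.name}: link target {m.linkname} leaves the destination")
            elif not (m.isfile() or m.isdir() or is_link):
                problems.append(f"{m.name}: device or FIFO member")
    return problems


def extract_checked(data, dest):
    """Extract only if every member passed the check; raise ValueError otherwise."""
    problems = unsafe_members(data)
    if problems:
        raise ValueError("refusing to extract: " + "; ".join(problems))
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        if hasattr(tarfile, "data_filter"):
            # Newer Python releases ship their own extraction filter; use it too.
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)


def build_sample(entries):
    """Build a constructed in-memory tar from (name, kind, payload) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "sym":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
            else:
                body = payload.encode()
                info.size = len(body)
                tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


# Constructed samples: a well-formed application package and a malformed one.
GOOD = build_sample([("app/run.sh", "file", "echo hi\n"),
                     ("app/current", "sym", "run.sh")])
BAD = build_sample([("app/run.sh", "file", "echo hi\n"),
                    ("../outside.txt", "file", "x"),
                    ("app/etc", "sym", "/etc"),
                    ("app/up", "sym", "../../elsewhere")])

if __name__ == "__main__":
    for reason in unsafe_members(BAD):
        print("rejected:", reason)
```

Checking link targets as well as member names matters because a link that points outside the destination lets a later, innocently named member be written through it.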

The flaw CVE-2023-20076, however, also makes use of the Cisco routers' support for virtual machines and application containers. In this particular case, it has to do with how admins pass commands to start their applications. 

The researchers identified that the 'DHCP Client ID' option inside the Interface Settings was not being properly sanitized, granting them root-level access to the device and enabling them to "inject any OS command of our choosing." 
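The general pattern behind an unsanitized setting such as this one, as an added example that is not Cisco's code: a value pasted into a shell command line next to a hardened form that validates it against an allow-list and passes it as a single argument. The `dhcp-client` command name, the allowed character set and the setting names are hypothetical, and `echo` stands in for the real program so nothing is started.

```python
import re
import subprocess

# Assumed allow-list for a client identifier: short, no shell metacharacters.
CLIENT_ID_RE = re.compile(r"[A-Za-z0-9._:-]{1,64}")


def start_unsafe(client_id):
    """Vulnerable pattern: the setting becomes part of a shell command line."""
    cmd = f"echo dhcp-client --client-id {client_id}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def start_safe(client_id):
    """Hardened pattern: validate first, then pass the value as one argv item."""
    if not CLIENT_ID_RE.fullmatch(client_id):
        raise ValueError("invalid DHCP client ID")
    argv = ["echo", "dhcp-client", "--client-id", client_id]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def find_suspect_settings(settings):
    """Audit helper: names of stored settings whose values fail the allow-list."""
    return sorted(k for k, v in settings.items() if not CLIENT_ID_RE.fullmatch(v))


if __name__ == "__main__":
    value = "node1; echo INJECTED"  # constructed input with a shell separator
    print(start_unsafe(value))      # the shell runs a second command
    try:
        start_safe(value)
    except ValueError as exc:
        print("rejected:", exc)
```

The audit helper applies the same allow-list to settings that are already stored, which is one way to review existing configurations for values that should never have been accepted.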

Adding to this, the authors of the report highlight how "Cisco heavily prioritizes security in a way that attempts to prevent an attack from remaining a problem through reboots and system resets." 

However, they showed in a proof-of-concept video how the command-injection problem might be exploited to gain total access, enabling a malicious container to withstand device reboots or firmware updates. There are now only two options for removal: doing a complete factory reset or manually identifying and eradicating the malicious code. 

Furthermore, in a concluding remark, the Trellix researchers advised organizations to watch out for any suspicious containers installed on relevant Cisco devices, and recommended that companies that do not operate containers deactivate the IOx container framework completely. 

They highlighted that "organizations with impacted devices should update to the newest firmware immediately" as being the most crucial step to follow. 

Moreover, users are advised to apply the patch as soon as possible, in order to protect themselves from the vulnerabilities.  

ChatGPT: When Cybercrime Meets the Emerging Technologies


The immense capability of ChatGPT has left the entire globe abuzz. Indeed, it solves both practical and abstract problems, writes and debugs code, and even has the potential to aid with Alzheimer's disease screening. The OpenAI AI-powered chatbot, however, is at high risk of abuse, as is the case with many new technologies. 

How Can ChatGPT be Used Maliciously? 

Recently, researchers from Check Point Software discovered that ChatGPT could be utilized to create phishing emails. When combined with Codex, a natural language-to-code system by OpenAI, ChatGPT can develop and disseminate malicious code. 

According to Sergey Shykevich, threat intelligence group manager at Check Point Software, “Our researchers built a full malware infection chain starting from a phishing email to an Excel document that has malicious VBA [Visual Basic for Application] code. We can compile the whole malware to an executable file and run it in a machine.” 

He adds that ChatGPT primarily produces “much better and more convincing phishing and impersonation emails than real phishing emails we see in the wild now.” 

On the same subject, Lorrie Faith Cranor, director and Bosch Distinguished Professor of the CyLab Security and Privacy Institute and FORE Systems Professor of computer science and of engineering and public policy at Carnegie Mellon University, says, “I haven’t tried using ChatGPT to generate code, but I’ve seen some examples from others who have. It generates code that is not all that sophisticated, but some of it is actually runnable code[…]There are other AI tools out there for generating code, and they are all getting better every day. ChatGPT is probably better right now at generating text for humans, and may be particularly well suited for generating things like realistic spoofed emails.” 

Moreover, the researchers have also discovered hackers who use ChatGPT to create malicious tools such as info-stealers and dark web markets. 

What AI Tools are More Worrisome? 

Cranor says “I think to use these [AI] tools successfully today requires some technical knowledge, but I expect over time it will become easier to take the output from these tools and launch an attack[…]So while it is not clear that what the tools can do today is much more worrisome than human-developed tools that are widely distributed online, it won’t be long before these tools are developing more sophisticated attacks, with the ability to quickly generate large numbers of variants.” 

Furthermore, complications could also arise from the inability to detect whether code was created using ChatGPT. “There is no good way to pinpoint that a specific software, malware, or even phishing email was written by ChatGPT because there is no signature,” says Shykevich. 

What Could be the Solution? 

One of the methods OpenAI is opting for is to “watermark” the output of GPT models, which could later be used to determine whether they are created by AI or humans. 

In order to safeguard companies and individuals from these AI-generated threats, Shykevich advises using appropriate cybersecurity measures. While the current safeguards are still in effect, it is critical to keep upgrading and bolstering their application. 

“Researchers are also working on ways to use AI to discover code vulnerabilities and detect attacks[…]Hopefully, advances on the defensive side will be able to keep up with advances on the attacker side, but that remains to be seen,” says Cranor. 

While ChatGPT and other AI-backed systems have the potential to fundamentally alter how individuals interact with technology, they also carry some risk, particularly when used in dangerous ways. 

“ChatGPT is a great technology and has the potential to democratize AI,” adds Shykevich. “AI was kind of a buzzy feature that only computer science or algorithmic specialists understood. Now, people who aren’t tech-savvy are starting to understand what AI is and trying to adopt it in their day-to-day. But the biggest question, is how would you use it—and for what purposes?”  

Multiple Security Bugs Identified in EZVIZ Smart Cams

 

The vulnerabilities allow a hacker to remotely access the camera, download images, decrypt them, and circumvent authentication to inject code remotely. 

Security analysts at Bitdefender have published a detailed analysis on vulnerabilities in several lines of EZVIZ Internet of Things (IoT) cameras, a smart home security brand used across the globe. The vulnerabilities unearthed in at least five EZVIZ camera models could allow a hacker to remotely access the camera, download images, decrypt them, and circumvent authentication to inject code remotely.

"When daisy-chained, the discovered vulnerabilities allow an attacker to remotely control the camera, download images, and decrypt them," the researchers explained. "Use of these vulnerabilities can bypass authentication and potentially execute code remotely, further compromising the integrity of the affected cameras." 

The device models found to be affected are listed below: 

• CS-CV248 [20XXXXX72] - V5.2.1 build 180403 
• CS-C6N-A0-1C2WFR [E1XXXXX79] - V5.3.0 build 201719 
• CS-DB1C-A0-1E2W2FR [F1XXXXX52] - V5.3.0 build 211208 
• CS-C6N-B0-1G2WF [G0XXXXX66] - v5.3.0 build 210731 
• CS-C3W-A0-3H4WFRL [F4XXXXX93] - V5.3.5 build 22012 

Threat analysts discovered the first vulnerability (tracked as CVE-2022-2471) in the ‘configMotionDetectArea’ API endpoint. Subsequently, they identified an insecure direct object reference vulnerability at multiple API endpoints that paves a path for hackers to gain access to the camera, and a third remote vulnerability that allows hackers to exfiltrate the encryption key for the video. 

The final security bug, tracked under CVE-2022-2472, lets a hacker recover the administrator password and control the device. 

“Our analysis uncovered several vulnerabilities in the EZVIZ smart devices and their API endpoints that could allow an attacker to carry out a variety of malicious actions, including remote code execution and access to the video feed,” said Dan Berte, director, IoT Security at Bitdefender. “One of the main features of these devices is the ability to be accessed from anywhere the user has an internet connection.” 

The researchers advised users to apply the patches, update the software immediately, and regularly visit the manufacturer’s website for any EZVIZ camera security-related news. 

In August last year, Bitdefender security experts unearthed multiple zero-day vulnerabilities in a home baby monitor made by China-based developer Victure. In a security report, researchers disclosed a stack-based buffer flaw in the ONVIF server component of the Victure PC420 camera that allows hackers to plant code remotely on the victim device. When the flaw is exploited, hackers can discover cameras (not owned by them), command devices to broadcast camera feeds to a third party, and exploit the camera firmware.

GitHub Supply Chain Attack Cloned Thousands of Repositories to Target Developers

 

GitHub, a code repository with more than 83 million developers, has been targeted in a supply chain attack.

The attack was unearthed earlier this week by software developer Stephen Lacy and involved a hacker cloning more than 35,000 GitHub repositories and adding malicious code to them while keeping the original source code intact. Nearly 40 percent (13,000) of the repositories compromised originated from a single organization, called “redhat-operator-ecosystem” on the site, a spoof of the RedHat openshift ecosystem. 

The cloned projects attempted to lure users to click on them by spoofing genuine user accounts, using names identical to the original project and legitimate-sounding firm names. 

The malicious code exfiltrated environment variables containing sensitive data such as Amazon AWS credentials, API keys, and crypto keys, and it included a one-line backdoor. The malware also allowed remote hackers to execute arbitrary code on systems that installed or ran the clones. 

The weaponized code could lead to developers accidentally downloading cloned code repositories that contain malicious code. If used in their applications, this would then lead them to expose their users to code that includes malware. 

Fortunately, Lacy thwarted the attack by removing the affected projects and organizations including Golang, Bash, Python, Docker, JavaScript, and Kubernetes. GitHub confirmed that the original repositories weren’t compromised, and the clones have been quarantined and cleaned. 

According to security experts, cloning open-source code is common among developers. But, in this case, the hackers injected malicious code/links into genuine GitHub projects to target innocent users.

The methodology applied by hackers is identical to the approach unearthed by ReversingLabs last month, where typo-squatting packages were being picked up by GitHub-owned NPM, and then exfiltrated data from forms designed with the malicious packages. 

Additionally, the researchers identified more than two dozen infected packages, all cloning popular NPM packages, stretching back to December 2021. 

Thwarting supply chain attacks 

 GitHub has issued an advisory for guarding the code supply chain on its website. 

• For accounts employed for personal use as well as those used by organizations and enterprises, set up two-factor authentication. 
• Connect to GitHub using Secure Shell (SSH) keys. 
• For enterprises, centralize user authentication. 
• Design a vulnerability management program for dependencies that gives full visibility into any vulnerabilities in the code being used. 
• Avoid using passwords or API keys within the source code. 
• Block vulnerable coding patterns by reviewing and examining all pull requests before merging.

PrestaShop Sites Hit by Severe Security Flaw

 


Hackers are using a blend of known and undiscovered security flaws to insert malicious software into e-commerce websites running the PrestaShop platform, according to an urgent advisory from PrestaShop. There are currently 300,000 stores using PrestaShop, which is available in 60 different languages.

Operation objective:

Hackers exploit businesses that are running out-of-date software or modules, susceptible third-party modules, or a vulnerability that has not yet been identified. The store must be vulnerable to SQL injection attacks for the attack to succeed. PrestaShop versions 1.6.0.10 and later, and versions 1.7.8.2 and later running modules susceptible to SQL injection, are also affected by the vulnerability.

The recurring method is described in the PrestaShop security bulletin as follows:
  • The attacker makes a POST request to an endpoint vulnerable to SQL injection.
  • After around a second, the attacker sends a GET request to the homepage without any parameters.
  • This triggers the creation of a PHP file named blm.php at the root of the shop's directory.
  • The attacker then sends a GET request to the newly created file, blm.php, enabling them to carry out any command.

The hackers likely used this web shell to insert a fake payment form on the store's checkout page and steal payment card information from customers. To keep the site owner from learning that they had been compromised, the remote threat actors erased their trails after the attack.

Security measures 

Ensure that the site and all of its modules are updated to the most recent version. If the hackers were not careful in cleaning up the evidence, managers of compromised sites may find entries in the web server's access logs that show they were compromised.
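One way to search access logs for the request sequence in the bulletin, as an added example that is not PrestaShop's own tooling. It assumes the common/combined log format, a shop served from the site root, and a five-second window between the POST and the homepage GET; the log lines, addresses and the module path are constructed.

```python
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse(line):
    """Return (ip, time, method, target, status), or None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("target"), int(m.group("status"))


def find_blm_requests(lines, window=timedelta(seconds=5)):
    """Flag every request for blm.php and note whether the same client
    first sent a POST followed shortly by a parameterless homepage GET."""
    last_post = {}  # ip -> (time, target) of the most recent POST
    primed = {}     # ip -> POST target that was followed by GET /
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, target, status = rec
        path = target.split("?", 1)[0]
        if method == "POST":
            last_post[ip] = (ts, target)
        elif method == "GET" and target == "/" and ip in last_post:
            post_ts, post_target = last_post[ip]
            if timedelta(0) <= ts - post_ts <= window:
                primed[ip] = post_target
        elif method == "GET" and path.endswith("/blm.php"):
            findings.append({
                "ip": ip,
                "time": ts.isoformat(),
                "status": status,
                "full_sequence": ip in primed,
                "post_endpoint": primed.get(ip),
            })
    return findings


# Constructed sample log (documentation address ranges, hypothetical module path).
SAMPLE_LOG = """\
198.51.100.7 - - [25/Jul/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.7 - - [25/Jul/2022:10:00:09 +0000] "POST /index.php?controller=cart HTTP/1.1" 200 310
203.0.113.9 - - [25/Jul/2022:10:02:11 +0000] "POST /modules/example/ajax.php HTTP/1.1" 200 12
203.0.113.9 - - [25/Jul/2022:10:02:12 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.9 - - [25/Jul/2022:10:02:14 +0000] "GET /blm.php HTTP/1.1" 200 0
198.51.100.7 - - [25/Jul/2022:10:03:40 +0000] "GET /?id_category=3 HTTP/1.1" 200 4800
192.0.2.44 - - [25/Jul/2022:10:05:00 +0000] "GET /blm.php?x=1 HTTP/1.1" 404 162
""".splitlines()

if __name__ == "__main__":
    for hit in find_blm_requests(SAMPLE_LOG):
        print(hit)
```

A hit with `full_sequence` set and a 200 status points at the endpoint that received the preceding POST; a lone 404 for blm.php is more likely a probe than a successful compromise.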

The addition of malicious software to files through file modifications and the activation of the MySQL Smarty cache storage, which is a component of the attack chain, are additional indications of compromise.

Because of the exploit's intricacy, there are various techniques to use it, and hackers might also try to cover their traces. To ensure that no file has been edited or malicious software has been installed, think about hiring a professional to conduct a thorough audit of the website.



Attack Against NPM Software Supply Chain Unearthed

 

Iconburst's most recent attack is described as a massive and well-planned effort to spread malicious JavaScript packages through the open-source NPM package system.

Upon further analysis, evidence of a planned supply chain assault was found, with numerous NPM packages containing jQuery scripts created to steal data from deployed apps that use them, as per researchers.

ReversingLabs noted that the malicious packages it identified are probably used by hundreds or thousands of downstream mobile and desktop programs as well as websites, even if the full scope of this assault is still unknown. In one instance, malicious software had been downloaded more than 17,000 times.

Obfuscation used 

The firm said that its analysis of the modules had found signs of coordination, with malicious modules linked to a select group of NPM publishers and recurrent patterns in the infrastructure that supported them, such as unencrypted domains.

“The revelation of a javascript obfuscator was the first trigger for our team to examine a broad variety of NPM packages, the majority of which had been released within the previous two months and utilized the stated obfuscator. It revealed more than 20 NPM packages in total. When these NPM modules are examined in greater detail, it becomes clear that they are associated with one of a small number of NPM accounts with names like ionic-io, arpanrizki, kbrstore, and aselole,” according to ReversingLabs. 

Meanwhile, Checkmarx said, "Roughly a thousand unique user accounts released over 1200 NPM packages to the registry, which we found. Automation was used, which allowed for the successful completion of the NPM 2FA challenge. At this moment, this collection of packages appears to be a part of an attacker's testing." 

Obfuscated malware data theft 

The de-obfuscated samples underwent a thorough analysis, which showed that every one of them collects form data using jQuery Ajax methods and subsequently exfiltrates that data to various domains controlled by the malicious authors.

To exfiltrate serialized form data to domains under the attacker's control, the malicious packages employ a modified script that extends the functionality of the jQuery ajax() function. The function verifies the URL content before transmitting the data to carry out target filtering checks. 

Attack on supply chain 

The NPM modules which ReversingLabs found have been downloaded more than 27,000 times in total. The attacks occurred for months before coming to attention because very few development firms can identify malicious software within open source libraries and modules.

"It is certain from the report of this study that software development businesses and their clients both require new tools and procedures for evaluating supply chain risks, such as those posed by these malicious NPM packages," researchers said.

"Applications and services are only as secure as their weakest component due to the decentralized and modular nature of application development. The attack's success—more than two dozen malicious modules were made available for download on a well-known package repository, and one of them received 17,000 downloads in just a few weeks—underscores the lax standards for application development and the low barriers that prevent malicious or even vulnerable code from exploiting IT environments and sensitive applications," ReversingLabs further added.

Several QNAP NAS Devices are Vulnerable to the Dirty Pipe Linux Bug

 

The "Dirty Pipe" Linux kernel weakness – a high-severity vulnerability that offers root access to unprivileged users with local access in all major distros – affects a majority of QNAP's network-attached storage (NAS) appliances, the Taiwanese company stated. 

The Linux kernel on QNAP NAS running QTS 5.0.x and QuTS hero h5.0.x, according to QNAP, is affected by Dirty Pipe, a recently revealed local privilege-escalation vulnerability. If this vulnerability is exploited, an unprivileged local user can get admin privileges and insert malicious code. 

The flaw was identified and reported eight days ago by security researcher Max Kellermann of CM4all. The vulnerability, which has been identified as CVE-2022-0847, has been present in the Linux kernel since version 5.8. Fortunately, Linux kernels 5.10.102, 5.15.25, and 5.16.11 have been updated to address the issue. 

However, as Linux news site Linuxiac points out, Dirty Pipe is not simply a threat to Linux machines: because Android is built on the Linux kernel, any device running kernel version 5.8 or later is vulnerable, putting a large number of people at risk. For example, Linuxiac cited the Google Pixel 6 and Samsung Galaxy S22: the widely used phones run on Linux kernel 5.10.43, making them susceptible.

"QNAP will hopefully deliver a kernel update for the vulnerability soon," said Mike Parkin, a highly experienced engineer at Vulcan Cyber. "This is the storage device vendor's second recent incident," Parkin further pointed out in an email.

NAS devices, which allow authorized users and customers to store and retrieve data from a single location, boost productivity by providing cloud computing capabilities inside networks, according to Schless. Dirty Pipe has been compared by some to Dirty Cow, an older privilege escalation flaw (CVE-2016-5195) that had been in Linux for nine years, since 2007, before it was publicly exploited in 2016 against web-facing Linux servers.

Dirty Pipe is a lot like Dirty Cow, except that it is a lot worse because it is easy to exploit. According to Parkin, the vulnerability's mitigating factor is that it requires local access, which reduces the danger marginally. The Dirty Pipe flaw has also been fixed in the newest Linux kernel code. Furthermore, patches for the major distributions are expected to be available soon.

Multiple Security Bugs Identified in Software Package Managers

 

Cybersecurity researchers at SonarSource have unearthed multiple security bugs in popular package managers including Pip, Yarn, Composer, and others. The vulnerabilities can be exploited to run arbitrary code and access sensitive details, including source code and access tokens, from vulnerable devices. 

However, it is worth noting that exploiting the security bugs requires a victim to handle a malicious package with one of the vulnerable package managers.

"This means that an attack cannot be launched directly against a developer machine from remote and requires that the developer is tricked into loading malformed files," Paul Gerste, a researcher at SonarSource explained. "But can you always know and trust the owners of all packages that you use from the internet or company-internal repositories?" 

Package managers are systems or collections of tools that automate the installation, upgrade, and configuration of third-party dependencies required for building applications. 

Multiple security bugs in various package managers indicate that they could be exploited by malicious actors to trick victims into running malicious code. The vulnerabilities have been discovered in the following package managers:

• Composer 1.x < 1.10.23 and 2.x < 2.1.9
• Bundler < 2.2.33
• Bower < 1.8.13
• Poetry < 1.1.9
• Yarn < 1.22.13
• pnpm < 6.15.1
• Pip (no fix)
• Pipenv (no fix)

The most severe flaw is a command injection bug in Composer's browse command that could be exploited to execute arbitrary code by adding a URL to a malicious package that has already been published. If threat actors employ typosquatting or dependency confusion methodologies, it is possible that invoking the browse command for the library may lead to the retrieval of a next-stage payload, which can subsequently be used to launch further cyber assaults, researchers explained.

Following responsible disclosure of the vulnerabilities in September last year, patches for the security bugs were released for Composer, Bundler, Bower, Poetry, Yarn, and Pnpm. However, Composer, Pip, and Pipenv, which are all impacted by the untrusted search path bug, have chosen not to patch the vulnerability. 

"Developers are an attractive target for cybercriminals because they have access to the core intellectual property assets of a company: source code," Gerste concluded. "Compromising them allows attackers to conduct espionage or to embed malicious code into a company's products. This could even be used to pull off supply chain attacks."

Trend Micro Patches Critical Bugs in its Security Products

 

Trend Micro has addressed two high-severity bugs impacting its hybrid cloud security devices. The researchers responsible for identifying the flaws have released the details and proof-of-concept (PoC) exploits. 

The flaws, tracked as CVE-2022-23119 and CVE-2022-23120, affect Deep Security and Cloud One workload security solutions, specifically the Linux agent feature. 

The security loopholes were unearthed by researchers at Swiss-German cybersecurity firm modzero, which also published PoC exploits the same day Trend Micro released the security patches i.e., on January 19. The researchers first reported the vulnerabilities to Trend Micro in September and patches were released between October and December. 

The researchers at Modzero identified that the Deep Security Agent for Linux is impacted by a directory traversal bug that could be exploited by malicious actors to read arbitrary files and a code injection issue that could be abused to escalate privileges and execute code as root. However, a threat actor needs access to the targeted system, and exploitation is only possible if the agent has not been activated or configured. 

Additionally, Modzero’s researchers noticed that a hardcoded default X.509 certificate and a corresponding private key are shipped with the agent software. The certificate is used to establish communication with the server before the agent is activated. 

“The Trend Micro Deep Security Agent authenticates remote servers using mutual TLS (mTLS): Both the server and the agent identify each other by presenting a certificate. The agent software ships with a hardcoded default X.509 certificate and a corresponding private key. Until the agent is configured (‘activated’) by the server component this certificate is used in communications with the server. It is stored in the shared object file /opt/ds_agent/lib/dsa_core.so. The agent software uses a certificate authority (CA) to establish the server’s identity,” researchers explained.

“When the server connects to the agent, its certificate is validated against this CA. However, the agent uses its own certificate also as a CA. As this certificate ships with a private key, it is possible for an attacker to create and sign their own server certificate, imitate a server and to send commands to the client software.”

Last week, Trend Micro informed users regarding an information disclosure bug impacting its Worry-Free Business Security small business product. However, that flaw was assigned a “low severity” rating.