Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Open Source Software. Show all posts

The Rise of Weaponized Software: How Cyber Attackers Outsmart Traditional Defenses

 

As businesses navigate the digital landscape, the threat of ransomware looms larger than ever before. Each day brings new innovations in cybercriminal techniques, challenging traditional defense strategies and posing significant risks to organizations worldwide. Ransomware attacks have become increasingly pervasive, with 66% of companies falling victim in 2023 alone, and this number is expected to rise. In response, it has become imperative for businesses to reassess their security measures, particularly in the realm of identity security, to effectively combat attackers' evolving tactics.
 
Ransomware has evolved beyond merely infecting computers with sophisticated malicious software. Cybercriminals have now begun exploiting legitimate software used by organizations to conduct malicious activities and steal identities, all without creating custom malware. One prevalent method involves capitalizing on vulnerabilities in Open Source Software (OSS), seamlessly integrating malicious elements into OSS frameworks. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about this growing trend, citing examples like the Lockbit operation, where cyber attackers leverage legitimate, free software for nefarious purposes. Conventional endpoint security solutions often lack the necessary behavior analytics capabilities to detect subtle indicators of compromise. 

As a result, attackers can exploit tools already employed by organizations to acquire admin privileges more easily while evading detection. This underscores the need for organizations to stay abreast of evolving techniques and adapt their defense strategies accordingly. Throughout the ransomware attack lifecycle, cybercriminals employ a variety of tactics to advance their missions. 

From initial infection to data exfiltration, each stage presents unique challenges and opportunities for attackers. For example, attackers may exploit vulnerabilities, manipulate cookies, or employ phishing emails to gain initial access. Once inside a network, they utilize legitimate software for persistence, privilege escalation, lateral movement, encryption, and data exfiltration. 

One critical aspect of mitigating the risk posed by ransomware is embracing an identity-centric defense-in-depth approach. This approach places emphasis on important security controls such as endpoint detection and response (EDR), anti-virus (AV)/next-generation antivirus (NGAV), content disarm and reconstruction (CDR), email security, and patch management. By prioritizing least privilege and behavior analytics, organizations can strengthen their defenses and mitigate the risk of falling victim to ransomware attacks. 

As ransomware attacks continue to evolve and proliferate, organizations must prioritize identity security and adopt a proactive approach to defense. By recognizing and addressing the tactics employed throughout the ransomware attack lifecycle, businesses can bolster their defenses, enhance identity security, and safeguard against the ever-evolving threat of ransomware.

Securing Open Source: A Comprehensive Guide

Open-source software has become the backbone of many modern applications, providing cost-effective solutions and fostering collaborative development. However, the open nature of these projects can sometimes raise security concerns. Balancing the benefits of open source with the need for robust security measures is crucial for organizations leveraging these resources.

In a comprehensive guide by CIO.com, strategies are outlined to ensure organizations get the most out of open source without compromising security. The emphasizes on the importance of proactive measures, such as regular security assessments, vulnerability monitoring, and code analysis. By staying informed about potential risks, organizations can mitigate security threats effectively.

One key aspect highlighted in the guide is the need for a well-defined open-source governance policy. This involves establishing clear guidelines for selecting, managing, and monitoring open-source components. Organizations can reduce the likelihood of introducing vulnerabilities into their systems by implementing a structured approach to open-source usage.

Snyk, a leading security platform, contributes to the conversation by emphasizing the significance of managing open-source components. Their series on open-source security delves into the intricacies of handling these components effectively. The importance of continuous monitoring, regular updates, and patch management to address vulnerabilities promptly.

Furthermore, the guide points out the value of collaboration between development and security teams. This interdisciplinary approach ensures that security considerations are integrated into the development lifecycle. By fostering communication and shared responsibility, organizations can build a culture where security is not an afterthought but an integral part of the development process.

Drift offers a unique perspective on enhancing security through intelligent communication to complement these insights. Their platform enables organizations to streamline interactions, facilitating quick responses to potential security incidents. In a landscape where rapid communication is key, tools like Drift can enhance incident response times, minimizing the impact of security breaches.

It takes careful balance to maximize the benefits of open source while upholding strict security guidelines. The tools offered by Drift, Snyk, and CIO.com address this issue comprehensively. Organizations can optimize the advantages of open source without compromising security by implementing proactive security measures, clearly establishing governance standards, and encouraging team cooperation.






CIA's AI Chatbot: A New Tool for Intelligence Gathering

The Central Intelligence Agency (CIA) is building its own AI chatbot, similar to ChatGPT. The program, which is still under development, is designed to help US spies more easily sift through ever-growing troves of information.

The chatbot will be trained on publicly available data, including news articles, social media posts, and government documents. It will then be able to answer questions from analysts, providing them with summaries of information and sources to support its claims.

According to Randy Nixon, the director of the CIA's Open Source Enterprise division, the chatbot will be a 'powerful tool' for intelligence gathering. "It will allow us to quickly and easily identify patterns and trends in the data that we collect," he said. "This will help us to better understand the world around us and to identify potential threats."

The CIA's AI chatbot is part of a broader trend of intelligence agencies using AI to improve their operations. Other agencies, such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI), are also developing AI tools to help them with tasks such as data analysis and threat detection.

The use of AI by intelligence agencies raises several concerns, including the potential for bias and abuse. However, proponents of AI argue that it can help agencies to be more efficient and effective in their work.

"AI is a powerful tool that can be used for good or for bad," said James Lewis, a senior fellow at the Center for Strategic and International Studies. "It's important for intelligence agencies to use AI responsibly and to be transparent about how they are using it."

Here are some specific ways that the CIA's AI chatbot could be used:

  • To identify and verify information: The chatbot could be used to scan through large amounts of data to identify potential threats or intelligence leads. It could also be used to verify the accuracy of information that is already known.
  • To generate insights from data: The chatbot could be used to identify patterns and trends in data that may not be apparent to human analysts. This could help analysts to better understand the world around them and to identify potential threats.
  • To automate tasks: The chatbot could be used to automate tasks such as data collection, analysis, and reporting. This could free up analysts to focus on more complex and strategic work.

The CIA's AI chatbot is still in its early stages of development, but it has the potential to revolutionize the way that intelligence agencies operate. If successful, the chatbot could help agencies to be more efficient, effective, and responsive to emerging threats.

However, it is important to note that the use of AI by intelligence agencies also raises several concerns. For example, there is a risk that AI systems could be biased or inaccurate. Additionally, there is a concern that AI could be used to violate people's privacy or to develop autonomous weapons systems.

It is important for intelligence agencies to be transparent about how they are using AI and to take steps to mitigate the risks associated with its use. The CIA has said that its AI chatbot will follow US privacy laws and that it will not be used to develop autonomous weapons systems.

The CIA's AI chatbot is a remarkable advancement that might have a substantial effect on how intelligence services conduct their business. To make sure that intelligence services are using AI properly and ethically, it is crucial to closely monitor its use.

ChatGPT's Effective Corporate Usage Might Eliminate Systemic Challenges

 

Today's AI is highly developed. Artificial intelligence combines disciplines that make an effort to essentially duplicate the capacity of the human brain to learn from experience and generate judgments based on that experience. Researchers utilize a variety of tactics to do this. In one paradigm, brute force is used, where the computer system cycles through all possible solutions to a problem until it finds the one that has been proven to be right.

"ChatGPT is really restricted, but good enough at some things to provide a misleading image of brilliance. It's a mistake to be depending on it for anything essential right now," said OpenAI CEO Sam Altman when the software was first launched on November 30. 

According to Nicola Morini Bianzino, global chief technology officer at EY, there's presently no killer use case for ChatGPT in the industry which will significantly affect both the top and bottom lines. They projected that there will be an explosion of experimentation over the next six to twelve months, particularly after businesses are able to develop over the top of ChatGPT utilizing OpenAI's API.

While OpenAI CEO Sam Altman has acknowledged that ChatGPT and other generative AI technologies face several challenges, ranging from possible ethical implications to accuracy problems.

According to Bianzino, this possibility for generative AI's future will have a big impact on enterprise software since companies would have to start considering novel ways to organize data inside an enterprise that surpasses conventional analytics tools. The ways people access and use information inside the company will alter as ChatGPT and comparable tools advance and become more capable of being trained on an enterprise's data in a secure manner.

As per Bianzino, the creation of text and documentation will also require training and alignment to the appropriate ontology of the particular organization, as well as containment, storage, and control inside the enterprise. He stated that business executives, including the CTO and CIO, must be aware of these trends because, unlike quantum computing, which may not even be realized for another 10 to 15 years, the actual potential of generative AI may be realized within the next six to twelve months.

Decentralized peer-to-peer technology mixed with blockchain and smart contracts capabilities overcome the traditional challenges of privacy, traceability, trust, and security. By doing this, data owners can share insights from data without having to relocate or otherwise give up ownership of it.



Attack Against NPM Software Supply Chain Unearthed

 

Iconburst's most recent attack is described as a massive and well-planned effort to spread malicious Javascript packages distributed through the open-source NPM package system.

Upon further analysis, evidence of a planned supply chain assault was found, with numerous NPM packages containing jQuery scripts created to steal data from deployed apps that use them, as per researchers.

ReversingLabs noted that the malicious packages we identified are probably used by hundreds or thousands of downstream mobile and desktop programs as well as websites, even if the full scope of this assault is still unknown. In one instance, malicious software had been downloaded more than 17,000 times.

Obfuscation used 

The firm said that its analysis of the modules had found signs of coordination, with malicious modules linked to a select group of NPM publishers and recurrent patterns in the infrastructure that supported them, such as unencrypted domains.

“The revelation of a javascript obfuscator was the first trigger for our team to examine a broad variety of NPM packages, the majority of which had been released within the previous two months and utilized the stated obfuscator. It revealed more than 20 NPM packages in total. When these NPM modules are examined in greater detail, it becomes clear that they are associated with one of a small number of NPM accounts with names like ionic-io, arpanrizki, kbrstore, and aselole,” according to ReversingLabs. 

Meanwhile, Checkmarx said, "Roughly a thousand unique user accounts released over 1200 NPM packages to the registry, which we found. Automation was used, which allowed for the successful completion of the NPM 2FA challenge. At this moment, this collection of packages appears to be a part of an attacker's testing." 

Obfuscated malware data theft 

The de-obfuscated examples underwent a thorough analysis, which showed that every one of them collects form data using jQuery Ajax methods and subsequently exploits that data to different domains controlled by malevolent writers.

To exfiltrate serialized form data to domains under the attacker's control, the malicious packages employ a modified script that extends the functionality of the jQuery ajax() function. The function verifies the URL content before transmitting the data to carry out target filtering checks. 

Attack on supply chain 

The NPM modules which ReversingLabs found have been downloaded more than 27,000 times in total. The attacks occurred for months before coming to attention because very few development firms can identify malicious software within open source libraries and modules.

"It is certain from the report of this study that software development businesses and their clients both require new tools and procedures for evaluating supply chain risks, such as those posed by these malicious NPM packages," researchers told.

"Applications and services are only as secure as their weakest component due to the decentralized and modular nature of application development. The attack's success—more than two dozen malicious modules were made available for download on a well-known package repository, and one of them received 17,000 downloads in just a few weeks—underscores the lax standards for application development and the low barriers that prevent malicious or even vulnerable code from exploiting IT environments and sensitive applications," ReversingLabs further added.

Mac Coinminer Employs a Novel Approach to Mask Its Traffic

 

A Mac coinminer has been discovered exploiting customizable open-source software to enhance its malicious activity. This sample incorporates a variety of altered open-source elements which the malicious actor customized to fulfill the agenda. The sample was indeed discovered concealing its network traffic with i2pd (called I2P Daemon). The Invisible Internet Protocol, or I2P client, is constructed in C++ by I2pd. I2P is a worldwide anonymous network layer which enables anonymous end-to-end encrypted communication without revealing the participants' real IP addresses. 

Coinminer is the major malware sample which has been found. MacOS. MALXMR.H is a Mach-O file which was also identified by numerous vendors because it includes XMRig-related strings as sourcing tools like Yara. Its accessibility makes, XMRig to be often utilized by other viruses to execute crypto mining. 

The primary Mach-O sample was discovered to be ad hoc-signed. This indicates the Mach-O binary is difficult to run on Mac systems, and Gatekeeper, a built-in security mechanism for macOS which enforces code signing, may prohibit it. 

The Mach-O sample is suspected to have arrived in a DMG (an Apple image format for compressing installations) of Adobe Photoshop CC 2019 v20.0.6. Apparently, the parent file could not be located. The piece of code was identified in one of its discarded files, which led to the conclusion. The sample attempts to create a non-existent file in the /Volumes path in this code. It's worth noting when double-tapping DMG files on macOS, they get automatically mounted in the /Volumes directory. 

Several embedded Mach-O files were discovered in the core Mach-O sample (detected as Coinminer.MacOS.MALXMR.H). It uses the API to elevate rights by enabling the user for authentication when it is performed. The following files have been deposited into the system by the sample:
  •  /tmp/lauth /usr/local/bin/com.adobe.acc.localhost
  •  /usr/local/bin/com.adobe.acc.network
  •  /usr/local/bin/com.adobe.acc.installer.v1 

As per Trend Micro, the sample used the auth file for persistence. The Mach-O file is in charge of creating the persistence files for the malware:
LaunchDaemons/com.adobe.acc.installer.v1.plist. 

"The file is an XMRig command-line app which has been modified. When launching the app, enter help or version in the variables to see what it's about. The help argument displays a list and overview of the parameters which can be utilized, whereas the version parameter reveals the version of the XMRig binary," according to the experts.

It is suggested to update the products and keep up with the latest patterns. Users should avoid downloading apps from shady websites and exercise excellent digital hygiene.

Linux Foundation Expert Advices, Open Source Deployment, Fighting Against Vulnerabilities

 

The Census II study's preliminary findings strongly suggest that open source initiatives require supporting toolsets, infrastructure, people, and good governance in order to function as a stable and healthy upstream project for your company. It's not nearly as horrible as it sounds, because not all flaws can be exploited.

Wheeler cited a report from Synopsys, a software security and IoT (Internet of Things) company – each application has an average of 528 open source components, 84% of codebases have at least one vulnerability, and that the average number of vulnerabilities per codebase is 158. An audit of 1,546 codebases was conducted, with a codebase being defined as "the code and accompanying libraries that make up an application or service." "If you're concerned about security, you'll inspect the software." Nonetheless, open-source is possibly safer, because of the long-standing secure software design principle that "the protective method must not rely on attacker ignorance," as outlined in a 1974 work by Jerome Saltzer and Michael Schroeder.

This is a benefit of open-source software. "The many eyes theory works," Wheeler added. Vulnerable software does not get updated, which is a big part of the problem. Many apps and systems do not update all of the components that they use. This is also true for closed source, although "open source software is used a lot more." 

Developers should "learn how to design and acquire secure software," according to the report, which lists a number of free courses, best practices, and tools. A flaw in test-driven development, according to Wheeler, is that the model of writing a test and then writing the code to make the test pass does not include negative tests, implying that there is a need to test to ensure that things that should not happen do not happen. A failure to include negative tests is one of the major issues in many test suites today. It's how the Apple goto fail vulnerability came to be, according to Wheeler, who was referring to this problem. Use caution while dealing with software that hasn't been utilized in a long time. "There will very certainly be no reviewers if there are no users. It's not a problem if you don't utilize it " If it is still required, the remedy is to "look at it yourself." 

In summation, although the problem is difficult to solve, there are several initiatives that may help. The SPDX project, which specifies the "bill of materials" utilized by a software library or application, and the Open Source Security Metrics (OpenSSF) dashboard, which, though still in its early stages, assists developers and users in assessing the security of specific packages. 

Alibaba Cloud Punished for Not Sharing Log4j Vulnerability First with the Government

 

China’s Ministry of Industry and Information Technology (MIIT) has suspended its collaboration with Alibaba Cloud for six months to mark their protest after the company failed to inform the government regarding the discovery of Log4Shell vulnerability. 

Chen Zhaojun of Alibaba cloud security discovered the flaw and reported Apache Software Foundation (ASF), developer of Log4j, on November 24 regarding the critical flaw in the open-source software tool. But MIIT, China’s leading internet regulator, only became aware of the bug 15 days later on Dec. 9 via a cybersecurity report, likely not submitted by Alibaba.

Tracked as CVE-2021-44228, the vulnerability can be abused to gain full control over susceptible systems, and it has been exploited by both attackers and state-sponsored threat groups, likely even before an official patch was released on December 6.

According to the Chinese outlet, the 21st Century Herald, Chinese authorities were displeased with the fact that they were not informed first about the Log4j vulnerability. As a punishment, the MIIT, which has been operating a threat intelligence sharing platform since late 2019, said it would suspend its partnership with Alibaba Cloud for six months, after which it will reassess the firm’s corrective measures and suitability. 

"Recently, after discovering serious security vulnerabilities in the Apache Log4j2 component, Alibaba Cloud failed to report to the telecommunications authorities in a timely manner and did not effectively support the Ministry of Industry and Information Technology to carry out cyber security threats and vulnerability management," the local media report said. 

A law passed this year in China makes it mandatory for all companies to report vulnerabilities to state regulators within two days. While security flaws can be revealed to the affected vendor, they cannot be sold or passed on to third parties outside of China. Additionally, the Cyberspace Administration of China disclosed a new set of laws that reclassified data and presented multiple sets of fines for violations of cybersecurity policy.

Earlier this year, Alibaba was hit with a record antitrust fine of 18.2 billion yuan, for violating government monopoly regulations. The Chinese State Administration described the firm’s behavior as having “eliminated and restricted competition in the online retail platform service market” as well as having “infringed on the business of the merchants on the platform.”

Multiple Critical Vulnerabilities Identified in Concrete CMS

 

Fortbridge researchers have unearthed multiple security bugs in a popular open-source content management system (CMS) allowing threat actors to secure full control of the underlying web server.

The vulnerabilities become more threatening when combined with the insecure use of the uniqid() function that allows cybercriminals with low privileges to achieve remote code execution (RCE). 

“The uniqid() function was not cryptographically secure. Instead, it returned a pseudo-random number, allowing us to guess the name of a pseudo-random directory and then upload a web shell on the server,” Adrian Tiron from Fortbridge explained. As of 2021, more than 62,000 live websites are designed with Concrete CMS. 

The first bug discovered is a race condition in the file upload function that allows a Concrete CMS user to upload files from a remote server. Files are downloaded to ‘$temporaryDirectory’ – a class called VolatileDirectory which creates a temporary directory, that gets deleted at the end of each request.

According to cybersecurity researchers, the name designed of the directory will always be random, and so in order to guess the name of it, researchers needed to brute-force this directory to find where it was coming from. A single brute-force request takes 100ms to implement, meaning that researchers needed more time to carry out their attack. As they looked to bypass the 60-second cURL timeout, they turned to the uniqid() function, which returned the time and day to the microsecond. 

“We will add a sleep() for 30-60 seconds in the test.php file which gets downloaded from the remote server. This will basically force the CMS to keep the $temporaryDir directory for 30-60 seconds on the local filesystem before deleting it. Enough time for us to brute-force the directory name with Burp Turbo Intruder,”  researchers added.

How to keep site safe 

Users should always keep software up to date with security patches and new releases. This includes operating systems, web services, server-side parsers, content management systems, databases, and all plug-ins.

Users are advised to uninstall all applications and services that aren't necessary and only run services that are required for their website and CMS to operate. Use a password manager which will help in ensuring that you use unique passwords on every site.

Malicious Code Injected in Popular 'coa' and 'rc' Open Source Libraries

 

Coa, a popular library from npm, a manager for the JavaScript programming language, has been hijacked by hackers who published new versions equipped with password-stealing malware.

The 'coa' library, short for Command-Option-Argument, gets around 9 million downloads a week on npm, and is used by almost 5 million open-source GitHub repositories. The assault on coa will severely impact countless React pipelines around the globe, Bleeping Computer reported. 

Soon after spotting the hijack, security researchers also uncovered another popular npm component- 'rc'- also being impacted. The 'rc' library nets 14 million downloads a week on average. According to the security team of the npm, both packages were compromised simultaneously and were the result of threat actors securing access to a package developer’s account. 

Once inside, the hacker adds a post-installation script to the original codebase, which runs an obfuscated TypeScript used for downloading a Windows batch or Linux bash script depending on the OS of the machine running the software. The compromised coa versions are 2.0.3, 2.0.4, 2.1.1, 2.1.3, 3.0.1, 3.1.3, while compromised rc versions are 1.2.9, 1.3.9, 2.3.9

The last stable coa version 2.0.2 was released in December 2018, but developers around the world were left surprised when several suspicious versions 2.0.3, 2.0.4, 2.1.1, 2.1.3, and 3.1.3 began appearing on npm as of a few hours ago, breaking React packages that depend on 'coa'. 

The security team of the NPM has reportedly disabled the compromised versions of coa. “Users of affected versions (2.0.3 and above) should downgrade to 2.0.2 as soon as possible and check their systems for suspicious activity. See this issue for details as they unfold. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it,” the maintainers stated.

Several Critical Flaws Discovered in Telecoms Stack Software FreeSwitch

 

Enable Security researchers have released details regarding a set of five vulnerabilities in telecoms stack software FreeSwitch. 

The vulnerabilities in FreeSwitch lead to denial of service, authentication problems,   and information leakage for systems running FreeSwitch quintet of flaws, as told by the researchers from German telecoms security consultancy Enable Security. FreeSwitch is an open-source communication platform enabling the digital transformation from proprietary telecom switches to a versatile software execution that operates on any commodity hardware.

All five vulnerabilities were patched with FreeSwitch 1.10.7, released on October 25. According to security experts, this particular denial of service needs no authentication to trigger. Companies running the affected software should patch their systems or risk being compromised. 

The critical vulnerability flaw (CVE-2021-41145, CVSS score 8.6) leaves FreeSwitch in danger of denial of service via SIP flooding. If an attacker targets a switch with sufficient malicious SIP messages, then it can exhaust the memory of a device. 

Subsequently, a moderate severity flaw (CVE-2021-41158) allows cybercriminals to carry out a SIP digest leak attack against FreeSwitch and receive the challenge-response of a gateway configured on the FreeSwitch server. This leaked data might be used to determine a gateway password. 

Finally, a failure of previous versions of FreeSwitch to authenticate SIP ‘SUBSCRIBE’ requests, which are used to subscribe to user agent event notifications, created a moderate privacy risk.

"Each vulnerability has a different impact. The worst one is the DoS due to the SIP flood since in RTC downtime is a huge deal. [It's] hard for me to say how many are affected. There will be more with a custom User-Agent header. And various systems will be internal / not responding to Shodan / hiding behind an SIP router / SBC etc.,” stated Sandro Gauci, the researcher who led the team at Enable Security which carried out the research. 

"We've been advocating for more security research/testing in the area because many security professionals seem to ignore the topic. FreeSwitch developers were very receptive and we were happy to work with them on these issues" Gauci concluded with a hope that Enable's work might inspire other researchers to look into the security. 

TA551 Employs the SLIVER Red Team Tool

 

According to cybersecurity firm Proofpoint, the cybercriminal group known as TA551 has demonstrated a significant shift in tactics with the inclusion of the open-source pentest tool Sliver to its arsenal. 

Proofpoint has been tracking TA551 as a criminal threat actor since 2016. Other security firms refer to it as Shathak. TA551 acquires access to stolen mails or hacked email accounts – commonly known as thread hijacking – which it exploits in email campaigns to disseminate malware, according to Proofpoint. Ursnif, IcedID, Qbot, and Emotet were among the malware payloads released by TA551. For ransomware threat actors, this actor serves as an initial access facilitator. 

The use of SLIVER by TA551 illustrates the actor's versatility. TA551 would compromise a victim and potentially broker access to enable the deployment of Cobalt Strike and eventually ransomware as an established initial access broker exploiting initial access via email threat campaigns. SLIVER allows TA551 actors to obtain rapid access to victims and engage with them, giving them more direct capabilities for execution, persistence, and lateral mobility. This could eliminate the need for secondary access. 

Proofpoint has discovered that their banking trojan-based operations have resulted in ransomware attacks. Proofpoint examines with a high level of certainty. In 2020, TA551 IcedID implants were linked to the Maze and Egregor ransomware attacks.

Proofpoint discovered emails that seemed to be answers to prior conversations but included password-protected compressed Word documents on October 20, 2021. Sliver, an open-source, cross-platform adversary simulation, and red team platform are downloaded from the attachments. The activity differed significantly from the strategies, techniques, and processes used in TA551. When a victim opens the zipped attachment, they are routed to a Microsoft Word document with macros. SLIVER is downloaded if macros are enabled. 

Information collection, command and control (C2) functionality, token manipulation, process injection, and other functions are all available for free online with SLIVER. Cybercrime threat actors are increasingly relying on red teaming techniques. Between 2019 and 2020, for example, Proofpoint saw a 161% rise in threat actors using the red teaming tool Cobalt Strike. Lemon Tree and Veil are two further offensive frameworks that appear to be employed as first-stage payloads by cybercriminals. 

Cybercriminals' adoption of Sliver comes only months after US and UK government agencies warned that Russian state-sponsored cyberspy organization APT29 had added the pentest framework to their arsenal. However, the move is unsurprising, as security specialists have long warned of the blurring line between nation-state and cybercriminal activity, with each side adopting strategies from the other to better mask their footprints, or engaging in both sorts of operations.

Misconfigured Apache Airflow Servers Expose Thousands of Credentials

 

Researchers from the security firm Intezer uncovered a slew of misconfigured Apache Airflow servers that were exposing sensitive information, including credentials, from a number of IT organizations. 

Apache Airflow is an open-source workflow management software that is used by numerous businesses across the world to automate business and IT activities. 

The post published by Intezer stated, “These unsecured instances expose sensitive information of companies across the media, finance, manufacturing, information technology (IT), biotech, e-commerce, health, energy, cybersecurity, and transportation industries. In the vulnerable Airflows, we see exposed credentials for popular platforms and services such as Slack, PayPal, AWS and more.” 

Researchers examined the dangers of misconfiguration for companies and their customers, as well as the most frequent reasons for data leakage from vulnerable cases. According to Intezer researchers, the majority of the stolen credentials are disclosed due to unsafe coding techniques, with many of the compromised instances having hardcoded passwords inside the Python DAG Code. 

Other misconfigured installations examined by Intezer included a publicly available configuration file (airflow.cfg) containing confidential information such as passwords and keys. 

Malicious actors may potentially alter the settings, resulting in unforeseen behaviour. Other misconfigured installations examined by Intezer included a publicly available configuration file (airflow.cfg) containing confidential information such as passwords and keys.  

Threat actors may also alter the settings, resulting in unforeseen behaviour. The credentials might likewise be exposed via the Airflow "variables" used in DAG scripts. 

As per experts,  it is quite common to find hardcoded passwords stored in these variables. Threat actors could also exploit Airflow plugins or features to execute malware that could be injected into variables. 

“There is also the possibility that Airflow plugins or features can be abused to run malicious code. An example of how an attacker can abuse a native “Variables” feature in Airflow is if any code or images placed in the variables form is used to build evaluated code strings.” 

“Variables are able to be edited by any visiting user which means that malicious code could be injected. One entity we observed was using variables to store internal container image names to execute. These container image variables could be edited and swapped out with an image containing and running unauthorized or malicious code.” 

The research focused on earlier versions of Apache Airflow and emphasised the hazards associated with using out-of-date software. The majority of the problems highlighted in the study were affected servers using Airflow v1.x; however, subsequent versions of Airflow incorporate security measures that address the aforementioned concerns. 

“In light of the major changes made in version 2, it is strongly recommended to update the version of all Airflow instances to the latest version. Make sure that only authorized users can connect.” concludes the report. “Exposing customer information can also lead to violation of data protection laws and the possibility of legal action.” 

The security firm advised, "Disruption of clients' operations through poor cybersecurity practices can also result in legal action such as class action lawsuits."

Vulnerabilities Detected in Open Source elFinder File Manager

 

In elFinder, an open-source web file organizer, security researchers from SonarSource identified five flaws that form a severe vulnerability chain.

The elFinder file manager is often used in content management systems and frameworks like WordPress plugins and Symfony bundles to make it easier to manage both local and remote files. It's written in JavaScript with the use of jQuery UI. 

The five flaws, termed CVE-2021-32682 as a group, have a CVSS score of 9.8, which means they're highly dangerous. The vulnerability chain impacts elFinder version 2.1.58. 

According to the researchers, exploiting the vulnerabilities may allow an intruder to run arbitrary code and instructions on the server hosting the elFinder PHP connector. The vulnerabilities have been patched in elFinder version 2.1.59. The five weaknesses in the chain are classified by researchers as "innocuous bugs" that may be combined to acquire arbitrary code execution. 

The researchers noted, "We discovered multiple new code vulnerabilities in elFinder and demonstrate how they could be exploited to gain control of the underlying server and its data." 

Update to the latest version:

According to Thomas Chauchefoin, the security researcher at SonarSource, all users should immediately upgrade elFinder to the latest upgrade. 

"There is no doubt these vulnerabilities will also be exploited in the wild because exploits targeting old versions have been publicly released and the connectors filenames are part of compilations of paths to look for when trying to compromise websites." 

While the researchers did not announce any publicly available exploits, they claim that exploiting these issues can allow an attacker to run arbitrary PHP code on the server where elFinder is installed, eventually leading to its takeover. Attackers could then delete or remove any files they want, upload PHP files, and so on. 

"All these bug classes are very common in software that exposes filesystems to users and are likely to impact a broad range of products, not only elFinder," Chauchefoin added.

Deadshot: A Tool That Marks Sensitive Content for Developers

Software code repositories might be hiding credentials, sensitive data, and other secrets of an organization without the knowledge of developers. If this information gets in the hands of cybercriminals, it could be an invaluable source for launching cyberattacks, say the cybersecurity experts at Twilio, who have released an open-source tool that alerts the developers if they accidentally attach any personal or sensitive data in their code before uploading it to a repository. 

Known as Deadshot, the tool overlooks real-time GitHub pull requests. It marks the possible addition of any sensitive information in any codes, and it varies to sensitive functionality. As per a senior product security engineer at Twilio, Laxman Eppalagudem, who worked on the project says it's not possible for an individual to manually monitor an entire codebase of an organization, hence, their team developed an automatic monitoring tool to search and mark sensitive data. 

Deploy and Forget 

The software will work as a "deploy and forget" tool, as Deadshot would work the entire codebase, it would alert project handlers if any sensitive data flows out of the organization. The safety teams can differentiate what the tool monitors and the alerts can be sent out using Jira Ticket or Slack. Leaky commits: The unintentional reveals of credentials and secrets to code repositories have always been a major problem, says senior product manager Yashvier Kosaraju. The software is aimed to remove the need to manually reviewing the entire codebase, pulling requests for sensitive data commits, which, we're all aware, don't scale. 

The software is designed in a manner so that it can only be installed on GitHub accounts by company admins. As per Twilio, it reduces the Rick of hackers exploiting Deadshot for malicious purposes. According to The Daily Swig, "GitHub already has security scanning capabilities, Blore noted. Developers could also use the open-source tool Gittyleaks to scan for API keys, passwords, and other sensitive data. Twilio is actively looking for feedback and feature requests from Deadshot users and the open-source community, Kosaraju said." Experts believe it is a good initiative to avoid ransomware attacks.

Open Source Software Vulnerabilities Leads to RCE

 

Various vulnerabilities in open source video platforms YouPHPTube and AVideo could be utilized to accomplish remote code execution (RCE) on a client's gadget. It can take an average of more than four years for vulnerabilities in open-source software to be detected, an area in the security community that needs to be addressed, researchers say. Experts from Synacktiv found various vulnerabilities in the source code-shared by the ventures that were because of an absence of client input sanitization, a related write-up reads. The issues incorporate an unauthenticated SQL injection vulnerability, multiple cross-site scripting (XSS) flaws, and a file write vulnerability. 

SQL injection is a code injection technique, used to assault information-driven applications, in which vindictive SQL articulations are embedded into an entry field for execution (for example to dump the database contents to the assailant). 

SQL injection should abuse a security vulnerability in an application's product. SQL injection assaults permit attackers to spoof identity, alter existing information, cause repudiation issues, for example, voiding transactions or changing balances, permit the total divulgence of all information on the system, destroy the information or make it in any case inaccessible, and become administrators of the database server.

Numerous reflected XSS vulnerabilities could be utilized to steal administrators' session cookies and perform actions as an administrator. A file write flaw could permit an administrator to execute malevolent code on the server. 

Synacktiv said there is no official workaround right now, but added that clients ought to purify $catName input information appropriately prior to processing SQL queries to avoid SQL injection. “Removing simple quotes is not a sufficient process,” researchers added. The vulnerabilities influence AVideo variants 10.0 and below, and YouPHPTube renditions 7.8 and below. 

The open-source community now plays a critical part in the improvement of software, but similarly, as with any other industry, vulnerabilities will exist. GitHub says that project developers, maintainers, and clients should check their dependencies for vulnerabilities consistently and ought to consider implementing automated alerts to remedy security issues in a more efficient and fast manner. 

"Open source is critical infrastructure, and we should all contribute to the security of open-source software," GitHub added. "Using automated alerting and patching tools to secure software quickly means attack surfaces are evolving, making it harder for attackers to exploit."

Github Escapes from Octopus Malware that Affected its 26 Software Projects


Github, a platform where every malicious software report is equally different in its place, manages to escape from a malware threat.  Github, an organization that united the world's largest community of coders and software developers, revealed that hackers exploited an open-source platform on its website to distribute malware. The hackers used a unique hacking tool that enabled backdoors in each software project, which the hackers used to infiltrate the software systems.


"While we have seen many cases where the software supply chain was compromised by hijacking developer credentials or typosquatting popular package names, a malware that abuses the build process and its resulting artifacts to spread is both interesting and concerning for multiple reasons," said Github on its security blog. Fortunately, the hackers attempt to exploit the open-source platform was unsuccessful. Still, if it were, on the contrary, hackers could've secured a position in the softwares, which were to be used later by corporate applications and other websites.

Since recent times, open-source websites have become a primary target for hackers. It is because once the hackers exploit backdoor vulnerabilities on open-source platforms, thousands of apps are exposed to remote code execution. As for Github, the company's website currently has more than 10 Million users. In the Github incident, 26 software projects were infected through malicious codes, which is a severe warning for the potential threat of the open-source compromises. The experts have identified the malware as "Octopus Scanner," which is capable of stealing data by deploying remote access codes.

The malware spread with the help of projects using software called Apache Beans, tells Github. "On March 9, we received a message from a security researcher informing us about a set of GitHub-hosted repositories that were, presumably unintentionally, actively serving malware. After a deep-dive analysis of the malware itself, we uncovered something that we had not seen before on our platform: malware designed to enumerate and backdoor NetBeans projects, and which uses the build process and its resulting artifacts to spread itself," says Github on its blog. These attacks can be highly threatening as the tactics used here gives the hackers access to various systems.

Attackers Exploit Two Vulnerabilities in SaltStack to Publish Arbitrary Control Messages and Much More


CISA has sent warnings to the users regarding two critical vulnerabilities in SaltStack Salt, an open-source remote task and configuration management framework that has been actively exploited by cybercriminals, leaving around thousands of cloud servers across the globe exposed to the threat.

The vulnerabilities that are easy to exploit are of high-severity and researchers have labeled them as particularly 'dangerous'. It allows attackers to execute code remotely with root privileges on Salt master repositories to carry out a number of commands.

Salt is employed for the configuration, management, and monitoring of servers in cloud environments and data centers. It provides the power of automation as it scans IT systems to find vulnerabilities and then brings automation workflows to remediate them. It gathers real-time data about the state of all the aspects and it employs effective machine learning and industry expertise to examine threats more precisely. In a way, it is used to check installed package versions on all IT systems, look out for vulnerabilities, and then remediate them by installing fixes.

The two vulnerabilities, the first one called CVE-2020-11651 is an authentication bypass flaw and the other one CVE-2020-11652 is a directory transversal flaw, as per the discovery made by F-Secure researchers. The attackers can bypass all authentication and authorization controls by exploiting the vulnerabilities that would allow them to easily connect to the request server. Once the authentication is bypassed, attackers can post arbitrary control messages and make changes in the master server file system. All Salt versions prior to 2019.2.4 and 3000.2 are affected by the vulnerabilities.

Xen Orchestra, an effective all in one user-friendly web-based management service became the latest victim of cybercriminals involved in the exploitation of the two high-severity vulnerabilities in Salt. The attackers ran a cryptominer on the firm's virtual machines (VMs), it has been noticed by the company on the 3rd of May as various services on their infrastructure became inaccessible.

While commenting on the matter, Olivier Lambert, Xen Orchestra's founder, said, “A coin mining script ran on some of our VMs, and we were lucky nothing bad happened to us – no RPMs affected and no evidence that private customer data, passwords or other information have been compromised. GPG signing keys were not on any affected VMs. We don’t store any credit card information nor plain text credentials. Lesson learned...”

“In short, we were caught in a storm affecting a lot of people. We all have something in common: we underestimated the risk of having the Salt master accessible from outside,” he added. “Luckily, the initial attack payload was really dumb and not dangerous. We are aware it might have been far more dangerous and we take it seriously as a big warning. The malware world is evolving really fast: having an auto-update for our management software wasn’t enough."

“If you are running SaltStack in your own infrastructure, please be very careful. Newer payloads could be far more dangerous,” warned Lambert.

Can open source software be bought?


Open-source softwares (OSS) are released under a special license that makes its source code available to the user to inspect, use, modify and enhance. It is a misunderstood term that these are not copyrighted, instead, they are copyrighted under a license that lets it users study, change and use its source code or services (depending upon the software) for commercial use. Some of the common open source softwares are Linux, Red Hat, Ubuntu, GitHub, FreeBSD, and fedora.


Just five years ago the tech world was quite critical and skeptical of open source softwares with Microsoft CEO Steve Ballmer calling Linux as 'cancer' and open source software as 'a communist threat' but OSS since then have come a long way with the success of Red Hat and Linux. Open source has given a silver lining to the underdog developers and defied the monopoly of tech giants giving power to small businesses and individuals to grow using their open-source code.

But what the open-source devotees don't know or don't stress on is that open source softwares can be bought and acquired by other commercial companies. The fix being that if they are open source how could they be bought, but even these have copyrights that can be bought and changed to closed source. And these OSS (open source softwares) are being acquired by lightning speed- IBM acquired Linux and Red Hat. Microsoft is portraying itself as "the open-source leader" by joining the  Open Invention Network (OIN) and acquiring GitHub.

Now, there are advantages if big companies take over these open-source software as these were not established with a business model and will run out but if companies like these buy out OSSs they can stay afloat and provide for their customers. But there's also a dark side to these acquisitions as these could mean the end of open source. With their rights sold, these open-source rights could be closed and their free service comes to an end. Though those who have used the open-source would not be affected as it is already licensed but any future version of the software could be closed.

Now, Microsoft says that “Microsoft is all-in on open source, we have been on a journey with open source, and today we are active in the open-source ecosystem, we contribute to open-source projects, and some of our most vibrant developer tools and frameworks are open source.” the same goes for IBM's Linux but these are big and popular software but what about small software with less distributes and copyrights, the dark cloud still hovers over them.