Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Source Code. Show all posts

GhostSec: Hacktivist Breach Iranian Surveillance Software


Hacking group GhostSec confirmed that they have taken down Fanap Behnama – Iran’s privacy-invading software – and also mentioned details of its surveillance capabilities. 

Apparently, GhostSec exposed 20GB of data that involved source code relating to face recognition and motion detection systems of the Iranian software company – Fanap – which is appointed as a comprehensive surveillance system by the Iranian government, monitoring its citizens.

Following the confirmation, GhostSec revealed the intentions of making the data public and has also made a telegram channel ‘Iran Exposed’ to share further information about the breach. It says it is planning to share pieces of the Behnama code, along with various components including configuration files and API data, and that after all the data has been uploaded, detailed explanations will be given.

"This is not about technology and software, it's about the privacy of the people, civil liberties and a balance of power[…]Also publishing the source code for the public presenting this Fanap's lovely AI face recognition and various other privacy invading features and tools. We're simply making the fight a bit more equal," says GhostSec.

The group claims to have found equipment for facial recognition-based video surveillance, utilized in the Pasargad Bank Car GPS and tracking system, as well as a car numberplate identification system—which may have an impact on hijab alerts—and a facial recognition system used for producing ID cards.

Additionally, it claims that the Single Sign-On (SSO) platform, which the regime uses for online user authentication, is connected to the Fanap system. According to cybersecurity firm Cyberint, "This integration compiles intricate aspects of citizens’ lives, not only to determine access privileges for services but also to construct a virtual profile for facial recognition.”

"The group maintains that this evaluation is rooted in the software code, substantiating indisputable evidence of the software’s capabilities and deployment," adds Cyberint. 

GhostSec initially claimed responsibility for taking down the fanap-infra.com website but later disclosed that a different website connected to the Fanap software company was only accessible within Iran. In addition, the company's primary GitHub repository was made private, probably in response to the GhostSec attack. "That mean[s], they are scared. That mean[s] it's time to hit harder," GhostSec said.

ChatGPT Sparking Security Concerns

 

Cyberhaven, a data security company, recently released a report in which it found and blocked requests to input data into ChatGPT from 4.2% of the 1.6 million employees at its client companies due to the potential leakage of sensitive information to the LLM, including client data, source code, and regulated information.

The appeal of ChatGPT has skyrocketed. It became the fastest-growing consumer application ever released after only two months of release when it reached 100 million active users. Users are drawn to the tool's sophisticated skills, but they are also concerned about its potential to upend numerous industries.ChatGPT was given 300 billion words by OpenAI, the firm that created it. These words came from books, articles, blogs, and posts on the Internet, as well as personally identifiable information that was illegally stolen.

Following Microsoft's $1 billion investment in the parent company of ChatGPT, OpenAI, in January, ChatGPT is expected to be rolled out across all Microsoft products, including Word, Powerpoint, and Outlook.

Employees are providing sensitive corporate data and privacy-protected information to large language models (LLMs), like ChatGPT, which raises concerns that the data may be incorporated into the models of artificial intelligence (AI) services, and that information may be retrieved at a later time if adequate data security isn't implemented for the service.

The growing acceptance of OpenAI's ChatGPT, its core AI model, the Generative Pre-trained Transformer, or GPT-3, as well as other LLMs, businesses, and security experts have started to be concerned that sensitive data consumed as training data into the models could reemerge when prompted by the appropriate queries. Some are acting: JPMorgan, for instance, restricted employees' access to ChatGPT, and Amazon, Microsoft, and Wal-Mart cautioned staff to use generative AI services carefully.

Some AI-based services, outside of those that are GPT-based, have sparked concerns about whether they are risky. For example, Otter.ai, an automated transcription service, converts audio files into text while automatically identifying speakers, allowing for the tagging of crucial words and phrases, and underlining of key phrases. Journalists have raised concerns about the company's storage of that information in its cloud.

Cyberhaven's Ting predicts that the adoption of generative AI apps will continue to grow and be used for a variety of tasks, including creating memos and presentations, identifying security incidents, and interacting with patients. His predictions are based on conversations with the clients of his company.

Because only a few individuals handle the majority of the dangerous requests, education could have a significant impact on whether data leaks from a particular organization. According to Ting of Cyberhaven, less than 1% of employees are accountable for 80% of the instances of providing critical data to ChatGPT.

The LLM's access to sensitive data and personal information is also being restricted by OpenAI and other businesses: Nowadays, when ChatGPT is asked for personal information or sensitive corporate data, canned responses are used as an excuse not to cooperate.


Dropbox Security Breach: Unauthorized Access to 130 Source Code Repositories

 

File hosting service, Dropbox reveals on Tuesday that it was the victim of a phishing campaign. The security breach allowed the unidentified threat actor to acquire unauthorized access to one of its GitHub accounts, compromising 130 of its source code repositories. 
 
"These repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team," Dropbox published in an advisory. 
 
Dropbox discovered the breach on October 14, after GitHub reported the company of suspicious activities that began a day before the alert was sent. 
 
Upon further investigation of the security breach, it was disclosed that the source code accessed by the threat actors, contained the development team’s credentials, primarily API keys used by the team. 
 
"The code and the data around it also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors (for context, Dropbox has more than 700 million registered users)." the company added in the published advisory. 
 
The cyberattack was introduced more than a month after both GitHub and CircleCI reported accounts of phishing attacks. The phishing campaign was allegedly designed in order to access GitHub credentials via fraudulent notifications purporting to be from the CI/CD platform. 
 
These fraudulent emails notified the online users that their CircleCI session has expired, ploying the victims into logging in through their GitHub credentials. 
 
"These legitimate-looking emails directed employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to pass a One Time Password (OTP) to the malicious site," explains Dropbox. 
 
Alongside, GitHub in an advisory, stated, "While GitHub itself was not affected, the campaign has impacted many victim organizations." In regards to the recent phishing attacks, Dropbox confirmed that the attackers did not have access to customers’ accounts, password, or payment information, and its core apps infrastructure were not impacted in the breach. "Importantly, they did not include code for our core apps or infrastructure. Access to those repositories is even more limited and strictly controlled." the company noted.  
 
Furthermore, Dropbox told that it has been working on securing its environment following the security breach, using WebAuthn and hardware tokens or biometric factors.

Thousands of Secret Keys Discovered in Leaked Samsung Source Code

 

Thousands of secret keys were exposed in the recently stolen Samsung source code, according to an analysis, including several that might be extremely beneficial to nefarious actors. GitGuardian, a business that specialises in Git security scanning and secret detection, conducted the research. 

The firm's analysts examined source code that was recently stolen by a cybercrime outfit known as Lapsus$. In recent weeks, the hackers claim to have hacked into several large corporations, including NVIDIA, Samsung, Ubisoft, and Vodafone. They appear to have acquired source code from the victims in numerous cases, some of which have been made public. Cybercriminals claim to have stolen 190 GB of data from Samsung, and the tech giant has verified that the hacked data contained the source code of Galaxy devices. 

More than 6,600 secret keys were discovered during GitGuardian's analysis of the exposed Samsung source code, including private keys, usernames and passwords, AWS keys, Google keys, and GitHub keys. The number of valid keys revealed is yet to be determined by the firm's researchers. However, 90 percent are likely related to internal systems, which may be more difficult for an attacker to use, according to their research. The remaining keys, which number around 600, can give attackers access to a wide range of systems and services. 

“Of the more than 6,600 keys found in Samsung source code roughly 90% are for Samsung's internal services and infrastructure, whilst the other 10%, critically, could grant access to Samsung's external services or tools such as AWS, GitHub, artifactory and Google,” explained Mackenzie Jackson, developer advocate at GitGuardian. 

The exposure of specific keys, according to Casey Bisson, head of product and developer relations at code security firm BluBracket, might lead to the TrustZone environment on Samsung devices being hacked. Researchers are yet to determine whether the revealed keys undermine the TrustZone, which holds sensitive data like fingerprints and passwords and acts as a security barrier against Android malware attacks. 

Bisson told SecurityWeek, “If the leaked data allows the malware to access the TrustZone environment, it could make all data stored there vulnerable. If Samsung has lost control of the signing keys, it could make it impossible for Samsung to securely update phones to prevent attacks on the TrustZone environment. Compromised keys would make this a more significant attack than Nvidia, given the number of devices, their connection to consumers, and amount of very sensitive data that phones have.”

GitGuardian reviewed the source code leaked from Amazon's live streaming service Twitch, from which hackers obtained and made public around 6,000 internal Git repositories, a few months ago. AWS keys, Twilio keys, Google API keys, database connection strings, and GitHub OAuth keys were among the secrets found by GitGuardian in those repositories.

Vodafone Investigates Source Code Theft Claims

Vodafone launched an inquiry after a group of hackers claimed that they stole a hundred GBs of source codes from the telecom company. The cybercrime group calls itself 'Lapsus$," which claims to have obtained around 200 GBs of source code files, representing around 5,000 GitHub repositories. According to a statement in an email, Vodafone confirmed that it knows about the situation, and an investigation has been started. 

The company said that it is currently enquiring about the claim with law agencies to verify its credibility. But, in general, the types of repositories referenced in the claim have proprietary source code and don't contain customer data. 

As of now, the hackers have not exposed any Vodafone source code which they claim to have stolen. However, they are asking tens of thousands of users that subscribed to their Telegram channel to what leak next- Vodafone, e-commerce company MercadoLibre, or Portuguese media company Impresa. The poll ends on March 13. The attack on Impresa resulted in disruption, MercadoLibre confirmed in an SEC filing that source code and 300,000 users' data were leaked. 

Last month, Vodafone Portugal has accused of service problems on a 'malicious cyberattack,' however, it's not clear if the cases are linked. Lapsus$ group has also leaked source codes and other information from NVIDIA and Samsung. 

NVIDIA confirmed that hackers stole employee credentials and signature certificates. Threat actors stole 190 GB of data from Samsung, confirmed the theft of source codes linked to Galaxy devices, however, it said that employee and customer data wasn't compromised. 

The hackers are thinking of getting big ransom payments from affected companies for not publishing the leaked data. From NVIDIA, threat actors asked the company to open-source drivers and delete a feature that restricts Ethereum mining capabilities in a few of the graphics cards. 

"The hackers gained access to the company’s Amazon Web Services account and sent emails and text messages to subscribers, the statement said. The hackers accessed some subscriber information, but Impresa said it had no evidence they got hold of subscribers’ passwords or credit card details," says Security Week.

Azure App Service Vulnerability Exposes Source Code Repositories

 

Microsoft has discreetly begun informing certain Azure users that a significant security flaw in the Azure App Service has exposed hundreds of source code repositories. 

Microsoft's disclosure follows more than two months after it had been disclosed by Israeli cloud security startup Wiz, and only weeks after Redmond secretly patched the weakness and notified "a limited subset of customers" who were thought to be in danger. 

The Microsoft Security Response Center highlighted the weakness in an alert as a problem wherein customers can accidentally set the.git folder to be generated in the content root, putting them at risk of unauthorized disclosure of information. 

“This, when combined with an application configured to serve static content, makes it possible for others to download files not intended to be public. We have notified the limited subset of customers that we believe are at risk due to this and we will continue to work with our customers on securing their applications,” Microsoft said. 

App Service Linux users who launched applications utilizing Local Git after files were generated or updated in the content root directory may be affected, according to the business. 

The mix of the.git folder in the content folder and the application that delivers static content renders the program vulnerable to source code leakage, according to Redmond. 

The weakness is described in a different technical note by the Wiz research team as the unsafe default behavior in the Azure App Service that disclosed the source code of client applications built in PHP, Python, Ruby, or Node that have been published employing "Local Git." The vulnerability, called "NotLegit," has existed since September 2017 and has most likely been exploited in the wild, according to the business. 

The Wiz researchers highlighted exploitation as "extremely easy," adding that there are indications that unidentified malicious actors have already been launching exploits. 

“To assess the chance of exposure with the issue we found, we deployed a vulnerable Azure App Service application, linked it to an unused domain, and waited patiently to see if anyone tried to reach the .git files. Within 4 days of deploying, we were not surprised to see multiple requests for the .git folder from unknown actors,” the company said.

 “As this exploitation method is extremely easy, common, and is actively being exploited, we encourage all affected users to overview their application’s source code and evaluate the potential risk,” Wiz added. 

Wiz researchers in Israel have already been proactively uncovering and publicizing huge security vulnerabilities in Microsoft's flagship Azure cloud computing platform, with ChaosDB and OMIGOD being two instances.

Hacker Can Conceal Flaws in Source Code by Applying Trojan Source Technique

 

Threat actors might use a new class of vulnerabilities to implant aesthetically misleading malware in a fashion that is semantically lawful but modifies the logic described by the source code, essentially opening the door to even more first-party and supply chain dangers. 

CVE-2021-42574 and CVE-2021-42694 impact compilers for all common programming languages, including C, C++, C#, JavaScript, Java, Rust, Go, and Python. 

Compilers are programs that convert high-level human-readable source code into lower-level forms like assembly language, object code, or machine code, which may subsequently be performed by the OS. 

The technique "exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers," Cambridge University researchers Nicholas Boucher and Ross Anderson said in a newly published paper. 

The matter revolves around Unicode's bidirectional (or Bidi) algorithm, which also supports both left-to-right (e.g., English) and right-to-left (e.g., Arabic or Hebrew) languages, and also includes what is known as bidirectional overrides, that also permits writing left-to-right words inside a right-to-left sentence, or vice versa, allowing the text of a different reading path to be embedded inside massive blocks of text. 

While a compiler's outcome is anticipated to correctly implement the source code provided to it, discrepancies introduced by implanting Unicode Bidi override characters into comments and strings could indeed facilitate a situation in which the display sequence of characters tries to present reasoning that differs from the logical reasoning. 

To look at it another way, the attack specifically targets the encoding of source code files to construct targeted security flaws, instead of deliberately introducing logical bugs, so that it can visually rearrange tokens in source code which, while resolved in a completely appropriate sense, deceives the compiler into uniquely processing the code and changing drastically the program flow — for example, trying to remark appear as though it were code. 

"In effect, we anagram program A into program B," the researchers surmised. "If the change in logic is subtle enough to go undetected in subsequent testing, an adversary could introduce targeted vulnerabilities without being detected." 

"The fact that the Trojan Source vulnerability affects almost all computer languages makes it a rare opportunity for a system-wide and ecologically valid cross-platform and cross-vendor comparison of responses," the researchers noted. "As powerful supply-chain attacks can be launched easily using these techniques, it is essential for organizations that participate in a software supply chain to implement defenses."

Babuk Ransomware Full Source Code Leaked On A Russia-Speaking Hacking Forum



The complete source code for the Babuk ransomware has been leaked by a threat actor on a Russian-speaking hacking forum, this week. It allows easy access to a sophisticated ransomware strain to competitors and threat actors planning to sneak into the ransomware realm with little effort. 

The full source code of Babuk ransomware posted on the hacking forum comprises all things that one would require for a functional ransomware executable. The leaked file contains "various Visual Studio Babuk ransomware projects for VMware ESXi, NAS, and Windows encryptors," as per Xiarch Security. The leak has been confirmed to be legitimate by various ransomware experts. Apparently, the leak also includes decryption keys for the gang's past victims. 

Babuk ransomware gang made certain changes into their operations as they announced they will longer encrypt information on networks, but will rather "get to you and take your data" they said on hacker-forum. "..we will notify you about it if you do not get in touch we make an announcement." They announced in advance that their source code will be publically available as Babuk changes direction and plans to shut down. "We will do something like open-source RaaS, everyone can make their own product based on our prouduct." They further told. 

In April, earlier this year, the Babuk group attacked Washington D.C police with a ransomware attack wherein they stole over 250 gigabytes of data from the Metropolitan Police Department of the District of Columbia (MPD). It included police reports, internal memos, and PII of confidential informants, and employees. Following the attack, the gang heavily criticized MPD for huge security gaps and threatened the law enforcement agency to publish the data if the ransom demand is not met. 

MPD acknowledged the unauthorized access on their server, and it started working with the FBI to investigate the matter. Meanwhile, the U.S. law enforcement agency reviewed the activity to determine the full impact of the attack. 

Post MPD attack, there are reports of strife within the group members of Babuk. The 'Admin' wished to leak the data stolen from the MPD attack for advertising, however, the other members were against the idea as they felt it was too much even for them (the bad guys). As a result, the group disintegrates and the initial 'Admin' went on to launch the 'Ramp' cybercrime forum while others began Babuk V2, where they continue carrying out ransomware attacks with little or no difference. After a while, the original admin accused his gang members of attempting to make his new site unusual by subjecting it to a series of DDoS attacks. 

"One of the developers for Babuk ransomware group, a 17 year old person from Russia, has been diagnosed with Stage-4 Lung Cancer. He has decided to leaked the ENTIRE Babuk source code for Windows, ESXI, NAS." A user going by the Twitter handle @vxunderground tweeted.

Phorpiex Malware has Shut Down their Botnet and Put its Source Code for Sale

 

The Phorpiex malware's creators have shut down their botnet and are selling the source code on a dark web cybercrime forum. The ad states that none of the malware's two original authors are participating in maintaining the botnet, which is why they opted to sell its source code. It was posted on 27th August by an individual previously associated with the botnet's operation. 

Phorpiex, a long-running botnet notorious for extortion schemes and old-school worms delivered via removable USB drives and instant messaging programmes, has been broadening its architecture in recent years in order to become more durable and deliver more deadly payloads. 

These operations had extended to encompass bitcoin mining, which had previously included extortion and spamming. Researchers have noticed an upsurge in data exfiltration and ransomware delivery since 2018, with the bot installer releasing malware such as Avaddon, Knot, BitRansomware (DSoftCrypt/ReadMe), Nemty, GandCrab, and Pony, among others. 

“As I no longer work and my friend has left the biz, I’m here to offer Trik (name from coder) / Phorpiex (name fomr AV firms) source for sell [sic],” the individual said on Friday in a forum post spotted by British security firm Cyjax. 

The ad's legitimacy was confirmed by Alexey Bukhteyev, a malware reverse engineer for security firm Check Point. “The description of the malware is very similar to what we saw in the code,” Bukhteyev said. The malware's command and control (C&C) servers have been inactive for approximately two months, according to the researcher, who previously researched the Phorpiex virus in 2019. 

The last command the bot received from the Phorpiex C&C servers was on July 6, 2021, according to Bukhteyev, who has been running a phoney Phorpiex bot in order to spy on its operations. The command was a self-explanatory "SelfDeletion" instruction. The botnet appears to have vanished from open-source reports since then. 

"As we know, the source code is private and hasn’t been sold before. Therefore, this [forum ad] looks really believable,” Bukhteyev said. “However, we can be totally sure if we buy it. The binaries are quite straightforward, and we can easily confirm that the source code is for this bot indeed, if we get it."

Even if the botnet C&C servers are down, Bukhteyev warns that if someone buys the code, they can set up new ones and hijack all the already infected systems.

Nissan Source Code Compromised Online Due to Exposed Git Server

 

Nissan's source code got compromised online after the company left an uncovered Git server secured with default access credentials. This leak was learned by a Swiss-based software engineer Tillie Kottmann who shared with ZDNet in an interview that she discovered the leak from an unknown source and analyzed the company’s data. 

The source code repository contained ‘critical information regarding the company’s source code of Nissan mobile apps, components of the Nissan ASIST diagnostics tool, dealer business systems and dealer portal, company’s internal core mobile library, vehicle logistics portal, market research tools, and data, client acquisition and retention tools, vehicle connected services and multiple back ends and internal tools. 

After the data was exposed and began to be shared on telegram via torrent links and hacking platforms, the company took the precautionary step to shut down the Git server yesterday. Mercedes Benz was also the victim of the data breach in May 2020 when the Swiss cybersecurity experts discovered the company misconfigured GitLab server that exposed the source code of multiple Mercedes Benz apps and tools. 

Nissan's spokesperson admitted the incident and further stated, “Nissan conducted an immediate investigation regarding improper access to proprietary company source code. We take this matter seriously and are confident that no personal data from consumers, dealers, or employees were accessible with this security incident. The affected system has been secured, and we are confident that no information in the exposed source code would put consumers or their vehicles at risk”.

The attackers were able to lay their hands on the company’s public repository on GitLab which contains folders with sensitive information from leading companies such as Toyota, SunTech, Pepsi, Motorola, Mediatek, Sierra Nevada Corporation, and the U.S. Air Force Research Laboratory but fortunately all folders do not contain sensitive information that could guide attackers to the secured assets.