Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Vulnerability and Exploits
Malicious Code Package Managers Security Bugs Vulnerabilities and Exploits Vulnerability and Exploits

Multiple Security Bugs Identified in Software Package Managers

 

Cybersecurity researchers at SonarSource have unearthed multiple security bugs in popular package managers including Pip, Yarn, Composer, and others. The vulnerabilities can be exploited to run arbitrary code and access sensitive details, including source code and access tokens, from vulnerable devices. 

However, it is worth noting that the security bugs require threat actors to use one of the vulnerable package managers to handle a malicious package.

"This means that an attack cannot be launched directly against a developer machine from remote and requires that the developer is tricked into loading malformed files," Paul Gerste, a researcher at SonarSource explained. "But can you always know and trust the owners of all packages that you use from the internet or company-internal repositories?" 

Package managers are systems or a collection of tools that automate the installation, upgrade, and deal with the configuration of third-party dependencies required for designing applications. 

Multiple security bugs in various package managers indicate that they could be exploited by malicious actors to trick victims into running malicious code. The vulnerabilities have been discovered in the following package managers –

 • Composer 1.x < 1.10.23 and 2.x < 2.1.9 • Bundler < 2.2.33 • Bower < 1.8.13 • Poetry < 1.1.9 • Yarn < 1.22.13 • pnpm < 6.15.1 • Pip (no fix), and • Pipenv (no fix) 

The most severe flaw is a command injection bug in Composer's browse command that could be exploited to execute arbitrary code by adding a URL to a malicious package that has already been published. If threat actors employ typosquatting or dependency confusion methodologies, it is possible that invoking the browse command for the library may lead to the retrieval of a next-stage payload, which can subsequently be used to launch further cyber assaults, researchers explained.

Following responsible disclosure of vulnerabilities in September last year, patches for the security bugs were fixed in Composer, Bundler, Bower, Poetry, Yarn, and Pnpm were released. However, Composer, Pip, and Pipenv, which are all impacted by the untrusted search path bug, have chosen not to patch the vulnerability. 

"Developers are an attractive target for cybercriminals because they have access to the core intellectual property assets of a company: source code," Gerste concluded. "Compromising them allows attackers to conduct espionage or to embed malicious code into a company's products. This could even be used to pull off supply chain attacks."
Read more »
Wightlink
Cyber Attacks data security Ferry Company Hacking IT Systems Ports User Data User Privacy User Security Wightlink

Wightlink Customers' Details Compromised in Cyber Attack

 

Wightlink, a UK ferry company, has been struck by a highly complex cyber-attack that may have exposed the personal information of "a small number of customers and staff." Wightlink stated, the incident, which occurred in February, reportedly impacted certain back-office IT systems but not its ferry services, booking system, and website.

According to the company, law enforcement and the UK's Information Commissioner's Office (ICO) have been contacted, since they have possible breach victims. Wightlink has three routes between Hampshire in southeast England and the Isle of Wight, an island off the south coast. The company claims to carry 4.6 million passengers each year on over 100 daily sailings.

Wightlink claimed in a statement received by The Daily Swig: “Unfortunately, despite Wightlink taking appropriate security measures, some of its back-office IT systems were affected by a cyber-attack last month. However, this criminal action has not affected Wightlink’s ferries and FastCats, which have continued to operate normally during and following the attack, nor were its booking system and website affected.” 

Wightlink said it hired third-party cybersecurity experts to analyse and analyse the situation as soon as it was detected. The operator stated it was working with the South East Regional Organised Crime Unit in addition to reporting the incident to the ICO. 

The company stated, “Wightlink does not process or store payment card details for bookings. However, the investigation has identified a small number of customers and staff for whom other items of personal information may have been compromised during the incident. 

Wightlink chief executive Keith Greenfield stated, “I would like to thank all my colleagues at Wightlink who responded quickly ensuring that the impact to customers was minimised and that cross-Solent travel and bookings were unaffected.”
Read more »
saaS
Customer Care Cyber Security cybercriminals Malicious actor Phishing emails saaS

Misconfigured Keys are Tackled in ServiceNow's Guidelines

 

ServiceNow, a $4.5 billion software company assisting businesses with its digital workflows, has released recommendations for its clients regarding Access Control List (ACL) misconfiguration. 

In one of its reports, AppOmni said that the usual misconfigurations are caused by a "combination of customer-managed ServiceNow ACL setups and overprovisioning of access to guest users". 

The general public is a factor in RBAC for public-facing businesses. The capacity to provide public access to the information within your 'database,' which may be a forum, online shop, customer service site, or knowledge base, is one crucial feature of RBAC, according to the paper. When firms upgrade or alter SaaS services or onboard new users, the difficulty is guaranteeing the appropriate level of access.

The researchers found roughly 70% of the ServiceNow instances examined by AppOmni were misconfigured, posing the risk of unauthorized users stealing critical data from businesses who are not even aware of them being at risk. 

Securing SaaS, according to AppOmni CEO Brendan O'Connor, is much more involved in simply checking a few options or enabling strong authentication for users."Because of its flexibility and power, SaaS platforms have evolved into company operating systems. There are numerous good reasons for workloads and applications running on a SaaS platform to interface with the outside world, such as integrating with emails and text messages or hosting a customer care portal" O'Connor further added. 

As per AppOmni Offensive Security Researcher Aaron Costello, ServiceNow external interfaces exposed to the public could allow a hostile actor to take data from records. Meanwhile, Brian Soby, CTO of AppOmni, said "the enormous degree of flexibility in modern SaaS systems has made misconfiguration one of the largest security concerns enterprises face. Our goal is to shine a light on frequent SaaS platform misconfigurations and other potential hazards so customers can guarantee the system posture and configuration matches its business intent."
Read more »
malware
Backdoor BazarBackdoor Cybersecurity malware

Corporate Website Contact Forms Used in BazarBackDoor Malware Campaign

 

BazarBackdoor malware is now spreading via website contact forms instead of typical phishing emails to avoid identification by security software. BazarBackdoor is a stealthy malware made by the TrickBot group, currently under development by the Conti ransomware operation. 

The malware offers threat actors remote access to internal devices, the launchpad can use it for further distribution in the network. The malware is usually spread via phishing emails that consist of documents that download and deploy the malware. 

But, safe email gateways are now more advanced in catching these malware droppers, distributers are now finding new ways of distributing the malware. In the latest report by Abnormal Security, analysts reveal that a new malware campaign started last year is targeting corporate victims with BazarBackdoor, the goal is most probably to deploy Cobalt Strike or ransomware payloads. Rather than sending phishing emails to targets, hackers first use corporate contact forms to start the communication. 

For instance, in many cases observed by cybersecurity experts, the hackers disguised as employees at a Canadian construction firm, submitting a request for a product supply quote. When the employees respond to the phishing emails, the threat actors send back a harmful ISO file related to the organization. 

To send these files is impossible as it would trigger security alerts, hackers use file-sharing services like WeTransfer and TransferNow. In a similar case related to the contact form exploit in August, fake DMCA infringement notices were sent via contact forms that installed BazarBackdoor. 

How BazarLoaderMalware Hides

"The ISO archive attachment contains a .lnk file and a .log file. The idea here is to evade AV detection by packing the payloads in the archive and having the user manually extract them after download. The .lnk file contains a command instruction that opens a terminal window using existing Windows binaries and loads the .log file, which is, in reality, a BazarBackdoor DLL," reports Bleeping Computer. Stay connected with CySecurity to know more.
Read more »
Vodafone
Cyber Security Cybersecurity Source Code Vodafone

Vodafone Investigates Source Code Theft Claims

Vodafone launched an inquiry after a group of hackers claimed that they stole a hundred GBs of source codes from the telecom company. The cybercrime group calls itself 'Lapsus$," which claims to have obtained around 200 GBs of source code files, representing around 5,000 GitHub repositories. According to a statement in an email, Vodafone confirmed that it knows about the situation, and an investigation has been started. 

The company said that it is currently enquiring about the claim with law agencies to verify its credibility. But, in general, the types of repositories referenced in the claim have proprietary source code and don't contain customer data. 

As of now, the hackers have not exposed any Vodafone source code which they claim to have stolen. However, they are asking tens of thousands of users that subscribed to their Telegram channel to what leak next- Vodafone, e-commerce company MercadoLibre, or Portuguese media company Impresa. The poll ends on March 13. The attack on Impresa resulted in disruption, MercadoLibre confirmed in an SEC filing that source code and 300,000 users' data were leaked. 

Last month, Vodafone Portugal has accused of service problems on a 'malicious cyberattack,' however, it's not clear if the cases are linked. Lapsus$ group has also leaked source codes and other information from NVIDIA and Samsung. 

NVIDIA confirmed that hackers stole employee credentials and signature certificates. Threat actors stole 190 GB of data from Samsung, confirmed the theft of source codes linked to Galaxy devices, however, it said that employee and customer data wasn't compromised. 

The hackers are thinking of getting big ransom payments from affected companies for not publishing the leaked data. From NVIDIA, threat actors asked the company to open-source drivers and delete a feature that restricts Ethereum mining capabilities in a few of the graphics cards. 

"The hackers gained access to the company’s Amazon Web Services account and sent emails and text messages to subscribers, the statement said. The hackers accessed some subscriber information, but Impresa said it had no evidence they got hold of subscribers’ passwords or credit card details," says Security Week.

Read more »
Ransomware Campaign
APT Group Cyber Attacks Open-Source Tool Ransomware Campaign

Threat Actors Modified Open-Source Tool to Target organizations

 

Cybersecurity researchers have unearthed an interesting ransomware campaign in which the malicious actors employed custom tools commonly used by APT (Advanced Persistent Threat) groups.

Earlier this week, Security Joes' researchers published a report highlighting attackers' modus operandi to target one of its clients in the gambling industry. During the attack, the ransomware operators used custom open-source tools. 

The operational strategies, methodology of targeting victims, and malware customization capabilities signify a potential link between APT and ransomware operators, explained the report from Security Joes. However, no concrete evidence has been uncovered till now. 

The attackers employed a modified version of the Ligolo, a reverse tunneling utility available for pentesters on GitHub, and a custom tool to dump credentials from LSASS. According to the Security Joes team, the ransomware campaign showcased excellent ransomware training and knowledge of threat actors. The stolen SSLVPN credentials of one of the employees helped attackers to penetrate the victim's systems, followed by admin scans and RDP brute-force, and then credential harvesting efforts.

At the final stage of the campaign, threat actors deployed proxy tunneling for a secure connection and installed the famous Cobalt Strike. Security Joes' team believes that the attackers would launch the ransomware as the next step since the methods followed match those of typical ransomware gang operations. However, it did not come to this, so it is impossible to say with certainty.

The attackers employed multiple off-the-shelve open-source tools typically used by numerous adversaries, like Mimikatz, SoftPerfect, and Cobalt Strike. One notable differentiation was the installation of ‘Sockbot’, a GoLang-written utility based on the Ligolo open-source reverse tunneling tool. The attackers modified Ligolo with meaningful additions that removed the need to use command-line parameters and included several execution checks to avoid running multiple processes.

Additionally, the malicious actors took into their arsenal a custom tool "lsassDumper", also written in GoLang. It was used to automatically steal data from the LSASS process. As experts noted, they observed lsassDumper in real attacks for the first time. 

"Comparing the new variant (Sockbot) to the original source code available online, the threat actors added several execution checks to avoid multiple instances running at the same time, defined the value of the Local Relay as a hard-coded string to avoid the need of passing command line parameters when executing the attack and set the persistence via a scheduled task," researchers concluded.
Read more »
Telegram
Botnet C2C Crypto Wallet Fortinet Mallicious URLs malware Russian Hacker Telegram

Telegram Abused By Raccoon Stealer

 

As per a post released by Avast Threat Labs this week, Raccoon Stealer, which was first identified in April 2019, has added the capacity to keep and update its own genuine C2 addresses on Telegram's infrastructure. According to researchers, this provides them with a "convenient and trustworthy" command center on the network which they can alter on the fly. 

The malware, which is thought to have been built and maintained by Russian-linked cybercriminals, is primarily a credential stealer, but it is also capable of a variety of other nefarious activities. Based on commands from its C2, it can collect not just passwords but also cookies, saved logins and input data from browsers, login credentials from email services and messengers, crypto wallet files, data from browser plug-ins and extensions, and arbitrary files. 

As per the reports, Buer Loader and GCleaner were used to distribute Raccoon. Experts suspect it is also being distributed in the guise of false game cheats, patches for cracked software (including Fortnite, Valorant, and NBA2K22 hacks and mods), or other applications, based on some samples. 

Given since Raccoon Stealer is for sale, the only limit to its distribution methods is the imagination of the end-users. Some samples are spread unpacked, while others are protected by malware packers like Themida. It is worth mentioning whether certain samples were packed by the same packer five times in a row.

Within Telegram, the newest version of Raccoon Stealer talks with C2: According to the post, there are four "crucial" parameters for its C2 communication which are hardcoded in every Raccoon Stealer sample. Details are as follows:
  • MAIN KEY, which has changed four times throughout the year;
  • Telegram gate URLs with channel names; 
  • BotID, a hexadecimal string that is always sent to the C2; 
  • TELEGRAM KEY, a decryption key for the Telegram Gate C2 address. 

The malware decrypts MAIN KEY, which it uses to decrypt Telegram gates URLs and BotID, before hijacking Telegram for its C2. According to Martyanov, the stealer then utilizes the Telegram gate to connect to its real C2 via a series of inquiries to eventually allow it to save and change actual C2 addresses utilizing the Telegram infrastructure. 

The stealer can also transmit malware by downloading and executing arbitrary files in response to an instruction from C2. Raccoon Stealer spread roughly 185 files totaling 265 megabytes, including downloaders, clipboard crypto stealers, and the WhiteBlackCrypt ransomware, according to Avast Threat Labs.
Read more »
Spectre Attacks
AMD attacks Cyber Attacks Intel Safety Spectre Attacks

New Exploit Circumvents Existing Spectre-V2 Mitigations in Intel and Arm CPUs

 

Researchers have revealed a new technique that might be used to bypass existing hardware mitigations in modern processors from Intel, AMD, and Arm CPUs and stage speculative execution attacks like Spektre to expose sensitive data from host memory. 

Spectre attacks are aimed to disrupt the isolation between different applications by using an optimization technique known as speculative execution in CPU hardware implementations to mislead programmes into accessing arbitrary memory regions and leaking their secrets. While chipmakers have included software and hardware defences such as Retpoline and safeguards such as Enhanced Indirect Branch Restricted Speculation (eIBRS) and Arm CSV2, the latest technique demonstrated by VUSec researchers seek to circumvent all of these measures. 

Branch History Injection (BHI or Spectre-BHB) is a new variant of Spectre-V2 attacks (tracked as CVE-2017-5715) that circumvent both eIBRS and CSV2, according to the researchers, and exposes arbitrary kernel memory on modern Intel CPUs.

"The hardware mitigations do prevent the unprivileged attacker from injecting predictor entries for the kernel," the researchers explained,

"However, the predictor relies on a global history to select the target entries to speculatively execute. And the attacker can poison this history from userland to force the kernel to mispredict to more 'interesting' kernel targets (i.e., gadgets) that leak data," the Systems and Network Security Group at Vrije Universiteit Amsterdam added. 

To put it another way, malicious code can use the CPU Branch History Buffer (BHBshared )'s branch history to affect mispredicted branches within the victim's hardware context, leading to speculative execution that can subsequently be used to infer information that would otherwise be inaccessible. All Intel and Arm processors that were previously vulnerable to Spectre-V2, as well as a number of AMD chipsets, are now vulnerable to Spectre-BHB, forcing the three firms to release software upgrades to address the problem. 

Customers should also disable the unprivileged extended Berkeley Packet Filters (eBPF) in Linux, enable both eIBRS and Supervisor-Mode Execution Prevention (SMEP), and apply LFENCE to particularly identified gadgets that are discovered to be susceptible, according to Intel. 

The researchers stated, "The [Intel eIBRS and Arm CSV2] mitigations work as intended, but the residual attack surface is much more significant than vendors originally assumed. Nevertheless, finding exploitable gadgets is harder than before since the attacker can't directly inject predictor targets across privilege boundaries. That is, the kernel won't speculatively jump to arbitrary attacker-provided targets, but will only speculatively execute valid code snippets it already executed in the past."
Read more »
Vulnerable Networks
data risks Google Social Media Technology Vulnerable Networks

Android's March 2022 Security Updates Patch 39 Vulnerabilities

 

This week Google has announced the release of security patches for 39 vulnerabilities for the March 2022 security update for Android devices. The most sensitive vulnerability is CVE-2021-39708 which gives a remotely exploitable elevation of privilege to malicious actors. This issue was found in the System component. 

“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation,” Google notes in its advisory. 

The first set of measures arrives on devices as the 2022-03-01 security patch level and addresses CVE-2021-39708 with 17 other bugs. 

According to the data, 10 security issues have been resolved in the System component in which nine issues were elevation of privilege and one was information disclosure vulnerability. Also, six vulnerabilities were resolved in Framework in which four were elevation of privilege and two denials of service bugs. Further, one security measure was patched in Android runtime (elevation of privilege) and the last was in Media Framework (information disclosure). 

Additionally, On Google Pixel devices, the March 2022 Android security measures also have resolved 21 flaws as part of the 2022-03-05 security patch level. Later addresses all of these vulnerabilities along with 41 other security flaws that hit Kernel components (13 flaws), Pixel (26), Qualcomm components (1), and Qualcomm closed-source components (1). 

The March 2022 security measures with patch level 2022-03-05 are released for the Pixel 3a series, Pixel 4 series, Pixel 4a series, Pixel 5, Pixel 5a, however, the Pixel 6 series update is delayed (again). Additionally, the Pixel-specific new measures introduced additional vulnerabilities in the Pixel software, kernel, and both open and closed-source Qualcomm components, the details of which have been given below. 

Global: Pixel 3a: SP2A.220305.012 Pixel 3a (XL): SP2A.220305.012 Pixel 4: SP2A.220305.012 Pixel 4 (XL): SP2A.220305.012 Pixel 4a: SP2A.220305.012 Pixel 4a (5G): SP2A.220305.012 Pixel 5: SP2A.220305.012 Pixel 5a (5G): SP2A.220305.012 Pixel 6: Waiting Pixel 6 Pro: delayed.
Read more »
Vulnerability and Exploits
Security Bug User Security Vulnerabilities and Exploits Vulnerability and Exploits

Unit 42 Publishes New Techniques to Mitigate Vulnerabilities in GKE Autopilot

 

Last year in June, the Unit 42 threat research team discovered multiple bugs in Google Kubernetes Engine (GKE). The vulnerabilities primarily impacted GKE Autopilot, and the latest offering by Google Cloud for managing Kubernetes clusters.

Earlier this week, Unit 42 researchers published details regarding these vulnerabilities and attack techniques to help organizations understand potential threats in securing Kubernetes and how they can be patched.

Kubernetes also known as K8s, is an open-source system for automating deployment, managing, and scaling of containerized applications. The yearly survey conducted by the Cloud Native Computing Foundation highlighted that the majority of firms (83% percent) run Kubernetes in production.

The shift to the cloud benefited multiple organizations but also attracted threat actors. Researchers at Unit 42 discovered several pieces of malware designed to attack Kubernetes. Therefore, it is vital that organizations, cloud security vendors, and the cybersecurity industry continue to work together to address issues like vulnerabilities and misconfigurations in order to help secure work in the cloud. 

The bugs in GKE Autopilot permitted malicious attackers with a restricted initial foothold to escalate privileges and gain access to an entire cluster. This allowed threat actors to covertly exfiltrate secrets, install malware and cryptominers, or disrupt workloads, while the victim remains unknown of the attacker’s activity.

As the adoption of Kubernetes continues to rise, simple misconfigurations and flaws are becoming less common, forcing attackers to launch more sophisticated assaults. According to Unit 42, even a small bug in Kubernetes can amount to very impactful attacks. Only a comprehensive cloud-native security platform can empower defenders and protect clusters against similar threats. 

How to mitigate the risks? 

Following the discovery of vulnerabilities and attack techniques in Google Kubernetes Engine, Google automatically pushed patches across GKE to Autopilot clusters. No customer action is needed. Researchers encourage Kubernetes administrators to enable policy and audit engines that monitor for, detect and prevent suspicious activity and privilege escalation in their clusters.

Powerful pods are still common in production clusters and are usually installed by the underlying Kubernetes platform or introduced through popular open-source add-ons. Unit 42 researchers recommend using Taints, NodeAffinity, or PodAntiAffinity rules to separate powerful pods from untrusted or publicly exposed ones, ensuring they do not run on the same node. 
Read more »
War
malware Ransomware RURansom Russia Ukraine War

New RURansom Wiper Targets Russia

 

The new RURansom malware, according to Trend Micro researchers, is not what it appears to be. Initially assumed to be a new strain of ransomware, the bug's developers appear to have reasons other than financial gain, as the name implies. 

So far, no active targets have been discovered, according to security experts. However, this could be as the wiper is targeting specific Russian companies. The malware's creators are open about their motivations for distributing it. A message is stored in the RURansom code variable that is responsible for the ransom note. 

"On February 24, President Vladimir Putin declared war on Ukraine. To counter this, I, the creator of RU_Ransom, created this malware to harm Russia. You bought this for yourself, Mr President. There is no way to decrypt your files. No payment, only damage," reads the note in Russian. 

The malware, as per Trend Micro, was written in the .NET programming language. The worm transmits by copying itself under the name "Russia-Ukraine war update" in Russian. To have the most impact, the file replicates itself to all removable media and mapped network shares. The malware encrypts the files once it has been deployed. The encryption is applied to all files and even though .bak files are not encrypted, the malware deletes them. Each file is given a unique encryption key by the encryption algorithm. There's no way to decrypt the files because the keys aren't kept anywhere, therefore the malware is classified as a wiper rather than ransomware. Some variants of the malware, according to researchers, first check if the user's IP address is in Russia. 

"In cases where the software is launched outside of Russia, these versions will stop the execution, showing a conscious effort to target only Russian-based computers," the authors claimed in the report. 

Wiper Warfare: 

This isn't the first time a wiper malware has been used in this war. Just before Russian soldiers invaded Ukraine, security experts discovered a disk-wiping malware. The wiper contains driver files that gradually corrupt the infected computer's Master Boot Record (MBR), rendering it inoperable. The attackers allegedly utilized official EaseUS Partition Master drivers to acquire raw disc access and modify the disc to render the machine inoperable, according to Crowdstrike. 

Since the malware's certificate was issued to Hermetica Digital Ltd., a legitimate Cyprus-based company, the wiper was dubbed HermeticWiper. The new malware has been dubbed 'DriveSlayer' by other researchers. CISA issued a warning about malware that was targeting Ukrainian businesses, along with tips and strategies for preparing and responding to the attack. Later, security researchers fleeing Ukraine claimed that the wiper software was used to hinder refugees fleeing Ukraine's civil war, forcing officials to resort to pen and paper.
Read more »
Subscribe to: Comments (Atom)