Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Malicious Code. Show all posts
Web Servers
Critical Flaw Malicious Code Ransomware Vulnerabilities and Exploits Web Servers

Ransomware Attackers Are Weaponizing PHP Flaw to Infect Web Servers

 

Security researchers revealed that ransomware attackers have swiftly turned a simple-to-exploit PHP programming language vulnerability—which allows malicious code to be executed on web servers—into a weapon. 

As of Thursday last week, Censys' Internet scans had found 1,000 servers infected with the TellYouThePass ransomware strain, down from 1,800 on Monday. The servers, which are largely based in China, no longer display their typical content; instead, many list the site's file directory, which shows that all files have a.locked extension, indicating that they have been encrypted. The accompanying ransom note demands around $6,500 in exchange for the decryption key. 

The vulnerability, identified as CVE-2024-4577 and assigned a severity rating of 9.8 out of 10, results from flaws in PHP's conversion of Unicode characters to ASCII. Best Fit, a feature integrated into Windows, enables attackers to utilise argument injection to turn user-supplied data into characters that send malicious commands to the main PHP application. Exploits enable attackers to circumvent CVE-2012-1823, a significant code execution vulnerability addressed in PHP in 2012. 

CVE-2024-4577 only affects PHP when it is run in CGI mode, which involves a web server parsing HTTP requests and passing them to a PHP script for processing. Even if PHP is not configured to use CGI mode, the vulnerability may still be exploitable if PHP executables such as php.exe and php-cgi.exe are located in directories accessible to the web server. This setup is fairly uncommon, with the exception of the XAMPP platform, which includes it by default. An extra requirement appears to be that the Windows locale, which is used to personalise the OS to the user's local language, be set to Chinese or Japanese. 

The critical vulnerability was made public on June 6, along with a security fix. The attackers were exploiting it within 24 hours to install TellYouThePass, Imperva researchers disclosed last week. The exploits ran malware that exploited the Windows binary mshta.exe to launch an HTML application hosted on an attacker-controlled server. The use of the programme revealed a strategy known as living off the land, in which attackers employ native OS features and tools to blend in with routine, non-malicious behaviour.

In a post published Friday, Censys researchers stated that the TellYouThePass gang's exploitation began on June 7 and mirrored previous incidents in which opportunistically mass scan the Internet for vulnerable systems following a high-profile vulnerability and indiscriminately targeting any accessible server. The vast majority of affected servers have IP addresses in China, Taiwan, Hong Kong, or Japan, most likely because Chinese and Japanese localities are the only ones verified to be vulnerable, Censys researchers noted in an email.

“From our perspective, many of the compromised hosts appear to remain online, but the port running the PHP-CGI or XAMPP service stops responding—hence the drop in detected infections,” researchers added. “Another point to consider is that there are currently no observed ransom payments to the only Bitcoin address listed in the ransom notes (source). Based on these facts, our intuition is that this is likely the result of those services being decommissioned or going offline in some other manner.”
Read more »
Windows 11
Cyber Security DLL Search Order Hijacking Exploitation Malicious Code Privilege Escalation Security Bypass Security Joes Threat actors Windows 10 Windows 11

New DLL Search Order Hijacking Variant Evades Windows 10 and 11 Protections

 

Security researchers have outlined a fresh variant of a dynamic link library (DLL) search order hijacking technique, potentially enabling threat actors to circumvent security measures and execute malicious code on computers running Microsoft Windows 10 and Windows 11.

The new method, disclosed in a report by cybersecurity firm Security Joes and exclusively shared with The Hacker News, exploits executables commonly present in the trusted WinSxS folder, utilizing the classic DLL search order hijacking technique. By doing so, adversaries can avoid the need for elevated privileges when attempting to run malicious code on a compromised system, introducing potentially vulnerable binaries into the attack chain.

DLL search order hijacking involves manipulating the search order used to load DLLs, allowing the execution of malicious payloads for purposes such as defense evasion, persistence, and privilege escalation. This technique targets applications that do not specify the full path to required libraries, relying on a predefined search order to locate DLLs on disk.

Threat actors exploit this behavior by relocating legitimate system binaries into non-standard directories that contain malicious DLLs, named after legitimate ones. This tricks the system into loading the attack code-containing library instead of the authentic one.

The unique aspect introduced by Security Joes focuses on files within the trusted "C:\Windows\WinSxS" folder. WinSxS, short for Windows side-by-side, is a crucial Windows component used for OS customization and updates to ensure compatibility and integrity.

According to Ido Naor, co-founder and CEO of Security Joes, the discovery diverges from traditional cyber attack methods, providing a more subtle and stealthy exploitation technique. The strategy involves identifying vulnerable binaries in the WinSxS folder and combining them with DLL search order hijacking methods. This entails strategically placing a custom DLL with the same name as a legitimate DLL into an actor-controlled directory, triggering code execution when executing a vulnerable file in the WinSxS folder.

Security Joes emphasized the potential for additional binaries in the WinSxS folder susceptible to this DLL search order hijacking, urging organizations to take precautions. They recommended examining parent-child relationships between processes, particularly focusing on trusted binaries, and closely monitoring activities performed by binaries in the WinSxS folder, including network communications and file operations.
Read more »
Software
Chain Security CIO Cyber Attacks Cyber Security CyberCrime Malicious Code Software

How Can Developers Win the Data Security Battle?

 


In IT organizations, chief information officers (CIOs) rank security as their top challenge as being one of their biggest weaknesses. It is estimated that 82% of companies are vulnerable to cyber threats in their own software supply chains. 

Because security threats continue to change and become increasingly sophisticated, developers must work closely with security teams. It is done to ensure the development lifecycle is managed effectively throughout the whole process. This is so that all measures are taken to ensure security is baked in from the ground up. 

Several factors, including this and others, have contributed to the emergence of cybersecurity as an issue that is becoming more expensive. A recently released report by McKinsey & Company predicted that in 2025, cybercrime would be worth approximately $10.5 trillion worldwide, an increase of 300% over today's figure. Meanwhile, governments all over the globe are taking note of the risks associated with the software supply chain by assessing the risks. There have been several cyber performance goals set by the Cybersecurity and Infrastructure Security Agency (CISA) to protect critical infrastructure across the country as part of its cyber performance goals. It appears, for now, that these guidelines may serve as a foundation for federal regulations if they are voluntary. There is evidence to support this, but for now, they are voluntary. 

It is encouraging to see that a positive trend is brewing, but as of now, there is one group increasingly strengthening its position on the front lines of defense when it comes to data security: software developers. 

Software Supply Chain Security: Four Pillars 

There is a responsibility placed on security teams within their organizations to do whatever they can to protect the data of their company. Software supply chain attacks have been increasing in number and method over the past few years due to the increasing volume and nature of these attacks. Policies need to be enforced across a wide range of operations, in addition, security teams are also expected to implement best practices and compliance standards across these operations. As a result, many organizations have had their supply chain teams overworked, resulting in a "downhill" effect on development teams, who inevitably have been called to resolve and strengthen many of the many supply chain issues that have become backlogs in the process of supply chain integration. 

Unfortunately, most organizations cannot afford to have a person devoted solely to DevSecOps, and there are not enough leaders or engineers who can do so. Due to this fact, it is becoming increasingly common for security and development teams to work together. This is because they include security from the start of the development of applications and processes, thereby ensuring a secure product for users. 

Developers are now playing an increasingly critical role in the fight against data breaches, which means they have four things they need to keep in mind in their efforts to secure the software supply chain in this day and age: 

Increasing the Emphasis on Software Packages

Software packages can simply be described as modules of code that are put together to form a complete application at their most basic level. Among malicious actors today, one of the most common strategies that they employ is to attack compromised packages that include more than just source code - these compromised packages might contain sensitive keys, configuration files, or other aspects that can make a company vulnerable to their attacks. 

To be able to detect issues within packages that cannot be detected solely by source code alone, developers must have both the tools and knowledge required. A full understanding of potential exploits will allow them to be able to determine the full impact of their introduction. 

Knowing the Context in Which Software Operates

In addition to developing software packages, developers must learn and understand the context within which software operates to best protect it from harm. Particularly, they must identify and recognize the misuse of open-source libraries, the ongoing insecurity of services, the exposure of secrets, as well as issues with infrastructure-as-code configurations (IACs). A vulnerability in the application must then be identified to determine whether it is appropriate for them and whether they are likely to exploit it. 

An application's configuration, use of authentication mechanisms, and exposure of keys can all make a difference as to whether common vulnerabilities and exposures (CVEs) can be exploited and exploited successfully. Along with the security team, developers should ensure that the libraries, services, daemons, and IAC they rely on within a software supply chain, such as on-premises, in the cloud, and at the edge, are not misused or misconfigured, regardless of where they are located. 

Assure That all Processes and Tools are Secure

In an ideal situation, all the artifacts and repositories that are needed to support a development project should be managed in one place, creating an all-encompassing point of truth for the organization. The process of securing a product becomes a natural part of the development process when the development team has control over everything in their portfolio - this single source of facts becomes a single source of trust. 

DevOps requirements and tools require and incorporate security as part of their design and implementation when they are managed correctly. It is the goal of the project to unify, accelerate, and secure the delivery of software from the development stage to the deployment stage. Teams involved in the security set policies and strategies, followed by teams involved in development resolving, or managing any codebase issues. A workflow that works for core DevOps teams does not just work for security and developer teams. Instead, it has to work for all teams, whether it is an infrastructure team, an integration team, a release team, or a flow team.

Preventing the Exploitation of Vulnerabilities

To detect vulnerabilities that can be exploited, most organizations should partner with a third-party or open-source community, which has advanced research experience, to assist them in uncovering them before they are exploited by attackers. As a result, businesses can make quick decisions to combat upcoming attacks as they become commonplace in their line of business. This in turn enables them to update databases rapidly with contextual analysis that mimics the work of researchers. 

Innovation Through Facilitation

Security needs to be implemented across the entire development process of an application to allow developers to actually develop. This means that if they follow the strategies above, they won’t spend all their time dealing with security issues that they do not understand. Instead, they can get their work done. In this way, they can solve vulnerabilities easier and faster and make sure that they are fixing everything that is wrong with the vulnerabilities. There is no doubt that security is a real and vital concern. However, to win, organizations must make it a priority throughout the entire software supply chain rather than just in the IT department. This allows developers to develop more innovative software, which in turn allows the business to move forward and innovate.
Read more »
Vulnerabilites and Exploits
Cisco Cisco devices Command injection vulnerability Malicious Code Security Flaws Trellix Vulnerabilites and Exploits

All You Need to Know About the Cisco Command-Injection Bug


A security flaw has been discovered in Cisco gear used in data centers, large enterprises, industrial facilities, and smart city power grids that could give hackers unrestricted access to these devices and wider networks. 

Trellix researchers, in a report published on February 1st reveals the bug, one of two flaws discovered, impacts the following Cisco networking devices: 

  • Cisco ISR 4431 routers 
  • 800 Series Industrial ISRs 
  • CGR1000 Compute Modules
  • IC3000 Industrial Compute Gateways 
  • IOS XE-based devices configured with IOx 
  • IR510 WPAN Industrial Routers 
  • Cisco Catalyst Access points 

One bug — CSCwc67015 — was discovered in code which is not yet released. Apparently, it has the capability to allow hackers to execute their own code, and possibly replace the majority of the files on the device. 

The second bug (allegedly more malicious) — CVE-2023-20076 — found in production equipment, is a command-injection vulnerability which could enable unauthorized access and remote code execution (RCE). Despite Cisco's barriers against such a situation, this would have required not only complete control of a device's operating system but also persistence through any upgrades or reboots. 

According to Trellix, since Cisco networking equipment is being operated around the globe in data centers, enterprises, and government organizations, including its most common footprints at industrial facilities, this makes the impact of the vulnerabilities more significant. 

“In the world of routers, switches, and networking, Cisco is the current king of the market[…]We would say that thousands of businesses could potentially be impacted,” says Sam Quinn, senior security researcher with the Trellix Advanced Research Center. 

The Latest Cisco Security Flaws 

According to Trellix, the two flaws are a result of a shift in how routing technology work. On these miniature-server-routers, network administrators may now install application containers or even entire virtual systems. Along with great functionality, this increased complexity will also lead to a broader attack surface. 

"Modern routers now function like high-powered servers[…]with many Ethernet ports running not only routing software but, in some cases, even multiple containers," the authors of the report explained. 

Both CSCwc67015 and CVE-2023-20076 roots from the router's advanced application hosting environment. 

In terms of CSCwc67015, "a maliciously packed programme could bypass a vital security check while uncompressing the uploaded application" in the hosting environment. The study aimed to safeguard the system from CVE-2007-4559, a 15-year-old path traversal vulnerability in a Python module that Trellix itself had discovered in September. 

The flaw CVE-2023-20076, however, also makes use of the Cisco routers' support for virtual machines and application containers. In this particular case, it has to do with how admins pass commands to start their applications. 

The researchers identified that the 'DHCP Client ID' option inside the Interface Settings was not properly being sanitized, granting them root-level access to the device and enabling them to "inject any OS command of our choosing." 

Adding to this, the authors of the report highlight how "Cisco heavily prioritizes security in a way that attempts to prevent an attack from remaining a problem through reboots and system resets." 

However, they showed in a proof-of-concept video how the command-injection problem might be exploited to gain total access, enabling a malicious container to withstand device reboots or firmware updates. There are now only two options for removal: doing a complete factory reset or manually identifying and eradicating the malicious code. 

Furthermore, in a concluding remark, the Trellix researchers have advised organizations to watch out for any suspicious containers installed on relevant Cisco devices, and recommended that companies that do not operate containers to disactivate the IOx container framework completely. 

They highlighted that "organizations with impacted devices should update to the newest firmware immediately" as being the most crucial step to follow. 

Moreover, users are advised to apply the patch as soon as possible, in order to protect themselves from the vulnerabilities.  

Read more »
Technology
AI AI tools AI-backed systems Artificial Intelligence ChatGPT Check Point Malicious Campaigns Malicious Code OpenAI Technology

ChatGPT: When Cybercrime Meets the Emerging Technologies


The immense capability of ChatGPT has left the entire globe abuzz. Indeed, it solves both practical and abstract problems, writes and debugs code, and even has the potential to aid with Alzheimer's disease screening. The OpenAI AI-powered chatbot, however, is at high risk of abuse, as is the case with many new technologies. 

How Can ChatGPT be Used Maliciously? 

Recently, researchers from Check Point Software discovered that ChatGPT could be utilized to create phishing emails. When combined with Codex, a natural language-to-code system by OpenAI, ChatGPT can develop and disseminate malicious code. 

According to Sergey Shykevich, threat intelligence group manager at Check Point Software, “Our researchers built a full malware infection chain starting from a phishing email to an Excel document that has malicious VBA [Visual Basic for Application] code. We can compile the whole malware to an executable file and run it in a machine.” 

He adds that ChatGPT primarily produces “much better and more convincing phishing and impersonation emails than real phishing emails we see in the wild now.” 

In regards to the same, Lorrie Faith Cranor, director and Bosch Distinguished Professor of the CyLab Security and Privacy Institute and FORE Systems Professor of computer science and of engineering and public policy at Carnegie Mellon University says, “I haven’t tried using ChatGPT to generate code, but I’ve seen some examples from others who have. It generates code that is not all that sophisticated, but some of it is actually runnable code[…]There are other AI tools out there for generating code, and they are all getting better every day. ChatGPT is probably better right now at generating text for humans, and may be particularly well suited for generating things like realistic spoofed emails.” 

Moreover, the researchers have also discovered hackers that create malicious tools like info-stealers and dark web markets using ChatGPT. 

What AI Tools are More Worrisome? 

Cranor says “I think to use these [AI] tools successfully today requires some technical knowledge, but I expect over time it will become easier to take the output from these tools and launch an attack[…]So while it is not clear that what the tools can do today is much more worrisome than human-developed tools that are widely distributed online, it won’t be long before these tools are developing more sophisticated attacks, with the ability to quickly generate large numbers of variants.” 

Furthermore, complications could as well arise from the inability to detect whether the code was created by utilizing ChatGPT. “There is no good way to pinpoint that a specific software, malware, or even phishing email was written by ChatGPT because there is no signature,” says Shykevich. 

What Could be the Solution? 

One of the methods OpenAI is opting for is to “watermark” the output of GPT models, which could later be used to determine whether they are created by AI or humans. 

In order to safeguard companies and individuals from these AI-generated threats, Shykevich advises using appropriate cybersecurity measures. While the current safeguards are still in effect, it is critical to keep upgrading and bolstering their application. 

“Researchers are also working on ways to use AI to discover code vulnerabilities and detect attacks[…]Hopefully, advances on the defensive side will be able to keep up with advances on the attacker side, but that remains to be seen,” says Cranor. 

While ChatGPT and other AI-backed systems have the potential to fundamentally alter how individuals interact with technology, they also carry some risk, particularly when used in dangerous ways. 

“ChatGPT is a great technology and has the potential to democratize AI,” adds Shykevich. “AI was kind of a buzzy feature that only computer science or algorithmic specialists understood. Now, people who aren’t tech-savvy are starting to understand what AI is and trying to adopt it in their day-to-day. But the biggest question, is how would you use it—and for what purposes?”  

Read more »
Vulnerabilities and Exploits
Application Security Camera Bug IOT Security Malicious Code Vulnerabilities and Exploits

Multiple Security Bugs Identified in EZVIZ Smart Cams

 

The vulnerabilities allow a hacker to remotely access the camera, download images, decrypt them, and circumvent authentication to inject code remotely. 

Security analysts at Bitdefender have published a detailed analysis on vulnerabilities in several lines of EZVIZ Internet of Things (IoT) cameras, a smart home security brand used across the globe. The vulnerabilities unearthed in at least five EZVIZ camera models could allow a hacker to remotely access the camera, download images, decrypt them, and circumvent authentication to inject code remotely.

"When daisy-chained, the discovered vulnerabilities allow an attacker to remotely control the camera, download images, and decrypt them," the researchers explained. "Use of these vulnerabilities can bypass authentication and potentially execute code remotely, further compromising the integrity of the affected cameras." 

The vulnerabilities spotted in the affected device models are listed below: - 

• CS-CV248 [20XXXXX72] - V5.2.1 build 180403 
• CS-C6N-A0-1C2WFR [E1XXXXX79] - V5.3.0 build 201719 
• CS-DB1C-A0-1E2W2FR [F1XXXXX52] - V5.3.0 build 211208 
• CS-C6N-B0-1G2WF [G0XXXXX66] - v5.3.0 build 210731 
• CS-C3W-A0-3H4WFRL [F4XXXXX93] - V5.3.5 build 22012 

Threat analysts discovered the first vulnerability (tracked as CVE-2022-2471) in the ‘configMotionDetectArea’ API endpoint. Subsequently, they identified an insecure direct object reference vulnerability at multiple API endpoints that pave a path for hackers to gain access to the camera, and a third remote vulnerability allows hackers to exfiltrate the encryption key for the video. 

The final security bug, tracked under CVE-2022-2472, lets a hacker recover the administrator password and control the device. 

“Our analysis uncovered several vulnerabilities in the EZVIZ smart devices and their API endpoints that could allow an attacker to carry out a variety of malicious actions, including remote code execution and access to the video feed,” said Dan Berte, director, IoT Security at Bitdefender. One of the main features of these devices is the ability to be accessed from anywhere the user has an internet connection.” 

The researchers advised users to apply the patches, update the software immediately, and regularly visit the manufacturer’s website for any EZVIZ camera security-related news. 

Last year in August, BitDefender security experts unearthed multiple zero-day vulnerabilities in a home baby monitor, made by China-based developer Victure. In a security report, researchers disclosed the stack-based buffer flaw present in the ONVIF server Victure PC420 component camera that allows hackers to plant remote codes on the victim device. When exploited, hackers can discover cameras (not owned by them) and command devices to broadcast camera feeds to a third party and exploit the camera firmware.
Read more »
Technology
AWS Malicious Code Repository Supply Chain Attack Technology

GitHub Supply Chain Attack Cloned Thousands of Repositories to Target Developers

 

GitHub, a code repository with more than 83 million developers, has been targeted in a supply chain attack.

The attack was unearthed earlier this week by software developer Stephen Lacy and involved a hacker cloning and adding malicious code to more than 35,000 GitHub repositories while keeping intact the code’s original source code. Nearly 40 percent (13,000) of the repositories compromised originated from a single organization, called “redhat-operator-ecosystem” on the site, a spoof of the RedHat openshift ecosystem. 

The cloned projects attempted to lure users to click on them by spoofing genuine user accounts, using names identical to the original project and legitimate-sounding firm names. 

The malicious code allowed the repositories to exfiltrate the environment variables containing sensitive data like Amazon AWS credentials, API keys, crypto keys, and a one-line backdoor. The malware also allowed remote hackers to execute arbitrary code on those systems that install/run the clones. 

The weaponized code could lead to developers accidentally downloading cloned code repositories that contain malicious code. If used in their applications, this would then lead them to expose their users to code that includes malware. 

Fortunately, Lacy thwarted the attack by removing the affected projects and organizations including Golang, Bash, Python, Docker, JavaScript, and Kubernetes. GitHub confirmed that the original repositories weren’t compromised, and the clones have been quarantined and cleaned. 

According to security experts, cloning open-source code is common among developers. But, in this case, the hackers injected malicious code/links into genuine GitHub projects to target innocent users.

The methodology applied by hackers is identical to the approach unearthed by ReversingLabs last month, where typo-squatting packages were being picked up by GitHub-owned NPM, and then exfiltrated data from forms designed with the malicious packages. 

Additionally, the researchers identified more than two dozen infected packages, all cloning popular NPM packages, stretching back to December 2021. 

Thwarting supply chain attacks 

 GitHub has issued an advisory for guarding the code supply chain on its website. 

• For accounts employed for personal use as well as those used by organizations and enterprises, set up two-factor authentication. 
• Connect to GitHub using secure socket shell (SSH) keys. 
• For enterprises, centralize user authentication. 
• Design a vulnerability management program for dependencies which will allow them to have full visibility over any vulnerabilities the code they are using has. 
• Avoid using passwords or API keys within the source code. 
• Block vulnerable coding patterns by reviewing and examining all pull requests before merging.
Read more »
Zero- day vulnerability
Malicious Code MySQL PHP SQL Injection Vulnerabilities and Exploits. Zero- day vulnerability

PrestaShop Sites Hit by Severe Security Flaw

 


Hackers are using a blend of known and undiscovered security flaws to insert malicious software into e-commerce websites running the PrestaShop platform, according to an urgent advisory from PrestaShop. There are currently 300,000 stores using PrestaShop, which is available in 60 different languages.

Operation objective:

Hackers exploit businesses that are utilizing out-of-date software or modules, susceptible third-party modules, or a vulnerability that has not yet been identified. The store must be vulnerable to SQL injection attacks for the attack to succeed. PrestaShop versions 1.6.0.10 and later and versions 1.7.8.2 and after running modules susceptible to SQL injection are also affected by the vulnerability.

The repeating method is stated in the PrestaShop security bulletin as follows:
  • A POST request is made by the hacker to a vulnerability endpoint to SQL injection.
  • The hacker sends a GET request to the homepage without any parameters after around a second.
  • This triggers the creation of a PHP file with the name blm.php at the root of the shop's directory.
  • The attacker now sends a GET request to the newly constructed file, blm.php, enabling them to carry out any command.
The hackers likely exploited this web shell to insert a scam payment form on the store's checkout page and steal payment card information from customers. To keep the site owner from learning that they had been compromised, the remote threat actors erased their trails after the attack.

Security measures 

Ensure that the site is updated to the most recent version, as well as all of its modules. Compromise site managers may discover entries in the web server's access logs for clues that they were compromised if the hackers weren't careful with the cleanup of evidence.

The addition of malicious software to files through file modifications and the activation of the MySQL Smarty cache storage, which is a component of the attack chain, are additional indications of compromise.

Because of the exploit's intricacy, there are various techniques to use it, and hackers might also try to cover their traces. To ensure that no file has been edited or malicious software has been installed, think about hiring a professional to conduct a thorough audit of the website.



Read more »
URL
Data Breach JavaScript Malicious Code NPM Package Open Source Software Supply Chain Attack URL

Attack Against NPM Software Supply Chain Unearthed

 

Iconburst's most recent attack is described as a massive and well-planned effort to spread malicious Javascript packages distributed through the open-source NPM package system.

Upon further analysis, evidence of a planned supply chain assault was found, with numerous NPM packages containing jQuery scripts created to steal data from deployed apps that use them, as per researchers.

ReversingLabs noted that the malicious packages we identified are probably used by hundreds or thousands of downstream mobile and desktop programs as well as websites, even if the full scope of this assault is still unknown. In one instance, malicious software had been downloaded more than 17,000 times.

Obfuscation used 

The firm said that its analysis of the modules had found signs of coordination, with malicious modules linked to a select group of NPM publishers and recurrent patterns in the infrastructure that supported them, such as unencrypted domains.

“The revelation of a javascript obfuscator was the first trigger for our team to examine a broad variety of NPM packages, the majority of which had been released within the previous two months and utilized the stated obfuscator. It revealed more than 20 NPM packages in total. When these NPM modules are examined in greater detail, it becomes clear that they are associated with one of a small number of NPM accounts with names like ionic-io, arpanrizki, kbrstore, and aselole,” according to ReversingLabs. 

Meanwhile, Checkmarx said, "Roughly a thousand unique user accounts released over 1200 NPM packages to the registry, which we found. Automation was used, which allowed for the successful completion of the NPM 2FA challenge. At this moment, this collection of packages appears to be a part of an attacker's testing." 

Obfuscated malware data theft 

The de-obfuscated examples underwent a thorough analysis, which showed that every one of them collects form data using jQuery Ajax methods and subsequently exploits that data to different domains controlled by malevolent writers.

To exfiltrate serialized form data to domains under the attacker's control, the malicious packages employ a modified script that extends the functionality of the jQuery ajax() function. The function verifies the URL content before transmitting the data to carry out target filtering checks. 

Attack on supply chain 

The NPM modules which ReversingLabs found have been downloaded more than 27,000 times in total. The attacks occurred for months before coming to attention because very few development firms can identify malicious software within open source libraries and modules.

"It is certain from the report of this study that software development businesses and their clients both require new tools and procedures for evaluating supply chain risks, such as those posed by these malicious NPM packages," researchers told.

"Applications and services are only as secure as their weakest component due to the decentralized and modular nature of application development. The attack's success—more than two dozen malicious modules were made available for download on a well-known package repository, and one of them received 17,000 downloads in just a few weeks—underscores the lax standards for application development and the low barriers that prevent malicious or even vulnerable code from exploiting IT environments and sensitive applications," ReversingLabs further added.
Read more »
Vulnerability and Exploits
CVE vulnerability Linux Kernel Malicious Code NSA QNAP Vulnerabilities and Exploits Vulnerability and Exploits

Several QNAP NAS Devices are Vulnerable by Dirty Pipe Linux Bug

 

The "Dirty Pipe" Linux kernel weakness – a high-severity vulnerability that offers root access to unprivileged users with local access in all major distros – affects a majority of QNAP's network-attached storage (NAS) appliances, the Taiwanese company stated. 

The Linux kernel on QNAP NAS running QTS 5.0.x and QuTS hero h5.0.x, according to QNAP, is affected by Dirty Pipe, a recently revealed local privilege-escalation vulnerability. A local user with no access can get admin privileges and insert malicious code if this vulnerability is exploited. 

The flaw was identified and reported eight days ago by Max Kellermann of CM4all, a security researcher. The vulnerability, which has been identified as CVE-2022-0847, has been present in the Linux kernel since version 5.8. Fortunately, Linux kernels 5.10.102, 5.15.25, and 5.16.11 have been updated to address the issue. 

However, as Linux news site Linuxiac points out, Dirty Pipe is just not simply a threat to Linux machines: because Android is built on the Linux kernel, any device running version 5.8 or later is vulnerable, putting a large number of people at risk. For example, Linuxiac cited the Google Pixel 6 and Samsung Galaxy S22: the widely used phones run on Linux kernel 5.10.43, making them susceptible.

"QNAP will hopefully deliver a kernel update for the vulnerability soon," Mike Parkin, a highly experienced engineer at Vulcan Cyber. "This is the storage device vendor's second recent incident," Parkin further pointed out in an email.

NAS devices that allow authorized users and customers to store and retrieve data from a single location boost productivity by providing cloud computing capabilities inside networks, according to Schless. Dirty Pipe has been compared to Dirty Cow by some; an older privilege escalation flaw (CVE-2016-5195) which has been in Linux for nine years — since 2007 – before it was publicly exploited in 2016 against web-facing Linux servers.

Dirty Pipe is a lot like Dirty Cow, except it's a lot worse as it's easy to take advantage of. According to Parkin, the vulnerability's mitigating element is whether it requires local access, which reduces the danger marginally. The Dirty Pipe flaw has also been fixed in the newest Linux kernel code. Furthermore, patches for the major distributions are expected to be available soon.
Read more »
Vulnerability and Exploits
Malicious Code Package Managers Security Bugs Vulnerabilities and Exploits Vulnerability and Exploits

Multiple Security Bugs Identified in Software Package Managers

 

Cybersecurity researchers at SonarSource have unearthed multiple security bugs in popular package managers including Pip, Yarn, Composer, and others. The vulnerabilities can be exploited to run arbitrary code and access sensitive details, including source code and access tokens, from vulnerable devices. 

However, it is worth noting that the security bugs require threat actors to use one of the vulnerable package managers to handle a malicious package.

"This means that an attack cannot be launched directly against a developer machine from remote and requires that the developer is tricked into loading malformed files," Paul Gerste, a researcher at SonarSource explained. "But can you always know and trust the owners of all packages that you use from the internet or company-internal repositories?" 

Package managers are systems or a collection of tools that automate the installation, upgrade, and deal with the configuration of third-party dependencies required for designing applications. 

Multiple security bugs in various package managers indicate that they could be exploited by malicious actors to trick victims into running malicious code. The vulnerabilities have been discovered in the following package managers –

 • Composer 1.x < 1.10.23 and 2.x < 2.1.9 • Bundler < 2.2.33 • Bower < 1.8.13 • Poetry < 1.1.9 • Yarn < 1.22.13 • pnpm < 6.15.1 • Pip (no fix), and • Pipenv (no fix) 

The most severe flaw is a command injection bug in Composer's browse command that could be exploited to execute arbitrary code by adding a URL to a malicious package that has already been published. If threat actors employ typosquatting or dependency confusion methodologies, it is possible that invoking the browse command for the library may lead to the retrieval of a next-stage payload, which can subsequently be used to launch further cyber assaults, researchers explained.

Following responsible disclosure of vulnerabilities in September last year, patches for the security bugs were fixed in Composer, Bundler, Bower, Poetry, Yarn, and Pnpm were released. However, Composer, Pip, and Pipenv, which are all impacted by the untrusted search path bug, have chosen not to patch the vulnerability. 

"Developers are an attractive target for cybercriminals because they have access to the core intellectual property assets of a company: source code," Gerste concluded. "Compromising them allows attackers to conduct espionage or to embed malicious code into a company's products. This could even be used to pull off supply chain attacks."
Read more »
Vulnerabilities and Exploits
Malicious Code Security Bug Vulnerabilities and Exploits

Trend Micro Patches Critical Bugs in its Security Products

 

Trend Micro has addressed two high-severity bugs impacting its hybrid cloud security devices. The researchers responsible for identifying the flaws have released the details and proof-of-concept (PoC) exploits. 

The flaws tracked as CVE-2022-23119 and CVE-2022-23120, affect Deep Security and Cloud One workload security solutions, specifically the Linux agent feature. 

The security loopholes were unearthed by researchers at Swiss-German cybersecurity firm modzero, which also published PoC exploits the same day Trend Micro released the security patches i.e., on January 19. The researchers first reported the vulnerabilities to Trend Micro in September and patches were released between October and December. 

The researchers at Modzero identified that the Deep Security Agent for Linux is impacted by a directory traversal bug that could be exploited by malicious actors to read arbitrary files and a code injection issue that could be abused to escalate privileges and implement code as root. However, a threat actor requires to have access to the targeted system and exploitation is only possible if the agent has not been activated or configured. 

Additionally, Modzero’s researchers noticed that a hardcoded default X.509 certificate and a corresponding private key are shipped with the agent software. The certificate is used to establish communication with the server before the agent is activated. 

“The Trend Micro Deep Security Agent authenticates remote servers using mutual TLS (mTLS): Both the server and the agent identify each other by presenting a certificate. The agent software ships with a hardcoded default X.509 certificate and a corresponding private key. Until the agent is configured (‘activated’) by the server component this certificate is used in communications with the server. It is stored in the shared object file /opt/ds_agent/lib/dsa_core.so The agent software uses a certificate authority (CA) to establish the server’s identity,” researchers explained.

“When the server connects to the agent, its certificate is validated against this CA. However, the agent uses its own certificate also as a CA. As this certificate ships with a private key, it is possible for an attacker to create and sign their own server certificate, imitate a server and to send commands to the client software.”

Last week, Trend Micro informed users regarding an information disclosure bug impacting its Worry-Free Business Security small business product. However, that flaw was assigned a “low severity” rating.
Read more »
Subscribe to: Posts (Atom)