
Israeli Researchers Expose Security Flaws in Visual Studio Code Marketplace

A team of Israeli researchers investigated the security of the Visual Studio Code (VSCode) marketplace and managed to "infect" over 100 organizations by embedding risky code into a popular theme, revealing significant vulnerabilities in the system.

VSCode, a source code editor developed by Microsoft, is widely used by professional software developers globally. Microsoft also runs an extensions marketplace for VSCode, offering various add-ons to enhance functionality and customization.

Previous reports have identified security gaps in VSCode, such as the ability to impersonate extensions and publishers, and extensions that steal developer authentication tokens. Some extensions have been confirmed to be malicious.

In their experiment, researchers Amit Assaraf, Itay Kruk, and Idan Dardikman created an extension mimicking the 'Dracula Official' theme, a popular dark mode color scheme with over 7 million installs on the VSCode Marketplace. 

The fake extension, named 'Darcula,' used the legitimate Dracula theme’s code but added a script that collected system information such as hostname, installed extensions, device's domain name, and operating system platform, sending this data to a remote server. The researchers registered a matching domain, 'darculatheme.com,' to become a verified publisher, adding credibility to their fake extension.

The malicious code bypassed endpoint detection and response (EDR) tools because VSCode is generally trusted as a development and testing system. "Traditional endpoint security tools (EDRs) do not detect this activity... VSCode is built to read lots of files and execute many commands and create child processes, thus EDRs cannot understand if the activity from VSCode is legit developer activity or a malicious extension," explained Amit Assaraf.

The extension was installed by multiple high-value targets, including a publicly listed company with a $483 billion market cap, major security firms, and a national justice court network. The researchers did not disclose the names of the affected companies and ensured their experiment did not cause harm, only collecting identifying information and including a disclosure in the extension's documentation.

Following their experiment, the researchers examined the broader threat landscape of the VSCode Marketplace using a custom tool named 'ExtensionTotal' to identify high-risk extensions. Their findings included:

- 1,283 extensions with known malicious code (229 million installs).
- 8,161 extensions communicating with hardcoded IP addresses.
- 1,452 extensions running unknown executables.
- 2,304 extensions using another publisher's GitHub repository, indicating they are copycats.

The researchers highlighted a significant lack of stringent controls and code review mechanisms on the VSCode Marketplace, allowing rampant abuse of the platform. "VSCode extensions are an abused and exposed attack vertical, with zero visibility, high impact, and high risk," they warned.

All detected malicious extensions were reported to Microsoft for removal, but most remain available for download. The researchers plan to release 'ExtensionTotal' as a free tool to help developers scan their environments for potential threats.
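Two of the ExtensionTotal heuristics listed above, a hardcoded IP address in extension code and a repository owned by someone other than the publisher, can be reproduced locally. The script below is an added example, not the researchers' tool; it assumes the standard on-disk layout of an installed extension (package.json beside the bundled JavaScript, as under ~/.vscode/extensions/), and the extension it audits is constructed, with a beacon to a TEST-NET documentation address.

```python
import json
import pathlib
import re
import tempfile
from urllib.parse import urlparse

# Dotted-quad literal that is not part of a longer token (catches "http://203.0.113.5/x").
IPV4 = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")

def repo_owner(repository):
    """'repository' in package.json is a URL string or {'type', 'url'}; return the GitHub owner or None."""
    url = repository.get("url", "") if isinstance(repository, dict) else (repository or "")
    parsed = urlparse(url if "://" in url else "https://" + url)
    if parsed.netloc.lower() != "github.com":
        return None
    parts = [p for p in parsed.path.split("/") if p]
    return parts[0].lower() if parts else None

def audit_extension(ext_dir):
    """Apply both heuristics to one installed extension directory; return human-readable findings."""
    ext_dir = pathlib.Path(ext_dir)
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    publisher = manifest.get("publisher", "").lower()
    findings = []
    owner = repo_owner(manifest.get("repository"))
    if owner and owner != publisher:
        findings.append(f"repository owned by '{owner}' but published by '{publisher}'")
    for js in sorted(ext_dir.rglob("*.js")):
        text = js.read_text(encoding="utf-8", errors="ignore")
        for ip in sorted(set(IPV4.findall(text))):
            if not ip.startswith(("127.", "0.0.0.0")):   # skip loopback and placeholder addresses
                findings.append(f"hardcoded IP {ip} in {js.relative_to(ext_dir)}")
    return findings

def demo():
    """Constructed copycat theme: another author's repository plus a beacon to a literal IP (TEST-NET-3)."""
    root = pathlib.Path(tempfile.mkdtemp()) / "themecopy.darkish-1.0.0"
    root.mkdir()
    (root / "package.json").write_text(json.dumps({
        "name": "darkish", "publisher": "themecopy", "version": "1.0.0",
        "repository": {"type": "git", "url": "https://github.com/original-author/darkish-theme.git"},
        "main": "./extension.js"}), encoding="utf-8")
    (root / "extension.js").write_text('fetch("http://203.0.113.5/ping");\n', encoding="utf-8")
    return audit_extension(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Version strings such as 1.2.3.4 also match the IPv4 pattern, so treat hits as leads to inspect rather than verdicts.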

BleepingComputer has reached out to Microsoft to inquire about potential security improvements to the VSCode Marketplace to combat typosquatting and impersonation, but no response has been received as of publication time.

Windows System Admins Targeted by Hackers Via Fraudulent PuTTy, WinSCP Ads

A ransomware attack targets Windows system administrators by using Google advertisements to promote fraudulent download sites for PuTTY and WinSCP. Both are popular Windows applications: WinSCP is an SFTP and FTP client, while PuTTY is an SSH client.

System administrators typically have more rights on a Windows network, making them prime targets for threat actors looking to quickly propagate over a network, steal data, and get access to a network's domain controller to deliver ransomware. 

According to a recent Rapid7 report, a search engine campaign showed adverts for fake PuTTY and WinSCP websites when users searched for "download winscp" or "download putty". It's unclear whether the adverts ran on Google or Bing.

These advertisements used typosquatting domain names such as puutty[.]org, wnscp[.]net, and vvinscp[.]net. While the WinSCP sites impersonated the official WinSCP site (winscp.net), the PuTTY sites impersonated putty.org, an unaffiliated site that many people assume is the official one. PuTTY's official website is https://www.chiark.greenend.org.uk/~sgtatham/putty/.

These sites include download links that, when clicked, may either redirect you to legitimate websites or download a ZIP archive from the threat actor's servers, depending on whether you were sent by a search engine or another site in the campaign. 

The downloaded ZIP packages contain two files: Setup.exe, a renamed copy of the legitimate Python for Windows executable (pythonw.exe), and python311.dll, a malicious library.

When pythonw.exe runs, it tries to load a legitimate python311.dll. The threat actors replaced this DLL with a malicious version, which is picked up through DLL sideloading.

When a user launches Setup.exe, expecting to install PuTTY or WinSCP, it loads the malicious DLL, which extracts and executes an encrypted Python script.

This script will eventually install the Sliver post-exploitation toolkit, which is a popular tool for gaining access to corporate networks. Rapid7 claims the threat actor utilised Sliver to remotely deploy other payloads, including Cobalt Strike beacons. The hacker utilised this access to steal data and try to install a ransomware encryptor. 

While Rapid7 provided few specifics about the ransomware, the researchers say the campaign is comparable to those detected by Malwarebytes and Trend Micro, which used the now-defunct BlackCat/ALPHV ransomware.

"In a recent incident, Rapid7 observed the threat actor attempt to exfiltrate data using the backup utility Restic, and then deploy ransomware, an attempt which was ultimately blocked during execution," stated Rapid7's Tyler McGraw. "The related techniques, tactics, and procedures (TTP) observed by Rapid7 are reminiscent of past BlackCat/ALPHV campaigns as reported by Trend Micro last year."

Clipper Virus: 451 PyPI Packages Deploy Chrome Extensions to Steal Crypto

Threat actors have recently released more than 451 distinct Python packages on the official Python Package Index (PyPI) repository in an effort to infect developer systems with the clipper virus.

The libraries were discovered by software supply chain security firm Phylum, which said the ongoing activity is a continuation of a campaign that was first made public in November 2022. 

How Did Threat Actors Use Typosquatting? 

In an initial finding, it was discovered that popular packages including beautifulsoup, bitcoinlib, cryptofeed, matplotlib, pandas, pytorch, scikit-learn, scrapy, selenium, solana, and tensorflow were being mimicked via typosquatting. 

For each of the aforementioned, the threat actors deploy between 13 and 38 typosquatting variations in an effort to account for a wide variety of potential mistypes that could lead to the download of the malicious package. 
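The look-alike names in both campaigns above (puutty.org, wnscp.net and vvinscp.net for the download sites; 13 to 38 misspellings per package name here) can be caught with the same defender-side check, shown below as an added example that is not code from Rapid7, Phylum or the articles. It combines a small edit-distance threshold with folding of visually confusable sequences; the allow-lists are constructed for illustration and would be replaced by the domains and packages an organisation actually relies on.

```python
# Allow-lists are constructed for this example; a real deployment would hold the
# download sites and packages an organisation actually uses.
LEGIT_DOMAINS = {"winscp.net", "putty.org", "chiark.greenend.org.uk"}
LEGIT_PACKAGES = {"beautifulsoup", "bitcoinlib", "cryptofeed", "matplotlib", "pandas",
                  "pytorch", "scikit-learn", "scrapy", "selenium", "solana", "tensorflow"}

# Sequences that read as another letter at a glance ("vvinscp" for "winscp").
CONFUSABLES = {"vv": "w", "rn": "m", "0": "o", "1": "l"}

def levenshtein(a, b):
    """Edit distance counting single-character insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(name):
    """Lower-case, undo defanging ('[.]') and fold look-alike sequences."""
    name = name.lower().replace("[.]", ".")
    for seq, letter in CONFUSABLES.items():
        name = name.replace(seq, letter)
    return name

def find_typosquat(candidate, legit, max_distance=2):
    """Return (legitimate_name, reason) if `candidate` resembles a known-good name, else None.

    An exact match with a known-good name is never reported: it is the real thing.
    """
    raw = candidate.lower().replace("[.]", ".")
    if raw in {n.lower() for n in legit}:
        return None
    cand, best = normalize(raw), None
    for name in sorted(legit):
        d = levenshtein(cand, normalize(name))
        if d == 0:                       # differs only by look-alike substitutions
            return (name, "look-alike characters")
        if d <= max_distance and (best is None or d < best[1]):
            best = (name, d)
    return (best[0], f"edit distance {best[1]}") if best else None

if __name__ == "__main__":
    for name in ("puutty[.]org", "vvinscp[.]net", "wnscp[.]net", "winscp.net"):
        print(name, "->", find_typosquat(name, LEGIT_DOMAINS))
    for name in ("pandsa", "tensorflwo", "requests"):
        print(name, "->", find_typosquat(name, LEGIT_PACKAGES))
```

For very short names a distance of 2 produces false positives, so lower max_distance for them or review hits by hand.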

To evade detection, the threat actors deployed a new obfuscation tactic that was not used in the November 2022 wave: function and variable identifiers are now random 16-bit combinations of Chinese ideographs.

Researchers at Phylum emphasized that the code relies on built-in Python functions and a series of arithmetic operations to generate its strings. So although the obfuscation produces a visually striking result, it is not especially difficult to unravel.

"While this obfuscation is interesting and builds up extremely complex and highly obfuscated looking code, from a dynamic standpoint, this is trivial[…]Python is an interpreted language, and the code must run. We simply have to evaluate these instances, and it reveals exactly what the code is doing," reads a Phylum report.

Malicious Browser Extensions 

To hijack cryptocurrency transactions, the malicious PyPI packages create a malicious Chromium browser extension in the '%AppData%\Extension' folder, similar to the November 2022 attacks.

They then look for Windows shortcuts for Google Chrome, Microsoft Edge, Brave, and Opera and hijack them to load the malicious browser extension via the '--load-extension' command line argument.

For example, a Google Chrome shortcut would be hijacked to "C:\Program Files\Google\Chrome\Application\chrome.exe --load-extension=%AppData%\\Extension".

After the web browser is launched, the extension loads and its JavaScript monitors the Windows clipboard for cryptocurrency addresses. When one is found, the extension replaces it with one of a list of hardcoded addresses under the threat actor's control, so that funds from any transaction the user then sends go to the threat actor's wallet rather than the intended recipient.
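A defender-side check for the shortcut hijack described above, added here as an example (not code from Phylum or the article): given the target and argument string read from each browser shortcut (for instance with WScript.Shell's CreateShortcut in PowerShell), it reports any --load-extension directory that lives in a user-writable location. The shortcut entries are constructed to mirror the hijacked Chrome command line quoted above.

```python
import ntpath
import re

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}
# Locations an unprivileged user (and therefore malware running as that user) can write to.
USER_WRITABLE = ("%appdata%", "%localappdata%", "%temp%", "\\appdata\\", "\\temp\\", "\\users\\public\\")

def split_args(arguments):
    """Split a Windows argument string on whitespace, honouring double quotes (quotes are dropped)."""
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', arguments or "")]

def load_extension_paths(arguments):
    """Every directory handed to --load-extension, as '=value' or a separate token, comma-separated."""
    tokens, paths, i = split_args(arguments), [], 0
    while i < len(tokens):
        if tokens[i].startswith("--load-extension="):
            value = tokens[i].split("=", 1)[1]
        elif tokens[i] == "--load-extension" and i + 1 < len(tokens):
            i += 1
            value = tokens[i]
        else:
            i += 1
            continue
        paths.extend(p for p in value.split(",") if p)
        i += 1
    return paths

def check_shortcut(target, arguments):
    """Return side-loaded extension directories under user-writable paths for a browser shortcut."""
    if ntpath.basename(target).lower() not in BROWSERS:
        return []
    return [p for p in load_extension_paths(arguments) if any(m in p.lower() for m in USER_WRITABLE)]

# Constructed (target, arguments) pairs, as they would be read from each .lnk file.
SAMPLE_SHORTCUTS = [
    ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "--load-extension=%AppData%\\Extension"),
    ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", ""),
    ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
     '--load-extension="C:\\Users\\dev\\AppData\\Roaming\\Extension",C:\\Tools\\ext --profile-directory=Default'),
    ("C:\\Windows\\System32\\notepad.exe", "--load-extension=%AppData%\\Extension"),
]

def scan(shortcuts=SAMPLE_SHORTCUTS):
    """List (target, suspicious extension paths) for every hijacked browser shortcut."""
    return [(t, hits) for t, a in shortcuts if (hits := check_shortcut(t, a))]
```

An extension loaded from a fixed directory outside AppData (the C:\Tools\ext case) is not flagged; extend USER_WRITABLE to match local policy.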

By including cryptocurrency addresses for Bitcoin, Ethereum, TRON, Binance Chain, Litecoin, Ripple, Dash, Bitcoin Cash, and Cosmos in this new campaign, the threat actor has increased the number of wallets that are supported. 

These findings illustrate the ever-emerging threats that developers face from supply chain attacks, with threat actors turning to methods like typosquatting to trick users into installing fraudulent packages.