CyberSecurity news
FlagThis - #opensource
|
drewt@secureworldexpo.com (Drew@SecureWorld News
//
References:
SecureWorld News
, The Hacker News
A surge in malicious packages targeting crypto wallets, Telegram tokens, and codebase integrity has been reported across npm, PyPI, and RubyGems, highlighting the persistent vulnerability of the open-source software supply chain. Threat actors are actively exploiting human trust by publishing clones of legitimate software packages. Once installed, these malicious clones execute harmful payloads, ranging from cryptocurrency theft to complete codebase deletion. Researchers have uncovered instances where Telegram API traffic is rerouted to attacker-controlled command-and-control servers, exfiltrating sensitive data like bot tokens, chat IDs, message content, and attached files.
This malicious activity is not limited to package repositories. A sophisticated campaign has been uncovered, utilizing deceptive websites spoofing Gitcodes and Docusign, to trick users into running malicious PowerShell scripts on their Windows machines. These websites lure victims into copying and pasting scripts into the Windows Run prompt, leading to the installation of the NetSupport RAT (Remote Access Trojan). The scripts often employ multi-stage downloaders, retrieving additional payloads from various domains to further compromise the infected system. Sophos researchers also exposed a large-scale GitHub campaign where backdoored malware was disguised as legitimate tools. This campaign revolved around numerous repositories posing as exploits, game cheats, and open-source tools. Compiling the code triggered infection chains involving VBS scripts, PowerShell downloads, and obfuscated Electron apps, ultimately deploying info-stealers and RATs. These campaigns use various methods of deception, including automated commits to give the impression of active development and obfuscation of payloads to avoid detection, showing the lengths these actors will go to to exploit the software supply chain. Recommended read:
References :
@securebulletin.com
//
A concerning trend of hackers exploiting open-source software supply chains has been identified, with malicious backdoors being planted in Python and NPM packages. Security researchers at Checkmarx Zero have uncovered a sophisticated campaign where attackers are using typosquatting and name-confusion tactics to trick users into downloading harmful software. This cross-ecosystem approach targets both Windows and Linux systems, deploying multi-platform payloads with the capability to steal data and establish remote control. These findings highlight the growing need for enhanced security measures within open-source ecosystems to combat supply chain attacks.
This campaign leverages the Python Package Index (PyPI) and Node Package Manager (NPM) by mimicking legitimate software. Specifically, the attack targeted users of "colorama," a popular Python tool, and "colorizr," a similar JavaScript package, by uploading packages with names like "coloramapkgs" and "colorizator". The malicious packages carry dangerous payloads designed to give attackers remote access and control, allowing them to harvest and exfiltrate sensitive data. On Windows systems, the malware attempts to bypass antivirus software, while on Linux, it establishes encrypted connections, steals information, and maintains a hidden presence. Fortunately, the identified malicious packages have been removed from public software repositories, limiting their immediate potential for damage. However, the lack of clear attribution data makes it difficult to trace the campaign back to a known adversary. Vet, an open-source tool designed to help developers and security engineers spot risks in their software supply chains, goes beyond traditional software composition analysis by detecting known vulnerabilities and flagging malicious packages. It supports ecosystems like npm, PyPI, Maven, Go, Docker, and GitHub Actions, assisting in the detection of supply chain attacks. Recommended read:
References :
@Wiz Blog | RSS feed
//
A widespread cryptojacking campaign is targeting misconfigured DevOps infrastructure, including Nomad, Consul, Docker, and Gitea, to illicitly mine Monero cryptocurrency. The attackers, tracked as JINX-0132, are exploiting known misconfigurations and vulnerabilities in publicly accessible web servers to deploy mining software. This campaign marks the first publicly documented instance of Nomad misconfigurations being exploited as an attack vector.
The JINX-0132 group uniquely avoids traditional identifiers, downloading tools directly from public GitHub repositories, including standard release versions of XMRig. This "living-off-open-source" approach complicates detection and clustering of their activities. They abuse insecure configurations and vulnerable software versions to hijack DevOps web servers. HashiCorp Nomad and Consul, Docker API, and Gitea servers are being targeted. Affected Nomad instances can manage hundreds of clients, representing significant compute power. To prevent such attacks, organizations are advised to review their configurations, activate security features like access control lists (ACLs) for Nomad, and properly configure Consul to prevent unauthorized access and resource utilization. Recommended read:
References :
@securityonline.info
//
Security researchers are raising alarms about the open-source library 'easyjson,' a Golang package used extensively across cloud-native technologies. A new investigation by cybersecurity firm Hunted Labs has revealed that easyjson is maintained and controlled by developers associated with VK Group, a major Russian internet conglomerate based in Moscow. VK Group's ties to the Kremlin, including its leadership being under U.S. and E.U. sanctions, have ignited concerns about potential supply chain risks for organizations relying on this library. Easyjson is used by the US government and American companies.
The 'easyjson' library is deeply embedded in the software ecosystem, particularly in cloud-native applications, distributed systems, and real-time analytics platforms. It's found to be widely used in projects like Helm, Istio, Kubernetes, ArgoCD, Grafana, Sigstore, and across many US Government and Fortune 500 organizations. This widespread integration makes it difficult to monitor, remove, or replace, according to Hunted Labs. The firm's report warns that "Any compromise of a serializer is extremely dangerous because they are: invisible, deeply integrated, hard to remove, and trusted by default.” Researchers fear that Russia could alter easyjson to steal data or otherwise be abused. Hunted Labs outlines alarming possibilities if easyjson were to be compromised or weaponized, including supply chain backdoors enabling mass compromise, remote code execution via crafted JSON inputs, espionage and covert data exfiltration, and even kill switch activation across critical systems. As Hayden Smith, a cofounder at Hunted Labs, stated, the package is "basically a linchpin for the cloud native ecosystem, that’s maintained by a group of individuals based in Moscow belonging to an organization that has this suspicious history." Recommended read:
References :
|