Feb 14, 2024NewsroomSoftware Security / Vulnerability

Cybersecurity researchers have found that it’s possible for threat actors to exploit a well-known utility called command-not-found to recommend their own rogue packages and compromise systems running Ubuntu operating system.

“While ‘command-not-found’ serves as a convenient tool for suggesting installations for uninstalled commands, it can be inadvertently manipulated by attackers through the snap repository, leading to deceptive recommendations of malicious packages,” cloud security firm Aqua said in a report shared with The Hacker News.

Installed by default on Ubuntu systems, command-not-found suggests packages to install in interactive bash sessions when attempting to run commands that are not available. The suggestions include both the Advanced Packaging Tool (APT) and snap packages.

When the tool uses an internal database (“/var/lib/command-not-found/commands.db”) to suggest APT packages, it relies on the “advise-snap” command to suggest snaps that provide the given command.

Thus, should an attacker be able to game this system and have their malicious package recommended by the command-not-found package, it could pave the way for software supply chain attacks.

Aqua said it found a potential loophole wherein the alias mechanism can be exploited by the threat actor to potentially register the corresponding snap name associated with an alias and trick users into installing the malicious package.

What’s more, an attacker could claim the snap name related to an APT package and upload a malicious snap, which then ends up being suggested when a user types in the command on their terminal.

“The maintainers of the ‘jupyter-notebook’ APT package had not claimed the corresponding snap name,” Aqua said. “This oversight left a window of opportunity for an attacker to claim it and upload a malicious snap named ‘jupyter-notebook.'”

To make matters worse, the command-not-found utility suggests the snap package above the legitimate APT package for jupyter-notebook, misleading users into installing the fake snap package.

As many as 26% of the APT package commands are vulnerable to impersonation by malicious actors, Aqua noted, presenting a substantial security risk, as they could be registered under an attacker’s account.

A third category entails typosquatting attacks in which typographical errors made by users (e.g., ifconfigg instead of ifconfig) are leveraged to suggest bogus snap packages by registering a fraudulent package with the name “ifconfigg.”

In such a case, command-not-found “would mistakenly match it to this incorrect command and recommend the malicious snap, bypassing the suggestion for ‘net-tools’ altogether,” Aqua researchers explained.

Describing the abuse of the command-not-found utility to recommend counterfeit packages as a pressing concern, the company is urging users to verify the source of a package before installation and check the maintainers’ credibility.

Developers of APT and snap packages have also been advised to register the associated snap name for their commands to prevent them from being misused.

“It remains uncertain how extensively these capabilities have been exploited, underscoring the urgency for heightened vigilance and proactive defense strategies,” Aqua said.

Dec 22, 2023NewsroomSkimming / Web Security

Threat hunters have discovered a rogue WordPress plugin that’s capable of creating bogus administrator users and injecting malicious JavaScript code to steal credit card information.

The skimming activity is part of a Magecart campaign targeting e-commerce websites, according to Sucuri.

“As with many other malicious or fake WordPress plugins it contains some deceptive information at the top of the file to give it a veneer of legitimacy,” security researcher Ben Martin said. “In this case, comments claim the code to be ‘WordPress Cache Addons.'”

Malicious plugins typically find their way to WordPress sites via either a compromised admin user or the exploitation of security flaws in another plugin already installed on the site.

Post installation, the plugin replicates itself to the mu-plugins (or must-use plugins) directory so that it’s automatically enabled and conceals its presence from the admin panel.

“Since the only way to remove any of the mu-plugins is by manually removing the file the malware goes out of its way to prevent this,” Martin explained. “The malware accomplishes this by unregistering callback functions for hooks that plugins like this normally use.”

The fraudulent plugin also comes with an optionF to create and hide an administrator user account from the legitimate website admin to avoid raising red flags and have sustained access to the target for extended periods of time.

The ultimate objective of the campaign is to inject credit card stealing malware in the checkout pages and exfiltrate the information to an actor-controlled domain.

“Since many WordPress infections occur from compromised wp-admin administrator users it only stands to reason that they’ve needed to work within the constraints of the access levels that they have, and installing plugins is certainly one of the key abilities that WordPress admins possess,” Martin said.

The disclosure arrives weeks after the WordPress security community warned of a phishing campaign that alerts users of an unrelated security flaw in the web content management system and tricks them into installing a plugin under the guise of a patch. The plugin, for its part, creates an admin user and deploys a web shell for persistent remote access.

Sucuri said that the threat actors behind the campaign are leveraging the “RESERVED” status associated with a CVE identifier, which happens when it has been reserved for use by a CVE Numbering Authority (CNA) or security researcher, but the details are yet to be filled.

It also comes as the website security firm discovered another Magecart campaign that uses the WebSocket communications protocol to insert the skimmer code on online storefronts. The malware then gets triggered upon clicking a fake “Complete Order” button that’s overlaid on top of the legitimate checkout button.

Europol’s spotlight report on online fraud released this week described digital skimming as a persistent threat that results in the theft, re-sale, and misuse of credit card data. “A major evolution in digital skimming is the shift from the use of front-end malware to back-end malware, making it more difficult to detect,” it said.

The E.U. law enforcement agency said it also notified 443 online merchants that their customers’ credit card or payment card data had been compromised via skimming attacks.

Group-IB, which also partnered with Europol on the cross-border cybercrime fighting operation codenamed Digital Skimming Action, said it detected and identified 23 families of JS-sniffers, including ATMZOW, health_check, FirstKiss, FakeGA, AngryBeaver, Inter, and R3nin, which were used against companies in 17 different countries across Europe and the Americas.

“In total, 132 JS-sniffer families are known, as of the end of 2023, to have compromised websites worldwide,” the Singapore-headquartered firm added.

That’s not all. Bogus ads on Google Search and Twitter for cryptocurrency platforms have been found to promote a cryptocurrency drainer named MS Drainer that’s estimated to have already plundered $58.98 million from 63,210 victims since March 2023 via a network of 10,072 phishing websites.

“By targeting specific audiences through Google search terms and the following base of X, they can select specific targets and launch continuous phishing campaigns at a very low cost,” ScamSniffer said.