Open Source | Breaking Cybersecurity News | The Hacker News

The legitimate command-and-control (C2) framework known as Sliver is  gaining   more traction  from threat actors as it emerges as an open source alternative to  Cobalt Strike  and Metasploit. The findings come from Cybereason, which  detailed  its inner workings in an exhaustive analysis last week. Sliver, developed by cybersecurity company BishopFox, is a Golang-based cross-platform post-exploitation framework that's designed to be used by security professionals in their red team operations. Its myriad features for adversary simulation – including dynamic code generation, in-memory payload execution, and process injection – have also made it an appealing tool for threat actors looking to gain elevated access to the target system upon gaining an initial foothold. In other words, the software is used as a second-stage to conduct next steps of the attack chain after already compromising a machine using one of the initial intrusion vectors such as spear-phishing or exploitatio

Google on Tuesday announced the open source availability of  OSV-Scanner , a scanner that aims to offer easy access to vulnerability information about various projects. The  Go-based tool , powered by the Open Source Vulnerabilities ( OSV ) database, is designed to connect "a project's list of dependencies with the vulnerabilities that affect them," Google software engineer Rex Pan in a post shared with The Hacker News. "The OSV-Scanner generates reliable, high-quality vulnerability information that closes the gap between a developer's list of packages and the information in vulnerability databases," Pan added. The idea is to identify all the transitive dependencies of a project and highlight relevant vulnerabilities using data pulled from OSV.dev database. Google further stated that the open source platform supports 16 ecosystems, counting all major languages, Linux distributions (Debian and Alpine), as well as Android, Linux Kernel, and  OSS-Fuzz .

A version of an open source ransomware toolkit called  Cryptonite  has been observed in the wild with wiper capabilities due to its "weak architecture and programming." Cryptonite , unlike other ransomware strains, is not available for sale on the cybercriminal underground, and was instead offered for free by an actor named CYBERDEVILZ until recently through a GitHub repository. The source code and its forks have since been taken down. Written in Python, the malware employs the  Fernet module  of the cryptography package to encrypt files with a ".cryptn8" extension. But a  new sample  analyzed by Fortinet FortiGuard Labs has been found to lock files with no option to decrypt them back, essentially acting as a destructive data wiper. But this change isn't a deliberate act on part of the threat actor, but rather stems from a lack of quality assurance that causes the program to crash when attempting to display the ransom note after completing the encryption p

Google on Thursday  announced  the creation of a new "Open Source Maintenance Crew" to focus on bolstering the security of critical open source projects. Additionally, the tech giant pointed out  Open Source Insights  as a tool for analyzing packages and their dependency graphs, using it to determine "whether a vulnerability in a dependency might affect your code." "With this information, developers can understand how their software is put together and the consequences to changes in their dependencies," the company said. The development comes as security and trust in the open source software ecosystem has been increasingly thrown into question in the aftermath of a  string  of  supply chain   attacks  designed to compromise developer workflows. In December 2021, a critical flaw in the ubiquitous open source  Log4j logging library  left several companies scrambling to patch their systems against potential abuse. The announcement also comes less than

Continuous integration vendor Travis CI has patched a serious security flaw that exposed API keys, access tokens, and credentials, potentially putting organizations that use public source code repositories at risk of further attacks. The issue — tracked as  CVE-2021-41077  — concerns unauthorized access and plunder of secret environment data associated with a public open-source project during the software build process. The problem is said to have lasted during an eight-day window between September 3 and September 10. Felix Lange of Ethereum has been credited with discovering the leakage on September 7, with the company's Péter Szilágyi  pointing out  that "anyone could exfiltrate these and gain lateral movement into 1000s of [organizations]." Travis CI is a hosted CI/CD (short for continuous integration and continuous deployment) solution used to build and test software projects hosted on source code repository systems like GitHub and Bitbucket. "The desired b

Cybersecurity researchers on Tuesday disclosed nine security vulnerabilities affecting three open-source projects —  EspoCRM ,  Pimcore , and  Akaunting  — that are widely used by several small to medium businesses and, if successfully exploited, could provide a pathway to more sophisticated attacks. All the security flaws in question, which impact EspoCRM v6.1.6, Pimcore Customer Data Framework v3.0.0, Pimcore AdminBundle v6.8.0, and Akaunting v2.1.12, were fixed within a day of responsible disclosure, researchers Wiktor Sędkowski of Nokia and Trevor Christiansen of Rapid7  noted. Six of the nine flaws were uncovered in the Akaunting project. EspoCRM is an open-source customer relationship management (CRM) application, while Pimcore is an open-source enterprise software platform for customer data management, digital asset management, content management, and digital commerce. Akaunting, on the other hand, is an open-source and online accounting software designed for invoice and exp

Researchers from the University of Minnesota apologized to the maintainers of Linux Kernel Project on Saturday for intentionally including vulnerabilities in the project's code, which led to the school being banned from contributing to the open-source project in the future. "While our goal was to improve the security of Linux, we now understand that it was hurtful to the community to make it a subject of our research, and to waste its effort reviewing these patches without its knowledge or permission," assistant professor Kangjie Lu, along with graduate students Qiushi Wu and Aditya Pakki,  said  in an email. "We did that because we knew we could not ask the maintainers of Linux for permission, or they would be on the lookout for the hypocrite patches," they added. The apology comes over a study into what's called "hypocrite commits," which was  published  earlier this February. The project aimed to deliberately add  use-after-free  vulnerabil

Besides rewarding ethical hackers from its pocket for responsibly reporting vulnerabilities in third-party open-source projects, Google today announced financial support for open source developers to help them arrange additional resources, prioritizing the security of their products. The initiative, called " Patch Rewards Program ," was launched nearly 6 years ago, under which Google rewards hackers for reporting severe flaws in many widely used open source software, including OpenSSH, OpenSSL, Linux kernel, Apache, Nginx, jQuery, and OpenVPN. So far, Google has paid hundreds of thousands of dollars as bounty to hackers across the world who helped improve the overall security of many crucial open source software and technologies that power the Internet, operating systems, and networks. The company has now also decided to motivate volunteer work done by the open source community by providing upfront financial help to project teams, using which they can acquire addition

Lodash, a popular npm library used by more than 4 million projects on GitHub alone, is affected by a high severity security vulnerability that could allow attackers to compromise the security of affected services using the library and their respective user base. Lodash is a JavaScript library that contains tools to simplify programming with strings, numbers, arrays, functions, and objects, helping programmers write and maintain their JavaScript code more efficiently. Liran Tal, a developer advocate at open-source security platform Snyk, recently published details and proof-of-concept exploit of a high-severity prototype pollution security vulnerability that affects all versions of lodash, including the latest version 4.17.11. The vulnerability, assigned as CVE-2019-10744 , potentially affects a large number of frontend projects due to the popularity of lodash that is being downloaded at a rate of more than 80 million times per month. Prototype pollution is a vulnerability t

Developers around the world depend on open source components to build their software products. According to industry estimates, open source components account for 60-80% of the code base in modern applications. Collaboration on open source projects throughout the community produces stronger code, squashing the bugs and catching the vulnerabilities that impact the security of organizations who look to open source components as the key to their application building success. Thanks in part to the "thousand eyeballs" of the community, the number of reported vulnerabilities in open source projects is on the rise, spiking 51% in 2017 from the previous year. This is even more concerning since, as shown in the same study, most vulnerabilities are found in popular projects. Data shows that 32% of the top 100 open source projects have at least one vulnerability, meaning that developers have their work cut out for them, no matter which components they are using in their products.

What just happened would definitely gonna surprise you. Linus Torvalds—father of the Linux open-source operating system—finally admitted his behavior towards other developers in the Linux community was hurting people and Linux. In a surprising move this weekend, Torvalds apologized for insulting and abusing other developers for almost three decades and took a break from the open-source software to work on his behavior. In an email to the Linux Kernel Mailing List (LKML) on Sunday, Torvalds said that he was confronted by people of the Linux community this week about his lifetime of not understanding emotions, and apologized for his personal behavior that has hurt people and possibly has driven some of them away from working in kernel development altogether. Torvalds wrote, "I need to change some of my behavior, and I want to apologize to the people that my personal behavior hurt and possibly drove away from kernel development entirely." "I am going to take

Facebook has open sourced Fizz—a library designed to help developers implement TLS 1.3 protocol with all recommended security and performance related configurations. Since late last month, Google Chrome web browser has started marking all non-HTTPS websites as 'Not Secure' in an effort to make the web a more secure place, forcing website administrators to switch to HTTPS. TLS 1.3 is the newest and most secure cryptographic protocol of the Transportation Layer Security (TLS), the successor to Secure Sockets Layer (SSL), which encrypts data in transit between clients and servers to prevent data theft or tampering. To make internet traffic more secure, TLS 1.3 incorporates several new features like encrypting handshake messages to keep certificates private, redesigning the way secret keys are derived, and a zero round-trip (0-RTT) connection setup, making certain requests faster than TLS 1.2. Written in C++ 14, Fizz is a reliable and highly performant TLS library that

A security researcher has found four vulnerabilities, including a critical remote code execution bug, in OpenVPN, those were not even caught in the two big security audits of the open source VPN software this year. OpenVPN is one of the most popular and widely used open source VPN software solutions mostly used for various connectivity needs, but it is especially popular for anonymous and private access to the Internet. This year, two independent security audits of OpenVPN were carried out to look for flaws, backdoors, and other defects in the open source software – one conducted by a team led by Johns Hopkins University crypto-boffin Dr. Matthew D. Green. The audits resulted in a patch of a few vulnerabilities in the widely used open source software, giving OpenVPN a clean chit. Researcher Used Fuzzer to find Bugs in OpenVPN Researcher Guido Vranken of Netherlands exclusively used a fuzzer and recently discovered four security holes in OpenVPN that escaped both the secur

The National Security Agency (NSA) — the United States intelligence agency which is known for its secrecy and working in the dark — has finally joined GitHub and launched an official GitHub page. The NSA employs genius-level coders and brightest mathematicians, who continually work to break codes, gather intelligence on everyone, and develop hacking tools like EternalBlu e that was leaked by the Shadow Brokers in April and abused by the WannaCry ransomware last month to wreak havoc worldwide. The intelligence agency mostly works in secret, but after Edward Snowden leaks in 2013, the NSA has started (slowly) opening itself to the world. It joined Twitter in the same year after Snowden leaks and now opened a Github account. GitHub is an online service designed for sharing code amongst programmers and open source community, and so far, the NSA is sharing 32 different projects as part of the NSA Technology Transfer Program ( TTP ), while some of these are 'coming soon.'

Microsoft has announced to shut down CodePlex -- its website for hosting repositories of open-source software projects -- on December 15, 2017. Launched in 2006, CodePlex was one of the Microsoft's biggest steps towards the world of open source community -- where any programmer, anywhere can share the code for their software or download and tweak the code to their liking. However, Microsoft says that the service has dramatically fallen in usage and that fewer than 350 projects seeing a source code commit over the last 30 days, pointing to GitHub as the "de-facto place for open source sharing." GitHub – 'Facebook for Programmers' In a blog post published Friday, Microsoft Corporate VP Brian Harry wrote that the shutdown of CodePlex is because the open source community has almost entirely moved over to GitHub, which provides similar functionality for sharing code that people can collaborate on. "Over the years, we have seen a lot of amazing opti

Last year Google employees took an initiative to help thousands of Open Source Projects patch a critical remote code execution vulnerability in a widely used Apache Commons Collections (ACC) library. Dubbed Operation Rosehub , the initiative was volunteered by some 50 Google employees, who utilized 20 percent of their work time to patch over 2600 open source projects on Github, those were vulnerable to "Mad Gadget vulnerability." Mad Gadget vulnerability ( CVE-2015-6420 ) is a remote code execution bug in the Java deserialization used by the Apache Commons Collections (ACC) library that could allow an unauthenticated, remote attacker to execute arbitrary code on a system. The ACC Library is widely deployed by many Java applications to decode data passed between computers. To exploit this flaw, all an unauthorized attacker need to do is submit maliciously crafted input to an application on a targeted system that uses the ACC library. Once the vulnerable ACC libra

WhatsApp and Facebook have so far the largest end-to-end encrypted video calling network of all, but now another popular end-to-end encrypted messaging app recommended by whistleblower Edward Snowden is ready to give them a really tough competition. The Signal app, which is widely considered the most secure of all other encrypted messaging apps, released video calling feature on Tuesday for both Android and iOS in a new update. Developed by open source software group Open Whisper System, Signal is a free and open source messaging application specially designed for Android and iOS users to make secure and encrypted messages and voice calls. Even the Signal Protocol powers the end-to-end encryption built into WhatsApp, Facebook Messenger, and Google Allo's Incognito mode as well. Signal has already been providing fully end-to-end encrypted chat and voice calling features, but the newly added feature will make it even easier for privacy conscious people to convey their inf

You won't believe your eyes while reading this, but this is true. Microsoft just joined the Linux Foundation as a high-paying Platinum member. Microsoft's love with open source community is embracing as time passes. At its first Connect event in 2013, the company launched Visual Studio 2013. A year later, Microsoft open sourced .NET, and last year, it open sourced the Visual Studio Code Editor, as well. Not just that, Microsoft partnered with Canonical to bring Ubuntu on Windows 10 , worked with FreeBSD to develop a Virtual Machine image for its Azure cloud , and chosen Ubuntu as the OS for its Cloud-based Big Data services. And the big news for this year is… At its 2016 Connect developer event in New York today, Microsoft announced that the company is joining the Linux Foundation as a Platinum member – the highest level of membership, which costs $500,000 annually. Besides this, Microsoft also announced that tech giant Google has also joined on with the indepen

After TrueCrypt mysteriously discontinued its service, VeraCrypt became the most popular open source disk encryption software used by activists, journalists, as well as privacy conscious people. First of all, there is no such thing as a perfect, bug-free software. Even the most rigorously tested software, like the ones that operate SCADA Systems, medical devices, and aviation software, have flaws. Vulnerabilities are an unfortunate reality for every software product, but there is always space for improvements. Due to the enormous popularity of VeraCrypt, security researchers from the OSTIF (The Open Source Technology Improvement Fund) agreed to audit VeraCrypt independently and hired researchers from QuarksLab in August to lead the audit. And it seems like VeraCrypt is not exactly flawless either. Now after one month of the audit, researchers have discovered a number of security issues, including 8 critical, 3 medium, and 15 low-severity vulnerabilities in the popular

OSquery , an open-source framework created by Facebook that allows organizations to look for potential malware or malicious activity on their networks, was available for Mac OS X and Linux environments until today. But now the social network has announced that the company has developed a Windows version of its osquery tool , too. When Facebook engineers want to monitor thousands of Apple Mac laptops across their organization, they use their own untraditional security tool called OSquery. OSquery is a smart piece of cross-platform software that scans every single computer on an infrastructure and catalogs every aspect of it. Then SQL-based queries allow developers and security teams to monitor low-level functions in real-time and quickly search for malicious behavior and vulnerable applications on their infrastructure. In simple words, OSquery allows an organization to treat its infrastructure as a database, turning OS information into a format that can be queried using SQL