The Hacker News - Cybersecurity News and Analysis: supply chain attack

Multiple Backdoored Python Libraries Caught Stealing AWS Secrets and Keys

June 24, 2022 | Ravie Lakshmanan
Researchers have discovered a number of malicious Python packages in the official third-party software repository that are engineered to exfiltrate AWS credentials and environment variables to a publicly exposed endpoint. The list of packages includes loglib-modules, pyg-modules, pygrata, pygrata-utils, and hkg-sol-utils, according to Sonatype security researcher Ax Sharma. The packages as well as the endpoint have now been taken down. "Some of these packages either contain code that reads and exfiltrates your secrets or use one of the dependencies that will do the job," Sharma said. The malicious code injected into "loglib-modules" and "pygrata-utils" allows the packages to harvest AWS credentials, network interface information, and environment variables and export them to a remote endpoint: "hxxp://graph.pygrata[.]com:8000/upload." Troublingly, the endpoints hosting this information in the form of hundreds of .TXT files were not secu
How Secrets Lurking in Source Code Lead to Major Breaches

May 25, 2022 | The Hacker News
If one word could sum up the 2021 infosecurity year (well, actually three), it would be these: "supply chain attack". A software supply chain attack happens when hackers manipulate the code in third-party software components to compromise the 'downstream' applications that use them. In 2021, we have seen a dramatic rise in such attacks: high-profile security incidents like the SolarWinds, Kaseya, and Codecov data breaches have shaken enterprises' confidence in the security practices of third-party service providers. What does this have to do with secrets, you might ask? In short, a lot. Take the Codecov case (we'll go back to it quickly): it is a textbook example to illustrate how hackers leverage hardcoded credentials to gain initial access into their victims' systems and harvest more secrets down the chain. Secrets-in-code remains one of the most overlooked vulnerabilities in the application security space, despite being a priority target in hack
Popular PyPI Package 'ctx' and PHP Library 'phpass' Hijacked to Steal AWS Keys

May 24, 2022 | Ravie Lakshmanan
Two trojanized Python and PHP packages have been uncovered in what's yet another instance of a software supply chain attack targeting the open source ecosystem. One of the packages in question is "ctx," a Python module available in the PyPI repository. The other involves "phpass," a PHP package that's been forked on GitHub to distribute a rogue update. "In both cases the attacker appears to have taken over packages that have not been updated in a while," the SANS Internet Storm Center (ISC) said, one of whose volunteer incident handlers, Yee Ching, analyzed the ctx package. It's worth noting that ctx, prior to the latest release on May 21, 2022, was last published to PyPI on December 19, 2014. On the other hand, phpass hasn't received an update since it was uploaded to Packagist on August 31, 2012. Both the libraries have been removed from PyPI and GitHub. At its core, the modifications are designed to exfiltrate AWS credentials t
Researchers Uncover Rust Supply Chain Attack Targeting Cloud CI Pipelines

May 20, 2022 | Ravie Lakshmanan
A case of software supply chain attack has been observed in the Rust programming language's crate registry that leveraged typosquatting techniques to publish a rogue library containing malware. Cybersecurity firm SentinelOne dubbed the attack "CrateDepression." Typosquatting attacks take place when an adversary mimics the name of a popular package on a public registry in hopes that developers will accidentally download the malicious package instead of the legitimate library. In this case, the crate in question is "rustdecimal," a typosquat of the real "rust_decimal" package that's been downloaded over 3.5 million times to date. The package was flagged earlier this month on May 3 by Askar Safin, a Moscow-based developer. According to an advisory published by the Rust maintainers, the crate is said to have been first pushed on March 25, 2022, attracting fewer than 500 downloads before it was permanently removed from the repository.
Malicious NPM Packages Target German Companies in Supply Chain Attack

May 11, 2022 | Ravie Lakshmanan
Cybersecurity researchers have discovered a number of malicious packages in the NPM registry specifically targeting a number of prominent media, logistics, and industrial firms based in Germany to carry out supply chain attacks. "Compared with most malware found in the NPM repository, this payload seems particularly dangerous: a highly-sophisticated, obfuscated piece of malware that acts as a backdoor and allows the attacker to take total control over the infected machine," researchers from JFrog said in a new report. The DevOps company said that evidence points to it being either the work of a sophisticated threat actor or a "very aggressive" penetration test. All the rogue packages, most of which have since been removed from the repository, have been traced to four "maintainers" (bertelsmannnpm, boschnodemodules, stihlnodemodules, and dbschenkernpm), indicating an attempt to impersonate legitimate firms like Bertelsmann, Bosch, Stihl, and DB Sc
NIST Releases Updated Cybersecurity Guidance for Managing Supply Chain Risks

May 05, 2022 | Ravie Lakshmanan
The National Institute of Standards and Technology (NIST) on Thursday released updated cybersecurity guidance for managing risks in the supply chain, as it increasingly emerges as a lucrative attack vector. "It encourages organizations to consider the vulnerabilities not only of a finished product they are considering using, but also of its components — which may have been developed elsewhere — and the journey those components took to reach their destination," NIST said in a statement. The new directive outlines major security controls and practices that entities should adopt to identify, assess, and respond to risks at different stages of the supply chain, including the possibility of malicious functionality, flaws in third-party software, insertion of counterfeit hardware, and poor manufacturing and development practices. The development follows an Executive Order issued by the U.S. President on "Improving the Nation's Cybersecurity (14028)" las
15-Year-Old Bug in PEAR PHP Repository Could've Enabled Supply Chain Attacks

April 01, 2022 | Ravie Lakshmanan
A 15-year-old security vulnerability has been disclosed in the PEAR PHP repository that could permit an attacker to carry out a supply chain attack, including obtaining unauthorized access to publish rogue packages and execute arbitrary code. "An attacker exploiting the first one could take over any developer account and publish malicious releases, while the second bug would allow the attacker to gain persistent access to the central PEAR server," SonarSource vulnerability researcher Thomas Chauchefoin said in a write-up published this week. PEAR, short for PHP Extension and Application Repository, is a framework and distribution system for reusable PHP components. One of the issues, introduced in a code commit made in March 2007 when the feature was originally implemented, relates to the use of the cryptographically insecure mt_rand() PHP function in the password reset functionality that could allow an attacker to "discover a valid password reset token in les
Over 200 Malicious NPM Packages Caught Targeting Azure Developers

March 24, 2022 | Ravie Lakshmanan
A new large-scale supply chain attack has been observed targeting Azure developers with no fewer than 218 malicious NPM packages with the goal of stealing personally identifiable information. "After manually inspecting some of these packages, it became apparent that this was a targeted attack against the entire @azure NPM scope, by an attacker that employed an automatic script to create accounts and upload malicious packages that cover the entirety of that scope," JFrog researchers Andrey Polkovnychenko and Shachar Menashe said in a new report. The entire set of malicious packages was disclosed to the NPM maintainers roughly two days after they were published earlier this week, leading to their quick removal, but not before each of the packages was downloaded around 50 times on average. The attack refers to what's called typosquatting, which takes place when bad actors push rogue packages with names mimicking legitimate libraries to a public software registry such
Chinese Hackers Target Taiwan's Financial Trading Sector with Supply Chain Attack

February 22, 2022 | Ravie Lakshmanan
An advanced persistent threat (APT) group operating with objectives aligned with the Chinese government has been linked to an organized supply chain attack on Taiwan's financial sector. The attacks are said to have first commenced at the end of November 2021, with the intrusions attributed to a threat actor tracked as APT10, also known as Stone Panda, the MenuPass group, and Bronze Riverside, and known to be active since at least 2009. The second wave of attacks hit a peak between February 10 and 13, 2022, according to a new report published by Taiwanese cybersecurity firm CyCraft, which said the wide-ranging supply chain compromise specifically targeted the software systems of financial institutions, resulting in "abnormal cases of placing orders." The infiltration activity, codenamed "Operation Cache Panda," exploited a vulnerability in the web management interface of the unnamed securities software that has a market share of over 80% in Taiwan, usi
New SureMDM Vulnerabilities Could Expose Companies to Supply Chain Attacks

January 31, 2022 | Ravie Lakshmanan
A number of security vulnerabilities have been disclosed in 42Gears' SureMDM device management solution that could be weaponized by attackers to perform a supply chain compromise against affected organizations. Cybersecurity firm Immersive Labs, in a technical write-up detailing the findings, said that 42Gears released a series of updates between November 2021 and January 2022 to close out multiple flaws affecting both the platform's Linux agent and the web console. The India-based company's SureMDM is a cross-platform mobile device management service that allows enterprises to remotely monitor, manage, and secure a fleet of company-owned systems for dedicated-use and employee-owned devices. 42Gears claims that SureMDM is used by over 10,000 companies worldwide. The issues identified in the web dashboard are also critical in nature, potentially allowing an attacker to gain code execution over individual devices, desktops, or servers. Furthermore, they could
Hackers Planted Secret Backdoor in Dozens of WordPress Plugins and Themes

January 21, 2022 | Ravie Lakshmanan
In yet another instance of a software supply chain attack, dozens of WordPress themes and plugins hosted on a developer's website were backdoored with malicious code in the first half of September 2021 with the goal of infecting further sites. The backdoor gave the attackers full administrative control over websites that used 40 themes and 53 plugins belonging to AccessPress Themes, a Nepal-based company that boasts of no fewer than 360,000 active website installations. "The infected extensions contained a dropper for a web shell that gives the attackers full access to the infected sites," security researchers from JetPack, a WordPress plugin suite developer, said in a report published this week. "The same extensions were fine if downloaded or installed directly from the WordPress[.]org directory." The vulnerability has been assigned the identifier CVE-2021-24867. Website security platform Sucuri, in a separate analysis, said some of the infected websit
Hackers Target Real Estate Websites with Skimmer in Latest Supply Chain Attack

January 04, 2022 | Ravie Lakshmanan
Threat actors leveraged a cloud video hosting service to carry out a supply chain attack on more than 100 real estate websites operated by Sotheby's Realty that involved injecting malicious skimmers to steal sensitive personal information. "The attacker injected the skimmer JavaScript codes into video, so whenever others import the video, their websites get embedded with skimmer codes as well," Palo Alto Networks' Unit 42 researchers said in a report published this week. Skimmer attacks, also called formjacking, refer to a type of cyber attack wherein bad actors insert malicious JavaScript code into the target website, most often into checkout or payment pages on shopping and e-commerce portals, to harvest valuable information such as credit card details entered by users. In the latest incarnation of the Magecart attacks, the operators behind the campaign breached the Brightcove account of Sotheby's and deployed malicious code into the player of the
Iranian Hackers Target Several Israeli Organizations With Supply-Chain Attacks

August 18, 2021 | Ravie Lakshmanan
IT and communication companies in Israel were at the center of a supply chain attack campaign spearheaded by an Iranian threat actor that involved impersonating the firms and their HR personnel to target victims with fake job offers in an attempt to penetrate their computers and gain access to the company's clients. The attacks, which occurred in two waves in May and July 2021, have been linked to a hacker group called Siamesekitten (aka Lyceum or Hexane) that has primarily singled out oil, gas, and telecom providers in the Middle East and in Africa at least since 2018, researchers from ClearSky said in a report published Tuesday. Infections undertaken by the adversary commenced with identifying potential victims, who were then enticed with "alluring" job offers in well-known companies like ChipPc and Software AG by posing as human resources department employees from the impersonated firms, only to lead the victims to a phishing website containing weaponized files t
Several Malicious Typosquatted Python Libraries Found On PyPI Repository

July 30, 2021 | Ravie Lakshmanan
As many as eight Python packages that were downloaded more than 30,000 times have been removed from the PyPI portal for containing malicious code, once again highlighting how software package repositories are evolving into a popular target for supply chain attacks. "Lack of moderation and automated security controls in public software repositories allow even inexperienced attackers to use them as a platform to spread malware, whether through typosquatting, dependency confusion, or simple social engineering attacks," JFrog researchers Andrey Polkovnichenko, Omer Kaspi, and Shachar Menashe said Thursday. PyPI, short for Python Package Index, is the official third-party software repository for Python, with package manager utilities like pip relying on it as the default source for packages and their dependencies. The Python packages in question, which were found to be obfuscated using Base64 encoding, are listed below - pytagora (uploaded by leonora123) pytagora2 (upl
Malicious NPM Package Caught Stealing Users' Saved Passwords From Browsers

July 21, 2021 | Ravie Lakshmanan
A software package available from the official NPM repository has been revealed to be a front for a tool that's designed to steal saved passwords from the Chrome web browser. The package in question, named "nodejs_net_server" and downloaded over 1,283 times since February 2019, was last updated seven months ago (version 1.1.2), with its corresponding repository leading to non-existent locations hosted on GitHub. "It isn't malicious by itself, but it can be when put into the malicious use context," ReversingLabs researcher Karlo Zanki said in an analysis shared with The Hacker News. "For instance, this package uses it to perform malicious password stealing and credential exfiltration. Even though this off-the-shelf password recovery tool comes with a graphical user interface, malware authors like to use it as it can also be run from the command line." While the first version of the package was put out just to test the process of p
Kaseya Releases Patches for Flaws Exploited in Widespread Ransomware Attack

July 11, 2021 | Ravie Lakshmanan
Florida-based software vendor Kaseya on Sunday rolled out urgent updates to address critical security vulnerabilities in its Virtual System Administrator (VSA) solution that was used as a jumping off point to target as many as 1,500 businesses across the globe as part of a widespread supply-chain ransomware attack. Following the incident, the company had urged on-premises VSA customers to shut down their servers until a patch was available. Now, almost 10 days later, the firm has shipped VSA version 9.5.7a (9.5.7.2994) with fixes for three new security flaws: CVE-2021-30116 (credentials leak and business logic flaw), CVE-2021-30119 (cross-site scripting vulnerability), and CVE-2021-30120 (two-factor authentication bypass). The security issues are part of a total of seven vulnerabilities that were discovered and reported to Kaseya by the Dutch Institute for Vulnerability Disclosure (DIVD) earlier in April, of which four other weaknesses were remediated in previous releases —
Kaseya Rules Out Supply-Chain Attack; Says VSA 0-Day Hit Its Customers Directly

July 06, 2021 | Ravie Lakshmanan
U.S. technology firm Kaseya, which is firefighting the largest ever supply-chain ransomware strike on its VSA on-premises product, ruled out the possibility that its codebase was unauthorizedly tampered with to distribute malware. While initial reports raised speculation that REvil, the ransomware gang behind the attack, might have gained access to Kaseya's backend infrastructure and abused it to deploy a malicious update to VSA servers running on client premises, in a modus operandi similar to that of the devastating SolarWinds hack, it has since emerged that a never-before-seen security vulnerability (CVE-2021-30116) in the software was leveraged to push ransomware to Kaseya's customers. "The attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution," the Miami-headquartered company noted in the incident analysis. "This allowed the attackers to leverage the standard VSA pro
REvil Used 0-Day in Kaseya Ransomware Attack, Demands $70 Million Ransom

July 04, 2021 | Ravie Lakshmanan
Amidst the massive supply-chain ransomware attack that triggered an infection chain compromising thousands of businesses on Friday, new details have emerged about how the notorious Russia-linked REvil cybercrime gang may have pulled off the unprecedented hack. The Dutch Institute for Vulnerability Disclosure (DIVD) on Sunday revealed it had alerted Kaseya to a number of zero-day vulnerabilities in its VSA software (CVE-2021-30116) that it said were being exploited as a conduit to deploy ransomware. The non-profit entity said the company was in the process of resolving the issues as part of a coordinated vulnerability disclosure when the July 2 attacks took place. More specifics about the flaws were not shared, but DIVD chair Victor Gevers hinted that the zero-days are trivial to exploit. At least 1,000 businesses are said to have been affected by the attacks, with victims identified in no fewer than 17 countries, including the U.K., South Africa, Canada, Argentina, Mexico, Indo