supply chain attack | Breaking Cybersecurity News | The Hacker News

Two malicious packages discovered on the npm package registry have been found to leverage GitHub to store Base64-encrypted SSH keys stolen from developer systems on which they were installed. The modules named  warbeast2000  and  kodiak2k  were published at the start of the month, attracting  412  and  1,281 downloads  before they were taken down by the npm maintainers. The most recent downloads occurred on January 21, 2024. Software supply chain security firm ReversingLabs, which made the discovery, said there were eight different versions of warbeast2000 and more than 30 versions of kodiak2k. Both the modules are designed to run a postinstall script after installation, each capable of retrieving and executing a different JavaScript file. While warbeast2000 attempts to access the private SSH key, kodiak2k is designed to look for a key named "meow," raising the possibility that the threat actor likely used a placeholder name during the early stages of the development.

Several public and popular libraries abandoned but still used in Java and Android applications have been found susceptible to a new software supply chain attack method called MavenGate. "Access to projects can be hijacked through domain name purchases and since most default build configurations are vulnerable, it would be difficult or even impossible to know whether an attack was being performed," Oversecured  said  in an analysis published last week. Successful exploitation of these shortcomings could allow nefarious actors to hijack artifacts in dependencies and inject malicious code into the application, and worse, even compromise the build process through a malicious plugin. The mobile security firm added that all Maven-based technologies, including Gradle, are vulnerable to the attack, and that it sent reports to more than 200 companies, including Google, Facebook, Signal, Amazon, and others. Apache Maven is  chiefly used  for building and managing Java-based projec

Over the past two years, a shocking  51% of organizations surveyed in a leading industry report have been compromised by a cyberattack.  Yes, over half.  And this, in a world where enterprises deploy  an average of 53 different security solutions  to safeguard their digital domain.  Alarming? Absolutely. A recent survey of CISOs and CIOs, commissioned by Pentera and conducted by Global Surveyz Research, offers a quantifiable glimpse into this evolving battlefield, revealing a stark contrast between the growing risks and the tightening budget constraints under which cybersecurity professionals operate. With this report, Pentera has once again taken a magnifying glass to the state of pentesting to release its annual report about today's pentesting practices. Engaging with 450 security executives from North America, LATAM, APAC, and EMEA—all in VP or C-level positions at organizations with over 1,000 employees—the report paints a current picture of modern security validation prac

Telecommunication, media, internet service providers (ISPs), information technology (IT)-service providers, and Kurdish websites in the Netherlands have been targeted as part of a new cyber espionage campaign undertaken by a Türkiye-nexus threat actor known as  Sea Turtle . "The infrastructure of the targets was susceptible to supply chain and island-hopping attacks, which the attack group used to collect politically motivated information such as personal information on minority groups and potential political dissents," Dutch security firm Hunt & Hackett  said  in a Friday analysis. "The stolen information is likely to be exploited for surveillance or intelligence gathering on specific groups and or individuals." Sea Turtle, also known by the names Cosmic Wolf, Marbled Dust (formerly Silicon), Teal Kurma, and UNC1326, was  first documented  by Cisco Talos in April 2019, detailing  state-sponsored attacks  targeting public and private entities in the Middle E

Threat actors are increasingly making use of GitHub for malicious purposes through novel methods, including abusing secret Gists and issuing malicious commands via git commit messages. "Malware authors occasionally place their samples in services like Dropbox, Google Drive, OneDrive, and Discord to host second stage malware and sidestep detection tools," ReversingLabs researcher Karlo Zanki  said  in a report shared with The Hacker News. "But lately, we have observed the increasing use of the GitHub open-source development platform for hosting malware." Legitimate public services are  known  to be  used  by  threat actors  for hosting malware and acting as  dead drop resolvers  to fetch the actual command-and-control (C2) address. While using public sources for C2 does not make them immune to takedowns, they do offer the benefit of allowing threat actors to easily create attack infrastructure that's both inexpensive and reliable. This technique is sneaky

Crypto hardware wallet maker Ledger published a new version of its " @ledgerhq/connect-kit " npm module after unidentified threat actors pushed malicious code that led to the theft of  more than $600,000  in virtual assets. The  compromise  was the result of a former employee falling victim to a phishing attack, the company said in a statement. This allowed the attackers to gain access to Ledger's npm account and upload three malicious versions of the module – 1.1.5, 1.1.6, and 1.1.7 — and propagate  crypto drainer malware  to  other applications  that are dependent on the module, resulting in a software supply chain breach. "The malicious code used a rogue WalletConnect project to reroute funds to a hacker wallet," Ledger  said . Connect Kit , as the name implies, makes it possible to connect DApps (short decentralized applications) to Ledger's hardware wallets. According to security firm Sonatype, version 1.1.7 directly embedded a wallet-draining pa

Cybersecurity researchers have identified a set of 116 malicious packages on the Python Package Index (PyPI) repository that are designed to infect Windows and Linux systems with a custom backdoor. "In some cases, the final payload is a variant of the infamous  W4SP Stealer , or a simple clipboard monitor to steal cryptocurrency, or both," ESET researchers Marc-Etienne M.Léveillé and Rene Holt  said  in a report published earlier this week. The  packages  are estimated to have been downloaded over 10,000 times since May 2023. The threat actors behind the activity have been observed using three techniques to bundle malicious code into Python packages, namely via a test.py script, embedding PowerShell in setup.py file, and incorporating it in obfuscated form in the  __init__.py file . Irrespective of the method used, the end goal of the campaign is to compromise the targeted host with malware, primarily a backdoor capable of remote command execution, data exfiltration, an

Threat actors affiliated with the Russian Foreign Intelligence Service (SVR) have targeted unpatched JetBrains TeamCity servers in widespread attacks since September 2023. The activity has been tied to a nation-state group known as  APT29 , which is also tracked as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes. It's notable for the supply chain attack  targeting SolarWinds  and its customers in 2020. "The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments," cybersecurity agencies from Poland, the U.K., and the U.S.  said . The vulnerability in question is  CVE-2023-42793  (CVSS score: 9.8), a critical security flaw that could be weaponized by unauthenticated attackers to achieve remote code execution on affec

A North Korean state-sponsored threat actor tracked as  Diamond Sleet  is distributing a trojanized version of a legitimate application developed by a Taiwanese multimedia software developer called CyberLink to target downstream customers via a supply chain attack. "This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload," the Microsoft Threat Intelligence team  said  in an analysis on Wednesday. The poisoned file, the tech giant said, is hosted on the update infrastructure owned by the company while also including checks to limit the time window for execution and bypass detection by security products. The campaign is estimated to have impacted over 100 devices across Japan, Taiwan, Canada, and the U.S. Suspicious activity associated with the modified CyberLink installer file was observed as early as October 20, 2023. The links to North Korea stem from

The North Korea-aligned  Lazarus Group  has been attributed as behind a new campaign in which an unnamed software vendor was compromised through the exploitation of known security flaws in another high-profile software. The attack sequences, according to Kaspersky, culminated in the deployment of malware families such as SIGNBT and  LPEClient , a known hacking tool used by the threat actor for victim profiling and payload delivery. "The adversary demonstrated a high level of sophistication, employing advanced evasion techniques and introducing SIGNBT malware for victim control," security researcher Seongsu Park  said . "The SIGNBT malware used in this attack employed a diverse infection chain and sophisticated techniques." The Russian cybersecurity vendor said the company that developed the exploited software had been a victim of a Lazarus attack several times, indicating an attempt to steal source code or poison the software supply chain, as in the case of the 

The maintainers of Free Download Manager (FDM) have acknowledged a security incident dating back to 2020 that led to its website being used to distribute malicious Linux software. "It appears that a specific web page on our site was compromised by a Ukrainian hacker group, exploiting it to distribute malicious software," it  said  in an alert last week. "Only a small subset of users, specifically those who attempted to download FDM for Linux between 2020 and 2022, were potentially exposed." Less than 0.1% of its visitors are estimated to have encountered the issue, adding it may have been why the problem went undetected until now. The disclosure comes as Kaspersky  revealed  that the project's website was infiltrated at some point in 2020 to redirect select Linux users who attempted to download the software to a malicious site hosting a Debian package. The package was further configured to deploy a DNS-based backdoor and ultimately serve a Bash stealer mal

In yet another sign that developers continue to be targets of software supply chain attacks, a number of malicious packages have been discovered on the Rust programming language's crate registry. The libraries, uploaded between August 14 and 16, 2023, were published by a user named "amaperf," Phylum  said  in a report published last week. The names of the packages, now taken down, are as follows: postgress, if-cfg, xrvrv, serd, oncecell, lazystatic, and envlogger. It's not clear what the end goal of the campaign was, but the suspicious modules were found to harbor functionalities to capture the operating system information (i.e., Windows, Linux, macOS, or Unknown) and transmit the data to a hard-coded Telegram channel via the messaging platform's API. This suggests that the campaign may have been in its early stages and that the threat actor may have been casting a wide net to compromise as many developer machines as possible to deliver rogue updates with imp

A previously undocumented threat cluster has been linked to a software supply chain attack targeting organizations primarily located in Hong Kong and other regions in Asia. The Symantec Threat Hunter Team, part of Broadcom, is tracking the activity under its insect-themed moniker Carderbee. The attacks, per the cybersecurity firm, leverage a trojanized version of a legitimate software called EsafeNet Cobra DocGuard Client to deliver a known backdoor known as  PlugX  (aka Korplug) on victim networks. "In the course of this attack, the attackers used malware signed with a legitimate Microsoft certificate," the company  said  in a report shared with The Hacker News. The use of Cobra DocGuard Client to pull off a supply chain attack was previously highlighted by ESET in its quarterly APT Activity Report this year, detailing a September 2022 intrusion in which an unnamed gambling company in Hong Kong was compromised via a malicious update pushed by the software. The compan

Active flaws in the PowerShell Gallery could be weaponized by threat actors to pull off supply chain attacks against the registry's users. "These flaws make typosquatting attacks inevitable in this registry, while also making it extremely difficult for users to identify the true owner of a package," Aqua security researchers Mor Weinberger, Yakir Kadkoda, and Ilay Goldman said in a report shared with The Hacker News. Maintained by Microsoft,  PowerShell Gallery  is a  central repository  for sharing and acquiring PowerShell code, including PowerShell modules, scripts, and Desired State Configuration (DSC) resources. The registry boasts of 11,829 unique packages and 244,615 packages in total. The issues identified by the cloud security firm have to do with the service's lax policy surrounding package names, lacking protections against typosquatting attacks, as a result enabling attackers to upload malicious PowerShell modules that appear genuine to unsuspecting us

An analysis of the indicators of compromise ( IoCs ) associated with the JumpCloud hack has uncovered evidence pointing to the involvement of North Korean state-sponsored groups, in a style that's reminiscent of the  supply chain attack targeting 3CX . The findings come from SentinelOne, which  mapped out  the infrastructure pertaining to the intrusion to uncover underlying patterns. It's worth noting that JumpCloud, last week,  attributed  the attack to an unnamed "sophisticated nation-state sponsored threat actor." "The North Korean threat actors demonstrate a high level of creativity and strategic awareness in their targeting strategies," SentinelOne security researcher Tom Hegel told The Hacker News. "The research findings reveal a successful and multifaceted approach employed by these actors to infiltrate developer environments." "They actively seek access to tools and networks that can serve as gateways to more extensive opportunitie

In what's a new kind of software supply chain attack aimed at open source projects, it has emerged that threat actors could seize control of expired Amazon S3 buckets to serve rogue binaries without altering the modules themselves. "Malicious binaries steal the user IDs, passwords, local machine environment variables, and local host name, and then exfiltrates the stolen data to the hijacked bucket," Checkmarx researcher Guy Nachshon said. The attack was first observed in the case of an npm package called  bignum , which, until version 0.13.0, relied on an Amazon S3 bucket to download pre-built binary versions of an addon named node-pre-gyp during installation. "These binaries were published on a now-expired S3 bucket which has since been claimed by a malicious third party which is now serving binaries containing malware that exfiltrates data from the user's computer," according to a  GitHub advisory  published on May 24, 2023. An unknown threat actor

The maintainers of Python Package Index (PyPI), the official third-party software repository for the Python programming language, have temporarily disabled the ability for users to sign up and upload new packages until further notice. "The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion, especially with multiple PyPI administrators on leave," the admins  said  in a notice published on May 20, 2023. No additional details about the nature of the malware and the threat actors involved in publishing those rogue packages to PyPI were disclosed. The decision to freeze new user and project registrations comes as software registries such as PyPI have proven time and time again to be a popular target for attackers looking to poison the software supply chain and compromise developer environments. Earlier this week, Israeli cybersecurity startup Phylum  uncovered  an active m

Two malicious packages discovered in the npm package repository have been found to conceal an open source information stealer malware called  TurkoRat . The packages – named nodejs-encrypt-agent and nodejs-cookie-proxy-agent – were collectively downloaded approximately 1,200 times and were available for more than two months before they were identified and taken down. ReversingLabs, which broke down the details of the campaign, described TurkoRat as an information stealer capable of harvesting sensitive information such as login credentials, website cookies, and data from cryptocurrency wallets.  While nodejs-encrypt-agent came fitted with the malware inside, nodejs-cookie-proxy-agent was found to disguise the trojan as a dependency under the name axios-proxy. nodejs-encrypt-agent was also engineered to masquerade as another legitimate npm module known as  agent-base , which has been downloaded over 25 million times to date. The list of the rogue packages and their associated vers

A cybercrime enterprise known as  Lemon Group  is leveraging millions of pre-infected Android smartphones worldwide to carry out their malicious operations, posing significant supply chain risks. "The infection turns these devices into mobile proxies, tools for stealing and selling SMS messages, social media and online messaging accounts and monetization via advertisements and click fraud," cybersecurity firm Trend Micro  said . The activity encompasses no fewer than 8.9 million compromised Android devices, particularly budget phones, with the highest concentration of the infections discovered in the U.S., Mexico, Indonesia, Thailand, Russia, South Africa, India, Angola, the Philippines, and Argentina. The findings were  presented  by researchers Fyodor Yarochkin, Zhengyu Dong, Vladimir Kropotov, and Paul Pajares at the Black Hat Asia conference held in Singapore last week. Describing it as a  continuously evolving problem , the cybersecurity firm said the threat actors