Cyber security week in review: September 2, 2022


Cybersecurity agencies share tips on how to secure the software supply chain

The US National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) have released 64-page guidance containing recommendations for developers on how to prevent software supply chain attacks.

The guidance is designed to help developers achieve security through industry and government-evaluated recommendations and consolidates valuable resources already published for developers to put to use.

Apple releases security updates to address an iOS zero-day in older iPhones, iPads

Apple has rolled out new security updates for older iPhones and iPads addressing a remotely exploitable WebKit zero-day patched last month that allows attackers to execute arbitrary code on unpatched devices.

The bug (CVE-2022-32893) affects the WebKit component and could be abused for arbitrary code execution via a specially crafted website. The vulnerability was addressed with the release of iOS 12.5.6.

REvil ransomware gang claims to have hit Chinese electrical manufacturer Midea Group

It appears that the notorious REvil ransomware gang thought to be defunct has returned to business with new attacks. The gang claims to have breached Midea Group, a major Chinese electrical appliance manufacturer. The REvil operators have posted screenshots of data on their dark web data leak site allegedly stolen from Midea Group. As they claim, the stolen data includes “a lot of source code, git and svn which we will publish soon.” At the time of writing, it’s not clear what ransom amount the hackers have demanded from the company.

Government agencies in Montenegro, Latin America hit with ransomware

The Parliament of Montenegro’s (Skupstina) digital infrastructure has been targeted in a Cuba ransomware attack, with hackers claiming to have stolen financial documents, correspondence with banks, balance sheets, tax documents, compensation records, and source code. The attack, described as “unprecedented”, disrupted government services and prompted the country’s electrical utility to switch to manual control. According to Public Administration Minister Maras Dukaj, the attackers demanded a $10 million ransom.

In related news, a ransomware attack has disrupted the operations and online services of a Chilean government agency. The attack impacted the agency’s Windows and VMware ESXi servers, with the ransomware encrypting files on compromised systems and renaming them with the extension .crypt.

The malware involved in the attack also had functions for stealing credentials from web browsers, listing removable devices for encryption, and evading antivirus detection using execution timeouts.

US Army is recruiting nation-state hackers for offensive and defensive ops

The US military is hiring nation-state hackers both for offensive and defensive operations. According to the information on the US Army’s website, new recruits will gain the skills and training needed to defend the nation from the growing number of cybersecurity threats, as well as receive training in defensive and offensive systems protection to recognize adware, ransomware, and spyware aimed at key government facilities and financial centers.

Iran-based hackers are exploiting Log4j vulnerabilities in attacks against Israeli orgs

An Iran-linked state-backed hacker group known as MuddyWater (Mercury) has been leveraging Log4j (Log4Shell) vulnerabilities in SysAid software in attacks targeting organizations in Israel.

The exploitation of SysAid allows the threat actor to drop and leverage web shells to execute commands, most of them related to reconnaissance, though one downloads further hacking tools. Once they have gained access, the hackers establish persistence, dump credentials, and move laterally within the targeted organization using both custom and well-known hacking tools, as well as built-in operating system tools, for their hands-on-keyboard attacks.

Nitrokod cryptomining campaign potentially infected thousands of machines worldwide

Researchers at Check Point Research discovered a Turkish-based cryptomining campaign, dubbed “Nitrokod”, which potentially has infected thousands of machines across the globe since 2019.

The campaign served the malware disguised as legitimate-looking applications, such as Google Translate via popular free software websites, and through Google searches.

Once the new software is run, an actual Google Translate app is installed. In addition, an updated file is dropped which starts a series of four droppers until the actual malware is downloaded. Upon execution, the malware connects to its command and control server to fetch a configuration for the XMRig crypto miner and starts the mining activity.

Cybercrime groups lost interest in Russia-Ukraine cyberwar, a study says

Since the beginning of Russia’s invasion of Ukraine there have been growing fears that a surge of cybercrime underground and volunteer hackers from around the globe, battling on the digital frontline with Moscow, could provoke more serious attacks by nation-state hackers and set a dangerous precedent for cyber norms.

However, new research that analyzed hundreds of thousands of web defacement attacks, DDoS attacks, and announcements in Telegram channels, together with interviews with the hacktivists participating in the attacks, indicates that there is no evidence that “the cybercrime underground is making any real ‘hard’ contribution to a conflict,” and that “these are trivial acts of solidarity, teenage competition, and expressive delinquency, not a contribution to the armed conflict in any real sense.”

Italian firm caught spying on people all over the world

Tykelab, a subsidiary of Italy-based company RCS Lab, has reportedly been spying on behalf of its clients, including in countries with a record of human rights abuse, on citizens of countries across the globe.

The company reportedly has been using a tracking system that involves the exploitation of vulnerabilities in global phone networks which make it possible for third parties to see phone users’ locations, and potentially intercept their calls, without any record of compromise being left on their devices.

It was also revealed that spyware used and marketed by Tykelab includes Ubiqo, a tool which can “track the movements of almost anybody who carries a mobile phone, whether they are blocks away or on another continent”, as well as offering more sophisticated behavior analysis.

Google launches bug bounty program for open source projects

Search engine giant Google has announced a new open source bug bounty program to reward researchers who will discover and report vulnerabilities in its open-source projects like Bazel, Angular, Golang, Protocol Buffers, and Fuchsia. The aim of the program is to combat a rising threat of supply chain attacks.

The new bug bounty program covers bugs that lead to supply chain compromise, design issues that cause product vulnerabilities, and other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations. The payouts will range from $100 to $31,337 depending on the severity of the security issue and the project’s importance.

Hundreds of mobile apps leak hard-coded AWS credentials

A new study from Symantec highlights how software supply chain issues can make mobile applications vulnerable. The researchers examined over 1,800 Android and iOS apps that contained hard-coded Amazon Web Services (AWS) credentials and found that 77% of them contained valid AWS access tokens allowing access to private AWS cloud services, 47% contained valid AWS tokens that also gave full access to numerous private files via the Amazon Simple Storage Service (Amazon S3), and 53% of the apps (often from different app developers and companies) were using the same AWS access tokens found in other apps.

Earlier this week, researchers at Cybernews released a similar report, according to which thousands of Android apps are leaking hard-coded credentials that could have huge repercussions for both app developers and their customers.

It was found that more than half of the 30,000 apps analyzed had hard-coded secrets, including various API keys and even links to open databases exposing sensitive corporate and user data. In total, researchers identified over 124,000 strings potentially leaking sensitive data. Most of the hard-coded secrets were found in apps within five categories: health and fitness, education, tools, lifestyle, and business.
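A defensive check for the kind of finding described above, added here as an example (it is not code from the Symantec or Cybernews research): it scans strings extracted from app binaries for AWS access key IDs and secret-key candidates, and reports keys that recur across more than one app, the cross-app reuse Symantec measured at 53%. The app names and sample strings are constructed; the key values are the example credentials published in AWS's own documentation.

```python
import re
from collections import defaultdict

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-lived
# IAM user keys, ASIA for temporary STS keys) followed by 16 upper-case
# alphanumerics. Secret access keys are 40 base64-like characters with no fixed
# prefix, so they are only flagged when they sit next to a telling variable name.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_\-]?secret[_\-]?(?:access[_\-]?)?key\W{0,5}([A-Za-z0-9/+=]{40})\b"
)


def find_aws_credentials(strings):
    """Return (access_key_ids, secret_key_candidates) found in one app's strings."""
    ids, secrets = set(), set()
    for s in strings:
        ids.update(ACCESS_KEY_RE.findall(s))
        secrets.update(SECRET_KEY_RE.findall(s))
    return ids, secrets


def scan_apps(apps):
    """apps: {app_name: [extracted strings]}.
    Returns per-app findings plus the access key IDs shared by more than one app."""
    per_app = {}
    owners = defaultdict(set)
    for name, strings in apps.items():
        ids, secrets = find_aws_credentials(strings)
        per_app[name] = {"access_key_ids": ids, "secret_candidates": secrets}
        for key_id in ids:
            owners[key_id].add(name)
    shared = {k: sorted(a) for k, a in owners.items() if len(a) > 1}
    return per_app, shared


# Constructed sample input standing in for strings pulled out of three app
# binaries (e.g. with `strings` or an APK decompiler); values are AWS doc examples.
SAMPLE_APPS = {
    "fitness-tracker": [
        "aws_access_key_id=AKIAIOSFODNN7EXAMPLE",
        "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "https://bucket-name.s3.amazonaws.com/uploads/",
    ],
    "study-notes": [
        'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"',  # same key as fitness-tracker
        "Using cached config",
    ],
    "flashlight": ["No cloud access here", "version 2.3.1"],
}
```

Any hit should be treated as a credential to rotate and scope down, since the string is recoverable by anyone who downloads the app.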
