The PuTTY Secure Shell (SSH) and Telnet client are impacted by a critical vulnerability that could be exploited to recover private keys.

PuTTY tools from 0.68 to 0.80 inclusive are affected by a critical vulnerability, tracked as CVE-2024-31497, that resides in the code that generates signatures from ECDSA private keys which use the NIST P521 curve.

An attacker can exploit the vulnerability to recover NIST P-521 private keys.

“The effect of the vulnerability is to compromise the private key. An attacker in possession of a few dozen signed messages and the public key has enough information to recover the private key, and then forge signatures as if they were from you, allowing them to (for instance) log in to any servers you use that key for.” reads the advisory. “To obtain these signatures, an attacker need only briefly compromise any server you use the key to authenticate to, or momentarily gain access to a copy of Pageant holding the key. (However, these signatures are not exposed to passive eavesdroppers of SSH connections.)”

The vulnerability was discovered by researchers Fabian Bäumer and Marcus Brinkmann from the Ruhr University Bochum. Bäumer explained that the vulnerability stems from the generation of biased ECDSA cryptographic nonces, which could allow full secret key recovery.

“The PuTTY client and all related components generate heavily biased ECDSA nonces in the case of NIST P-521. To be more precise, the first 9 bits of each ECDSA nonce are zero. This allows for full secret key recovery in roughly 60 signatures by using state-of-the-art techniques. These signatures can either be harvested by a malicious server (man-in-the-middle attacks are not possible given that clients do not transmit their signature in the clear) or from any other source, e.g. signed git commits through forwarded agents.” Baumer explained. “The nonce generation for other curves is slightly biased as well. However, the bias is negligible and far from enough to perform lattice-based key recovery attacks (not considering cryptanalytical advancements).”

The following products include an affected PuTTY version and are therefore are also impacted by the flaw:

• FileZilla (3.24.1 – 3.66.5)
• WinSCP (5.9.5 – 6.3.2)
• TortoiseGit (2.4.0.2 – 2.15.0)
• TortoiseSVN (1.10.0 – 1.14.6)

The flaw has been fixed in PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3, and TortoiseGit 2.15.0.1. TortoiseSVN users are recommended to configure TortoiseSVN to use Plink from the latest PuTTY 0.81 release when accessing a SVN repository via SSH until a patch becomes available.

Any product or component using ECDSA NIST-P521 keys impacted by the flaw CVE-2024-31497 should be deemed compromised. These keys should be revoked by removing them from authorized_keys, GitHub repositories, and any other relevant platforms.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, PuTTY Secure Shell (SSH))

Security researchers have uncovered a "credible" takeover attempt targeting the OpenJS Foundation in a manner that evokes similarities to the recently uncovered incident aimed at the open-source XZ Utils project. "The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails," OpenJS

Researchers warn of a renewed cyber espionage campaign targeting users in South Asia with the Apple iOS spyware LightSpy

Blackberry researchers discovered a renewed cyber espionage campaign targeting South Asia with an Apple iOS spyware called LightSpy.

The sophisticated mobile spyware has resurfaced after several months of inactivity, the new version of LightSpy, dubbed “F_Warehouse”, supports a modular framework with extensive spying capabilities.

LightSpy can steal files from multiple popular applications like Telegram, QQ, and WeChat, as well as personal documents and media stored on the device. It can also record audio and harvest a wide array of data, including browser history, WiFi connection lists, installed application details, and even images captured by the device’s camera. The malware also grants attackers access to the device’s system, enabling them to retrieve user KeyChain data, device lists, and execute shell commands, potentially gaining full control over the device.

The evidence gathered by the experts, including code comments and error messages, suggests that the creators of LightSpy are native Chinese speakers, prompting concerns regarding potential state-sponsored activity.

LightSpy implements certificate pinning to prevent detection of C2 communication, if the victim is on a network where traffic is being inspected, no connection to the C2 server will be established.

Based on previous campaigns, the attack chain likely commences by visiting compromised news websites carrying stories related to Hong Kong. A first-stage implant is delivered to the visitors, it gathers device information and downloads further stages, including the core LightSpy implant and various plugins for specific spying functions.

“The Loader initiates the process by loading both the encrypted and subsequently decrypted LightSpy kernel. The core of LightSpy functions as a complex espionage framework, designed to accommodate extensions via a plugin system.” reads the report published by BlackBerry. “The Loader is responsible for loading these plugins, each of which extends the functionality of the main LightSpy implant. Each plugin undergoes a process of secure retrieval from the threat actor’s server in an encrypted format, followed by decryption, before being executed within the system environment.”

In March 2020, security experts at Trend Micro observed a campaign aimed at infecting the iPhones of users in Hong Kong with an iOS version of the LightSpy backdoor.

Attackers used malicious links spread through posts on forums popular in Hong Kong, which led users to real news sites that were compromised by injecting a hidden iframe that would load and run malware.

There is evidence to suggest that the campaign may have targeted India based on VirusTotal submissions from within its borders.

First documented in 2020 by Trend Micro and Kaspersky, LightSpy refers to an advanced iOS backdoor that’s distributed via watering hole attacks through compromised news sites.

The latest LightSpy version uses the F_Warehouse framework that supports the following capabilities:

• Exfiltrate files: Systematically search and steal files from the compromised mobile device.
• Record audio: Covertly capture audio through the device’s microphone.
• Perform network reconnaissance: Collect information about WiFi networks the device has connected to.
• Track user activity: Harvest browsing history data to monitor online behavior.
• Application inventory: Gather details about installed applications on the device.
• Capture images: Secretly take pictures using the device’s camera.
• Access credentials: Retrieve sensitive data stored within the user’s KeyChain.
• Device enumeration: Identify and list devices connected to the compromised system.

The researchers noticed that the malware communicates with a server located at hxxps://103.27[.]109[.]217:52202, which also hosts an administrator panel accessible on port 3458.

The panel shows a message in Chinese language saying that the username or password is incorrect when the users enter the wrong credentials.

This report also includes a list of IoCs for this threat.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, European railways)

The threat actor tracked as TA558 has been observed leveraging steganography as an obfuscation technique to deliver a wide range of malware such as Agent Tesla, FormBook, Remcos RAT, LokiBot, GuLoader, Snake Keylogger, and XWorm, among others. "The group made extensive use of steganography by sending VBSs, PowerShell code, as well as RTF documents with an embedded exploit, inside

New cybersecurity research has found that command-line interface (CLI) tools from Amazon Web Services (AWS) and Google Cloud can expose sensitive credentials in build logs, posing significant risks to organizations. The vulnerability has been codenamed LeakyCLI by cloud security firm Orca. "Some commands on Azure CLI, AWS CLI, and Google Cloud CLI can expose sensitive information in

Amidst rising tensions with China in the SCS, Resecurity observed a spike in malicious cyber activity targeting the Philippines in Q1 2024.

Amidst rising tensions with China in the South China Sea, Resecurity has observed a significant spike in malicious cyber activity targeting the Philippines in Q1 2024, increasing nearly 325% compared to the same period last year. The number of cyberattacks involving hacktivist groups and foreign misinformation campaigns has nearly tripled. In Q2 2024, this growth trajectory continues, with Resecurity observing multiple cyberattacks staged by previously unknown threat actors. These attacks are characterized by the intersection of ideological “hacktivist” motivations and nation-state-sponsored propaganda.

One prolific example of this dynamic is the China-linked Mustang Panda group, which Resecurity observed using cyberspace to stage sophisticated information warfare campaigns. There is a thin line between cybercriminal activity (supported by the state) and nation-state actors engaging in malicious cyber activity. Leveraging hacktivist-related monikers allows threat actors to avoid attribution while creating the perception of homegrown social conflict online. This tactic is often combined with false-flag attacks originating under publicly known threat-actor profiles to keep a distance from the real intellectual authors of these malign campaigns.

According to experts, the underground scene of actors is represented by the following threat groups accelerating their activity – Philippine Exodus Security (PHEDS), Cyber Operation Alliance (COA), Robin Cyber Hood (RCH), and DeathNote Hackers (Philippines), as well as independent actors and mercenaries recruited to conduct targeted attacks. Notably, some of these groups were also spotted collaborating with Arab Anonymous and Sylnet Gang-SG.

Resecurity interprets this activity as pre-staging for broader malicious, foreign cyber-threat actor activity in the region, including cyber espionage and targeted attacks against government agencies and critical infrastructure. Multiple government resources such as the Department of Interior and Local Government, Bureau of Plant Industry, Philippine National Police, and Bureau of Customs have been targeted.

The full report is available here.

https://www.resecurity.com/blog/article/misinformation-and-hacktivist-campaigns-target-the-philippines-amidst-rising-tensions-with-china

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – misinformation, The Philippines)

For nearly a dozen years, residents of South Carolina have been kept in the dark by state and federal investigators over who was responsible for hacking into the state’s revenue department in 2012 and stealing tax and bank account information for 3.6 million people. The answer may no longer be a mystery: KrebsOnSecurity found compelling clues suggesting the intrusion was carried out by the same Russian hacking crew that stole of millions of payment card records from big box retailers like Home Depot and Target in the years that followed.

Questions about who stole tax and financial data on roughly three quarters of all South Carolina residents came to the fore last week at the confirmation hearing of Mark Keel, who was appointed in 2011 by Gov. Nikki Haley to head the state’s law enforcement division. If approved, this would be Keel’s third six-year term in that role.

The Associated Press reports that Keel was careful not to release many details about the breach at his hearing, telling lawmakers he knows who did it but that he wasn’t ready to name anyone.

“I think the fact that we didn’t come up with a whole lot of people’s information that got breached is a testament to the work that people have done on this case,” Keel asserted.

A ten-year retrospective published in 2022 by The Post and Courier in Columbia, S.C. said investigators determined the breach began on Aug. 13, 2012, after a state IT contractor clicked a malicious link in an email. State officials said they found out about the hack from federal law enforcement on October 10, 2012.

KrebsOnSecurity examined posts across dozens of cybercrime forums around that time, and found only one instance of someone selling large volumes of tax data in the year surrounding the breach date.

On Oct. 7, 2012 — three days before South Carolina officials say they first learned of the intrusion — a notorious cybercriminal who goes by the handle “Rescator” advertised the sale of “a database of the tax department of one of the states.”

“Bank account information, SSN and all other information,” Rescator’s sales thread on the Russian-language crime forum Embargo read. “If you purchase the entire database, I will give you access to it.”

A week later, Rescator posted a similar offer on the exclusive Russian forum Mazafaka, saying he was selling information from a U.S. state tax database, without naming the state. Rescator said the data exposed included Social Security Number (SSN), employer, name, address, phone, taxable income, tax refund amount, and bank account number.

“There is a lot of information, I am ready to sell the entire database, with access to the database, and in parts,” Rescator told Mazafaka members. “There is also information on corporate taxpayers.”

On Oct. 26, 2012, the state announced the breach publicly. State officials said they were working with investigators from the U.S. Secret Service and digital forensics experts from Mandiant, which produced an incident report (PDF) that was later published by South Carolina Dept. of Revenue. KrebsOnSecurity sought comment from the Secret Service, South Carolina prosecutors, and Mr. Keel’s office. This story will be updated if any of them respond.

On Nov. 18, 2012, Rescator told fellow denizens of the forum Verified he was selling a database of 65,000 records with bank account information from several smaller, regional financial institutions. Rescator’s sales thread on Verified listed more than a dozen database fields, including account number, name, address, phone, tax ID, date of birth, employer and occupation.

Asked to provide more context about the database for sale, Rescator told forum members the database included financial records related to tax filings of a U.S. state. Rescator added that there was a second database of around 80,000 corporations that included social security numbers, names and addresses, but no financial information.

The AP says South Carolina paid $12 million to Experian for identity theft protection and credit monitoring for its residents after the breach.

“At the time, it was one of the largest breaches in U.S. history but has since been surpassed greatly by hacks to Equifax, Yahoo, Home Depot, Target and PlayStation,” the AP’s Jeffrey Collins wrote.

As it happens, Rescator’s criminal hacking crew was directly responsible for the 2013 breach at Target and the 2014 hack of Home Depot. The Target intrusion saw Rescator’s cybercrime shops selling roughly 40 million stolen payment cards, and 56 million cards from Home Depot customers.

Who is Rescator? On Dec. 14, 2023, KrebsOnSecurity published the results of a 10-year investigation into the identity of Rescator, a.k.a. Mikhail Borisovich Shefel, a 36-year-old who lives in Moscow and who recently changed his last name to Lenin.

Mr. Keel’s assertion that somehow the efforts of South Carolina officials following the breach may have lessened its impact on citizens seems unlikely. The stolen tax and financial data appears to have been sold openly on cybercrime forums by one of the Russian underground’s most aggressive and successful hacking crews.

While there are no indications from reviewing forum posts that Rescator ever sold the data, his sales threads came at a time when the incidence of tax refund fraud was skyrocketing.

Tax-related identity theft occurs when someone uses a stolen identity and SSN to file a tax return in that person’s name claiming a fraudulent refund. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually owed a refund from the U.S. Internal Revenue Service (IRS).

According to a 2013 report from the Treasury Inspector General’s office, the IRS issued nearly $4 billion in bogus tax refunds in 2012, and more than $5.8 billion in 2013. The money largely was sent to people who stole SSNs and other information on U.S. citizens, and then filed fraudulent tax returns on those individuals claiming a large refund but at a different address.

It remains unclear why Shefel has never been officially implicated in the breaches at Target, Home Depot, or in South Carolina. It may be that Shefel has been indicted, and that those indictments remain sealed for some reason. Perhaps prosecutors were hoping Shefel would decide to leave Russia, at which point it would be easier to apprehend him if he believed no one was looking for him.

But all signs are that Shefel is deeply rooted in Russia, and has no plans to leave. In January 2024, authorities in Australia, the United States and the U.K. levied financial sanctions against 33-year-old Russian man Aleksandr Ermakov for allegedly stealing data on 10 million customers of the Australian health insurance giant Medibank.

A week after those sanctions were put in place, KrebsOnSecurity published a deep dive on Ermakov, which found that he co-ran a Moscow-based IT security consulting business along with Mikhail Shefel called Shtazi-IT.

The maintainers of the PuTTY Secure Shell (SSH) and Telnet client are alerting users of a critical vulnerability impacting versions from 0.68 through 0.80 that could be exploited to achieve full recovery of NIST P-521 (ecdsa-sha2-nistp521) private keys. The flaw has been assigned the CVE identifier CVE-2024-31497, with the discovery credited to researchers Fabian Bäumer and Marcus

In today's rapidly evolving digital landscape, organizations face an increasingly complex array of cybersecurity threats. The proliferation of cloud services and remote work arrangements has heightened the vulnerability of digital identities to exploitation, making it imperative for businesses to fortify their identity security measures. Our recent research report, The Identity Underground

Czech transport minister warned that Russia conducted ‘thousands’ of attempts to sabotage railways, attempting to interfere with train networks and signals.

Early this month, the Czech transport minister Martin Kupka warned that Russia has conducted ‘thousands’ of attempts to sabotage European railways.

The Czech Republic’s transport minister told the Financial Times that the attacks aim at destabilizing the EU and sabotaging critical infrastructure.

Kupka confirmed that Russia-linked threat actors conducted “thousands of attempts to weaken our systems” since the beginning of the Russian invasion of Ukraine.

The state-sponsored hackers also targeted signaling systems and networks of the Czech national railway operator České dráhy, Kupka said.

The Czech cyber defense was able to detect and neutralize these attacks; however, the minister highlighted that sabotaging railways could cause serious accidents.

“It’s definitely a difficult point . . .[but] I’m really very satisfied because we are able to defend all systems [from] a successful attack,” Kupka told FT.

The Czech cyber security agency, NUKIB, warns of a surge in cyber attacks, particularly targeting the energy and transportation sectors. The attacks escalated since the approval of a 2022 law allowing measures against foreign entities suspected of human rights violations or cyber crimes.

The attacks were also reported by the European cybersecurity agency ENISA, according to the “ENISA THREAT LANDSCAPE: TRANSPORT SECTOR” published in March 2023

“The railway sector also experiences ransomware and data-related threats primarily targeting IT systems like passenger services, ticketing systems, and mobile applications, causing service disruptions. Hacktivist groups have been conducting DDoS attacks against railway companies with an increasing rate, primarily due to Russia’s invasion of Ukraine.” states the report.

The Czech government is planning to build high-speed railways connecting Berlin, Prague and Vienna, it also announced that it prefers European operators to bid on the tenders.

In August 2023, Poland’s Internal Security Agency (ABW) and national police launched an investigation into a hacking attack on the state’s railway network. According to the Polish Press Agency, the attack disrupted the traffic.

Stanisław Zaryn, deputy coordinator of special services, told the news agency that Polish authorities were investigating an unauthorized usage of the system used to control rail traffic.

“For the moment, we are ruling nothing out,” Stanislaw Zaryn told PAP. “We know that for some months there have been attempts to destabilise the Polish state,” he added. “Such attempts have been undertaken by the Russian Federation in conjunction with Belarus.”

Since the beginning of the Russian invasion of Ukraine, Poland’s railway system represented a crucial transit infrastructure for Western countries’ support of Ukraine.

Zaryn explained that the attacks are part of a broader activity conducted by Russia to destabilize Poland.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, European railways)

The U.S. Federal Trade Commission (FTC) has ordered the mental telehealth company Cerebral from using or disclosing personal data for advertising purposes. It has also been fined more than $7 million over charges that it revealed users' sensitive personal health information and other data to third-parties for advertising purposes and failed to honor its easy cancellation policies. "Cerebral and

Two individuals have been arrested in Australia and the U.S. in connection with an alleged scheme to develop and distribute a remote access trojan called Hive RAT (previously Firebird). The U.S. Justice Department (DoJ) said the malware "gave the malware purchasers control over victim computers and enabled them to access victims' private communications, their login credentials, and

The Dark Angels (Dunghill) ransomware group claims the hack of the chipmaker Nexperia and the theft of 1 TB of data from the company.

The Dark Angels (Dunghill) ransomware group claims responsibility for hacking chipmaker Nexperia and stealing 1 TB of the company’s data.

Nexperia is a semiconductor manufacturer headquartered in Nijmegen, the Netherlands. It is a subsidiary of the partially state-owned Chinese company Wingtech Technology. It has front-end factories in Hamburg, Germany, and Greater Manchester, England. The company’s product range includes bipolar transistors, diodes, ESD protection, TVS diodes, MOSFETs, and logic devices.

The chipmaker has 14,000 employees as of 2024.

The Dark Angels ransomware group added Nexperia to the list of victims on its Tor leak site. According to the announcement, the stolen data includes:

- 285 Gb of quality control data
- 24 Gb - 896 client folders, many famous brands like SpaceX, IBM, Apple, Huawei, etc.
- 139 Gb project data, very detailed and highly confidential: NDA, internal documents, trade secrets, design, specifications, manufacturing
- 49 Gb industrial production data and instructions
- Assessment of the product's competitiveness in comparison with competitors
- 45 Gb engineers' experience and studies
- 20 Gb product management
- 201 Gb semiconductor manufacturing technologies
- 70 Gb semiconductor commercial marketing data
- 26 Gb pricing, analysis, price books
- 20 Gb HR department, employee data, personal data, passports, contracts, diplomas, salaries, insurance.
- 18 Gb .dwg - 38295 pcs - drawings and schematics of chips, microchips, transistors, etc. All data is confidential, contains trade secrets.
- 30 Gb user data
- production line settings
- repository with equipment configures
- 26 Gb machine operation logs
- 1.2 Gb AWACS software
- 13 Gb .esm files
- 1.9 Gb .job files
- 3 Gb .svn-base
- 101 Gb - .pst files
- 1.5 Gb - NDA

The group published a set of files as proof of the security breach and threatens leak all the stolen data if the victim will not pay the ransom. 

The chipmaker confirmed it became aware of the unauthorized access to certain Nexperia IT servers in March 2024.

In response to the incident, the company disconnected the affected systems from the internet to prevent the threat from spreading. The Nexperia launched an investigation into the security breach with the help of third-party cybersecurity experts.

“we have reported the incident to the competent Authorities, including the ‘Autoriteit Persoonsgegevens’ and the police, and are keeping them informed of the progress of our investigation.” reads the press statement published by the company. “Together with our external cybersecurity expert FoxIT, Nexperia continues to investigate the full extent and impact of the matter and we are closely monitoring the developments. In the interest of the ongoing investigation, we cannot disclose further details at this point.”

In September 2023, the Dark Angels ransomware group hacked Johnson Controls and demanded a $51 million ransom.

(SecurityAffairs – hacking, Nexperia )

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

Cisco Duo warns that a data breach involving one of its telephony suppliers exposed multifactor authentication (MFA) messages sent by the company via SMS and VOIP to its customers. 

Cisco Duo warns of a data breach involving one of its telephony suppliers, compromising multifactor authentication (MFA) messages sent to customers via SMS and VOIP.

The security breach occurred on April 1, 2024, the threat actors used a Provider employee’s credentials that illicitly obtained through a phishing attack. Then they used the access to download a set of MFA SMS message logs belonging to customers’ Duo accounts.

“More specifically, the threat actor downloaded message logs for SMS messages that were sent to certain users under your Duo account between March 1, 2024 and March 31, 2024. The message logs did not contain any message content but did contain the phone number, phone carrier, country, and state to which each message was sent, as well as other metadata (e.g., date and time of the message, type of message, etc.).” reads the data breach notification send to the impacted individuals. “The Provider confirmed that the threat actor did not download or otherwise access the content of any messages or use their access to the Provider’s internal systems to send any messages to any of the numbers contained in the message logs.”

Threat actors had access to phone numbers, phone carriers, countries, and states to which each message was sent. Attackers also obtained other metadata, including the date and time of the message, type of message, etc.. 

Once discovered the incident, the Provider immediately launched an investigation and implemented mitigation measures. The Provider invalidated the employee’s credentials and analyzed the logs. The

“Provider also started implementing measures to prevent similar incidents from occurring in the future and additional technical measures to further mitigate the risk associated with social engineering attacks. The Provider confirmed that they will also require employees to undergo additional social engineering awareness training.” continues the notification.

Affected users whose phone numbers were in the logs are recommended to remain vigilant and promptly report any suspected activities.

(SecurityAffairs – hacking, Cisco Duo)

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

The Ukrainian hacking group Blackjack used a destructive ICS malware dubbed Fuxnet in attacks against Russian infrastructure.

Industrial and enterprise IoT cybersecurity firm Claroty reported that the Ukrainian Blackjack hacking group claims to have damaged emergency detection and response capabilities in Moscow and beyond the Russian capital using a destructive ICS malware dubbed Fuxnet.

The Blackjack group is believed to be affiliated with Ukrainian intelligence services that carried out other attacks against Russian targets, including an internet provider and a military infrastructure.

The group claims to have attacked Moscollector, a Moscow-based company, that is responsible for the construction and monitoring of underground water and sewage and communications infrastructure. 

The website ruexfil.com provided detailed information about the attacks against Moscollector, the hackers also published screenshots of monitoring systems, servers, and databases they claim to have compromised.

The site also hosts password dumps allegedly stolen from the Russian company.

Below is the timeline of the attack published on ruexfil.com:

Initial access June 2023.
- Access to 112 Emergency Service. 
- 87,000 sensors and controls have been disabled (including Airports, subways, gas-pipelines, ...).
- Fuxnet (stuxnet on steroids) was deployed earlier to slowly and physically destroy sensory equipment
  (by NAND/SSD exhaustion and introducing bad CRC into the firmware). (YouTube Video 1, YouTube Video 2).
- Fuxnet has now started to flood the RS485/MBus and is sending 'random' commands to 87,000 embedded
  control and sensory systems (carefully excluding hospitals, airports, ...and other civilian targets).
- All servers have been deleted. All routers have been reset to factory reset. Most workstations (including
  the admins workstations) have been deleted.
- Access to the office building has been disabled (all key-cards have been invalidated).
- Moscollector has recently been certified by the FSB for being 'secure & trusted' (picture included)
- Defaced the webpage (https://web.archive.org/web/20240409020908/https://moscollector.ru/)

The website reported that Blackjack destroyed about 1,700 sensor routers deployed at airports, subways, gas-pipelines. The group also disrupted the central command-dispatcher and database. The attack brought all 87,000 sensors offline, threat actors also wiped databases, backups, and email servers, a total of 30TB of data.

“Fuxnet has now started to flood the RS485/MBus and is sending ‘random’ commands to 87,000 embedded control and sensory systems (carefully excluding hospitals, airports, …and other civilian targets).” states the website.

Team82 and Claroty have been unable to verify the attackers’ claims, however, they conducted a detailed analysis of the Fuxnet malware relying on information provided by the attackers.

“For example, Blackjack claims to have damaged or destroyed 87,000 remote sensors and IoT collectors. However, our analysis of data leaked by Blackjack, including the Fuxnet malware, indicates that only a little more than 500 sensor gateways were bricked by the malware in the attack, and the remote sensors and controllers likely remain intact.” reads the analysis published by Claroty. “If the gateways were indeed damaged, the repairs could be extensive given that these devices are spread out geographically across Moscow and its suburbs, and must be either replaced or their firmware must be individually reflashed.”

The attack chain sees hackers targeting a list of sensor gateways IPs. Threat actors distributed their malware to each target, likely either through remote-access protocols such as SSH or the sensor protocol (SBK) over port 4321.

Upon running on the target device, the malware initiates a new child process to lock out the device. The malicious code remounts the filesystem with write access, then delete essential filesystem files and directories and disables remote access services such as SSH, HTTP, telnet, and SNMP. This prevents remote access for restoring operations even if the router remains functional.

Subsequently, the threat actors erase the router’s routing table, rendering its communication with other devices non-functional. Finally, the malware deletes the filesystem and rewrites the flash memory using the operating system’s mtdblock devices.

Once it has corrupted the file system and isolated the device, the malware attempts to destroy the NAND memory chip physically and rewrites the UBI volume to prevent rebooting. 

“In order to ensure the sensor does not reboot again, the malware rewrites the UBI volume. First, the malware uses the IOCTL interface UBI_IOCVOLUP allowing it to interact with the management layer controlling the flash memory, which tells the kernel that the UBI volume will be rewritten, and that x-number of bytes will be written.” continues the report. “In its normal behavior, the kernel will know that the rewrite is finished only when x-number of bytes were written. However, the malware will not write x-number of bytes to the UBI, instead it will write fewer bytes than it declares, causing the device to wait for the rewrite to finish indefinitely.”  

The malware overwrites the UBI volume with junk data (0xFF), making the UBI useless and the filesystem becomes unstable.

The malware also tries to disrupt gateway-connected sensors by flooding serial channels with random data, overloading the serial bus and the sensors.

“The attackers developed and deployed malware that targeted the gateways and deleted filesystems, directories, disabled remote access services, routing services for each device, and rewrote flash memory, destroyed NAND memory chips, UBI volumes and other actions that further disrupted operation of these gateways.” concludes the report.

(SecurityAffairs – hacking, Fuxnet)

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

A security flaw impacting the Lighttpd web server used in baseboard management controllers (BMCs) has remained unpatched by device vendors like Intel and Lenovo, new findings from Binarly reveal. While the original shortcoming was discovered and patched by the Lighttpd maintainers way back in August 2018 with version 1.4.51, the lack of a CVE identifier or an advisory meant that

The U.S. government is warning that “smart locks” securing entry to an estimated 50,000 dwellings nationwide contain hard-coded credentials that can be used to remotely open any of the locks. The lock’s maker Chirp Systems remains unresponsive, even though it was first notified about the critical weakness in March 2021. Meanwhile, Chirp’s parent company, RealPage, Inc., is being sued by multiple U.S. states for allegedly colluding with landlords to illegally raise rents.

On March 7, 2024, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) warned about a remotely exploitable vulnerability with “low attack complexity” in Chirp Systems smart locks.

“Chirp Access improperly stores credentials within its source code, potentially exposing sensitive information to unauthorized access,” CISA’s alert warned, assigning the bug a CVSS (badness) rating of 9.1 (out of a possible 10). “Chirp Systems has not responded to requests to work with CISA to mitigate this vulnerability.”

Matt Brown, the researcher CISA credits with reporting the flaw, is a senior systems development engineer at Amazon Web Services. Brown said he discovered the weakness and reported it to Chirp in March 2021, after the company that manages his apartment building started using Chirp smart locks and told everyone to install Chirp’s app to get in and out of their apartments.

“I use Android, which has a pretty simple workflow for downloading and decompiling the APK apps,” Brown told KrebsOnSecurity. “Given that I am pretty picky about what I trust on my devices, I downloaded Chirp and after decompiling, found that they were storing passwords and private key strings in a file.”

Using those hard-coded credentials, Brown found an attacker could then connect to an application programming interface (API) that Chirp uses which is managed by smart lock vendor August.com, and use that to enumerate and remotely lock or unlock any door in any building that uses the technology.

Brown said when he complained to his leasing office, they sold him a small $50 key fob that uses Near-Field Communications (NFC) to toggle the lock when he brings the fob close to his front door. But he said the fob doesn’t eliminate the ability for anyone to remotely unlock his front door using the exposed credentials and the Chirp mobile app.

Also, the fobs pass the credentials to his front door over the air in plain text, meaning someone could clone the fob just by bumping against him with a smartphone app made to read and write NFC tags.

Neither August nor Chirp Systems responded to requests for comment. It’s unclear exactly how many apartments and other residences are using the vulnerable Chirp locks, but multiple articles about the company from 2020 state that approximately 50,000 units use Chirp smart locks with August’s API.

Roughly a year before Brown reported the flaw to Chirp Systems, the company was bought by RealPage, a firm founded in 1998 as a developer of multifamily property management and data analytics software. In 2021, RealPage was acquired by the private equity giant Thoma Bravo.

Brown said the exposure he found in Chirp’s products is “an obvious flaw that is super easy to fix.”

“It’s just a matter of them being motivated to do it,” he said. “But they’re part of a private equity company now, so they’re not answerable to anybody. It’s too bad, because it’s not like residents of [the affected] properties have another choice. It’s either agree to use the app or move.”

In October 2022, an investigation by ProPublica examined RealPage’s dominance in the rent-setting software market, and that it found “uses a mysterious algorithm to help landlords push the highest possible rents on tenants.”

“For tenants, the system upends the practice of negotiating with apartment building staff,” ProPublica found. “RealPage discourages bargaining with renters and has even recommended that landlords in some cases accept a lower occupancy rate in order to raise rents and make more money. One of the algorithm’s developers told ProPublica that leasing agents had ‘too much empathy’ compared to computer generated pricing.”

Last year, the U.S. Department of Justice threw its weight behind a massive lawsuit filed by dozens of tenants who are accusing the $9 billion apartment software company of helping landlords collude to inflate rents.

In February 2024, attorneys general for Arizona and the District of Columbia sued RealPage, alleging RealPage’s software helped create a rental monopoly.

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Palo Alto Networks PAN-OS Command Injection flaw to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2024-3400 Palo Alto Networks PAN-OS Command Injection vulnerability to its Known Exploited Vulnerabilities (KEV) catalog:

CVE-2024-3400 (CVSS score of 10.0) is a critical command injection vulnerability in Palo Alto Networks PAN-OS software. An unauthenticated attacker can exploit the flaw to execute arbitrary code with root privileges on affected firewalls. This flaw impacts PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled.

Palo Alto Networks and Unit 42 are investigating the activity related to CVE-2024-3400 PAN-OS flaw and discovered that threat actors have been exploiting it since March 26, 2024.

The researchers are tracking this cluster of activity, conducted by an unknown threat actor, under the name Operation MidnightEclipse.

“Palo Alto Networks is aware of malicious exploitation of this issue. We are tracking the initial exploitation of this vulnerability under the name Operation MidnightEclipse, as we assess with high confidence that known exploitation we’ve analyzed thus far is limited to a single threat actor.” reads the report. “We also assess that additional threat actors may attempt exploitation in the future.”

Upon exploiting the flaw, the threat actor was observed creating a cronjob that would run every minute to access commands hosted on an external server that would execute via bash.

The researchers were unable to access the commands executed by the attackers, however, they believe threat actors attempted to deploy a second Python-based backdoor on the vulnerable devices.

Researchers at cybersecurity firm Volexity referred this second Python backdor as UPSTYLE.

The threat actor, tracked by Volexity as UTA0218, remotely exploited the firewall device to establish a reverse shell and install additional tools. Their primary objective was to extract configuration data from the devices and then use it as a foothold to expand laterally within the targeted organizations.

“During its investigation, Volexity observed that UTA0218 attempted to install a custom Python backdoor, which Volexity calls UPSTYLE, on the firewall. The UPSTYLE backdoor allows the attacker to execute additional commands on the device via specially crafted network requests. Details on this backdoor are included further on in this report.” reads the report published by Volexity. “As Volexity broadened its investigation, it discovered successful exploitation at multiple other customers and organizations dating back to March 26, 2024. Those attempts appear to be the threat actor testing the vulnerability by placing zero-byte files on firewall devices to validate exploitability.”

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by April 19, 2024.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – Hacking, CISA)

Imagine a world where the software that powers your favorite apps, secures your online transactions, and keeps your digital life could be outsmarted and taken over by a cleverly disguised piece of code. This isn't a plot from the latest cyber-thriller; it's actually been a reality for years now. How this will change – in a positive or negative direction – as artificial intelligence (AI) takes on

The threat actor known as Muddled Libra has been observed actively targeting software-as-a-service (SaaS) applications and cloud service provider (CSP) environments in a bid to exfiltrate sensitive data. "Organizations often store a variety of data in SaaS applications and use services from CSPs," Palo Alto Networks Unit 42 said in a report published last week. "The threat

Threat actors have been exploiting the recently disclosed zero-day in Palo Alto Networks PAN-OS since March 26, 2024.

Palo Alto Networks and Unit 42 are investigating the activity related to CVE-2024-3400 PAN-OS flaw and discovered that threat actors have been exploiting it since March 26, 2024.

CVE-2024-3400 (CVSS score of 10.0) is a critical command injection vulnerability in Palo Alto Networks PAN-OS software. An unauthenticated attacker can exploit the flaw to execute arbitrary code with root privileges on affected firewalls. This flaw impacts PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled.

The researchers are tracking this cluster of activity, conducted by an unknown threat actor, under the name Operation MidnightEclipse.

“Palo Alto Networks is aware of malicious exploitation of this issue. We are tracking the initial exploitation of this vulnerability under the name Operation MidnightEclipse, as we assess with high confidence that known exploitation we’ve analyzed thus far is limited to a single threat actor.” reads the report. “We also assess that additional threat actors may attempt exploitation in the future.”

Upon exploiting the flaw, the threat actor was observed creating a cronjob that would run every minute to access commands hosted on an external server that would execute via bash.

The researchers were unable to access the commands executed by the attackers, however, they believe threat actors attempted to deploy a second Python-based backdoor on the vulnerable devices.

Researchers at cybersecurity firm Volexity referred this second Python backdor as UPSTYLE.

The UPSTYLE backdoor was hosted at hxxp://144.172.79[.]92/update.py, but Unit42 observed a similar backdoor hosted at nhdata.s3-us-west-2.amazonaws[.]com. According to the HTTP headers, the threat actor last modified it on April 7, 2024.

The first Python payload creates and executes another Python script (“system.pth”), which then decrypts and launches the embedded backdoor component, that executes the attackers’s command in a file named “sslvpn_ngx_error.log.”

After execution, the script records the command output in the file:

• [snip]/css/bootstrap.min.css

A noteworthy aspect of the attack sequence is that both the files used for command extraction and result logging are authentic files linked with the firewall:

• /var/log/pan/sslvpn_ngx_error.log
• /var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css

“The script will then create another thread that runs a function called restore. The restore function takes the original content of the bootstrap.min.css file, as well as the original access and modified times, sleeps for 15 seconds and writes the original contents back to the file and sets the access and modified times to their originals.” continues the report. “The point of this function is to avoid leaving the output of the commands available for analysis. Also, this suggests that the threat actor has automation built into the client side of this backdoor, as they only have 15 seconds to grab the results before the backdoor overwrites the file.“

The threat actor, tracked by Volexity as UTA0218, remotely exploited the firewall device to establish a reverse shell and install additional tools. Their primary objective was to extract configuration data from the devices and then use it as a foothold to expand laterally within the targeted organizations.

“During its investigation, Volexity observed that UTA0218 attempted to install a custom Python backdoor, which Volexity calls UPSTYLE, on the firewall. The UPSTYLE backdoor allows the attacker to execute additional commands on the device via specially crafted network requests. Details on this backdoor are included further on in this report.” reads the report published by Volexity. “As Volexity broadened its investigation, it discovered successful exploitation at multiple other customers and organizations dating back to March 26, 2024. Those attempts appear to be the threat actor testing the vulnerability by placing zero-byte files on firewall devices to validate exploitability.”

“After successfully exploiting devices, UTA0218 downloaded additional tooling from remote servers they controlled in order to facilitate access to victims’ internal networks. They quickly moved laterally through victims’ networks, extracting sensitive credentials and other files that would enable access during and potentially after the intrusion.” concludes Volexity. “The tradecraft and speed employed by the attacker suggests a highly capable threat actor with a clear playbook of what to access to further their objectives.”

(SecurityAffairs – hacking, Palo Alto Pan-OS)

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

To minimize the risk of privilege misuse, a trend in the privileged access management (PAM) solution market involves implementing just-in-time (JIT) privileged access. This approach to privileged identity management aims to mitigate the risks associated with prolonged high-level access by granting privileges temporarily and only when necessary, rather than providing users with

Cybersecurity researchers have discovered a "renewed" cyber espionage campaign targeting users in South Asia with the aim of delivering an Apple iOS spyware implant called LightSpy. "The latest iteration of LightSpy, dubbed 'F_Warehouse,' boasts a modular framework with extensive spying features," the BlackBerry Threat Research and Intelligence Team said in a report published last

Palo Alto Networks has released hotfixes to address a maximum-severity security flaw impacting PAN-OS software that has come under active exploitation in the wild. Tracked as CVE-2024-3400 (CVSS score: 10.0), the critical vulnerability is a case of command injection in the GlobalProtect feature that an unauthenticated attacker could weaponize to execute arbitrary code with root

A joint investigation conducted by U.S. and Australian authorities led to the arrest of two key figures behind the Firebird RAT operation.

A joint law enforcement operation conducted by the Australian Federal Police (AFP) and the FBI resulted in the arrest and charging of two individuals suspected of creating and selling the Firebird RAT, which was later renamed as Hive.

Australian Federal Police reported that an Australian man and a man based in the US will appear in court, following the international investigation that began in 2020. The Australian man faces twelve counts of computer offenses.

The Australian man developed and sold Firebird to customers on a dedicated hacking forum.

The RAT allowed customers to access and control their victims’ computers remotely, its author advertised its stealing capabilities.

Last week, the FBI arrested Edmond Chakhmakhchyan, 24, of Van Nuys, on charges of marketing and selling the RAT. Chakhmakhchyan, aka “Corruption,” was apprehended by FBI agents and pleaded not guilty to two charges. He is accused of advertising and selling the Hive remote access trojan (RAT) on the “Hack Forums” website. The man was accepting Bitcoin payments for licenses and offering customer service to buyers.

“Customers purchasing the malware “would transmit Hive RAT to protected computers and gain unauthorized control over and access to these computers, which allowed the RAT purchaser to close or disable programs, browse files, record keystrokes, access incoming and outgoing communications, and steal victim passwords and other credentials for bank accounts and cryptocurrency wallets, all without the victims’ knowledge or permission,” according to the indictment.” reported the DoJ. “Chakhmakhchyan allegedly began working with the creator of the Hive RAT, previously known as “Firebird,” approximately four years ago, and advertised online the RAT’s many features, including features that allowed the owner to remotely access victim computers and intercept communications and data without the victim knowing.“

According to the indictment, Chakhmakhchyan engaged in electronic communication with buyers after advertising the Hive RAT. He explained to one buyer that the malware allowed access to another person’s computer without their knowledge. When informed that the target had significant cryptocurrency and project files, Chakhmakhchyan agreed to sell the Hive RAT.

“After this purchaser told Chakhmakhchyan that “the point” of using the Hive RAT was because the victim had “20k in bitcoin on a blockchain wallet” and “project files worth over 5k,” Chakhmakhchyan agreed to sell the Hive RAT, the indictment alleges.” continues DoJ.

The DoJ states that the man allegedly sold a license to an undercover law enforcement agent. Chakhmakhchyan faces charges of conspiracy and advertising a device as an interception device, each carrying a maximum penalty of five years in federal prison.

Chakhmakhchyan could face up to ten years in prison, while the maximum penalty for the Australian man is three years imprisonment.

(SecurityAffairs – hacking, malware)

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

A threat actor claimed the hack of the Canadian retail chain Giant Tiger and leaked 2.8 million records on a hacker forum.

A threat actor, who goes online with the moniker ShopifyGUY, claimed responsibility for hacking the Canadian retail chain Giant Tiger and leaked 2.8 million records on a hacker forum.

Giant Tiger is a Canadian discount store chain that operates over 260 stores across Canada. The threat actor responsible for the post claims to have uploaded the complete database of the company that was stolen in March 2024.

The threat actor behind the post claims to have uploaded the “full” database of Giant Tiger customer records stolen in March 2024. The compromised data include email addresses, names, phone numbers, physical addresses, and website activity. Financial data was not impacted in the alleged incident.

“In March 2024, the Canadian discount store chain Giant Tiger Stores Limited (https://www.gianttiger.com/) suffered a data breach that exposed over 2.8 million clients. The breach includes over 2.8 million unique email addresses, names, phone numbers and physical addresses. The data was breached by @ShopifyGUY” reads the announcement published by ShopifyGUY on Breachforums.

Every member of the forum can download the archive for 8 credits.

Customers of the Canadian retail chain can check for the presence of their data in the leaked archive by querying the data breach monitoring service HaveIBeenPwned.

New breach: Canadian retailer Giant Tiger had 2.8M records breached last month. Impacted data included email and physical address, name and phone. 46% were already in @haveibeenpwned. Read more: https://t.co/71a7YAVQvl

— Have I Been Pwned (@haveibeenpwned) April 12, 2024

BleepingComputer reached the retail company that confirmed they became aware of security concerns related to a third-party vendor.

(SecurityAffairs – hacking, Giant Tiger)

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.

Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.

Crooks manipulate GitHub’s search results to distribute malware

BatBadBut flaw allowed an attacker to perform command injection on Windows

Roku disclosed a new security breach impacting 576,000 accounts

LastPass employee targeted via an audio deepfake call

TA547 targets German organizations with Rhadamanthys malware

CISA adds D-Link multiple NAS devices bugs to its Known Exploited Vulnerabilities catalog

US CISA published an alert on the Sisense data breach

Palo Alto Networks fixed multiple DoS bugs in its firewalls

Apple warns of mercenary spyware attacks on iPhone users in 92 countries

Microsoft fixed two zero-day bugs exploited in malware attacks

Group Health Cooperative data breach impacted 530,000 individuals

AT&T states that the data breach impacted 51 million former and current customers

Fortinet fixed a critical remote code execution bug in FortiClientLinux

Microsoft Patches Tuesday security updates for April 2024 fixed hundreds of issues

Over 91,000 LG smart TVs running webOS are vulnerable to hacking

Crowdfense is offering a larger 30M USD exploit acquisition program

Over 92,000 Internet-facing D-Link NAS devices can be easily hacked

Cybercrime    

Social Engineering Attacks Targeting IT Help Desks in the Health Sector

DOJ data on 341,000 people leaked in cyberattack on consulting firm

Hackers deploy crypto drainers on thousands of WordPress sites

530k Impacted by Data Breach at Wisconsin Healthcare Organization  

TA547 Targets German Organizations with Rhadamanthys Stealer

Attempted Audio Deepfake Call Targets LastPass Employee  

Malware

Shifting the Lens: Detecting Malware in npm ecosystem with Large Language Models

ScrubCrypt Deploys VenomRAT with an Arsenal of Plugins  

Smoke and (screen) mirrors: A strange signed backdoor  

New Technique to Trick Developers Detected in an Open Source Supply Chain Attack

Active Nitrogen campaign delivered via malicious ads for PuTTY, FileZilla       

Hacking 

Crowdfense Exploit Acquisition Program

Vulnerabilities Identified in LG WebOS  

Roku warns 576,000 accounts hacked in new credential stuffing attacks

BatBadBut: You can’t securely execute commands on Windows 

XZ backdoor story – Initial analysis

PSG: the club’s ticketing system attacked     

Intelligence and Information Warfare 

China tests US voter fault lines and ramps AI content to boost its geopolitical interests

Apple drops term ‘state-sponsored’ attacks from its threat notification policy     

Why we must take seriously China’s mastery and misuse of AI espionage

Messages between Chinese hackers show Australian Strategic Policy Institute is a target       

Top Israeli spy chief exposes his true identity in online security lapse   

Cybersecurity          

The April 2024 security updates review 

Attack on data analytics company Sisense prompts alert from CISA 

Why CISA is Warning CISOs About a Breach at Sisense

Global taxi software vendor exposes details of nearly 300K across UK and Ireland

British DARPA’ to build AI gatekeepers for ‘quantitative safety guarantees      

(SecurityAffairs – hacking, newsletter)

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

Researchers warn threat actors are manipulating GitHub search results to target developers with persistent malware.

Checkmarx researchers reported that threat actors are manipulating GitHub search results to deliver persistent malware to developers systems.

Attackers behind this campaign create malicious repositories with popular names and topics, they were observed using techniques like automated updates and fake stars to boost search rankings.

“By leveraging GitHub Actions, the attackers automatically update the repositories at a very high frequency by modifying a file, usually called “log”, with the current date and time or just some random small change. This continuous activity artificially boosts the repositories’ visibility, especially for instances where users filter their results by “most recently updated,” increasing the likelihood of unsuspecting users finding and accessing them.” reads the report published by Checkmarx. “While automatic updates help, the attackers combine another technique to amplify the effectiveness of their repo making it to the top results. The attackers employed multiple fake accounts to add bogus stars, creating an illusion of popularity and trustworthiness.”

To evade detection, threat actors concealed the malicious code in Visual Studio project files (.csproj or .vcxproj), it is automatically executed when the project is built.

The researchers noticed that the payload is delivered based on the victim’s origin, and is not distributed to users in Russia.

In the recent campaign, the threat actors used a sizable, padded executable file that shares similarities with the “Keyzetsu clipper” malware.

The recent malware campaign involves a large, padded executable file that shares similarities with the “Keyzetsu clipper” malware, targeting cryptocurrency wallets.

On April 3rd, the attacker updated the code in one of their repositories, linking to a new URL that downloads a different encrypted .7z file. The archive contained an executable named feedbackAPI.exe.

Threat actors padded the executable with numerous zeros to artificially increase the file size surpassing the limit of various security solutions, notably VirusTotal, making it unscannable.

The malware maintains persistence by creating a scheduled task that runs the executable every day at 4AM without user confirmation.

“The use of malicious GitHub repositories to distribute malware is an ongoing trend that poses a significant threat to the open-source ecosystem. By exploiting GitHub’s search functionality and manipulating repository properties, attackers can lure unsuspecting users into downloading and executing malicious code.” concludes the report. “These incidents highlight the necessity for manual code reviews or the use of specialized tools that perform thorough code inspections for malware. Merely checking for known vulnerabilities is insufficient.“

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

A critical vulnerability, named ‘BatBadBut’, impacts multiple programming languages, its exploitation can lead to command injection in Windows applications.

The cybersecurity researcher RyotaK (@ryotkak ) discovered a critical vulnerability, dubbed BatBadBut, which impacts multiple programming languages.

When specific conditions are satisfied, an attacker can exploit the flaw to perform command injection on Windows.

“The BatBadBut is a vulnerability that allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.” wrote the researcher. “CreateProcess() implicitly spawns cmd.exe when executing batch files (.bat, .cmd, etc.), even if the application didn’t specify them in the command line.“

Due to Windows’ default inclusion of .bat and .cmd files in the PATHEXT environment variable, some runtimes inadvertently execute batch files instead of the intended commands. This can lead to arbitrary command executions, even if a snippet like the following one doesn’t explicitly include .bat or .cmd files.

RyotaK explained that OS executes batch files with ‘cmd exe’, which has complicated parsing rules for the command arguments, and programming language runtimes fail to escape the command arguments properly. The majority of programming languages provide their interface to the ‘CreateProcess’ function, however, they fail to escape the command arguments properly passed to the function.

Below is the list of conditions that must be satisfied to exploit BatBadBut:

• The application executes a command on Windows
• The application doesn’t specify the file extension of the command, or the file extension is .bat or .cmd
• The command being executed contains user-controlled input as part of the command arguments
• The runtime of the programming language fails to escape the command arguments for cmd.exe properly²

The researcher already notified the maintainers of the impacted programming languages, who have taken steps to address the flaw.

The CERT/CC from Carnegie Mellon University published an advisory on this issue. Four different CVE identifiers, respectively CVE-2024-1874, CVE-2024-22423, CVE-2024-24576, and CVE-2024-3566, have been assigned to this issue.

“Various programming languages lack proper validation mechanisms for commands and in some cases also fail to escape arguments correctly when invoking commands within a Microsoft Windows environment.” reads the advisory. “The command injection vulnerability in these programming languages, when running on Windows, allows attackers to execute arbitrary code disguised as arguments to the command. This vulnerability may also affect the application that executes commands without specifying the file extension.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)