Reading view

There are new articles available, click to refresh the page.

Yearlong supply-chain attack targeting security pros steals 390K credentials

A sophisticated and ongoing supply-chain attack operating for the past year has been stealing sensitive login credentials from both malicious and benevolent security personnel by infecting them with Trojanized versions of open source software from GitHub and NPM, researchers said.

The campaign, first reported three weeks ago by security firm Checkmarx and again on Friday by Datadog Security Labs, uses multiple avenues to infect the devices of researchers in security and other technical fields. One is through packages that have been available on open source repositories for over a year. They install a professionally developed backdoor that takes pains to conceal its presence. The unknown threat actors behind the campaign have also employed spear phishing that targets thousands of researchers who publish papers on the arXiv platform.

Unusual longevity

The objectives of the threat actors are also multifaceted. One is the collection of SSH private keys, Amazon Web Services access keys, command histories, and other sensitive information from infected devices every 12 hours. When this post went live, dozens of machines remained infected, and an online account on Dropbox contained some 390,000 credentials for WordPress websites taken by the attackers, most likely by stealing them from fellow malicious threat actors. The malware used in the campaign also installs cryptomining software that was present on at least 68 machines as of last month.

Read full article

Comments

© Getty Images

Critical WordPress plugin vulnerability under active exploit threatens thousands

Thousands of sites running WordPress remain unpatched against a critical security flaw in a widely used plugin that was being actively exploited in attacks that allow for unauthenticated execution of malicious code, security researchers said.

The vulnerability, tracked as CVE-2024-11972, is found in Hunk Companion, a plugin that runs on 10,000 sites that use the WordPress content management system. The vulnerability, which carries a severity rating of 9.8 out of a possible 10, was patched earlier this week. At the time this post went live on Ars, figures provided on the Hunk Companion page indicated that less than 12 percent of users had installed the patch, meaning nearly 9,000 sites could be next to be targeted.

Significant, multifaceted threat

“This vulnerability represents a significant and multifaceted threat, targeting sites that use both a ThemeHunk theme and the Hunk Companion plugin,” Daniel Rodriguez, a researcher with WordPress security firm WP Scan, wrote. “With over 10,000 active installations, this exposed thousands of websites to anonymous, unauthenticated attacks capable of severely compromising their integrity.”

Read full article

Comments

© Getty Images

Russia takes unusual route to hack Starlink-connected devices in Ukraine

Russian nation-state hackers have followed an unusual path to gather intel in the country's ongoing invasion of Ukraine—appropriating the infrastructure of fellow threat actors and using it to infect electronic devices its adversary’s military personnel are using on the front line.

On at least two occasions this year, the Russian hacking group, tracked under names including Turla, Waterbug, Snake, and Venomous Bear, has used servers and malware used by separate threat groups in attacks targeting front-line Ukrainian military forces, Microsoft said Wednesday. In one case, Secret Blizzard—the name Microsoft uses to track the group—leveraged the infrastructure of a cybercrime group tracked as Storm-1919. In the other, Secret Blizzard appropriated resources of Storm-1837, a Russia-based threat actor with a history of targeting Ukrainian drone operators.

The more common means for initial access by Secret Blizzard is spear phishing followed by lateral movement through server-side and edge device compromises. Microsoft said that the threat actor’s pivot here is unusual but not unique. Company investigators still don’t know how Secret Blizzard obtained access to the infrastructure.

Read full article

Comments

AMD’s trusted execution environment blown wide open by new BadRAM attack

One of the oldest maxims in hacking is that once an attacker has physical access to a device, it’s game over for its security. The basis is sound. It doesn’t matter how locked down a phone, computer, or other machine is; if someone intent on hacking it gains the ability to physically manipulate it, the chances of success are all but guaranteed.

In the age of cloud computing, this widely accepted principle is no longer universally true. Some of the world’s most sensitive information—health records, financial account information, sealed legal documents, and the like—now often resides on servers that receive day-to-day maintenance from unknown administrators working in cloud centers thousands of miles from the companies responsible for safeguarding it.

Bad (RAM) to the bone

In response, chipmakers have begun baking protections into their silicon to provide assurances that even if a server has been physically tampered with or infected with malware, sensitive data funneled through virtual machines can’t be accessed without an encryption key that’s known only to the VM administrator. Under this scenario, admins inside the cloud provider, law enforcement agencies with a court warrant, and hackers who manage to compromise the server are out of luck.

Read full article

Comments

© Getty Images

Backdoor slipped into popular code library, drains ~$155k from digital wallets

Hackers pocketed as much as $155,000 by sneaking a backdoor into a code library used by developers of smart contract apps that work with the cryptocurrency known as Solana.

The supply-chain attack targeted solana-web3.js, a collection of JavaScript code used by developers of decentralized apps for interacting with the Solana blockchain. These “dapps” allow people to sign smart contracts that, in theory, operate autonomously in executing currency trades among two or more parties when certain agreed-upon conditions are met.

The backdoor came in the form of code that collected private keys and wallet addresses when apps that directly handled private keys incorporated solana-web3.js versions 1.95.6 and 1.95.7. These backdoored versions were available for download during a five-hour window between 3:20 pm UTC and 8:25 pm UTC on Tuesday.

Read full article

Comments

© Getty Images

Russian court sentences kingpin of Hydra drug marketplace to life in prison

A Russian court has issued a life sentence to a man found guilty of being the kingpin of a dark web drug marketplace that supplied more than a metric ton of narcotics and psychotropic substances to customers around the world.

On Monday, the court found that Stanislav Moiseyev oversaw Hydra, a Russian-language market that operated an anonymous website that matched sellers of drugs and other illicit wares with buyers. Hydra was dismantled in 2022 after authorities in Germany seized servers and other infrastructure used by the sprawling billion-dollar enterprise and a stash of bitcoin worth millions of dollars. At the time, Hydra was the largest crime forum, having facilitated $5 billion in transactions for 17 million customers. The market had been in operation since 2015.

One-stop cybercrime shop

“The court established that from 2015 to October 2018, the criminal community operated in various regions of the Russian Federation and the Republic of Belarus,” the state prosecutor’s office of the Moscow Region said. “The well-covered activities of the organized criminal group were aimed at systematically committing serious and especially serious crimes related to the illegal trafficking of drugs and psychotropic substances.”

Read full article

Comments

© Getty Images | Charles O'Rear

Code found online exploits LogoFAIL to install Bootkitty Linux backdoor

Researchers have discovered malicious code circulating in the wild that hijacks the earliest stage boot process of Linux devices by exploiting a year-old firmware vulnerability when it remains unpatched on affected models.

The critical vulnerability is one of a constellation of exploitable flaws discovered last year and given the name LogoFAIL. These exploits are able to override an industry-standard defense known as Secure Boot and execute malicious firmware early in the boot process. Until now, there were no public indications that LogoFAIL exploits were circulating in the wild.

The discovery of code downloaded from an Internet-connected web server changes all that. While there are no indications the public exploit is actively being used, it is reliable and polished enough to be production-ready and could pose a threat in the real world in the coming weeks or months. Both the LogoFAIL vulnerabilities and the exploit found on-line were discovered by Binarly, a firm that helps customers identify and secure vulnerable firmware.

Read full article

Comments

© Getty Images

Found on VirusTotal: The world’s first UEFI bootkit for Linux

UPDATE: November 28, 3:20 PM California time. The headline of this post has been changed. This update is adding the following further details: this threat is not a UEFI firmware implant or rootkit, it's a UEFI bootkit attacking the bootloader. The Bootkitty sample analyzed by ESET was not unkillable. Below is the article with inaccurate details removed.

Researchers at security firm ESET said Wednesday that they found the first UEFI bootkit for Linux. The discovery may portend that UEFI bootkits that have targeted Windows systems in recent years may soon target Linux too.

Bootkitty—the name unknown threat actors gave to their Linux bootkit—was uploaded to VirusTotal earlier this month. Compared to many Windows UEFI bootkits, Bootkitty is still relatively rudimentary, containing imperfections in key under-the-hood functionality and lacking the means to infect all Linux distributions other than Ubuntu. That has led the company researchers to suspect the new bootkit is likely a proof-of-concept release. To date, ESET has found no evidence of actual infections in the wild.

Read full article

Comments

© Getty Images

Spies hack Wi-Fi networks in far-off land to launch attack on target next door

One of 2024's coolest hacking tales occurred two years ago, but it wasn't revealed to the public until Friday at the Cyberwarcon conference in Arlington, Virginia. Hackers with ties to Fancy Bear—the spy agency operated by Russia’s GRU—broke into the network of a high-value target after first compromising a Wi-Fi-enabled device in a nearby building and using it to exploit compromised accounts on the target’s Wi-Fi network.

The attack, from a group security firm Volexity calls GruesomeLarch, shows the boundless lengths well-resourced hackers will go to hack high-value targets, presumably only after earlier hack attempts haven’t worked. When the GruesomeLarch cabal couldn’t get into the target network using easier methods, they hacked a Wi-Fi-enabled device in a nearby building and used it to breach the target’s network next door. After the first neighbor’s network was disinfected, the hackers successfully performed the same attack on a device of a second neighbor.

Too close for comfort

“This is a fascinating attack where a foreign adversary essentially conducted a close access operation while being physically quite far away,” Steven Adair, a researcher and the president of Volexity, wrote in an email. “They were able to launch an attack that historically had required being in close proximity to the target but found a way to conduct it in a way which completely eliminated the risk of them being caught in the real world.”

Read full article

Comments

© Getty Images

5 charged in “Scattered Spider,” one of the most profitable phishing scams ever

Federal prosecutors have charged five men with running an extensive phishing scheme that allegedly allowed them to compromise hundreds of companies nationwide, gain non-public information, and steal millions of dollars in cryptocurrency.

The charges, detailed in court documents unsealed Wednesday, pertain to a crime group security researchers have dubbed Scattered Spider. Members were behind a massive breach on MGM last year that cost the casino and resort company $100 million. MGM preemptively shut down large parts of its internal networks after discovering the breach, causing slot machines and keycards for thousands of hotel rooms to stop working and slowing electronic transfers. Scattered Spider also breached the internal network of authentication provider Twilio, which allowed the group to hack or target hundreds of other companies.

Not your father’s phishing campaign

Key to Scattered Spider’s success were phishing attacks so methodical and well-orchestrated they were hard to detect even when sophisticated defenses were implemented. Microsoft researchers, who track the group under the name Octo Tempest, declared it “one of the most dangerous financial criminal groups.”

Read full article

Comments

© Getty Images

❌