cRyPtHoN™ INFOSEC (EN)

Channel address: @crypthon_infosec_en
Categories: Cryptocurrencies
Language: English
Subscribers: 3.56K
Description from channel

Latest news of INFOSEC (EN)
1. Latest Vulnerability.
2. Latest Patch.
3. Privacy Breach.
4. Security Breach.
5. InfoSec News.
German Version 🇩🇪
@cRyPtHoN_INFOSEC_DE
France Version 🇫🇷
@cRyPtHoN_INFOSEC_FR
Italian Version 🇮🇹
@cRyPtHoN_INFOSEC_IT

Ratings & Reviews: 4.00 (2 reviews: one 5-star, one 3-star)


The latest Messages

2022-05-25 14:58:40
Malicious Python library CTX removed from PyPI repo.

A suspicious developer appears to have performed a domain hijack to take over the original project

A malicious and potentially hijacked Python package, CTX, has been removed from the Python Package Index (PyPI) repository after social media users alerted the team to its presence.

On May 24, Indian hacker Somdev Sangwan alerted developers on Twitter to a potential security issue impacting Python’s CTX library. In a tweet, Sangwan said:

Python’s CTX library and a fork of PHP’s phpass have been compromised. Three million users combined. The malicious code sends all the environment variables to a Heroku app, likely to mine AWS credentials.

Environmental variables can also include other forms of credentials and API keys.

https://portswigger.net/daily-swig/malicious-python-library-ctx-removed-from-pypi-repo

@cRyPtHoN_INFOSEC_IT
@cRyPtHoN_INFOSEC_FR
@cRyPtHoN_INFOSEC_EN
@cRyPtHoN_INFOSEC_DE
@BlackBox_Archiv
2022-05-25 14:54:42
Google Chrome 102 update patches 32 security issues (one critical)

Google published updates for the company's Chrome web browser on May 24, 2022. The desktop version updates address security issues in the web browser.

The Chrome team is delighted to announce the promotion of Chrome 102 to the stable channel for Windows (102.0.5005.61/62/63), 102.0.5005.61 for Mac and Linux. Chrome 102 is also promoted to our new extended stable channel for Windows and Mac. This will roll out over the coming days/weeks.

Chrome 102 for desktop systems and mobile systems is available already. Google rolls out updates over time to the entire population. Desktop users who use Chrome can speed up the installation of the update to patch the security issues early.

https://www.ghacks.net/2022/05/25/google-chrome-102-update-patches-32-security-issues-one-critical/

2022-05-25 14:51:36
Yashma Ransomware, Tracing the Chaos Family Tree.

It’s not often that we get to observe the behind-the-scenes drama that can accompany the creation of new malware, but when we do, it gives us a fascinating glimpse into how threat actors operate. One such glimpse, stemming from an online exchange between a ransomware perpetrator and a victim, gave us new insights into the origins of Chaos malware, revealing a twisted family tree that links it to both Onyx and Yashma ransomware variants.

The clues surfaced during a discussion between a recent victim and the threat group behind Onyx, taking place on the threat actor’s leak site. Someone claiming to be the creator of the Chaos ransomware builder’s kit joined the conversation, and revealed that Onyx was constructed from the author’s own Chaos v4.0 Ransomware Builder.

https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree

2022-05-25 14:47:20
Russia keeps getting hacked.

Oh, how the tables have turned.

Russia — a nation that has famously been on the offensive when it comes to cyber attacks — is now facing its own barrage of hacks as multiple sanctions hit the country from the West.

In a meeting with the Russian Security Council on Friday, Russian President Vladimir Putin said the number of cyber attacks by foreign "state structures" had increased several times over, Reuters reported.

Putin said the challenges came on the heels of Western suppliers having "unilaterally stopped technical support of their equipment in Russia" in response to Russia's invasion of Ukraine. Since then, there have been data leaks abound, from Russia's second-biggest bank to e-commerce sites, Reuters reported.

https://mashable.com/article/russia-putin-ukraine-cyber-attacks-hacked

2022-05-25 14:41:48
747 Hackathon.

As is probably clear from our blog and public talks, aviation cyber security is an area of huge interest to us. Some of us are also light aircraft pilots, so the crossover of two of our loves makes for some fascinating research.

Over the last few years we’ve managed to get access to several airplanes that have been recently retired. As the various breakers yards are backed up with planes retired during the pandemic, many fully functional planes are available that will never fly again.

However, a big problem for us is that the planes get dismantled, often between visits. On several occasions we’ve gone to an airframe to figure out the on board systems, go back to the lab to prepare custom connectors and tools, then come back a month later to find out that it’s been taken apart into many many pieces.

https://www.pentestpartners.com/security-blog/747-hackathon/

2022-05-25 14:39:45
BPFDoor malware uses Solaris vulnerability to get root privileges.

New research into the inner workings of the stealthy BPFdoor malware for Linux and Solaris reveals that the threat actor behind it leveraged an old vulnerability to achieve persistence on targeted systems.

BPFDoor is a custom backdoor that has been used largely undetected for at least five years in attacks against telecommunications, government, education, and logistics organizations.

The malware was discovered only recently and reported first by researchers from PricewaterhouseCoopers (PwC), who attributed it to a China-based threat actor they track as Red Menshen.

PwC found BPFDoor during an incident response engagement in 2021.

https://www.bleepingcomputer.com/news/security/bpfdoor-malware-uses-solaris-vulnerability-to-get-root-privileges/

2022-05-25 14:32:49
Poisoned Python and PHP packages purloin passwords for AWS access.

A keen-eyed researcher at SANS recently wrote about a new and rather specific sort of supply chain attack against open-source software modules in Python and PHP.

Following on-line discussions about a suspicious public Python module, Yee Ching Tok noted that a package called ctx in the popular PyPi repository had suddenly received an “update”, despite not otherwise being touched since late 2014.

In theory, of course, there’s nothing wrong with old packages suddenly coming back to life.

https://nakedsecurity.sophos.com/2022/05/25/poisoned-python-and-php-packages-purloin-passwords-for-aws-access/

2022-05-25 14:25:00
GoodWill Ransomware Demands People Help the Most Vulnerable.

‘Ransomware with a cause’ has been detected in New Delhi, India. The cryptoviral extortion demands that people donate clothing to the homeless, provide children with food in branded pizza shops and offer financial assistance to those in urgent need of medical care.

The recent news comes from CloudSEK, a digital risk monitoring firm, which warned that Goodwill ransomware could lead to both temporary and permanent loss of company data. In addition, warned CloudSEK, the ransomware could lead to a complete shutdown of operations and revenue loss.

https://www.infosecurity-magazine.com/news/goodwill-ransomware-help-vulnerable/

https://cloudsek.com/threatintelligence/goodwill-ransomware-forces-victims-to-donate-to-the-poor-and-provides-financial-assistance-to-patients-in-need/

2022-05-25 14:22:47
Predator spyware sold with Chrome, Android zero-day exploits to monitor targets.

Or so says Google after tracking 30+ vendors peddling surveillance malware

Spyware vendor Cytrox sold zero-day exploits to government-backed snoops who used them to deploy the firm's Predator spyware in at least three campaigns in 2021, according to Google's Threat Analysis Group (TAG).

The Predator campaigns relied on four vulnerabilities in Chrome (CVE-2021-37973, CVE-2021-37976, CVE-2021-38000 and CVE-2021-38003) and one in Android (CVE-2021-1048) to infect devices with the surveillance-ware.

Based on CitizenLab's analysis of Predator spyware, Google's bug hunters believe that the buyers of these exploits operate in Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, Indonesia, and possibly other countries.

https://www.theregister.com/2022/05/24/predator_spyware_zero_days/

2022-05-25 14:19:09
Fronton IOT Botnet Packs Disinformation Punch.

Fronton botnet has far more ability than launching DDoS attacks; it can track social media trends and launch suitable propaganda.

A fresh look at the Fronton DDoS-focused botnet reveals the criminal tool has more capabilities than previously known.

The Fronton botnet first made the headline in March 2020. That is when, according to news reports, a hacktivist group called Digital Revolution said it obtained documents claiming to be from 0day Technologies, allegedly a contractor for Russia’s Federal Security Service.

https://threatpost.com/fronton-botnet-disinformation/179721/
