North Korea Steps Up Attacks on Developers
ReversingLabs
ReversingLabs is the trusted name in file and software security. RL - Trust Delivered.
Welcome to the latest edition of The Week in Security, which brings you the newest headlines from both the world and our team across the full stack of security: application security, cybersecurity, and beyond. This week: A North Korean APT targets developers. Also: the banking sector is being targeted in supply chain attacks. And: concerns about supply chain risk are holding back Kubernetes adoption.?
This Week’s Top Story
North Korean Hackers Step Up Attacks On Developers
The Lazarus advanced persistent threat (APT) group - a North Korean state-sponsored cybergang - is running yet another impersonation scam. The group is donning the persona of a developer or recruiter to deploy social engineering attacks, funneling tech community members to their repository containing malicious node package manager (npm) dependencies . GitHub is warning that accounts linked to Lazarus have been uncovered on that platform as well as LinkedIn, Telegram, and Slack.?
Lazarus is thought to be run by North Korea’s Foreign Intelligence and Reconnaissance Bureau. The hacker group is believed to mount financially motivated attacks as part of a program to fund the North Korean state, as well as more traditional cyber espionage campaigns. In this case, Lazarus targeted developer accounts connected to the blockchain, cryptocurrency, or online gambling sectors. The goal was to deploy a two-stage malware attack on each target. First, they connected with a developer or recruiter and invited them to their repository, which houses compromised npm packages that act as the first stage in the attack. These malicious packages then download and deploy the second-stage malware on the victim’s machine.?
GitHub has yet to release details about the second part of the attack. However, Phylum researchers shared a technical overview of the first-stage malware and an attack chain in which the first package fetches a token from a remote server, and the second package uses that token to access the malicious script. The script then executes an action that negates TLS certificate validation, which may open the door to attackers engaging in malicious HTTP requests within corporate environments that have deployed their own root certificates for authenticating such communications, Phylum noted . Beyond this step, however, the second stage malware and its goals are unknown.?
Despite reports that no GitHub or npm systems were compromised and that the accounts linked to the attack have been suspended, this targeted attempt highlights the resourcefulness of the North Korean state actors and their growing interest in targeting developers and development environments.?
Organizations that believe they have been compromised are advised to review their security logs for indicators of compromise. Those include “action:repo.add_member” event correlating with one of the APT repositories that GitHub has listed in their Indicators of Compromise (IoCs ). For organizations that discover they have executed content from one of the listed, malicious repositories, it is prudent to reset or wipe the devices and change any passwords or tokens that could have been exposed.?
News Roundup
Here are the stories we’re paying attention to this week… ???
Cybercriminals finally started to utilize open-source materials when attacking the banking sector, according to a report by Checkmarx. The attackers posed as an employee of the targeted bank - including a fake LinkedIn profile - and uploaded malicious npm packages. The packages contained a pre-installed script that would activate the infection sequence. Once activated, the script determined what host operating system the victim used and downloaded the second-stage malware from a remote server. The second-stage malware was Havoc, an open-source command-and-control (C2) framework. The npm packages have since been removed from the repository, but the names remain unknown, along with the names of the hackers, and the banks. ( The Hacker News )
Concerns around security are hampering organizations' ability to gain value from Kubernetes and cloud-native technology, a new report from Red Hat concludes. The 2023 State of Kubernetes Report found that 67% of respondents have delayed or slowed deployment due to Kubernetes security concerns, and 37% have experienced revenue or customer loss due to a container/Kubernetes security incident. Concerns about the software supply chain are a part of that with survey respondents citing vulnerable application components (32%), insufficient access controls (30%), the lack of software bills of materials (SBOM) and CI/CD pipeline weaknesses (19%), among others, as reasons to delay deployments. ( Dark Reading )
Following attacks against the Norwegian ministries that exploited an Ivanti vulnerability, the U.S Cybersecurity and Infrastructure Security Agency (CISA) warned Federal agencies to secure their systems. Ivanti is a third-party vendor selling mobile device management software that roughly 36 U.S agencies utilize. These agencies have a three-week deadline to patch this issue. However, Ivanti has yet to release any indicators of compromise (IoCs) that can clue-in users about a potential attack. An attack that results in accessing specific API paths remotely to steal personally identifiable information (PII), and occasional privilege escalation. Anyone using Ivanti’s Endpoint Manager Mobile (EPMM) is urged to upgrade to the latest version. (Bleeping Computer )
Developers are increasingly integrating security testing into their development pipelines, but there's room for improvement, according to the Snyk 2023 State of Software Supply Chain Security report. The report found a significant number of companies still are not using security tools during development or before committing code. However, there is evidence of positive changes in software security practices after the Log4j vulnerability incident, with more companies adopting security measures. ( Dark Reading )
Government services provider Maximus Inc. is the latest victim of the Clop ransomware gang’s targeting of a?critical vulnerability ?in Progress Software Corp.’s MOVEit file transfer software, as data belonging to as many as 11 million people was stolen.
领英推荐
Maximus, which provides services for Medicaid, Medicare, health care reform, welfare-to-work and student loan servicing, disclosed it had been hacked in a U.S. Securities and Exchange Commission filing. The July 26?filing ?states that the company became aware that data could have been compromised after the revelation that the MOVEit file transfer software had been compromised on May 31, but does not give a specific date when it detected that its internal systems had also been compromised. ( SiliconANGLE & theCUBE )
Hundreds of thousands of routers manufactured by MikroTik are vulnerable to a critical bug. This bug - tracked as CVE-2023-30799 - allows attackers to remotely control devices, and functions as a privilege escalation attack. An attacker must be authenticated before escalating privileges from admin to super-admin - the privilege that enables them to execute arbitrary code on the system. However, this requirement is not as tricky as it seems. Roughly 60% of the router users still use the default admin which is accessed through what is essentially a blank password. To add insult to injury this attack is virtually undetectable, unless attackers use brute-force to gain authentication. Users of MiktoTik’s routers should remove the default admin from the system, or at the very least change the blank password to a strong, individual password. (InfoSecurity Magazine )
Early this week news broke about critical vulnerabilities in Terrestrial Trunked Radio (TETRA), that allows for real-time or delayed decryption, message injection, user deanonymization, or session key pinning attacks. There is also the ability to leverage these weak points to listen in on communications, track movements, or manipulate network communications. TETRA is used by many global emergency service providers, militaries, and other critical infrastructure sectors. However, the European Telecommunications Standards Institute (ESTI) denies these claims, especially the vulnerabilities’ label as a ‘backdoor.’ Other users of TETRA have yet to weigh in on the debate, while ESTI maintains that the TETRA standard is sound. (Dark Reading )
The Cybersecurity Executive Order issued by the White House in May 2021 is expected to transform software development practices by standardizing security measures across the industry. The order requires suppliers of software to comply with software composition analysis (SCA), securing the software chain, and software bills of materials (SBOMs). The Cybersecurity and Infrastructure Security Agency (CISA) has released a Secure Software Development Attestation Form (SSDF) for suppliers to self-report their compliance, which has caused some confusion regarding the role of SBOMs. ( Dark Reading )
Resource Round Up
New ReversingLabs Report: Software Supply Chain Security
Tooling Gap Leaves Organizations Exposed - SolarWinds and the more recent 3CX attack put software supply chain security front and center for organizations. While they recognize risk is enterprise-wide, traditional application security tools are not up to the job of taking on software supply chain threats, according to a Dimensional Research survey of more than 300 IT pros. [Read Full Report ]
Webinar with Tag Cyber & ReversingLabs - August 2 @ 11am-12pm ET
Does Your Organization Understand Its Software Supply Chain Risk? Why Modern Tooling & a Mature Approach are Now Requirements
Learn why modern tooling and a mature supply chain security program are now a requirement for managing software risk.
[Register Now ]
Upcoming Software Package Deconstruction Episode: August 3 @ 11am-11:30am ET
In this episode, we will focus on code signing certificates, the role they play in software, and the many ways they can be abused. Understanding these elements will help you define and tune your baselines in that area.
[Register Now ]