Leaderboard

Popular Content

Showing content with the highest reputation on 06/15/23 in all areas

  1. At least half a dozen GitHub accounts from fake researchers associated with a fraudulent cybersecurity company have been observed pushing malicious repositories on the code hosting service. All seven repositories, which are still available as of writing, claim to be a proof-of-concept (PoC) exploit for purported zero-day flaws in Discord, Google Chrome, and Microsoft Exchange Server.

     VulnCheck, which discovered the activity, said, "the individuals creating these repositories have put significant effort into making them look legitimate by creating a network of accounts and Twitter profiles, pretending to be part of a non-existent company called High Sierra Cyber Security." The cybersecurity firm said it first came across the rogue repositories in early May when they were observed releasing similar PoC exploits for zero-day bugs in Signal and WhatsApp. The two repositories have since been taken down.

     Besides sharing some of the purported findings on Twitter in an attempt to build legitimacy, the set of accounts have been found to use headshots of actual security researchers from companies like Rapid7, suggesting that the threat actors have gone to great lengths to execute the campaign. The PoC is a Python script that's designed to download a malicious binary and execute it on the victim's operating system, be it Windows or Linux.

     The list of GitHub repositories and fake Twitter accounts is below:
     github.com/AKuzmanHSCS/Microsoft-Exchange-RCE
     github.com/BAdithyaHSCS/Exchange-0-Day
     github.com/DLandonHSCS/Discord-RCE
     github.com/GSandersonHSCS/discord-0-day-fix
     github.com/MHadzicHSCS/Chrome-0-day
     github.com/RShahHSCS/Discord-0-Day-Exploit
     github.com/SsankkarHSCS/Chromium-0-Day
     twitter.com/AKuzmanHSCS
     twitter.com/DLandonHSCS
     twitter.com/GSandersonHSCS
     twitter.com/MHadzicHSCS

     "The attacker has made a lot of effort to create all these fake personas, only to deliver very obvious malware," VulnCheck researcher Jacob Baines said. "It's unclear if they have been successful, but given that they've continued to pursue this avenue of attacks, it seems they believe they will be successful."

     It's currently not known if this is the work of an amateur actor or an advanced persistent threat (APT). But security researchers have previously come under the radar of North Korean nation-state groups, as revealed by Google in January 2021.

     If anything, the findings show the need for exercising caution when it comes to downloading code from open source repositories. It's also essential that users scrutinize the code prior to execution to ensure it doesn't pose any security risks.

     Source: https://thehackernews.com/2023/06/fake-researcher-profiles-spread-malware.html
    2 points
  2. The threat actors behind the LockBit ransomware-as-a-service (RaaS) scheme have extorted $91 million following hundreds of attacks against numerous U.S. organizations since 2020. That's according to a joint bulletin published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and other partner authorities from Australia, Canada, France, Germany, New Zealand, and the U.K.

     "The LockBit ransomware-as-a-service (RaaS) attracts affiliates to use LockBit for conducting ransomware attacks, resulting in a large web of unconnected threat actors conducting wildly varying attacks," the agencies said.

     LockBit, which first burst onto the scene in late 2019, has continued to be disruptive and prolific, targeting as many as 76 victims in May 2023 alone, per statistics shared by Malwarebytes last week. The Russia-linked cartel has claimed responsibility for at least 1,653 ransomware attacks to date.

     The cybercrime operation has attacked a wide array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation.

     LockBit has received three substantial upgrades so far: LockBit Red (June 2021), LockBit Black (March 2022), and LockBit Green (January 2023), the last of which is based on leaked source code from the now-disbanded Conti gang. The ransomware strain has since been adapted to target Linux, VMware ESXi, and Apple macOS systems, transforming it into an ever-evolving threat.

     The RaaS operation is also notable for paying people to get tattoos of its insignia and instituting the first-ever bug bounty program. The business model involves the core developers renting out their warez to affiliates who perform the actual ransomware deployment and extortion. But in a twist, the group allows the affiliates to receive ransom payments before sending a cut to the main crew.

     Attack chains involving LockBit have leveraged recently disclosed flaws in Fortra GoAnywhere Managed File Transfer (MFT) and PaperCut MF/NG servers as well as other known bugs in Apache Log4j2, F5 BIG-IP and BIG-IQ, and Fortinet devices to obtain initial access. Also used by the affiliates are over three dozen freeware and open-source tools that allow for network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration. The intrusions have been found to further abuse legitimate red team software such as Metasploit and Cobalt Strike.

     "LockBit has been successful through its innovation and continual development of the group's administrative panel (i.e., a simplified, point-and-click interface making ransomware deployment accessible to those with lower degrees of technical skill), affiliate supporting functions, and constant revision of TTPs," the agencies said.

     The development comes as CISA issued Binding Operational Directive 23-02, instructing federal agencies to secure network devices like firewalls, routers, and switches that are exposed to the public internet within 14 days of discovery and take steps to minimize the attack surface. "Too often, threat actors are able to use network devices to gain unrestricted access to organizational networks, in turn leading to full-scale compromise," CISA Director Jen Easterly said. "Requiring appropriate controls and mitigations [...] is an important step in reducing risk to the federal civilian enterprise."

     The developments also follow a new advisory highlighting threats to Baseboard Management Controller (BMC) implementations that could potentially enable threat actors to establish a "beachhead with pre-boot execution potential." "Hardened credentials, firmware updates, and network segmentation options are frequently overlooked, leading to a vulnerable BMC," CISA and the U.S. National Security Agency (NSA) noted in a joint alert. "Additionally, a malicious actor could disable security solutions such as the trusted platform module (TPM) or UEFI secure boot, manipulate data on any attached storage media, or propagate implants or disruptive instructions across a network infrastructure."

     Source: https://thehackernews.com/2023/06/lockbit-ransomware-extorts-91-million.html
    1 point
  3. Two "dangerous" security vulnerabilities have been disclosed in Microsoft Azure Bastion and Azure Container Registry that could have been exploited to carry out cross-site scripting (XSS) attacks.

     "The vulnerabilities allowed unauthorized access to the victim's session within the compromised Azure service iframe, which can lead to severe consequences, including unauthorized data access, unauthorized modifications, and disruption of the Azure services iframes," Orca security researcher Lidor Ben Shitrit said in a report shared with The Hacker News.

     XSS attacks take place when threat actors inject arbitrary code into an otherwise trusted website, which then gets executed every time unsuspecting users visit the site. The two flaws identified by Orca leverage a weakness in the postMessage iframe, which enables cross-origin communication between Window objects. This meant that the shortcoming could be abused to embed endpoints within remote servers using the iframe tag and ultimately execute malicious JavaScript code, leading to the compromise of sensitive data.

     However, in order to exploit these weaknesses, a threat actor would have to conduct reconnaissance on different Azure services to single out vulnerable endpoints embedded within the Azure portal that may have missing X-Frame-Options headers or weak Content Security Policies (CSPs).

     "Once the attacker successfully embeds the iframe in a remote server, they proceed to exploit the misconfigured endpoint," Ben Shitrit explained. "They focus on the postMessage handler, which handles remote events such as postMessages."

     By analyzing the legitimate postMessages sent to the iframe from portal.azure[.]com, the adversary could subsequently craft appropriate payloads by embedding the vulnerable iframe in an actor-controlled server (e.g., ngrok) and creating a postMessage handler that delivers the malicious payload. Thus, when a victim is lured into visiting the compromised endpoint, the "malicious postMessage payload is delivered to the embedded iframe, triggering the XSS vulnerability and executing the attacker's code within the victim's context."

     In a proof-of-concept (PoC) demonstrated by Orca, a specially crafted postMessage was found to be able to manipulate the Azure Bastion Topology View SVG exporter or Azure Container Registry Quick Start to execute an XSS payload. Following responsible disclosure of the flaws on April 13 and May 3, 2023, Microsoft rolled out security fixes to remediate them. No further action is required on the part of Azure users.

     The disclosure comes more than a month after Microsoft plugged three vulnerabilities in the Azure API Management service that could be abused by malicious actors to gain access to sensitive information or backend services.

     Source: https://thehackernews.com/2023/06/severe-vulnerabilities-reported-in.html
    1 point
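The weakness the third item turns on is a postMessage handler that acts on a message without checking who sent it. As an added example (not code from the article, Orca or Microsoft), the handler below validates the sender origin by exact match against an allowlist and checks the message shape before acting, contrasted with a handler that trusts any sender and with a prefix-style origin check; the allowlist, message schema and event objects are constructed for the example.

```javascript
// Added example, not code from the article, Orca or Microsoft. Runs under Node;
// the "event" objects are constructed stand-ins for a browser MessageEvent
// (.origin and .data) so the logic can be exercised offline.

// Origins the embedded iframe is meant to accept messages from (constructed).
const TRUSTED_ORIGINS = new Set(["https://portal.azure.com"]);

// Weak pattern: acts on any sender's data and hands back markup that a caller
// would assign to innerHTML. No origin check, no schema check.
function vulnerableHandler(event) {
  return { html: event.data.svg };
}

// Another common weakness: a prefix check on the origin string, which accepts
// look-alike hosts such as portal.azure.com.evil.example.
function naiveOriginCheck(origin) {
  return origin.startsWith("https://portal.azure.com");
}

// Hardened pattern: exact-match origin allowlist, a strict message schema, and
// the payload returned as text for the caller to set via textContent.
function hardenedHandler(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { rejected: "untrusted origin", origin: event.origin };
  }
  const msg = event.data;
  if (typeof msg !== "object" || msg === null || msg.type !== "exportTopology") {
    return { rejected: "unexpected message shape" };
  }
  if (typeof msg.title !== "string" || msg.title.length > 200) {
    return { rejected: "invalid title" };
  }
  return { text: msg.title };
}

// Constructed sample events: legitimate sender, look-alike origin, and an
// unrelated page sending markup for the handler to render.
const legitEvent = { origin: "https://portal.azure.com",
  data: { type: "exportTopology", title: "prod-vnet" } };
const lookAlikeEvent = { origin: "https://portal.azure.com.evil.example",
  data: { type: "exportTopology", title: "x" } };
const hostileEvent = { origin: "https://attacker.example",
  data: { svg: "<svg><!-- attacker-controlled markup --></svg>" } };

console.log(vulnerableHandler(hostileEvent)); // markup passed straight through
console.log(naiveOriginCheck(lookAlikeEvent.origin)); // true: prefix check fooled
console.log(hardenedHandler(lookAlikeEvent)); // rejected: untrusted origin
console.log(hardenedHandler(legitEvent)); // { text: 'prod-vnet' }
```

In a real page the hardened handler is registered with `window.addEventListener("message", ...)` and its `text` result set via `textContent`; the same origin check belongs on the sending side too, by passing an explicit target origin to `postMessage` rather than `"*"`.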