Tag Archive for: Developers’

Someone is targeting Roblox developers with info-stealing malware


An unknown party has been targeting developers of the popular online game Roblox, seeding more than a dozen open-source software packages they use with information-stealing malware called “Luna Grabber.”

The campaign, discovered by researchers at ReversingLabs, uses typo-squatting and a number of sophisticated obfuscation tactics to entice users into downloading fake versions of commonly used software on npm, a popular open source software library. While in many cases those packages still contain the legitimate code developers are looking for, they also include a multi-stage malware attack that can deploy Luna Grabber on a victim’s web browser, their Discord application and other sources.

The malware was initially discovered as part of ReversingLabs’ “routine monitoring” of npm, which identified one such package called noblox.js-vps that was “clearly typo-squatting” the name of a legitimate Roblox API wrapper. In a post published Tuesday, threat researcher Lucija Valentić wrote that the stolen information could potentially be leveraged in future attacks.

“The use of the Luna Grabber ‘turnkey’ open source malware [can] generate malicious executables that act as bait in phishing and supply chain attacks, gathering sensitive information from targeted developers,” wrote Valentić.

Npm is one of the largest open source software repositories in the world, but the observed impact of the campaign thus far has been muted compared with other open source campaigns: just under 1,000 users have downloaded the infostealer across more than a dozen discovered software packages. Many of the identified packages have since been removed, but ReversingLabs noted the campaign remains ongoing.

A screenshot of a since-removed malicious npm package mimicking a legitimate Roblox-related piece of code. (Image Credit: Reversing Labs)

Roblox is an online video game platform where, similar to games like Minecraft, users can build virtual worlds and levels for others to play in. Since the COVID-19 pandemic, its popularity has exploded: according to data analytics reporting firm DemandSage, the game currently boasts more than 66 million daily active users and 214 million monthly active users.

It’s not…


ChatGPT Hallucinations Open Developers to Supply-Chain Malware Attacks


Attackers can exploit ChatGPT’s penchant for returning false information to spread malicious code packages, researchers have found. This poses a significant risk for the software supply chain, as it can allow malicious code and trojans to slide into legitimate applications and code repositories like npm, PyPI, GitHub and others. 

By leveraging so-called “AI package hallucinations,” threat actors can create ChatGPT-recommended, yet malicious, code packages that a developer could inadvertently download when using the chatbot, building them into software that then is used widely, researchers from Vulcan Cyber’s Voyager18 research team revealed in a blog post published today. 

In artificial intelligence, a hallucination is a plausible response by the AI that’s insufficient, biased, or flat-out not true. They arise because ChatGPT (and other large language models or LLMs that are the basis for generative AI platforms) answer questions posed to them based on the sources, links, blogs, and statistics available to them in the vast expanse of the Internet, which are not always the most solid training data. 

Due to this extensive training and exposure to vast amounts of textual data, LLMs like ChatGPT can generate “plausible but fictional information, extrapolating beyond their training and potentially producing responses that seem plausible but are not necessarily accurate,” lead researcher Bar Lanyado of Voyager18 wrote in the blog post, also telling Dark Reading, “it’s a phenomenon that’s been observed before and seems to be a result of the way large language models work.”

He explained in the post that in the developer world, AIs will also generate questionable fixes to CVEs and offer links to coding libraries that don’t exist, and the latter presents an opportunity for exploitation. In that attack scenario, attackers might ask ChatGPT for coding help for common tasks, and ChatGPT might offer a recommendation for an unpublished or non-existent package. Attackers can then publish their own malicious version of the suggested package, the researchers said, and wait for ChatGPT to give legitimate developers the same recommendation for it.

How to Exploit an…


Hackers Can Abuse Visual Studio Marketplace to Target Developers with Malicious Extensions


Jan 09, 2023 | Ravie Lakshmanan | Supply Chain / CodeSec

A new attack vector targeting the Visual Studio Code extensions marketplace could be leveraged to upload rogue extensions masquerading as their legitimate counterparts with the goal of mounting supply chain attacks.

The technique “could act as an entry point for an attack on many organizations,” Aqua security researcher Ilay Goldman said in a report published last week.

VS Code extensions, curated via a marketplace made available by Microsoft, allow developers to add programming languages, debuggers, and tools to the VS Code source-code editor to augment their workflows.

“All extensions run with the privileges of the user that has opened the VSCode without any sandbox,” Goldman said, explaining the potential risks of using VS Code extensions. “This means that the extension can install any program on your computer including ransomwares, wipers, and more.”

To that end, Aqua found that not only is it possible for a threat actor to impersonate a popular extension with small variations to the URL, the marketplace also allows the adversary to use the same name and extension publisher details, including the project repository information.

While the method doesn’t allow the number of installs and the number of stars to be replicated, the fact that there are no restrictions on the other identifying characteristics means it could be used to deceive developers.

The research also discovered that the verification badge assigned to authors could be trivially bypassed as the check mark only proves that the extension publisher is the actual owner of a domain.

In other words, a malicious actor could buy any domain, register it to get a verified check mark, and ultimately upload a trojanized extension with the same name as that of a legitimate one to the marketplace.

A proof-of-concept (PoC) extension masquerading as the Prettier code formatting utility racked up over 1,000 installations within 48 hours by developers across the world, Aqua said. It has since been taken down.

This is not the first time concerns have been raised about software supply chain threats in the VS Code extensions marketplace.

In May 2021, enterprise security…


It’s Time to Demand More from IoT Developers


Distributed Denial-of-Service (DDoS) attacks exploit the very foundation of online connectivity. By taking aim at the foundation of your site’s infrastructure, attackers can cause millions in damages, cutting their victim off from their own online presence. Since 2016, Internet of Things (IoT) devices have rapidly bolstered the ranks of DDoS botnets: now, over half a decade later, the number of online devices continues to increase exponentially. The repercussions of this are ricocheting throughout business and governmental organizations, making DDoS protection a vital part of a modern organization’s defenses.

How DDoS Is A Universal Threat

When you attempt to load a webpage, or access an application, your request travels from your browser, via your network, to the hosting server. This server handles the processing of such a request, identifying and returning the precise page you want to see. This cyclical process of request handling is the foundation of the internet: Google alone oversees the processing of 3.5 billion requests per day.

DDoS attacks aim to disrupt the legitimate traffic that a targeted server, organization or network usually relies on by overwhelming its critical infrastructure. Returning a page requires the server to dedicate a small amount of processing power to that task. Each request may only draw small amounts of power, but this directly scales with the number of users requesting a page. When a victim is targeted by a DDoS botnet, each bot is individually weaponized to continuously send requests to the victim’s app or site. This sudden influx of requests places incredible strain upon the supporting servers; it’s also impossible to simply block the flood of incoming IP addresses, thanks to the fact that each device looks identical to a legitimate user.

In the days of on-prem server stacks, DDoS attacks could easily wipe out an organization’s online presence: the processing power required would exceed the server’s capacity, and simply make the site unavailable for legitimate users. Now, however, cloud computing has unshackled small businesses from local servers. The scalability of cloud-based server providers may mean that your…
