Tag Archive for: discovered

Ethical hackers discovered 65,000 software vulnerabilities this year




Vulnerabilities are everywhere. Every device, application and API presents new entry points for attackers to exploit and gain access to privileged information. However, more and more organizations are turning to ethical hackers to help keep up with potential exploits.

In fact, according to HackerOne’s 2022 Hacker-Powered Security Report released today, ethical hackers discovered more than 65,000 software vulnerabilities in 2022, an increase of 21% since 2021. 

The report found that digital transformation projects had contributed to a 150% increase in misconfigurations and a 45% increase in improper authorization findings.

At a high level, the research shows that ethical hacker communities have the capacity to identify vulnerabilities at scale, while highlighting that in-house security teams can’t afford to rely on traditional manual approaches to vulnerability management. 


Scaling vulnerability management with ethical hackers  

The research comes as more and more organizations are feeling the pressure of managing an ever-growing number of exploits, with 66% of security leaders reporting a backlog of over 100,000 vulnerabilities, and 54% saying they’re able to patch less than 50% of vulnerabilities in their backlog. 

This high volume of vulnerabilities has created the need for a more scalable approach to managing vulnerabilities, which ethical hacking and bug bounty vendors like HackerOne are providing. 

“Insights from the hacking community about their experience and expectations teach organizations how to run a best-in-class program that will attract the top hackers,” said HackerOne’s CISO and chief hacking officer, Chris Evans. 

“HackerOne’s vulnerability data, sourced from our 3,000 customer programs, shows organizations which…

Source…

42,000 phishing domains discovered masquerading as popular brands


Security researchers at Cyjax have uncovered a highly sophisticated, large-scale phishing campaign in which the threat actors used as many as 42,000 phishing domains to distribute malware and generate ad revenue.

Campaign Details

Cyjax researchers noted that the threat actors have links to China and have been active since 2017. So far, the attackers, identified as the Fangxiao group, have spoofed over 400 brands from the banking, retail, travel, transport, pharmaceutical, energy, and finance sectors.

The group operates an extensive network comprising 42,000 domains used for impersonating famous brands. Their latest campaign aims to generate revenue from users who pay for traffic. At least 24,000 survey/landing domains have been used by the attackers to promote this scam since March 2022.

How Does the Attack Work?

Fangxiao lures unsuspecting users to the malicious domains through WhatsApp messages informing them that they have won a prize. The users are then redirected to fake dating sites, to Amazon via affiliate links, to adware, and to giveaway sites, all of which look convincing enough to the victim. This brand impersonation campaign spoofs well-known names such as McDonald’s, Unilever, Emirates, Knorr, and Coca-Cola.

Once visitors land on the spoofed version of an authentic brand site, they are redirected to ad sites created by Fangxiao that generate money through fake surveys, promising the victim a prize for completing one. In some cases, clicking the Complete Registration button also triggers a download of the Triada malware onto the victim’s device.


“As victims are invested in the scam, keen to get their ‘reward,’ and the site tells them to download the app, this has likely resulted in a significant number of infections,” Cyjax’s report (PDF) read.

Domain Analysis

The group uses 42,000 domains registered in 2019 through GoDaddy, Namecheap, and Wix….

Source…

This Week in Malware – Over 50 Packages Discovered


This week in malware, we discovered and analyzed nearly five dozen packages flagged as malicious, suspicious, or dependency confusion attacks in npm and PyPI registries.

Malicious packages caught by Sonatype
We caught the following this week via Sonatype’s automated malware detection system, offered as a part of Nexus Firewall:


These discoveries follow our report last week of over 100 packages discovered.

Turn on Nexus Firewall for automatic protection
As a DevSecOps organization, we remain committed to identifying and halting attacks, such as those mentioned above, against open source developers and the wider software supply chain.

Users of Nexus Firewall can rest easy knowing that such malicious packages would automatically be blocked from reaching…

Source…

This Week in Malware – Over 100 Packages Discovered


This week in malware, we discovered and analyzed more than 100 packages flagged as malicious, suspicious, or dependency confusion attacks in npm and PyPI registries.

Malicious packages caught by Sonatype
We caught the following this week via Sonatype’s automated malware detection system, offered as a part of Nexus Firewall:


Source…