Tag Archive for: GitHub

Teams, Slack, and GitHub, oh my! – How collaborative tools can create a security nightmare


When building Teams security, first determine the level of risk your organization is willing to accept. For example, do you want Teams to be open to anonymous users or limit it strictly to internal users?

To adjust this setting, perform the following steps:

If you decide that guest access is to be allowed on your network, you need to be aware of the potential for Teams to be used as a means for attack. You can improve security by deploying more phishing-resistant authentication methods, such as number matching, rather than merely allowing automatic approval of the prompt.

Next, consider implementing Conditional Access rules. This requires additional licensing to implement but may be wise, as attackers turn more and more to using the cloud as a launching point for attacks.

Conditional Access rules let you restrict Microsoft 365 sign-ins to stronger authentication methods, using the built-in authentication strengths: Multifactor authentication strength, Passwordless MFA strength, and Phishing-resistant MFA strength.

You may decide to limit your Teams interactions to approved domains rather than leaving it open to new and anonymous users. And of course, educating end users to accept files only from trusted partners is crucial.


GitHub, NPM registry abused to host SSH key-stealing malware


Malicious NPM packages designed to upload stolen SSH keys to GitHub were discovered by software threat researchers this month.

GitHub removed two packages from the NPM registry in early January — warbeast2000 and kodiak2k — both of which were designed to grab private SSH keys from machines they are installed on and store the keys on an attacker-controlled GitHub repository.

The SSH key-stealing malware tools were first discovered by researchers at ReversingLabs using the company’s Software Supply Chain Security platform. The malicious packages were found during the first week of January 2024 and removed by the GitHub-owned NPM registry shortly after they were reported.

The details of warbeast2000 and kodiak2k were first disclosed by ReversingLabs in a blog post on Jan. 23.

“Since there are instructions in the code’s comments, the [package] author’s intention is possibly to share malicious code with other malicious actors,” Lucija Valentić, a software threat researcher at ReversingLabs and author of the blog post, told SC Media. “They may also be hoping for developers and users to download and install warbeast2000 and kodiak2k.”

Software developers at risk from dangerous NPM packages

The warbeast2000 and kodiak2k packages both use a postinstall script to retrieve additional JavaScript code from an external source and execute it on a victim’s machine. At least one of the packages (warbeast2000) retrieves this second malicious script from a Pastebin address.

The payload installed and executed by warbeast2000 targets the id_rsa file located at /.ssh within the victim’s home directory to grab the private SSH key stored within this file. “id_rsa” is the default file name for SSH keys generated by ssh-keygen, which is standard on Unix, Linux and macOS systems as well as Git for Windows.

After reading the private SSH key, warbeast2000’s final payload copies the key, encodes it in Base64 and uploads it to a GitHub repository controlled by the attacker. Warbeast2000 has no other functions and does not appear to imitate other legitimate packages.

Kodiak2k’s payload works similarly to warbeast2000’s, but instead of going after id_rsa, it searches (home…
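As an added defensive example (not code from the article, from ReversingLabs, or from the packages described), here is a small Node.js auditor for the install-script pattern just described: it flags npm lifecycle hooks whose command, or the script file that command runs, fetches remote code or reads SSH keys. The indicator list and the two sample packages are constructed for illustration and are hypothetical.

```javascript
// Install-time hooks npm runs automatically on `npm install`.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristic indicators chosen for this example (hypothetical; tune for your environment).
// A hit means "review this package", not proof of malice.
const INDICATORS = [
  { name: "remote-fetch", re: /https?:\/\/|\bpastebin\b|\bcurl\b|\bwget\b/i },
  { name: "dynamic-eval", re: /\beval\s*\(|new\s+Function\s*\(|child_process/ },
  { name: "ssh-key-access", re: /\.ssh\b|id_rsa|id_ed25519/ },
  { name: "base64-encode", re: /toString\(\s*["']base64["']\s*\)|\bbtoa\s*\(/ },
];

// The .js files a lifecycle command invokes, e.g. "node index.js" -> ["index.js"].
function referencedScripts(command) {
  return command.match(/[\w./-]+\.js\b/g) || [];
}

// pkg = { manifest: <parsed package.json>, files: { relativePath: fileContents } }
function auditPackage(pkg) {
  const findings = [];
  const scripts = (pkg.manifest && pkg.manifest.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== "string") continue;
    // Scan the command line itself, then each script file it runs.
    const targets = [["<command>", command]];
    for (const file of referencedScripts(command)) {
      if (pkg.files && typeof pkg.files[file] === "string") targets.push([file, pkg.files[file]]);
    }
    for (const [where, text] of targets) {
      for (const ind of INDICATORS) {
        if (ind.re.test(text)) findings.push({ package: pkg.manifest.name, hook, where, indicator: ind.name });
      }
    }
  }
  return findings;
}

// Constructed sample packages for this example; neither is a real npm package.
const BENIGN = {
  manifest: { name: "sample-lib", scripts: { postinstall: "node scripts/build.js" } },
  files: { "scripts/build.js": "require('fs').mkdirSync('dist', { recursive: true });" },
};
const SUSPECT = {
  manifest: { name: "warbeast-lookalike", scripts: { postinstall: "node index.js" } },
  files: { "index.js": 'const src = "https://pastebin.example/raw/PLACEHOLDER"; // constructed\n' +
                       'const keyPath = require("os").homedir() + "/.ssh/id_rsa";\n' },
};

console.log(JSON.stringify(auditPackage(SUSPECT), null, 2)); // prints two findings for index.js
```

To use it on a real dependency tree, build `pkg` from each `node_modules/*/package.json` and the files it references; anything flagged goes to a human review queue rather than being blocked automatically.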


Attackers set up rogue GitHub repos with malware posing as zero-day exploits



In an unusual attack campaign, a hacker has been setting up rogue GitHub repositories that claim to host zero-day exploits for popular applications but which instead deliver malware.

The attacker also created fake GitHub and Twitter accounts posing as security researchers and even used real photos of researchers from well-known cybersecurity firms.

“The attacker has made a lot of effort to create all these fake personas, only to deliver very obvious malware,” researchers from security firm VulnCheck, who found the rogue repositories, said in a report.

“It’s unclear if they have been successful but given that they’ve continued to pursue this avenue of attacks, it seems they believe they will be successful.”

While attacks that target security researchers are not a new development, they are relatively rare and more likely to be the work of advanced persistent threat (APT) groups looking to gain access to sensitive information that researchers have access to.

This was the case with a campaign reported by Google’s Threat Analysis Group in 2021 where a government-backed North Korean entity created a web of fake accounts posing as security researchers on Twitter, Telegram, LinkedIn, and other social media platforms and used them to promote proof-of-concept exploits for existing vulnerabilities that were posted on a blog and in YouTube videos.

How the GitHub fake account campaign works

The fake accounts were used to contact other real researchers and invite them to collaborate. As part of the communication, a Visual Studio project with proof-of-concept exploit code was shared, but this project also included a malicious DLL that deployed malware on the victim’s computer.

Separately, some researchers who visited the blog had their up-to-date systems exploited, suggesting the attackers had access to some zero-day exploits.


Slack Discloses Breach of Its Github Code Repository


Ever since Elon Musk spent $44 billion on Twitter and laid off a large percentage of the company’s staff, there have been concerns about data breaches. Now it seems a security incident that predates Musk’s takeover is causing headaches. This week, it emerged that hackers released a trove of 200 million email addresses and their links to Twitter handles, which were likely gathered between June 2021 and January 2022. The sale of the data may put anonymous Twitter accounts at risk and heap further regulatory scrutiny on the company.

WhatsApp has launched a new anti-censorship tool that it hopes will help people in Iran to avoid government-enforced blocks on the messaging platform. The company has made it possible for people to use proxies to access WhatsApp and avoid government filtering. The tool is available globally. We’ve also explained what pig-butchering scams are and how to avoid falling into their traps.

Also this week, cybersecurity firm Mandiant revealed that it has seen Russian cyberespionage group Turla using innovative new hacking tactics in Ukraine. The group, which is believed to be connected to the FSB intelligence agency, was spotted piggybacking on dormant USB infections of other hacker groups. Turla registered expired domains of years-old malware and managed to take over its command-and-control servers.

We also reported on the continued fallout of the EncroChat hack. In June 2020, police across Europe revealed they had hacked into the encrypted EncroChat phone network and collected more than 100 million messages from its users, many of them potentially serious criminals. Now thousands of people have been jailed based on the intelligence gathered, but the bust is raising wider questions around law enforcement hacking and the future of encrypted phone networks.

But that’s not all. Each week, we round up the security stories we didn’t cover in-depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

On December 31, as millions of people were preparing for the start of 2023, Slack posted a new security update to its blog. In the post, the company says it detected a “security issue involving unauthorized access to…
