Tag Archive for: crooks

Crooks manipulate GitHub’s search results to distribute malware

/in


Crooks manipulate GitHub’s search results to distribute malware

Pierluigi Paganini
April 13, 2024

Researchers warn threat actors are manipulating GitHub search results to target developers with persistent malware.

Checkmarx researchers reported that threat actors are manipulating GitHub search results to deliver persistent malware to developers systems.

Attackers behind this campaign create malicious repositories with popular names and topics, they were observed using techniques like automated updates and fake stars to boost search rankings.

“By leveraging GitHub Actions, the attackers automatically update the repositories at a very high frequency by modifying a file, usually called “log”, with the current date and time or just some random small change. This continuous activity artificially boosts the repositories’ visibility, especially for instances where users filter their results by “most recently updated,” increasing the likelihood of unsuspecting users finding and accessing them.” reads the report published by Checkmarx. “While automatic updates help, the attackers combine another technique to amplify the effectiveness of their repo making it to the top results. The attackers employed multiple fake accounts to add bogus stars, creating an illusion of popularity and trustworthiness.”

To evade detection, threat actors concealed the malicious code in Visual Studio project files (.csproj or .vcxproj), it is automatically executed when the project is built.

GitHub malware

The researchers noticed that the payload is delivered based on the victim’s origin, and is not distributed to users in Russia.

In the recent campaign, the threat actors used a sizable, padded executable file that shares similarities with the “Keyzetsu clipper” malware.

The recent malware campaign involves a large, padded executable file that shares similarities with the “Keyzetsu clipper” malware, targeting cryptocurrency wallets.

On April 3rd, the attacker updated the code in one of their repositories, linking to a new URL that downloads a different encrypted .7z file. The archive contained an executable named feedbackAPI.exe.

Threat actors padded the executable with numerous zeros…

Source…

Hackers Exploit Interest in Criminal Version of ChatGPT to Scam Other Crooks

/in


A malicious version of ChatGPT designed to assist cybercriminals has ended up scamming crooks interested in buying access to the service.

In July, we wrote about WormGPT, a chatbot built from open-source code that promised to help hackers churn out phishing messages and malware in return for a monthly fee. The news set off concerns that generative AI could lower the bar for computer hacking, thus fueling cybercrime.

But in a bit of irony, it looks like the WormGPT brand has become more of a threat to hackers than to the public. Antivirus provider Kaspersky noticed several websites that claim to offer access to WormGPT, but seem designed to scam would-be customers into giving up their funds, without actually getting access to WormGPT.

The sites, which can be found on the open internet and through a Google search, have been dressed up with official-looking information about WormGPT. However, Kaspersky suspects the pages are really just phishing pages, designed to trick users in submitting their credit card information or forking over their cryptocurrency to access the malicious chatbot. 

The websites are also likely fake because the creator of WormGPT apparently abandoned the project last month after his identity was exposed. According to security journalist Brian Krebs, WormGPT’s creator is a 23-year-old Portuguese programmer named Rafael Morais, who has since backtracked on marketing his chatbot for malicious purposes. 

Following the report, the user account promoting WormGPT announced in a hacking forum that their team was bailing on the project. “With great sadness, I come to inform everyone about the end of the WormGPT project. From the beginning, we never thought we would gain this level of visibility, and our intention was never to create something of this magnitude,” the account wrote

Weeks before the shutdown, the official WormGPT account on Telegram also warned about scammers impersonating the chatbot’s brand. “We don’t have any website and either any other groups in any platform,” the post said. “The rest are resellers or scammers!”

“Can’t believe how people still getting scammed in 2023,” the same account later added. 

But even though WormGPT…

Source…

Cisco security appliance 0-day is under attack by ransomware crooks

/in


Cisco Systems headquarters in San Jose, California, US, on Monday, Aug. 14, 2023. Cisco Systems Inc. is scheduled to release earnings figures on August 16. Photographer: David Paul Morris/Bloomberg via Getty Images
Enlarge / Cisco Systems headquarters in San Jose, California, US, on Monday, Aug. 14, 2023. Cisco Systems Inc. is scheduled to release earnings figures on August 16. Photographer: David Paul Morris/Bloomberg via Getty Images

Cisco on Thursday confirmed the existence of a currently unpatched zero-day vulnerability that hackers are exploiting to gain unauthorized access to two widely used security appliances it sells.

The vulnerability resides in Cisco’s Adaptive Security Appliance Software and its Firepower Threat Defense, which are typically abbreviated as ASA and FTD. Cisco and researchers have known since last week that a ransomware crime syndicate called Akira was gaining access to devices through password spraying and brute-forcing. Password spraying, also known as credential stuffing, involves trying a handful of commonly used passwords for a large number of usernames in an attempt to prevent detection and subsequent lockouts. In brute-force attacks, hackers use a much larger corpus of password guesses against a more limited number of usernames.

Ongoing attacks since (at least) March

“An attacker could exploit this vulnerability by specifying a default connection profile/tunnel group while conducting a brute force attack or while establishing a clientless SSL VPN session using valid credentials,” Cisco officials wrote in an advisory. “A successful exploit could allow the attacker to achieve one or both of the following:

  • Identify valid credentials that could then be used to establish an unauthorized remote access VPN session.
  • Establish a clientless SSL VPN session (only when running Cisco ASA Software Release 9.16 or earlier).

The ASA is an all-in-one security device that provides firewall, antivirus, intrusion prevention, and virtual private network protections. The FTD is Cisco’s next-generation device that combines the ASA capabilities with a finer-grained management console and other more advanced features. The vulnerability, tracked as CVE-2023-20269, stems from the devices’ improper separation of authentication, authorization, and accounting in remote access among their VPN, HTTPS management, and site-to-site…

Source…

Ransomware crooks are exploiting IBM file exchange bug with a 9.8 severity

/in


Ransomware crooks are exploiting IBM file exchange bug with a 9.8 severity

Threat actors are exploiting a critical vulnerability in an IBM file-exchange application in hacks that install ransomware on servers, security researchers have warned.

The IBM Aspera Faspex is a centralized file-exchange application that large organizations use to transfer large files or large volumes of files at very high speeds. Rather than relying on TCP-based technologies such as FTP to move files, Aspera uses IBM’s proprietary FASP—short for Fast, Adaptive, and Secure Protocol—to better utilize available network bandwidth. The product also provides fine-grained management that makes it easy for users to send files to a list of recipients in distribution lists or shared inboxes or workgroups, giving transfers a workflow that’s similar to email.

In late January, IBM warned of a critical vulnerability in Aspera versions 4.4.2 Patch Level 1 and earlier and urged users to install an update to patch the flaw. Tracked as CVE-2022-47986, the vulnerability makes it possible for unauthenticated threat actors to remotely execute malicious code by sending specially crafted calls to an outdated programming interface. The ease of exploiting the vulnerability and the damage that could result earned CVE-2022-47986 a severity rating of 9.8 out of a possible 10.

On Tuesday, researchers from security firm Rapid7 said they recently responded to an incident in which a customer was breached using the vulnerability.

“Rapid7 is aware of at least one recent incident where a customer was compromised via CVE-2022-47986,” company researchers wrote. “In light of active exploitation and the fact that Aspera Faspex is typically installed on the network perimeter, we strongly recommend patching on an emergency basis, without waiting for a typical patch cycle to occur.”

According to other researchers, the vulnerability is being exploited to install ransomware. Sentinel One researchers, for instance, said recently that a ransomware group known as IceFire was exploiting CVE-2022-47986 to install a newly minted Linux version of its file-encrypting malware. Previously, the…

Source…