NPM JavaScript registry suffers massive influx of malware, report says


The popular NPM JavaScript package manager and registry has been hit with an influx of malicious packages, the most harmful of which are related to data theft, crypto mining, botnets, and remote code execution, according to research from security company WhiteSource.

WhiteSource’s automated malware detection platform, WhiteSource Diffend, detected a total of 1,300 malicious packages on NPM over a six-month period ending in December 2021.

WhiteSource reported all of the malicious packages it identified to NPM, and they were subsequently removed from the package registry.


How Phishers Are Slinking Their Links Into LinkedIn


If you received a link to LinkedIn.com via email, SMS or instant message, would you click it? Spammers, phishers and other ne’er-do-wells are hoping you will, because they’ve long taken advantage of a marketing feature on the business networking site which lets them create a LinkedIn.com link that bounces your browser to other websites, such as phishing pages that mimic top online brands (but chiefly LinkedIn’s parent firm Microsoft).

At issue is a “redirect” feature available to businesses that choose to market through LinkedIn.com. The LinkedIn redirect links allow customers to track the performance of ad campaigns while promoting off-site resources. These links, or “Slinks,” all have a standard format: “https://www.linkedin.com/slink?code=” followed by a short alphanumeric variable.

Here’s the very first Slink created: http://www.linkedin.com/slink?code=1, which redirects to the homepage for LinkedIn Marketing Solutions.

The trouble is, there’s little to stop criminals from leveraging newly registered or hacked LinkedIn business accounts to create their own ad campaigns using Slinks. Urlscan.io, a free service that provides detailed reports on any scanned URLs, also offers a historical look at suspicious links submitted by other users. This search via Urlscan reveals dozens of recent phishing attacks that have leveraged the Slinks feature.

Here’s one example from Jan. 31 that uses Linkedin.com links to redirect anyone who clicks to a site that spoofs Adobe, and then prompts users to log in to their Microsoft email account to view a shared document.

A recent phishing site that abused LinkedIn’s marketing redirect. Image: Urlscan.io.

Urlscan also found this phishing scam from Jan. 12 that uses Slinks to spoof the U.S. Internal Revenue Service. Here’s a Feb. 3 example that leads to a phish targeting Amazon customers. This Nov. 26 sample from Urlscan shows a LinkedIn link redirecting to a Paypal phishing page.

Let me be clear that the activity described in this post is not new. Way back in 2016, security firm Fortinet blogged about LinkedIn’s redirect being used to promote phishing sites and online pharmacies. More recently in late 2021, Jeremy Fuchs of Avanan wrote that the use of a LinkedIn URL may mean that any profession — the market for LinkedIn — could click.

“Plus, more employees have access to billing and invoice information, meaning that a spray-and-pray campaign can be effective,” Fuchs wrote. “The idea is to create a link that contains a clean page, redirecting to a phishing page.”

In a statement provided to KrebsOnSecurity, LinkedIn said it has “industry standard technologies in place for URL sharing and chained redirects that help us identify and prevent the spread of malware, phishing and spam.” LinkedIn also said it uses third-party services — such as Google Safe Browsing, Spamhaus, Microsoft, and others — to identify known-bad URLs.

KrebsOnSecurity couldn’t find any evidence of phishers recently using LinkedIn’s redirect to phish LinkedIn credentials, but that’s certainly not out of the question. In a less complex attack, an adversary could send an email appearing to be a connection request from LinkedIn that redirects through LinkedIn to a malicious or phishous site.

Also, malicious or phishous emails that leverage LinkedIn’s Slinks are unlikely to be blocked by anti-spam or anti-malware filters, because LinkedIn is widely considered a trusted domain, and the redirect obscures the link’s ultimate destination.

LinkedIn’s parent company — Microsoft Corp — is by all accounts the most-phished brand on the Internet today. A report last year from Check Point found roughly 45 percent of all brand phishing attempts globally target Microsoft. Check Point said LinkedIn was the sixth most phished brand last year.

The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark to avoid potential typosquatting sites.
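The filtering logic a mail gateway could apply to the Slink abuse described above, as an added example that is not code from KrebsOnSecurity or LinkedIn: it spots linkedin.com/slink links in a message, follows the redirect chain one hop at a time, and flags any Slink whose final landing host is neither LinkedIn nor an expected destination. The redirect map, the `constructed_fetch` helper and the sample email are constructed stand-ins for real HTTP responses.

```python
import re
from urllib.parse import urlparse

# Added illustration of gateway filtering for LinkedIn "Slink" redirect abuse;
# not code from KrebsOnSecurity or LinkedIn. All sample data is constructed.

URL_RE = re.compile(r"https?://[^\s<>\"']+")
SLINK_RE = re.compile(r"https?://(?:www\.)?linkedin\.com/slink\?code=[A-Za-z0-9]+", re.I)

# Constructed redirect map standing in for real HTTP Location headers.
CONSTRUCTED_REDIRECTS = {
    "https://www.linkedin.com/slink?code=abc123": "https://adobe-share.example.net/doc",
    "https://adobe-share.example.net/doc": "https://login-microsoft.example.net/",
    # code=1 really points at LinkedIn Marketing Solutions; the target URL
    # here is a constructed placeholder on linkedin.com.
    "https://www.linkedin.com/slink?code=1": "https://www.linkedin.com/marketing-placeholder",
}

def constructed_fetch(url):
    """Stand-in for a HEAD request that returns the Location header, or None."""
    return CONSTRUCTED_REDIRECTS.get(url)

def find_slinks(text):
    """Return every LinkedIn Slink URL in a message body, in order of appearance."""
    return [u for u in URL_RE.findall(text) if SLINK_RE.fullmatch(u)]

def resolve_chain(url, fetch_location, max_hops=5):
    """Follow redirects one hop at a time so every hop is recorded.
    Stops on a final page, on a loop, or when max_hops is reached."""
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain

def host_in(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def assess_slink(url, fetch_location, expected_destinations=()):
    """Classify a Slink by where it finally lands: a trusted-domain link that
    bounces to an unrelated host is the pattern the phishing cases above share."""
    chain = resolve_chain(url, fetch_location)
    final_host = (urlparse(chain[-1]).hostname or "").lower()
    if host_in(final_host, ("linkedin.com",)) or host_in(final_host, expected_destinations):
        verdict = "ok"
    else:
        verdict = "suspicious: linkedin.com redirect lands on " + final_host
    return {"url": url, "chain": chain, "final_host": final_host, "verdict": verdict}

def scan_message(text, fetch_location=constructed_fetch, expected_destinations=()):
    """Assess every Slink in a message; a gateway would quarantine on any 'suspicious'."""
    return [assess_slink(u, fetch_location, expected_destinations) for u in find_slinks(text)]

# Constructed sample message mimicking the "shared document" lure described above.
SAMPLE_EMAIL = """A document has been shared with you.
Open it here: https://www.linkedin.com/slink?code=abc123
Learn about our marketing tools: https://www.linkedin.com/slink?code=1
Unsubscribe: https://news.example.org/unsub
"""

if __name__ == "__main__":
    for result in scan_message(SAMPLE_EMAIL):
        print(result["verdict"], "->", " -> ".join(result["chain"]))
```

Recording each hop rather than letting the HTTP client auto-follow is what makes the intermediate spoofed-brand page visible in the gateway log.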


Google adds Python to its differential privacy repertoire


Google has announced it’s adding Python to the languages supported by one of its open-source projects designed to bolster privacy on the internet. The project includes a library and tools for using differential privacy, a technology designed to preserve an individual’s privacy in large data sets.

“Previously, our differential privacy library was available in three programming languages,” Miguel Guevara, a product manager in Google’s Privacy and Data Protection Office, wrote in the company’s developers blog. “Now, we’re making it available in Python, reaching nearly half of the developers worldwide. This means millions more developers, researchers and companies will be able to build applications with industry-leading privacy technology, enabling them to obtain insights and observe trends from their data sets while protecting and respecting the privacy of individuals.”


Education Provider Infosec Announces New Cybersecurity Scholarships


Cybersecurity education provider Infosec Institute is offering scholarships to 15 individuals from underrepresented groups in the cybersecurity industry. 

The $225k in scholarship opportunities will be meted out to veterans, people who identify as BIPOC, students, women who are actively pursuing a career in cybersecurity and members of the LGBTQI+ communities.

Infosec said the scholarships are intended to reduce the cyber skills and diversity gaps in the industry.

The latest opportunities are part of the institute’s Accelerate Scholarship Program, which has awarded over $500k to aspiring cybersecurity professionals since it was set up in 2018.

Under the program, 15 scholarship recipients are selected each year to receive lifetime subscriptions to the virtual cybersecurity training resource Infosec Skills, which includes access to more than 1,400 practical courses, certification training and hundreds of virtual labs in the institute’s cloud-hosted cyber ranges.

“The need for trained cyber professionals continues to grow, and so does our commitment to helping aspiring professionals advance their careers or get started in this industry,” said Jack Koziol, Infosec CEO and founder. 

“Cybersecurity education can be cost and time prohibitive. Our goal with these scholarships is to break down the barrier of entry, helping fill security roles with talent who bring new perspectives and experiences to our industry.”

Applicants must be at least 18 years old and resident in the United States. The deadline to apply for the 2022 Infosec Accelerate Scholarship Program is July 31 2022. Successful applicants will be announced in the first week of September.

The Infosec Accelerate Undergraduate Scholarship is open to college students actively pursuing an associate or bachelor’s degree in a cybersecurity-related field. To apply, students must have a GPA of 3.0 or higher. 

“Now in the fifth year of offering this program, we’re proud to support the growth of our scholarship winners,” said Koziol. 

“We’ve seen many successes with our previous recipients; the motivation and drive they have to learn is inspiring. We will continue to push for and provide opportunities for all types of people to excel in the cybersecurity industry.”


Iranian APT group uses previously undocumented Trojan for destructive access to organizations


Researchers have come across a previously undocumented Trojan used by an APT group of Iranian origin that, since last year, has been targeting organizations in Israel and other countries with the intention of damaging their infrastructure.

The group, tracked as Moses Staff by researchers from security firm Cybereason, has been operating since at least September 2021 and its primary goal is to steal sensitive data. It also deploys file encrypting malware, but unlike ransomware, the goal is to cause business disruption and cover its tracks rather than financial gain.

Who is Moses Staff?

Moses Staff’s malicious activities were first documented last year by researchers from Check Point after a wave of attacks targeting organizations in Israel. Over the past two years there have been several groups targeting organizations in the country with ransomware-like attacks and lengthy negotiations, but Moses Staff stands out because its motivation is purely political.


DHS Creates Cyber Safety Review Board


The United States Department of Homeland Security has established a Cyber Safety Review Board (CSRB) to investigate “significant cyber incidents.” 

Mandated via President Joe Biden’s May 12 2021 executive order (EO 14028) on improving the nation’s cybersecurity, the board “shall review and assess, with respect to significant cyber incidents […] affecting Federal Civilian Executive Branch Information Systems or non-Federal systems, threat activity, vulnerabilities, mitigation activities and agency responses.”

The CSRB, which was chartered on September 21 2021, will only operate in an advisory capacity.

Rob Silvers, the DHS undersecretary for strategy, policy and plans, has been selected to chair the board for two years. Together with Cybersecurity and Infrastructure Security Agency director Jen Easterly, Silvers will choose up to 20 individuals to serve as board members.

CSRB will be formed by a mixture of government workers and private sector representatives who may need to obtain security clearances. According to instructions included in Biden’s EO, the person chosen to serve as the board’s deputy chair should work in the private sector. 

Members will include at least one representative from the Department of Defense, the Department of Justice, DHS, CISA, the National Security Agency and the Federal Bureau of Investigation. 

A notice published in the Federal Register on Thursday stated: “The CSRB will convene following significant cyber-incidents that trigger the establishment of a Cyber Unified Coordination Group as provided by section V(B)(2) of Presidential Policy Directive (PPD) 41; at any time as directed by the President acting through the Assistant to the President for National Security Affairs (APNSA); or at any time the Secretary or CISA Director deems necessary.”

After reviewing a cyber-incident, the CSRB “may develop advice, information, or recommendations for the Secretary for improving cybersecurity and incident response practices and policy.”

The notice said that CSRB’s advice on cybersecurity would be made publicly available “whenever possible” but that some information may be redacted to prevent the disclosure of sensitive data.

DHS secretary Alejandro Mayorkas has exempted the board from the transparency rules of the Federal Advisory Committee Act “in recognition of the sensitive material utilized in CSRB activities and discussions.”


#Enigma2022: Contextual Security Should Supplement Machine Learning for Malware Detection


Malware continues to be one of the most effective attack vectors in use today, and it is often combatted with machine learning-powered security tools for intrusion detection and prevention systems.

According to Nidhi Rastogi, Assistant Professor at the Rochester Institute of Technology, machine learning security tools are not nearly as effective as they could be, because several different limitations often hinder them. Rastogi presented her views on the limitations of machine learning for security and a potential solution known as contextual security at a session on February 2 at the Enigma 2022 Conference.

A key challenge for contemporary machine learning security comes from false alerts. Rastogi explained that false alerts both waste organizations’ time and create security gaps that could expose an organization to unnecessary risk.

“It is very difficult to get rid of false positives and false negatives,” Rastogi said.

Why Machine Learning Models Generate False Alerts

Among the primary reasons machine learning models tend to generate false alerts is a lack of sufficient representative data.

Machine learning, by definition, is an approach in which a machine learns how to do something, usually through some form of training on a data set. If the training data set lacks the right data, the resulting model cannot identify all malware accurately.

Rastogi said that one possible way to improve machine learning security models is to integrate a continuous learning model. In that approach, as new attack vectors and vulnerabilities are discovered, the new data is continuously being used to train the machine learning system.

Adding Context to Boost Malware Detection Efficacy

However, getting the right data to train a model is often easier said than done. Rastogi suggests providing additional context as an opportunity to improve malware detection and machine learning models.

The additional context can be derived from third-party and open source threat intelligence (OSINT) sources, which provide threat reports and analysis of new and often novel attacks. The challenge with OSINT is that it usually arrives as unstructured data, blog posts and other formats that do not lend themselves to training a machine learning model.

“These reports are written in human-understandable language and provide context which otherwise wouldn’t be possible to capture in code,” Rastogi said.

Using Knowledge Graphs for Contextual Security

So how can unstructured data help to inform machine learning and improve malware detection? Rastogi and her team are attempting to use an approach known as a knowledge graph.

A knowledge graph is built on a graph database, which maps the relationships between different data points. According to Rastogi, the biggest advantage of knowledge graphs is that they make it possible to capture and better understand unstructured information written in human language.

“All of this combined data on a knowledge graph can help to identify or infer attack patterns when a malware threat is evolving,” she said. “That’s the advantage of using knowledge graphs, and that’s what our research is pursuing.”

By adding context and data lineage that help track the source of the data and its trustworthiness, Rastogi said that the overall accuracy of malware detection could be improved.

“We need to go beyond measuring the performance of machine learning models using accuracy and precision scores,” Rastogi said. “We want to be able to help analysts by inference with confidence and context.”


KP Snacks Hit by Cyber-attack


Brits could be facing a snack shortage following a cyber-attack on 169-year-old food producer KP Snacks.

The German-owned maker of KP Nuts, Hula Hoops, Choc Dips, Nik Naks and Butterkist popcorn was targeted by threat actors on Friday. After gaining access to the company’s network, hackers deployed ransomware and took the snack maker’s data hostage.

“As soon as we became aware of the incident, we enacted our cybersecurity response plan and engaged a leading forensic information technology firm and legal counsel to assist us in our investigation,” said the British-based firm, which is known internationally for its potato chips sold under brands that include McCoy’s, Tyrrell’s and POM-BEAR.

KP Snacks, which is owned by Intersnack, said that its internal IT teams are working with third-party experts to assess the situation.

Shoppers seeking their favorite snacks may go home disappointed as the website Better Retailing, which first published news of the attack, reported that retailers had been warned by KP Snacks of delays to deliveries. 

According to a letter sent out to shop owners and published by Better Retailing, KP Snacks “cannot safely process orders or dispatch goods” because of the cyber-attack.

Disruptions including late deliveries and cancellations could plague the snack maker “until the end of March at the earliest”. 

“While this is causing some disruption to our manufacturing and shipping processes, we are already working on plans to keep our products stocked and on shelves,” said the company in a statement. 

“We have been continuing to keep our employees, customers, and suppliers informed of any developments and apologize for any disruption this may have caused.”

BBC News reported that cyber-criminals have published on the dark net what appear to be personal documents from KP Snacks staff, featuring the company letterhead. The post threatened to publish more data unless a ransom was paid.

Keiron Holyome, vice president UK, Ireland, and Middle East at BlackBerry, commented: “This attack on KP Snacks underscores that the global cyber risk equally applies to British institutions and their supply chains, with KP Snacks now predicting shortages after a ransomware attack.

“It doesn’t matter whether it’s logistics, fuel or food – these supply chains present unique and complex challenges from a cybersecurity perspective.”


CVE-2022-20699, CVE-2022-20700, CVE-2022-20708: Critical Flaws in Cisco Small Business RV Series Routers


Cisco patches 15 flaws in Cisco Small Business RV Series Routers, including three with critical 10.0 CVSSv3 scores.

Update February 4: Cisco has updated their advisory to announce partial patches for the RV160 and RV260 Series Routers. The Solution section has been updated with this information.

Background

On February 2, Cisco published an advisory for 15 vulnerabilities in its Small Business RV Series Routers. Three of the 15 vulnerabilities listed in the advisory received a CVSSv3 score of 10.0, the highest possible rating.

| CVE | Type | CVSSv3 | Cisco Bug IDs |
|---|---|---|---|
| CVE-2022-20699 | Remote Code Execution Vulnerability | 10.0 | CSCwa13836 |
| CVE-2022-20700 | Privilege Escalation Vulnerability | 10.0 | CSCwa14564, CSCwa14565 |
| CVE-2022-20701 | Privilege Escalation Vulnerability | 9.0 | CSCwa12836, CSCwa13119 |
| CVE-2022-20702 | Privilege Escalation Vulnerability | 6.0 | CSCwa15167, CSCwa15168 |
| CVE-2022-20703 | Digital Signature Verification Bypass Vulnerability | 9.3 | CSCwa12748, CSCwa13115 |
| CVE-2022-20704 | SSL Certificate Validation Vulnerability | 4.8 | CSCwa13205, CSCwa13682 |
| CVE-2022-20705 | Improper Session Management Vulnerability | 5.3 | CSCwa14601, CSCwa14602, CSCwa32432, CSCwa54598 |
| CVE-2022-20706 | Command Injection Vulnerability | 8.3 | CSCwa14007, CSCwa14008 |
| CVE-2022-20707 | Command Injection | 7.3 | CSCwa12732 |
| CVE-2022-20708 | Command Injection | 10.0 | CSCwa13900 |
| CVE-2022-20749 | Command Injection | 7.3 | CSCwa36774 |
| CVE-2022-20709 | Arbitrary File Upload | 5.3 | CSCwa13882 |
| CVE-2022-20710 | Denial of Service | 5.3 | CSCvz88279, CSCvz94704 |
| CVE-2022-20711 | Arbitrary File Overwrite | 8.2 | CSCwa13888 |
| CVE-2022-20712 | Remote Code Execution | 7.3 | CSCwa18769, CSCwa18770 |

Analysis

CVE-2022-20699 is a remote code execution (RCE) vulnerability in the Cisco RV340, RV340W, RV345 and RV345P Dual WAN Gigabit Routers. According to Cisco, the flaw exists due to an insufficient boundary check within the Secure Socket Layer Virtual Private Network (SSL VPN) module of these devices. A remote, unauthenticated attacker could exploit this flaw by sending a specially crafted HTTP request to a vulnerable device that is “acting as an SSL VPN Gateway.” Successful exploitation would grant an attacker arbitrary code execution on the device with root privileges.

CVE-2022-20700, CVE-2022-20701, CVE-2022-20702 are elevation of privilege vulnerabilities in the RV160, RV160W, RV260, RV260P, RV260W, RV340, RV340W, RV345 and RV345P routers. According to Cisco, these vulnerabilities reside in the web-based management interface of its Cisco Small Business RV Series Routers. The most severe of these three flaws is CVE-2022-20700. A remote, unauthenticated attacker could exploit this vulnerability by “submitting specific commands” to a vulnerable device. Successful exploitation would elevate the attacker’s privileges, allowing them to execute arbitrary commands as root.

CVE-2022-20707, CVE-2022-20708 and CVE-2022-20749 are RCE vulnerabilities in the Cisco RV340, RV340W, RV345 and RV345P Dual WAN Gigabit Routers. The most severe of these three flaws is CVE-2022-20708. According to Cisco, all three vulnerabilities reside in the web-based management interface of these devices. A remote, unauthenticated attacker could exploit these vulnerabilities by sending a specially crafted input to a vulnerable device. Successful exploitation would grant an attacker arbitrary command execution privileges at the operating system level.

At least 8,400 RV34X devices are publicly accessible

According to searches conducted on Shodan, there are at least 8,400* publicly accessible RV34X devices.

| Router Model | Results |
|---|---|
| RV345 | 1,706 |
| RV345P | 616 |
| RV340W | 607 |
| RV340 | 5,472 |
| Total | 8,401 |

*These results were captured on February 2, 2022

Proof of concept

In its advisory, Cisco says it is aware of proof-of-concept (PoC) exploits for several of the patched vulnerabilities. However, none of the PoCs were hosted on public repositories like GitHub at the time this blog was published.

Solution

Cisco has released fixes for all 15 vulnerabilities for the RV340 and RV345 Series Routers. For the RV160 and RV260 Series routers, five of the vulnerabilities have been addressed in firmware release 1.0.01.07. The Cisco advisory notes that the additional fixes are expected soon. We recommend referring to the advisory to stay up to date on additional patches and recommendations from Cisco.

| Product Identifier | Vulnerable Version | Fixed Version |
|---|---|---|
| RV160, RV160W, RV260, RV260P, RV260W | 1.0.01.05 and below | 1.0.01.07 |
| RV340, RV340W, RV345 and RV345P | 1.0.03.24 | 1.0.03.26 and above |

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.
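An inventory check against the fixed versions in the advisory, as an added example that is neither a Tenable plugin nor Cisco code: it maps each model to its family, compares the running firmware numerically with the fixed release, and reports the RV160/RV260 release 1.0.01.07 as only partially patched because it addresses five of the 15 CVEs. The numeric-comparison rule, the `RV999` placeholder model and the inventory list are assumptions constructed for the example.

```python
# Added inventory check for the Cisco Small Business RV Series advisory above;
# not Tenable's plugin or Cisco's code. Fixed versions are taken from the
# advisory's table; the inventory below is constructed sample data.
# Assumption: a device counts as fixed when its firmware compares numerically
# >= the fixed release for its model family. For RV160/RV260, release 1.0.01.07
# addresses only five of the 15 CVEs, so it is reported as partially patched.

FIXED_VERSIONS = {
    # family: (first fixed firmware, all 15 CVEs addressed?)
    "RV34x": ("1.0.03.26", True),
    "RV16x/RV26x": ("1.0.01.07", False),
}

MODEL_FAMILY = {
    "RV160": "RV16x/RV26x", "RV160W": "RV16x/RV26x",
    "RV260": "RV16x/RV26x", "RV260P": "RV16x/RV26x", "RV260W": "RV16x/RV26x",
    "RV340": "RV34x", "RV340W": "RV34x", "RV345": "RV34x", "RV345P": "RV34x",
}

def parse_version(version):
    """Turn '1.0.03.24' into (1, 0, 3, 24) so releases compare numerically
    rather than as strings ('1.0.03.9' must sort below '1.0.03.26')."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected RV firmware version format: {version!r}")
    return tuple(int(p) for p in parts)

def assess(model, version):
    """Return 'vulnerable', 'patched', 'partially-patched' or 'not-in-advisory'."""
    family = MODEL_FAMILY.get(model.strip().upper())
    if family is None:
        return "not-in-advisory"
    fixed, complete = FIXED_VERSIONS[family]
    if parse_version(version) < parse_version(fixed):
        return "vulnerable"
    return "patched" if complete else "partially-patched"

def triage(inventory):
    """Map each (model, version) pair to its status; an unparseable version is
    flagged for manual review rather than silently treated as safe."""
    report = {}
    for model, version in inventory:
        try:
            report[(model, version)] = assess(model, version)
        except ValueError:
            report[(model, version)] = "unparseable-version"
    return report

def needs_action(report):
    """Devices an administrator must still act on after applying the advisory."""
    return sorted(k for k, v in report.items() if v not in ("patched", "not-in-advisory"))

# Constructed inventory; RV999 is a placeholder model outside the advisory.
CONSTRUCTED_INVENTORY = [
    ("RV340", "1.0.03.24"),
    ("RV345P", "1.0.03.26"),
    ("RV160W", "1.0.01.05"),
    ("RV260", "1.0.01.07"),
    ("RV999", "2.0.00.01"),
    ("RV340W", "unknown"),
]

if __name__ == "__main__":
    for device, status in triage(CONSTRUCTED_INVENTORY).items():
        print(device, status)
```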

Get more information

Cisco Security Advisory
