Developer sabotages own npm module prompting open-source supply chain security questions

The developer of a popular JavaScript component hosted on the npm repository decided to protest Russia’s invasion of Ukraine by adding code to his own component that would add or delete files on people’s computers in a way they didn’t expect. The component, called node-ipc, is a dependency for a variety of other projects, which had to issue emergency updates to stop the undesired behavior they unwittingly inherited.

It’s the second time something like this has happened this year in the Node.js community, and some people have started referring to such acts of self-sabotage by developers as protestware. Experts believe that while developers certainly have the right to modify their own software, such acts risk damaging trust in the open-source ecosystem, which has faced increased supply-chain security challenges in recent years.

New Rootkit Used by UNC2891 for ATM Money Heist

FortiGuard Labs is aware of a report that a threat actor known as UNC2891 used a previously unknown rootkit to capture banking card and PIN verification data from compromised ATM switch servers. The captured data was used to perform fraudulent transactions. Dubbed Caketap, the rootkit allows the threat actor to hide network connections, processes, and files, and to install several hooks into system functions to receive commands and configurations from the attacker’s remote server.

Why is this Significant?

This is significant because the previously unknown Caketap rootkit deployed by the threat actor for Oracle Solaris systems provides stealth for the attacker’s activities, and the data it steals can be used for unauthorized financial transactions. The attacks carried out by UNC2891 are financially motivated and could cause great financial damage to the targeted financial institutions.

What is Caketap?

Caketap is a kernel module rootkit used by UNC2891 on Oracle Solaris systems. The rootkit is used to hide network connections, processes, and files, and to install several hooks into system functions to receive commands and configurations from the attacker’s remote server.

The rootkit is capable of intercepting certain messages sent to the Payment Hardware Security Module (HSM) in order to disable proper banking card verification and return a valid response to approve fraudulent banking cards. It also examines PIN verification messages. If PIN verification messages are not for a fraudulent banking card, Caketap does not disrupt valid verification but saves the messages. If Caketap detects PIN verification messages for fraudulent banking cards, it replays the previously saved valid messages to bypass PIN verification.

Thales, an HSM vendor, describes the Payment Hardware Security Module (HSM) as “a hardened, tamper-resistant hardware device that is used primarily by the retail banking industry to provide high levels of protection for cryptographic keys and customer PINs used during the issuance of magnetic stripe and EMV chip cards (and their mobile application equivalents) and the subsequent processing of credit and debit card payment transactions”.

What is UNC2891?

UNC2891 is a threat actor whose main motivation is reportedly financial gain and which has been active for several years. The threat actor is known to have extensive knowledge not only of Oracle Solaris systems, but also of Linux and Unix systems.

What Other Tools does UNC2891 Use?

The following tools are reported to have been used by the threat actor:
- SLAPSTICK – Pluggable Authentication Module (PAM) based backdoor
- Custom version of TINYSHELL – backdoor
- STEELHOUND – in-memory dropper
- STEELCORGI – in-memory dropper
- SUN4ME – toolkit containing tools for network spying, host enumeration, exploiting known vulnerabilities and wiping logs
- WINGHOOK – keylogger for Linux and Unix systems
- WINGCRACK – utility used to decode and display the information collected by WINGHOOK
- BINBASH – ELF utility that executes a shell after the group ID and user ID are set to either “root” or specified values
- WIPERIGHT – ELF utility for Linux and Unix systems used to clear specific logs
- MIGLOGCLEANER – ELF utility for Linux and Unix systems used to wipe logs or remove certain strings from logs

What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage:
Linux/Agent.T!tr
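As an added illustration from the defender's side (not part of the FortiGuard post or of the report it summarizes), the following Python script reconciles a constructed ATM switch approval log against a constructed HSM verification log. The log formats, field names, request ids and response ids are all assumptions made for this example; the point it demonstrates is that an HSM response replayed by a rootkit on the switch host leaves mismatches that can be caught off-host: an approval with no matching HSM verification, an approval whose HSM result was FAIL, or a single HSM response id cited by more than one approval.

```python
"""Reconcile an ATM switch's authorization log against the Payment HSM's own
verification log to spot approvals the HSM never actually granted.

Constructed example: the key=value line formats, request ids (req=...) and
response ids (resp=...) are hypothetical; real switch and HSM audit formats differ.
"""
import re
from collections import Counter

# Constructed switch log: one line per authorization decision.
# req 1003 cites the same HSM response as req 1001 (a replayed response);
# req 1004 was approved although the HSM log below records a FAIL.
SWITCH_LOG = """\
ts=2022-03-10T10:00:01 req=1001 pan=400000******0002 hsm_resp=0x9a1f decision=APPROVE
ts=2022-03-10T10:00:07 req=1002 pan=400000******0010 hsm_resp=0x9a20 decision=DECLINE
ts=2022-03-10T10:00:15 req=1003 pan=555555******4444 hsm_resp=0x9a1f decision=APPROVE
ts=2022-03-10T10:00:22 req=1004 pan=555555******4444 hsm_resp=0x9a21 decision=APPROVE
ts=2022-03-10T10:00:30 req=1005 pan=400000******0002 hsm_resp=0x9a22 decision=APPROVE
"""

# Constructed HSM log: one line per PIN verification the HSM actually performed.
# Note there is no entry for req 1003: the HSM never saw that request.
HSM_LOG = """\
ts=2022-03-10T10:00:01 req=1001 resp=0x9a1f result=OK
ts=2022-03-10T10:00:07 req=1002 resp=0x9a20 result=FAIL
ts=2022-03-10T10:00:22 req=1004 resp=0x9a21 result=FAIL
ts=2022-03-10T10:00:30 req=1005 resp=0x9a22 result=OK
"""

LINE_RE = re.compile(r"(\w+)=(\S+)")


def parse(log):
    """Turn key=value log lines into a list of dicts, skipping blank lines."""
    return [dict(LINE_RE.findall(line)) for line in log.splitlines() if line.strip()]


def reconcile(switch_log, hsm_log):
    """Return (request id, reason) findings for approvals the HSM log does not support."""
    hsm_by_req = {entry["req"]: entry for entry in parse(hsm_log)}
    approvals = [entry for entry in parse(switch_log) if entry["decision"] == "APPROVE"]
    # How many approvals cite each HSM response id; a genuine response is used once.
    response_uses = Counter(entry["hsm_resp"] for entry in approvals)

    findings = []
    for entry in approvals:
        hsm_entry = hsm_by_req.get(entry["req"])
        if hsm_entry is None:
            findings.append((entry["req"], "approved but HSM has no verification record"))
        elif hsm_entry["result"] != "OK":
            findings.append((entry["req"], f"approved but HSM result was {hsm_entry['result']}"))
        elif hsm_entry["resp"] != entry["hsm_resp"]:
            findings.append((entry["req"], "approved with a response id the HSM did not issue for this request"))
        uses = response_uses[entry["hsm_resp"]]
        if uses > 1:
            findings.append((entry["req"], f"HSM response {entry['hsm_resp']} reused across {uses} approvals"))
    return findings


if __name__ == "__main__":
    for req, reason in reconcile(SWITCH_LOG, HSM_LOG):
        print(f"req {req}: {reason}")
```

Because Caketap runs as a kernel module on the switch server itself, any check performed on that host can be hooked along with everything else; the value of this kind of reconciliation comes from running it on a separate system against the HSM's own audit record, which the rootkit on the switch cannot rewrite.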

CVE-2020-25197

A code injection vulnerability exists in one of the webpages in GE Reason RT430, RT431 & RT434 GNSS clocks in firmware versions prior to version 08A06 that could allow an authenticated remote attacker to execute arbitrary code on the system.

CVE-2020-25193

By having access to the hard-coded cryptographic key for GE Reason RT430, RT431 & RT434 GNSS clocks in firmware versions prior to version 08A06, attackers would be able to intercept and decrypt encrypted traffic through an HTTPS connection.

CVE-2020-25184

Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x stores the password in plaintext in a file that is in the same directory as the executable file. ISaGRAF Runtime reads the file and saves the data in a variable without any additional modification. A local, unauthenticated attacker could compromise the user passwords, resulting in information disclosure.

CVE-2020-25182

Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x searches for and loads DLLs as dynamic libraries. Uncontrolled loading of dynamic libraries could allow a local, unauthenticated attacker to execute arbitrary code. This vulnerability only affects ISaGRAF Runtime when running on Microsoft Windows systems.
