Pro-Ukraine ‘Protestware’ Pushes Antiwar Ads, Geo-Targeted Malware

Read Time:3 Minute, 10 Second

Researchers are tracking a number of open-source “protestware” projects on GitHub that have recently altered their code to display “Stand with Ukraine” messages for users, or basic facts about the carnage in Ukraine. The group also is tracking several code packages that were recently modified to erase files on computers that appear to be coming from Russian or Belarusian Internet addresses.

The upstart tracking effort is being crowdsourced via Telegram, but the output of the Russian research group is centralized in a Google Spreadsheet that is open to the public. Most of the GitHub code repositories tracked by this group include relatively harmless components that will either display a simple message in support of Ukraine, or show statistics about the war in Ukraine — such as casualty numbers — and links to more information on the Deep Web.

For example, the popular library ES5-ext hadn’t updated its code in nearly two years. But on March 7, the code project added a component “postinstall.js,” which checks to see if the user’s computer is tied to a Russian Internet address. If so, the code broadcasts a “Call for peace:”

A message that appears for Russian users of the popular es5-ext code library on GitHub. The message has been Google-Translated from Russian to English.

A more concerning example can be found at the GitHub page for “vue-cli,” a popular Javascript framework for building web-based user interfaces. On March 15, users discovered a new component had been added that was designed to wipe all files from any systems visiting from a Russian or Belarusian Internet address (the malicious code has since been removed):

Readers complaining that an update to the popular Vue-Cli package sought to wipe files if the user was coming from a Russian IP address.

“Man, I love politics in my APIs,” GitHub user “MSchleckser” commented wryly on Mar. 15.

The crowdsourced effort also blacklisted a code library called “PeaceNotWar” maintained by GitHub user RIAEvangelist.

“This code serves as a non-destructive example of why controlling your node modules is important,” RIAEvangelist wrote. “It also serves as a non-violent protest against Russia’s aggression that threatens the world right now. This module will add a message of peace on your users’ desktops, and it will only do it if it does not already exist just to be polite. To include this module in your code, just run npm i peacenotwar in your code’s directory or module root.”

Alex Holden is a native Ukrainian who runs the Minneapolis-based cyber intelligence firm Hold Security. Holden said the real trouble starts when protestware is included in code packages that get automatically fetched by a myriad of third-party software products. Holden said some of the code projects tracked by the Russian research group are maintained by Ukrainian software developers.

“Ukrainian and sadly non-Ukrainian developers are modifying their public software to trigger malware or pro-Ukraine ads when deployed on Russian computers,” Holden said. “And we see this effort, which is the Russians trying to defend against that.”

Commenting on the malicious code added to the “Vue-cli” application, GitHub user “nm17” said a continued expansion of protestware would erode public trust in open-source software.

“The Pandora’s box is now opened, and from this point on, people who use opensource will experience xenophobia more than ever before, EVERYONE included,” NM17 wrote. “The trust factor of open source, which was based on good will of the developers is now practically gone, and now, more and more people are realizing that one day, their library/application can possibly be exploited to do/say whatever some random dev on the internet thought ‘was the right thing they to do.’ Not a single good came out of this ‘protest.’”

Read More

openvpn-2.5.6-1.el9

Read Time:19 Second

FEDORA-EPEL-2022-7a48f758c5

Packages in this update:

openvpn-2.5.6-1.el9

Update description:

This is a maintenance release of OpenVPN 2.5 with a security fix when used in server mode (CVE-2022-0547). The other changes are available in Changes.rst.

NOTE: Please read the CVE description carefully if you use authentication plug-ins with a server configuration.

Read More

Fortress creates center for security information on energy suppliers

Read Time:22 Second

A new library designed to be a centralized source of security information and communication for energy company suppliers was announced Tuesday by Fortress Information Security. The Asset to Vendor Library Trust Center is a project of Fortress, American Electric Power and Southern Company, and offers a way for suppliers to connect with their customers and provide information about their supply chain security practices.

To read this article in full, please click here

Read More

openvpn-2.4.12-1.el8

Read Time:29 Second

FEDORA-EPEL-2022-883139a5ce

Packages in this update:

openvpn-2.4.12-1.el8

Update description:

This is a security and bugfix release of OpenVPN 2.4 with a security fix when used in server mode (CVE-2022-0547). The other changes are available in Changes.rst.

NOTE: Please read the CVE description carefully if you use authentication plug-ins with a server configuration.

WARNING: OpenVPN 2.4 will from now only receive security and critical bug fixes for the next 12 months. Please consider to upgrade to OpenVPN 2.5 via Fedora Copr builds.

Read More

openvpn-2.4.12-1.el7

Read Time:29 Second

FEDORA-EPEL-2022-3f443e2e1e

Packages in this update:

openvpn-2.4.12-1.el7

Update description:

This is a security and bugfix release of OpenVPN 2.4 with a security fix when used in server mode (CVE-2022-0547). The other changes are available in Changes.rst.

NOTE: Please read the CVE description carefully if you use authentication plug-ins with a server configuration.

WARNING: OpenVPN 2.4 will from now only receive security and critical bug fixes for the next 12 months. Please consider to upgrade to OpenVPN 2.5 via Fedora Copr builds.

Read More

USN-5333-2: Apache HTTP Server vulnerabilities

Read Time:57 Second

USN-5333-1 fixed several vulnerabilities in Apache. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.

Original advisory details:

Chamal De Silva discovered that the Apache HTTP Server mod_lua module
incorrectly handled certain crafted request bodies. A remote attacker could
possibly use this issue to cause the server to crash, resulting in a denial
of service. (CVE-2022-22719)

James Kettle discovered that the Apache HTTP Server incorrectly closed
inbound connection when certain errors are encountered. A remote attacker
could possibly use this issue to perform an HTTP Request Smuggling attack.
(CVE-2022-22720)

It was discovered that the Apache HTTP Server incorrectly handled large
LimitXMLRequestBody settings on certain platforms. In certain
configurations, a remote attacker could use this issue to cause the server
to crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2022-22721)

Ronald Crane discovered that the Apache HTTP Server mod_sed module
incorrectly handled memory. A remote attacker could use this issue to cause
the server to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2022-23943)

Read More

Deepfence revamps ThreatMapper with new scanner, runtime SBOMs

Read Time:32 Second

Deepfence, a security observability and protection company, is releasing ThreatMapper 1.3.0, the latest version of its open-source threat intelligence platform, with two new features — a secret-scanning tool and runtime SBOM (software bill of materials).

The latest version of the software will feature a new open-source scanning tool, SecretScanner, which can be accessed through the ThreatMapper UI and API, and will allow users to scan for and report sensitive “secrets” left inadvertently within production workloads and container images in registries.  Secrets refer to sensitive pieces of information including encryption keys, authentication tokens, and passwords. 

To read this article in full, please click here

Read More

News, Advisories and much more

Exit mobile version