Malicious ‘Lolip0p’ PyPi Packages Install Info-Stealing Malware

(published: January 16, 2023)

Background:

On January 10, 2023, Fortinet researchers detected an actor named Lolip0p offering malicious packages on the Python Package Index (PyPI) repository. The packages came with detailed, convincing descriptions pretending to be legitimate HTTP clients or, in one case, a legitimate improvement for a terminal user interface. Installing the libraries dropped info-stealing malware targeting browser data and Discord authentication tokens.

Takeaway:

Free repositories such as PyPI are increasingly abused by threat actors. Before adding a package, software developers should review its author and reviews, and check the source code for any suspicious or malicious intent.

Analysis of FG-IR-22-398 – FortiOS – Heap-Based Buffer Overflow in SSLVPNd

(published: January 11, 2023)

Background:

In December 2022, the network security company Fortinet fixed a critical heap-based buffer overflow vulnerability (FG-IR-22-398, CVE-2022-42475) in FortiOS SSL-VPN. The vulnerability was exploited as a zero-day by an advanced persistent threat (APT) actor who customized a Linux implant specifically for FortiOS on the relevant FortiGate hardware versions. The targeting was likely aimed at governmental or government-related organizations. Attribution is not clear, but the compilation timezone of UTC+8 may point to China, Russia, and some other countries.

Takeaway:

Users of the affected products should make sure that the December 2022 FortiOS security updates are applied. Zero-day attacks can sometimes be detected by less conventional methods, such as behaviour analysis and heuristic or machine-learning-based detection systems. Network defenders are advised to monitor for suspicious traffic, such as suspicious TCP sessions carrying GET requests for payloads.

Malicious JARs and Polyglot Files: “Who Do You Think You JAR?”

(published: January 11, 2023)

Background:

Deep Instinct researchers have detected a number of malicious JAR files with data prepended to make them appear to be a different file type. Some were functional polyglot files: MSI+JAR and CAB+JAR polyglots. Others began with a non-functional PE header or binary junk. The payloads were two remote access trojans (RATs): StrRAT and Ratty. It is possible that all studied samples were created by the same actor, as some shared C2 infrastructure and many shared the same BelCloud LTD hosting.

Takeaway:

JAR files with prepended data are misidentified by the Linux file command, which trusts the magic bytes at the start of the file. Network defenders should monitor as JARs all files passed to the java or javaw process with the -jar argument.
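The misidentification described above happens because the JVM locates a JAR's ZIP structure from the end of the file, while file-type tools look at offset 0. The following detector, an added example that is not part of the Deep Instinct report, classifies a blob the way the JVM does and reports how many bytes were prepended; the sample polyglot it builds (a tiny JAR behind a fake "MZ" header) is constructed here for illustration.

```python
# Added example: classify a file as a JAR by its ZIP End-of-Central-Directory (EOCD)
# record at the END of the file, instead of trusting the magic bytes at offset 0.
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"    # End of Central Directory signature
EOCD_MIN = 22               # fixed-size part of the EOCD record
LOCAL_SIG = b"PK\x03\x04"   # what `file` expects at offset 0 for a ZIP/JAR

def analyze_jar(data: bytes) -> dict:
    """Return a JAR verdict plus how many bytes were prepended before the real archive."""
    verdict = {"is_jar": False, "zip_magic_at_start": data[:4] == LOCAL_SIG, "prepended_bytes": 0}
    # The EOCD lies within the last 22 + 65535 bytes (variable-length comment field).
    eocd = data.rfind(EOCD_SIG, max(0, len(data) - EOCD_MIN - 0xFFFF))
    if eocd < 0 or eocd + EOCD_MIN > len(data):
        return verdict
    # Layout: sig(4) disk(2) cd_disk(2) entries_disk(2) entries(2) cd_size(4) cd_offset(4) comment_len(2)
    _, _, _, _, _, cd_size, cd_offset, _ = struct.unpack("<4sHHHHIIH", data[eocd:eocd + EOCD_MIN])
    # cd_offset is relative to the original archive start, but the central directory really
    # sits right before the EOCD; the difference is the junk (PE/MSI/CAB header) prepended.
    prepended = (eocd - cd_size) - cd_offset
    if prepended < 0:
        return verdict
    try:
        # zipfile tolerates leading junk exactly as the JVM does, so the payload still loads.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return verdict
    verdict["prepended_bytes"] = prepended
    verdict["is_jar"] = "META-INF/MANIFEST.MF" in names
    return verdict

def build_sample_polyglot(junk: bytes) -> bytes:
    """Constructed sample: a minimal JAR with arbitrary bytes stuck in front of it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)  # class-file magic + padding
    return junk + buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_polyglot(b"MZ" + b"\x90" * 62)   # 64 bytes of constructed junk
    print(analyze_jar(sample))   # is_jar True, zip_magic_at_start False, prepended_bytes 64
```

In a monitoring pipeline, run analyze_jar over every file handed to java/javaw with -jar; a non-zero prepended_bytes with is_jar True is the polyglot pattern the report describes.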

DDosia Project: Volunteers Carrying out NoName(057)16’s Dirty Work

(published: January 11, 2023)

Background:

A pro-Russian DDoS group called NoName057(16) has been targeting Poland, Latvia, Lithuania, and Ukraine (in order of intensity). In September 2022, the group relied on a botnet of infected machines. After it was taken down, NoName057(16) started building a volunteer hacktivist DDoS collective. Their Python-based DDoS tool, named DDosia, has Linux/macOS and Windows versions. Avast researchers detected 2,200 DDoS targets and estimated the overall success rate at 13% and increasing. To incentivise its followers, the group regularly announces cryptocurrency payments of several hundred US dollars to its top performers.

Takeaway:

DDosia's current capability is relatively low, but it can be enough to take down web services that do not expect heavier network traffic. Hacktivist groups tend to use DDoS attacks as their main vector against businesses and government entities they are unhappy with. Denial-of-service attacks can cost your company revenue, because severe attacks can shut down online services for extended periods of time. Organizations should implement DDoS protection measures and put a business continuity plan in place in case they become the target of a significant DDoS attack.

StrongPity Espionage Campaign Targeting Android Users

(published: January 10, 2023)

Background:

ESET researchers identified a new campaign attributed to the Turkey-sponsored Promethium (StrongPity) APT. The attackers copied a video-chat service website and offered an Android app for download that is actually a trojanized version of the Telegram messenger. Installation leads to modular, fully functional spyware, similar to the Android spyware used by Promethium in a previous campaign targeting Syria. If the targeted user grants the trojanized app accessibility services permission, it can expand its information gathering to exfiltrate communications from 17 apps such as Gmail, Messenger, Skype, Tinder, and Viber.

Takeaway:

Always use the Google Play Store to obtain your software, and avoid downloading applications from third-party stores even if they appear legitimate. Accessibility services and other excessive permission requests from an app should raise concern. Install anti-virus software on your mobile device. Note that rooting your device lowers its protections against malware such as Android/StrongPity.

Security Now! #905: 1

(published: January 10, 2023)

Background:

The LastPass password manager uses Password-Based Key Derivation Function 2 (PBKDF2) to protect stored user passwords. In January 2023, the Security Now! research community revealed that some user vaults in LastPass had the PBKDF2 iteration count set to 5000, 500, or just 1. This makes brute-force attacks on the hashed memorized secrets practical; these numbers are significantly lower than the recommendations from OWASP (310,000 iterations for PBKDF2-HMAC-SHA256) and NIST (as many as verification server performance will allow, typically at least 10,000 iterations). Another concern around the previously disclosed LastPass breach is the unencrypted “LastTouch” field, which contains a time code showing when the last logon to each stored domain occurred.

Takeaway:

Over the years, threat actors have accumulated more brute-forcing power through advances in technology and cloud abuse. It is important to follow current best practices for password storage. If your passwords and secrets were potentially exposed in a breach while not hashed securely according to modern standards, it is safest to assume they are compromised and change the passwords as soon as possible.
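One way to keep legacy records from staying at 5000, 500 or 1 iterations is to embed the iteration count in each stored verifier and re-derive it at policy strength on the next successful login. The code below is an added example, not LastPass's implementation; the "$pbkdf2-sha256$iters$salt$hash" record format is a constructed PHC-style layout, and the 310,000 minimum is the OWASP figure cited above.

```python
# Added example: PBKDF2-HMAC-SHA256 verifiers that carry their iteration count and are
# transparently upgraded to the OWASP minimum when a user logs in successfully.
import base64
import hashlib
import hmac
import os

OWASP_MIN_ITERATIONS = 310_000   # OWASP recommendation for PBKDF2-HMAC-SHA256 (from the report)
SALT_BYTES = 16
KEY_BYTES = 32

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))

def make_record(password: str, iterations: int = OWASP_MIN_ITERATIONS, salt: bytes = b"") -> str:
    """Encode a verifier as '$pbkdf2-sha256$<iterations>$<salt>$<hash>' (constructed format)."""
    salt = salt or os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, KEY_BYTES)
    return f"$pbkdf2-sha256${iterations}${_b64(salt)}${_b64(dk)}"

def parse_record(record: str):
    """Return (iterations, salt, expected_hash) from a stored record."""
    _, algo, iters, salt, dk = record.split("$")
    if algo != "pbkdf2-sha256":
        raise ValueError("unsupported algorithm: " + algo)
    return int(iters), _unb64(salt), _unb64(dk)

def needs_upgrade(record: str) -> bool:
    """True when the stored iteration count is below policy, e.g. the 5000/500/1 vaults."""
    return parse_record(record)[0] < OWASP_MIN_ITERATIONS

def verify_and_upgrade(password: str, record: str):
    """Return (ok, record). On success, a below-policy record is replaced by a fresh one
    derived with a new salt at OWASP_MIN_ITERATIONS; the caller persists the result."""
    iterations, salt, expected = parse_record(record)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, len(expected))
    if not hmac.compare_digest(actual, expected):   # constant-time comparison
        return False, record
    if iterations < OWASP_MIN_ITERATIONS:
        return True, make_record(password)
    return True, record

if __name__ == "__main__":
    legacy = make_record("correct horse battery", iterations=1)   # constructed weak record
    ok, upgraded = verify_and_upgrade("correct horse battery", legacy)
    print(ok, needs_upgrade(legacy), needs_upgrade(upgraded))   # True True False
```

Upgrading on login only; the server never sees the plaintext otherwise, so records of users who never log in again must be handled by policy (forced reset) rather than by re-hashing.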

Crypto-Inspired Magecart Skimmer Surfaces via Digital Crime Haven

(published: January 9, 2023)

Background:

A new skimming campaign using the Mr.SNIFFA framework was detected by Malwarebytes researchers. For its domains, the campaign uses the theme of cryptocurrency and of public figures known in the cryptocurrency industry. Judging from the domain naming and hosting information, the same actor may be involved in crypto giveaway scams. The Russia-based hosting provider DDoS-Guard hosts these domains together with other threats, including Bitcoin mixers, carding and crimeware sites, fake e-commerce shops, and malware distribution sites.

Takeaway:

Site administrators should be aware of their supply-chain dependencies and remove any that are unsupported or abandoned. Keep your systems updated and secure the administrator panel with two-factor authentication or other access restrictions. If your site was infected, perform a core file integrity check, search for any other files containing the same injection, and review any recently modified or added files.
