What is GitHub?

GitHub is a massive platform for hosting code. Researchers worldwide use it to share PoC exploits with the information security community. This helps others test patches and determine the scale and impact of bugs. Last year, there were 10 million occurrences of secrets being exposed on GitHub, a 67% increase from the previous year.

Fake Security Company Spreads Malware in GitHub

A team of VulnCheck experts is closely monitoring a large number of GitHub repositories as part of an Exploit Intelligence offering. During a routine check in early May, researchers discovered a malicious repository on GitHub that claimed to be Signal 0-day. Then it was removed. The next day, an almost identical repository was discovered under a different account, this time claiming to be WhatsApp Zero Day. But it, too, was deleted by the GitHub team. This process continued for a month.

After that, the attackers created a whole network of accounts, including half a dozen GitHub accounts and several related Twitter accounts. These accounts pretend to be part of a defunct security company called High Sierra Cyber Security. Here is an example of one such account:

According to technical engineers, threat actors now use code repositories to trick unaware developers into doing their work for them. These actors have focused on social engineering tactics to make the repository owner appear legitimate, but their malware on Github is quite easy to identify. Since there’s plenty of room for improvement, these attacks may become much more effective.

All the repositories have a straightforward structure depicted in the image below. Additionally, they use the “hot” CVE tagging to entice potential victims.

How it works?

The code in poc.py downloads a harmful binary and runs it. The Python script will download a particular payload based on the target’s operating system. This Discord “0-day” exploit utilizes the code mentioned above to carry out these tasks.

Afterward, poc.py obtains one of two zip files from GitHub: cveslinux.zip or cveswindows.zip. The program unzips the file, saves it to the computer’s disk, and then runs it. However, the Windows binary has a high detection rate on VirusTotal (43/71). In contrast, the Linux binary has a lower detection rate (3/62) but does contain some strings that suggest its purpose.

Conclusions:

An attacker has put much effort into creating fake identities to spread obvious malware in GitHub. They may have been successful, but since they continue to use this method, they must think it will work. It needs to be clarified if this is an individual with too much free time or a more advanced campaign like the one discovered by Google TAG in January 2021.

Regardless, security researchers should be aware that they are attractive targets for cybercriminals and should exercise caution when downloading code from GitHub. Constantly scrutinize the code you’re about to execute and avoid using anything you don’t understand. Use virtual or dedicated machines on which you do not risk losing your data. There, precautions are never excessive, especially considering the severity of malware on GitHub.

Your security may have been compromised if you’ve interacted with any of the accounts listed:

GitHub Accounts

Malicious Repositories

Twitter Accounts

The post Malware in GitHub Repositories Is Spread From Fake Security Company Name appeared first on Gridinsoft Blog.

The vulnerability is already being exploited in attacks by highly skilled hacker groups.

The exploit was published by Privacy Piiano founder and CEO Gil Dabah, who discovered the vulnerability two years ago.

Daba said he chose not to report his discovery to Microsoft because it was very difficult to get money through its vulnerability bounty program.

The vulnerability, identified as CVE-2022-21882, could allow aт attacker to elevate his privileges on the local system.

Microsoft mentioned RyeLv as the researcher who discovered the vulnerability. The researcher submitted his description of the input type mismatch vulnerability in Win32k.sys on January 13, 2022.

Investment in the program was also the top recommendation of RyeLv’s technical analysis for Microsoft. He told how to “kill the bug class”:

Let me remind you that we also wrote that Zerodium offers up to $400,000 for exploits for Microsoft Outlook, and also that Google recruits a team of experts to find bugs in Android applications.

The post 0-day vulnerability remained unpatched for 2 years due to Microsoft bug bounty issues appeared first on Gridinsoft Blog.

Previously, the maximum payout was $250,000. For similar bugs in Mozilla Thunderbird, the company is willing to pay up to $200,000.

Let me remind you that the Zerodium company, founded in 2015, has been buying up exploits for various zero-day vulnerabilities for a long time, in order to then resell them to governments and law enforcement agencies around the world. To do this, the company has its own bug bounty program, in which researchers can sell exploits for up to $2.5 million (depending on the type and nature of the bug).

In addition, from time to time the company holds “bug-fixing” campaigns, during which it buys exploits for a particular software at special prices. Previously, similar promotions were held for Pidgin, WordPress, hypervisors, popular VPN products, and so on.

Rewards for bugs in Mozilla Thunderbird and Microsoft Outlook have also been temporarily increased, the company said on Twitter.

Zerodium does not specify which platform the exploits should target, but both email clients have versions for all three major operating systems—Windows, macOS, and Linux.

Many information security experts noted that a successful hack into either of the two email clients would give the attacker access not only to the user’s computer, but also to all mailboxes managed through the compromised client. Since account passwords can be extracted from the client, this also means that the party using the exploit will later be able to access cloud accounts.

You might also be interested to read that Researchers noticed that the darknet is discussing exploits as a service, and that a PoC exploit was published for fresh vulnerability in Ghostscript.

The post Zerodium offers up to $400,000 for exploits for Microsoft Outlook appeared first on Gridinsoft Blog.

The patch was released as part of the 2.15.0 release.

The vulnerability was named Log4Shell and scored 10 out of 10 points on the CVSS vulnerability rating scale. The bug allows remote arbitrary code execution (RCE). Yesterday’s information security researcher aggravated the problem, p0rz9 published a PoC exploit on Twitter, and the vulnerability can be exploited remotely, and this does not require special technical skills.

The problem was originally discovered while searching for bugs on Minecraft servers, but Log4j is present in almost all corporate applications and Java servers. For example, the library can be found in almost all enterprise products the Apache Software Foundation released, including Apache Struts, Apache Flink, Apache Druid, Apache Flume, Apache Solr, Apache Flink, Apache Kafka, Apache Dubbo, and so on. Log4j is also actively used in various open-source projects, including Redis, ElasticSearch, Elastic Logstash, Ghidra, and others.

Thus, companies using any of these products are also indirectly vulnerable to attacks on Log4Shell, but may even know about it. Information security specialists already report that solutions of giants like Apple, Amazon, Twitter, Cloudflare, Steam, Tencent, Baidu, DIDI, JD, NetEase, and probably thousands of other companies may be vulnerable to Log4Shell.

p0rz9 wrote that CVE-2021-44228 could only be exploited if the log4j2.formatMsgNoLookups parameter is set to false. KnownSec 404 Team reports that Log4j 2.15.0 has set this parameter to true to prevent attacks. Log4j users who have upgraded to version 2.15.0 and then set the flag to false will again be vulnerable to attacks.

Moreover, Log4j users who have not updated, but have set the flag to true, will still be able to block attacks even on older versions.

Unfortunately, this also means that all older versions are at risk, where this parameter is set to false by default. That is, all previous releases of Log4j, starting with 2.10.0, are vulnerable.

According to experts from Bad Packets and Greynoise, several cybercriminals are already scanning the network in search of applications that may be vulnerable to Log4Shell, which means that there is almost no time left to install patches.

Let me remind you that I also talked about the fact that the IIS bug with worm potential poses a threat to WinRM servers.

The post 0-day In Log4j Library Poses A Threat To Many Applications & Servers appeared first on Gridinsoft Blog.

The attack is based on the use of bidirectional control characters in source code comments. Such characters, known as BiDi (“bidirectional”), are Unicode control characters that are used within a text string to signal the transition from LTR (left to right) to RTL (right to left) mode and vice versa.

In practice, these characters are used exclusively for software applications and are invisible to humans, since they are only used to embed text with a different reading direction in large blocks of text (for example, to insert lines in Arabic or Hebrew).

Researchers have found that most compilers and code editors have no protocols for handling BiDi symbols or signalling their presence in source comments.

According to experts, attackers can insert BiDi control characters into comments that people cannot see, and upon compilation, they will move text from the comment field into executable code or move code in comments, thereby exposing applications to attacks and bypassing security checks.

In addition to compilers, several code editors and hosting services, as listed in the table below, are also reported to be affected.

In addition, according to experts, source code compilers are vulnerable to another problem (CVE-2021-42694) related to homoglyphs. During such attacks, classic Latin letters are replaced with similar characters from other alphabets.

The researchers write that the second attack can be used to create two different functions that look the same to the human eye but are actually different. Anderson and Boucher claim that in this way, an attacker can covertly add malicious code to a project.

The researchers summarize that compilers and editors should detect bidirectional control characters and homoglyphs and be sure to communicate them to people. So far, however, only the developers behind the official Rust compiler have released the update.

Let me remind you that I also wrote that Expert hacked 70% of Wi-Fi networks in Tel Aviv for research.

The post Trojan Source attack is dangerous for compilers of most programming languages appeared first on Gridinsoft Blog.

The exploit was published by a Vietnamese information security specialist who is known online under the pseudonym Nguyen The Duc. The code is already available on GitHub, and the effectiveness of the exploit has been confirmed by several leading researchers.

This is indeed a thing. https://t.co/W3yVcUnTJz pic.twitter.com/mDEih91fRa

— Will Dormann (@wdormann) September 5, 2021

Ghostscript, which dates back to 1988, is a small library that allows applications to process PDF documents and PostScript-based files. While Ghostscript is primarily used in desktop software, it is also used on the server side as it is often included in image converting and file uploading toolkits such as ImageMagick.

The exploit introduced this week allows an attacker to download a malformed SVG file that escapes the image processor and runs malicious code on the underlying OS.

Interestingly, the vulnerability for which the exploit was created was not discovered by Nguyen The Duc. The credit goes to Emil Lerner, CTO and founder of Wunderfund, who found the bug last year and used it to get rewards from companies like Airbnb, Dropbox and Yandex. Details of the vulnerability went public last month after Lerner gave a talk at the ZeroNight conference.

Additionally, the researcher shared a link to his presentation.

The Record reports that there is still no patch for this vulnerability, moreover, the Artifex company, which is behind the development of Ghostscript, reported that no one had officially notified it about this problem. The company said that it is “more and more frustrated with cybersecurity researchers who neglect the ethical disclosure of potentially dangerous security vulnerabilities,” and promised to release a fix as soon as possible.

Let me remind you that we also admitted that the GitHub Developers Review Exploit Posting Policy Due to Recent Scandal.

The post PoC exploit published for fresh vulnerability in Ghostscript appeared first on Gridinsoft Blog.

When the exploit was published, the researchers found that the patch released in June did not completely fix the problem. Moreover, the publication of the exploit has left many researchers confused, and some have suggested that PrintNightmare is a standalone zero-day vulnerability that needs its own fix.

For example, Mitya Kolsek, head of Acros Security and co-founder of 0Patch, wrote about this on Twitter.

The problem affects all versions of Windows, can even affect XP and Vista, and helps remotely execute arbitrary code with SYSTEM privileges, which allows an attacker to install programs, view, modify or delete data, and create new accounts with user rights.

There is no patch for this vulnerability yet, and Microsoft experts reported that the problem is already being exploited in real life, although the company did not specify whether this is being done by cybercriminals or information security researchers.

Microsoft engineers offered administrators several solutions to the problem. For example, it is recommended to disable Print Spooler completely by blocking printing locally and remotely. It is also possible to disable incoming remote printing through Group Policy, which will block the main vector of potential attacks. In the second case, “the system will no longer function as a print server, but local printing from directly connected devices will still be possible.”

Now a third option has appeared: the experts involved in the development of the 0patch solution have prepared temporary patches (or micro-patches) for this problem. Let me remind you that 0patch is a platform designed just for such situations, that is, fixing 0-day and other unpatched vulnerabilities, to support products that are no longer supported by manufacturers, custom software, and so on.

Micropatches are available for Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2008 R2, as well as Windows 10 v20H2, Windows 10 v2004, and Windows 10 v1909.

The post Unofficial patch published for PrintNightmare vulnerability appeared first on Gridinsoft Blog.