Threat Update: Linux Backdoor Malware Infects WordPress-Based Websites
PyTorch Discloses Malicious Dependency Chain Compromise Over Holidays
(published: January 1, 2023)
Background:
Between December 25th and December 30th, 2022, users who installed PyTorch-nightly were served a malicious library. The malicious torchtriton package on PyPI used a dependency confusion attack: it carried the same name as the legitimate dependency hosted on the PyTorch package index, and the PyPI copy takes precedence unless that index is excluded.
The actor behind the malicious library claims that it was part of ethical research and that he alerted some affected companies via HackerOne programs (Facebook was allegedly alerted). At the same time, the library's features are more aligned with malware than with a research project. The code is obfuscated, it employs anti-VM techniques, and it does not stop at fingerprinting: it exfiltrates passwords, certain files, and the history of terminal commands.
Stolen data is sent to the C2 domain via encrypted DNS queries using the wheezy[.]io DNS server.
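A detection-side illustration of the DNS exfiltration channel described above (added example, not code from the write-up): it flags queries carrying long, high-entropy labels and parent domains that receive many distinct subdomains. The log format and the `c2.example` domain are constructed stand-ins; the thresholds are assumptions to tune against local traffic.

```python
"""DNS-exfiltration detection for the tunnelling described above. Added example,
not the original write-up's code: flags queries carrying long, high-entropy
labels and parent domains receiving many distinct subdomains."""
from __future__ import annotations
import math
from collections import defaultdict

# Constructed log lines, format "<epoch> <client> <qname>". 'c2.example' stands
# in for the C2 domain named in the write-up; the hex labels are made up.
SAMPLE_LOG = """\
1672200001 10.0.0.5 pypi.org
1672200002 10.0.0.5 files.pythonhosted.org
1672200003 10.0.0.5 4a7f3c9e2b1d8f6a0c5e7b3d9f1a2c4e.h4.c2.example
1672200003 10.0.0.5 9c1e2f7a4b6d8e0f3a5c7b9d1f2e4a6c.h4.c2.example
1672200004 10.0.0.5 0f3e6d9c2b5a8e1f4d7c0b3a6e9f2d5c.h4.c2.example
1672200005 10.0.0.7 www.example.com
"""
MIN_LABEL_LEN = 20    # encoded chunks are long; ordinary hostnames rarely are
MIN_ENTROPY = 3.5     # bits/char; hex or base32 blobs sit above this

def shannon_entropy(s: str) -> float:
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def parent_domain(qname: str) -> str:
    """Last two labels; a production version would use the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def is_suspicious_label(label: str) -> bool:
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY

def analyse(log_text: str, unique_subdomain_threshold: int = 3) -> dict:
    """Return queries with suspicious labels and parents with many unique
    subdomains (volume alone catches chunked exfil with lower entropy)."""
    suspicious = []
    subs = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qname = line.split()
        labels = qname.rstrip(".").split(".")
        parent, prefix = parent_domain(qname), labels[:-2]
        if prefix:
            subs[parent].add(".".join(prefix))
        if any(is_suspicious_label(l) for l in prefix):
            suspicious.append((client, qname))
    noisy = sorted(p for p, s in subs.items() if len(s) >= unique_subdomain_threshold)
    return {"suspicious_queries": suspicious, "noisy_parents": noisy}
```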
Takeaway:
The presence of the malicious torchtriton binary can be detected, and it should be uninstalled. The PyTorch team has renamed the ‘torchtriton’ library to ‘pytorch-triton’ and reserved the name on PyPI to prevent similar attacks. Open-source repositories and apps are a valuable asset for many organizations, but their adoption must be risk-assessed, appropriately mitigated, and then monitored to ensure ongoing integrity.
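The dependency confusion mechanism and the "detect and uninstall" advice above, as an added example that is not the PyTorch project's tooling: `audit()` flags installed packages whose name exists on both a private index and PyPI, and reports whether the incident package is present. The index contents, the `pip freeze` output and the versions are constructed placeholders.

```python
"""Dependency-confusion audit for a Python environment. Added example, not the
PyTorch project's tooling: shows how a private-index package can be shadowed
by a same-named public one, and checks for the package named above."""
from __future__ import annotations
import re

# Constructed: names the private index (here the PyTorch index) is expected to
# serve; in practice taken from that index's simple API.
PRIVATE_INDEX_PACKAGES = {"torch", "torchvision", "torchtriton"}
# Constructed: names that also exist on PyPI; in practice each private name
# would be looked up at https://pypi.org/simple/<name>/.
PUBLIC_INDEX_PACKAGES = {"torchtriton", "numpy", "requests"}
# Constructed `pip freeze` output of an affected nightly environment; the
# versions are placeholders, not the real ones.
SAMPLE_FREEZE = """\
numpy==1.24.0
torch==2.0.0.dev20221227
torchtriton==2.0.0
torchvision==0.15.0.dev20221227
requests==2.28.0
"""
INCIDENT_PACKAGE = "torchtriton"  # name from the advisory

def normalize(name: str) -> str:
    """PEP 503 normalisation: 'Torch_Triton' and 'torch-triton' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_freeze(text: str) -> dict[str, str]:
    """Map normalised package name -> pinned version from pip-freeze output."""
    pins: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        pins[normalize(name)] = version
    return pins

def shadowable(private: set[str], public: set[str]) -> set[str]:
    """Private-index names a public package can shadow when pip is given both
    indexes (e.g. via --extra-index-url) and resolves the public copy first."""
    return {normalize(n) for n in private} & {normalize(n) for n in public}

def audit(freeze_text: str) -> dict:
    """List installed packages at risk of confusion and flag the incident
    package, which should be uninstalled if present."""
    installed = parse_freeze(freeze_text)
    risky = shadowable(PRIVATE_INDEX_PACKAGES, PUBLIC_INDEX_PACKAGES)
    return {"shadowable_installed": sorted(n for n in installed if n in risky),
            "incident_package_present": normalize(INCIDENT_PACKAGE) in installed}
```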
Linux Backdoor Malware Infects WordPress-Based Websites
(published: December 30, 2022)
Background:
Doctor Web researchers have discovered a new Linux backdoor that attacks websites based on the WordPress content management system. The latest version of the backdoor exploits 30 vulnerabilities in outdated versions of WordPress add-ons (plugins and themes). Pages of exploited websites are injected with malicious JavaScript that intercepts all user clicks on the infected page and triggers a malicious redirect.
Takeaway:
Owners of WordPress-based websites should keep all components of the platform up to date, including third-party add-ons and themes, and use strong, unique passwords for their accounts. It is not unusual for attackers to develop exploits for what might be considered ‘old’ vulnerabilities. This is because organizations don’t always maintain up-to-date patching across all their applications with equal diligence and rigor, and maintaining an accurate software inventory is challenging. This provides an attack surface that is visible to attackers but a blind spot for organizations.
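The inventory gap described above can be closed by reading the version header WordPress requires in every plugin's main PHP file and theme's style.css. The following is an added example, not Doctor Web's or WordPress's code; the plugin names, paths, versions and the "current version" list are constructed.

```python
"""Inventory check for WordPress add-ons. Added example, not Doctor Web's or
WordPress's code: parses the standard plugin/theme header and reports
components lagging behind a known-current version list."""
from __future__ import annotations
import re

# Constructed plugin/theme headers as found at the top of a plugin's main PHP
# file and a theme's style.css. Names, paths and versions are made up.
SAMPLE_HEADERS = {
    "wp-content/plugins/example-forms/example-forms.php": """\
<?php
/*
Plugin Name: Example Forms
Version: 1.2.0
*/
""",
    "wp-content/plugins/example-slider/example-slider.php": """\
<?php
/**
 * Plugin Name: Example Slider
 * Version:     3.4.9
 */
""",
    "wp-content/themes/example-theme/style.css": """\
/*
Theme Name: Example Theme
Version: 2.0.1
*/
""",
}
# Constructed "current" versions, e.g. pulled from the vendor's update feed.
CURRENT_VERSIONS = {"Example Forms": "1.2.0", "Example Slider": "3.5.0", "Example Theme": "2.1.0"}

HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Theme Name|Version):\s*(.+?)\s*$", re.M)

def parse_header(text: str) -> dict[str, str]:
    """Extract the header fields we need; tolerates both comment styles above."""
    return dict(HEADER_RE.findall(text))

def version_tuple(v: str) -> tuple[int, ...]:
    """Numeric compare so '1.10' sorts after '1.9' (string compare would not)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def outdated_components(headers: dict[str, str], current: dict[str, str]) -> list:
    """Return (path, name, installed, current) for every component behind current."""
    out = []
    for path, text in headers.items():
        h = parse_header(text)
        name, installed = h.get("Plugin Name") or h.get("Theme Name"), h.get("Version")
        latest = current.get(name) if name else None
        if installed and latest and version_tuple(installed) < version_tuple(latest):
            out.append((path, name, installed, latest))
    return out
```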
Learn about our Penetration Testing Services
“MasquerAds” — Google’s Ad-Words Massively Abused by Threat Actors, Targeting Organizations, GPUs and Crypto Wallets
(published: December 28, 2022)
Background:
Multiple campaigns have been abusing Google Ads, hiding malicious redirects by profiling for a one-time valid gclid value (Google’s identifier for the promotional click flow) as well as additional visitor information (geolocation, user agent, etc.). This fingerprinting, together with server-side forwarding, hides the malicious redirect from Google and from sandboxes. Threat actors are able to change malicious payloads daily, bundle the malware with legitimate software, bloat it to 500 MB and above, and host it on reputable file-sharing and code-hosting services such as Discord’s CDN, Dropbox, and GitHub.
One threat actor dubbed Vermux deployed hundreds of domains in servers located mostly in Russia, targeting mainly Canada and the US. Vermux concentrates on serving cryptominers via GPU-related search terms, but has been seen serving a variant of the Vidar trojan as well.
Takeaway:
Before clicking to download software, check whether the domain name is misspelled. As is always the case, end-user education and awareness remain a key component of any organization’s protective arsenal. Until search engines get better at recognizing this kind of redirect abuse, take extra caution with search results, especially promoted ones. Companies can protect their users by proactively monitoring for typosquatting attempts.
Twitter Data of “+400 Million Unique Users” up for Sale – What to Do?
(published: December 28, 2022)
Background:
A threat actor under the alias Ryushi claims to be selling private data of over 400 million unique users of the Twitter social network. The actor shared a sample that included a number of the most popular US politicians and business people. The stolen data exposes associated emails and phone numbers; it was likely scraped before Twitter fixed an API abuse vulnerability in 2021. The data enables deanonymization and potential harassment, stalking, and social engineering attempts. The attacker has specifically addressed Twitter with the claim that the company will face European General Data Protection Regulation (GDPR) breach fines if the ransom is not paid.
Takeaway:
Privacy protection regulations similar to GDPR are a double-edged sword: they push companies to be more secure around users’ data, but they also give additional leverage to attackers once a breach has occurred. High-profile Twitter users should prepare for potential spearphishing attacks via the email address and phone number associated with their account.
BlueNoroff Introduces New Methods Bypassing MoTW
(published: December 27, 2022)
Background:
Since September 2022, the financially motivated, North Korea-sponsored BlueNoroff group (a subgroup of the Lazarus Group) has modified its initial malware delivery steps while targeting the cryptocurrency and financial industries in Japan, the UAE, Taiwan, and the US. It has recently started to adopt new methods of malware delivery: BlueNoroff evades the Mark-of-the-Web flag by hiding a decoy document and a malicious script inside disk image (.ISO) and virtual hard disk (.VHD) files. The group was seen using multiple Living Off the Land Binaries, Visual Basic scripts, and Windows batch scripts.
Takeaway:
Unsolicited emails delivering ISO and VHD attachments should be handled with extreme caution. While preparing for its attacks, BlueNoroff acquires typosquatted domains.
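Both the MasquerAds takeaway (monitor for typosquatting) and the BlueNoroff note (typosquatted domains acquired before attacks) call for the same defensive check. The block below is an added example, not code from the write-up: it scores newly observed domains against protected brand labels using homoglyph folding and edit distance. The brand list, the domain feed and the homoglyph table are constructed assumptions.

```python
"""Typosquat monitoring. Added example, not the original write-up's code: scores
newly observed domains against protected brand labels using homoglyph folding
plus optimal-string-alignment (Damerau-Levenshtein) distance."""
from __future__ import annotations

PROTECTED_BRANDS = {"rootshellsecurity", "examplebank"}   # constructed list
# Constructed feed of newly observed domains (e.g. from certificate transparency).
NEW_DOMAINS = ["rootshelsecurity.com", "r00tshellsecurity.net", "examp1ebank.com",
               "exarnplebank.com", "weather-today.org", "rootshellsecurity.net"]
# Common look-alike substitutions; multi-character entries are applied first.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}

def fold_homoglyphs(label: str) -> str:
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(src, dst)
    return label

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting an adjacent transposition as one operation."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(domain: str, brands=PROTECTED_BRANDS, max_distance: int = 2):
    """Return (domain, brand, distance) for a near miss of a protected brand,
    None for unrelated domains and for the brand's own exact registrations."""
    sld = domain.lower().rstrip(".").split(".")[-2]
    folded = fold_homoglyphs(sld)
    brand, dist = min(((b, osa_distance(folded, b)) for b in brands), key=lambda t: t[1])
    homoglyph_hit = dist == 0 and folded != sld
    if homoglyph_hit or 0 < dist <= max_distance:
        return (domain, brand, dist)
    return None

def scan(domains=NEW_DOMAINS) -> list:
    """Hits from a feed; feed these to a registrar/CT alert rather than blocking blindly."""
    return [hit for hit in (classify(d) for d in domains) if hit]
```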
LastPass Finally Admits: Those Crooks Who Got in? They Did Steal Your Password Vaults, After All…
(published: December 23, 2022)
Background:
The LastPass password management company previously admitted to an August 2022 breach and a follow-up attack that exfiltrated some customer information. In late December 2022, LastPass revealed that the stolen customer data includes company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the service. Moreover, the threat actor was also able to copy a backup of customer vault data that included unencrypted URLs for the stored websites.
Takeaway:
LastPass users who used the default master-password complexity or stronger are likely safe from brute-force attempts to recover each of the passwords in the stolen vault. Other users are advised to change the master password and then change every password stored in the vault. Moreover, all LastPass users should raise their awareness of phishing attacks, as the stolen unencrypted data makes it easier to craft a convincing spearphishing message.
source https://www.rootshellsecurity.net/threat-update-linux-backdoor-malware-infects-wordpress-based-websites/