Widespread Vulnerability Uncovered: GitHub Repositories Prone to RepoJacking Attack
A recent study unveiled a massive security threat lurking in the depths of GitHub repositories: RepoJacking. Millions of repositories, including those owned by industry leaders like Google and Lyft, are potentially at risk from this attack. RepoJacking, also known as dependency repository hijacking, empowers malicious actors to seize control of obsolete usernames or organization names, and subsequently deploy trojanized repositories brimming with malicious code.
RepoJacking essentially targets the weak link in the system: when a repository owner changes their username, it creates a gateway for malevolent actors to assume the old username and shatter the secure link. Another risk comes into play when the original account gets deleted following a change in repository ownership, opening another avenue for cyber attackers to take control using the former username.
This form of attack could have far-reaching implications, particularly for projects that depend on the compromised repository. Cyber adversaries could poison the entire software supply chain by introducing harmful content fetched from repositories they control. To protect against such hazards, Aqua, the security firm behind the study, recommends routine checks of code for any links to external GitHub repositories and keeping control of old usernames.
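The "routine check for links to external GitHub repositories" above can be automated. The script below is an added example, not Aqua's tooling: it pulls `github.com/<owner>/<repo>` references out of dependency manifests (pip requirements, `go.mod`, archive URLs) and flags any whose owner/repo now redirects, which is the situation in which the old name may be registrable by someone else. The manifest text and the redirect table are constructed; a live resolver would query GitHub for each reference and report whether the repository moved (left as a plug-in so the example runs offline).

```python
"""Added example (not from Aqua's study): find GitHub repository references in
dependency manifests and flag those whose owner/repo has been renamed."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Matches github.com/<owner>/<repo> in https URLs, git+https specs, and Go module paths.
# Trailing ".git", "@tag", "#egg=..." and sub-paths are excluded from the repo name.
GITHUB_REF = re.compile(
    r"github\.com[/:](?P<owner>[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)/"
    r"(?P<repo>[A-Za-z0-9_.-]+?)(?:\.git)?(?=[/@#\s\"'\)]|$)"
)

# A resolver maps (owner, repo) to the (owner, repo) it redirects to, or None if it
# does not redirect. Real-world implementation: an HTTP GET on the repository with
# redirects disabled; a 301 Location header means the name has changed.
Resolver = Callable[[str, str], Optional[Tuple[str, str]]]


def extract_refs(manifest_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, owner, repo) for every GitHub reference in the text."""
    refs = []
    for line_no, line in enumerate(manifest_text.splitlines(), start=1):
        for m in GITHUB_REF.finditer(line):
            refs.append((line_no, m.group("owner"), m.group("repo")))
    return refs


def find_repojacking_candidates(manifest_text: str, resolve: Resolver) -> List[Dict[str, str]]:
    """Flag references that depend on a GitHub redirect from an old owner/repo name."""
    findings = []
    for line_no, owner, repo in extract_refs(manifest_text):
        target = resolve(owner, repo)
        if target is not None and target != (owner, repo):
            findings.append({
                "line": str(line_no),
                "reference": f"{owner}/{repo}",
                "redirects_to": f"{target[0]}/{target[1]}",
                "advice": "pin to the new name and verify the old namespace is still held",
            })
    return findings


# Constructed sample manifest mixing pip, Go and archive-URL styles.
SAMPLE_MANIFEST = """\
# requirements.txt (constructed sample)
requests==2.31.0
git+https://github.com/old-org/widget-lib.git@v1.4.0#egg=widget-lib
# go.mod style line
require github.com/stable-org/toolkit v1.2.3
https://github.com/old-org/helper/archive/refs/tags/v2.zip
"""

# Constructed redirect table standing in for live GitHub lookups.
_CONSTRUCTED_REDIRECTS = {
    ("old-org", "widget-lib"): ("new-org", "widget-lib"),
    ("old-org", "helper"): ("new-org", "helper"),
}


def constructed_resolver(owner: str, repo: str) -> Optional[Tuple[str, str]]:
    return _CONSTRUCTED_REDIRECTS.get((owner, repo))


def scan_sample() -> List[Dict[str, str]]:
    """Run the scan on the constructed manifest with the constructed resolver."""
    return find_repojacking_candidates(SAMPLE_MANIFEST, constructed_resolver)


if __name__ == "__main__":
    for finding in scan_sample():
        print(f"line {finding['line']}: {finding['reference']} -> {finding['redirects_to']}"
              f" ({finding['advice']})")
```

A redirect is only the signal; whether the old namespace is actually free depends on whether the original account still exists, so each finding should be confirmed by hand before deciding on a fix. Pinning to a commit hash rather than a branch or tag also limits what a hijacked repository can deliver.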
NSA Advises Measures to Thwart BlackLotus Bootkit Threatening Windows Systems
The U.S. National Security Agency (NSA) has issued guidelines to help organizations combat the powerful Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus. This advanced crimeware, first identified by Kaspersky in October 2022, is capable of bypassing Windows Secure Boot protections. BlackLotus achieves this feat by exploiting a known Windows flaw, Baton Drop, found in susceptible boot loaders not included in the Secure Boot DBX revocation list.
BlackLotus, unlike firmware-level threats, targets the earliest software stage of the boot process for persistence and evasion, and there is no evidence that it targets Linux systems. Given its position so early in the boot chain, BlackLotus enables threat actors to tamper with security mechanisms and launch additional payloads with elevated privileges.
The NSA suggests several mitigation measures, including updating recovery media, monitoring changes to the EFI boot partition, scrutinizing device integrity measurements and boot configuration, customizing UEFI Secure Boot to block outdated Windows boot loaders, and removing the Microsoft Windows Production CA 2011 certificate on devices that exclusively boot Linux. Microsoft is expected to fully close this attack vector by early 2024.
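One of the NSA's mitigations, monitoring changes to the EFI boot partition, comes down to taking a hash baseline of the EFI System Partition and diffing it on a schedule. The script below is an added example, not NSA or Microsoft code: it assumes the ESP is mounted somewhere like `/boot/efi` (Linux) and that the baseline JSON is kept off the monitored volume. Its `demo()` builds a constructed ESP layout in a temporary directory, baselines it, then simulates a replaced boot manager and a dropped extra loader so the diff has something to report.

```python
"""Added example: baseline-and-diff change monitoring of an EFI System Partition.
Not NSA or Microsoft code; paths and file contents in demo() are constructed."""
import hashlib
import json
import sys
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (ESP-relative POSIX path) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def diff_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files added to, removed from, or modified on the ESP since the baseline.
    Any entry under EFI/ on a production machine deserves investigation: legitimate
    changes there come only from OS updates or firmware tooling."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed ESP in a temp dir: baseline it, then simulate bootkit-style tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp)
        files = {
            "EFI/Microsoft/Boot/bootmgfw.efi": b"constructed windows boot manager",
            "EFI/Microsoft/Boot/BCD": b"constructed boot configuration data",
            "EFI/Boot/bootx64.efi": b"constructed fallback loader",
        }
        for rel, data in files.items():
            target = esp / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        baseline = build_manifest(esp)
        # Simulated tampering (constructed): boot manager replaced, extra loader dropped.
        (esp / "EFI/Microsoft/Boot/bootmgfw.efi").write_bytes(b"constructed replaced loader")
        (esp / "EFI/Microsoft/Boot/extra.efi").write_bytes(b"constructed dropped file")
        return diff_manifests(baseline, build_manifest(esp))


def main(argv: List[str]) -> int:
    """Usage: esp_monitor.py <esp-mount-point> <baseline.json>
    First run writes the baseline; later runs print the diff and exit 1 on any change."""
    if len(argv) != 3:
        print(json.dumps(demo(), indent=2))
        return 0
    esp, baseline_path = Path(argv[1]), Path(argv[2])
    current = build_manifest(esp)
    if not baseline_path.exists():
        baseline_path.write_text(json.dumps(current, indent=2))
        print(f"baseline written: {len(current)} files")
        return 0
    result = diff_manifests(json.loads(baseline_path.read_text()), current)
    print(json.dumps(result, indent=2))
    return 1 if any(result.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The diff alone does not tell you whether a changed loader is a vulnerable one: pair it with the other NSA steps (a current Secure Boot DBX and checks of the device's integrity measurements) so that a legitimate Windows update is not mistaken for tampering and a downgraded loader is not mistaken for an update.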
U.S. Cybersecurity Agency Lists Six Exploitable Flaws, Recommends Urgent Updates
In a critical update, the U.S. Cybersecurity and Infrastructure Security Agency has added six vulnerabilities to its Known Exploited Vulnerabilities catalog, urging immediate action. The list includes three Apple flaws (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439), two issues in VMware (CVE-2023-20867 and CVE-2023-20887), and a Zyxel device vulnerability (CVE-2023-27992), all of which have evidence of active exploitation. Particularly concerning are CVE-2023-32434 and CVE-2023-32435, both associated with Operation Triangulation, a long-term cyber espionage campaign starting in 2019.
The Federal Civilian Executive Branch (FCEB) agencies have been advised to promptly apply vendor-provided patches to secure their networks against potential threats. This announcement comes in conjunction with CISA’s alert about three vulnerabilities in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite that could lead to a denial-of-service condition.
‘nOAuth’ Flaw in Microsoft Azure AD Threatens Account Security
An alarming security flaw has been discovered in the Microsoft Azure Active Directory (AD) Open Authorization (OAuth) process. This vulnerability, dubbed ‘nOAuth’ by the discovering firm Descope, could have been leveraged to achieve a full account takeover. The misconfiguration flaw involves an attacker modifying email attributes under “Contact Information” in the Azure AD account. By exploiting the “Log in with Microsoft” feature, malevolent actors can gain control of a victim’s account.
The attack procedure is alarmingly straightforward: a malicious actor creates an Azure AD admin account, alters their email address to match that of a potential victim, and misuses the single sign-on feature on a susceptible app or website. Successful exploitation could give cybercriminals open access to set up persistence, steal data, and execute further post-exploitation activities.
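The root cause on the application side is a relying party that keys user accounts on the `email` claim of the ID token, a value the token's tenant administrator can set to anything. The block below is an added example, not Descope's or Microsoft's code: it shows the vulnerable lookup beside the hardened one, which keys on the immutable tenant id plus object id (`tid`, `oid`) and treats `email` as unverified display data. The claim sets and user store are constructed and are assumed to have already passed signature, issuer, audience and expiry validation.

```python
"""Added example (not Descope's or Microsoft's code): account lookup from Azure AD
ID-token claims, vulnerable (keyed on email) versus hardened (keyed on tid + oid).
All claims and stored accounts below are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Account:
    account_id: str
    email: str


# Constructed user store of an app that offers "Log in with Microsoft".
# The victim registered earlier from tenant "tenant-victim" with object id "oid-victim".
VICTIM = Account("acct-1001", "victim@example.com")
ACCOUNTS_BY_EMAIL: Dict[str, Account] = {VICTIM.email: VICTIM}
ACCOUNTS_BY_IDENTITY: Dict[Tuple[str, str], Account] = {("tenant-victim", "oid-victim"): VICTIM}

# Constructed ID-token claims as the app sees them after validation.
VICTIM_CLAIMS = {
    "tid": "tenant-victim",
    "oid": "oid-victim",
    "email": "victim@example.com",
    "preferred_username": "victim@example.com",
}
# The attacker controls their own tenant and edited the account's email attribute
# to the victim's address; tid and oid remain the attacker's own.
ATTACKER_CLAIMS = {
    "tid": "tenant-attacker",
    "oid": "oid-attacker",
    "email": "victim@example.com",
    "preferred_username": "admin@attacker-tenant.example",
}


def vulnerable_lookup(claims: Dict[str, str]) -> Optional[Account]:
    """Vulnerable pattern: the mutable email claim selects the account."""
    return ACCOUNTS_BY_EMAIL.get(claims.get("email", ""))


def hardened_lookup(claims: Dict[str, str]) -> Optional[Account]:
    """Hardened pattern: only the immutable (tid, oid) pair selects the account.
    A token from another tenant can never resolve to this tenant's user."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        return None
    return ACCOUNTS_BY_IDENTITY.get((tid, oid))


def email_domain_mismatch(claims: Dict[str, str]) -> bool:
    """Review signal: email domain differs from the preferred_username domain.
    Not proof of abuse on its own, but worth logging for sign-in monitoring."""
    email, upn = claims.get("email", ""), claims.get("preferred_username", "")
    if "@" not in email or "@" not in upn:
        return False
    return email.rsplit("@", 1)[1].lower() != upn.rsplit("@", 1)[1].lower()


def login(claims: Dict[str, str]) -> Tuple[Optional[str], bool]:
    """Hardened sign-in: returns (account_id or None, mismatch_flag)."""
    account = hardened_lookup(claims)
    return (account.account_id if account else None, email_domain_mismatch(claims))


if __name__ == "__main__":
    print("vulnerable:", vulnerable_lookup(ATTACKER_CLAIMS))   # resolves to the victim
    print("hardened:  ", hardened_lookup(ATTACKER_CLAIMS))     # None
    print("login:     ", login(ATTACKER_CLAIMS))               # (None, True)
```

When an unknown (`tid`, `oid`) pair arrives with an email that already belongs to an existing account, the safe response is to create a separate account or require an explicit email-ownership verification step, never to silently merge the two.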
Over 100,000 Stolen ChatGPT Account Credentials Up for Sale on Dark Web
Cybersecurity firm Group-IB revealed that from June 2022 to May 2023, more than 101,100 compromised OpenAI ChatGPT account credentials were found on unauthorized dark web marketplaces. Of these, India had the dubious honor of contributing the most stolen credentials. The surge in compromised ChatGPT accounts reached a peak in May 2023, with the Asia-Pacific region experiencing the highest concentration of stolen ChatGPT credentials over the year.
The report also highlighted the tools of choice for cybercriminals, with the notorious Raccoon info stealer accounting for the majority of the breaches, followed by Vidar and RedLine. Information stealers have become the darling of cybercriminals for their ability to lift passwords, cookies, credit cards, and other data from browsers and cryptocurrency wallet extensions.
The analysis from Group-IB’s Threat Intelligence report indicates that these findings stem from malware on individual devices and not a breach at OpenAI. As a protective measure, users are urged to adhere to good password hygiene practices and enable two-factor authentication (2FA) to prevent account takeover attacks.