Plus: Hackers knock out Russian military satellite communications, a spyware maker gets breached, and the SEC targets a victim company's CISO.

Amid exploding AI usage, the United States Senate is mulling legislation to regulate the development of artificial intelligence, but lawmakers' comments to WIRED this week indicate that Congress' abysmal track record on tech regulation may be doomed to repeat itself. Meanwhile, in the European Union, challenges filed under the EU's GDPR data law on Thursday allege that Pornhub has been collecting user data illegally.

We looked at a common air travel booking scam that can turn real—but not ticketed—flight reservations into cash grabs for cybercriminals. And tech companies have recently released an array of critical software updates that you should install on your devices right now. Some patches published in recent weeks from the company Progress Software patch flaws in the popular file transfer service MOVEit, which has been exploited by ransomware actors to spread malware and steal data from international companies, universities, and the US government.

If you want a digital hygiene project for the weekend, we have tips on how to make your chats and messaging more secure. And if you're craving a long read, WIRED went in-depth on the 1973 US National Personnel Records Center fire that destroyed 17 million military records and prompted a massive restoration effort.

And there's more. Each week, we round up the stories we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

On Tuesday, a 7-2 decision by the US Supreme Court reversed the conviction of a man who repeatedly threatened a stranger online. Justice Elena Kagan wrote in the majority opinion that First Amendment free speech protections require such cases to show that online harassers or cyberstalkers were aware that their digital abuse could be construed as threatening. Threats of violence are not protected by the First Amendment, but the court said prosecutors must show that a defendant “consciously disregarded a substantial risk that his communications would be viewed as threatening violence.” The offender in the case the court looked at, Billy Counterman of Colorado, had “moved to dismiss the charge on First Amendment grounds, arguing that his messages were not ‘true threats’ and therefore could not form the basis of a criminal prosecution.”

Counterman had persistently and repeatedly messaged a local singer he didn't know on Facebook over two years, and when she would block him he made new accounts to continue messaging her. Victims of online harassment and digital rights advocates warned following the decision that it creates a dangerous precedent to empower cyberstalkers. “The Court just handed stalkers and harassers, including of politicians, journalists, climate scientists, doctors advocating for vaccines, you name it, a new weapon,” Soraya Chemaly, director of the Women’s Media Center Speech Project, told the _Washington Post_.

A cyberattack caused a multiday outage this week of a Russian satellite communication system from Dozor-Teleport. The platform is broadly used, including by the Russian military. Ukrainian satellite communication infrastructure suffered a similar outage more than a year ago. Dozor’s parent company, Amtel Svyaz, also grappled with significant system outages this week. Multiple hackers claimed responsibility for the attacks, including some purporting to be hacktivists and others who said they were affiliated with the Russian private mercenary army Wagner Group. In addition to the outage, one of the entities claiming responsibility for the attack said it had stolen data from Dozor and published 700 files, including documents and images, to a leak site and Telegram.

The invasive phone monitoring app LetMeSpy said on June 21 that it was itself hacked. Attackers stole names, messages, call logs, and location data collected by the service, the company said. LetMeSpy is a Polish Android app that's used around the world to monitor thousands of people. The company's notice said that “a security incident occurred involving obtaining unauthorized access to the data of website users​​.”

Years after a Russian espionage campaign launched a devastating supply chain attack against software firm SolarWinds, the US Securities and Exchange Commission sent legal notices—known as “Wells notices”—to certain current and former Solarwinds employees. Such notices warn of potential securities law violations that could lead to civil enforcement action, but they rarely relate to cybersecurity incidents. Notably, one of the SolarWinds employees who received a notice is the company's current chief information security officer, Tim Brown, who was Solarwinds' head of security architecture at the time of the attack. Company CFO Barton Kalsu also received a notice. The situation is potentially significant as the US and other countries attempt to develop appropriate accountability mechanisms for high-ranking executives who preside over breaches and other security lapses. The fear among security professionals is often that individual penalties will simply discourage talented practitioners from taking top roles.

US Supreme Court Hands Cyberstalkers a First Amendment Victory

The custom malware used by the state-backed Iranian threat group Drokbk has so far flown under the radar by using GitHub as a "dead-drop resolver" to more easily evade detection.

A subgroup of the state-backed Iranian threat actor Cobalt Mirage is using a new custom malware dubbed "Drokbk" to attack a variety of US organizations, using GitHub as a "dead-drop resolver."

According to MITRE, the use of dead-drop resolvers refers to adversaries posting content on legitimate Web services with embedded malicious domains or IP addresses, in an effort to hide their nefarious intent.

In this case, Drokbk uses the dead-drop resolver technique to find its command-and-control (C2) server by connecting to GitHub.

"The C2 server information is stored on a cloud service in an account that is either preconfigured in the malware or that can be deterministically located by the malware," the report noted.

The Drokbk malware is written in .NET, and it's made up of a dropper and a payload.

Typically, it's used to install a Web shell on a compromised server, after which additional tools are deployed as part of the lateral expansion phase.

According to the report from the Secureworks Counter Threat Unit (CTU), Drokbk surfaced in February after an intrusion at a US local government network. That attack began with a compromise of a VMware Horizon server using the two Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046).

"This group has been observed conducting broad scan-and-exploit activity against the US and Israel, so in that sense any organization with vulnerable systems on their perimeter are potential targets," says Rafe Pilling, Secureworks principal researcher and thematic lead for Iran.

He explains Drokbk provides the threat actors with arbitrary remote access and an additional foothold, alongside tunneling tools like Fast Reverse Proxy (FRP) and Ngrok. It's also a relatively unknown piece of malware.

"There may be organizations out there with this running on their networks right now, undetected," he adds.

Fortunately, using GitHub as a dead-drop resolver is a technique that cyber defenders can look for on their networks.

"Defenders might not be able to view TLS-encrypted traffic flows, but they can see which URLs are being requested and look for unusual or unexpected connections to GitHub APIs from their systems," Pilling notes.

**Dead-Drop Resolver Technique Offers Flexibility**

The dead-drop resolver technique provides a degree of flexibility to malware operators, allowing them to update their C2 infrastructure and still maintain connectivity with their malware.

"It also helps the malware blend in by making use of a legitimate service," Pilling says.

**Robust Patching Is Critical Defense Strategy**

Pilling advises organizations to patch Internet-facing systems, noting well-known and popular vulnerabilities such as ProxyShell and Log4Shell have been favored by this group.

"In general, this group and others will quickly adopt the latest network vulnerabilities that have reliable exploit code, so having that robust patching process in place is key," he says.

He also recommends organizations hunt through security telemetry for the indicators provided in the report to detect Cobalt Mirage intrusions, ensure an antivirus solution is widely deployed and up to date, and deploy EDR and XDR solutions to provide comprehensive visibility across networks and cloud systems.

**Iran-Backed Threat Groups Evolving, Attacks on the Rise**

The CTU also noted Cobalt Mirage appears to have two distinct groups operating within the organization, which Secureworks has labeled Cluster A and Cluster B.

"The initial similarity in tradecraft resulted in the creation of a single group, but over time and multiple incident-response engagements we found we had two distinct clusters of activity," Pilling explains.

Going forward, the established groups are expected to continue to operate against targets aligned with Iranian intelligence interests, both foreign and domestic. He adds that the increased use of hacktivist and cybercrime personas will be used as cover for both intelligence-focused and disruptive operations.

"Email and social media-based phishing are preferred methods, and we may see some incremental improvement in sophistication," he explains.

In a joint advisory issued Nov. 17, cybersecurity agencies in the United States, United Kingdom, and Australia warned attacks from groups linked to Iran are on the rise. Cobalt Mirage is hardly on its own.

"Over the last two years we've seen multiple group personas emerge — Moses' Staff, Abraham's Ax, Hackers of Savior, Homeland Justice, to name a few — primarily targeting Israel, but more recently Albania and Saudi Arabia, conducting hack-and-leak style attacks combined with information operations," Pilling says.

The US Treasury Department has already moved to sanction the Iranian government for its cybercrime activities, which the department alleges have been carried out in systematic fashion against US targets via a range of advanced persistent threat (APT) groups.

Iranian APT Targets US With Drokbk Spyware via GitHub

Red Hat Security Advisory 2024-1328-03 - Red Hat Advanced Cluster Management for Kubernetes 2.9.3 General Availability release images, which fix bugs and update container images. Issues addressed include denial of service and traversal vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1328.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Red Hat Advanced Cluster Management 2.9.3 security and bug fix container updates  
Advisory ID:        RHSA-2024:1328-03  
Product:            Red Hat ACM  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1328  
Issue date:         2024-03-14  
Revision:           03  
CVE Names:          CVE-2023-45142  
====================================================================

Summary: 

Red Hat Advanced Cluster Management for Kubernetes 2.9.3 General  
Availability release images, which fix bugs and update container images.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE links in the References section.

Description:

Red Hat Advanced Cluster Management for Kubernetes 2.9.3 images

Red Hat Advanced Cluster Management for Kubernetes provides the  
capabilities to address common challenges that administrators and site  
reliability engineers face as they work across a range of public and  
private cloud environments. Clusters and applications are all visible and  
managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster  
Management for Kubernetes, which fix several bugs. See the following  
Release Notes documentation, which will be updated shortly for this  
release, for additional details about this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.9/html/release_notes/

Security fix(es):  
CVE-2023-45142 opentelemetry: DoS vulnerability in otelhttp  
CVE-2023-47108 opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics  
CVE-2024-25620 helm: Dependency management path traversal  
CVE-2024-26147 helm: Missing YAML Content Leads To Panic

Jira issues addressed: 

* ACM-8728: Machine Pool scaling doesn't work for Openstack cluster  
* ACM-8998: Dependency on ConstraintTemplate stuck in Pending state  
* ACM-9123: Trying to upgrade a managed cluster fails with user forbidden errors  
* ACM-9145: Unable to upgrade managed cluster from ACM  
* ACM-9186: search-postgres persists in CrashLoopBackOff while being included in the ACM CR with hugepages enabled  
* ACM-9311: hcp hypershift operator doesn't support OCP 4.15  
* ACM-9467: [Doc bug] Update adding day2 master to unhealthy cluster procedure doc  
* ACM-9719: log error message when the restore cannot be created  
* ACM-9724: Console Search page flickering on initial loading  
* ACM-9746: Search collector logging excessively  
* ACM-9885: Console initial loading time increases over time [ACM 2.9.z]  
* ACM-9930: A misconfigured PlacementBinding halts root Policy updates  
* ACM-9947: The ACM topology view does not show the correct status when the subscription namespace differs from the resource namespace.

Solution:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.9/html-single/install/index#installing

CVEs:

CVE-2023-45142

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2245180  
https://bugzilla.redhat.com/show_bug.cgi?id=2251198  
https://bugzilla.redhat.com/show_bug.cgi?id=2264336  
https://bugzilla.redhat.com/show_bug.cgi?id=2265440  
https://issues.redhat.com/browse/ACM-8728  
https://issues.redhat.com/browse/ACM-8998  
https://issues.redhat.com/browse/ACM-9123  
https://issues.redhat.com/browse/ACM-9145  
https://issues.redhat.com/browse/ACM-9186  
https://issues.redhat.com/browse/ACM-9311  
https://issues.redhat.com/browse/ACM-9467  
https://issues.redhat.com/browse/ACM-9719  
https://issues.redhat.com/browse/ACM-9724  
https://issues.redhat.com/browse/ACM-9746  
https://issues.redhat.com/browse/ACM-9885  
https://issues.redhat.com/browse/ACM-9930  
https://issues.redhat.com/browse/ACM-9947

Red Hat Security Advisory 2024-1328-03

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 4.1.34. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.

This security release features four security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 5.8.3 is a short-cycle security release. The next major release will be version 5.9, which is already in the Release Candidate stage.

You can update to WordPress 5.8.3 by downloading from WordPress.org or visiting your Dashboard → Updates and clicking Update Now.

If you have sites that support automatic background updates, they’ve already started the update process.

**Security Updates**

Four security issues affect WordPress versions between 3.7 and 5.8. If you haven’t yet updated to 5.8, all WordPress versions since 3.7 have also been updated to fix the following security issue (except where noted otherwise):

*   Props to Karim El Ouerghemmi and Simon Scannell of SonarSource for disclosing an issue with stored XSS through post slugs.
*   Props to Simon Scannell of SonarSource for reporting an issue with Object injection in some multisite installations.
*   Props to ngocnb and khuyenn from GiaoHangTietKiem JSC for working with Trend Micro Zero Day Initiative on reporting a SQL injection vulnerability in WP\_Query.
*   Props to Ben Bidner from the WordPress security team for reporting a SQL injection vulnerability in WP\_Meta\_Query (only relevant to versions 4.1-5.8).

Thank you to all of the reporters above for privately disclosing the vulnerabilities. This gave the security team time to fix the vulnerabilities before WordPress sites could be attacked. Thank you to the members of the WordPress security team for implementing these fixes in WordPress.

For more information, check out the 5.8.3 HelpHub documentation page.

**Thanks and props!**

The 5.8.3 release was led by @desrosj and @circlecube.

In addition to the security researchers and release squad members mentioned above, thank you to everyone who helped make WordPress 5.8.3 happen:

Alex Concha, Dion Hulse, Dominik Schilling, ehtis, Evan Mullins, Jake Spurlock, Jb Audras, Jonathan Desrosiers, Ian Dunn, Peter Wilson, Sergey Biryukov, vortfu, and zieladam.

CVE-2022-21664: WordPress 5.8.3 Security Release

Mealie1.0.0beta3 does not terminate download tokens after a user logs out, allowing attackers to perform a man-in-the-middle attack via a crafted GET request.

I told you there are more CVEs coming! Getting to the end of this chunk finally! There are only 3 more CVEs I have reserved which are waiting on developer confirmation/responsible disclosure dates to pass.

For more background and other CVEs from this application check out these two posts. HERE and HERE

Anyway, these were found the same nights as the other ones but we found they only affect version 0.5.5 so not the current version at the time of our testing. So we saw them as less of a priority. Since they were also assigned CVEs figured I’d get a brief overview about them! Again this was with my co-worker at nVisium, Bruno Hernández (GitHub and LinkedIn).

The CVEs are as follows: CVE-2022-34615, CVE-2022-34621, CVE-2022-34623, CVE-2022-34624

CVE-2022-34615 is self-explanatory. Mealie v0.5.5 was found to support a weak password policy. This makes dictionary or brute force attacks trivial. In this case, one character passwords were allowed.

CVE-2022-34621 is a Insecure Direct Object Reference (IDOR) vulnerability. Specifically the “user\_id” parameter was vulnerable across all instances of it. This allowed any authenticated user to change the password of any other user (including administrators) as well as change their profile images or whatever else.

CVE-2022-34623 is a user enumeration vulnerability. When attempting to log in, if you put a proper username and an improper password the application takes a significantly longer time to respond compared to a improper user and improper password. This allows an unauthenticated attacker to determine what usernames/emails are registered on the application.

CVE-2022-34624 is a session termination/expiration issue. Specifically the JWT used to download files do not expire after logout or in a reasonable amount of time. This means that any attacker within a Man-In-The-Middle (MiTM) position or anyone with access to the web server logs can reuse the user’s download token to download the file.

END TRANSMISSION

**Published** August 19, 2022August 19, 2022

**Post navigation**

CVE-2022-34624: CVE-2022-34615, CVE-2022-34621, CVE-2022-34623, CVE-2022-34624 – IDOR, User Enum and More (In Mealie)

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.

CVE-2022-21663: WordPress 5.8.3 Security Release

This week on the Lock and Code podcast, we speak with Cody Venzke about why data brokers are allowed to collect everything about us.

_This week on the Lock and Code podcast_…

On the internet, you can be shown an online ad because of your age, your address, your purchase history, your politics, your religion, and even your likelihood of having cancer.

This is because of the largely unchecked “data broker” industry.

Data brokers are analytics and marketing companies that collect every conceivable data point that exists about you, packaging it all into profiles that other companies use when deciding who should see their advertisements.

Have a new mortgage? There are data brokers that collect that information and then sell it to advertisers who believe new homeowners are the perfect demographic to purchase, say, furniture, dining sets, or other home goods. Bought a new car? There are data brokers that collect all sorts of driving information directly from car manufacturers—including the direction you’re driving, your car’s gas tank status, its speed, and its location—because some unknown data model said somewhere that, perhaps, car drivers in certain states who are prone to speeding might be more likely to buy one type of product compared to another.

This is just a glimpse of what is happening to essentially every single adult who uses the Internet today.

So much of the information that people would never divulge to a stranger—like their addresses, phone numbers, criminal records, and mortgage payments—is collected away from view by thousands of data brokers. And while these companies know so much about people, the public at large likely know very little in return.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Cody Venzke, senior policy counsel with the ACLU, about how data brokers collect their information, what data points are off-limits (if any), and how people can protect their sensitive information, along with the harms that come from unchecked data broker activity—beyond just targeted advertising.

> “We’re seeing data that’s been purchased from data brokers used to make decisions about who gets a house, who gets an employment opportunity, who is offered credit, who is considered for admission into a university.”

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 This industry profits from knowing you have cancer, explains Cody Venzke (Lock and Code S05E22) 

We look at a scam targeting artists around the world with a bogus, malware-laden offer from fake Cyberpunk Ape Executives.
The post Fake Cyberpunk Ape Executives target artists with malware-laden job offer appeared first on Malwarebytes Labs.

The wacky world of ape jpegs are at the heart of yet another increasingly bizarre internet scam, which contains malware, stolen accounts, a faint possibility of phishing, and zips full of ape pictures.

**The Ape Executives have a job offer you can, and must, refuse**

Lots of people with art profiles on social media in Japan and elsewhere have reported messages from people claiming to be from the “Cyberpunk Ape Executives”. These messages promoted some sort of upcoming project related to both cyberpunk and apes.

Users on several sites including DeviantArt and Pixiv were sent identical missives from a variety of accounts:

**“We appreciate your artwork…”**

The messages received by these artists reads as follows:

> _Hi! We appreciate your artwork! Cyberpunk Ape Executives is inviting 2D-artists (online / freelance) to collaborate in creating NFT project. As a 2D-artist you will create amazing and adorable NFT characters. Your characters will become an important part of our NFT universe! Our expectations from the candidate: 1) Experience as a 2D-artist 2) Experience and examples of creating characters 3) Photoshop skills_
> 
> _Main tasks: 1) Creating characters in our NFT style 2) Interaction with Art Team Lead on task setting, feedback. For further communication check out the examples of our NFT works: \[url removed\] and send a reply (CV + examples of your works) for this position. Approximate payment per day = $200-$350. We make payments to Paypal, BTC, ETH, LTC._

Anyone clicking the link was directed to a MEGA download page. The .rar file to download weighs in at 4.1MB, and comes with the password “111” supplied. Artists expecting to find ape jpegs are in for a horrible surprise, not least because it does in fact contain several ape jpegs. It also contains something _else_ pretending to be an ape jpeg. Observe:

Can you spot the ape doing his own thing? Note that without “view file extensions” enabled, you wouldn’t notice the odd one out. Cyberpunk Ape Executive #19 is up to no good, with the gif.exe extension. Disguising executables as image files is an ancient technique, but it seems profitable in ape jpeg land. Artists opening up the file would infect their system with a form of infostealer which Malwarebytes detects as Spyware.PasswordStealer.EnigmaProtector.

**Message spam galore**

Many people are pointing out that their accounts started spamming the same bogus promotional messages seen up above. Here’s one example found on ArtStation from last week:

There is clearly some form of account compromise taking place, however at time of writing it’s difficult to 100% pin this on the infection file. Those who’ve suffered an account breach typically don’t confirm one way or the other if the infection or phishing of some kind is responsible (warning: very angry and swear filled artist Tweets ahoy).

What we’ve observed that it connects to a server, sending some basic system information like Operating System and various system parameters. There’s no direct evidence of password theft (yet), though it could be waiting for direct orders or certain conditions to swipe data.

**Keeping your accounts safe**

It’s possible there’s a phishing aspect to this independent of the infostealer. Perhaps there’s a second set of messages aimed at tricking people into visiting fake logins, though we stress there is currently no evidence of this. The executable seems the most likely candidate. Either way, our tips are as follows:

1.  Do not download the .rar containing the apes. If you have, do not open up the .gif.exe file. Proceed to running security scans at this point, and ensure whatever you have on board is quarantined and stripped out from your system.
2.  If there _are_ messages from so-called Cyberpunk Ape Executives bouncing around somewhere sending you login links, don’t enter the credentials they happen to be asking for. Done this already? Log in and change your password. If they’ve already changed your login, contact support as soon as possible. Again: we don’t know if a phish campaign is operating in tandem with the infection file campaign, and we’d suggest you’re most likely to fall foul of login compromise via the system infection.

**All my apes giving security advice**

Possibly the most amazing thing here is that the Cyberpunk Ape Executives actually do appear to exist. Here’s the _genuine_ Ape Executives themselves, warning artists about the fakers:

> There's currently a scam going around with people pretending to work with us. This is not real. Don't respond. Don't click the link. Report the people who are doing this on the platform they contact you on. #ApeExecutives pic.twitter.com/A60J3Tt1ks
> 
> — CYBERPUNK APE EXECUTIVES (PHASE ONE SOLD OUT) (@ApeExecutives) April 26, 2022

Accept no ape imitations.

We’ll continue to observe this one and add to the post should any fresh information come to light. For now, keep a close eye on messages sent your way. There’s nothing better for an artist than receiving the possibility of a well paying commission. Unfortunately, all you’ll be paying with here is system data, and quite possibly your logins too.

Fake Cyberpunk Ape Executives target artists with malware-laden job offer

The scans used by the Python Package Index (PyPI) to find malware fail to catch 41% of bad packages, while creating plentiful false positives.

The scanners tasked with weeding out malicious contributions to packages distributed via the popular open source code repository Python Package Index (PyPI) create a significant number of false alerts, researchers have found. 

According to a Chainguard analysis of PyPI — the main repository for software components used in applications written in Python — the approach catches 59% of malicious packages but also flags a third of popular legitimate Python packages and 15% of a random selection of packages. 

The research aims to create a data set that Python maintainers and the PyPI repository can use to determine the efficacy of their system for scanning projects for malicious changes and supply chain attacks, the Chainguard researchers stated in a Tuesday analysis.

While the existing approach detects the majority of malware, it clearly needs significant improvements to prevent wasting project managers' time with false alarms, says Zack Newman, a senior software engineer at Chainguard, who collaborated on the research.

"These are volunteers with countless other responsibilities, not security researchers who are willing to spend all day trawling through suspicious code," he says. "They care a great deal about the security of PyPI and work very hard to improve the situation, but the return on effort just isn't there at the moment for these scanners."

False positives are the bane of many software analysis tools, and therefore security teams. Even with a system that is 100% accurate at finding malicious packages, if it has a 1% false positive rate, developers and application-security professionals would still have to dig through 200 alerts each week to determine if any of the 20,000 weekly PyPI releases are actually malicious.

"Hundreds of packages triggered alerts," Newman says. "While we did some spot checks, just a quick look isn't enough to tell for sure whether a package is malicious — that's why malware-detection tools are so important. This gave us a lot of empathy for the repository administrators, who would face this volume of alerts tenfold each week."

He adds, "To be useful, a scanner would need to reduce that false positive rate to around 0.01%, even at the expense of missing some malicious packages."

**PyPI's Malware-Scanning Approach**

PyPI aims to foil software supply chain attacks by checking packages and projects in two ways. The PyPI scans the package's _setup.py_ file using signatures to detect known suspicious patterns — expressed by YARA rules, an industry standard for creating malware signatures — that could indicate the inclusion of malicious functionality. (YARA stands for Yet Another Recursive Acronym, more of an inside industry joke than a descriptive name.) In addition, the repository's scanning tools analyze a projects commits and contributors for suspicious changes that could suggest malicious contributions.

The researchers built their data set using 168 known examples of malicious attacks on the PyPI repository. They then created a second data set with the 1,000 most-downloaded packages and the 1,000 most-imported packages, and when they eliminated duplicates, they ended up with 1,430 popular packages. Finally, they also created a data set of a random selection of 1,000 packages, which resulted in 986 random Python packages, since 14 did not have any Python code.

The popular and randomly selected packages were all assumed to be legitimate, the researchers said. In addition, the popular projects likely had better security hygiene and abided by programming best practices.

"While there is a chance that some of these packages are malicious, the chance that more than a handful of these packages is malicious is vanishingly small," they wrote in the analysis provided exclusively to Dark Reading. "Importantly, these packages are more likely to represent a package selected from PyPI at random."

**Open Source Software Repositories Remain a Cybercrime Target**

The research comes as application-security professionals and software developers look for ways to ensure the security of the open source software components that make up 78% of the code in an average program. 

The Open Source Security Foundation (OpenSSF) has launched a number of initiatives to improve the security of the open source software supply chain, including identifying the most critical packages that need more security scrutiny, and support for the adoption of SigStore, a way of cryptographically linking source code to compiled packages.

Attacks on the software supply chain have increased over the past few years. In the past month alone, security firm Kaspersky found malware in the Node Package Manager (npm) repository, while security firms Check Point and Snyk found nearly a score of malicious packages hosted on the PyPI repository service.

And it came to light that a school-aged kid in Italy uploaded multiple malicious Python packages containing ransomware scripts to PyPI, supposedly as an experiment.

It's unlikely that PyPI is alone in having problematic scanning results. Going forward, the Chainguard researchers plan to extend their analysis to evaluate at least four open source software malware analyzers, such as OSSGadget Detect Backdoor, bandit4ma, and OSSF Package Analysis, as well as translating the PyPI Malware Checks rules to SemGrep, a multilanguage open source static code analyzer.

One-Third of Popular PyPI Packages Mistakenly Flagged as Malicious

Categories: Hacking
Tags: hacking

Tags: sextortion

Tags: snapchat

A college student fell victim to a Snapchat sextortion scheme. With a friend's help, she 'hacked back' and sent him to jail.



(Read more...)




The post When a sextortion victim fights back appeared first on Malwarebytes Labs.

When Katie Yates suddenly started receiving nude photos of her friend, Natalie Claus, over on Snapchat, she instantly recognized that Claus had just become a victim of a sextortion attack. She also knew how Claus should respond.

This happened in December 2019 when Claus was a sophomore. Both were students at the State University of New York.

Yates has a story of her own, too. Months before receiving those messages from Claus, she was herself a victim of sexual assault. After reporting the abuse, Yates started receiving abusive messages on social media. Seeing the lack of support from anyone on campus, she explored ways to identify her harasser.

This vigilanteism—Yates taking the matter into her own hands because she's not getting any help—proved beneficial for Claus. So when Yates asked Claus if she wanted to catch her hacker, Claus said, "Yeah."

**Hacker posed as "Snapchat Security"**

The case of Claus's hacker, David Mondore (a chef), actually made headlines around 2020 and 2021. Claus is not his sole victim, and a press release revealed that Mondore was involved in a string of Snapchat hijacking activities from July 2018 to August 2020. During this period, the hacker gained unauthorized access to at least 300 Snapchat accounts, including Claus's.

This Bloomberg article mentioned that Mondore posed as a "security employee" who warned Claus of an alleged breach of her Snapchat account. The Office of the US Attorney of New York provided more detail on the ruse that tricked Claus into handing over her account to Mondore.

According to Claus, whom the press release refers to as Victim 1, she received a Snapchat message from an acquaintance, whom the press release refers to as Acquaintance 1. The person messaging Victim 1 is actually Mondore using Acquaintance 1's account.

Acquaintance 1 asked Victim 1 for her Snapchat credentials, so they can use the account to check if another user blocked them. In Snapchat, you can't see anyone who's blocking you even when you search for their username or full name. It appears the only way to see who's blocking who is using another account. Several sites use this tactic.

Clearly, Mondore took advantage of this.

After Victim 1 sent her credentials to Acquaintance 1, Mondore sent Victim 1 a text message via an app anonymizing his actual phone number. The message he sent purportedly came from Snapchat Security, requesting Victim 1 to send the passcode for her "My Eyes Only" folder to verify that Victim 1's account has been legitimately accessed.

"My Eyes Only" is a secure, encrypted, and private folder within Snapchat where users can save potentially sensitive photos and videos. This can only be accessed with a passcode.

After gaining access to Victim 1's Snapchat account and her "My Eyes Only" folder, Mondore rinses and repeats. He contacted Victim 1's contacts using her account, asking for their credentials under the pretense of checking who blocked them.

Mondore also used Claus's private photos, which she had taken for herself as she attempted to recover from a rape, to gather compromising material from her Snapchat contacts. The message sent out with her nude images says, "Flash me back if we're besties." It was sent to 116 people, four of whom responded with explicit photos of themselves.

**"Gotcha"**

Claus hatched a plan to trap her hacker with Yates's help. Using her own Snapchat account, Yates sent a message to Claus's account, which Mondore had already controlled by then, saying she had nude images to share, with a URL link made to look like a porn site.

The URL, once clicked, collected the IP address of anyone who accessed it using the Grabify IP Logger website. Not only that, Yates and Claus set up the URL to redirect Mondore to the Wikipedia page for the word "gotcha" instead of the porn site he probably expected.

Mondore, upon seeing the Wikipedia redirect, messaged Yates saying, "What the hell is this?" She then blocked Claus's account after collecting Mondore's IP: he was in Manhattan and using an iPhone without a VPN.

Claus sent her police report to the campus police, who then forwarded it to the New York state police. One of the officers then knew who to contact within the FBI. The tip eventually led to Mondore's arrest. He received a sentence of 6 months jail time.

"It was him being an idiot that did it," Claus said of her hacker. "When I passed all that information to the FBI, they said, 'There's a really good chance that we wouldn't have caught him without this.'"

Despite what happened to her and the "too light" punishment Mondore received, Claus believes he's not a monster. "He's a human," she told Bloomberg. "That's what makes it scary."

Search

lenovo warranty check/lookup | check warranty status | lenovo support us