Information Security News | Cyber Security | Hacking Tutorial (https://www.securitynewspaper.com/), feed generated Mon, 30 Jan 2023 22:26:08 +0000

GitHub hacked again, GitHub Desktop and Atom repositories certificates stolen
https://www.securitynewspaper.com/2023/01/30/github-hacked-again-github-desktop-and-atom-repositories-certificates-stolen/
Published Mon, 30 Jan 2023 22:25:51 +0000

The post GitHub hacked again, GitHub Desktop and Atom repositories certificates stolen appeared first on Information Security Newspaper | Hacking News.

GitHub discovered unauthorized access to a set of repositories on December 7, 2022. These repositories were used in the design and development of Atom and GitHub Desktop. A Personal Access Token (PAT) associated with a machine account was compromised, which led to the cloning of repositories belonging to GitHub's atom and desktop organizations, as well as repositories of other deprecated GitHub-owned organizations. These repositories contained a number of encrypted code signing certificates intended for use in the GitHub Actions workflows of the GitHub Desktop and Atom release processes.

Code signing certificates serve much the same purpose as signing your commits on GitHub: they let a user verify that the code in question was produced by the stated author. The stolen certificates do not put existing installations of Desktop and Atom at risk. However, if the encryption protecting them were broken, the threat actor could sign unauthorized programs with these certificates and make them appear to have been produced by GitHub.

As of December 6, 2022, two DigiCert code signing certificates used for Windows and one Apple Developer ID certificate were still valid. GitHub will revoke all three certificates on February 2, 2023.

The first DigiCert certificate expired on January 4, 2023, and the second expires on February 1, 2023. Once a certificate's validity period has ended, it can no longer be used to sign code. GitHub nevertheless plans to revoke both on February 2 as a precaution, even though they do not pose a lasting risk.

The Apple Developer ID certificate is valid until 2027. Until it is revoked on February 2, GitHub is working with Apple to watch for any new executables (such as applications) that may have been signed with the compromised certificate.

After investigating the contents of the compromised repositories, GitHub concluded that neither GitHub.com nor any of its other products were affected, beyond the specific certificates described above. The code in these repositories was not altered in any unauthorized way.

The two most recent Atom releases, 1.63.0 and 1.63.1, have been removed from the releases page. They depend on the compromised certificate and will stop working as soon as it is revoked.

GitHub will revoke the Mac and Windows signing certificates used to sign Desktop versions 3.0.2-3.1.2 and Atom versions 1.63.0-1.63.1 on Thursday, February 2, 2023. Once the certificates are revoked, every version signed with them will stop working. Users are strongly advised to update Desktop and/or downgrade Atom before February 2 to avoid disruption to the workflows they rely on.

Nothing indicates that the threat actor was able to decrypt or use these certificates, but GitHub cannot rule it out.

More than 770 million records available through the Travis CI API: Anyone can extract tokens, secrets, and other credentials associated with services like GitHub, AWS, and Docker Hub
https://www.securitynewspaper.com/2022/06/15/more-than-770-million-records-available-through-the-travis-ci-api-anyone-can-extract-tokens-secrets-and-other-credentials-associated-with-services-like-github-aws-and-docker-hub/
Published Wed, 15 Jun 2022 16:20:15 +0000

Software development and testing platform Travis CI has confirmed its second incident of exposing users' data in less than a year. This time, the exposed records include authentication tokens that grant access to platforms such as AWS, GitHub, and Docker Hub.

According to a report by the firm Aqua Security, tens of thousands of user tokens were exposed through the Travis CI API, which holds more than 770 million records containing several types of credentials belonging to free-tier users.

According to the report, Travis CI did not adequately protect its log record numbers, so an enumeration script could retrieve an undetermined number of logs: "This is not easy with other providers, since a client ID must be included in the URL, which makes it difficult to enumerate the records."

During the research, a second, documented API call was also found that gave plaintext access to another set of records that had previously been unavailable. Using both methods, the researchers were able to retrieve records dating from January 2013 to May 2022.

Aqua Security estimates that the number of valid records is between 4.2 million and 774 million. After analyzing a sample of 8 million records, the researchers found nearly 73,000 sensitive strings in the form of tokens, secrets, and other credentials associated with cloud services such as GitHub, AWS, and Docker Hub.

The researchers note that some of the data in the historical records was masked. This is insufficient, however, because masking applies only to known variable names, and Travis CI lets developers store sensitive values under arbitrary names.

“We found that, in many cases, ‘github_token’ was masked and revealed no secrets. However, we found around 20 variations of this token that were not protected in any way by Travis CI,” the researchers add.

The researchers reported the issue to Travis CI and expected it to be fixed soon, but the platform replied that this is a design issue and probably will not be fixed. Log exposure appears to be a recurring problem for Travis CI, with reports of this kind of risk published in 2015, 2019, and 2021.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

Popular Python package ctx Python and PHP library were compromised and injected with a backdoor
https://www.securitynewspaper.com/2022/05/24/popular-python-package-ctx-python-and-php-library-were-compromised-and-injected-with-a-backdoor/
Published Tue, 24 May 2022 16:25:02 +0000

Researchers report that ctx Python, one of the most popular packages in the Python ecosystem, was compromised by threat actors who injected a backdoor that is undetectable to users.

As reported just a few hours ago, the package received an update, v0.2.6, which attracted attention because ctx Python had not been updated in 8 years.

After the update appeared in the GitHub repository, researchers began analyzing the code and found a suspicious addition:

The added code is triggered when a dictionary is created: it sends all of the process's environment variables to the URL of a Heroku application under the attackers' control.

Experts consider this a clear sign that the current version of the package has been manipulated for malicious purposes and should not be used.

Versions of a fork of the PHP library 'phpass', published in the Packagist repository, were also manipulated to add the same malicious code. PHPass has reportedly been downloaded about 2.5 million times.

According to security researcher Somdev Sangwan, the insertion of this backdoor could be aimed at extracting access credentials for Amazon Web Services (AWS).

The malicious version was released on May 14, so users who installed the package before that date are running the original version (v0.1.2) and are not affected. Any installation of ctx Python after May 14, on the other hand, may include the malicious code.

As for the attack method, specialists say that the domain name used by the original maintainer of ctx Python expired, which allowed the attackers to re-register it and take control of the package, adding the malicious payload for distribution.

The official page of the ctx Python project in PyPI has been removed, showing the error ‘Not Found’ to visitors.


Ethical hacker gets $10 Million bounty for finding critical vulnerability in Ethereum Wormhole contract
https://www.securitynewspaper.com/2022/05/23/ethical-hacker-gets-10-million-bounty-for-finding-critical-vulnerability-in-ethereum-wormhole-contract/
Published Mon, 23 May 2022 18:02:18 +0000

A researcher and ethical hacking specialist got a historic $10 million payment after reporting a critical vulnerability in Wormhole, Ethereum’s central bridge contract. Wormhole is a decentralized protocol that enables interoperability between blockchain structures such as Ethereum, Terra and Binance Smart Chain (BSC).

The report, by a researcher known only as 'Satya0x', explains that exploiting this flaw could have allowed malicious hackers to hold the protocol to ransom by threatening to block access to it, which would have rendered all funds held in it unusable.

In his proof of concept (PoC), published on GitHub, the researcher notes that more than $730 million in virtual assets resided in the Wormhole contract at the time of testing. In response, Wormhole approved the maximum payment set in its vulnerability rewards program.

The vulnerability was described as an updateable proxy implementation self-destruct bug, and was validated and fixed in late February only a few hours after the researcher submitted his report.

The bug arose because the implementation contract behind a Universal Upgradeable Proxy Standard (UUPS) proxy was left uninitialized after an earlier fix reverted the original initialization. An attacker could therefore have initialized it with their own Guardian set and then proceeded with an upgrade as a Guardian under their control.

From there, the attacker could force an upgrade attempt with submitContractUpgrade(), causing a DELEGATECALL to a malicious address; at that point a SELFDESTRUCT would permanently destroy the implementation contract.

Satya0x was pleased with their work and with the willingness shown by Wormhole and Immunefi, operator of the contract’s bug bounty program: “I am proud to have participated in the mitigation of this vulnerability.”

A reward of $10 million USD may seem excessive, but it makes sense in light of the large and frequent losses suffered by decentralized finance (DeFi) platforms. At the beginning of 2022, Wormhole itself lost $325 million USD in a cyberattack of unknown origin, so it is not surprising that its bug bounty program is so attractive to the ethical hacking community.


Critical vulnerability in Flux2, a Kubernetes continuous delivery tool, enables hacking between neighboring deployments
https://www.securitynewspaper.com/2022/05/19/critical-vulnerability-in-flux2-a-kubernetes-continuous-delivery-tool-enables-hacking-between-neighboring-deployments/
Published Thu, 19 May 2022 16:40:53 +0000

A recently disclosed vulnerability in Flux, a popular continuous delivery (CD) tool for Kubernetes, would reportedly allow tenants to sabotage the workloads of "neighbors" who share the same off-premises infrastructure.

Flux is an open and extensible CD solution to keep Kubernetes clusters in sync with configuration sources, and is used by firms across all industries, including Maersk, SAP, Volvo, and Grafana Labs, among many others. In its most recent version (Flux2), multi-tenant support was introduced, among other features.

The vulnerability was described as a remote code execution (RCE) flaw caused by improper validation of kubeconfig files, which can define commands to be executed to generate authentication tokens on demand: "Flux2 can reconcile the state of a remote cluster when a kubeconfig file exists with the correct access rights," notes a report posted on GitHub.

Paulo Gomes, a software engineer who collaborates at the Cloud Native Computing Foundation (CNCF), which originated GitOps and provides support for Flux and Kubernetes, mentions: “The tool can synchronize the declared state defined in a Git repository with the cluster in which it is installed, which is the most commonly used approach, or it can target a remote group.”

Gomes adds that the access required to target remote clusters depends largely on the intended scope; this is entirely flexible because Kubernetes RBAC offers a wide range of granularity. As a result, a malicious user with write access to a Flux source, or with direct access to the target cluster, can create a specially crafted kubeconfig file that executes arbitrary code in the controller container.

Under version 2 of the Common Vulnerability Scoring System (CVSS), this vulnerability was rated medium severity with a score of 6.8/10, because in single-tenant deployments the flaw is less dangerous: the privileges an attacker gains are roughly the same as those required to exploit it.

Under CVSS v3.1, however, the flaw scores 9.9/10, because that version includes a 'scope' metric that captures whether the flaw can affect resources beyond the security scope managed by the developers of the vulnerable component.

The flaw has already been addressed by the creators of the tool, so users of affected deployments are advised to upgrade as soon as possible.


GitHub was hacked. Source code is leaked from different repositories
https://www.securitynewspaper.com/2022/04/18/github-was-hacked-source-code-is-filtered-from-different-repositories/
Published Mon, 18 Apr 2022 16:35:17 +0000

In its latest security report, GitHub confirmed that a group of threat actors is using OAuth user tokens stolen from legitimate users to download data from private repositories. The campaign was detected a week ago, and dozens of compromised repositories have already been identified; all were using OAuth applications maintained by Heroku and Travis-CI.

Mike Hanley, GitHub’s chief security officer, confirmed the incident by mentioning that even the platform uses some of the affected apps: “Our analysis suggests that threat actors could be mining the contents of the downloaded private repository, to which the stolen OAuth token had access, in search of secrets that could be used to move to another infrastructure.”

The list of affected applications includes:

  • Heroku Dashboard (ID: 145909)
  • Heroku Dashboard (ID: 628778)
  • Heroku Dashboard – Preview (ID: 313468)
  • Heroku Dashboard – Classic (ID: 363831)
  • Travis CI (ID: 9216)

GitHub's security teams identified unauthorized access to its npm production infrastructure on April 12, when the threat actors used a compromised AWS API key. This key was likely obtained by downloading private npm repositories using the stolen tokens.

The tokens used for the attack were revoked when the platform identified the compromise. Hanley confirmed that the impact of the incident includes unauthorized access to private GitHub.com repositories, in addition to potential access to npm packages on its AWS S3 storage.

Even though threat actors could have stolen information from the compromised repositories, the platform has concluded that none of the packages were modified for malicious purposes: “npm uses an infrastructure independent of GitHub,” Hanley’s message ended.

Security teams on the platform are already working to notify affected users, in addition to maintaining an active investigation into the intrusion. To speed up the investigation, GitHub recommends users review their organizations’ audit logs, in addition to the security logs for each account to identify potential signs of attack.


GitHub releases updated versions of its local client after fixing 2 critical code execution vulnerabilities
https://www.securitynewspaper.com/2022/04/13/github-releases-updated-versions-of-its-local-client-after-fixing-2-critical-code-execution-vulnerabilities/
Published Wed, 13 Apr 2022 16:23:54 +0000

GitHub has announced the release of updated versions of its local client in order to fix two code execution vulnerabilities. The Microsoft-owned firm hopes to mitigate the risk of exploitation for affected users.

Tracked as CVE-2022-24765, the first flaw affects users of multi-user machines, where an untrusted user can create a C:\.git\config file on the Windows system that Git picks up whenever Git operations are run outside a repository.

Security engineer Taylor Blau mentions, “Since some configuration variables cause Git to execute arbitrary commands, a code execution scenario could present itself when working on a shared machine.” According to the report, there are several scenarios in which a user could be affected:

  • Users who installed posh-git
  • Git Bash users who set up GIT_PS1_SHOWDIRTYSTATE
  • IDE users such as Visual Studio
  • Users of the Microsoft Git branch are vulnerable simply by starting a Git Bash

CVE-2022-24767, on the other hand, resides in the Git for Windows uninstaller, which is vulnerable to dynamic link library (DLL) hijacking because the high-privilege SYSTEM account inherits TMP and TEMP settings that point to the world-writable directory C:\Windows\Temp.

The advisory for this vulnerability notes that the default system settings for TMP and TEMP point to C:\Windows\Temp, and the SYSTEM account inherits those settings: "Any authenticated user can place malicious .dll files that are loaded when the Git for Windows uninstaller is run under the SYSTEM account," the report states.

It should be noted that GitHub itself is not affected by these vulnerabilities. Users should nonetheless be aware of them and update their local Git installation, especially if they use Git for Windows or run Git on a multi-user machine.

The latest version of Git contains fixes for these flaws, so users are strongly encouraged to upgrade to Git v2.35.2. This version changes how Git searches for a top-level .git directory: the search now stops when a directory along the path is not owned by the current user.


Node-ipc JavaScript library was modified to include file deletion malware depending on the users' IP addresses
https://www.securitynewspaper.com/2022/03/29/node-ipc-javascript-library-was-modified-to-include-file-deletion-malware-depending-on-the-users-ip-addresses/
Published Tue, 29 Mar 2022 18:21:30 +0000

A security report indicates that the developer of the node-ipc JavaScript library, used by the vue.js framework, intentionally introduced a critical vulnerability that could prove disastrous for some users. Brandon Nozaki Miller, also known as RIAEvangelist, created node-ipc, describing it as a cross-process communication module for Node, supporting UNIX, TCP, TLS, and UDP sockets.

Miller apparently changed his code deliberately to overwrite data on the host system, and also modified it to display a message calling for world peace, as a protest against the war in Ukraine. GitHub confirmed that this is a critical vulnerability, tracked as CVE-2022-23812: "Malicious code is capable of overwriting arbitrary files depending on the user's geographic location," the platform notes.

At the beginning of March, node-ipc versions 10.1.1 and 10.1.2 were released. When imported as a dependency and executed, these versions of the library check whether the IP address of the host machine is associated with Russia or Belarus; if so, all files are overwritten with a heart symbol.

These versions contained a package created by Miller identified as peacenotwar, capable of creating a file called WITH-LOVE-FROM-AMERICA.txt on users’ desktops and in OneDrive folders. The file allegedly contains a phrase from the developer clamoring for peace, although some users who have seen the file claim that it is simply an empty text file.

Whenever another project uses node-ipc version 11 or 9.2.2 as a dependency, peacenotwar runs and leaves files on users' computers. Version 9.2.2 has since disappeared from the npm registry, along with the destructive 10.1.x versions. Vue.js, for example, pulled in node-ipc 9.2.2 while it was available, since 9.x is considered a stable branch, so there was a period when some Vue developers may have seen text files suddenly appear.

The good news is that few people were exposed to the destructive version of the library, as large applications and frameworks will have used the stable branch. Users who did install the newer versions could have lost files or found the manifesto left by the developer.


How anyone can easily steal Honda keyless cars. PoC published
https://www.securitynewspaper.com/2022/03/25/how-anyone-can-easily-steal-honda-keyless-cars-poc-published/
Published Fri, 25 Mar 2022 23:11:13 +0000

Cybersecurity specialists have found a variant of "replay attack" that would allow threat actors nearby to unlock and even start some keyless car models manufactured by Honda and Acura. According to the report, the attack consists of capturing the radio frequency signals sent from the electronic key fob to the car, which lets the attacker take control of the target vehicle without the genuine key.

The report indicates that the vulnerability especially affects older keyless car models, although fortunately there are methods to protect against this variant of hacking.

Tracked as CVE-2022-27254, the flaw was described as a variant of a Man-in-the-Middle (MitM) attack, or replay attack, in which cybercriminals intercept the radio frequency signals normally sent from a remote key fob to the car, manipulate them and retransmit them later in order to unlock the car doors.

This report was presented by researchers Blake Berry, Hong Liu, Ruolin Zhou and Sam Curry, who even released a video demonstrating the deployment of the attack. The researchers mention that the attack is functional mainly on Honda Civic models (LX, EX, EX-L, Touring, Si, Type R) launched between 2016 and 2020.

These kinds of mistakes are more frequent than you might think. In 2020, Berry reported a similar flaw in other Honda models and claims that the company simply ignored his report, exposing millions of drivers of models such as:

  • 2016 Honda Accord V6 Touring Sedan
  • 2017 Honda HR-V
  • 2018 Honda Civic Hatchback
  • 2020 Honda Civic LX

Apparently the same will happen with this new vulnerability, as Honda has announced no plans to update cars with legacy technology: "It appears that these attacks only work from a location very close to the target car, which requires local reception of radio signals from the vehicle owner's key fob when the vehicle is opened and started nearby," a company spokesperson said.

Honda does not confirm or deny that some of its models may be affected by this specific vulnerability, although it acknowledges that, if so, there are no plans to upgrade older vehicles, at least for the time being: “It is important to remember that while we are working to implement more advanced security features in the new models, threat actors are also working to improve their forms of attack,” the spokesperson adds.

Given this situation, the researchers recommend that owners of these vehicles keep their key fobs in a container that blocks the radio frequency signals the devices emit, known as a Faraday cage. These attacks depend entirely on intercepting the signal, so shielding the fob almost completely mitigates the risk of theft.


How to collect only valid evidence during forensic investigation and incident response processes instead of creating images of system memory
https://www.securitynewspaper.com/2022/03/13/how-to-collect-only-valid-evidence-during-forensic-investigation-and-incident-response-processes-instead-of-creating-images-of-system-memory/
Published Sun, 13 Mar 2022 18:30:00 +0000

The cybersecurity community understands cyber forensics as the procedures and methodological techniques used to identify, collect, preserve, extract, interpret, document and present the evidence of an investigation on a computer system, so that the resulting reports can demonstrate or rule out malicious activity on the affected systems.

Specialists say that this discipline plays a fundamental role in the investigation of cybercriminal incidents, although investigators often face multiple questions and crossroads during the analysis, unnecessarily increasing the workload. That is why it is necessary to find a way to make these processes more efficient.

On this occasion, experts from the cyber forensics course of the International Institute of Cyber Security (IICS) will show you Hoarder, a script created to collect and parse the most valuable elements for forensic investigations or incident response instead of imaging the entire hard drive.

Available on GitHub, this tool can be a great advantage for cyber forensics investigations, lightening the workload of experts and allowing the most characteristic features of a cyberattack to be identified.

Tool usage

Hoarder parses the Hoarder.yml configuration and generates an extensive help message from it for ease of use, the experts of the cyber forensics course note.

For example, to collect all the artifacts specified in Hoarder.yml, use any of the following equivalent commands:

> .\hoarder.exe --all
> .\hoarder.exe -a
> .\hoarder.exe

At the end of the execution, a ZIP file called <HOSTNAME>.zip is generated, containing all the collected artifacts together with hoarder.log, the script’s debug log.

To collect only the artifacts tagged with the parsing group, run the command:

> .\hoarder.exe -g parsing

Configuration

The tool ships with a default configuration (Hoarder.yml):

  • If you run the binary executable, the default Hoarder.yml settings are embedded in it; if you place your own Hoarder.yml next to hoarder.exe, it is used instead of the embedded defaults
  • If you run from source, you can modify Hoarder.yml, or rename it and supply your own Hoarder.yml configuration

An artifact entry for collecting and parsing files or folders is defined with the following fields:

  • Events: name of the artifact; this name is used as an argument on the hoarder command line
  • Output: output folder for this artifact
  • path32: path to the artifact on 32-bit systems
  • path64: path to the artifact on 64-bit systems
  • Files: file names (or patterns) to collect
  • Groups: function as tags; each artifact can be configured to be part of one or more groups
  • Parsers: one or more parsers to run on this artifact
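To make the collection workflow described above concrete, here is an added example of a minimal Hoarder-style collector written in Python. It is not Hoarder’s own code: the configuration is a constructed Python dict whose field names mirror the ones listed above (output, path32, path64, files, groups, parsers) rather than a real Hoarder.yml, the artifact paths and sample files are constructed under a temporary directory, and the result is a <HOSTNAME>.zip with a hoarder.log inside, as the article describes. The log additionally records a SHA-256 per collected file, which the page does not mention but which an investigator wants in order to prove the evidence was not altered after collection.

```python
"""Minimal Hoarder-style artifact collector (added example, not Hoarder's code).
The config mirrors the fields named in the article; paths, files and contents
are constructed for the demonstration and live under a temporary root."""
import fnmatch
import hashlib
import json
import os
import socket
import sys
import tempfile
import zipfile

# Constructed configuration using the same field names the article describes.
CONFIG = {
    "Events": {"output": "Events", "path32": r"Windows\System32\winevt\Logs",
               "path64": r"Windows\System32\winevt\Logs",
               "files": ["Security.evtx", "System.evtx"],
               "groups": ["parsing", "events"], "parsers": ["evtx_dump"]},
    "Prefetch": {"output": "Prefetch", "path32": r"Windows\Prefetch",
                 "path64": r"Windows\Prefetch", "files": ["*.pf"],
                 "groups": ["parsing", "execution"], "parsers": []},
    "Hosts": {"output": "Hosts", "path32": r"Windows\System32\drivers\etc",
              "path64": r"Windows\System32\drivers\etc", "files": ["hosts"],
              "groups": ["network"], "parsers": []},
}

# Constructed sample files standing in for real artifacts (demo input only).
SAMPLE_FILES = {
    "Windows/System32/winevt/Logs/Security.evtx": b"ElfFile\x00security-sample",
    "Windows/System32/winevt/Logs/System.evtx": b"ElfFile\x00system-sample",
    "Windows/System32/winevt/Logs/Application.evtx": b"ElfFile\x00not-requested",
    "Windows/Prefetch/CMD.EXE-12345678.pf": b"MAM\x04prefetch-sample",
    "Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n",
}

def build_sample_tree(root):
    """Write the constructed sample files under root."""
    for rel, data in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

def sha256_file(path):
    """Hash a file in chunks so large artifacts need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def artifact_dir(root, spec, is_64bit):
    """Choose path64 or path32 for the artifact and root it under root."""
    rel = spec["path64"] if is_64bit else spec["path32"]
    return os.path.join(root, *rel.replace("\\", "/").split("/"))

def selected(spec, groups):
    """No group filter (-a/--all) selects everything; a group list (-g)
    selects artifacts carrying at least one of the requested tags."""
    return groups is None or any(g in groups for g in spec["groups"])

def collect(root, config, groups=None, is_64bit=None, dest_dir=None):
    """Copy matching files into <HOSTNAME>.zip plus hoarder.log; return
    (zip_path, manifest) where the manifest holds size and SHA-256 per file."""
    if is_64bit is None:
        is_64bit = sys.maxsize > 2 ** 32
    zip_path = os.path.join(dest_dir or os.getcwd(), socket.gethostname() + ".zip")
    manifest, log = {}, []
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, spec in config.items():
            if not selected(spec, groups):
                continue
            src_dir = artifact_dir(root, spec, is_64bit)
            entries = []
            if not os.path.isdir(src_dir):
                log.append(json.dumps({"artifact": name, "error": "missing", "path": src_dir}))
            else:
                for fname in sorted(os.listdir(src_dir)):
                    src = os.path.join(src_dir, fname)
                    if not os.path.isfile(src) or not any(
                            fnmatch.fnmatch(fname, pat) for pat in spec["files"]):
                        continue
                    arcname = spec["output"] + "/" + fname
                    zf.write(src, arcname)
                    entry = {"file": arcname, "size": os.path.getsize(src),
                             "sha256": sha256_file(src), "parsers": spec["parsers"]}
                    entries.append(entry)
                    log.append(json.dumps({"artifact": name, **entry}))
            manifest[name] = entries
        zf.writestr("hoarder.log", "\n".join(log) + "\n")
    return zip_path, manifest

def run_demo(groups=None, is_64bit=True):
    """Run the collector over the constructed tree; return (zip members, manifest)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        zip_path, manifest = collect(root, CONFIG, groups, is_64bit, dest_dir=root)
        with zipfile.ZipFile(zip_path) as zf:
            return sorted(zf.namelist()), manifest

if __name__ == "__main__":
    members, manifest = run_demo(groups=["parsing"])  # equivalent of -g parsing
    print("zip members:", members)
    for name, entries in manifest.items():
        for e in entries:
            print(f"{name}: {e['file']} sha256={e['sha256'][:16]}...")
```

Running it stand-alone performs the equivalent of `-g parsing`: only the Events and Prefetch artifacts are packed, the Hosts entry (tagged network) is skipped, and Application.evtx is left behind because it does not match the configured file names. The parsers field is carried into the log so a later stage knows which parser to run on each file; actually invoking parsers is outside this example.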

Parsing

Starting with version 4.0.0, Hoarder supports parsing the collected artifacts. As mentioned in the IICS cyber forensics course, there are three main parts to parsing:

  • parsers.zip: contains the binaries, scripts and data files of your parsers. To add your own parsers, place a parsers.zip file containing all of them next to hoarder.exe
  • configuration: in Hoarder.yml, add the command for your parser
  • command-line arguments: -pa makes Hoarder collect both the raw and the parsed artifacts, and -n makes it collect only the parsing results

Commands and plugins

The researchers of the cyber forensics course mention that the tool contains the following features:

  • Plugins: preset functions within the script that can be called for specific results, such as processes and services
  • Commands: defined within Hoarder.yml to execute custom built-in commands

The tool also supports the execution of system commands, for example the systeminfo command, whose output is collected alongside the other artifacts.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, and more information on the cyber forensics course feel free to access the International Institute of Cyber Security (IICS) websites.

Code from the BotenaGo botnet is posted on GitHub. Millions of companies at risk of DDoS attack
https://www.securitynewspaper.com/2022/01/27/code-from-the-botenago-botnet-is-posted-on-github-millions-of-companies-at-risk-of-ddos-attack/ (Thu, 27 Jan 2022 17:38:34 +0000)

In late 2021, an AT&T security team published research on a new malware variant written in Golang, a popular open-source programming language. The source code of this malware, known as BotenaGo, was recently published on GitHub, so experts fear that a new wave of attacks will begin using this malicious development, mainly through the use of botnets capable of compromising Internet of Things (IoT) devices globally.

The researchers detected that BotenaGo’s source code has been available in the repository since October 16, 2021, allowing any malicious hacker to use, modify, and update it for the deployment of their own attack campaigns, primarily denial of service (DoS) attacks against IoT devices. The repository that stores this code also includes some hacking tools supported by BotenaGo.

According to the report, the malware’s source code consists of 2891 lines of code, in addition to dozens of empty lines and developer comments. In the opinion of AT&T experts, this is a simple but effective malware that has all the necessary tools to perform an attack, including:

  • Reverse shell and telnet loader, for the implementation of a backdoor in charge of receiving C&C commands
  • Automatic configuration of the 33 malware exploits, leaving hackers with everything ready to attack the affected system and infect it with a suitable payload according to the characteristics of the system

The top of the source code contains a comment listing the exploits supported by BotenaGo.

The malware is capable of executing 33 exploit functions targeting different IoT routers and devices, which it registers by calling the scannerInitExploits function.

Each malicious function contains the exploit settings and a payload specific to the affected system. Some exploits are a sequence of commands, such as multiple “GET” requests; the screenshot in the report shows the exploitation of CVE-2020-10987.

In addition, the code contains additional configuration for a remote server, available payloads, and a path to folders that contain additional script sequence files for execution on infected devices.

Faced with the risk of attack, the researchers issued a list of recommendations that should mitigate the impact of this malware:

  • Maintain minimal exposure to the Internet on Linux servers and IoT devices
  • Use a properly configured firewall
  • Install security and firmware updates as soon as possible
  • Check your system for unnecessary open ports and suspicious processes

As mentioned above, the availability of this code can become a serious issue for users of IoT devices, whether in home, enterprise or industrial environments. In addition to the risk of DoS attacks, the source code could prove useful for the development of other malware variants, further extending the problem.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

New critical vulnerability similar to log4j discovered in Java applications with H2 databases
https://www.securitynewspaper.com/2022/01/07/new-critical-vulnerability-similar-to-log4j-discovered-in-java-applications-with-h2-databases/ (Fri, 07 Jan 2022 17:23:02 +0000)

Cybersecurity specialists report the detection of a new critical vulnerability that resides in the JNDI of the H2 database console, exploitable in an attack similar to Log4Shell. Although a level of exploitation similar to that of the Log4j flaws is not foreseen, the cybersecurity community is already analyzing the potential risks derived from this flaw, which will be tracked as CVE-2021-42392.

JFrog researchers explain that JNDI is an API that provides naming and directory functionality for Java applications, while H2 is a widely used open-source Java SQL database, adopted primarily by Internet of Things (IoT) device manufacturers.

According to the report, this flaw was detected in early December; it allows URLs controlled by threat actors to trigger unauthenticated remote code execution, letting them take control of affected deployments.

Experts consider this to be the first critical flaw found since Log4Shell that exploits the same root cause without being part of Log4j: “There are likely to be more packets affected by the same root cause as Log4Shell, accepting arbitrary JNDI search URLs. We have adjusted our automated vulnerability detection framework to account for the javax.naming.Context.lookup function as a dangerous function and released the framework in the Maven repository to find issues similar to Log4Shell,” the researchers report.

The H2 database package was one of the first to be validated and reported to its developers, who immediately released a new version, available on GitHub. Experts add that several code paths in the H2 database framework pass unfiltered, attacker-controlled URLs to the javax.naming.Context.lookup function, which allows a remote codebase to be loaded.

In the report, H2 database users are asked to upgrade their deployments to the latest version available: “If you are running an H2 console that is exposed to your LAN, this issue is extremely critical and you should upgrade your H2 database to version 2.0.206 immediately,” JFrog adds.
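A defender acting on the upgrade advice above first needs to know which builds pull in an affected H2 release. The following added example (not JFrog’s scanner or H2’s own code) audits a Maven pom.xml for the com.h2database:h2 dependency and flags any version below 2.0.206, the fixed release named in the report. The pom.xml content is constructed for the demonstration; the `${property}` resolution only consults the project’s own <properties> block, so versions inherited from a parent POM or defined in profiles are reported unresolved rather than guessed.

```python
"""Audit a Maven pom.xml for H2 versions below the 2.0.206 fix (added example).
The pom.xml below is constructed for the demonstration."""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (2, 0, 206)   # first release the article names as fixed

# Constructed sample pom.xml: one affected H2 dependency via a property,
# plus an unrelated dependency that must be ignored.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <properties><h2.version>1.4.200</h2.version></properties>
  <dependencies>
    <dependency>
      <groupId>com.h2database</groupId>
      <artifactId>h2</artifactId>
      <version>${h2.version}</version>
    </dependency>
    <dependency>
      <groupId>org.postgresql</groupId>
      <artifactId>postgresql</artifactId>
      <version>42.3.1</version>
    </dependency>
  </dependencies>
</project>
"""

def parse_version(text):
    """Turn '2.0.206' into a comparable (major, minor, patch) tuple.
    Non-numeric suffixes are ignored and missing components become 0."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def is_vulnerable(version_text):
    """True when the declared H2 version predates the fixed release."""
    if version_text.startswith("${"):
        return None  # unresolved property: cannot decide, report for review
    return parse_version(version_text) < FIXED_VERSION

def h2_versions_in_pom(pom_xml):
    """Return every version declared for com.h2database:h2, resolving
    ${...} placeholders from the project's own <properties> block."""
    root = ET.fromstring(pom_xml)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    q = (lambda tag: f"{{{ns}}}{tag}") if ns else (lambda tag: tag)
    props = {}
    props_el = root.find(q("properties"))
    if props_el is not None:
        for child in props_el:
            props[child.tag.split("}")[-1]] = (child.text or "").strip()
    found = []
    for dep in root.iter(q("dependency")):
        gid = dep.findtext(q("groupId"), "").strip()
        aid = dep.findtext(q("artifactId"), "").strip()
        ver = dep.findtext(q("version"), "").strip()
        if gid == "com.h2database" and aid == "h2":
            ver = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)), ver)
            found.append(ver)
    return found

def audit_pom(pom_xml):
    """Return [(version, vulnerable)] for each H2 dependency; vulnerable is
    True, False, or None when the version could not be resolved."""
    return [(v, is_vulnerable(v)) for v in h2_versions_in_pom(pom_xml)]

if __name__ == "__main__":
    for version, vulnerable in audit_pom(SAMPLE_POM):
        status = {True: "UPGRADE to >= 2.0.206", False: "ok", None: "unresolved"}[vulnerable]
        print(f"com.h2database:h2 {version}: {status}")
```

The check is deliberately conservative: an unresolved placeholder is reported as undecided rather than assumed safe, and a pre-release suffix such as `2.0.206-SNAPSHOT` compares as 2.0.206, which a reviewer should confirm by hand. Transitive H2 dependencies do not appear in a pom.xml and need a resolved dependency tree instead.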

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
