Risky Biz News: GitHub aflood with fake and malicious PoCs

In other news: Iran nuclear agency hacked; $60 million ransom demanded from UK car dealership Pendragon; and DormantColors spreads malicious Chrome and Edge extensions.

This newsletter is brought to you by Airlock Digital, Proofpoint, runZero, and Thinkst Canary. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

If you're a security researcher or IT admin tasked with defending your network and you download proof-of-concept code from GitHub, there's a one in ten chance that you will download and run a fake or malicious exploit, according to the results of a sprawling study performed by academics from Leiden University in the Netherlands.

The researchers said they downloaded and analyzed 47,313 GitHub repositories containing PoC code for known vulnerabilities discovered between 2017 and 2021.

The research team analyzed if the exploit code communicated with known malicious IP addresses, if the exploit contained any obfuscated hexadecimal or Base64 code, or if the exploit contained known trojanized binaries.

The team said that using this analysis method, they identified 4,893 malicious repositories—roughly 10.3% of all the scanned repos. Sixty of these are still live today; the researchers told BleepingComputer in an interview.

Academics said the number of malicious repositories was high in 2019, 2020, and 2021, compared to 2017 and 2018. The researchers argued that this happened because those three years saw "a few CVEs that have had a massive security impact" rather than threat actors focusing on this particular distribution method.

Among the most dangerous examples the research team saw, they found exploits laced with Cobalt Strike backdoors, infostealers, and a plethora of remote access trojans.

Besides obviously malicious PoCs focused on collecting and exfiltrating data or infecting machines with malware, the Leiden University team also saw fake or joke PoCs where there was no malintent, such as your obligatory rick-roll.

The infosec community went past its childish naivety stage a long time ago, so most researchers and IT admins don't run PoCs directly on their production systems these days (hopefully 🤞). This study just puts a number on the chances of getting infected with malware if you're running PoCs shared by some unknown account named PapaSmurf, rather than waiting for someone like Rapid7 or TrustedSec to release one.

Breaches and hacks

Argentina's army gets ransomwared: Argentina's Joint Chief of Staff of the Armed Forces disconnected its IT network last week after the agency suffered a ransomware attack. Local media reported that the incident prevented army officials from holding their regular security meetings, including ones with international partners.

$60mil ransom demand: Pendragon, one of the UK's largest car dealerships, said it was hacked and held for ransom by the LockBit ransomware gang, which requested a whopping $60 million to decrypt the company's files—one of the largest ransomware demands ever reported.

METRO incident: EU retail giant METRO disclosed a cybersecurity incident that has been affecting its ability to provide IT services to its stores in Austria, Germany, and France. According to German IT blogger Günter Born, the IT outage has been causing issues for the company since at least October 17.

Carousell data breach: A hacker is selling the personal details of nearly 2 million users registered on the portal of Carousell, a Singapore-based buy-and-sell portal. The figure sounds small, but it actually accounts for nearly 40% of Singapore's entire population.

Iran nuclear agency hack: A hacktivist group calling itself Black Reward took credit for hacking Iran's Atomic Energy Organization and released more than 50GB of data containing emails, contracts, and construction plans related to Iran's Russian-backed nuclear power plant in Bushehr. The group also requested the release of recent political prisoners detained in the Mahsa Amini anti-government protests over the past month. The Iranian government confirmed the incident on Sunday.

Government, politics, and policy

Australia to increase data breach penalties: Following a string of high-profile hacks over the past month (Optus, Telstra, Medibank, Woolworths, and EnergyAustralia), Australian government officials plan to introduce legislation this week to significantly increase penalties for repeated or serious privacy breaches. According to officials, the new law will increase maximum penalties from the current $2.22 million penalty to $50 million, or even 30% of the company's adjusted turnover in the relevant period.

New TSA cybersecurity directive: The Transportation Security Administration (TSA) unveiled new cybersecurity regulations for passenger and freight railroad carriers last week. The new rules take effect on October 24 and will last one year. Railroad companies are now mandated to deploy network segmentation policies that separate OT systems from other IT networks—in case of compromise. In addition, carriers will also have to deploy threat detection systems and timely patches for operating systems, applications, drivers, and firmware. [Additional coverage in The Record]

India's spy agency bought NSO Group hardware: The OCCRP reported last week that India's Intelligence Bureau, the country's main domestic intelligence agency, bought hardware from the Israeli spyware firm NSO Group that matches the description of equipment used to deploy the Pegasus spyware.

RunZero (formerly Rumble Network Discovery) is one of this newsletter's four main supporters and this week's featured sponsor. The company's main product is its network discovery and asset inventory platform, which can be used to find any managed and unmanaged assets inside a customer's network. To learn more, please check out this runZero product demo below:

Cybercrime and threat intel

Pop star hacker sentenced: Adrian Kwiatkowski, a 22-year-old from the UK, was sentenced last week to 18 months in prison for hacking the personal accounts of famous pop stars, stealing unreleased music, and then selling it online in exchange for cryptocurrency. According to the UK Crown Prosecution Service, Kwiatkowski was in possession of 565 stolen and unreleased songs and admitted to officials to selling two unreleased songs by British pop star Ed Sheeran and 12 songs by American musician Lil Uzi Vert.

Widespread VMWare abuse: Fortinet reported widespread abuse of CVE-2022-22954, a VMWare vulnerability patched earlier this year in April. Threat actors abusing this vulnerability include groups deploying the Mirai DDoS malware, the RAR1ransom ransomware strain, and the GuardMiner crypto-mining gang.

Facebook hacking groups: Meta removed more than 45 Facebook groups and pages that were advertising hacking services and hacked accounts following a Bloomberg and Cisco Talos investigation. The groups had more than 1 million combined members, including three with more than 100,000 members.

New malware threats: Red Canary, which runs a monthly ranking of the top malware threats it sees online, said it saw three new malware families break into its Top 10 for the month of October:

  • Web Companion (#6) – a program that, if given permission, can access and change users' browser settings
  • Zloader (#7) – a banking trojan with many variants; while it originally focused on credential theft, in more recent years, it's delivered pre-ransomware payloads on behalf of several ransomware families
  • PureCrypter (#8) – Multi-stage encrypted malware suite that uses process injection to deliver and execute additional malicious payloads such as information stealers or remote access tools

DormantColors: Guardio Security researchers published details on DormantColors, a threat actor specialized in distributing malicious Chrome and Edge browser extensions. According to researchers, this group relies on malvertising to promote their sites, a novel way to side-load malicious code, which it then uses to steal browsing and search data, and also hijack affiliate IDs on more than 10,000 websites. Guardio said they named the group DormantColors because most of their extensions provide UI color customization features. All the group's extensions were hosted on the official stores. Extension IDs are in the company's blog post, and a list of names is embedded below.

Team Mysterious Bangladesh: Indian security firm CloudSEK said it found evidence that Team Mysterious Bangladesh, a group of pro-Bangladesh hacktivists, are planning cyberattacks against various Indian targets.

Daixin Team: CISA, the FBI, and the HHS published an advisory on Daixin Team, a cybercrime group that has been predominantly targeting US healthcare companies with ransomware and data extortion operations.

TommyLeaks and SchoolBoys: Two new recently discovered ransomware operations named TommyLeaks and SchoolBoys are actually run by the threat actor. According to BleepingComputer, the group has been active since last month and built its ransomware encrypter/decrypter using the leaked LockBit ransomware builder.

New Sparta group: A new ransomware hack-and-leak group named Sparta has compromised and extorted at least 12 victims. Despite being a new threat actor, Sparta ranked fourth behind LockBit, BlackBasta, and AlphV, in NCC Group's monthly threat. In the meantime, the IceFire group appears to have taken a hiatus, not having listed any new victims last month after ranking in the Top 10 in August.

Malware technical reports

Exbyte: Broadcom's Symantec team published a report on Friday on Exbyte, a data exfiltration toolkit used by one of the affiliates of the Blackbyte RaaS. The Exbyte exfiltration tool is written in Go and designed to upload stolen files to the Mega.co.nz cloud storage service.

Dark Crystal RAT: Splunk researchers have a report out on the Dark Crystal RAT, or DCRat, a common payload used by low-sophisticated threat groups these days.

Black Basta ransomware: Check Point has a technical breakdown of the Black Basta ransomware code.

Android bankers: Dr.Web researchers said they uncovered a series of Android shopping apps meant to infect Malaysian users with a banking trojan.

More on URSNIF (Gozi/IFSB): After Mandiant's report last week on URSNIF and its pivot from a banking trojan to a modular backdoor malware, CSIS researchers published a report on the malware's technical underlayers and the gang behind it.

RomCom backdoor: CERT-UA says they saw a spear-phishing campaign targeting Ukrainian organizations last week, distributing a version of the RomCom backdoor malware. Authorities said they believe a threat actor named UNC2596 (Tropical Scorpius) is behind the attacks. This is the same group believed to operate the Cuba ransomware. BlackBerry's security team also has an in-depth look at the technical side of this campaign, although they have not linked it to Cuba ransomware operators.

APTs and cyber-espionage

WarHawk: Zscaler has a report out on WarHawk, a new backdoor deployed by the Indian SideWinder (Rattlesnake) APT in attacks against Pakistani targets.

Konni malware: South Korean security firm ESTsecurity analyzed a malicious Android app they linked to Konni, a North Korean APT.

Winnti APT: Malwarebytes has a report on a new cyber-espionage campaign targeting government entities in Sri Lanka. The company linked this operation to the Winnti APT group.

Fortinet gear APT abuse: CYFIRMA researchers said they'd observed the APT34 group exploiting CVE-2022-40684, a recently disclosed/patched authentication bypass in Fortinet devices.

"The suspected threat actors are US17IRGCorp aka APT34, HAFNIUM, and its affiliates in the ongoing campaign' درب عقب' translating to 'Tailgate'."

APT27 intrusion: French security firm INTRINSEC published a step-by-step technical breakdown of an APT27 (LuckyMouse, EmissaryPanda) intrusion, during which the Chinese espionage group breached a network, lay in hiding for 11 months, and stole 3TB of data from their victim over the span of 17 days.

Vulnerabilities and bug bounty

SHA-3 buffer overflow: US cryptographer Nicky Mouha unveiled details on CVE-2022-37454, a vulnerability in eXtended Keccak Code Package (XKCP), a library that implements various cryptographic schemes. The vulnerability impacts XKCP's SHA-3 implementation and allows attackers to execute arbitrary code or can eliminate expected cryptographic properties. Fixes were deployed last week for XKCP and its implementations for Python, PHP, and Ruby.

Autodesk vulnerabilities: Fortinet researchers published details on 24 vulnerabilities in various Autodesk software products, including many remote code execution issues.

Infosec industry

BSides Portland 2022 videos: Talks from the BSides Portland 2022 security conference, which took place earlier this month, are available on YouTube.