Risky Biz News: Threat actor stole data for 100,000 npm users

In other news: New Office zero-day; Russia tests VPN ban; and FIDO2 security flaws.

This newsletter is brought to you by Airlock Digital, Rumble Network Discovery, Proofpoint, and Thinkst Canary. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

The threat actor who gained access to GitHub's platform in early April 2022 was able to escalate access to GitHub's npm infrastructure and steal the data of more than 100,000 npm user accounts, GitHub said last week, in an update to its original breach disclosure.

The breach initially happened after the threat actor gained access to OAuth tokens used by the Heroku and Travis CI services to integrate with the GitHub platform.

Initially, it was believed that the hacker was looking to harvest private source code from GitHub users who were using Heroku or Travis CI integrations.

But last week, following additional investigations, GitHub said the threat actor "was able to escalate access to npm infrastructure" as well. From there, they collected:

  • An archive of user information from 2015. This contained npm usernames, password hashes, and email addresses for roughly 100k npm users.
  • All private npm package manifests and package metadata as of April 7, 2021.
  • A series of CSVs containing an archive of all names and version numbers of published versions of all npm private packages as of April 10, 2022.
  • Private packages from two organizations.

GitHub said the threat actor didn't modify any source code hosted on its platform and began resetting npm user account passwords for affected accounts.

As a side-effect of this investigation, the company said that it also found an internal logging tool that had logged credentials in cleartext, which it has now corrected.

General tech and privacy

VPN blocks in Russia: The Russian government appears to be carrying out tests to block VPN protocols inside the country. According to reports, VPN protocols like L2TP, IKEv2, and IPsec are getting blocked in certain regions. Last year, Roskomnadzor, Russia's communications watchdog, began blocking access to some popular VPN services. After Russia's invasion of Ukraine, the Russian government also began blocking access to many western websites as a way to control the messaging around the war. This block caused an even larger migration of regular Russians to VPN services, which may explain why Russia is now testing a block of the underlying VPN protocols themselves.

Google details new Chrome hardening plans: The Google security team published a blog post last week detailing some of the steps it is taking to harden Chrome against the common memory-safety attacks on the browser, typically enabled by its C++ codebase. In addition, the company also published the design document of Ubercage, the new sandbox system that will be included with the V8 JavaScript engine inside Chrome.

More Chrome security: Chrome v103, to be released next month, will also feature a new security mechanism that will block iframes from opening external protocol links.

Even more Chrome security: There are also new security features for Chrome Enterprise and Chrome OS.

Government, politics, and policy

Spain Pegasus scandal: Spain's prime minister vowed to tighten the oversight of the country's spy agencies after powerful spyware was found on the phones of several Spanish politicians earlier this year.

Cybercrime and threat intel

REvil prosecution in Russia: Russian news outlet Kommersant reported last week that the prosecution of REvil suspects detained at the behest of US authorities in January this year has stalled, with Russian prosecutors claiming they have not yet received the evidence to try the suspects from their American counterparts. The brief collaboration between the two countries stopped after Russia's invasion of Ukraine. [h/t Oleg Shakirov] [English language coverage in Cyberscoop]

Infraud sentence: A 37-year-old named John "Peterelliot" Telusma was sentenced last week to four years in prison. Telusma was a member of the Infraud cybercrime ring, which dabbled in the sale of stolen credit card data.

DOJ goes after BEC actor's funds: The US Department of Justice moved last month to seize almost $4.5 million (151.85 BTC) in funds owned by a suspect accused of BEC schemes. Olalekan Jacob Ponle, who went online as "Mr. Woodbery," was charged and arrested in June 2020. As cybersecurity veteran Gary Warner pointed out on Friday, the DOJ intervened to seize the funds after a mysterious entity moved the Bitcoin to a new address.

FBI alert: The FBI said in a PIN alert last week that credentials for US colleges and universities are being widely advertised across Russian cybercrime forums. The agency is now warning organizations about a possible rise in attacks targeting their institutions. The full alert is here: PDF.

Facebook good-bot suspended: It appears that Meta has suspended a bot account created by a security researcher to detect and report romance scam profiles on its Facebook Dating service. gg, Meta!

Malware technical reports

EnemyBot: AT&T Alien Labs has published a report on EnemyBot, a strain of multi-platform malware that has seen a spike in usage in recent months. Currently, the botnet has been observed targeting IoT devices, web servers, Android devices, and content management system (CMS) servers. The malware, whose source code is publicly available, is primarily used to build botnets for DDoS attacks.

Vulnerabilities and bug bounty

Office zero-day: Security researcher Nao_Sec discovered last week a new zero-day vulnerability that was being used to run malicious code on user systems via malicious Office Word documents. Security researcher Kevin Beaumont has a write-up on this new zero-day, called Follina, and so does Huntress.

FIDO2 vulnerabilities: A team of academics said last week that they found vulnerabilities in the Client-to-Authenticator Protocol (CTAP2), a part of the FIDO 2.0 authentication standard, that could allow for MITM scenarios in which an attacker impersonates a client to the authenticator. A research paper is available here, while a summary is available via itnews.

Microsoft's Android research: Microsoft's vulnerability research team said they found four critical security flaws in a mobile framework developed by mce Systems that is currently used inside several Android system apps pre-installed on most Android devices. The vendor patched the bugs—which allowed command injection and privilege escalation attacks—last year. The bugs may also impact non-system apps developed by third-party app developers and even some iOS apps.

KrbRelayUp: Microsoft has published instructions on how to detect and stop attacks carried out using a new tool released last month named KrbRelayUp.

Fuchsia OS: We now have the first kernel attack against Google's upcoming Fuchsia OS, courtesy of Positive Technologies.

Infosec industry

BSides Knoxville 2022: Videos from BSides Knoxville 2022, which took place two weeks ago, are now on YouTube.