Introduction
Hello, and welcome to our security news weekly review here on DEV. In this edition, 80% of the articles are about malware, and 20% are about a vulnerability.
So, everyone, let's get started.
Malicious VSCode extensions with millions of installs discovered
As a developer, this can be hard to keep on top of, because you already have more things to worry about while coding than whether an extension could be malicious. Nonetheless, you should know this exists, and hope that Microsoft puts stricter policies in place for extensions that find their way into the VS Code Marketplace. My advice: install only the extensions you actually need in VSCode.
The following is an excerpt from the article:
VSCode extensions are an abused and exposed attack vertical, with zero visibility, high impact, and high risk. This issue poses a direct threat to organizations and deserves the security community’s attention.
More_eggs Malware Disguised as Resumes Targets Recruiters in Phishing Attack
Irrespective of your job, don't think "Who would target me? I don't offer any value." No, no, no, don't think that. As detailed in the article, the would-be victim was a recruiter, but the attack was not successful. What's more, beware of using pirated software, because it can be a lure to get something dangerous onto your computer.
Read the following excerpt and take time to read the full article linked above:
More_eggs campaigns are still active and their operators continue to use social engineering tactics such as posing as job applicants who are looking to apply for a particular role and luring victims (specifically recruiters) to download their malware
Phishing emails abuse Windows search protocol to push malicious scripts
This is a dangerous combination: phishing, a legitimate Windows feature, and finally a malicious script. We might as well call it a nightmare. Armed with this knowledge, be wary of opening HTML attachments from your email.
What's more, here is an excerpt from the article:
The recent attacks described in the Trustwave report start with a malicious email carrying an HTML attachment disguised as an invoice document placed within a small ZIP archive. The ZIP helps evade security/AV scanners that may not parse archives for malicious content.
The HTML file uses the `<meta http-equiv="refresh">` tag to cause the browser to automatically open a malicious URL when the HTML document is opened.
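To make the attachment pattern in the excerpt concrete, here is an added triage script (my own example, not code from the post or from the Trustwave report). It opens a ZIP attachment in memory, pulls out the HTML members, finds every `<meta http-equiv="refresh">` tag, and reports where the redirect points and which URL scheme it uses. A redirect in an emailed "invoice" should only ever be `http` or `https`; the `search-ms:` scheme is the Windows search protocol the article's title refers to, and it hands the URL to Explorer instead of the browser. The sample ZIP, the HTML inside it and the `search-ms:` target are constructed for the demo, not real samples.

```python
import io
import re
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A redirect in an emailed "invoice" should only ever point at http(s).
# Anything else (search-ms:, file:, ms-*: ...) is handed to a local protocol handler.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample target: the shape of a Windows search-protocol URL that
# points Explorer's search at a remote share (documentation IP range).
SAMPLE_TARGET = r"search-ms:query=INVOICE&crumb=location:\\198.51.100.10@80\share&displayname=Invoice"


class MetaRefreshParser(HTMLParser):
    """Collect the url= part of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        # content looks like "0; url=..." (case-insensitive, quotes optional)
        m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
        if m:
            self.targets.append(m.group(1).strip())


def find_meta_refresh_targets(html_text):
    """Return the redirect targets declared by meta-refresh tags in an HTML string."""
    parser = MetaRefreshParser()
    parser.feed(html_text)
    parser.close()
    return parser.targets


def triage_zip(zip_bytes):
    """One finding per meta-refresh redirect found in the HTML members of a ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".htm", ".html")):
                continue  # the lure in the report is an HTML file inside the ZIP
            text = zf.read(info).decode("utf-8", errors="replace")
            for target in find_meta_refresh_targets(text):
                scheme = urlsplit(target).scheme.lower()
                findings.append({
                    "member": info.filename,
                    "target": target,
                    "scheme": scheme,
                    "suspicious": scheme not in ALLOWED_SCHEMES,
                })
    return findings


def build_sample_attachment():
    """Constructed sample: a small ZIP holding an 'invoice' HTML that redirects to SAMPLE_TARGET."""
    html = (
        '<html><head><meta http-equiv="refresh" content="0; url=' + SAMPLE_TARGET + '">'
        "</head><body>Loading your invoice...</body></html>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_2024.html", html)
        zf.writestr("readme.txt", "not html, ignored by the triage")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_attachment()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{f['member']}: {flag} scheme={f['scheme']!r} -> {f['target']}")
```

The point of looking inside the ZIP rather than at the ZIP itself is the evasion described in the excerpt: a scanner that does not parse archives never sees the `<meta>` tag. The scheme check is deliberately an allow-list, so any new non-HTTP handler an attacker reaches for is flagged without having to know its name in advance.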
New Cross-Platform Malware 'Noodle RAT' Targets Windows and Linux Systems
It's scary when malware is cross-platform, especially when it targets two popular operating systems used by millions of people. The excerpt below is a quick overview of how the malware works.
The Windows version of Noodle RAT, an in-memory modular backdoor, has been put to use by hacking crews like Iron Tiger and Calypso. Launched via a loader due to its shellcode foundations, it supports commands to download/upload files, run additional types of malware, function as a TCP proxy, and even delete itself.
Ransomware attackers quickly weaponize PHP vulnerability with 9.8 severity rating
The bug was first reported on June 7, 2024. Now, a week later, some have already fallen victim to threat actors taking advantage of the vulnerability. I encourage you to read the article, starting with the excerpt below. It briefly explains the conditions under which the bug applies.
CVE-2024-4577 affects PHP only when it runs in a mode known as CGI, in which a web server parses HTTP requests and passes them to a PHP script for processing. Even when PHP isn’t set to CGI mode, however, the vulnerability may still be exploitable when PHP executables such as php.exe and php-cgi.exe are in directories that are accessible by the web server.
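The excerpt names two exposure conditions: PHP running through the CGI interface, and the PHP executables sitting in a directory the web server publishes. As an added example (my own, not from the Ars Technica article or the PHP project), here is a heuristic audit of an Apache httpd configuration for exactly those two conditions. The directive names (`Action`, `AddHandler`, `SetHandler`, `Alias`, `ScriptAlias`) are standard Apache; the sample config, its paths and the "install directory ends in /php" heuristic are assumptions made for the demo, modelled on a Windows layout because the excerpt talks about `php.exe` and `php-cgi.exe`.

```python
# Directives that route requests to php-cgi, i.e. PHP in CGI mode.
CGI_ROUTING_DIRECTIVES = ("action", "addhandler", "sethandler")
# Directives that map a filesystem directory to a URL prefix.
MAPPING_DIRECTIVES = ("alias", "scriptalias")
# Executables the excerpt says must not sit in a web-reachable directory.
PHP_BINARIES = ("php-cgi.exe", "php.exe", "php-cgi")


def _strip_quotes(s):
    return s.strip().strip("\"'")


def audit_httpd_conf(conf_text):
    """Return (line_no, reason, line) for each line matching one of the two exposure conditions."""
    findings = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue  # comments and <Section> markers carry no directive
        parts = line.split(None, 2)          # directive, first argument, remainder
        directive = parts[0].lower()
        args = line[len(parts[0]):].strip().lower()

        # Condition 1: PHP served through the CGI interface
        if directive in CGI_ROUTING_DIRECTIVES and (
            "php-cgi" in args or ("cgi-script" in args and ".php" in args)
        ):
            findings.append((n, "PHP is handled via CGI", line))
            continue

        # Condition 2: the PHP install directory or a PHP binary published under a URL
        # (heuristic: the mapped directory is named "php" or contains a PHP binary name)
        if directive in MAPPING_DIRECTIVES and len(parts) == 3:
            target = _strip_quotes(parts[2]).replace("\\", "/").lower()
            if target.rstrip("/").endswith("/php") or any(b in target for b in PHP_BINARIES):
                findings.append((n, "PHP directory or binary reachable from the web", line))
    return findings


# Constructed sample in the shape of an XAMPP-style Windows layout; not a real file.
SAMPLE_CONF = """
# php loaded as an Apache module, plus a leftover CGI mapping
LoadModule php_module "C:/xampp/php/php8apache2_4.dll"
<IfModule alias_module>
    Alias /static/ "C:/xampp/htdocs/static/"
    ScriptAlias /php-cgi/ "C:/xampp/php/"
</IfModule>
<FilesMatch "\\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
Action application/x-httpd-php-cgi "/php-cgi/php-cgi.exe"
AddHandler application/x-httpd-php-cgi .php
"""


if __name__ == "__main__":
    for line_no, reason, line in audit_httpd_conf(SAMPLE_CONF):
        print(f"line {line_no}: {reason}: {line}")
```

In the sample, the `SetHandler application/x-httpd-php` line is mod_php and is left alone, while the `ScriptAlias` that publishes the whole `php/` directory and the two directives that route `.php` to `php-cgi.exe` are flagged. This is a config-level check only: it does not cover FastCGI wrapper modules or a reverse proxy in front of php-cgi, and a clean result is not proof that a host is unaffected, so patching to a fixed PHP release is still the actual fix.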
Credits
Cover photo by Debby Hudson on Unsplash.
That's it for this week, and I'll see you next time.