Security news weekly round-up - 3rd May 2024

Habdul Hazeez - May 3 - Dev Community

Introduction

It's another weekly review, and I welcome you all to this week's edition. Today, we'll cover articles about malware, artificial intelligence, vulnerabilities, attacks against Android applications, and online user accounts.


Bogus npm Packages Used to Trick Software Developers into Installing Malware

This is a social engineering attempt that leverages the pressure of a job interview to trick developers into installing malware. It's difficult to give one rule for staying safe here. However, it's best to avoid interviews that instruct you to download and run a package as part of the interview process.

Here is why:

"During these fraudulent interviews, the developers are often asked to perform tasks that involve downloading and running software from sources that appear legitimate, such as GitHub," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said. "The software contained a malicious Node JS payload that, once executed, compromised the developer's system."

BBC presenter’s likeness used in advert after firm tricked by AI-generated voice

If something is created by a person with good intentions, there is still a high tendency that it will be misused for personal gain or to wreak havoc. Such is the case with artificial intelligence, from systems that generate text to those that can clone your voice. The latter applies to this article. It turns out that the scammers tricked a firm into thinking that the presenter had consented to an advertisement; as a result, the firm paid them, believing the money was going to the presenter.

Here is an excerpt from the article:

The person assuming Bonnin’s identity gave Carter a phone number and email address. They also provided him with contact details from someone pretending to be from the Wildlife Trusts, the charity where Bonnin serves as president. He said the deal was negotiated via WhatsApp and emails. He also claims he spoke to one of the scammers impersonating Bonnin over the phone on at least one occasion.

Vulnerability in R Programming Language Could Fuel Supply Chain Attacks

The good news is that it has been fixed. The bad news is that you are vulnerable if you have not updated to the latest version of R. The excerpt below briefly explains the vulnerability.

A vulnerability in the R programming language implementation can be exploited to execute arbitrary code when a malicious RDS file is loaded and referenced, and could be used as part of a supply chain attack.

Deepfake of Principal’s Voice Is the Latest Case of AI Being Used for Harm

This one is closely related to the BBC presenter impersonation above. It was dangerous and required the involvement of law enforcement.

Here is a brief of what happened:

The fake audio clip that impersonated the principal is an example of a subset of artificial intelligence known as generative AI. It can create hyper-realistic new images, videos and audio clips. It’s cheaper and easier to use in recent years, lowering the barrier to anyone with an internet connection.

The fake recording contained racist and antisemitic comments, police said. The sound file appeared in an email in some teachers’ inboxes before spreading on social media.

Microsoft Warns of ‘Dirty Stream’ Vulnerability in Popular Android Apps

It's programming-related, and it prompted Google to publish an article warning developers about it.

Here is an excerpt from the article:

The issue is related to a data and file sharing mechanism on Android, specifically the content provider component and its ‘FileProvider’ class, which enables file sharing between installed applications. Improperly implementing this mechanism can introduce potentially serious vulnerabilities.
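Dirty Stream, as Microsoft described it, comes down to a receiving app that saves a shared file under whatever name the sending app's content provider reports, which lets a malicious sender steer the write outside the intended directory. Below is an added example, not code from the article or from Microsoft's or Google's guidance: a hardened Java receiver that treats the reported name as untrusted input and confines the write to the app's private storage. The class and method names are hypothetical.

```java
import android.content.ContentResolver;
import android.content.Context;
import android.database.Cursor;
import android.net.Uri;
import android.provider.OpenableColumns;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

public final class SafeFileReceiver {

    // Name the sending app advertises for the shared file; a malicious sender
    // controls this value entirely, so it is treated as untrusted input.
    static String queryDisplayName(ContentResolver resolver, Uri uri) {
        String[] cols = {OpenableColumns.DISPLAY_NAME};
        try (Cursor c = resolver.query(uri, cols, null, null, null)) {
            return (c != null && c.moveToFirst()) ? c.getString(0) : null;
        }
    }

    // Reduce the untrusted name to one safe path component: drop any directory
    // prefix, replace unexpected characters, and reject empty, "." and "..".
    static String sanitizeName(String untrusted) {
        if (untrusted == null) return null;
        String name = new File(untrusted).getName().replaceAll("[^A-Za-z0-9._-]", "_");
        return (name.isEmpty() || name.equals(".") || name.equals("..")) ? null : name;
    }

    // Copy the shared stream into the app's private "received" directory and
    // refuse any target whose canonical path would land outside that directory.
    static File receive(Context ctx, Uri uri) throws IOException {
        File dir = new File(ctx.getFilesDir(), "received");
        if (!dir.isDirectory() && !dir.mkdirs()) throw new IOException("cannot create dir");
        String name = sanitizeName(queryDisplayName(ctx.getContentResolver(), uri));
        if (name == null) throw new IOException("rejected file name from sender");
        File target = new File(dir, name);
        if (!target.getCanonicalPath().startsWith(dir.getCanonicalPath() + File.separator)) {
            throw new IOException("target path escapes destination directory");
        }
        try (InputStream in = ctx.getContentResolver().openInputStream(uri);
             OutputStream out = new FileOutputStream(target)) {
            if (in == null) throw new IOException("cannot open shared stream");
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) > 0; ) out.write(buf, 0, n);
        }
        return target;
    }
}
```

The canonical-path check is the last line of defence: even if a future change weakens sanitizeName, a name that resolves outside the "received" directory is still refused before anything is written.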

Maximum-severity GitLab flaw allowing account hijacking under active exploitation

The article's title says it all. What's more, it's tracked as CVE-2023-7028 with a severity rating of 10 out of a maximum of 10.

Here is how the vulnerability works:

The vulnerability, classified as an improper access control flaw, could pose a grave threat. GitLab software typically has access to multiple development environments belonging to users. With the ability to access them and surreptitiously introduce changes, attackers could sabotage projects or plant backdoors that could infect anyone using software built in the compromised environment.

Credits

Cover photo by Debby Hudson on Unsplash.


That's it for this week, and I'll see you next time.
