Security news weekly round-up - 8th September 2023

Habdul Hazeez - Sep 8 '23 - Dev Community

Introduction

This week's review is mostly about malware, application and cloud security, vulnerabilities and phishing.


Beware of MalDoc in PDF: A New Polyglot Attack Allowing Attackers to Evade Antivirus

Even with all the security software on your computer, you have to be extra vigilant. If you ever doubt that, this article is proof that you should not. Here is what's going on:

The sneaky method, dubbed MalDoc in PDF by JPCERT/CC, is said to have been employed in an in-the-wild attack in July 2023. Put differently, the PDF document embeds within itself a Word document with a VBS macro that's designed to download and install an MSI malware file if opened as a .DOC file in Microsoft Office.
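A defender-side triage check for the kind of file the excerpt describes, as an added example that is not from the original article or from JPCERT/CC: it flags files that carry a PDF header but also contain Word/MHT markers. The marker list, the function name and the sample bytes are assumptions constructed for illustration, not a published signature.

```python
import re

# Markers are assumptions chosen for this illustration, not a published signature.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls compound file header
MIME_MARKERS = (
    re.compile(rb"^MIME-Version:\s*1\.0", re.I | re.M),
    re.compile(rb"^Content-Type:\s*multipart/related", re.I | re.M),
)
MACRO_HINTS = (b"vbaProject", b"editdata.mso", b"application/x-mso")


def triage_pdf_polyglot(data: bytes) -> dict:
    """Report Office-document indicators found inside a file that has a PDF header."""
    # Some PDF readers accept the %PDF- header anywhere in the first 1024 bytes.
    is_pdf = b"%PDF-" in data[:1024]
    findings = []
    if is_pdf:
        if OLE2_MAGIC in data:
            findings.append("ole2-compound-file")
        # A Word "single file web page" (MHT) is a MIME multipart/related archive.
        if all(p.search(data) for p in MIME_MARKERS):
            findings.append("mime-html-archive")
        lowered = data.lower()
        findings += [f"macro-hint:{h.decode()}" for h in MACRO_HINTS
                     if h.lower() in lowered]
    return {"pdf_header": is_pdf, "findings": findings, "suspicious": bool(findings)}


# Constructed samples: a minimal plain PDF, and the same bytes followed by
# MHT-style headers only (no document body and no macro content).
PLAIN_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
POLYGLOT = PLAIN_PDF + (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="----=_NextPart_constructed"\r\n\r\n'
    b"------=_NextPart_constructed\r\n"
    b"Content-Location: file:///C:/constructed/editdata.mso\r\n"
    b"Content-Type: application/x-mso\r\n\r\n"
)

if __name__ == "__main__":
    for name, blob in (("plain.pdf", PLAIN_PDF), ("polyglot.pdf", POLYGLOT)):
        print(name, triage_pdf_polyglot(blob))
```

A hit is a reason to inspect the file with a macro-aware analysis tool before anyone opens it, not a verdict on its own.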

Developers Warned of Malicious PyPI, NPM, Ruby Packages Targeting Macs

If you're a developer and you're using a Mac, please be careful. As the title says, malicious packages are targeting your systems. All the packages have one thing in common: they harvest system information.

Here is more for you:

Threat actors have started uploading malicious packages to PyPI, NPM, and RubyGems repositories in a new campaign aimed at stealing user information, software supply chain security firm Phylum reports. The first malicious packages were uploaded to PyPI and NPM repositories over the weekend, specifically targeting macOS users.

Thousands of Popular Websites Leaking Secrets

Dear site admins, please check that you're not leaking sensitive information that could have severe consequences for the site you manage. That advice isn't from me; it's what the article is indirectly telling you to do:

All (100%) had repo permissions, which would enable an attacker to take arbitrary actions against all of the victim user’s repositories, including, but not limited to implanting malware in the code.

Password-Stealing Chrome Extension Demonstrates New Vulnerabilities

Keep calm. It's academic research 😊. Still, we should be worried that browser extensions can do this. The details are technical, but here is what's going on:

Once loaded into the DOM tree, the lack of security boundaries allows the extension to leverage the DOM APIs to gain access to all DOM elements and extract the value of the input elements. Google.com and Cloudflare.com are two top websites impacted by this vulnerability.

How a Chinese Espionage Group Exploited Microsoft’s Mistakes

Stories like this remind me of "No System is Safe". Behind the scenes, it was a "race condition" that led to the exposure of a signing key. The aforementioned actors used this, and the rest, as they say, is history. More from the story:

Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (“crash dump”). The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump.

‘Atomic macOS Stealer’ Malware Delivered via Malvertising Campaign

Dear Mac users, I know, this is the second article that concerns you. Please, stay safe to the best of your abilities. Moreover, it's really scary as seen in the following excerpt:

“The malware is bundled in an ad-hoc signed app meaning it’s not an Apple certificate, so it cannot be revoked. Once executed, it will keep prompting for the user password in a never ending loop until victims finally relent and type it in,” Malwarebytes explained.

New Phishing Campaign Launched via Google Looker Studio

The Curious Case of Using a Legitimate Tool for Malicious Purposes (Did you notice what I did 🤔? Let me know in the comments section!). Now, the story is for real; here is why:

This is a long way of saying that hackers are leveraging Google’s authority. An email security service will look at all these factors and have a good deal of confidence that it is not a phishing email, and that it comes from Google. And it does! Because the attack is nested so deep, all the standard checks will pass with flying colors.

Credits

Cover photo by Debby Hudson on Unsplash.


That's it for this week, and I'll see you next time.
