Hundreds of networks reportedly hacked in Codecov supply-chain attack
Following up on a story we have been covering this week, new reporting from Reuters indicates that hundreds of customer networks were breached in the Codecov incident, expanding its scope well beyond Codecov's own systems. Codecov is an online code coverage platform that integrates with GitHub projects to generate coverage reports and statistics. In this attack, threat actors extracted a credential from a flawed Codecov Docker image and used it to alter the Bash Uploader script that Codecov's customers run in their CI pipelines, so the modified script executed inside customer build environments. Codecov has over 29,000 customers, including GoDaddy, Atlassian, The Washington Post, and Procter & Gamble, making this a noteworthy supply-chain incident.
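The pattern the attack abused is the common habit of pulling a CI helper script fresh on every build and piping it straight into a shell. As an added example (not Codecov's code, and not a reproduction of the real script or of the real modification), here is the check a pipeline can put in front of execution: pin the script's SHA-256 out of band and refuse to run anything that does not match. The script contents, the tampering and the `fetch` callable are all constructed for the demo.

```python
import hashlib
import hmac
from typing import Callable

# Constructed stand-in for a CI uploader script; the real Codecov Bash Uploader is not reproduced.
GOOD_SCRIPT = b"#!/bin/sh\necho 'uploading coverage report'\n"
# Constructed tampering: one appended line. Any change, however small, must fail the check.
TAMPERED_SCRIPT = GOOD_SCRIPT + b"# appended by an attacker (constructed, not the real modification)\n"

# The pinned digest is the value you record out of band (a vendor-published checksum, or the
# hash of the copy you reviewed), NOT something fetched from the same place as the script.
# It is computed from the known-good bytes here only so the demo runs offline.
PINNED_SHA256 = hashlib.sha256(GOOD_SCRIPT).hexdigest()


def verify_script(script: bytes, pinned_hex: str) -> bool:
    """True only if sha256(script) equals the pinned digest (constant-time compare)."""
    return hmac.compare_digest(hashlib.sha256(script).hexdigest(), pinned_hex)


def load_verified(fetch: Callable[[], bytes], pinned_hex: str) -> bytes:
    """Fetch the script bytes and return them only if they match the pin; raise otherwise.
    `fetch` is an assumed callable (for example a wrapper around your HTTP client)."""
    script = fetch()
    if not verify_script(script, pinned_hex):
        raise RuntimeError("uploader script does not match pinned SHA-256; refusing to run it")
    return script


def pipeline_step(fetch: Callable[[], bytes], pinned_hex: str) -> str:
    """What replaces `bash <(curl -s https://example.invalid/uploader)` in a CI job: the script
    is only handed to the shell after verification. Returns a status string for the demo
    instead of executing, so the check itself can be exercised without a shell."""
    try:
        load_verified(fetch, pinned_hex)
    except RuntimeError as exc:
        return f"blocked: {exc}"
    return "ok: script verified, safe to pass to `sh`"


if __name__ == "__main__":
    print(pipeline_step(lambda: GOOD_SCRIPT, PINNED_SHA256))      # ok: ...
    print(pipeline_step(lambda: TAMPERED_SCRIPT, PINNED_SHA256))  # blocked: ...
```

The pin has to live somewhere the attacker who controls the download cannot also rewrite (your repository, not the vendor's CDN), and updating it should be a reviewed change, which is exactly the review step a silently modified upstream script bypasses.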
Remote code execution vulnerabilities uncovered in smart air fryer
Researchers from Cisco Talos have disclosed two remote code execution (RCE) vulnerabilities in the Cosori Smart 5.8-Quart Air Fryer, a Wi-Fi-connected kitchen appliance that lets users control cooking temperature, times, and settings remotely over the internet. According to Talos, Cosori did not "respond appropriately" within the typical 90-day disclosure window, which is why the findings are now public. Consumers may consider such a device innocuous, but it is an example of an IoT endpoint whose compromise gives an attacker a foothold on the home network, from which other devices there, or targets elsewhere, can be reached.
Biden administration unveils plan to defend electric sector from cyberattacks
The Department of Energy (DOE) yesterday announced a 100-day plan to shore up the U.S. electric power system against cyber threats. The plan, rolled out with the private sector and CISA, is meant to help owners and operators develop more comprehensive detection, mitigation and forensic capabilities. It focuses on getting industrial control system (ICS) owners and operators to select and deploy technologies that provide real-time awareness of cyber threats and the ability to respond to them, and it encourages deployment of technologies that improve visibility into threats across both ICS and operational technology (OT) networks.
Pulse Secure VPN zero-day used to hack defense firms and government organizations
Pulse Secure has shared mitigation measures for a zero-day authentication bypass vulnerability in the Pulse Connect Secure SSL VPN appliance that is being actively exploited against US Defense Industrial Base (DIB) networks and organizations worldwide. To address the vulnerability, tracked as CVE-2021-22893 and rated at the maximum 10/10 severity score, Pulse Secure advises customers to upgrade to the fixed server software. As a workaround, the vulnerability can be mitigated on some gateways by disabling the Windows File Share Browser and Pulse Secure Collaboration features, following the instructions in the company's security advisory.
Thanks to our episode sponsor, Palo Alto Networks
Microsoft revitalizes store, opens up options for developers
Microsoft is working on a new Store app for Windows 10 that will include a visual redesign and, more importantly, changes to the policies governing what kinds of apps developers can submit to the store. According to Zac Bowden of Windows Central, the changes will allow developers to submit unpackaged Win32 apps to the Store, host apps and updates on their own content delivery network (CDN), and use third-party commerce platforms in apps, all without changing their existing code, as was previously required.
Fake Microsoft Store, Spotify sites spread info-stealing malware
Our previous story about Microsoft's new Store design takes on greater significance given that attackers are promoting sites impersonating the Microsoft Store and Spotify that distribute malware to steal credit card numbers and passwords saved in web browsers. The campaign, discovered by cybersecurity firm ESET, uses ads for things like online chess games or free trials of Spotify premium services. Clicking on these ads leads to convincing fake web pages, which download the Ficker information-stealing Trojan onto the victim's system.
Lazarus hacking group now hides payloads in BMP image files
Although hiding malicious code in images is not new, the techniques keep improving. North Korea's Lazarus group has tweaked its loader obfuscation by abusing image files in a recent phishing campaign. The attack chain begins with a Korean-language Microsoft Office document that asks victims to enable macros in order to view the content. The macro displays a pop-up claiming the file was created in an old version of Office, but in the background extracts an executable HTA file that is stored zlib-compressed inside a PNG image embedded in the document. The PNG is converted to BMP format, which decompresses the zlib data and exposes the HTA; this drops a loader for a Remote Access Trojan (RAT), written to disk as "AppStore.exe" on the target machine. Because the malicious object sits inside the PNG's compressed image data, it is invisible to static scanners that inspect the document without inflating the image, which is what lets it evade signature-based detection.
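The defensive takeaway is that any scanner which pattern-matches the raw document bytes will miss an object that only exists after the PNG's IDAT stream is inflated (the PNG-to-BMP conversion the macro performs is, in effect, that inflation). As an added example, not code from the page or from any vendor, the block below builds a constructed PNG carrier with a harmless HTA-like stub appended inside the compressed pixel data, then shows that marker strings are absent from the raw file but present once the IDAT chunks are decompressed. The marker list and the embedded stub are assumptions for the demo, not indicators from the actual campaign.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Constructed stand-in for the embedded object; harmless markup that only looks like an HTA.
EMBEDDED_OBJECT = (b"<html><script language='VBScript'>"
                   b"Set o = CreateObject(\"WScript.Shell\")</script></html>")

# Assumed marker strings a scanner might look for; not real campaign indicators.
MARKERS = (b"<script", b"<html", b"CreateObject", b"WScript.Shell", b"<hta:")


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def build_png_with_payload(width: int, height: int, payload: bytes) -> bytes:
    """Minimal 8-bit greyscale PNG whose single IDAT stream is zlib(scanlines + payload).
    Appending past the last scanline is the constructed carrier for this demo."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)  # bit depth 8, colour type 0
    scanlines = b"".join(b"\x00" + bytes([row % 256] * width) for row in range(height))
    idat = zlib.compress(scanlines + payload)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def iter_chunks(png: bytes):
    """Yield (type, data) for each chunk; stops at IEND or truncated input."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        yield ctype, data
        if ctype == b"IEND":
            break


def find_markers(blob: bytes) -> list:
    low = blob.lower()
    return [m for m in MARKERS if m.lower() in low]


def scan_png(png: bytes) -> tuple:
    """Return (markers seen in the raw file bytes, markers seen after inflating IDAT)."""
    raw_hits = find_markers(png)
    idat = b"".join(data for ctype, data in iter_chunks(png) if ctype == b"IDAT")
    try:
        inflated = zlib.decompress(idat)
    except zlib.error:
        inflated = b""  # corrupt or non-zlib stream: nothing to inspect
    return raw_hits, find_markers(inflated)


if __name__ == "__main__":
    carrier = build_png_with_payload(16, 4, EMBEDDED_OBJECT)
    raw, inflated = scan_png(carrier)
    print("raw file markers:     ", raw)       # []
    print("inflated IDAT markers:", inflated)  # [b'<script', b'<html', b'CreateObject', b'WScript.Shell']
```

The practical rule for a document scanner follows directly: embedded images are not opaque blobs, so inflate IDAT (and, in the same spirit, any other zlib- or deflate-compressed stream the container carries) and run content matching on the result as well as on the raw bytes.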
Japanese police say Tick APT is linked to Chinese military
Japanese law enforcement believes a group of hackers linked to the Chinese military are behind a broad cyber-espionage campaign that has breached more than 200 Japanese companies and organizations since at least 2016. Japanese news agencies said the suspects used fake IDs to register web servers between 2016 and 2017. The servers were later used by a Chinese hacker group known as Tick to launch attacks against Japanese companies and research institutes active in the aviation and national defense sectors.