Tag: malicious

Malware attacks on Docker Hub spread millions of malicious repositories

Post author By lisa nichols
Post date May 2, 2024
No Comments on Malware attacks on Docker Hub spread millions of malicious repositories

[ad_1]

Cybersecurity researchers from JFrog recently discovered three malicious campaigns in Docker Hub – Docker’s cloud-based registry service for storing and sharing container images. These campaigns contained millions of repositories that pushed generic trojan malware to the developers.

The conclusion of JFrog’s findings is that with open-source repositories such as Docker Hub, keeping them clean of malware is an immensely difficult task.

As the researchers explained, Docker Hub repositories have two key aspects: the images (an application that can be updated and accessible through a fixed name), and the metadata (short descriptions and documentation in HTML format, which will be displayed on the repository’s main page).

Millions of bad repositories

“Usually, repository documentation aims to explain the purpose of the image and provide guidelines for its usage,” the researchers explained.

However, roughly 4.6 million repositories contained no Docker images, meaning they couldn’t be run using a Kubernetes cluster, or a Docker engine – they were practically useless. They just contained the overview page which tried to trick the developers into visiting phishing websites, or other pages hosting malicious code.

Of the 4.6 million repositories, 2.81 million were linked to three campaigns: “Downloader”, “eBook Phishing”, and “Website SEO”.

In terms of the number of malicious repositories, Downloader was the biggest one, amounting to almost 10% of the entire share (1,453,228 repositories). However, it did not have as many users (9,309) as, for example, Website SEO (194,699). The latter, however, only took up 1.4% of the share, having a “mere” 215,451 repositories.

With 7.1% of the share, eBook Phishing was the second, with 1,069,160 repositories. It only had 1,042 users though.

JFrog disclosed its findings to Docker, which prompted the project to remove the malicious repositories – 3.2 million of them.

“Unlike typical attacks targeting developers and organizations directly, the attackers in this case tried to leverage Docker Hub’s platform credibility, making it more difficult to identify the phishing and malware installation attempts,” JFrog said.

“Almost three million malicious repositories, some of them active for over three years highlight the attackers’ continued misuse of the Docker Hub platform and the need for constant moderation on such platforms.”

Malicious Google Ads found promoting a fake IP scanner that just wants to steal your data

Post author By lisa nichols
Post date April 19, 2024
No Comments on Malicious Google Ads found promoting a fake IP scanner that just wants to steal your data

[ad_1]

Security researchers have spotted another malicious advertising campaign in Google Ads that sees hackers impersonating multiple legitimate software companies.

While definitely not the first of its kind, this campaign was said to be unique for distributing a sophisticated Windows backdoor.

The campaign was first spotted by cybersecurity researchers from Zscaler Threat labs, who noted between November 2023, and March 2024, unidentified threat actors registered at least 45 domains. All of them were typosquatted versions of port scanning and IT management software companies, such as Advanced IP Scanner, Angry IP Scanner, IP scanner PRTG, and ManageEngine.

New malware

Then, they somehow managed to create an ad campaign on Google Ads to promote these sites. Usually, hackers would do it by obtaining access to a legitimate Google Ads account, possibly one with a proven track record of “clean” ads.

Consequently, whoever would search for this type of software on Google would be presented with these ads in the top of the search engine results page, as well as in other locations reserved for ads. Those who would open the site, and download the programs offered there, would end up getting the MadMxShell backdoor.

This backdoor, The Hacker News reports, is a brand new piece of malware. Its infection chain is relatively long, and includes multiple DLL and EXE files.

“The backdoor uses techniques such as multiple stages of DLL side-loading and DNS tunneling for command-and-control (C2) communication as a means to evade endpoint and network security solutions, respectively,” the researchers explained.

“In addition, the backdoor uses evasive techniques like anti-dumping to prevent memory analysis and hinder forensics security solutions.”

So far, the researchers don’t know who the attackers are, or what their motives for the campaign might be. A backdoor has numerous use cases, from data theft and espionage, to unauthorized access, setting up persistence, and even remote control.

Chrome to offer constant, real-time protection against malicious sites 24/7

Post author By lisa nichols
Post date March 15, 2024
No Comments on Chrome to offer constant, real-time protection against malicious sites 24/7

[ad_1]

Google is upgrading Chrome’s Safe Browsing security tool by allowing it to provide constant protection against suspicious websites in real-time.

Before going into the update itself, it’s worth covering the backstory. Safe Browsing gives the Chrome browser a list of thousands of well-known, unsafe websites on the internet. Whenever you visit a webpage, the software will check to see if it’s on the list. If it’s there, Chrome will immediately block it and bring up a warning page telling you to stay away. According to Google’s Security Blog, that list is updated every 30 to 60 minutes 24/7. However, the bad actors behind these malicious websites have adapted to the changing landscape.

Google states a majority of these unsafe web pages littering the internet are only around “for less than 10 minutes”. Because the list refreshes every 30 minutes or so, there is a blind spot within this time frame. Bad actors are exploiting the blind spot and slipping through Chrome’s defenses. It’s a small window of opportunity, but it’s enough to do a lot of damage.

The solution here, as mentioned earlier, is to provide real-time protection.

Security boost

It’s important to note the security boost is being made to Safe Browsing’s Standard Protection mode. A company representative told us Enhanced mode already has these capabilities, but Google is essentially closing the gap a bit.

The way the new default will work is a little complicated, so here’s a quick breakdown.

Let’s say you visit a website not on Chrome’s list. The browser will then take the page’s URL, break it down into smaller bits of data, and send the packet to a third-party privacy server owned by Fastly, a company specializing in cloud computing. The server then analyzes the data and matches what it finds against its own database. If anything weird is found, Chrome is alerted and will warn you to stay away.

Of course, there’s more to it than that. We didn’t go over exactly how the browser breaks down the URL. If you want more details, we recommend checking out the blog post and Google’s URL hashing guidance page.

Activating the enhanced Safe Browsing does require more information than normal. But it’s important to note that neither Google nor Fastly will receive any user identifiers. IP addresses will not be collected. All the security checks you send over are mixed in with requests from other people so it’s all one big mess. And because Fastly runs the server independently, Google has no access to the data.

The same representative from earlier told us the upgrade is live on Chrome for desktop and iOS, but not for Android. That’s coming later on in the month.

Because it’ll be the default, you don’t have to manually activate it. To obtain the tool, start by clicking the three dots in the upper right corner. Go to Help, then select About Google Chrome. The installation will begin automatically. Relaunch the browser once prompted.

Return to the Settings menu, select Privacy and Security on the left, then go to the Security tab. Expand Safe Browsing and you should see Safe Browsing’s standard mode with the updated text. We didn’t receive the patch at the time of this writing, so the image below is still the old version. It’s just an example of what you might see.

Chrome's Safe Browsing

(Image credit: Future)

Since the Android version isn’t out yet, we can’t show you its process although we suspect it’ll be very similar to the desktop experience.

It’s unknown what kind of extra information Google will ask from its users. Presumably, the data it’ll want will be the same listed under the Enhanced mode: system information, extension activity, and the like. We reached out to Google for more details. This story will be updated at a later time.

To learn how to further beef up your computer’s security, check out TechRadar’s roundup of the best antivirus software for 2024.

[ad_2]

Source Article Link

Tags Chrome, constant, malicious, offer, protection, realtime, Sites

Featured

Watch out — these malicious PyPl packages could drain your wallet, and they’ve already been downloaded thousands of times

[ad_1]

Be careful when downloading Python packages from PyPI – researchers have found some are malicious and looking to steal your cryptocurrency haul.

Cybersecurity researchers from ReversingLabs recently discovered seven such packages, whose goal is to steal BIP39 mnemonic phrases from its victims.

A cryptocurrency wallet is secured in two ways: with a password, and with a mnemonic phrase (a set of either 12 or 24 seemingly random words). When a user sets up a wallet, they generate a mnemonic phrase and a password. A password is used to log into the wallet, while the mnemonic phrase is used to restore the wallet, in case it needed to be installed on a different device or hardware wallet.

BIPClip has been in operation for over a year

By stealing the phrases, hackers would be able to load other people’s wallets onto their own devices, essentially getting unrestricted access to the funds.

Cumulatively, the packages were downloaded almost 7,500 times, before the researchers notified PyPI and the malware was removed. These are their names, so make sure you haven’t downloaded them:

jsBIP39-decrypt (126 downloads)
bip39-mnemonic-decrypt (689 downloads)
mnemonic_to_address (771 downloads)
erc20-scanner (343 downloads)
public-address-generator (1,005 downloads)
hashdecrypt (4,292 downloads)
hashdecrypts (225 downloads)

ReversingLabs dubbed the campaign BIPClip, and claim it kicked off in early December 2022.

“This is just the latest software supply chain campaign to target crypto assets,” security researcher Karlo Zanki said in a report shared with TheHackerNews. “It confirms that cryptocurrency continues to be one of the most popular targets for supply chain threat actors.”

PyPI, being one of the largest and most popular Python package repositories on the internet, is often the target of supply chain attacks. Hackers frequently impersonate legitimate packages, trying to trick developers into downloading malicious versions which exfiltrate their sensitive data and deploy malware and ransomware. At one point last year, PyPl was forced to suspend new projects and user sign-ups following a flood of malware.