Weekly Cyber Reports

This Week in Cyber 23rd June 2023

Latest news and views from our Cyber Analysts

Written by

Team Nucleus

Written on

22nd June, 2023


Millions of GitHub Repositories Likely Vulnerable to RepoJacking Attack

A study by security firm Aqua reveals that millions of GitHub repositories are exposed to a supply chain attack known as RepoJacking, including repositories belonging to organizations such as Google and Lyft. RepoJacking becomes possible when a GitHub user or organization renames or deletes its account: an attacker registers the old name and creates a repository with the same name as the original project. Any build script, package manifest or documentation that still references the old owner/repo path then fetches code from the attacker-controlled repository, compromising the software supply chain of everything downstream. The researchers found that 2.95% of a 1.25 million-repository sample were vulnerable, which extrapolates to millions of repositories across GitHub. GitHub addressed related concerns in 2022, but the protection does not cover every case, which is why so many exposed repositories remain. To mitigate the risk, organizations are advised to periodically scan their code for references to external repositories and to retain ownership of former organization names after a rename.
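The "scan your code for external repository links" advice above is only useful if the scan also tells you whether each referenced namespace is still held by its original owner. The following is an added example (not Aqua's tooling and not code from the page): it extracts owner/repo references from manifest text and classifies each one using GitHub's redirect behaviour, where a renamed repository answers with a 301 to the new owner and an unregistered owner page answers 404. The manifest fragments and the HTTP responses in DEMO_RESPONSES are constructed for an offline run; the owner names in them are hypothetical. Swap demo_fetch for http_fetch to audit a real manifest.

```python
import re
from http.client import HTTPSConnection
from typing import Callable, Dict, List, Optional, Tuple

# Matches github.com/<owner>/<repo> in https URLs, ssh-style "github.com:" refs and Go module paths.
GITHUB_REF = re.compile(r"github\.com[/:]([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)")

# A fetcher takes a github.com path and returns (HTTP status, Location header or None).
Fetcher = Callable[[str], Tuple[int, Optional[str]]]


def extract_github_refs(text: str) -> List[Tuple[str, str]]:
    """Pull unique (owner, repo) pairs out of manifest, lockfile or Dockerfile text."""
    refs: List[Tuple[str, str]] = []
    for owner, repo in GITHUB_REF.findall(text):
        if repo.endswith(".git"):
            repo = repo[:-4]
        if (owner, repo) not in refs:
            refs.append((owner, repo))
    return refs


def http_fetch(path: str) -> Tuple[int, Optional[str]]:
    """HEAD a github.com path without following redirects (http.client never follows them)."""
    conn = HTTPSConnection("github.com", timeout=10)
    conn.request("HEAD", path, headers={"User-Agent": "repojacking-audit"})
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location")


def classify(owner: str, repo: str, fetch: Fetcher = http_fetch) -> Tuple[str, str]:
    """Return (verdict, detail) for one reference.

    'claimable' means the old owner name is unregistered, so anyone can recreate
    owner/repo and capture every consumer that still uses the old path.
    """
    status, location = fetch(f"/{owner}/{repo}")
    if status == 200:
        # Served under the original name. This cannot distinguish the genuine project
        # from a namespace that has already been re-registered by someone else.
        return "resolves", "no redirect; verify the owner is still who you expect"
    if status in (301, 302) and location:
        match = GITHUB_REF.search(location)
        new_owner = match.group(1) if match else "?"
        owner_status, _ = fetch(f"/{owner}")
        if owner_status == 404:
            return "claimable", f"renamed to {new_owner}; old namespace {owner} is free"
        return "renamed", f"now {new_owner}/{repo}; old namespace {owner} still occupied"
    if status == 404:
        owner_status, _ = fetch(f"/{owner}")
        if owner_status == 404:
            return "claimable", f"repository and owner {owner} are both gone"
        return "missing", "owner exists but repository is deleted or private"
    return "unknown", f"unexpected HTTP {status}"


def audit(text: str, fetch: Fetcher = http_fetch) -> Dict[str, Tuple[str, str]]:
    """Map each owner/repo reference found in text to its (verdict, detail)."""
    return {f"{o}/{r}": classify(o, r, fetch) for o, r in extract_github_refs(text)}


# Constructed sample manifest fragments (package.json, go.mod, Dockerfile) for an offline run.
SAMPLE_MANIFEST = """
"dependencies": {"widget": "git+https://github.com/acme/widget.git#v1.2.0"}
require github.com/oldorg/tool v1.4.2
RUN git clone https://github.com/gone-org/helper.git /opt/helper
"""

# Constructed responses standing in for github.com; hypothetical owners, not real accounts.
DEMO_RESPONSES = {
    "/acme/widget": (200, None),
    "/oldorg/tool": (301, "https://github.com/neworg/tool"),
    "/oldorg": (404, None),
    "/gone-org/helper": (404, None),
    "/gone-org": (404, None),
}


def demo_fetch(path: str) -> Tuple[int, Optional[str]]:
    return DEMO_RESPONSES.get(path, (404, None))


if __name__ == "__main__":
    for ref, (verdict, detail) in audit(SAMPLE_MANIFEST, demo_fetch).items():
        print(f"{verdict:9s} {ref}: {detail}")
```

A "resolves" verdict is not a clean bill of health: once an attacker has re-registered the old name and recreated the repository, the path serves content directly again, so pin dependencies to commit hashes or signed releases rather than to a branch of a name you do not control.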

Multiple US Government Agencies and Companies Hit in Global Cyberattack Exploiting Software Vulnerability

Several US federal agencies and companies have fallen victim to a global campaign exploiting a vulnerability in MOVEit Transfer, a widely used managed file transfer product. The US Cybersecurity and Infrastructure Security Agency (CISA) is supporting the affected agencies as they investigate and remediate intrusions into their MOVEit applications. The Clop ransomware gang, which is behind the attacks, has so far made no ransom demands to federal agencies. Progress Software, the vendor, has since disclosed a further vulnerability in the product and is working on a fix. The incident adds to a growing victim list that includes major US universities and state governments, underlining how ransomware crews continue to disrupt critical institutions. CISA Director Jen Easterly characterised the activity as largely opportunistic exploitation of the vulnerability rather than a campaign that has so far caused significant impact. Efforts are underway to secure affected environments and to apply the vendor's patches.

Over 100,000 Stolen ChatGPT Credentials Found Being Sold On The Dark Web

Between June 2022 and May 2023, more than 101,100 compromised OpenAI ChatGPT account credentials were found on dark web marketplaces. India accounted for 12,632 of them, with Pakistan, Brazil, Vietnam and the United States also among the most affected countries. The credentials were harvested by information stealers and surfaced in stealer logs sold on the cybercrime underground: Raccoon accounted for 78,348 of the compromised accounts, followed by Vidar (12,984) and RedLine (6,773). Information stealers are popular with cybercriminals because they collect saved passwords, session cookies, credit card details and other sensitive data from an infected machine. Users are advised to use unique passwords and enable two-factor authentication (2FA) to prevent account takeover, bearing in mind that 2FA does not help if a stolen live session cookie is replayed. OpenAI said the findings were the result of commodity malware on users' devices rather than a breach of OpenAI, that it is investigating the exposed accounts, and that it follows industry best practices for user authentication and authorization.

Critical 'nOAuth' Flaw in Microsoft Azure AD Allows Complete Account Takeover

Researchers have identified a flaw in the way Microsoft Azure Active Directory (AD) OAuth applications handle user identity that can enable full account takeover. The flaw, named "nOAuth" by California-based identity and access management provider Descope, affects multi-tenant Azure AD OAuth applications. The root cause is that the email attribute in the "Contact Information" section of an Azure AD user account is an unverified, freely editable field: a tenant administrator can set it to any address, including one they do not own, and Azure AD passes it through in the email claim of the ID token. To carry out the attack, the adversary creates their own Azure AD tenant with an admin account, sets that account's email address to the victim's, and then uses the "Log in with Microsoft" button on a vulnerable app or website. If the app identifies or merges users by the email claim without validating it, the attacker is logged into the victim's account, even when the victim has no Microsoft account at all. Successful exploitation gives the attacker the victim's level of access, enough to set up persistence, exfiltrate data and carry out other post-exploitation activity depending on what the application does. Microsoft has cautioned that using email claims for authorization is an insecure anti-pattern in Azure AD applications; its guidance is to key user identity on the immutable oid and tid claims instead.
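The difference between a vulnerable and a safe "Log in with Microsoft" handler is entirely in which claim the app keys on. The following is an added example (not Descope's proof of concept, not Microsoft's code, and not from the page) that puts the two side by side. The claim sets are constructed and stand in for already-validated Azure AD ID tokens (signature, issuer and audience checked); the identifiers in them are placeholders. It assumes, as Microsoft documents, that tid and oid are immutable and that the email claim is not.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

Key = Tuple[str, str]  # (tid, oid): Azure AD's immutable tenant and object identifiers


@dataclass
class Account:
    account_id: int
    email: str
    idp_key: Optional[Key] = None  # set once the account is linked to an Azure AD identity


# Constructed claim sets standing in for decoded Azure AD ID tokens. Assume the signature,
# issuer and audience were already validated; the question is which claims to trust afterwards.
VICTIM_CLAIMS = {
    "tid": "11111111-1111-1111-1111-111111111111",
    "oid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
    "email": "victim@example.com",
}
# The attacker's own tenant and user. Only the mutable 'email' attribute was edited to the
# victim's address; tid and oid still identify the attacker.
ATTACKER_CLAIMS = {
    "tid": "22222222-2222-2222-2222-222222222222",
    "oid": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
    "email": "victim@example.com",
}

Result = Tuple[str, Optional[int]]  # ("ok", account_id) or ("link_requires_verification", None)


class VulnerableLogin:
    """The nOAuth anti-pattern: the email claim is the identity, and a match is merged silently."""

    def __init__(self, accounts: Iterable[Account]) -> None:
        self.by_email: Dict[str, Account] = {a.email.lower(): a for a in accounts}
        self.next_id = max((a.account_id for a in self.by_email.values()), default=0) + 1

    def login(self, claims: Dict[str, str]) -> Result:
        email = claims["email"].lower()
        account = self.by_email.get(email)
        if account is None:  # first sight of this address: create a local account for it
            account = Account(self.next_id, email)
            self.next_id += 1
            self.by_email[email] = account
        return "ok", account.account_id  # an attacker token carrying the victim's email lands here too


class HardenedLogin:
    """Identity is (tid, oid); an email match with a different identity never auto-links."""

    def __init__(self, accounts: Iterable[Account]) -> None:
        accounts = list(accounts)
        self.by_key: Dict[Key, Account] = {a.idp_key: a for a in accounts if a.idp_key}
        self.by_email: Dict[str, Account] = {a.email.lower(): a for a in accounts}
        self.next_id = max((a.account_id for a in accounts), default=0) + 1

    def login(self, claims: Dict[str, str]) -> Result:
        key: Key = (claims["tid"], claims["oid"])
        account = self.by_key.get(key)
        if account is not None:
            return "ok", account.account_id
        email = claims.get("email", "").lower()
        if email in self.by_email:
            # Same address, different identity. Prove ownership out of band (e.g. a link sent
            # to that mailbox) before linking; never hand over the existing account.
            return "link_requires_verification", None
        account = Account(self.next_id, email, idp_key=key)
        self.next_id += 1
        self.by_key[key] = account
        if email:
            self.by_email[email] = account
        return "ok", account.account_id


if __name__ == "__main__":
    victim = Account(7, "victim@example.com")
    print("vulnerable:", VulnerableLogin([victim]).login(ATTACKER_CLAIMS))  # ('ok', 7): takeover
    linked = Account(7, "victim@example.com", idp_key=(VICTIM_CLAIMS["tid"], VICTIM_CLAIMS["oid"]))
    hardened = HardenedLogin([linked])
    print("hardened, victim: ", hardened.login(VICTIM_CLAIMS))
    print("hardened, attacker:", hardened.login(ATTACKER_CLAIMS))
```

The hardened path still stores the email for display and notification, it just refuses to treat it as proof of who is logging in; an account whose email is already taken by a different identity is parked until the address is verified, which is also the right behaviour for a plain email/password account the victim created before ever using single sign-on.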

New Linux Backdoor Utilizing DNS-over-HTTPS Tunneling for Covert CnC

ChamelGang, a threat actor first documented by Positive Technologies in September 2021, has expanded its toolset with a previously unknown implant for backdooring Linux systems. The malware, dubbed ChamelDoH by Stairwell, talks to its operators over DNS-over-HTTPS (DoH) tunnelling. ChamelGang has historically exploited vulnerabilities in Microsoft Exchange servers and Red Hat JBoss Enterprise Application Platform and deployed a passive backdoor called DoorMe against targets in several countries and industries. ChamelDoH collects system information from the compromised host and supports remote operations such as command execution and file transfer. It carries its traffic in DNS TXT queries for an attacker-controlled domain, sent through public DoH resolvers such as Cloudflare and Google on their way to the actor's rogue nameserver. Because those resolvers also serve large volumes of legitimate traffic, blocking them outright is rarely an option, and because DoH wraps DNS in TLS, conventional DNS monitoring never sees the queries; defenders have to rely on TLS-terminating proxy logs or endpoint visibility instead. Stairwell has identified 10 ChamelDoH samples, pointing to sustained investment by ChamelGang in Linux intrusion tooling.
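Where a TLS-terminating proxy records the full DoH request URL, the tunnelled query is recoverable: an RFC 8484 GET carries the DNS wire-format message base64url-encoded in the dns parameter. The following is an added example (not Stairwell's analysis tooling and not code from the page) that decodes those parameters out of proxy log lines and flags TXT queries, especially ones with long labels that look like encoded data, which is the shape of a TXT-based tunnel. The log lines, resolver hosts and the c2.example.net domain are constructed for the example; the C2 infrastructure in the real report is not reproduced here.

```python
import base64
import struct
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

QTYPE_TXT = 16


def build_doh_get(resolver: str, qname: str, qtype: int) -> str:
    """Encode a one-question DNS query as an RFC 8484 GET URL (the shape a DoH beacon sends)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID 0 and RD set, as RFC 8484 suggests for GET
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.strip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # root label, QTYPE, QCLASS=IN
    payload = base64.urlsafe_b64encode(header + question).rstrip(b"=").decode("ascii")
    return f"https://{resolver}/dns-query?dns={payload}"


def parse_doh_get(url: str) -> Optional[Tuple[str, str, int]]:
    """Recover (resolver host, qname, qtype) from a DoH GET URL; None if it is not one."""
    parsed = urlparse(url)
    if not parsed.path.endswith("/dns-query"):
        return None
    values = parse_qs(parsed.query).get("dns")
    if not values:
        return None
    payload = values[0] + "=" * (-len(values[0]) % 4)  # restore the padding base64url strips
    try:
        msg = base64.urlsafe_b64decode(payload)
    except ValueError:
        return None
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:  # header, QDCOUNT
        return None
    pos, labels = 12, []
    while pos < len(msg):
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(msg):
            return None  # compression pointers are not valid in a question name
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):
        return None
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return parsed.hostname or "", ".".join(labels), qtype


def flag_doh_txt(log_lines: List[str], max_label: int = 24) -> List[Tuple[str, str, List[str]]]:
    """Return (resolver, qname, reasons) for every DoH query in the log worth a second look."""
    findings = []
    for line in log_lines:
        for field in line.split():  # the URL is one whitespace-delimited field in these lines
            decoded = parse_doh_get(field) if "/dns-query?" in field else None
            if decoded is None:
                continue
            host, qname, qtype = decoded
            reasons = []
            if qtype == QTYPE_TXT:
                reasons.append("TXT query over DoH")
            longest = max((len(label) for label in qname.split(".")), default=0)
            if longest > max_label:
                reasons.append(f"label of {longest} chars (encoded data?)")
            if reasons:
                findings.append((host, qname, reasons))
    return findings


# Constructed proxy log lines (timestamp, client, method, URL, status); not from the report.
SAMPLE_LOG = [
    "2023-06-20T10:00:01Z 10.0.0.5 GET " + build_doh_get("cloudflare-dns.com", "www.example.com", 1) + " 200",
    "2023-06-20T10:00:07Z 10.0.0.5 GET "
    + build_doh_get("dns.google", "a3f9c2e1d4b6a8c0e2f4a6b8c0d2e4f6.c2.example.net", QTYPE_TXT) + " 200",
    "2023-06-20T10:00:09Z 10.0.0.9 GET " + build_doh_get("cloudflare-dns.com", "mail.example.org", 28) + " 200",
    "2023-06-20T10:00:12Z 10.0.0.9 GET " + build_doh_get("cloudflare-dns.com", "_dmarc.example.com", QTYPE_TXT) + " 200",
]

if __name__ == "__main__":
    for host, qname, reasons in flag_doh_txt(SAMPLE_LOG):
        print(f"{host}: {qname} -> {', '.join(reasons)}")
```

TXT over DoH on its own is a weak signal, since mail clients and security tools legitimately look up SPF and DMARC records, which is why the fourth sample line is reported with a single reason; the combination of TXT, a long high-entropy label and a client process that is not a browser is what separates a beacon from background noise. POST-form DoH keeps the message in the request body, so the same decoder has to be pointed at the body rather than the URL in that case.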

