Exploiting Trusted Platforms: Banking Malware via GitHub and FileZilla

-

 Source: Hackers Exploited GitHub and FileZilla to Deliver Banking Malware (cybersecuritynews.com)


According to the Inskit Group at Recorded Future, activities by Russian-speaking threat actors originating from the Commonwealth of Independent States (CIS) have been uncovered as the primary source behind the spread of sophisticated banking malware through GitHub and FileZilla. Despite being known as relatively secure collaboration platforms, their exploitation to spread sophisticated malware and malicious payloads throughout the internet poses a significant threat to both personal and business security. 

The methodology used by the attackers revolved around creating fake Github accounts and repositories that mimicked legitimate software offerings such as Bartender 5 and Pixelmator Pro. Subsequently, they opted to instead populate their spoofed repositories with malicious software such as Atomic MacOS Stealer (AMOS) and Vidar, which were designed to steal sensitive information from unsuspecting users who downloaded the software, thinking that it was legitimate. Populating such repositories with malicious software guaranteed the attackers some degree of success, mainly based on users who visited the site intending to access the legitimate software that the attackers falsely advertised there. 

Subsequently, upon user download, the malware could perform several illegitimate actions, including remote access to victim computers, data exfiltration, and establishing connections with command-and-control (C2) servers. Furthermore, the research conducted by the Inskit Group indicated that a degree of collaboration and coordination was uncovered between the malware variants pushed by the Russian-speaking hackers. This was due primarily to them sharing the same C2 infrastructure, which supports the theory of a coordinated and well-funded operation behind the recent attacks, potentially emanating from an organized cybercrime group or even a state-funded APT. 

In addition to GitHub, the attackers also used FileZilla, a popular site commonly used as an FTP file transfer client. Similarly to their use of the former platform, FileZilla was used to distribute their malicious payloads to unsuspecting users across the internet. Consequently, their dual exploitation of distinct trusted services across the internet to target end users underlines the sophistication and modularity of this threat group's attack mechanisms. 

In terms of mitigation and protection strategies against such threats, organizations are encouraged to implement stringent security measures, which include but are not limited to code review and automated scanning processes. The latter option can be conducted via automated scanning tools such as GitGuardian, Checkmarx, or GitHub Advanced Security. Furthermore, collaboration and awareness are crucial in the fight against attacks such as these, as security is greatly enhanced by more alert, aware, and skeptical end users. 


For a broader and more holistic overview on the attack, feel free to check out the original article on Cybersecurity News

Comments

Post a Comment

Popular posts from this blog

Configuring Secure Cloud Networks with VPN and NAT on AWS: A Personal Project

-
Image
As a passionate and driven cybersecurity enthusiast, I embarked on a side project to enhance my knowledge of cloud security and networking using AWS. This project involved setting up a secure network across two AWS regions using custom VPNs and NAT on EC2 instances. The hands-on experience not only deepened my understanding of AWS but also set me on a path towards better understanding the principles of cloud security as a whole. Objectives and Requirements Objective: Demonstrate configuring a secure network across two AWS regions using custom VPNs and NAT on EC2 instances. Requirements: Select two AWS cloud regions. Create a VPC in each region with distinct CIDR blocks. Configure a public and private subnet in each VPC. Deploy a VPN Gateway VM in the public subnet and a Private VM in the private subnet of each region. Establish a secure tunnel using VPN software between the VPN Gateway VMs. Configure the VPN Gateway VM to provide NAT functionality for the Private VM. Update route table...
Read more

How Misconfigurations Outweigh CVEs in Cybersecurity Risks

-
  Source:  New XM Cyber Research: 80% of Exposures from Misconfigurations, Less Than 1% from CVEs (thehackernews.com) Research conducted by XM Cyber has uncovered that a whopping 80% of security exposures are due to misconfigurations, while a comparatively minuscule 1% are from Common Vulnerabilities and Exposures (CVEs). Their research, which has studied over 40 million exposures, underlines that more efforts should  be directed  toward properly configuring systems to reduce cyber risk.  Focusing solely on  CVEs  results is a flawed security posture, as misconfigured systems can pose a more substantial risk to critical assets than previously understood. They can create more challenging vulnerabilities, especially since they do not appear on typical vulnerability scans that target software versions rather than configurations. Furthermore, with traditional security measures typically  being  CVE-focused, the odds of misconfigurations slipping ...
Read more

30+ Tesla Cars Compromised Due to TeslaLogger Vulnerability

-
Source:  30+ Tesla Cars Hacked Globally Using Third-Party Software (cybersecuritynews.com) Following up on our most recent blog post regarding the threat posed by misconfigurations, a recent incident impacting Tesla places those findings under a brighter spotlight. Due to vulnerabilities caused by misconfigurations in TeslaLogger, a third-party software used for data logging, security researcher Harish SG uncovered that  its insecure default settings could be exploited  to gain unauthorized access. After Harish discovered the issue, it  was reported  to the platform's maintainer, who  is expected  to have taken actions to mitigate or resolve that risk.  It is essential to clarify that the vulnerability and potential remote access associated with it did not reside in Tesla's vehicles or in Tesla's infrastructure but rather stemmed from misconfigurations surrounding the use of default credentials and improper storage of API keys by TeslaLogger. Desp...
Read more