AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response
InfoSec News Nuggets 05/23/2022

Researchers Spot Supply Chain Attack Targeting GitLab CI Pipelines

Security researchers at SentinelLabs are calling attention to a software supply chain attack targeting Rust developers with malware aimed directly at infecting GitLab Continuous Integration (CI) pipelines. The campaign, dubbed CrateDepression, combines typosquatting and the impersonation of a known Rust developer to push a malicious ‘crate’ hosted on the Rust dependency community repository. (Editor’s note: A crate is a compilation unit in Rust.) The malicious crate was swiftly flagged and removed, but SentinelLabs researchers found a second-stage payload exclusively built to target GitLab CI pipelines, signaling a risk of further, larger-scale supply-chain attacks. “Given the nature of the victims targeted, this attack would serve as an enabler for subsequent supply-chain attacks at a larger-scale relative to the development pipelines infected,” SentinelLabs said in a technical report documenting its findings.


Fake domains offer Windows 11 installers – but deliver malware instead

Security researchers have found a new collection of phishing domains offering up fake Windows 11 installers that actually deliver information-stealing malware. Cybersecurity firm Zscaler said that the newly registered domains appeared in April 2022 and have been designed to mimic the legitimate Microsoft Windows 11 OS download portal. ‘Warez’ sites containing pirated material, including software and games, are notorious as hotbeds of malware packages, including Trojans, information stealers, adware, and nuisanceware. Cracked versions of software are on offer for free, and users who download them are usually trying to avoid paying for software licenses or gaming content. A brief scan of active warez sites reveals listings for Windows, macOS, and Linux applications, including Adobe Photoshop, various creative applications, enterprise versions of Windows software, and a host of films and games.


Phishing websites now use chatbots to steal your credentials

Phishing attacks are now using automated chatbots to guide visitors through the process of handing over their login credentials to threat actors. This approach automates the process for attackers and gives a sense of legitimacy to visitors of the malicious sites, as chatbots are commonly found on websites for legitimate brands. This new development in phishing attacks was discovered by researchers at Trustwave, who shared the report with Bleeping Computer before publication. The phishing process begins with an email claiming to contain information about the delivery of a parcel, masquerading as the DHL shipping brand.


Russia-linked Sandworm continues to conduct attacks against Ukraine

Sandworm (aka BlackEnergy and TeleBots) has been active since 2000 and operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST). The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017, causing billions worth of damage. In April, Sandworm targeted energy facilities in Ukraine with a new strain of the Industroyer ICS malware (INDUSTROYER2) and a new version of the CaddyWiper wiper. According to CERT-UA, the nation-state actors targeted high-voltage electrical substations with INDUSTROYER2; the variants analyzed by the researchers were customized to target their respective substations. The attackers also employed the CADDYWIPER wiper against Windows-based systems, while server equipment running Linux operating systems was hit with the ORCSHRED, SOLOSHRED, and AWFULSHRED destructive scripts.


How we learned to break down barriers to machine learning

Dr. Sephus came to AWS via a roundabout path, growing up in Mississippi before eventually joining a tech startup called Partpic. Partpic was an artificial intelligence and machine-learning (AI/ML) company with a neat premise: Users could take photographs of tooling and parts, and the Partpic app would algorithmically analyze the pictures, identify the part, and provide information on what the part was and where to buy more of it. Partpic was acquired by Amazon in 2016, and Dr. Sephus took her machine-learning skills to AWS. When asked, she identified access as the biggest barrier to the greater use of AI/ML—in a lot of ways, it’s another wrinkle in the old problem of the digital divide. A core component of being able to utilize most common AI/ML tools is having reliable and fast Internet access, and drawing on experience from her background, Dr. Sephus pointed out that a lack of access to technology in primary schools in poorer areas of the country sets kids on a path away from being able to use the kinds of tools we’re talking about.


Anonymous Declares Cyber-War on Pro-Russian Hacker Gang Killnet

Hacktivist group Anonymous has announced on social media that it’s launching a cyber-war against the pro-Russian group Killnet, which recently attacked European institutions. The news comes after anonymous hackers recently declared “cyber war” against Vladimir Putin’s government following the Russian invasion of Ukraine, including leaking over 360,000 Russian federal agency files in the process. On Twitter, the @YourAnonOne account announced that: “The #Anonymous collective is officially in cyber war against the pro-Russian hacker group #Killnet.” Last week, Killnet attacked the websites of various Italian institutions and government ministries, including the superior council of the judiciary, its customs agency and its foreign affairs, education and cultural heritage ministries.