GitHub Accounts Compromised in Deceptive Campaign; Malicious Code Disguised as Dependabot Contributions
Plus, Lazarus Group's Espionage Campaign Targets Spanish Aerospace Firm in Elaborate LinkedIn Scam
Developers Targeted in Elaborate Scheme to Steal Passwords and GitHub Secrets
A deceptive campaign has emerged in which GitHub accounts are compromised and malicious code is committed under the guise of Dependabot contributions. The objective is twofold: to steal the GitHub secrets defined on the compromised projects, and to plant password-stealing code that captures the credentials of end users who submit web forms served by those projects.
In a technical report, Checkmarx provides insight into the workings of this campaign, revealing that "the malicious code exfiltrates the GitHub project's defined secrets to a malicious C2 server and modifies any existing JavaScript files in the attacked project with web-form password-stealer malware code, affecting any end-user who submits their password in a web form."
Notably, the malware captures GitHub secrets and variables and transmits them to a remote server by means of a GitHub Actions workflow, so the exfiltration runs on GitHub's own CI infrastructure with whatever secrets the repository exposes to it.
Checkmarx observed unusual commits to numerous public and private GitHub repositories occurring between July 8 and 11, 2023. These deceptive commits were the result of malicious actors utilizing stolen GitHub personal access tokens (PATs) to make fraudulent code contributions to users' repositories while posing as Dependabot.
Dependabot, a legitimate service, is designed to notify users of security vulnerabilities in a project's dependencies by autonomously generating pull requests to keep them updated.
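Because the forged commits only borrow Dependabot's author name, they lack the properties genuine Dependabot commits have. The following is an added example (not code from Checkmarx or the page) of an audit over commit records shaped like the GitHub REST API's commit object. The commit data is constructed, the numeric id in the sample noreply address is made up, and the heuristics about which files Dependabot does and does not touch are assumptions stated in the comments:

```python
import re

# Genuine Dependabot commits are authored by the dependabot[bot] app account,
# whose noreply address has the form "<numeric id>+dependabot[bot]@users.noreply.github.com".
# The numeric id is deliberately left as a wildcard; confirm it against a
# genuine Dependabot commit in your own organisation before relying on it.
DEPENDABOT_NAME = "dependabot[bot]"
DEPENDABOT_EMAIL_RE = re.compile(r"^\d+\+dependabot\[bot\]@users\.noreply\.github\.com$")
WORKFLOW_DIR = ".github/workflows/"


def audit_commit(commit: dict) -> list[str]:
    """Return the reasons a commit looks like a forged Dependabot contribution.

    `commit` follows the shape of a GitHub REST API commit object
    (GET /repos/{owner}/{repo}/commits/{sha}); only the fields read here are
    required.  An empty list means nothing suspicious was found.
    """
    author = commit["commit"]["author"]
    if author["name"] != DEPENDABOT_NAME:
        return []  # not posing as Dependabot; out of scope for this check

    reasons = []
    # Commits Dependabot creates are signed by GitHub, so the API reports
    # verification.verified == true.  A commit pushed with a stolen PAT and a
    # forged author name carries no such signature.
    verification = commit["commit"].get("verification", {})
    if not verification.get("verified", False):
        reasons.append("commit attributed to dependabot[bot] is not signature-verified")
    if not DEPENDABOT_EMAIL_RE.match(author["email"]):
        reasons.append(f"author email {author['email']!r} is not the bot's noreply address")

    # Assumption: Dependabot only edits manifests, lockfiles and existing
    # workflow pins.  It never adds a workflow file and never touches
    # application source, so either is a strong sign of tampering.
    for f in commit.get("files", []):
        name, status = f["filename"], f["status"]
        if name.startswith(WORKFLOW_DIR) and status == "added":
            reasons.append(f"new workflow file added: {name}")
        elif name.endswith(".js"):
            reasons.append(f"application source modified: {name}")
    return reasons


def audit_commits(commits: list[dict]) -> dict[str, list[str]]:
    """Map each suspicious commit's SHA to its list of reasons."""
    findings = {}
    for c in commits:
        reasons = audit_commit(c)
        if reasons:
            findings[c["sha"]] = reasons
    return findings


def _commit(sha, name, email, verified, files):
    """Build a minimal API-shaped commit record (constructed test data)."""
    return {
        "sha": sha,
        "commit": {
            "author": {"name": name, "email": email},
            "verification": {"verified": verified},
        },
        "files": [{"filename": fn, "status": st} for fn, st in files],
    }


# Constructed sample: one genuine-looking Dependabot commit, two forgeries and
# one ordinary human commit.  The numeric id in the emails is invented.
SAMPLE_COMMITS = [
    _commit("a1a1a1", DEPENDABOT_NAME, "12345678+dependabot[bot]@users.noreply.github.com",
            True, [("package.json", "modified"), ("package-lock.json", "modified")]),
    _commit("b2b2b2", DEPENDABOT_NAME, "dependabot[bot]@users.noreply.github.com",
            False, [(".github/workflows/ci-helper.yml", "added"), ("src/login.js", "modified")]),
    _commit("c3c3c3", DEPENDABOT_NAME, "12345678+dependabot[bot]@users.noreply.github.com",
            False, [("package.json", "modified")]),
    _commit("d4d4d4", "alice", "alice@example.com",
            False, [("src/login.js", "modified")]),
]

if __name__ == "__main__":
    for sha, reasons in audit_commits(SAMPLE_COMMITS).items():
        print(sha)
        for r in reasons:
            print("  -", r)
```

The signature check is the decisive one: an attacker pushing over git with a stolen PAT can set any author name and email, but cannot produce GitHub's own signature on the commit. The file heuristics are secondary and should be tuned to the ecosystems Dependabot manages in your repositories.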
The attackers gained unauthorized access to these accounts by compromising PATs, which were likely silently exfiltrated from the victims' development environments. A significant portion of the compromised users appears to be located in Indonesia.
The exact method by which this theft occurred remains unclear, though suspicions point toward a potential rogue package inadvertently installed by the developers.
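Whatever the delivery mechanism, a rogue package's install script runs with the developer's privileges and can read any file the developer can. The check that follows is an added example (not from the page or Checkmarx) of finding GitHub tokens left in plaintext in the usual developer configuration files, plus a check for git's `credential.helper = store`, which writes the PAT to `~/.git-credentials`. The sample files and tokens are constructed; the token lengths reflect GitHub's documented formats at the time of writing and should be adjusted if they change:

```python
import re
from pathlib import Path

# GitHub token prefixes and documented lengths: classic PATs are "ghp_" plus
# 36 characters; fine-grained PATs are "github_pat_" plus 82 characters.  The
# other gh?_ families vary in length, so only a minimum is enforced.
TOKEN_PATTERNS = {
    "classic PAT": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "fine-grained PAT": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b"),
    "other GitHub token (gho_/ghu_/ghs_/ghr_)": re.compile(r"\bgh[osur]_[A-Za-z0-9]{36,}\b"),
}

# Files developers commonly leave tokens in; all are readable by anything that
# runs as the developer, including a package's postinstall hook.
DEFAULT_TARGETS = [".git-credentials", ".npmrc", ".bashrc", ".zshrc", ".netrc", ".gitconfig"]


def mask(token: str) -> str:
    """Never echo a live secret in full; keep enough to identify it."""
    return token[:8] + "..." + token[-4:]


def scan_text(source: str, text: str) -> list[dict]:
    """Find GitHub tokens in one file's text, one finding per hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"source": source, "line": lineno,
                                 "kind": kind, "token": mask(m.group(0))})
    return findings


def credential_helper_is_plaintext(gitconfig_text: str) -> bool:
    """True if git is configured to store HTTPS credentials in plaintext.

    `helper = store` writes the PAT to ~/.git-credentials; OS keychain
    helpers (osxkeychain, manager, libsecret) keep it out of plain files.
    """
    in_credential = False
    for raw in gitconfig_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_credential = line.lower().startswith("[credential")
        elif in_credential and line.lower().startswith("helper"):
            value = line.split("=", 1)[1].strip().lower()
            if value.startswith("store"):
                return True
    return False


def scan_home(home: Path = None, names=DEFAULT_TARGETS) -> list[dict]:
    """Scan the usual suspects in a real home directory (read-only)."""
    home = home or Path.home()
    results = []
    for name in names:
        p = home / name
        if p.is_file():
            results.extend(scan_text(str(p), p.read_text(errors="replace")))
    return results


# Constructed sample files with made-up tokens of the documented shape.
FAKE_CLASSIC = "ghp_" + "0123456789abcdefghijABCDEFGHIJklmnop"                      # 4 + 36 chars
FAKE_FINE = "github_pat_" + "ABCDEFGHIJKLMNOPQRSTUV" + "_" + "0123456789" * 5 + "abcdefghi"  # 11 + 82 chars
SAMPLE_FILES = {
    "~/.git-credentials": f"https://alice:{FAKE_CLASSIC}@github.com\n",
    "~/.npmrc": f"registry=https://registry.npmjs.org/\n//npm.pkg.github.com/:_authToken={FAKE_CLASSIC}\n",
    "~/.bashrc": f"export EDITOR=vim\nexport GITHUB_TOKEN={FAKE_FINE}\n",
    "~/.zshrc": "export PATH=$HOME/bin:$PATH\n",
}
SAMPLE_GITCONFIG = "[user]\n\tname = alice\n[credential]\n\thelper = store\n"


def scan_samples() -> list[dict]:
    """Run the scanner over the constructed sample files."""
    out = []
    for name, text in SAMPLE_FILES.items():
        out.extend(scan_text(name, text))
    return out


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f['source']}:{f['line']}: {f['kind']} {f['token']}")
    print("credential.helper=store:", credential_helper_is_plaintext(SAMPLE_GITCONFIG))
```

Run `scan_home()` against a real workstation to see what a malicious postinstall script would have found; every hit is a token that should be moved into a keychain-backed helper or an environment injected only for the command that needs it, and, if it is a classic PAT with broad scopes, replaced with a fine-grained token limited to the repositories it actually needs.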
This incident underscores the ongoing efforts of threat actors to taint open-source ecosystems and facilitate supply chain compromises. It is indicative of a larger trend, as evidenced by a recent data exfiltration campaign targeting npm and PyPI. This campaign employed 39 counterfeit packages to collect sensitive machine information and transmit it to a remote server.
These modules were published over a span of several days in September 2023 and demonstrated a progressive increase in complexity, scope, and obfuscation techniques, according to Phylum, a software supply chain security company.
Phylum is also tracking what it categorizes as a substantial typosquat campaign targeting npm. In this campaign, 125 packages masquerading as "angular" and "react" are being used to send machine information to a remote Discord channel. The author claims this is part of a "research project" to identify potential vulnerabilities in bug bounty programs, a violation of npm's Acceptable Use Policy that places strain on those tasked with maintaining clean ecosystems.
As the threat landscape continues to evolve, such incidents emphasize the importance of vigilance and security measures in the realm of software development and open-source contributions.
North Korea-Linked Threat Actors Employ Crafty Social Engineering Tactics to Infiltrate Strategic Targets
In a concerning revelation, the Lazarus Group, a notorious North Korea-linked cyber-espionage outfit, has been tied to a sophisticated cyber-espionage attack directed at an undisclosed aerospace company in Spain. The attack involved a clever ruse in which employees of the targeted firm were approached by threat actors impersonating recruiters from Meta Platforms.
ESET security researcher Peter Kálnai, who shared the technical details of the attack, explained, "Employees of the targeted company were contacted by a fake recruiter via LinkedIn and tricked into opening a malicious executable file presenting itself as a coding challenge or quiz."
This cyber offensive is part of a broader spear-phishing campaign referred to as "Operation Dream Job." The campaign's primary aim is to lure employees working for potential strategic targets, enticing them with fictitious job opportunities as bait to initiate the infection chain.
Earlier in the year, the same hacking group was linked to an attack wave targeting Linux users. In this previous campaign, threat actors utilized counterfeit HSBC job offers as a guise to deploy a backdoor named SimplexTea.
The most recent attack, built for Windows systems, culminates in the deployment of an implant dubbed "LightlessCan," a significant leap in sophistication over its predecessor, "BLINDINGCAN." BLINDINGCAN, also tracked as AIRDRY and ZetaNile, is malware known for harvesting sensitive information from compromised hosts.
The attack was initiated when the target received a message on LinkedIn from a bogus recruiter claiming to work for Meta Platforms. The impersonator sent two coding challenges, supposedly part of the recruitment process, and persuaded the victim to execute test files (named Quiz1.iso and Quiz2.iso) hosted on a third-party cloud storage platform.
These ISO files contained malicious binaries (Quiz1.exe and Quiz2.exe) and, when downloaded and executed on a company-provided device, led to the compromise of the system and the breach of the corporate network.
Subsequently, the attackers used an HTTP(S) downloader known as NickelLoader to load additional programs directly into memory on the victim's machine, among them the LightlessCan remote access trojan and a BLINDINGCAN variant referred to as "miniBlindingCan" (also known as AIRDRY.V2).
LightlessCan supports up to 68 distinct commands, 43 of which are currently implemented. miniBlindingCan, by contrast, primarily transmits system information and retrieves files from a remote server, among other tasks.
A notable feature of this campaign is the use of execution guardrails to ensure that payloads are decrypted and executed only on the intended victim's machine. This strategic shift enhances stealthiness and complicates the detection and analysis of the attackers' activities.
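The technique is usually called environmental keying: the decryption key for the next stage is derived from attributes of the intended victim's machine, so the same sample detonated in a sandbox or on an analyst's VM produces nothing but an opaque blob. The following is an added illustration of the idea in Python, written for this page; it is not LightlessCan's scheme and makes no claim about which attributes the real implant keys on. The hostname, username and payload are invented, and HMAC-SHA256 in counter mode stands in for a real cipher so the example runs with the standard library alone:

```python
import getpass
import hashlib
import hmac
import socket
from typing import Iterable, Optional, Tuple

TAG_LEN = 32  # HMAC-SHA256 tag prepended to the ciphertext


def environment_key(hostname: str, username: str) -> bytes:
    """Derive the payload key from attributes of the intended host.

    A machine with different values derives a different key, so the stage
    can only be decrypted where the attacker meant it to run.  Case is
    normalised because hostname reporting varies between tools.
    """
    material = f"{hostname.lower()}\x00{username.lower()}".encode()
    return hashlib.sha256(material).digest()


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in for a real stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def seal(payload: bytes, key: bytes) -> bytes:
    """Encrypt and authenticate the payload: returns tag || ciphertext."""
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(key, len(payload))))
    tag = hmac.new(key, ct, "sha256").digest()
    return tag + ct


def unseal(blob: bytes, key: bytes) -> Optional[bytes]:
    """Return the payload only if `key` authenticates the blob, else None.

    This is the guardrail: with the wrong key the tag check fails and the
    loader never obtains the plaintext, so nothing is dropped or executed.
    """
    tag, ct = blob[:TAG_LEN], blob[TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, len(ct))))


def local_key() -> bytes:
    """Key for the machine this script runs on (what a loader would use)."""
    return environment_key(socket.gethostname(), getpass.getuser())


def recover_with_candidates(blob: bytes,
                            candidates: Iterable[Tuple[str, str]]
                            ) -> Optional[Tuple[Tuple[str, str], bytes]]:
    """Analyst side: try (hostname, username) pairs gathered during the
    incident (asset inventory, phishing target list) until one unseals it."""
    for host, user in candidates:
        payload = unseal(blob, environment_key(host, user))
        if payload is not None:
            return (host, user), payload
    return None


# Constructed demo: a stand-in "next stage" keyed to one invented workstation.
DEMO_PAYLOAD = b"next-stage: connect to C2 and load RAT module"
DEMO_TARGET = ("ACME-ENG-042", "jdoe")
DEMO_BLOB = seal(DEMO_PAYLOAD, environment_key(*DEMO_TARGET))

if __name__ == "__main__":
    print("on this machine:", unseal(DEMO_BLOB, local_key()))
    print("sandbox guess:  ", unseal(DEMO_BLOB, environment_key("SANDBOX-01", "analyst")))
    inventory = [("ws-001", "alice"), DEMO_TARGET]
    print("with inventory: ", recover_with_candidates(DEMO_BLOB, inventory))
```

The practical consequence for responders is that automated detonation yields nothing, and static analysis sees only an encrypted blob and the key-derivation routine. Recovering the stage requires identifying what the derivation reads (here hostname and username) and supplying the victim's actual values, which is why the targeted workstation, or a faithful record of its identifiers, matters more than the sample itself.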
The Lazarus Group, along with other threat clusters from North Korea, has been increasingly active in recent months, targeting a range of industries and sectors across various countries. Their operations span manufacturing and real estate in India, telecom companies in Pakistan and Bulgaria, and government, research, and defense contractors in Europe, Japan, and the United States, as reported by Kaspersky.
Jobs/Internships:
Attentive - Senior Software Engineer, Fullstack - New York, NY · Hybrid
Mews - Full-Stack Engineer - Barcelona, Barcelona, Spain · Hybrid
Coinbase - Product Manager II - Fully Remote
Improbable - Lead Software Engineer - Gameplay, Metaverse - Fully Remote
Zoox - Robot Software Infrastructure, Software Engineering Intern - Foster City, CA
Northrop Grumman - 2024 Software Engineering Intern - Warner Robins, GA
Temasek - Project Intern, Cybersecurity (Data Science & Analytics) - Singapore, Singapore
IBM - Front End Developer Intern (May 2024 - 16 months) - Markham, Ontario, Canada · Hybrid