Press Release
A well-known npm package deleted files to oppose the situation in Ukraine.
In opposition to the continuing Russo-Ukrainian War, the creator of the well-known npm package “node-ipc” released corrupted versions of the library this month.
On developers’ computers, newer versions of the “node-ipc” programme started overwriting all files, erasing all data, and creating new text files containing “peace” messages.
Node-ipc is a well-known package used by important libraries like Vue.js CLI, with over a million downloads each week.
Protestware: Open source is affected by the continuing conflict in Ukraine
For users based in Russia and Belarus, specific versions (10.1.1 and 10.1.2) of the enormously popular “node-ipc” package were discovered to include malicious code that would overwrite or destroy arbitrary files on a system. These variations are monitored by CVE-2022-23812.
On March 8th, software engineer Brandon Nozaki Miller, alias RIAEvangelist, published two open source software packages on npm and GitHub called peacenotwar and oneday-test.
The fact that the packages primarily send a “message of peace” on the Desktop of any user who instals them suggests that the creator originally developed them as a way of peaceful protest.
According to RIAEvangelist, “This code serves as a non-destructive illustration of why controlling your node modules is vital.”
It also acts as a peaceful protest against Russia’s aggression, which currently threatens the entire world.
Although also maintained by RIAEvangelist, some npm versions of the well-known “node-ipc” library were seen unleashing a harmful payload to erase all data by overwriting files of users installing the package. This caused havoc.
It’s interesting to note that the malicious code, which was launched by the developer as early as March 7th, would read the system’s external IP address and would only overwrite files to remove data for users residing in Russia and Belarus.
To hide its true intent, the code in “node-ipc,” more notably in file “ssl-geospec.js,” uses base64-encoded strings and obfuscation techniques:
According to a condensed version of the code released by the researchers, the code will effectively delete all data on a machine for users located in Russia or Belarus by replacing all file contents with a heart emoji.
Additionally, because the peacenotwar module is included in “node-ipc” versions 9.2.2, 11.0.0, and those higher than 11.0.0, impacted users noticed “WITH-LOVE-FROM-AMERICA.txt” files appearing on their Desktop with “peace” messages:
Snyk, an open source security company, researchers also observed and investigated the malicious activity:
According to Liran Tal, Director of Developer Advocacy at Snyk, “at this point, a very clear abuse and a catastrophic supply chain security incident will occur for any system on which this npm package will be run, if that matches a geo-location of either Russia or Belarus.”
Users of Vue.js are alarmed by a supply chain attack.
The well-known JavaScript front-end framework “Vue.js” also depends on “node-ipc.” However, prior to this incident, “Vue.js” was configured to collect the most recent minor and patch versions rather than pinning the versions of “node-ipc” dependent to a safe version, as is clear from the caret () symbol: As a result, when several users were surprised, they urgently pleaded with the project’s maintainers to pin the “node-ipc” dependent to a safe version.
In addition, not only Vue.js but other open source projects have been harmed by this sabotage, as noted by BleepingComputer.
Other project maintainers are being cautioned by developers Lukas Mertens and Fedor to make sure they are not using a malicious version of “node-ipc”:
Researchers at Snyk believe that ‘node-ipc’ versions 10.1.1 and 10.1.2, which blatantly harm the system, were removed by npm within 24 hours of being published.
But take note that “node-ipc” versions 11.0.0 and higher are still accessible on npm. Additionally, the peacenotwar module that generates the aforementioned “WITH-LOVE-FROM-AMERICA.txt” files on the desktop is still present in these versions.
As a result, if you used the “node-ipc” library to build your application, be sure to pin the dependency to a secure version, like 9.2.1 (it turns out that 9.2.2 isn’t completely safe either).
Community outraged by incident in open source
This is the second significant act of self-sabotage by an open source developer this year, following the BleepingComputer-first reported “colours” and “fakers” episode from January.
The creator of “colours,” Marak Squires, received conflicting responses from the open source community because of his method of protest, which involved damaging countless apps by inserting infinite loops inside of them.
But the action of RIAEvangelist, who manages over 40 packages on npm, has come under fire for going beyond “peaceful protest” and aggressively placing damaging payloads in a well-known library without informing honest users.
A GitHub user described it as “a massive blow” to the open source community’s collective confidence.
“This behaviour is just unacceptable. War is undoubtedly a dreadful thing, but that doesn’t justify certain actions, such as placing weird files in desktop folders and erasing all files for Russia/Belarus users. You’re a f***, go to hell. You just managed to destroy the open-source community. You feeling better, @RIAEvangelist?” another enquired.
Some criticised the “node-ipc” developer for repeatedly altering and removing earlier comments on the forum in an effort to “clean up” his tracks [1, 2, 3].
“Even while some people may view maintainer RIAEvangelist’s purposeful and risky action as a justified form of protest. How does that affect the maintainer’s standing and involvement in the developer community in the future? “Snyk’s Tal queries.
Before including “node-ipc” in their applications, developers should use caution because there is no guarantee that future versions of this library or any other library made available by RIAEvangelist will be secure.
One method of defending your applications against such supply chain attacks is to pin your dependencies to a trustworthy version.
Press Release
After discontinuing support for ransom payments, insurer AXA was attacked by ransomware.
A ransomware cyber assault has targeted the Thai, Malaysian, Hong Kong, and Philippine branches of the world’s largest insurance company, AXA.
The Avaddon ransomware organisation claimed yesterday, as reported by BleepingComputer, that it had stolen 3 TB of private data from AXA’s Asian operations.
Additionally, AXA’s international websites were down yesterday for a while due to a Distributed Denial of Service (DDoS) attack, according to BleepingComputer.
The group claims that the compromised data collected by Avaddon includes copies of ID cards, bank account statements, claim forms, payment records, contracts, claim forms for customers that reveal their sexual health diagnosis, and more.
The group’s statement follows AXA’s revelation that it would no longer cover ransomware extortion payments when underwriting cyber-insurance plans in France.
Asian AXA offices are targeted by a ransomware organisation.
The ransomware organisation Avaddon took responsibility for the attack on AXA’s offices in Asia yesterday.
The group also asserted that there was a DDoS attack ongoing against AXA’s websites hosted in Thailand, Malaysia, Hong Kong, and the Philippines:
The Avaddon ransomware gang initially made the threat to launch DDoS assaults to take down victims’ websites or networks until they get in touch and start negotiating to pay the ransom in February 2021.
When ransomware gangs started deploying DDoS assaults against their victims as an extra point of leverage in October 2020, BleepingComputer became the first publication to report on this new development.
About a week after AXA announced that payment for ransomware extortion settlements would no longer be included in their cyber-insurance policies sold in France, Avaddon announced the attack on AXA’s infrastructure.
Avaddon started dumping part of the stolen data on their leak site yesterday, as seen by BleepingComputer, even if the exact date of the incident remains unknown.
Avaddon also threatened to expose AXA’s priceless records if the insurance firm didn’t get in touch with them and work with them within 10 days.
The gang asserts to have obtained 3 TB of AXA data, which includes:
client medical records (including those containing sexual health diagnosis)
customer claims payments to consumers’ bank accounts scanned records content only available to hospitals and physicians (private fraud investigations, agreements, denied reimbursements, contracts)
Identity cards, passports, and other forms of identification
AXA: Access to data by a Thai partner only, “No Evidence”
AXA responded when approached by BleepingComputer as follows:
A recent targeted ransomware assault on Asia Assistance affected its IT operations in Thailand, Malaysia, Hong Kong, and the Philippines.
As a result, someone was able to access some data handled by Inter Partners Assistance (IPA) in Thailand.
“At this time, there is no proof that any additional data was accessed in Thailand beyond IPA.”
“The incident is being investigated by a dedicated taskforce that includes outside forensic experts. Partners in business and regulators have been informed.”
According to an AXA spokesman, “AXA takes data privacy very seriously and will take the appropriate procedures to notify and help all corporate clients and people impacted” if IPA’s investigations reveal that sensitive data of any persons have been affected.
The incident’s timing is interesting in light of this week’s FBI and Australian Cyber Security Centre (ACSC) alerts on ongoing Avaddon ransomware assaults aimed at enterprises from a wide range of industries in the US and around the world.
Attackers who use ransomware on enterprises continue to expand and interrupt many operations while demanding extortionate ransom payments.
The DarkSide cyberterrorist organisation recently requested $5 million to reactivate the Colonial Pipeline infrastructure.
Additionally, just this week, BleepingComputer reported that a $20 million ransomware demand was made on Ireland’s Health Services.
Press Release
After taking data, the Android spyware BRATA wipes your smartphone.
The most recent version of the Android malware known as BRATA now includes several new and dangerous features, such as GPS tracking, the ability to use numerous communication channels, and a tool that wipes all evidence of malicious activity from the device by performing a factory reset.
Kaspersky originally identified BRATA as an Android RAT (remote access tool) in 2019 that mostly targeted Brazilian users.
A Cleafy report from December 2021 highlighted the malware’s appearance in Europe, where it was observed to target customers of online banking services and steal their credentials with the help of con artists posing as bank customer support representatives.
Cleafy analysts kept an eye out for new features in BRATA, and in a new research released today, they show how the malware is still evolving.
versions with modifications for various audiences
The most recent iterations of the BRATA malware currently target e-banking users in China, Latin America, the UK, Poland, Italy, and Spain.
With various overlay sets, languages, and even different apps to target particular populations, each version focuses on a different bank.
In all versions, the developers employ comparable obfuscation strategies, such as enclosing the APK file in an encrypted JAR or DEX package.
The VirusTotal scan below shows how effectively this obfuscation avoids antivirus detections.
On that front, before moving on to the data exfiltration process, BRATA now actively looks for indicators of AV presence on the device and tries to erase the discovered security tools.
New capabilities
The keylogging functionality, which is a new feature in the most recent BRATA versions, was discovered by Cleafy researchers and adds to the existing screen capturing capabilities.
All new variations also include GPS monitoring, however analysts are unsure of its precise function.
The performing of factory resets, which the actors do in the following circumstances, is the scariest of the new malevolent features.
The fraudulent transaction has been successfully finished after the compromise (i.e. credentials have been exfiltrated).
It has been discovered by the programme that it operates in a virtual environment, perhaps for analysis.
The kill switch used by BRATA is a factory reset, which wipes the device and increases the risk of a victim experiencing an unexpected and permanent loss of data.
Finally, BRATA now supports HTTP and WebSockets and has provided new channels for data exchange with the C2 server.
A direct, low-latency route that is perfect for in-the-moment communication and live manual exploitation is provided by the choice of WebSockets for the actors.
Additionally, because WebSockets don’t need to send headers with each connection, less suspicious network traffic is generated, which reduces the likelihood of being discovered.
Basic safety precautions
BRATA is only one of several sneaky RATs and Android banking trojans that target users’ banking credentials that are out there.
Installing apps from the Google Play Store, avoiding APKs from dubious websites, and always scanning them with an AV programme before opening them are the best strategies to prevent being infected by Android malware.
Pay close attention to the permissions that are requested during installation and don’t allow those that don’t seem necessary for the app’s primary functions.
Finally, keep an eye on your battery life and network traffic levels to spot any sudden spikes that can be caused by malicious processes that are running in the background.
Press Release
After discovering a credit card skimmer, Costco admits a data breach.
Customers who recently made purchases at one of Costco Wholesale Corporation’s stores have received notification letters informing them that their credit card information may have been stolen.
According to Fortune 500 rankings, the retail giant—also known as Costco Wholesale and Costco—is an American multinational that runs a sizable chain of membership-only retail locations. It is the fifth-largest retailer in the world and the tenth-largest firm in the US by total revenue.
It runs e-commerce websites with 737 warehouses across the world that cater to the Americas, Europe, and Asia, among other global regions.
planted skimmer in the Costco warehouse
During a regular check by Costco staff, a credit card skimming device was found in one of the company’s warehouses, leading to the discovery of the breach.
The business got rid of the gadget, let the authorities know, and is now assisting the police in their investigation.
In breach notification letters, Costco informed possibly impacted customers that they had recently visited a Costco facility where a payment card skimming device had been found.
“Our member records show that throughout the possible operational period of the device, you swiped your payment card to make a purchase at the impacted terminal.”
probable theft of customer financial information
Costco said that if those who placed the card theft device had been successful in accessing the data prior to the skimmer being discovered and taken out, then consumers affected by the incident may have had their payment information stolen.
The magnetic stripe of your credit card, which contains your name, card number, card expiration date, and CVV, may have been obtained by unauthorised individuals if they were able to remove information from the device before it was identified, according to Costco.
Customers were given advice by the retailer to check their bank and credit card statements for fraudulent payments and alert the appropriate financial institutions to any suspect activities.
The total number of customers who were impacted or the warehouse where the skimmer device was discovered were not disclosed in the data breach notification letters sent to affected consumers.
Although the business withheld details on the incident’s exact timing, Costco customers have been complaining about fraudulent charges on their credit cards at least since February.
-
Apps1 year ago
Why is Everyone Talking About Hindi Keyboards?
-
Social Media1 year ago
Who is Rouba Saadeh?
-
Apps1 year ago
Things you need to know about Marathi keyboard today
-
Apps1 year ago
Stuck with Your default Bangla keyboard? Isn’t it time for a change?
-
Games1 year ago
Top 7 Popular Puzzle and Card Games for Relaxing Your Brain on Mobile, Featuring Solitaire
-
Social Media1 year ago
Mati Marroni Instagram Wiki (Model’s Age, Net Worth, Body Measurements, Marriage)
-
Entertainment1 year ago
12 Online Streaming Sites that Serve as Best Alternatives to CouchTuner
-
Entertainment1 year ago
Movierulz Website: Movierulzz 2021 Latest Movies on Movierulz.com