Mar 23 2023
Welcome to Gone Phishing, your daily newsletter that cuts to the chase like Partygate (hang in there Bojo!)
Today’s hottest cyber security stories:
.NET developers utilising packages from the trusted NuGet repository were given something to chew on yesterday when they became the target of a “sophisticated and highly-malicious attack” aiming to infect their systems with cryptocurrency stealer malware.
Explain to me like I’m five:
The NuGet repository is sort of like a free supermarket for developers to visit and help themselves to ‘packages’ and other bits of code and processes to assist them in whatever their building or maintaining.
That was more like ‘explain to me like I’m ten’, wasn’t it? Well, we wouldn’t want to patronise our loyal subscribers now, would we?
These crypto-jack heists are becoming more common but what sets this one apart is that it’s the very first instance of nasty malware hiding in a NuGet package. It sets a depressing precedent for developers who are used to trusting these things every day.
To be clear, packages have been found to contain vulnerabilities which have subsequently been found to propagate phishing links but for packages to be straight .exe scams is a first.
“The packages contained a PowerShell script that would execute upon installation and trigger a download of a ‘second stage’ payload, which could be remotely executed,” JFrog researchers Natan Nehorai and Brian Moussalli said.
Three of the most downloaded packages were:
These three alone accounted for 166,000 downloads, although it’s also possible that the threat actors artificially inflated the download counts using bots to make them appear more legitimate. Sneaky bastards, as they are…
The malware, written in a low-level language, delivers several capabilities that include a crypto stealer and an auto-updater module that pings the C2 server for an updated version of the malware.
Shachar Menashe, senior director at JFrog Security Research, said: “This proves that no open source repository is safe from malicious actors.
“.NET developers using NuGet are still at high risk of malicious code infecting their environments and should take caution when curating open-source components for use in their builds – and at every step of the software development lifecycle – to ensure the software supply chain remains secure.”
Be careful out there, folks! Even you, developers. It’s so easy to become careless when using certain resources every day… But that’s when they get you!
So, the government has a fantastic new ‘plan to promote cyber resilience across the health and care sectors… By 2030!?
God knows what state the cybersecurity is in now but judging by other government agencies and the effectiveness of the NHS itself (not our lovely doctors and nurses – the management and infrastructure), our guess would be not great!
So here’s what they’ve laid out in their official press conference
Sounds vague, as usual with the government.. “Build a stronger, more sustainable NHS for the future” means absolutely nothing and is just words.
Hopefully they’ll succeed in some of their goals because we’d imagine there’s rather a lot of sensitive information on the NHS’ computer systems. Just a guess, mind!
Got a Netgear Orbi router? Well you might be at risk of being hacked and it serves you right for getting a router nobody ever heard of. Try choosing a reliable brand, next time. Just kidding, sort of.
So, what’s the story? Well scammers have their sights on your precious home network. Is nothing sacred?
Well, Cisco (okay, we’ve heard of that brand) Talos recently discovered four vulnerabilities in the Netgear Orbi mesh wireless system, including the main hub router and satellite routers that extend the network’s range.
A mesh system allows users to set up multiple access points to the Wi-Fi in their homes using various access points.
Netgear’s Orbi system connects to the user’s modem or gateway and uses “satellites” to extend the Wi-Fi signal to different places throughout the home.
Now, this is scary! Via the vulnerabilities, hackers could potentially overwrite existing executable files with trojanized versions, potentially leading to remote code execution.
Remote code execution basically means controlling devices (including cameras and microphones!!) from hacker headquarters, wherever that may be. Probably Russia. Or China. Sorry we shouldn’t prejudge…
So yeah, if you have one of these routers you may want to turn your webcam off… And your microphone. And buy a new router.
Lol kidding, apparently the issue is getting resolved. Still, not nice!
So long and thanks for reading all the phish!