Npm timing attack, legitimate software spreads malware, Mango Markets hacked

Npm timing attack can affect supply chain

Security researchers at Aqua Security found a way to learn which private packages an organization has published to npm, GitHub's package registry. The technique relies on a small difference in how long npm's API takes to return a 404 error: the response is slower when a package exists but is private than when it does not exist at all. Aqua attributes the gap, which can amount to a few hundred milliseconds, to the caching behaviour of npm's API. Knowing the names of private packages lets an attacker publish public packages with the same or deliberately misspelled names, and those clones can make their way into production software and from there to consumers. Aqua reported the issue to GitHub on March 8th; GitHub said it could not fix the problem, citing architectural limitations.

(Bleeping Computer)
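The side channel above is a classic timing oracle: one request tells you little, but the median of many requests against a baseline of names that certainly do not exist separates "private" from "absent". The following is an added illustration of that measurement logic, not Aqua's tooling or any code from npm. The timer interface is injected so the analysis runs offline; the simulated latencies (380 ms versus 110 ms with jitter) and the two-times-baseline threshold are assumptions chosen for the example, not measurements of npm.

```python
import random
import statistics
from typing import Callable, Dict, Iterable

# A "timer" answers one question: how long did the registry take to respond to a
# request for this package name? Injecting it keeps the analysis independent of
# any network code. (Hypothetical interface, assumed for this example.)
Timer = Callable[[str], float]


def median_latency(timer: Timer, name: str, samples: int = 25) -> float:
    """Query the same name repeatedly and keep the median to suppress jitter."""
    return statistics.median(timer(name) for _ in range(samples))


def baseline_latency(timer: Timer, samples: int = 25, probes: int = 5) -> float:
    """Reference latency for names that certainly do not exist (a plain 404)."""
    names = [f"@zz-no-such-scope-{i}/no-such-package" for i in range(probes)]
    return statistics.median(median_latency(timer, n, samples) for n in names)


def classify(timer: Timer, candidates: Iterable[str],
             ratio: float = 2.0, samples: int = 25) -> Dict[str, bool]:
    """Map each candidate to True when its 404 is markedly slower than the
    baseline, i.e. when the registry behaves as if the package exists but is
    private. `ratio` is the assumed decision threshold."""
    base = baseline_latency(timer, samples)
    return {name: median_latency(timer, name, samples) >= base * ratio
            for name in candidates}


def make_simulated_timer(private_names: Iterable[str], seed: int = 7) -> Timer:
    """Constructed stand-in for the real registry: private packages answer a few
    hundred milliseconds slower than non-existent ones, plus Gaussian jitter.
    The numbers are illustrative, not measurements of npm."""
    rng = random.Random(seed)
    private = set(private_names)

    def timer(name: str) -> float:
        mean, sd = (0.380, 0.040) if name in private else (0.110, 0.020)
        return max(0.0, rng.gauss(mean, sd))

    return timer


if __name__ == "__main__":
    timer = make_simulated_timer({"@acme/internal-auth"})
    verdicts = classify(timer, ["@acme/internal-auth", "@acme/not-a-package"])
    for name, private in verdicts.items():
        print(f"{name}: {'likely private' if private else 'does not exist'}")
```

Taking the median rather than the mean is what makes this robust to the occasional slow request; a defender checking whether a registry leaks in this way would run the same harness with a real HTTP client behind the timer and look at how far the two distributions separate.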

Legitimate software used to spread malicious WhatsApp mod

Researchers at Kaspersky discovered a Trojan in a modified WhatsApp build called YoWhatsApp. The mod still delivers a fully functional messenger with a custom interface, but the embedded Trojan inherits every device permission granted to WhatsApp. The researchers found the modified app being distributed through otherwise legitimate channels, including ads inside the Snaptube app and uploads to the internal store of the video app Vidmate. The Trojan can be used to take over the victim's WhatsApp account or to sign the user up for paid subscriptions without their knowledge.

(Securelist)

Mango Markets hit by $100 million hack

The Solana-based trading platform's own account of the attack escalated over the course of a day. On the evening of October 11 it reported "an incident" in which an attacker was draining funds; by midday on the 12th it said market manipulation had allowed the attacker to drain around $100 million, which "effectively resulted in a total drain of all available equity", and it halted deposits and withdrawals. The attacker built a large position on the platform, traded against itself on other exchanges to inflate prices, and then submitted a governance proposal to Mango's DAO asking that any criminal investigation be waived and that it not be held responsible for any "bad debt". Holding enough governance tokens, it had the voting power to push the proposal through with 99% yes votes.

(Fortune)

Microsoft is adding security and collaboration features to Edge

Microsoft continues to add features to its Chromium-based Edge browser, and this time they're not for e-commerce! The browser now has typo protection for URLs: when you mistype the address of a commonly visited site, it suggests the site you probably meant, which can keep a slip of the fingers from landing you on a typosquatted domain. There is also a new opt-in mode that applies the browser's most conservative content settings when you visit an unfamiliar site, turning off just-in-time JavaScript compilation among other precautions. Microsoft also added a preview of Edge Workspaces, which lets team members share a set of browser tabs that update in real time.

(TechCrunch)
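Typo protection of the kind described above amounts to comparing what the user typed against a list of sites they are likely to have meant and flagging near-misses. The following is an added illustration of that idea in Python; it is not Microsoft's implementation. The allow-list, the distance threshold of two edits, and the naive "last two labels" domain reduction are assumptions made for the example.

```python
from typing import Iterable, Optional

# Constructed allow-list standing in for a browser's set of popular sites.
KNOWN_SITES = ["google.com", "github.com", "microsoft.com", "npmjs.com", "wikipedia.org"]


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution or
    a swap of two adjacent characters, each costing 1. Counting swaps matters
    because 'googel' is one keystroke slip away from 'google', not two."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def registrable_domain(host: str) -> str:
    """Keep the last two labels. Simplification (assumed): no public-suffix
    list, so 'example.co.uk' would be reduced to 'co.uk'."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def suggest_correction(host: str, known: Iterable[str] = KNOWN_SITES,
                       max_distance: int = 2) -> Optional[str]:
    """Return the closest known site when `host` is a near-miss of it, or None
    when `host` is an exact match or is not close to anything on the list."""
    domain = registrable_domain(host)
    best, best_dist = None, max_distance + 1
    for site in known:
        if site == domain:
            return None
        dist = edit_distance(domain, site)
        if dist < best_dist:
            best, best_dist = site, dist
    return best


if __name__ == "__main__":
    for typed in ["www.gogle.com", "googel.com", "npmsj.com", "google.com", "example.org"]:
        print(f"{typed:16} -> {suggest_correction(typed)}")
```

The threshold is the interesting knob: too small and real typos slip through, too large and unrelated sites get "corrected" into each other, which is itself a phishing vector if the suggestion list is not curated.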

Thanks to today’s episode sponsor, Noname Security

Are you sure your APIs are secure? Noname Security discovers all the APIs running on your network and analyzes them to detect design flaws, misconfigurations and vulnerabilities. You can even catalog sensitive data and quickly see how many APIs have access to credit card data, phone numbers, SSNs, and other sensitive PII data. Learn more at nonamesecurity.com/posture-management

First exception to the ban on US chip equipment

Earlier this month, the US Commerce Department announced further export controls on advanced chip-manufacturing equipment bound for China. The restrictions cover technology up to a decade old and would have made it difficult to manufacture DRAM in the country. Memory chip maker SK Hynix confirmed it received a one-year temporary exemption from the new rules, allowing it to supply equipment to its own China-based facilities without additional licensing from the Commerce Department. The US is expected to grant similar exemptions to other DRAM manufacturers such as Samsung.

(WSJ)

Google starts rolling out passkeys

Google began rolling out support for passkeys for logging in to websites and services. Initially they are available on Android for users in the Google Play Services beta and in Chrome Canary builds. Using a passkey requires authenticating on the device itself, and passkeys can be saved in Google Password Manager. A stable launch is coming "later this year", and Android will support passkeys from third-party credential managers in 2023.

(9to5Google)

White House Strategy Light on Cyber Details

Since taking office, the Biden administration has implemented a number of policy goals and executive orders to strengthen the nation's cybersecurity. So with the release of its National Security Strategy, it is a little surprising to see such a sparse mention of cyber in the document. It addresses the area specifically only in a short segment titled "Securing Cyberspace", and otherwise makes brief references to it in relation to the challenges presented by China and Russia. It notes that threat actors continue to target critical infrastructure and that the government continues to work with allies on standards to improve cyber resilience. Speaking about the document, National Security Adviser Jake Sullivan said it should not be read as "a detailed account of every single challenge" but rather as "a broader brush" of how the administration hopes to advance American interests.

(The Record)

Weak passwords are still a problem in the cloud

According to Google Cloud's latest Threat Horizons Report, weak passwords or no passwords at all were a factor in over 57% of cloud compromises in Q2. The report found that high levels of SSH activity indicate organizations frequently spin up instances with default credentials or none at all. The next most common factors, vulnerable software and misconfiguration, accounted for a combined 29.7%. Google observed threat groups installing cryptominers once they gained access, but it notes that organizations should be more concerned about actors who use that access covertly.

(Anton Chuvakin)
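The SSH pattern behind that statistic is visible in plain sshd logs: a run of failed password attempts from one source, then a successful password login for an account such as root. The following is an added detection example, not code from the report or from Google; the log lines are constructed (RFC 5737 example addresses) and the failure threshold of five is an assumption.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional

# Constructed sshd log lines for the example, not real data.
SAMPLE_LOG = """\
Oct 12 09:14:01 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 50122 ssh2
Oct 12 09:14:03 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 50130 ssh2
Oct 12 09:14:05 web1 sshd[2205]: Failed password for invalid user admin from 203.0.113.5 port 50134 ssh2
Oct 12 09:14:07 web1 sshd[2207]: Failed password for invalid user ubuntu from 203.0.113.5 port 50140 ssh2
Oct 12 09:14:09 web1 sshd[2209]: Failed password for root from 203.0.113.5 port 50148 ssh2
Oct 12 09:14:20 web1 sshd[2240]: Accepted password for root from 203.0.113.5 port 50201 ssh2
Oct 12 09:22:41 web1 sshd[2261]: Failed password for invalid user test from 192.0.2.9 port 39001 ssh2
Oct 12 09:30:00 web1 sshd[2300]: Accepted publickey for deploy from 198.51.100.7 port 41000 ssh2
"""

# Matches both "Failed password for invalid user admin from ..." and
# "Accepted publickey for deploy from ...".
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd_line(line: str) -> Optional[Dict[str, str]]:
    """Return result/method/user/ip for an auth event, None for other lines."""
    m = SSHD_RE.search(line)
    return m.groupdict() if m else None


def analyze(lines: Iterable[str], threshold: int = 5) -> Dict[str, object]:
    """Single pass over the log, keeping a per-source failure count so that a
    success can be judged against the failures that preceded it."""
    failures: Dict[str, int] = defaultdict(int)
    findings: Dict[str, object] = {
        "brute_force_sources": set(),    # sources with >= threshold failures
        "password_logins": [],           # (user, ip): password auth at all
        "success_after_failures": [],    # (user, ip, prior failures)
    }
    for line in lines:
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
            if failures[ev["ip"]] >= threshold:
                findings["brute_force_sources"].add(ev["ip"])
            continue
        if ev["method"] == "password":
            findings["password_logins"].append((ev["user"], ev["ip"]))
        if failures[ev["ip"]]:
            findings["success_after_failures"].append(
                (ev["user"], ev["ip"], failures[ev["ip"]]))
    return findings


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

The "success after failures" finding is the one worth paging on: a brute-force source that is still failing is noise, while one that eventually logged in as root is exactly the quiet foothold the report warns about.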
