The Week in Cybersecurity: NPM removes malicious modules, Microsoft backtracks on macros

Welcome to the latest edition of The Week in Cybersecurity, which brings you the most pressing security headlines from around the world and from our own team. This week: the fallout from another software supply chain attack involving malicious npm modules. Also: Microsoft is backtracking on its promise to disable Office macros by default.

NPM removes malicious modules after report

More than 30 malicious JavaScript modules were removed from the NPM package repository on Thursday, days after a ReversingLabs report identified dozens of NPM packages containing code designed to steal data from application forms and websites. The packages were replaced with "security holding packages" and a message stating that the package contained "malicious code and was removed from the registry by the npm security team".

The decision to remove the suspicious packages follows a ReversingLabs report detailing an extensive campaign, dubbed IconBurst, that seeded NPM with malicious packages, many of them named to resemble popular, legitimate JavaScript modules. ReversingLabs researcher Karlo Zanki identified the modules after noticing suspicious, obfuscated code inside them, a rarity in open source packages published to a public repository. Analysis of the obfuscated code revealed that it was malicious and designed to harvest data from forms in any application that used the malicious packages. For example, a malicious NPM package called swiper-bundle imitated the popular JavaScript framework Swiper and used an embedded jQuery library, extending its end() function with functionality that collected data from every form element on the page.

Image showing a message about removing the npm package.

The incident is only the latest involving the NPM platform. Researchers at Checkmarx said they discovered more than 1,200 NPM packages, linked to 1,000 different accounts, that were part of an apparent cryptocurrency experiment orchestrated by a malicious actor named "CuteBoi." In May, ReversingLabs and researchers at Snyk discovered an apparent "dependency confusion" attack using malicious public packages that squatted on the names of private NPM packages used by major German companies. (This attack was later revealed to be part of a benign "red team" exercise.) Earlier ReversingLabs research identified a threat flagged as Win32.Infostealer.Heuristics hidden in several versions of the nodejs_net_server NPM package.
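Both the IconBurst typosquats above and the dependency confusion attack rely on a dependency name that looks almost like a package a project already trusts. The script below is an added example, not code from the ReversingLabs post or from npm, showing one defensive check a build pipeline can run: compare every dependency in a package.json against a list of packages the project is known to use and flag names that are a small edit away from a known name or that are a known name with a suffix bolted on. The list of known packages and the sample manifest are constructed for illustration; only swiper-bundle is a name mentioned in the report, the other lookalike (lodahs) is a made-up typo.

```javascript
// Added example (not from the ReversingLabs post or from npm): flag
// dependency names that resemble packages a project is known to use.

// Constructed allowlist of packages the project legitimately depends on.
const KNOWN_PACKAGES = ['swiper', 'ionicons', 'jquery', 'lodash', 'umbrellajs', 'axios'];

// Constructed package.json fragment. "swiper-bundle" is a name from the
// IconBurst report; "lodahs" is a made-up one-transposition typo of lodash.
const SAMPLE_MANIFEST = {
  dependencies: {
    swiper: '^8.0.0',
    'swiper-bundle': '1.0.0',
    jquery: '^3.6.0',
    lodahs: '4.17.0',
    axios: '^1.0.0',
  },
};

// Plain Levenshtein distance (insert, delete, substitute), single-row DP.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // D[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // D[i-1][j], needed as next diag
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Drop an npm scope ("@org/pkg" -> "pkg") and separators so that
// "swiper_js" and "swiperjs" compare as the same string.
function normalize(name) {
  const bare = name.startsWith('@') ? name.split('/')[1] || name : name;
  return bare.toLowerCase().replace(/[-_.]/g, '');
}

// Returns a list of {dependency, resembles, reason} records for review.
// Exact matches against the allowlist are skipped; anything else that is
// within maxDistance edits of a known name, or is a known name plus a
// suffix, is reported. This is a triage list, not a verdict: legitimate
// plugins (jquery-ui, for instance) will show up and need a human look.
function findLookalikes(manifest, knownPackages, maxDistance = 2) {
  const findings = [];
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  const known = new Set(knownPackages);
  for (const dep of Object.keys(deps)) {
    if (known.has(dep)) continue;
    const depNorm = normalize(dep);
    for (const ref of knownPackages) {
      const refNorm = normalize(ref);
      const dist = editDistance(depNorm, refNorm);
      if (dist > 0 && dist <= maxDistance) {
        findings.push({ dependency: dep, resembles: ref, reason: `edit distance ${dist}` });
      } else if (refNorm.length >= 4 && depNorm !== refNorm && depNorm.startsWith(refNorm)) {
        findings.push({ dependency: dep, resembles: ref, reason: 'known name plus suffix' });
      }
    }
  }
  return findings;
}

// Stand-alone run: prints the two expected findings for the sample manifest.
console.log(JSON.stringify(findLookalikes(SAMPLE_MANIFEST, KNOWN_PACKAGES), null, 2));
```

In a real pipeline the allowlist would be the project's reviewed dependency set (or the organisation's private package names, for the dependency confusion case) and the manifest would be read from disk; the check is deliberately noisy because the cost of a human glance at a flagged name is far lower than the cost of shipping a form-scraping package.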

News summary

Cybersecurity never sleeps. Here are the stories we are paying attention to this week …

Microsoft backtracks on blocking Office macros by default

Microsoft received praise for its decision to start disabling Office macros by default. Now the company is backtracking on that promise, according to a Bleeping Computer report. The company announced in February that it would begin disabling macros by default in Excel, Word, PowerPoint and other Office documents. ReversingLabs research has shown that the use of macros in Excel documents, for example, correlates strongly with malicious behavior. The new default policy began rolling out in April, with general availability expected in June. However, Microsoft 365 users began to notice that the warnings about the presence of macros had disappeared from Office, while the controls for editing and enabling macros were back. "According to comments received, a recovery has begun. An update on the recovery is underway," said Angela Robertson, GPM chief identity and security officer for the Microsoft 365 Office team. The decision could have a big impact on Microsoft customers. Ransomware groups such as Emotet, Qbot, Dridex and others routinely abuse macros to gain a foothold in victims' networks. ReversingLabs researchers identified nearly 160,000 files in the company's TitaniumCloud that use Excel 4.0 (XLM) macros. On closer inspection, more than 90% were classified as malicious or suspicious. (Bleeping Computer)

AstraLocker ransomware operators shut down their operation

AstraLocker ransomware operators told BleepingComputer that they are shutting down the operation and have uploaded decryptors to the VirusTotal malware analysis platform. AstraLocker is based on the source code of the Babuk Locker (Babyk) ransomware, which leaked online in June 2021. (Security Affairs)

Google patches actively exploited Chrome bug

While people in the U.S. were celebrating the July 4 holiday, Google quietly released a stable-channel update for Chrome to fix an actively exploited zero-day vulnerability, the fourth such flaw the vendor has had to fix in its browser so far this year. (Threatpost)

Pro-China group's DragonBridge campaign targets rare earth mining companies

A pro-China influence campaign targeted rare earth mining companies in Australia, Canada and the U.S. with negative messaging in an unsuccessful attempt to manipulate public discourse in China's favor. (The Hacker News)

Hacker claims major theft of Chinese citizens' data

A hacker who claims to have stolen the personal data of hundreds of millions of Chinese citizens is now selling the information online. A sample of 750,000 entries posted online by the hacker showed citizens' names, mobile phone numbers, national identification numbers, addresses, birthdays and police reports they had filed. (Security Week)

Germany presents a plan to deal with cyberattacks on satellites

The German Federal Office for Information Security (BSI) has released a baseline IT protection profile for space infrastructure amid concern that attackers may be looking to the sky. (The Register)

*** This is a ReversingLabs Blog Security Bloggers Network syndicated blog written by Paul Roberts. Read the original post at:
