It’s no secret that Autodesk Forge uses AWS. But now they made it explicit. Some of the API will be exposing AWS services – in particular S3 – directly.
Source: Data Management OSS (Object Storage Service) migrating to Direct-to-S3 approach
Oh dear. Yet another npm author went rouge. This time it appears that the npm package deletes files for users with Russian/Belarus IP addresses. Time to take package pinning more seriously.
This week, the developer of the popular npm package ‘node-ipc’ released sabotaged versions of the library in protest of the ongoing Russo-Ukrainian War. The ‘node-ipc’ package, which gets downloaded over a million times weekly, began deleting files on developer’s machines, in addition to creating new text files with “peace” messages.
Source: BIG sabotage: Famous npm package deletes files to protest Ukraine war
Disclaimer: The following analysis of what could have happened is pure speculation based on publicly available information.
On 8 Jan 2022, news broke that as many as 469 OCBC bank customers were affected by phishing scams, racking losses of up to S$8.5 million in total. This should be one of the biggest and most successful phishing attack of a Singapore bank in recent memory.
Based on details of the news report, it appears that the scam works mainly as a result of 2 factors:
1. Successful social engineering
2. Possible SMS hijacking
Fake bank SMS
According to reports, users who got scammed received SMS messages that appear to originate from the bank. Scammers prey on user’s tendency to trust messages that appear alongside previous legitimate SMSes. How scammers are able to do this is to make use of a feature of SMS sending known as Alphanumeric sender ID. Meaning, they can send an SMS with a chosen sender ID that the bank uses. In this case, they chose “OCBC” as the sender ID. When the user receives such a SMS, it will appear alongside existing SMSes from the same sender ID “OCBC”.
As a quick test, I sent myself a test message with sender ID set to “BOC SG” (what Bank of China Singapore uses) and this is what I see:
This is just to show how easy it is to fake a sender ID. Interestingly, I was unable to reproduce this using “OCBC” as the sender ID, probably because the service provider/ISP is filtering out such IDs.
If a user thinks that it is a legitimate message from the bank, they tend to let their guard down and click on the link that the “bank” has sent – especially if it’s worded as something urgent. In this case it directs to a phishing site that looks exactly like the bank’s login page. Once the user enters their login user/password, the scammer would have captured their login credentials.
SMS hijacking
Just having login credentials is insufficient to make the attack successful. Because most banks would require 2FA for full login and to perform other more important actions like money transfer. This is where the SMS hijacking comes in.
It has been known for quite some time that SMS is NOT a reliable form of 2FA. To understand why, we have to dig into how SMS is implemented. Those who are interested can find out more here. There are some sites – which I won’t link to – that offers to provide such hijacking service for as little as $16.
To cut the long story short, if an attacker knows your mobile phone number, they can intercept your SMS messages, without you knowing. Shocking. I know. But this is well known and has been repeatedly demonstrated in cybersecurity conferences and other public forums.
With both the login credentials and hijacked SMS messages carrying OTP messages, an attacker can in theory carry out transactions without the user being notified.
Actually that is not all, if the bank calls your mobile number – for example, to verify the transaction – that can be intercepted as well via the same mechanism.
Closing the gap
The attack worked in this case because Singapore allows for Alphanumeric sender ID without requiring pre-registration by the sending organization. There are now renewed calls to make pre-registration compulsory to use this feature.
Fixing SMS hijacking – if it’s indeed the mechanism being used – will take more effort and probably require all ISPs to put in place mitigation in their systems. The easier fix may be to deprecate SMS as a 2FA option and stick to other more secure options like authenticating through app or physical tokens.
There are also some questions as to why automatic fraud detection that banks usually have in place is not working in this case. I shall not speculate on this but wait for further information from the investigation.
Conclusion
OCBC customers are not the first to fall prey to scams and neither will they be the last. As we move more and more to the digital world we can expect cyber criminals to keep exploiting both technical loopholes as well as human weaknesses to achieve their objectives. User education remains important and so are improving processes and closing technology gaps.
Previously we had attackers using hijacked npm libraries to steal credentials. In this case the libraries or the maintainer wasn’t compromised. In fact it was the maintainer who deliberately introduced bugs into his libraries, thereby breaking thousands of apps that depends on it. There’s no easy solution to this dependency problem. For now use pinned versions and manually approve upgrades.
Users of popular open-source libraries ‘colors’ and ‘faker’ were left stunned after they saw their applications, using these libraries, printing gibberish data and breaking. Some surmised if the NPM libraries had been compromised, but it turns out there’s more to the story.
Source: Dev corrupts NPM libs ‘colors’ and ‘faker’ breaking thousands of apps
log4j is a common logging library for Java applications. This vulnerability is extremely easy to exploit, and allows the attacker to run arbitrary code in the server. IOW, very bad. For now, set log4j.formatMsgNoLookups=true to mitigate the issue, until an official patch is out.
Given how ubiquitous this library is, the impact of this vulnerability is quite severe. Learn how to patch it, why it’s bad, and more in this post.
Source: RCE 0-day exploit found in log4j, a popular Java logging package | LunaSec
Got hit by this today. Was trying to open a Word doc from a colleague when I receive the following scary warning.
Submitting the same file to VirusTotal returns 0 threats detected. Hmmm.
Searching for the keyword Win32/PowEmotet.SB returns the following:
Microsoft Defender for Endpoint is currently blocking Office documents from being opened and some executables from launching due to a false positive tagging the files as potentially bundling an Emotet malware payload.
Source: Microsoft Defender scares admins with Emotet false positives
If you are hit by the same issue, just update your threat definition and it should go away:
Categories
OneMap API
Do you know that you can do this? No API key or token is required to do simple geocoding via OpenMap API.
Notice the response returns LONGTITUDE and LONGITUDE containing the same values. This is due a misspelling in the earlier API and a decision not to break the earlier API.
Find out more here: https://www.onemap.gov.sg/docs/#onemap-rest-apis
One of the FBI website had a web form that allowed arbitrary content to be sent from a legitimate FBI domain – passing all DMARC, DKIM, SPF. This isn’t even a hack – anyone could have done it using their web browser. But it could have serious consequences had the attacker had more nefarious motives.
The Federal Bureau of Investigation (FBI) confirmed today that its fbi.gov domain name and Internet address were used to blast out thousands of fake emails about a cybercrime investigation. According to an interview with the person who claimed responsibility for…
Earlier, we had a group which abuse Unicode bi-directional mechanism to deceive the reader about the actual ordering of source code, leading to clever hiding of backdoor in plain sight.
Now we have yet another novel method to include a backdoor in source codes. The attack vector makes use of Unicode characters that are invisible, but which are valid characters in variables names.
The attack requires the IDE/text editor (and the used font) to correctly render the invisible characters. At least Notepad++ and VS Code render it correctly (in VS Code the invisible character is slightly wider than ASCII characters). The script behaves as described at least with Node 14.
It’s a worrying trend to see more and more hijacking of popular packages to spread malware. The threat actor apparently gained access to the packager maintainers account and inserted a post install script to download malware.
The security team of the npm JavaScript package manager has warned users that two of its most popular packages had been hijacked by a threat actor who released new versions laced with what appeared to be password-stealing malware.
Source: Malware found in coa and rc, two npm packages with 23M weekly downloads