Netizen Cybersecurity Bulletin (September 28th, 2023)


  • Phish Tale of the Week
  • Deceptive Cyberattack Strikes GitHub’s Software Supply Chain via Impersonation of Dependabot
  • Chinese State-Sponsored Cyber Espionage Campaign Targets South Korean Organizations Over Multiple Years
  • How can Netizen help?

Phish Tale of the Week

Phishing campaigns routinely rely on social engineering. In this example, the actors pose as LastPass, the password manager company, and tell you that action must be taken on your account to avoid deactivation, in this case updating your personal information. The email explains that “LastPass” takes our security very personally, so we should confirm our information in order to keep full access to our account. It looks both urgent and genuine, so why shouldn’t we click the “Confirm My Information” button? Fortunately, there are plenty of signs that this is a phishing scam.

Here’s how we can tell not to click on this link:

  1. The first red flag in this message is the sender’s address. Always inspect the sender’s address carefully to confirm it belongs to a trusted sender. In this case, the actors did not bother to spoof their address, and a quick look at it makes it obvious that the email did not come from LastPass. Keep in mind that a display name or a lookalike domain can be forged, so check the full address, not just the name your mail client shows.
  2. The second warning sign in this email is the messaging. The message tries to create a sense of urgency with bolded phrases such as “Warning” and “To avoid the deactivation”. Phishing scams commonly manufacture urgency to get you to click a link before thinking it through. Always read the message carefully before clicking any link in your inbox.
  3. The final warning sign for this email is the lack of legitimate LastPass information. Fortune 500 companies and similar organizations standardize their customer communications: support links, postal addresses, acceptable use policies and similar information appear at the bottom of every email, along with options to unsubscribe or change messaging preferences. This email includes a small footer, but a quick look shows it is just for show. It lacks every element of a credible LastPass email and can be flagged as a phishing attempt immediately.

General Recommendations:

A phishing email will typically direct you to a link where you are prompted to update personal information, such as a password, credit card number, Social Security number, or bank account details. A legitimate company already holds this information and would not ask for it again, least of all by email.

  1. Scrutinize your emails before clicking anything. Have you ordered anything recently? Does the order number match one you already have? Did the email come from a store you don’t usually order from or a service you don’t use? If so, it is probably a phishing attempt.
  2. Verify that the sender actually belongs to the company the message claims to come from.
  3. Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to provide Personally Identifiable Information (PII) such as credit card numbers or your Social Security number? A legitimate company will never ask for PII via instant message or email.
  4. Do not give out personal or company information over the internet in response to an unsolicited request.
  5. Do not click unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company or service. A padlock or HTTPS only means the connection is encrypted, not that the site is legitimate; phishing sites routinely have valid HTTPS certificates, so the domain name is what matters.

Many phishing emails convey urgency or even aggression in order to intimidate the reader. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also beware of messages that try to tempt you into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” is meant to raise the question “What is wrong with my account?” and prompt you to click a suspicious link.
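The three red flags above (sender domain, link destination, urgency wording) can be checked mechanically. The script below is an added example, not code from the bulletin: it parses a raw email, works out which brand the message invokes, and reports mismatches against a hypothetical allow-list of that brand’s domains. The two sample emails and the BRAND_DOMAINS table are constructed for the example; the phishing sample is modelled on the LastPass lure described above, not the real message.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical allow-list: brand name a message invokes -> registered domains
# that brand legitimately sends from and links to. Extend for your own brands.
BRAND_DOMAINS = {
    "lastpass": {"lastpass.com"},
}

# Urgency wording of the kind the bulletin calls out; tune to taste.
URGENCY_PHRASES = (
    "warning",
    "to avoid the deactivation",
    "immediately",
    "within 24 hours",
    "account will be suspended",
    "confirm my information",
)

# Constructed sample modelled on the lure described above (not the real email).
PHISH_EMAIL = """\
From: LastPass Support <support@lastpass-account-review.com>
Return-Path: <bounce@mail-relay.example.net>
Subject: Warning: confirm your information
Content-Type: text/html

<p><b>Warning</b>: to avoid the deactivation of your account, please
<a href="https://lastpass-account-review.com/confirm">Confirm My Information</a>.</p>
<p>LastPass takes your security very personally.</p>
"""

# Constructed benign sample for comparison.
LEGIT_EMAIL = """\
From: LastPass <noreply@lastpass.com>
Return-Path: <bounces@lastpass.com>
Subject: Your monthly security report
Content-Type: text/html

<p>Your report is ready. <a href="https://lastpass.com/report">View report</a>.</p>
"""


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for .com brands; use tldextract for ccTLDs."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze(raw: str) -> dict:
    """Return the brand the message invokes and the red flags found."""
    msg = message_from_string(raw)
    body = msg.get_payload()          # samples are single-part
    from_hdr = msg.get("From", "")
    text = " ".join([msg.get("Subject", ""), from_hdr, body]).lower()

    brand = next((b for b in BRAND_DOMAINS if b in text), None)
    allowed = BRAND_DOMAINS.get(brand, set())
    flags = []

    # Red flag 1: header sender and envelope sender must both be on the brand's domain.
    for label, header in (("From", from_hdr), ("Return-Path", msg.get("Return-Path", ""))):
        addr = parseaddr(header)[1]
        if brand and addr and registered_domain(addr.rsplit("@", 1)[-1]) not in allowed:
            flags.append(f"{label} address {addr} is not on a {brand} domain")

    # Red flag 2: every link must point at the brand's domain (HTTPS proves nothing here).
    for url in re.findall(r'href="([^"]+)"', body):
        host = urlparse(url).hostname or ""
        if brand and registered_domain(host) not in allowed:
            flags.append(f"link points at {host}, not a {brand} domain")

    # Red flag 3: manufactured urgency.
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        flags.append("urgency phrasing: " + ", ".join(hits))

    return {"brand": brand, "flags": flags,
            "verdict": "suspicious" if flags else "no red flags"}


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, analyze(sample))
```

The urgency check is the weakest of the three and only adds weight; the domain checks are what turn a suspicion into a verdict. A real mail gateway would additionally evaluate SPF, DKIM and DMARC results, which this offline example does not attempt.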

Cybersecurity Brief

In this week’s Cybersecurity Brief:

Deceptive Cyberattack Strikes GitHub’s Software Supply Chain via Impersonation of Dependabot

In a recent software supply chain attack, attackers inserted malicious code into hundreds of GitHub repositories by using stolen credentials to commit unauthorized changes. They borrowed the name of a well-known tool, Dependabot, to trick developers into accepting the tainted updates.

The attackers used stolen personal access tokens (PATs), the credentials that authenticate pushes to GitHub, to push code changes into the repositories. To impersonate Dependabot they relied on a well-known property of git: the author name and email on a commit are free-form metadata set by whoever creates the commit, so nothing stops a token holder from writing “dependabot[bot]” into those fields. The commits appended malicious code to the end of JavaScript files, causing them to load and execute code from an attacker-controlled site.

This deception technique, involving the impersonation of Dependabot, is a new twist in the realm of software supply chain attacks and could easily mislead unsuspecting developers, according to Guy Nachshon, a security researcher at Checkmarx.

“The attacker plants code changes to appear as if they were made by Dependabot — so the victim won’t deep dive into the code changes,” he says. “This is a software supply chain attack and the first time we’ve witnessed such a deception technique with the impersonation of Dependabot.”

This incident is the latest in a series of attacks targeting developers and the GitHub platform itself, aiming to inject malicious code into the software supply chain. For instance, in previous incidents, attackers stole code from Dropbox’s GitHub repositories by tricking a developer into divulging their credentials and two-factor authentication code on a phishing site. Another attacker created a malicious Python package that masqueraded as a software development kit for a popular security client.

These attacks are not exclusive to GitHub: various threat actors have used impersonation tactics to manipulate users into trusting a fraudulent code commit, often coupled with stolen PATs. GitHub emphasizes that its systems were not compromised in this attack and that there is no evidence GitHub users at large are at risk. Nevertheless, malicious actors continue to seek opportunities to compromise personal data and sensitive information wherever they can find it.

Dependabot, a tool purchased by GitHub in 2019, automates regular software and security checks for projects hosted on the GitHub platform. Attackers could have submitted their malicious code under any name, but by masquerading as Dependabot, they gained a level of trust among developers. Nicolas Danjon, a security researcher at GitGuardian, highlights this point: “Dependabot is an automated process that will add some merge requests to your projects to update your dependencies. As a developer, if you see a request that comes from Dependabot, you’re not even going to check the code — you just accept it because you trust the source.”

However, it’s important to stress that the actual code submission was made possible by the theft of PATs. Without the stolen credentials, the threat would be significantly diminished, according to Checkmarx’s Nachshon. Developers are urged to secure their accounts and adopt the principle of least privilege by using fine-grained tokens, which are scoped to specific repositories and permissions and carry an expiration date, instead of classic tokens.
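Because the author name and email on a commit are unauthenticated, the only attribute of a “Dependabot” commit that a token thief cannot forge is a valid signature. The script below is an added example (not Checkmarx’s or GitHub’s code) that reads git log output and flags commits which claim to be Dependabot but either carry an unexpected author address or are not signed with a key you trust. It assumes Dependabot’s author name and its users.noreply.github.com address pattern, which you should confirm against a known-good Dependabot commit in your own repository, and it assumes you have imported the public key GitHub signs such commits with (GitHub publishes its signing key; check GitHub’s documentation for the current location) so that git’s %G? field reports G or U for genuine ones. The sample log is constructed for the example.

```python
import re

SEP = "\x1f"  # unit separator used in the git format string below; subjects can't contain it

# Assumed values: confirm both against a known-good Dependabot commit in your repo.
BOT_NAME = "dependabot[bot]"
BOT_EMAIL_RE = re.compile(r"^\d+\+dependabot\[bot\]@users\.noreply\.github\.com$")

# git's %G? signature status codes: G good, U good but key untrusted,
# N unsigned, B bad, E cannot be checked, X/Y expired, R revoked.
GOOD_SIGNATURE = {"G", "U"}

# Constructed sample of:
#   git log --format='%H%x1f%an%x1f%ae%x1f%G?%x1f%s'
# (not output from a real repository).
SAMPLE_LOG = "\n".join(SEP.join(row) for row in [
    ("a1f3c9e", "dependabot[bot]", "49699333+dependabot[bot]@users.noreply.github.com", "G",
     "Bump lodash from 4.17.20 to 4.17.21"),
    ("b2c4d0f", "dependabot[bot]", "dependabot@github.com", "N", "fix"),
    ("c3d5e1a", "dependabot[bot]", "49699333+dependabot[bot]@users.noreply.github.com", "N",
     "Bump axios from 0.21.1 to 1.5.0"),
    ("d4e6f2b", "Jane Dev", "jane@example.com", "N", "Add feature flag"),
])


def parse_log(text: str):
    """Yield one dict per commit from the SEP-delimited log lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, name, email, sig, subject = line.split(SEP, 4)
        yield {"sha": sha, "name": name, "email": email, "sig": sig, "subject": subject}


def find_impersonations(text: str) -> list:
    """Return (sha, reasons) for every commit that claims to be Dependabot
    but fails a check the attacker cannot fake by editing commit metadata."""
    findings = []
    for c in parse_log(text):
        claims_bot = "dependabot" in c["name"].lower() or "dependabot" in c["email"].lower()
        if not claims_bot:
            continue
        reasons = []
        # The email is a hint only: it is just as forgeable as the name.
        if not BOT_EMAIL_RE.match(c["email"]):
            reasons.append("author email is not Dependabot's noreply address")
        # The signature is the real test.
        if c["sig"] not in GOOD_SIGNATURE:
            reasons.append(f"signature status {c['sig']!r}: not signed with a key you trust")
        if reasons:
            findings.append((c["sha"], reasons))
    return findings


if __name__ == "__main__":
    for sha, reasons in find_impersonations(SAMPLE_LOG):
        print(sha, "; ".join(reasons))
```

Run the git command from the comment in the repository you want to audit and pipe its output into find_impersonations. Commit c3d5e1a in the sample is the instructive case: its author address is exactly right, and it is still flagged, because the signature is what the check trusts. The same idea applies at the platform level: requiring signed commits on protected branches means a stolen PAT alone cannot land an unsigned “Dependabot” change.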

To safeguard software development pipelines against attacks, developers should prioritize enhancing security measures. This includes ensuring that the theft of a single credential cannot lead to code compromise. GitHub has already taken steps in this direction by scanning all public repositories for developer secrets like passwords and security tokens and mandating two-factor authentication for all developer accounts.

The impersonation attack underscores the importance of not relying solely on project attributes, such as the number of developers and commits, to determine project trustworthiness. In 2022, researchers demonstrated that some of the signals and metadata used for assessing a software project’s trustworthiness could be forged, potentially deceiving developers into downloading malicious code.

To enhance security, organizations should not only protect their development secrets but also employ honey tokens, a deception technique that scatters fake credentials through developers’ environments: any attempt to use one of them signals that an attacker has harvested secrets from that environment. Additionally, developers should review the code in the packages they use for any signs of malicious code entering the supply chain.

Checkmarx’s Nachshon also recommends that GitHub make security access logs available to every user, a feature the article describes as currently limited to enterprise customers. This would let users monitor their own account activity and spot suspicious actions or unauthorized access more promptly.


Chinese State-Sponsored Cyber Espionage Campaign Targets South Korean Organizations Over Multiple Years

A sustained and extensive cyber espionage campaign, believed to be orchestrated by Chinese state-sponsored actors, has come to light. The ongoing campaign, tracked as TAG-74 by Recorded Future’s Insikt Group, poses a significant threat to a range of entities in South Korea, including academic institutions, political bodies, and government organizations. The adversaries behind TAG-74 have strong links to Chinese military intelligence, which makes their activity a concern for academic, aerospace and defense, government, military, and political entities in South Korea, Japan, and Russia.

The campaign focuses in particular on South Korean academic institutions, in line with China’s broader objectives of intellectual property theft and expanding its influence. It is also driven by strategic considerations, including China’s relations with the United States.

The attackers use social engineering, delivering Microsoft Compiled HTML Help (CHM) files as lures that install a custom variant of ReVBShell, an open-source Visual Basic Script backdoor. ReVBShell then serves as the foothold for deploying the Bisonal remote access trojan. The backdoor can be instructed by its command-and-control (C2) server to go dormant for a set period, and later commands can change that interval. It also Base64-encodes its C2 traffic; this is obfuscation rather than encryption, so the traffic is readable once decoded.
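The CHM delivery step has a reliable detection point: Windows opens .chm files with hh.exe (the HTML Help executable), and a CHM that drops and launches a VBS backdoor has to start a script host, so hh.exe spawning wscript.exe, cscript.exe, cmd.exe, powershell.exe or mshta.exe is the moment to alert on. The script below is an added example, not part of the Recorded Future report: it walks a list of process-creation events and reports script hosts whose parent is hh.exe, extracting the CHM path from the parent’s command line. The events and their field names are constructed for the example; map them to your own telemetry’s fields (for instance Sysmon Event ID 1) before use.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
CHM_VIEWER = "hh.exe"

# Constructed process-creation events (not real telemetry). Field names are
# the example's own; map them to your EDR or Sysmon schema.
EVENTS = [
    {"pid": 3380, "ppid": 1200, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4120, "ppid": 3380, "image": r"C:\Windows\hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" "C:\Users\kim\Downloads\seminar invite.chm"'},
    {"pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //B C:\Users\kim\AppData\Local\Temp\update.vbs"},
    {"pid": 5010, "ppid": 3380, "image": r"C:\Windows\hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Docs\manual.chm'},   # benign: reads a manual, spawns nothing
    {"pid": 5100, "ppid": 3380, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},                            # benign: parent is explorer, not hh.exe
]

# Quoted path with spaces, or an unquoted path without them.
CHM_PATH_RE = re.compile(r'"([^"]+\.chm)"|(\S+\.chm)', re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def chm_script_spawns(events: list) -> list:
    """Return one hit per script host whose parent process is hh.exe."""
    by_pid = {}
    for e in events:
        # First seen wins. PIDs are reused on Windows; key on (pid, start time)
        # or the telemetry's process GUID in a real pipeline.
        by_pid.setdefault(e["pid"], e)

    hits = []
    for e in events:
        if basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) != CHM_VIEWER:
            continue
        m = CHM_PATH_RE.search(parent["cmdline"])
        chm = (m.group(1) or m.group(2)) if m else None
        hits.append({
            "pid": e["pid"],
            "child": basename(e["image"]),
            "child_cmdline": e["cmdline"],
            "chm": chm,
        })
    return hits


if __name__ == "__main__":
    for hit in chm_script_spawns(EVENTS):
        print(f"pid {hit['pid']}: {hit['child']} spawned by hh.exe opening {hit['chm']}")
        print("   ", hit["child_cmdline"])
```

The parent lookup deliberately fails closed when the parent event is missing (a telemetry gap or a parent that exited before collection started); in that case the child is simply not attributed, so pair this rule with a broader one on script hosts launched from user-writable directories such as Temp.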

ReVBShell has also been used by two other China-linked clusters, Tick and Tonto Team, and AhnLab Security Emergency Response Center (ASEC) reported an identical infection sequence attributed to Tonto Team in April 2023. Bisonal, the remote access trojan deployed in this campaign, is a versatile implant that can enumerate processes and files, execute commands and files, terminate processes, download and upload files, and delete files from disk. The overlaps between TAG-74 and other Chinese threat groups, particularly Tick, underscore how widely tools and techniques are shared among these actors.

Recorded Future notes that the TAG-74 campaign reflects a long-term strategy aimed at collecting intelligence from South Korean targets. Given the group’s sustained focus on South Korean entities over many years and its likely affiliation with the Northern Theater Command, it is anticipated that TAG-74 will continue to remain highly active in gathering intelligence from strategic targets within South Korea, as well as in Japan and Russia.


How can Netizen help?

Netizen ensures that security gets built in and not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service”, through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Copyright © Netizen Corporation. All Rights Reserved.