Cyber Security Weekly Briefing, 31 December – 6 January

Telefónica Tech    9 January, 2023

PyTorch’s dependency chain is breached

PyTorch, a popular open-source machine learning framework, has warned users who installed PyTorch-nightly between 25 and 30 December 2022 to uninstall the framework and the ‘torchtriton’ library due to a successful compromise via a dependency confusion attack.

The malicious ‘torchtriton’ library in PyPI shares a name with an official library published in the PyTorch-nightly repository, causing the malicious package to be introduced to users’ systems instead of the legitimate one in order to steal sensitive information from the victim.

PyTorch has renamed the ‘torchtriton’ library to ‘pytorch-triton’ and reserved a dummy package in PyPI to prevent similar attacks. This issue does not affect users of the stable versions of PyTorch.
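As an added illustration (not code from PyTorch, pip or this briefing), the following model shows why a same-named package on PyPI can win when pip is configured with an extra index, and audits a requirement list for that exposure. The index URLs, package names and versions are constructed.

```python
from dataclasses import dataclass

# Constructed index URLs: PYPI stands for the public index, VENDOR for a
# private or vendor index such as the one PyTorch-nightly is served from.
PYPI = "https://pypi.org/simple"
VENDOR = "https://vendor.example/simple"


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str


def version_key(v: str):
    # Minimal numeric ordering; sufficient for the constructed samples below.
    return tuple(int(p) for p in v.split("."))


def resolve(name, candidates, indexes):
    """Mimic pip with --extra-index-url: every configured index forms one
    pool and the highest version wins, whichever index published it."""
    pool = [c for c in candidates if c.name == name and c.index in indexes]
    if not pool:
        raise LookupError(f"no candidate for {name}")
    return max(pool, key=lambda c: version_key(c.version))


def audit(requirements, candidates, indexes, expected_index):
    """Return requirements whose winning candidate would not come from the
    index the organisation expects (dependency-confusion exposure)."""
    findings = {}
    for name in requirements:
        chosen = resolve(name, candidates, indexes)
        want = expected_index.get(name)
        if want is not None and chosen.index != want:
            findings[name] = chosen
    return findings


# Constructed sample: internal-pkg is published only on the vendor index,
# and a same-named package with a higher version appears on PyPI.
SAMPLE = [
    Candidate("internal-pkg", "1.0.0", VENDOR),
    Candidate("internal-pkg", "99.0.0", PYPI),
    Candidate("public-lib", "2.3.1", PYPI),
]
EXPECTED = {"internal-pkg": VENDOR}

if __name__ == "__main__":
    exposed = audit(["internal-pkg", "public-lib"], SAMPLE, {PYPI, VENDOR}, EXPECTED)
    for name, c in exposed.items():
        print(f"{name}: would install {c.version} from {c.index}, expected {EXPECTED[name]}")
    print("vendor index only:", "clean" if not audit(["internal-pkg"], SAMPLE, {VENDOR}, EXPECTED) else "exposed")
```

Restricting the install to a single trusted index (or reserving the name on PyPI, as PyTorch did) removes the shadowing candidate from the pool.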

More info

* * *

Synology fixes a critical vulnerability

Synology has addressed a maximum severity vulnerability affecting VPN Plus Server. The vulnerability, identified as CVE-2022-43931 with a CVSS score of 10.0, can be exploited in low-complexity attacks without requiring router privileges or user interaction, allowing a remote attacker to execute arbitrary commands.

The company has released fixes for the vulnerability and recommends that users upgrade VPN Plus Server for SRM to the latest version.

More info

* * *

New Raspberry Robin campaign

Security Joes researchers have detected new attacks by the Raspberry Robin framework against insurance and financial institutions in Europe. Raspberry Robin activity was also recently documented by the Trend Micro team, but Security Joes researchers have observed a new, more complex version of the malware.

The download mechanism has been updated with new anti-analysis capabilities, and the attackers have also started to collect more data from victims’ machines. On this last point, the researchers note that, while the C2 beacon previously contained a URL with the username and hostname in plain text, it now also carries data such as the processor name and details of the video devices available on the machine, with this victim profile encrypted using RC4.

Finally, it is worth noting that this time the victims are Portuguese- and Spanish-speaking organisations.

More info

* * *

MasquerAds: malware distribution campaign using Google Ads

Researchers at Guardio have warned of a malware distribution campaign via Google Ads which they have named MasquerAds.

The ads, supposedly promoting popular legitimate programs such as Zoom, Slack, AnyDesk, Blender, Audacity or Brave, point to a legitimate website approved by Google’s ad system. Once the link is accessed, however, the user is redirected to a different site from which the malware is eventually downloaded, with the payload hosted on legitimate services such as GitHub, Dropbox or Discord.

Guardio attributes this campaign to the group known as Vermux and indicates that it has mostly affected users in the United States and Canada. Malware variants observed in their research include cryptocurrency miners and the Raccoon and Vidar stealers. The use of Google Ads in such campaigns appears to have increased recently, leading even the FBI to issue an alert.

More info

* * *

Zoho fixes critical vulnerability in ManageEngine

Zoho has addressed a security flaw affecting several ManageEngine products. The flaw, identified as CVE-2022-47523, is a SQL injection vulnerability affecting Password Manager Pro, PAM360 privileged access management software and Access Manager Plus privileged session management solution.

Successful exploitation would give an unauthenticated attacker access to the back-end database, allowing arbitrary queries to be executed. Zoho recommends upgrading the affected products to the latest version as soon as possible.

More info
