June 10, 2024
4 Min Read

Threat Report 10.06.24

Threat actors ransom GitHub repositories with stolen credentials

Threat actors are targeting GitHub repositories to run a newly discovered extortion campaign. The attack likely stems from the use of stolen credentials, and involves threat actors compromising an account, wiping associated repositories, and ransoming the wiped data.

GitHub has not commented on the attacks, but has previously issued advice for securing accounts against attacks like these. It recommends precautions such as enabling multi-factor authentication on your account, verifying the email addresses associated with your account, and revoking access for unused or unauthorised SSH keys, deploy keys, and integrations.

If you have reason to believe your account has previously been compromised, change your password as soon as possible.
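The precautions above can be checked routinely rather than by hand. The script below is an added example, not GitHub's own tooling: it takes the JSON documents that the GitHub REST API returns (GET /user, GET /user/emails, GET /user/keys and GET /repos/{owner}/{repo}/keys) and flags disabled MFA, unverified e-mail addresses, SSH keys older than a chosen age, and deploy keys that have never been used or have write access. The sample payloads are constructed, and the one-year key age limit is an assumed policy rather than a GitHub recommendation.

```python
"""Audit a GitHub account against the precautions listed above.

Added example, not GitHub's own tooling. It works on the JSON documents that
the GitHub REST API returns (GET /user, GET /user/emails, GET /user/keys and
GET /repos/{owner}/{repo}/keys) so the check itself runs offline; the sample
payloads below are constructed for the example, and the one-year key age
limit is an assumed policy, not a GitHub recommendation.
"""
from datetime import datetime, timedelta, timezone

# Fixed "today" so the example is deterministic (the report is dated 10 June 2024).
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)
MAX_KEY_AGE = timedelta(days=365)  # assumed rotation policy


def _parse_ts(value):
    # GitHub timestamps are ISO 8601 with a trailing Z, e.g. "2023-01-15T10:20:30Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_account(user, emails, ssh_keys, deploy_keys, now=NOW, max_key_age=MAX_KEY_AGE):
    """Return a list of (severity, message) findings; an empty list means nothing was flagged.

    user        -> GET /user (needs the 'user' scope to expose two_factor_authentication)
    emails      -> GET /user/emails
    ssh_keys    -> GET /user/keys
    deploy_keys -> {"owner/repo": GET /repos/owner/repo/keys, ...}
    """
    findings = []
    if not user.get("two_factor_authentication"):
        findings.append(("high", "multi-factor authentication is disabled"))
    for e in emails:
        if not e.get("verified"):
            findings.append(("medium", f"unverified e-mail address: {e['email']}"))
    for k in ssh_keys:
        age = now - _parse_ts(k["created_at"])
        if age > max_key_age:
            findings.append(("medium", f"SSH key '{k['title']}' is {age.days} days old; rotate or revoke it"))
    for repo, keys in deploy_keys.items():
        for k in keys:
            if k.get("last_used") is None:
                findings.append(("medium", f"deploy key '{k['title']}' on {repo} has never been used; revoke it if unneeded"))
            if not k.get("read_only", False):
                findings.append(("low", f"deploy key '{k['title']}' on {repo} has write access"))
    return findings


# Constructed sample payloads, shaped like the real API responses.
SAMPLE_USER = {"login": "example-user", "two_factor_authentication": False}
SAMPLE_EMAILS = [
    {"email": "example-user@example.com", "verified": True, "primary": True},
    {"email": "old-address@example.net", "verified": False, "primary": False},
]
SAMPLE_SSH_KEYS = [
    {"id": 1, "title": "laptop-2022", "created_at": "2022-01-05T09:00:00Z"},
    {"id": 2, "title": "laptop-2024", "created_at": "2024-05-01T09:00:00Z"},
]
SAMPLE_DEPLOY_KEYS = {
    "example-org/example-repo": [
        {"id": 10, "title": "ci-deploy", "read_only": True, "last_used": "2024-06-01T12:00:00Z"},
        {"id": 11, "title": "legacy-sync", "read_only": False, "last_used": None},
    ]
}


def run_sample_audit():
    """Run the audit over the constructed payloads; returns the findings list."""
    return audit_account(SAMPLE_USER, SAMPLE_EMAILS, SAMPLE_SSH_KEYS, SAMPLE_DEPLOY_KEYS)


if __name__ == "__main__":
    for severity, message in run_sample_audit():
        print(f"[{severity}] {message}")
```

Against the constructed payloads the audit reports five findings: disabled MFA, one unverified address, the two-year-old SSH key, and the never-used, writable deploy key. Fetching the real payloads is a matter of calling the endpoints named in the docstring with a token and passing the parsed JSON to `audit_account`.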

Fake browser updates used to spread malware

Researchers have spotted an attack that spreads malware such as BitRAT and Lumma Stealer by tricking users into downloading fake browser updates.

The attack commences when the victim visits an infected website containing JavaScript that redirects the user to a fake update page. This page has a link which, when clicked, downloads a file named ‘Update.zip’. Within this ZIP file is a JavaScript file, ‘Update.js’, which when run triggers PowerShell scripts to download additional payloads.

BitRAT is a remote-access trojan used to harvest data, mine cryptocurrency, download additional binaries, and remotely control the infected device. Lumma Stealer is information-stealing malware which captures data from web browsers and crypto wallets, among other things.

To mitigate this kind of attack, it’s important to double-check URLs to ensure they are as expected and to heed warnings about downloading and running suspicious files.
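Beyond user awareness, the chain described above (a script host running ‘Update.js’ from a download location, then spawning PowerShell) is visible in process-creation telemetry. The following is an added example, not part of the original report or any vendor's product: two detection rules run over constructed process-creation events with generic field names (parent_image, image, command_line), which you would map to your own EDR or Sysmon Event ID 1 fields. All paths, hostnames and file names in the sample events are placeholders.

```python
"""Flag the script-host-to-PowerShell chain described above in process-creation logs.

Added example, not from the original report or any vendor's product. The
events below are constructed and use generic field names (parent_image,
image, command_line); map them to your own EDR or Sysmon Event ID 1 fields
before reusing the logic. Paths and file names are placeholders.
"""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Locations where a downloaded or ZIP-extracted Update.js would typically land.
USER_WRITABLE_DIRS = re.compile(r"\\(Downloads|Temp|AppData\\Local\\Temp)\\", re.IGNORECASE)
# First script-file argument on the command line (quoted or not).
SCRIPT_ARG = re.compile(r'"?([A-Z]:\\[^"]+?\.(?:js|jse|vbs|wsf))"?', re.IGNORECASE)


def _basename(path):
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.basename(path).lower()


def classify(event):
    """Return the list of rule names the event matches (empty if none)."""
    hits = []
    image = _basename(event["image"])
    parent = _basename(event.get("parent_image", ""))
    cmd = event.get("command_line", "")

    # Rule 1: a Windows script host running a script from a user-writable location.
    if image in SCRIPT_HOSTS:
        m = SCRIPT_ARG.search(cmd)
        if m and USER_WRITABLE_DIRS.search(m.group(1)):
            hits.append("script_host_runs_downloaded_script")

    # Rule 2: PowerShell spawned by a script host (the Update.js -> PowerShell hand-off).
    if image in POWERSHELL and parent in SCRIPT_HOSTS:
        hits.append("script_host_spawns_powershell")
    return hits


def scan(events):
    """Return [(event_index, rule_name), ...] for every event matching at least one rule."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


# Constructed sample events: one fake-update chain followed by benign noise.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Update\Update.js"'},
    {"parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\alice\AppData\Local\Temp\stage2.ps1"},
    {"parent_image": r"C:\Windows\explorer.exe",  # admin script from a managed path: benign
     "image": r"C:\Windows\System32\cscript.exe",
     "command_line": r"cscript.exe C:\ProgramData\IT\inventory.vbs"},
    {"parent_image": r"C:\Windows\explorer.exe",  # user opening PowerShell themselves: benign
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Only the first two events fire: the script host launching a .js from Downloads, and PowerShell with wscript.exe as its parent. Rule 2 on its own is the higher-confidence signal, since interactive users rarely start PowerShell from a script host; Rule 1 is noisier and is best used to enrich or corroborate.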

Zyxel patches vulnerabilities in EoL NAS devices

Zyxel has released patches to address vulnerabilities in two network-attached storage (NAS) models in end-of-life status. The affected devices are Zyxel’s NAS326 models running version V5.21(AAZF.16)C0 and earlier and NAS542 models running version V5.21(ABAG.13)C0 and earlier.

There are five vulnerabilities addressed, three of which could allow an unauthenticated attacker to execute operating system commands and arbitrary code on affected devices. The vulnerabilities are as follows:

  • CVE-2024-29972: This command injection vulnerability in the CGI program “remote_help-cgi” in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.
  • CVE-2024-29973: This command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some OS commands by sending a crafted HTTP POST request.
  • CVE-2024-29974: This remote code execution vulnerability in the CGI program “file_upload-cgi” in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file to a vulnerable device.
  • CVE-2024-29975: This improper privilege management vulnerability in the SUID executable binary in Zyxel NAS326 and NAS542 devices could allow an authenticated local attacker with administrator privileges to execute some system commands as the “root” user on a vulnerable device.
  • CVE-2024-29976: This improper privilege management vulnerability in the command “show_allsessions” in Zyxel NAS326 and NAS542 devices could allow an authenticated attacker to obtain a logged-in administrator’s session information containing cookies on an affected device.

Zyxel recommends updating affected devices as soon as possible to avoid any potential exploitation by threat actors. There is currently no evidence that these vulnerabilities are being exploited in the wild.
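Where an asset inventory records the firmware string of each NAS, the affected range quoted above can be checked programmatically. The script below is an added example, not Zyxel's own tooling: it parses the version format shown in the advisory (e.g. "V5.21(AAZF.16)C0") and treats a device as affected when its major.minor and build number are at or below the ceiling for its model. The ordering rule (compare major, minor, then build; ignore the trailing C-revision) is an assumption about Zyxel's numbering, and the inventory entries, including the "AAZF.17" version, are constructed for the example.

```python
"""Check a device inventory against the affected-version ceilings quoted above.

Added example, not Zyxel's own tooling. It parses Zyxel firmware version
strings (e.g. "V5.21(AAZF.16)C0") and treats a device as affected when its
major.minor and build number are at or below the ceiling the advisory gives
for that model. The ordering rule (major, minor, then build; trailing
C-revision ignored) is an assumption about Zyxel's numbering, and the
inventory below is constructed for the example.
"""
import re

# Ceilings quoted in the advisory text: these versions and earlier are affected.
AFFECTED_CEILING = {
    "NAS326": "V5.21(AAZF.16)C0",
    "NAS542": "V5.21(ABAG.13)C0",
}

_VERSION = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


def parse_version(text):
    """Split 'V5.21(AAZF.16)C0' into (major, minor, code, build, revision)."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel version string: {text!r}")
    major, minor, code, build, rev = m.groups()
    return int(major), int(minor), code, int(build), int(rev)


def is_affected(model, version):
    """True if the model/version pair falls within the advisory's affected range."""
    if model not in AFFECTED_CEILING:
        return False  # not one of the two models named in the advisory
    major, minor, code, build, _ = parse_version(version)
    c_major, c_minor, c_code, c_build, _ = parse_version(AFFECTED_CEILING[model])
    if code != c_code:
        raise ValueError(f"{version!r} does not look like {model} firmware (expected {c_code})")
    return (major, minor, build) <= (c_major, c_minor, c_build)


def find_affected(inventory):
    """Return the hostnames of inventory entries still on an affected version."""
    return [d["host"] for d in inventory if is_affected(d["model"], d["version"])]


# Constructed inventory (hostnames and versions invented for the example).
SAMPLE_INVENTORY = [
    {"host": "nas-01", "model": "NAS326", "version": "V5.21(AAZF.16)C0"},  # at the ceiling: affected
    {"host": "nas-02", "model": "NAS326", "version": "V5.21(AAZF.17)C0"},  # above it: not affected
    {"host": "nas-03", "model": "NAS542", "version": "V5.20(ABAG.10)C0"},  # older release: affected
    {"host": "nas-04", "model": "NAS542", "version": "V5.21(ABAG.13)C0"},  # at the ceiling: affected
    {"host": "nas-05", "model": "NAS326", "version": "V5.21(AAZF.14)C0"},  # below: affected
]

if __name__ == "__main__":
    print("still affected:", ", ".join(find_affected(SAMPLE_INVENTORY)))
```

The code-letter check guards against a NAS542 build string being recorded against a NAS326 entry, which would otherwise compare silently. Devices that are end-of-life and cannot be updated are the ones this check is most useful for, since they will keep appearing in the affected list until they are replaced or isolated.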
