Healthcare service provider Kaiser Permanente disclosed a data security incident that may impact 13.4 million people in the United States. […] Read More
BleepingComputer
Hackers Weaponizing Vortax Meeting Software To Attack macOS Users
Threat actors abuse meeting-software applications and tools to slip through weak security controls, infiltrate otherwise secure environments and organizations, steal highly confidential information, and disrupt business operations.
Recorded Future’s Insikt Group has recently unveiled a long-running campaign aimed at macOS cryptocurrency users, conducted by the “markopolo” threat actor.
The purported virtual meeting software, Vortax, is a carrier for three potent infostealers: Rhadamanthys, Stealc, and Atomic macOS Stealer (AMOS).
The campaign marks an alarming increase in AMOS attacks and malicious apps that put macOS users at risk.
This large-scale attack demonstrates that the threat actor operates various malicious apps. The campaign is attributed to a threat actor known as “markopolo,” previously linked to infostealer campaigns targeting Web3 gaming projects.
The malicious Vortax app is primarily distributed through social media, where it is advertised as legitimate software.
Users are lured into downloading the application via phishing links and direct messages containing unique “Room IDs.” These Room IDs, when entered on the Vortax website, redirect users to download links that install the malware.
A previous campaign targeting Web3 gaming linked the actor to shared hosting and C2 infrastructure, which makes it agile in pivoting once detected.
This extensive credential-harvesting operation indicates that markopolo could be an initial access broker or dark-web “log vendor” on platforms such as Russian Market and 2easy Shop.
“Recorded Future analysis of the Vortax installers on Windows and macOS indicates that Vortax App Setup.exe and VortaxSetup.dmg deliver Rhadamanthys and Stealc, or AMOS, respectively.”
The broad effort to gather credentials illustrates how rapidly modern cyber threats can change and expand on platforms such as macOS when the demand increases.
For macOS, organizations need to improve their security posture by deploying strong monitoring and mitigation strategies that provide protection against these nimble and devastating attacks aimed at their digital ecosystem.
The recommended mitigations are:
Ensure AMOS detection systems are regularly updated to prevent infections.
Educate users on the risks of downloading unapproved software, especially from social media and search.
Implement strict security controls to prevent unlicensed software downloads.
Encourage reporting of suspicious activities encountered on social platforms.
Use robust intelligence to identify and mitigate macOS malware threats and analyze AMOS infrastructure.
Monitor technology stacks via custom watchlists for enhanced infostealer visibility.
Leverage proper credentials and brand monitoring for insights into compromised data.
Challenges in the cyber industry.
Simone Petrella sits down to talk with Monica Shokrai from Google at the mWISE 2023 Cybersecurity Conference about challenges in the industry from the company perspective, and what Google does with its own actuarial team to calculate its own risk. Ben has the story of a TikTok account that targets ordinary people using advanced facial recognition technology. Dave’s got the story of some of the information being publicly shared in the Google antitrust case. Read More
The CyberWire
LangChain JS Vulnerability Let Attackers Expose Sensitive Information
LangChain, an open-source framework that helps developers build applications powered by large language models (LLMs), offers libraries in both Python and JavaScript.
Recently, a 37-year-old cybersecurity researcher, Evren, identified a LangChain JS vulnerability that allows threat actors to expose sensitive information.
The vulnerability, classified as an Arbitrary File Read (AFR) issue, stems from improper input validation when handling user-supplied URLs.
By chaining this flaw with Server-Side Request Forgery (SSRF), an attacker could craft malicious URLs pointing to local files on the server, enabling them to read sensitive information they should not have access to.
These vulnerabilities can enable XSS attacks, which inject malicious code into victims’ browsers. Widely used JS libraries or frameworks with security flaws can also impact numerous sites simultaneously.
“The fact that this project has more than 11,000 stars and more than 380,000 weekly downloads shows its popularity and widespread use,” stated the security researcher who discovered the vulnerability. “I could not find any guidelines in the LangChain documentation indicating what measures should be taken when receiving a URL from a user, which in my personal opinion, poses a high risk.”
The researcher provided a proof-of-concept (PoC) code demonstrating how an attacker could leverage the vulnerability.
The vulnerability was reported to the LangChain team, who classified it as “Informative”. The team stated that LangChain JS utilizes the Playwright project in the background and that developers are responsible for its secure implementation.
However, the researchers noted that the LangChain documentation lacks clear guidelines on the precautions developers should take when receiving URLs from users, leading them to consider this vulnerability high-risk.
Threat actors can use this vulnerability to access files on the server without authorization, which helps expose sensitive data.
LangChain allows developers to easily use LLMs in Python or JavaScript for document analysis, summarization, conversational AI, and code analysis.
The recommended mitigations are:
Implement strict input validation so that every user-supplied URL is sanitized and validated before it is fetched.
Maintain an allowed domains list to restrict the URL fetching to only a specific set of domains that are marked as trusted.
Make sure to deny and block access to sensitive URL schemes such as file:// and ftp://, and any others that should not be reachable.
Network segmentation is a must, as this helps in limiting the access to internal network resources and services.
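As an added example (not LangChain’s own code, and not the researcher’s PoC), this is the kind of scheme-and-allowlist check the mitigations above describe, applied to a user-supplied URL before it is handed to a headless-browser loader; the allowlisted hosts are assumed values.

```javascript
// Constructed allowlist: the only hosts the loader may ever be pointed at.
const ALLOWED_HOSTS = new Set(["docs.example.com", "www.example.com"]);

const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Defence in depth: refuse loopback, link-local and RFC 1918 addresses even if
// someone later adds a raw IP to the allowlist by mistake.
function isPrivateOrLoopback(host) {
  const h = String(host).toLowerCase().replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  const m = IPV4.exec(h);
  if (m) {
    const a = Number(m[1]), b = Number(m[2]);
    return a === 10 || a === 127 || a === 0 || (a === 169 && b === 254) ||
           (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  }
  if (h.includes(":")) { // IPv6 literal
    return h === "::1" || h === "::" || h.startsWith("fc") || h.startsWith("fd") ||
           h.startsWith("fe80") || h.startsWith("::ffff:");
  }
  return false;
}

// Returns { ok: true, url } for an acceptable URL, otherwise { ok: false, reason }.
function validateFetchUrl(input) {
  let url;
  try { url = new URL(String(input)); } catch (e) { return { ok: false, reason: "unparseable URL" }; }
  // Only web schemes: file:, ftp:, data:, javascript: and friends are all refused.
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { ok: false, reason: "scheme not allowed: " + url.protocol };
  }
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  if (isPrivateOrLoopback(url.hostname)) return { ok: false, reason: "internal address" };
  if (!ALLOWED_HOSTS.has(url.hostname.toLowerCase())) {
    return { ok: false, reason: "host not in allowlist: " + url.hostname };
  }
  url.hash = ""; // canonicalise before handing it to the loader
  return { ok: true, url: url.toString() };
}
```

An allowlisted hostname can still resolve to an internal address (DNS rebinding), so the private-address check should also be repeated on the resolved IP at fetch time, and the loader process itself should sit in a segmented network as the last item above recommends.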