Astrix Security

From a single OAuth Phishing victim to a potential compromise of over 400,000 users 🚨 Have you come across Google’s new “Privacy Policy Extension” OAuth app? Hopefully not, as it was recently exploited in a phishing attack targeting CyberHaven - a cybersecurity company specializing in insider threat protection. Here’s what happened: A CyberHaven employee received a phishing email that led him to believe that without further actions, the CyberHaven Chrome extension will be taken off the Chrome Web Store. He then clicked on a link embedded in the mail, which led him to unknowingly authorize a malicious third-party Google OAuth Application and grant it access to his Chrome Web Store extensions. This allowed the threat actor to push a modified, malicious version of the CyberHaven Chrome extension. The extension collected the user's Facebook data - including access tokens and user IDs - and transmitted it to a command-and-control server. It is important to emphasize that the employee had all the standard "human identity" security features - MFA and Google Advanced protection - enabled, and neither kicked in to stop this attack. This is just one of many attacks from recent years that demonstrate how traditional security features are not enough to stop Non-Human Identity attacks. An NHI security tool could have at least alerted CyberHaven that they have a new OAuth App connected to their Google Workspace, giving them a chance to react to this threat before it caused significant impact. But it doesn't just end here: Following CyberHaven’s disclosure of the breach, researchers identified over 20 additional compromised Chrome extensions linked to the same indicators of compromise, all funneling user data to the malicious C&C - revealing this to be a major campaign. Some Chrome extensions were compromised over a year ago without detection. If the other extensions were compromised using the same method - OAuth phishing attack - this means that this entire campaign, which affected over 2,000,000 users, could have been averted if the developers had proper NHI defense mechanisms in place. OAuth phishing attacks are not new and have been present since at least 2019, making headlines in multiple cases. Notable examples include Microsoft warning users about malicious 365 OAuth apps in 2022 and earlier this year when GitHub developers were targeted by the malicious Gitloker OAuth App. Sources: https://lnkd.in/ds-kbxXx https://lnkd.in/dW463jU6 https://lnkd.in/dN9DyT9u

Today, rspack, a rust-based tool that helps speed up the process of preparing code for websites and apps, has announced a compromise to two of their packages - rspack/core and rspack/cli. The maintainers detected that an attacker has released a new version of the packages, 1.1.17 using a compromised NPM token, containing malicious code. As a response to the breach, the package maintainers revoked the token, removed the malicious package and committed to follow stricter token management protocols. Tokens have become the main target for attackers: the simplicity of use immediately granted access to anyone holding the token, and the fact that they are so often accidentally exposed and have excessive permissions makes it a no-brainer for threat actors to search for. Hopefully, the fast response time of the maintainers in this case restricted the blast radius of this attack, but we, as a community, cannot rely on this and must embrace better security around handling tokens.

Hackers hacked by hackers - leading to 400K stolen WordPress credentials In a recent attack targeting offensive security professionals, a threat actor known as MUT-1244 lured unsuspecting black and white hackers into downloading and running trojanized exploits for CVEs and other hacking tools in GitHub repos. As someone who uses these kinds of tools on a semi-regular basis (for educational purposes only 🙂) and received multiple antivirus alerts over some of those, this does not come as a surprise. This is only one of a few vectors used by MUT-1244 to deliver the same second-stage payload that exfiltrates AWS credentials, SSH private keys, and the terminal’s history. In addition, the payload backdoors the infected system to provide persistence and enable further attacks against it. This is where it gets interesting. One of the repositories, by the name YAWPP, contained a tool pretending to be a WordPress credential checker, stole those credentials (in addition to running the generic second-stage payload), leading to nearly 400,000 WordPress credentials being stolen. This campaign shows that no one, not even experienced security professionals, is invincible to mistakes. Credentials will always be prone to getting leaked and ending up in the hands of an attacker. Luckily, it is still possible to maintain relative security when using them, even when they do get leaked. This can be done by restricting their access and monitoring the identities behind those credentials for breaches and abuse. As a personal note, I urge offensive security practitioners to always read the exploits they are about to run, especially when they come from untrusted sources, both to prevent these kinds of attacks against them and to understand the attack they are performing (as part of a pentest or red-team operation) on a deeper level. https://lnkd.in/erwbTnSZ