Researchers at Trend Micro have found that GitHub Codespaces, a cloud-based IDE that GitHub made generally available to all of its users in November 2022, can be abused to create a trusted malware file server. The issue lies in Codespaces' ability to share forwarded ports publicly, a feature intended to let developers preview their running projects as an end user would:
“We investigated the services offered by this cloud IDE and found that one of its features for code development and collaboration – sharing forwarded ports publicly – can be abused by malicious actors to create a malware file server using a legitimate GitHub account. In the process, these abused environments will not be flagged as malicious or suspicious even as it serves malicious content (such as scripts, malware, and ransomware, among others), and organizations may consider these events as benign or false positives.”
The researchers explain that “attackers can easily abuse GitHub Codespaces in serving malicious content at a rapid rate by exposing ports publicly on their codespace environments.” Trend Micro also notes that they haven’t seen this technique used in the wild. For more on Codespaces abuse, see CyberWire Pro.
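Because the abused environment is a legitimate GitHub-hosted service, the most practical defensive control is to watch outbound web traffic for payload-style downloads from publicly forwarded Codespaces ports. The following Python is an added example, not code from Trend Micro or GitHub: it scans constructed proxy log lines and flags requests to forwarded-port hostnames, escalating when the response looks like an executable or script rather than a web-app preview. It assumes forwarded ports are exposed on hostnames of the form `<codespace>-<port>.app.github.dev` or `<codespace>-<port>.preview.app.github.dev`, and a seven-field proxy log layout; both are assumptions for illustration, and the log lines are constructed.

```python
"""Flag downloads from publicly forwarded GitHub Codespaces ports in a proxy log.

Added example, not Trend Micro's or GitHub's code. Assumptions:
  - forwarded-port URLs use hostnames shaped like
      <codespace>-<port>.app.github.dev  or  <codespace>-<port>.preview.app.github.dev
    (verify against your own traffic; GitHub may change the pattern)
  - proxy log fields: timestamp client method url status content_type bytes
The sample log lines below are constructed for this example.
"""
import re
from urllib.parse import urlparse

# Hostname pattern for a forwarded port (assumed shape, see module docstring).
FORWARDED_PORT_HOST = re.compile(
    r"^(?P<codespace>[a-z0-9-]+)-(?P<port>\d{1,5})(?:\.preview)?\.app\.github\.dev$"
)

# Response types / extensions that indicate a payload rather than a preview page.
SUSPICIOUS_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-dosexec",
    "application/x-sh",
    "application/zip",
}
SUSPICIOUS_EXT = (".exe", ".dll", ".ps1", ".sh", ".bat", ".msi", ".hta", ".vbs", ".zip")

# Constructed sample: one benign preview, two payload fetches, one unrelated request.
SAMPLE_LOG = """\
2023-01-17T10:02:11Z 10.0.5.23 GET https://octo-dev-abc123-3000.app.github.dev/ 200 text/html 5120
2023-01-17T10:03:40Z 10.0.5.23 GET https://octo-dev-abc123-8080.preview.app.github.dev/update.exe 200 application/octet-stream 2310144
2023-01-17T10:04:02Z 10.0.7.9 GET https://github.com/octo/repo 200 text/html 40000
2023-01-17T10:05:17Z 10.0.9.40 GET https://evil-space-zzz9-4443.app.github.dev/stage2.ps1 200 text/plain 1871
"""


def parse_line(line):
    """Split one proxy log line into a dict (assumed seven-field layout)."""
    ts, client, method, url, status, ctype, nbytes = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "content_type": ctype, "bytes": int(nbytes)}


def classify(entry):
    """Return a finding for a forwarded-port request, or None if the host is unrelated."""
    parsed = urlparse(entry["url"])
    match = FORWARDED_PORT_HOST.match(parsed.hostname or "")
    if not match:
        return None
    reasons = []
    if entry["content_type"] in SUSPICIOUS_TYPES:
        reasons.append("payload content-type " + entry["content_type"])
    if parsed.path.lower().endswith(SUSPICIOUS_EXT):
        reasons.append("payload extension on " + parsed.path)
    return {
        "ts": entry["ts"],
        "client": entry["client"],
        "codespace": match.group("codespace"),
        "port": int(match.group("port")),
        "url": entry["url"],
        # Any forwarded-port access is worth recording; payload indicators escalate it.
        "severity": "high" if reasons else "info",
        "reasons": reasons,
    }


def scan(log_text):
    """Run classify() over every non-empty log line and return the findings in order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = classify(parse_line(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']:4}] {f['ts']} {f['client']} -> "
              f"{f['codespace']} port {f['port']} {f['url']} {'; '.join(f['reasons'])}")
```

The point of the two-tier severity is the one Trend Micro makes: the hostname alone is a legitimate GitHub property, so treating every hit as malicious would drown a SOC in false positives from developers previewing their own work. Logging all forwarded-port access at "info" preserves the trail, while only executable or script downloads from a port nobody in the organisation opened are raised for triage.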
Abnormal Security released research this morning on phishing attacks purporting to come from internal HR departments with policy updates for the new year. The first, a payload-based credential phishing attack, claims to be from the victim's company Human Resources department and informs them of updates to their benefits package. The email asks the recipient to review an "updated handbook," which leads to a credential-harvesting login page imitating Microsoft. The second, a link-based attack, likewise posed as an internal HR email announcing a new employee handbook, with a link that directs to a credential-harvesting page. For more on HR-themed phishing, see CyberWire Pro.
Bitdefender has published a report looking at the prevalence of travel-themed phishing scams. The researchers found that 60% of all travel-themed emails sent between December 20th and January 10th were phishing attacks. Most of the attacks observed by Bitdefender targeted English-speaking users: “Particularly, spammers pushed their travel-themed lures on English-speaking recipients, with 53% of the correspondence targeting US inboxes. The US is followed by Ireland (10%), India (6%), the UK and South Africa (5% each), and Germany (4%).” For more on this form of social engineering, see CyberWire Pro.
SynSaber has published a report looking at industrial control system (ICS) vulnerabilities catalogued by the US Cybersecurity and Infrastructure Security Agency (CISA) in the second half of 2022. The researchers found that 35% of vulnerabilities disclosed in 2H 2022 don’t currently have a patch available, and 33% will require a firmware update. Additionally, 43% of vulnerabilities were discovered by security researchers rather than the equipment manufacturers. The researchers also note that 22% of the vulnerabilities “require local or physical access to the system in order to exploit (up from 23% during the first half of the year).” For more on recent ICS vulnerabilities, see CyberWire Pro.
The Guardian reports that Viktor Zhora, of Ukraine's State Service of Special Communications and Information Protection (SSSCIP), is visiting Britain's GCHQ this week. He said that Russian cyberattacks have tripled over the past year and continue at a high rate. Notably, he said that "in some cases, cyber-attacks supportive to kinetic effects" have been seen; that is, Ukraine sees signs that Russia is attempting to integrate cyber operations and information operations with missile strikes and action on the ground.
Mr. Zhora's remarks are consistent with a report his agency issued earlier this week, "Cyber Attacks, Artillery, Propaganda. General Overview of the Dimensions of Russian Aggression." The report stresses signs that Russian attempts at coordinated operations have increased, that Russian targeting has been not just indiscriminate, but directed against civilians, and that Russian cyber operations can amount to war crimes. The cyberattacks have generally been parried by Ukrainian defenses, but they remain an enduring threat. The report ends with a call for more international cooperation against cyberattacks, whether by Russia or other "authoritarian regimes," and notes the value of considering those states' military doctrine in forecasting their probable courses of action in cyberspace. It calls for international recognition of the ways in which cyber operations can constitute either crimes against peace or war crimes, and it urges an expansion and tightening of economic sanctions against Russia.
The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.
Today's issue includes events affecting the European Union, France, Germany, Israel, Morocco, the Netherlands, Poland, Russia, Ukraine, the United Kingdom, and the United States.