
Random in Security 202321


This post covers 2023-05-22 to 2023-05-29.

Interesting Reads

Typosquatting in NPM via capitalization

This article gives insight into a quite interesting variant of typosquatting on NPM: capitalization. Older NPM packages may contain uppercase letters, while newly created names must be lowercase, so someone could upload a package carrying the name of a popular package, but with all letters in lowercase. By comparison, PyPI and NuGet prevent anyone else from uploading a package with the same name regardless of the capitalization of its letters. The NPM security team promptly acknowledged and addressed the issue. Newly uploaded packages whose name conflicts with an existing one now receive the error message "Package name too similar to existing package".
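To make the registry-side check concrete, here is an added example (not code from the article and not npm's own implementation) of a "too similar" name check. It lowercases names as the article describes and, as an assumption that goes beyond the capitalization case, also ignores the punctuation characters ".", "-" and "_", so that "JSONStream", "jsonstream" and "json-stream" all collide. The list of "existing" registry names is constructed for the example; the `checkNewName` and `findLookalikes` functions are hypothetical names.

```javascript
// Added example, not from the article or from npm's code base.
// Constructed sample of names already in the registry. Old packages could
// carry uppercase letters; names created today must be lowercase.
const EXISTING = ["JSONStream", "lodash", "node-fetch", "Express"];

const TOO_SIMILAR = "Package name too similar to existing package";

// Canonical form: lowercase, with ".", "-" and "_" removed (assumption, see
// lead-in). Scoped names keep their scope so "@scope/foo" does not collide
// with a top-level "foo".
function canonicalName(name) {
  const m = /^(@[^/]+\/)?(.+)$/.exec(name);
  const scope = (m[1] || "").toLowerCase();
  const base = m[2].toLowerCase().replace(/[._-]/g, "");
  return scope + base;
}

// Registry-side decision for a publish request of `name`.
// Returns { ok: true } or { ok: false, reason, conflictsWith }.
function checkNewName(name, existing = EXISTING) {
  if (existing.includes(name)) {
    return { ok: false, reason: "Package name already exists", conflictsWith: name };
  }
  if (name !== name.toLowerCase()) {
    return { ok: false, reason: "New package names must be lowercase", conflictsWith: null };
  }
  const wanted = canonicalName(name);
  const clash = existing.find((e) => canonicalName(e) === wanted);
  if (clash) {
    return { ok: false, reason: TOO_SIMILAR, conflictsWith: clash };
  }
  return { ok: true, reason: null, conflictsWith: null };
}

// Client-side counterpart for a dependency review: report dependencies whose
// canonical form matches a well-known package while the spelling differs,
// i.e. candidate capitalization or punctuation squats.
function findLookalikes(deps, wellKnown = EXISTING) {
  const byCanon = new Map(wellKnown.map((n) => [canonicalName(n), n]));
  return deps
    .filter((d) => !wellKnown.includes(d))
    .map((d) => ({ dep: d, lookalikeOf: byCanon.get(canonicalName(d)) || null }))
    .filter((r) => r.lookalikeOf !== null);
}

// Stand-alone demo: the squat of JSONStream is rejected, a fresh name passes.
console.log(checkNewName("jsonstream"));
console.log(checkNewName("left-pad"));
console.log(findLookalikes(["lodash", "jsonstream", "express"]));
```

`findLookalikes` is the check worth running in CI over a lockfile: it reports `jsonstream` as a lookalike of `JSONStream` even though both names are syntactically valid, which is exactly the case the article describes.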

Just why .zip TLD?

Google Registry announced eight new top-level domains (TLDs) in May 2023: .dad, .phd, .prof, .esq, .foo, .zip, .mov, and .nexus. Two of them collide with well-known file extensions, and users already have a firm idea of what ".zip" means. In his article Bobby Rauch points out the dangers of the .zip TLD: adversaries can exploit this ambiguity to mislead users about where a link really leads. Citizen Lab's John Scott-Railton recommends blocking the newly introduced TLDs.

Evil (the slashes are U+2215 DIVISION SLASH lookalikes rather than "/", and the "@" turns everything before it into userinfo, so the host the browser actually connects to is v1271.zip):
https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip

Legitimate (the host is github.com and ".zip" is only the file name at the end of the path):
https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip
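The following added example (not from Bobby Rauch's article or from this post) feeds the two URLs above through the WHATWG URL parser that Node.js ships and shows what a browser would really connect to, then flags the three tricks the evil one relies on. The evil string is reconstructed from the page with the lookalike slash written as an explicit `\u2215` escape; the list of suspicious TLDs and the function names `classifyUrl` and `isSuspicious` are assumptions for this example.

```javascript
// Added example, not code from the article or the page.
// U+2215 DIVISION SLASH, U+2044 FRACTION SLASH, U+FF0F FULLWIDTH SOLIDUS and
// U+29F8 BIG SOLIDUS all render like "/" but are not path separators to a parser.
const LOOKALIKE_SLASH = /[\u2215\u2044\uFF0F\u29F8]/;

// TLDs that double as file extensions; a local blocklist in the spirit of
// Scott-Railton's recommendation (assumption: extend to taste).
const FILE_EXTENSION_TLDS = new Set(["zip", "mov"]);

// The page's two URLs. EVIL contains no ASCII "/" after "https://", so the
// whole remainder is the authority and the "@" splits it into userinfo + host.
const EVIL =
  "https://github.com\u2215kubernetes\u2215kubernetes\u2215archive\u2215refs\u2215tags\u2215@v1271.zip";
const LEGIT = "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip";

// What the browser would connect to, plus the red flags found in the string.
function classifyUrl(raw) {
  const u = new URL(raw);
  const tld = u.hostname.split(".").pop().toLowerCase();
  return {
    host: u.hostname,
    // Anything before "@" in the authority is userinfo, never the host.
    hasUserinfo: u.username !== "" || u.password !== "",
    lookalikeSlash: LOOKALIKE_SLASH.test(raw),
    fileExtensionTld: FILE_EXTENSION_TLDS.has(tld),
  };
}

// Conservative verdict for a link-scanning hook: any single red flag is enough.
function isSuspicious(raw) {
  const c = classifyUrl(raw);
  return c.hasUserinfo || c.lookalikeSlash || c.fileExtensionTld;
}

// Stand-alone demo.
console.log("evil  ->", classifyUrl(EVIL));
console.log("legit ->", classifyUrl(LEGIT));
```

The parsed result is the point: the evil URL's `hostname` comes back as `v1271.zip`, while the legitimate one resolves to `github.com`. Matching on the visible text of a link is therefore not enough; a mail or chat filter should parse the URL and look at the host it yields.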

FinFisher managers indicted

German prosecutors have indicted four former managers of FinFisher. They are accused of having sold surveillance technology to the Turkish secret service without an export permit. The investigation goes back to a criminal complaint filed by Netzpolitik.org, Gesellschaft für Freiheitsrechte, Reporter ohne Grenzen and the European Center for Constitutional and Human Rights.

Python Software Foundation (PSF) subpoenaed for PyPI user data

PyPI seems to be having a hard time recently: a lot of malicious packages are being uploaded (1, 2), and the GPG signing of uploads appears to be more cosmetic than security-relevant (1). Still, the PSF is also doing some things really well, judging by this blog article.

The United States Department of Justice subpoenaed the PSF and requested information on five PyPI users. The subpoenas were not accompanied by a non-disclosure order, so the PSF published the post as a matter of transparency. In it they describe what information PyPI stores about its users and what was handed over. The article also implies that the PSF received more subpoenas than are explicitly discussed.

Tools

  • pry0cc/axiom - The dynamic infrastructure framework for everybody! Distribute the workload of many different scanning tools with ease, including nmap, ffuf, masscan, nuclei, meg and many more!
  • guelfoweb/knock - Knock Subdomain Scan
  • lc/gau - Fetch known URLs from AlienVault’s Open Threat Exchange, the Wayback Machine, and Common Crawl
  • WKL-Sec/GregsBestFriend - GregsBestFriend process injection code created from the White Knight Labs Offensive Development course
  • MythicAgents/zippy - WIP: A "trainer" agent which is great for showing customers a nice fake "ransom" screen. Requires the target machine to have a head (display), since Godot currently requires OpenGL 2.1 support
  • hazcod/ransomwhere - A PoC ransomware sample to test out your ransomware response strategy