After completing the form, the system will prompt you to select a meeting time.
On our first call, we will determine whether and how we can help. From there, we discuss your current state under the protection of a non-disclosure agreement and craft a tailored plan to move you and your company forward. Last, we carry out that plan together in a way that saves you time, money, and stress.
There is a prolonged and organized cyber campaign aimed at compromising the NuGet package manager. This campaign, which began in August 2023, is characterized by the deployment of a large number of malicious NuGet packages. The threat actors involved have displayed a high level of sophistication, adapting their tactics over time. Initially, they relied on basic downloaders in install scripts, but they have since transitioned to exploiting NuGet’s MSBuild integrations. This shift in strategy indicates a significant level of technical proficiency and persistence on the part of the attackers.
Attack Vector
The attack vector employed by the threat actors centers around a technique known as “typosquatting.” This method involves creating packages with names that closely resemble popular and trusted ones. This can easily deceive developers who might not notice the subtle differences. Furthermore, the attackers have opted for an unconventional approach by placing their malicious code inside the <packageID>.targets file, located in the “build” directory. Typically, such code is found in initialization and post-installation PowerShell scripts. This deviation from the norm adds an extra layer of obscurity, making it harder for traditional security measures to detect the threat.
Attack Details
Within this campaign, the attackers have implemented a specific sequence of operations. The malicious code embedded within the .targets file is responsible for the download and execution of an executable from a remote location. This action is facilitated by the presence of MSBuild integrations, a feature introduced in NuGet version 2.5. These integrations permit the execution of executable code contained in inline tasks. By leveraging this capability, the attackers can run their malicious code in a manner that doesn’t immediately trigger conventional security alarms.
Tactics, Techniques, and Procedures (TTPs)
T1189 - Drive-by compromise
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token.
T1035 - Service Execution
Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation.
T1105 – Ingress Tool Transfer
Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).
T1027 - Obfuscated Files or Information
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
T1564.001 - Hide Artifacts: Hidden Files and Directories
Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS).
CyberWatch, by Access Point Consulting, is your weekly source for emerging cybersecurity news, regulatory updates, and threat intelligence. Backed by experts in security consulting, regulatory compliance, and security operations, Access Point enables you to manage cyber risks, respond to incidents, and drive innovation in your company. Read here or on our website; listen on Spotify or Apple Podcasts; or watch on YouTube.website; listen on Spotify or Apple Podcasts; or watch on YouTube.
.
As Cybersecurity Awareness Month winds down, we're pleased to share one last feature from Pierre Reed, the Chief of Staff at Access Point Consulting. He explores the importance of fostering a security awareness culture within organizations. Discover how building this culture can empower your team to better protect against cyber threats.
Ethical hacking has become an essential response to an IT industry kept on its toes by a spectrum of bad actors with malicious intent. This article introduces two prominent methodologies that help the good guys fight back: penetration testing (pen-testing) and red teaming. Learn more here.
Host Geoff Hancock was joined by guests Mike Rush, Director of Threat Intelligence at Access Point Consulting; and Evie Manning, Senior Director of Threat Hunting and Intelligence at Access Point Consulting. Together, they talked about cyber threat intelligence and the applications that can make it work for small and medium-sized businesses.
CyberWatch, by Access Point Consulting, is your weekly source for emerging cybersecurity news, regulatory updates, and threat intelligence. Backed by experts in security consulting, regulatory compliance, and security operations, Access Point enables you to manage cyber risks, respond to incidents, and drive innovation in your company. Read here or on our website; listen on Spotify or Apple Podcasts; or watch on YouTube.website; listen on Spotify or Apple Podcasts; or watch on YouTube.
.
In the age of smart cars and connected devices, convenience often comes with hidden risks. A recently discovered critical vulnerability in Kia vehicles serves as a stark reminder of how our increasingly digital world is making cars new targets for cyberattacks. This vulnerability allowed hackers to remotely control various vehicle functions—using nothing more than a car's license plate number. It highlights the growing threat of cyberattacks on connected cars and the importance of cybersecurity in the automotive industry.
CVE-2024-28995
SolarWinds has issued a critical update for a zero-day vulnerability in its Serv-U MFT Server, allowing attackers to bypass security and access restricted files without authentication. Actively exploited, this flaw poses a significant risk for businesses that delay applying the fix.
.webp)
.png)
