| Github | https://github.com/odony |
| https://twitter.com/odony |
Exploitation was the primary entry method into orgs, although it declined slight YoY due to the rise of infostealers.
Three of the four most exploited vulns were zero days, all were in cybersecurity products (Palo-Alto, Ivanti Connect Secure, Ivanti Policy Secure and Fortinet). In most of the cases documented, it was ransomware groups running rings around security vendors, ie the security vendors were the cause of the victims woes due to defective products.
Ten npm packages were suddenly updated with malicious code yesterday to steal environment variables and other sensitive data from developers' systems.
Expect many more of these. VSCode is an absolute security trash fire, MS Security needs to have a word with MS.
- It installs as non-admin
- There are no security controls *at all* around marketplace access
- addons update automatically and are required
- No vetting
- Blue tick verification just needs any domain name
- Source code link on addons doesn’t need to match the addons
- Allows RCE by design
- The marketplace is absolutely riddled with malware
Background blogs on VSCode extensions, which the author didn’t link together and basically struggled to communicate the issue widely, but the issues are definitely there.
Part 1 https://medium.com/@amitassaraf/the-story-of-extensiontotal-how-we-hacked-the-vscode-marketplace-5c6e66a0e9d7
Part 2 https://medium.com/extensiontotal/2-6-exposing-malicious-extensions-shocking-statistics-from-the-vs-code-marketplace-cf88b7a7f38f
Part 3 https://medium.com/extensiontotal/3-6-uncovering-design-flaws-in-the-visual-studio-code-marketplace-ea1d8e8b0171
Part 4 https://medium.com/extensiontotal/4-6-introducing-extensiontotal-how-to-assess-risk-in-vs-code-extensions-3ac5bfd83fb1
Part 5 https://medium.com/extensiontotal/5-6-breaking-the-internet-the-aftermath-of-our-research-2dee0a1e2498
Part 6 https://medium.com/extensiontotal/6-6-uncover-hidden-risks-cisos-guide-to-using-extensiontotal-api-for-your-organization-59fee46e6369
Follow up https://medium.com/extensiontotal/vscode-extension-trivia-real-or-cake-f729adc9e03e
30 minutes. 30 minutes is how long it took us to develop, publish, and polish a Visual Studio Code (The most popular IDE on the planet with over 15m monthly users) extension that changes your IDE’s…
me, 2020: "it's going to be really funny when Google discontinues search"
you, my followers: "lol amy you're so cynical"
google, 2024:
https://www.vincentschmalbach.com/google-now-defaults-to-not-indexing-your-content/
I'm watching some folks reverse engineer the xz backdoor, sharing some *preliminary* analysis with permission. The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system(). It's RCE, not auth bypass, and gated/unreplayable. [contains quote post or other embedded content]
I was doing some micro-benchmarking at the time, needed to quiesce the system to reduce noise. Saw sshd processes were using a surprising amount of CPU, despite immediately failing because of wrong usernames etc. Profiled sshd, showing lots of cpu time in liblzma, with perf unable to attribute it to a symbol. Got suspicious. Recalled that I had seen an odd valgrind complaint in automated testing of postgres, a few weeks earlier, after package updates.
Really required a lot of coincidences.
Kevin Beaumont
BleepingComputer
securityaffairs
bert hubert 🇺🇦🇪🇺🇺🇦
Odoo Community Association
★ Amy Star ★
AndresFreundTec