Welcome to the Weekly Security Bulletins, end-of-August edition.
We have some Ruby gems to worry about this week. A developer from Finland discovered malicious code in the Ruby gem "rest-client", which had been modified and released a week earlier. The attacker gained access to the maintainer's account because the maintainer had reused a password across sites and it had been leaked in an unrelated breach; the attacker then modified the gem and added custom code to exfiltrate user credentials. Several releases (v1.6.10 through v1.6.13) of the compromised package were published, and they, along with other compromised gems, have been removed from the RubyGems repository.
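As an added example (not code from the bulletin or from the rest-client project), the following Ruby script scans a Gemfile.lock for the release range named above so a CI job can flag a pinned compromised version before `bundle install` runs. The affected-version table and the sample lockfile are constructed for illustration.

```ruby
require "rubygems"

# Hypothetical table of affected releases, not from any project: the
# bulletin names rest-client v1.6.10 through v1.6.13 as the compromised range.
COMPROMISED = {
  "rest-client" => Gem::Requirement.new(">= 1.6.10", "<= 1.6.13"),
}.freeze

# Constructed sample Gemfile.lock for demonstration (not a real project file).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mime-types (3.3)
      rest-client (1.6.12)
        mime-types (>= 1.16, < 4.0)
      rake (13.0.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    rest-client
LOCK

# Return {gem_name => version_string} for every resolved gem in the lockfile.
# Resolved gems sit at exactly four spaces of indent under "specs:"; the
# six-space lines beneath them are dependency constraints, not pinned versions.
def parse_lockfile(text)
  resolved = {}
  in_specs = false
  text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
    elsif line.strip.empty? || line =~ /\A[A-Z]/
      in_specs = false # a blank line or the next section header ends specs
    elsif in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      resolved[m[1]] = m[2]
    end
  end
  resolved
end

# Return the subset of resolved gems whose pinned version falls inside a
# known compromised range.
def compromised_gems(text)
  parse_lockfile(text).select do |name, version|
    req = COMPROMISED[name]
    req && req.satisfied_by?(Gem::Version.new(version))
  end
end

compromised_gems(SAMPLE_LOCK).each do |name, v|
  warn "#{name} #{v} is a known compromised release"
end
```

Point the script at a real lockfile by replacing SAMPLE_LOCK with `File.read("Gemfile.lock")`, and have the CI step fail when the returned hash is non-empty.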
Cisco has released several vulnerability updates, six of which are rated critical. Notably, two of the vulnerabilities allow arbitrary code execution without authentication, in some cases as root. Cisco also mentioned a few other authentication bypass vulnerabilities.
Palo Alto Networks, in collaboration with ICANN and various domain registrars, has done an extensive study on the use of newly registered domains (NRDs) for malicious purposes. The study suggests that more than 70% of newly registered domains are malicious or suspicious. These domains are generally short-lived, ranging from a few hours to a couple of days! Further analysis of the data indicates that the top 3 TLDs for malicious NRDs are “.to”, “.ki”, and “.nf”, with “.to” leading the chart at a whopping 95% of its NRDs being malicious. This shows the importance of blocking such domains as a preventive security measure for enterprises.
ReversingLabs, in a recent article, reported a malicious package named bb-builder on npm. They found it during the enormous task of scanning all npm packages, more than 9 million in count. The package was found to contain Windows executables that would steal passwords from the systems it was installed on. It is another example of the supply chain attacks that are becoming popular nowadays. The likely intention of the attacker was to cause confusion among users searching for the bb-build project. Luckily, only a few people downloaded the malicious package, thereby limiting the damage.
GitHub, the world's leading software development platform, announced that it will support the WebAuthn standard. This means that GitHub supports physical security keys via popular web browsers across various desktop and mobile operating systems. It also has an option to use your own device as a security key with Windows Hello, Apple Touch ID or Android fingerprint readers.