Welcome back to this week's security bulletin!
Have you ever heard about the "typosquatting" attack? Typosquatting is a common type of attack in which an attacker deliberately uploads a misspelled copy of a legitimate package (for example, djanga instead of django) in the hope that an unsuspecting user mistypes the name and downloads the malicious package instead of the legitimate one. It is reported that 700 malicious packages (gems) were available in the popular open-source RubyGems repository.
RubyGems is one of the popular package managers that makes it easy for developers to distribute, manage, and install Ruby programs and libraries. This new attack targets Ruby developers who work on Windows systems and make cryptocurrency transactions. Some of the packages were designed explicitly to steal funds by redirecting cryptocurrency transactions to the attacker's wallet.
Researchers found several packages such as "atlas-client" posing as the "atlas_client" gem, which contains an executable masquerading as an image file (aaa.png). While the gem is being installed, the image file aaa.png is renamed to a.exe, which runs a VBScript that captures the victim's clipboard data. If the clipboard data matches a cryptocurrency wallet address, it replaces the address with the attacker's alternative ("1JkU5XdNLji4Ugbb8agEWL1ko5US42nNmc"). In this way, attackers can redirect all transactions to their wallets.
Dear Ruby developers, it's time to crosscheck all of your gems to find out whether you accidentally downloaded a typosquatted version.
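One way to do that crosscheck, as an added example that is not part of the original bulletin: a small Ruby script that parses the top-level gem names out of a Gemfile.lock and flags any name that is not on a trusted list but is a near-match for one (hyphen/underscore swaps like atlas-client vs atlas_client, or a single-character edit). The trusted list and the lockfile text below are constructed for the example; in a real project you would build the trusted list from the gems you actually intend to depend on and read the real Gemfile.lock (or `Gem::Specification.map(&:name)` for everything installed in the environment).

```ruby
# Added example: flag installed gem names that look like typosquats of
# trusted names. The TRUSTED list and LOCKFILE_SAMPLE are constructed
# sample data, not taken from any real project.

TRUSTED = %w[rails atlas_client nokogiri rake rspec].freeze

# Constructed Gemfile.lock excerpt. Top-level specs are indented by
# exactly four spaces; their transitive dependencies by six.
LOCKFILE_SAMPLE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      atlas-client (0.0.2)
      nokogiri (1.10.9)
        mini_portile2 (~> 2.4.0)
      rake (13.0.1)
      rspecc (0.1.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    atlas-client
    nokogiri
    rake
    rspecc
LOCK

# Pull only the four-space-indented "name (version)" lines, i.e. the
# gems resolved at the top level of the GEM specs section.
def gem_names_from_lockfile(text)
  text.scan(/^ {4}(\S+) \([^)]+\)$/).flatten
end

# Collapse separators and case so "atlas-client", "atlas_client" and
# "Atlas.Client" all compare equal.
def normalize(name)
  name.downcase.tr('-_.', '')
end

# Standard edit distance (insert/delete/substitute, cost 1 each).
def levenshtein(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    curr = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      curr << [prev[j] + 1, curr[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = curr
  end
  prev.last
end

# Returns [[suspicious_name, trusted_name_it_resembles], ...].
# Names that are exactly trusted are skipped; names that resemble no
# trusted gem are merely unknown, not typosquats, and are not reported.
def suspicious_gems(installed, trusted)
  installed.reject { |g| trusted.include?(g) }.map do |g|
    match = trusted.find do |t|
      normalize(t) == normalize(g) || levenshtein(g, t) <= 1
    end
    [g, match] if match
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  names = gem_names_from_lockfile(LOCKFILE_SAMPLE)
  suspicious_gems(names, TRUSTED).each do |bad, good|
    puts "SUSPICIOUS: #{bad} looks like #{good}"
  end
end
```

A distance threshold of 1 keeps false positives low for short names; for a large dependency tree you may want to raise it slightly for long names and review the hits by hand rather than treating the output as a verdict.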
Google has removed 49 Chrome extensions from websites that steal digital currency and sensitive information. You can find the list of these 49 browser add-ons here; researchers from MyCrypto and PhishFort identified them.
These extensions are designed to steal seed phrases, Keystore files, and private keys. When the user enters them, the extension sends an HTTP POST request to its backend, and in this way the attacker gets the wallet details and empties the wallet.
It's recommended to file a report at CryptoScamDB if you suspect you have become a victim of a malicious browser extension and lost funds.
Microsoft has released patches on April 2020 Patch Tuesday. There are 113 new security vulnerabilities, 17 of which are critical and 96 rated outstanding in severity, and patches for all of them are available now.
Two of the security flaws were already known to the public, and three are being exploited by attackers. One of the publicly disclosed flaws is in the Adobe Font Manager Library, tracked as CVE-2020-1020. It's a remote code execution vulnerability on all systems except Windows 10. An attacker who successfully exploited the vulnerability could execute code remotely. On Windows 10, an attacker who successfully exploited the vulnerability could execute code only in an AppContainer sandbox context with limited capabilities and privileges. An attacker could then view, change, or delete data, install programs, or create new accounts with full user rights.
The second one is also a remote code execution flaw, CVE-2020-0938, which resides in the Adobe Font Manager Library. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or to view it in the Windows Preview pane.
It is highly recommended to patch all Windows systems to keep attackers out. You can get the latest Windows updates by navigating to Settings → Update & Security → Windows Update → Check for updates on your PC, or you can install the updates manually.