InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Developers have discovered a backdoor in the Codecov bash uploader. It's been there for four months. We don't know who put it there.
Codecov said the breach allowed the attackers to export information stored in its users' continuous integration (CI) environments. "This information was then sent to a third-party server outside of Codecov's infrastructure," the company warned.
Codecov's Bash Uploader is also used in several other uploaders (the Codecov-actions uploader for GitHub, the Codecov CircleCI Orb, and the Codecov Bitrise Step), and the company says these uploaders were also impacted by the breach.
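The uploader was a script fetched from the vendor and piped into bash on every CI run, so a modified copy ran with the job's full environment. The usual mitigation is to pin the script's checksum and refuse to execute anything that does not match. The following is an added example, not Codecov's own code; it assumes the pinned digest was obtained out of band (for instance from a checksum file published separately by the vendor), and the stand-in uploader it verifies is constructed here for the demo.

```shell
#!/bin/sh
# Added example, not Codecov's code: pin the SHA-256 of a CI helper script that
# would otherwise be fetched and piped straight into bash, and refuse to run it
# when the digest does not match. The pinned value is assumed to come from a
# trusted, out-of-band source (e.g. a vendor-published checksum file).

# sha256_of FILE -> prints the hex SHA-256 digest (GNU coreutils or BSD/macOS tools)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED -> status 0 when the digest matches, 1 otherwise
verify_script() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    printf 'refusing to run %s: expected %s, got %s\n' "$1" "$2" "$actual" >&2
    return 1
}

# run_verified FILE EXPECTED -> executes FILE only after verify_script succeeds
run_verified() {
    verify_script "$1" "$2" || return 1
    sh "$1"
}

# Constructed demo: a stand-in uploader script, then the same file after a line
# has been appended to it, which is what an unreviewed modification looks like
# to the digest check.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '#!/bin/sh' 'echo "uploading coverage report"' > "$dir/uploader.sh"
    pinned=$(sha256_of "$dir/uploader.sh")      # the digest the CI job pins
    run_verified "$dir/uploader.sh" "$pinned"   # matches: the script runs

    printf '%s\n' 'echo "line appended after the pin was taken"' >> "$dir/uploader.sh"
    run_verified "$dir/uploader.sh" "$pinned" || echo "blocked modified uploader"
    rm -rf "$dir"
}

demo
```

Pinning a digest only helps if the pin itself is updated through a reviewed change; re-fetching the checksum from the same server that serves the script defeats the purpose, because whoever altered the script can alter the published digest too.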
Unknown attackers hacked the official Git server of the PHP programming language and pushed unauthorized updates to insert a backdoor into the source code.
On March 28, the attackers pushed two commits to the "php-src" repository hosted on the git.php.net server, using the accounts of Rasmus Lerdorf, PHP's author, and JetBrains developer Nikita Popov.
Maintainers of the project are investigating the supply chain attack; they believe the attackers compromised the git.php.net server itself.
"We don't yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account)," wrote Popov. "While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net."
The PHP maintainers reverted the changes and are reviewing the repositories for any other evidence of compromise beyond the two referenced commits.
In the future, in order to access the repositories, users will need to be members of the php organization on GitHub and have 2FA enabled on their account. With this configuration, pull requests can be merged directly from the GitHub web interface.
At this time, it is not immediately clear if the backdoor was downloaded and distributed by other parties before the malicious commits were detected.
It was a pirated and malware-tainted version of Apple's Xcode development app that worked in a devious way.
You may be wondering, as we did back in 2015, why anyone would download and use a pirated version of Xcode.app when the official version is available as a free download anyway.
Nevertheless, this redistributed version of Xcode seems to have been popular in China at the time, perhaps simply because it was easier to acquire the "product", which is a multi-gigabyte download, directly from fast servers inside China.
The hacked version of Xcode would add malware into iOS apps when they were compiled on an infected system, without infecting the source code of the app itself.
The implanted malware was buried in places that looked like Apple-supplied library code, with the result that Apple let many of these booby-trapped apps into the App Store, presumably because the components compiled from the vendor's own source code were fine.
As we said at the time, "developers with sloppy security practices, such as using illegally-acquired software of unvetted origin for production builds, turned into iOS malware generation factories for the crooks behind XcodeGhost."
As you probably know, this sort of security problem is now commonly known as a supply chain attack, in which a product or service that you assumed you could trust turns out to have had malware inserted somewhere along the way.
The username and password (zyfwp/PrOw!aN_fXp) were visible in one of the Zyxel firmware binaries.
More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to devices via either the SSH interface or the web administration panel.
The backdoor account, discovered by a team of Dutch security researchers from Eye Control, is considered as bad as it gets in terms of vulnerabilities.
Device owners are advised to update systems as soon as time permits.
Security experts warn that anyone from DDoS botnet operators to state-sponsored hacking groups and ransomware gangs could abuse this backdoor account to access vulnerable devices and pivot into internal networks for additional attacks.
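Because the account and its password are baked into the firmware, they cannot be rotated; until the patch is applied, the practical control is to watch for any authentication by that account name. The following is an added example, not code from Zyxel or the Eye Control researchers. The log lines are constructed in OpenSSH "sshd" syslog format for illustration; the format the appliances actually emit is an assumption here, and the awk pattern should be adjusted to match real device logs.

```shell
#!/bin/sh
# Added example, not from Zyxel or the researchers: flag authentication events
# for the hardcoded account named in the report. Input is syslog-style sshd
# lines on stdin (constructed here; the real appliance log format is an
# assumption). Handles both "Accepted/Failed password for USER from IP" and the
# "Failed password for invalid user USER from IP" variant.

BACKDOOR_USER="zyfwp"   # account name from the report

# flag_backdoor_auth: print "<result> <user> <src>" for each password
# authentication attempt by the backdoor account found on stdin
flag_backdoor_auth() {
    awk -v u="$BACKDOOR_USER" '
        /(Accepted|Failed) password for / {
            user = ""; src = ""; result = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted" || $i == "Failed") result = $i
                # "for invalid user NAME" puts the name two fields further on
                if ($i == "for") user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
                if ($i == "from") src = $(i+1)
            }
            if (user == u) print result, user, src
        }'
}

# count_backdoor_auth: total password attempts by the backdoor account on stdin
count_backdoor_auth() {
    flag_backdoor_auth | wc -l | tr -d ' '
}

# count_backdoor_success: successful logins by the backdoor account on stdin
count_backdoor_success() {
    flag_backdoor_auth | awk '$1 == "Accepted"' | wc -l | tr -d ' '
}

# Constructed sample log (documentation IP ranges, invented timestamps)
SAMPLE_LOG='Jan  3 10:02:11 fw1 sshd[1234]: Accepted password for zyfwp from 203.0.113.7 port 51234 ssh2
Jan  3 10:02:15 fw1 sshd[1240]: Failed password for admin from 198.51.100.5 port 40000 ssh2
Jan  3 10:02:40 fw1 sshd[1244]: Failed password for invalid user zyfwp from 203.0.113.9 port 51240 ssh2
Jan  3 10:03:01 fw1 sshd[1250]: Accepted password for zyfwp from 203.0.113.9 port 51241 ssh2
Jan  3 10:04:12 fw1 sshd[1260]: Accepted publickey for ops from 192.0.2.10 port 42000 ssh2'

printf '%s\n' "$SAMPLE_LOG" | flag_backdoor_auth
echo "attempts: $(printf '%s\n' "$SAMPLE_LOG" | count_backdoor_auth)"
echo "successful: $(printf '%s\n' "$SAMPLE_LOG" | count_backdoor_success)"
```

Any hit at all is significant: the account has no legitimate use, so a single successful login is grounds to treat the device and the network segment behind it as compromised, not just to block the source address. Logins through the web administration panel mentioned in the report would need an equivalent rule over the HTTP access log.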