New ‘Trojan Source’ Technique Allows Hackers to Conceal Vulnerabilities in Source Code

November 1, 2021

A new class of vulnerabilities has emerged that lets threat actors plant code which reads as benign to a human reviewer but compiles to something other than what it appears to do. Known as “Trojan Source attacks,” the method exploits nuances in text-encoding standards such as Unicode, so that the order in which source code tokens are stored (and parsed by the compiler) differs from the order in which they are displayed. The result is vulnerabilities that evade detection by human reviewers, according to researchers Nicholas Boucher and Ross Anderson of Cambridge University, who outlined the findings in a recent paper. The vulnerabilities, tracked as CVE-2021-42574 and CVE-2021-42694, affect compilers for many widely used programming languages, including C, C++, C#, JavaScript, Java, Rust, Go, and Python. Compilers are the tools that convert high-level, human-readable code into executable machine code.

New ‘Trojan Source’ Technique Enables Hackers to Conceal Vulnerabilities in Code

On November 1, 2021, researchers at Cambridge University unveiled a concerning development in cybersecurity: a technique known as “Trojan Source attacks.” This novel class of vulnerabilities allows threat actors to insert source code that looks correct and harmless to a reviewer while compiling to logic the reviewer never saw. As a result, organizations face increased risk, particularly regarding first-party software and supply chain security.

The essence of Trojan Source attacks lies in their exploitation of nuances within text-encoding standards such as Unicode. By making the logical order of code tokens, which is what the compiler reads, differ from the order an editor or diff viewer displays, attackers can create vulnerabilities that evade detection by human reviewers. This poses a significant challenge even for the most vigilant code auditors, who see only the rendered text and may never notice the discrepancy.

Two specific vulnerabilities have been identified and cataloged as CVE-2021-42574 and CVE-2021-42694. They pose risks to compilers for widely used programming languages, including C, C++, C#, JavaScript, Java, Rust, Go, and Python. Because compilers are the intermediary that converts high-level, human-readable code into lower-level machine instructions, these vulnerabilities matter across a broad range of software development environments.
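As an added example (not code from the Cambridge paper, from this article, or from any compiler project), the following Python scanner implements the check a review pipeline would want for the two mechanisms named above: it flags Unicode bidirectional control characters, which are what CVE-2021-42574 abuses to make the displayed order of tokens differ from the parsed order, and identifiers that mix letters from more than one script, which is the homoglyph variant tracked as CVE-2021-42694. The constructed C sample, the script heuristic based on Unicode character names, and the function names are assumptions of this example.

```python
"""Scan source text for the two Unicode tricks behind Trojan Source.

Constructed example: not code from the Cambridge paper or from any project.
"""
import re
import sys
import unicodedata
from dataclasses import dataclass

# Bidirectional formatting characters (Unicode Bidi_Control set). Any one of
# these inside a comment or string literal can make the rendered token order
# differ from the order the compiler parses (CVE-2021-42574).
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# Rough identifier pattern: a letter or underscore followed by word characters.
IDENT_RE = re.compile(r"[^\W\d]\w*")


@dataclass(frozen=True)
class Finding:
    line: int
    col: int        # 1-based column
    kind: str       # "bidi" or "mixed-script"
    detail: str


def _script_of(ch: str) -> str:
    """Approximate a character's script from its Unicode name, e.g.
    'CYRILLIC SMALL LETTER ES' -> 'CYRILLIC'. Assumed heuristic: good enough
    to spot Latin text with a look-alike letter from another script
    (the homoglyph variant, CVE-2021-42694)."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def scan_source(text: str) -> list[Finding]:
    """Return every suspicious location in the given source text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        # 1. Any bidi control character is suspicious in source code.
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append(Finding(lineno, col, "bidi",
                                        f"U+{ord(ch):04X} ({BIDI_CONTROLS[ch]})"))
        # 2. Identifiers whose letters come from more than one script.
        for m in IDENT_RE.finditer(line):
            ident = m.group(0)
            scripts = {_script_of(c) for c in ident if c.isalpha()}
            if len(scripts) > 1:
                findings.append(Finding(lineno, m.start() + 1, "mixed-script",
                                        f"{ident!r} mixes {sorted(scripts)}"))
    return findings


def is_clean(text: str) -> bool:
    """True when the scanner reports nothing; suitable as a CI gate."""
    return not scan_source(text)


# Constructed sample (not from the paper): a C fragment with an RLO and an LRI
# hidden in a comment, plus an identifier whose first letter is Cyrillic.
SAMPLE = (
    "#include <stdio.h>\n"
    "int main(void) {\n"
    "    int is_admin = 0;\n"
    "    /* reviewer-visible comment \u202e; return 0 ; \u2066 */\n"
    "    printf(\"hello\\n\");\n"
    "    return is_admin;\n"
    "}\n"
    "int \u0441heck(void) { return 1; }\n"
)

if __name__ == "__main__":
    # Usage: python scan.py [file]; with no argument the constructed sample is scanned.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for f in scan_source(text):
        print(f"{f.line}:{f.col}: {f.kind}: {f.detail}")
    sys.exit(0 if is_clean(text) else 1)
```

Run against the sample, the scanner reports the two bidi characters on line 4 and the mixed-script identifier on line 8, and exits non-zero; wiring `is_clean` into a pre-commit hook or CI step turns the human reviewer's blind spot into a mechanical gate. The script heuristic is deliberately coarse: it trusts the first word of the Unicode character name, so it is a starting point rather than a substitute for a proper confusables check.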

Organizations in the technology space, especially those building software in the affected languages, may be exposed to this technique. The discovery underlines the importance of continuous scrutiny in software development practices: developers and firms must stay alert, because their code base may carry risks that are not visible during routine review.

From an adversary tactics perspective, the MITRE ATT&CK framework offers insight into the potential methods employed in these attacks. Techniques associated with initial access and evasion could play a pivotal role in successfully deploying Trojan Source strategies. The ability to maintain a semblance of legitimate code while executing harmful actions can aid adversaries in achieving persistence within an organization’s infrastructure.

As the cybersecurity landscape evolves, the introduction of such sophisticated techniques emphasizes the pressing need for enhanced security measures and awareness. Organizations must adopt stringent code review processes and invest in training for their development teams to identify and mitigate these emerging threats effectively. The Trojan Source technique serves as a reminder that even the most seasoned professionals must remain vigilant against innovative methods of infiltration and attack.

In this rapidly changing environment, business owners must prioritize cybersecurity initiatives to protect their assets and ensure the integrity of their software systems. Vigilance and adaptation will be crucial in navigating the complexities of the modern threat landscape, where hidden vulnerabilities can have serious implications for operational continuity and data security.
