Open source supply chain attacks, which have been going on for a year, are worsening

A series of supply chain attacks hitting open source software over the past year shows little sign of slowing down, following the discovery this week of two backdoors inserted into a dozen libraries downloaded by hundreds of thousands of server administrators.

The first backdoor to come to light was in Webmin, a web-based administration tool with more than one million installations. Around April of last year, according to Webmin developer Jamie Cameron, someone compromised the server used to build new versions of the program. The attacker then used that access to distribute a backdoor that was downloaded more than 900,000 times and may have been active on tens of thousands of Internet-connected servers.

The unknown attacker made a small modification to the Webmin script password_change.cgi. The change allowed attackers to send a command through a specially crafted URL that an infected Webmin server would then execute with root privileges. In version 1.890, which was downloaded more than 421,000 times between June 2018 and last weekend, the backdoor was enabled by default. In 1.90, 1.91, and 1.92, which together had more than 942,000 downloads, the backdoor was only active when administrators changed a default setting to allow expired passwords to be changed. The backdoored versions were distributed on SourceForge, the main download source the Webmin website points to.

Statistics from the Shodan search engine (here, here, here, and here) showed tens of thousands of Internet-facing servers running these versions of Webmin, although some of those servers may be running Webmin built from unmodified GitHub code or from another source that does not include the backdoor.

Enter RubyGems (again)

A second backdoor appeared Monday in 11 libraries hosted in the RubyGems repository. According to an analysis by developer Jan Dintel, the backdoor allowed attackers to use pre-selected credentials to remotely execute commands of their choice on infected servers. The malware included a variety of other features, including code for uploading environment variables (which often contain credentials used to access databases, service providers, and other sensitive resources) to a server at the following address: mironanoru.zzz.com.ua.

RubyGems officials also discovered that the malicious code included a cryptocurrency miner. In total, RubyGems figures showed that the backdoored libraries had been downloaded almost 3,600 times.

Rest-client versions 1.6.10, 1.6.11, 1.6.12, and 1.6.13, which account for just over 1,200 of those downloads, were hijacked by someone who compromised an aging developer account protected by a previously cracked password. It is not known how the remaining RubyGems libraries were infected. RubyGems officials did not respond to an e-mail seeking comment for this article.
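As an added defender-side example (not code from the article, Webmin, or RubyGems), the following Python flags the affected Webmin and rest-client versions named above, given a Webmin version string and the text of a Gemfile.lock. It assumes Webmin's release numbers are decimals, so "1.90" and "1.900" denote the same release, and the sample lockfile is constructed.

```python
import re
from decimal import Decimal

# Affected versions as stated in the article. Webmin numbers releases as a
# decimal (1.890, 1.900, ...), so "1.90" and "1.900" are the same release and
# are compared as Decimal (assumption about Webmin's scheme, not from the page).
WEBMIN_DEFAULT_ON = {Decimal("1.890")}
WEBMIN_OPT_IN = {Decimal("1.90"), Decimal("1.91"), Decimal("1.92")}
REST_CLIENT_BAD = {(1, 6, 10), (1, 6, 11), (1, 6, 12), (1, 6, 13)}

# A resolved spec line in Gemfile.lock looks like "    rest-client (1.6.12)".
# Constraint lines such as "      rest-client (>= 1.6)" deliberately don't match.
SPEC_RE = re.compile(r"^\s+(?P<name>[\w.-]+) \((?P<ver>\d+(?:\.\d+)*)\)\s*$")


def check_webmin(version: str, expired_pw_change_enabled: bool) -> str:
    """Classify the version string a Webmin install reports."""
    v = Decimal(version)
    if v in WEBMIN_DEFAULT_ON:
        return "backdoored (enabled by default)"
    if v in WEBMIN_OPT_IN:
        # Present in the code, but only triggerable once the expired-password
        # change option has been switched on.
        return "backdoored (active)" if expired_pw_change_enabled else "backdoored (dormant)"
    return "not in affected list"


def find_bad_gems(lockfile_text: str) -> list:
    """Return (name, version) pairs from a Gemfile.lock that the article lists as hijacked."""
    hits = []
    for line in lockfile_text.splitlines():
        m = SPEC_RE.match(line)
        if not m or m.group("name") != "rest-client":
            continue
        ver = tuple(int(p) for p in m.group("ver").split("."))
        if ver in REST_CLIENT_BAD:
            hits.append((m.group("name"), m.group("ver")))
    return hits


# Constructed sample lockfile, not taken from any real project.
SAMPLE_LOCK = """GEM
  remote: https://rubygems.org/
  specs:
    mime-types (3.2.2)
    rest-client (1.6.12)
      mime-types (>= 1.16, < 4.0)
    rake (13.0.1)
"""
```

Run `check_webmin` against the version Webmin reports and `find_bad_gems` against each lockfile you deploy; a hit on either is a rebuild-and-rotate-credentials event, not a patch-in-place one, as the quotes later in the article spell out.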

Harnessing trust

The Webmin and RubyGems compromises are just the latest open source software supply chain attacks. Most people do not hesitate to install software or updates from a known developer's official website. As developers continue to make software and websites harder to exploit, black hats have increasingly leveraged this trust to spread malware by poisoning code at its source.

The wave of attacks began in earnest last October, with the discovery in a single week of two unrelated supply chain attacks on two open source projects. The first hit the VestaCP control panel interface; the other was a package called "Colourama" that was slipped into the official Python repository.

A month later, malicious code designed to steal funds from bitcoin wallets was found in event-stream, a code library with 2 million downloads used by Fortune 500 companies and small startups alike. Officials from NPM, the open source package manager that hosted the backdoored software, said the malicious code was designed to target users of a bitcoin wallet developed by Copay, one of the many companies that had integrated event-stream into its application. It took NPM six days to issue an advisory after becoming aware of the attack.

Last March, researchers discovered that another RubyGems library, bootstrap-sass, had also been backdoored. At the beginning of last month, something similar happened to a RubyGems library called strong_password. Like the backdoor discovered this week in the 11 RubyGems projects, the bootstrap-sass and strong_password backdoors used a browser cookie function to give attackers the ability to execute code on infected servers. The strong_password backdoor also communicated with smiley.zzz.com.ua, a domain that bears more than a passing resemblance to the mironanoru.zzz.com.ua domain used in the recent attacks.

Ripe fruit

To be fair, closed source software is also plagued by supply chain attacks, as evidenced by those that hit the computer maker ASUS twice, the malicious update to the MEDoc tax accounting software that seeded the NotPetya outbreak in 2017, and another backdoor that infected users of the CCleaner disk utility the same year.

But the low-hanging fruit for supply chain attacks seems to be open source projects, in part because many do not make multifactor authentication and code signing mandatory across their broad base of contributors.

"Recent findings clearly show that these problems are becoming more common and that the security ecosystem around publishing and package management is not improving fast enough," HD Moore, vice president of research and development at Atredis Partners, told Ars. "What's scary is that each of these instances probably has the effect of compromising even more developer accounts (through captured passwords, tokens, API keys, and SSH keys). Attackers probably have enough credentials on hand to do it repeatedly, until all the credentials are reset and the appropriate MFA and signing are in place."

Moore said the impact of open source supply chain infections is often difficult to assess because backdoored packages can be included as an upstream dependency by another package. "The way dependency management tools push to the latest packages by default makes a successful attack in the case of a backdoored dependency even more likely," he added.

Open source attacks can also have an outsized impact because they affect powerful servers used for tasks such as sending e-mail and serving web pages. Once a server has installed a backdoored package, the only recourse is a full rebuild, a task so burdensome that it may be skipped by most of the 100,000 or more systems that received one of the maliciously tampered packages discovered this week.

"Without a proper reinstallation of the operating system and the application, as well as rotation of keys and credentials, the system may still be compromised," Kenn White, director of the Open Crypto Audit Project, told Ars. "I have turned down more than one engagement because the operators thought they could manually inspect the system via, for example, file diffs, and perform a valid assessment themselves. It's naive, to say the least."