ARSTECHNICA.COM
Yearlong supply-chain attack targeting security pros steals 390K credentials
EXPLOITING WEAK LINKS

Multifaceted, high-precision campaign targets malicious and benevolent hackers alike.

Dan Goodin, Senior Security Editor, Dec 13, 2024 4:46 pm

A sophisticated and ongoing supply-chain attack operating for the past year has been stealing sensitive login credentials from both malicious and benevolent security personnel by infecting them with Trojanized versions of open source software from GitHub and NPM, researchers said.

The campaign, first reported three weeks ago by security firm Checkmarx and again on Friday by Datadog Security Labs, uses multiple avenues to infect the devices of researchers in security and other technical fields. One is through packages that have been available on open source repositories for over a year. They install a professionally developed backdoor that takes pains to conceal its presence. The unknown threat actors behind the campaign have also employed spear phishing that targets thousands of researchers who publish papers on the arXiv platform.

Unusual longevity

The objectives of the threat actors are also multifaceted. One is the collection of SSH private keys, Amazon Web Services access keys, command histories, and other sensitive information from infected devices every 12 hours. When this post went live, dozens of machines remained infected, and an online account on Dropbox contained some 390,000 credentials for WordPress websites taken by the attackers, most likely by stealing them from fellow malicious threat actors. The malware used in the campaign also installs cryptomining software that was present on at least 68 machines as of last month.

It's unclear who the threat actors are or what their motives may be.
Datadog researchers have designated the group MUT-1244, with MUT short for "mysterious unattributed threat."

The campaign first came to light when Checkmarx recently discovered @0xengine/xmlrpc, a package that had circulated on the NPM JavaScript repository since October 2023. @0xengine/xmlrpc began as a benign package offering a JavaScript implementation of the widely used XML-RPC protocol and a client implementation for Node.js.

[Screenshot: the NPM page where @0xengine/xmlrpc was available. Credit: Checkmarx]

Over time, the package slowly and strategically evolved into the malware it is today. A significant change eventually introduced heavily obfuscated code hidden in one of its components. In its first 12 months, @0xengine/xmlrpc received 16 updates, giving developers the impression it was a benign and legitimate code library that could be trusted in sensitive environments.

MUT-1244 complemented @0xengine/xmlrpc with a second package, available on GitHub. Titled yawpp and hosted at hxxps[:]//github[.]com/hpc20235/yawpp, the package presented itself as a tool for WordPress credential checking and content posting. There is no malicious code in yawpp itself, but because the package declares @0xengine/xmlrpc as a dependency, supposedly because it uses @0xengine/xmlrpc for XML-RPC communication with WordPress sites, the malicious package was automatically installed alongside it.

"The combination of regular updates, seemingly legitimate functionality, and strategic dependency placement has contributed to the package's unusual longevity in the NPM ecosystem, far exceeding the typical lifespan of malicious packages that are often detected and removed within days," Checkmarx researcher Yehuda Gelb wrote last month.

The malicious functionality of the @0xengine/xmlrpc package was made all the more stealthy by remaining dormant until or unless executed through one of two vectors:

- Direct package users execute any command with the --targets or -t flag. This activation occurs when running the package's validator functionality, which masquerades as an XML-RPC parameter validation feature.
- Users installing the yawpp WordPress tool from GitHub automatically receive the malicious package as a dependency. The malware activates when running either of yawpp's main scripts (checker.js or poster.js), as both require the targets parameter for normal operation.

[Diagram: the attack flow as shown by Checkmarx. Credit: Checkmarx]

The malware maintained persistence, meaning the ability to run each time the infected machine was rebooted, by disguising itself as a legitimate session authentication service named Xsession.auth. Every 12 hours, Xsession.auth would initiate a systematic collection of sensitive system data, including:

- SSH keys and configurations from ~/.ssh
- Command history from ~/.bash_history
- System information and configurations
- Environment variables and user data
- Network and IP information obtained through ipinfo.io

The stolen data would then be uploaded to either an account on Dropbox or to file.io. Monitoring the wallet where mined Monero cryptocurrency was deposited indicated the malware was running on machines in the real world.

[Screenshot: a graph tracking mining activity. Credit: Checkmarx]

But wait, there's more

On Friday, Datadog revealed that MUT-1244 employed additional means for installing its second-stage malware. One was through a collection of at least 49 malicious entries posted to GitHub that contained Trojanized proof-of-concept exploits for security vulnerabilities. Proof-of-concept exploits of this kind are used by malicious and benevolent security personnel alike to better understand the extent of vulnerabilities, including how they can be exploited or patched in real-life environments.

A second major vector for delivering the second-stage malware was phishing emails. Datadog discovered MUT-1244 had left a phishing template, accompanied by 2,758 email addresses scraped from arXiv, a site frequented by professional and academic researchers.
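The dependency trick described above only works because nobody looks past package.json. The lockfile, however, records the transitive edge. The following is an added example (not code from Checkmarx, Datadog, or the yawpp project) that walks an npm lockfile in the lockfileVersion 2/3 "packages" layout and prints every dependency chain that reaches a flagged package name; the sample lockfile, the project name and all version strings are constructed for the demo, and the only name taken from the reports is @0xengine/xmlrpc.

```javascript
// Added example, not from the Checkmarx or Datadog reports: report every
// dependency chain in an npm lockfile that reaches a flagged package, so a
// transitive pull-in such as yawpp -> @0xengine/xmlrpc is visible even
// though the root package.json never names the malicious package.

// Constructed sample lockfile (lockfileVersion 2/3 "packages" layout).
// The project name and all version strings are assumptions for the demo.
const SAMPLE_LOCK = {
  name: "wp-audit-tooling",
  lockfileVersion: 3,
  packages: {
    "": { name: "wp-audit-tooling", dependencies: { yawpp: "*", lodash: "^4.17.21" } },
    "node_modules/yawpp": { version: "1.0.0", dependencies: { "@0xengine/xmlrpc": "*" } },
    "node_modules/@0xengine/xmlrpc": { version: "1.3.4" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

// Package names to flag; @0xengine/xmlrpc is the one named in the reports.
const FLAGGED = new Set(["@0xengine/xmlrpc"]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Build a name -> [dependency names] adjacency map. Keyed by package name
// only, which assumes the lockfile holds a single copy of each package.
function dependencyGraph(lock) {
  const graph = new Map();
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    const name = lockPath === "" ? "<root>" : packageName(lockPath);
    graph.set(name, Object.keys(entry.dependencies || {}));
  }
  return graph;
}

// Depth-first walk from the root; returns every chain that ends in a
// flagged package, e.g. ["<root>", "yawpp", "@0xengine/xmlrpc"].
function findFlaggedPaths(lock, flagged = FLAGGED) {
  const graph = dependencyGraph(lock);
  const hits = [];
  const walk = (name, chain) => {
    if (flagged.has(name)) {
      hits.push([...chain, name]);
      return;
    }
    if (chain.includes(name)) return; // cycle guard
    for (const dep of graph.get(name) || []) walk(dep, [...chain, name]);
  };
  walk("<root>", []);
  return hits;
}

// Stand-alone run: prints "<root> -> yawpp -> @0xengine/xmlrpc".
for (const chain of findFlaggedPaths(SAMPLE_LOCK)) console.log(chain.join(" -> "));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the chain output tells you which direct dependency to remove or pin, which a plain name match against package.json cannot.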
[Screenshot: a phishing email used in the campaign. Credit: Datadog]

The email, directed at people who develop or research software for high-performance computing, encouraged them to install a CPU microcode update that would supposedly improve performance significantly. Datadog later determined that the emails had been sent from October 5 through October 21.

[Diagram: additional vectors discovered by Datadog. Credit: Datadog]

Further adding to the impression of legitimacy, several of the malicious packages are automatically included in legitimate sources, such as Feedly Threat Intelligence and Vulnmon. These sites listed the malicious packages among proof-of-concept repositories for the vulnerabilities the packages claimed to exploit.

"This increases their look of legitimacy and the likelihood that someone will run them," Datadog said.

The attackers' use of @0xengine/xmlrpc allowed them to steal some 390,000 credentials from infected machines. Datadog has determined the credentials were for logging into administrative accounts on websites that run the WordPress content management system.

Taken together, the many facets of the campaign (its longevity, its precision, the professional quality of the backdoor, and its multiple infection vectors) indicate that MUT-1244 is a skilled and determined threat actor. The group did, however, err by leaving the phishing email template and addresses in a publicly available account.

The ultimate motives of the attackers remain unclear. If the goal were to mine cryptocurrency, there would likely be better populations than security personnel to target.
And if the objective was targeting researchers, as other recently discovered campaigns have done, it's unclear why MUT-1244 would also employ cryptocurrency mining, an activity that's often easy to detect.

Reports from both Checkmarx and Datadog include indicators people can use to check if they've been targeted.
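Beyond the file and package indicators, the collection routine described earlier (a lookup against ipinfo.io, then an upload to Dropbox or file.io, repeating every 12 hours) is a network pattern that can be hunted for in egress logs. The following is an added example, not code or a rule from either report: it runs over constructed proxy log lines in an assumed "timestamp host method url" format, pairs each ipinfo.io request with a Dropbox or file.io upload shortly after it, and flags hosts whose pairs recur at roughly 12-hour intervals. The host names, timestamps and the exact Dropbox API path are constructed for the demo.

```javascript
// Added example, not from the Checkmarx or Datadog reports: hunt egress
// logs for the "ipinfo.io lookup, then Dropbox/file.io upload, every 12h"
// beacon described in the article. Log format is an assumption:
//   <ISO-8601 timestamp> <host> <method> <url>
const SAMPLE_LOGS = [ // constructed sample data
  "2024-11-02T01:00:04Z build-07 GET ipinfo.io/json",
  "2024-11-02T01:00:09Z build-07 POST content.dropboxapi.com/2/files/upload",
  "2024-11-02T13:00:02Z build-07 GET ipinfo.io/json",
  "2024-11-02T13:00:07Z build-07 POST file.io/",
  "2024-11-03T01:00:05Z build-07 GET ipinfo.io/json",
  "2024-11-03T01:00:11Z build-07 POST content.dropboxapi.com/2/files/upload",
  "2024-11-02T09:14:21Z laptop-03 GET ipinfo.io/json",
  "2024-11-02T10:30:00Z laptop-03 GET registry.npmjs.org/lodash",
];

// Exfil destinations named in the reports (Dropbox, file.io) and the
// IP-lookup service the malware queries first.
const EXFIL_HOSTS = [/\bdropbox(api)?\.com\b/, /\bfile\.io\b/];
const RECON_HOST = /\bipinfo\.io\b/;

function parseLine(line) {
  const [ts, host, method, url] = line.trim().split(/\s+/);
  return { t: Date.parse(ts), host, method, url };
}

// For each host, pair every ipinfo.io request with an exfil upload within
// pairWindowMs; then count consecutive pairs spaced periodMs apart (within
// jitterMs). Hosts with at least two pairs and one such gap are returned.
function findBeaconingHosts(
  lines,
  { pairWindowMs = 60_000, periodMs = 12 * 3_600_000, jitterMs = 15 * 60_000 } = {},
) {
  const byHost = new Map();
  for (const e of lines.map(parseLine)) {
    if (!byHost.has(e.host)) byHost.set(e.host, []);
    byHost.get(e.host).push(e);
  }
  const flagged = [];
  for (const [host, events] of byHost) {
    events.sort((a, b) => a.t - b.t);
    const pairTimes = [];
    for (let i = 0; i < events.length; i++) {
      if (!RECON_HOST.test(events[i].url)) continue;
      const upload = events
        .slice(i + 1)
        .find((e) => e.t - events[i].t <= pairWindowMs && EXFIL_HOSTS.some((re) => re.test(e.url)));
      if (upload) pairTimes.push(events[i].t);
    }
    let periodicGaps = 0;
    for (let i = 1; i < pairTimes.length; i++) {
      if (Math.abs(pairTimes[i] - pairTimes[i - 1] - periodMs) <= jitterMs) periodicGaps++;
    }
    if (pairTimes.length >= 2 && periodicGaps >= 1) {
      flagged.push({ host, pairs: pairTimes.length, periodicGaps });
    }
  }
  return flagged;
}

// Stand-alone run: build-07 is flagged (3 pairs, 2 gaps of ~12h); laptop-03
// queried ipinfo.io once with no upload after it and is left alone.
for (const hit of findBeaconingHosts(SAMPLE_LOGS)) console.log(JSON.stringify(hit));
```

The pairing step matters more than the period check: a developer who runs `curl ipinfo.io` by hand or syncs a Dropbox folder will trip one regex but not the lookup-then-upload sequence, and a single pair is still worth a manual look even when no second beacon has fired yet.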