  An unidentified group of threat actors orchestrated a sophisticated
  supply chain cyberattack on members of the Top.gg GitHub organization
  as well as individual developers in order to inject malicious code into
  the code ecosystem.

  The attackers infiltrated trusted software development elements to
  compromise developers. They hijacked GitHub accounts with stolen
  cookies, contributed malicious code via verified commits, established a
  counterfeit Python mirror, and released tainted packages on the PyPI
  registry.

  "Multiple TTPs help attackers create sophisticated attacks, evade
  detection, increase the chances of successful exploitation, and
  complicate defense efforts," says Jossef Harush Kadouri, head of
  software supply chain security at Checkmarx.

  The attackers used a convincing typosquatting technique, with a fake
  Python mirror domain resembling the official one, to deceive users,
  according to a [1]blog post by Checkmarx researchers.

  By tampering with popular Python packages like Colorama — which is used
  by more than 150 million users to simplify the process of formatting
  text — the attackers concealed malicious code within seemingly
  legitimate software, expanding their reach beyond GitHub repositories.

  They also exploited high-reputation GitHub Top.gg accounts to insert
  malicious commits and increase the credibility of their actions. Top.gg
  has 170,000 members.

Data Theft

  In the final stage of the attack, the malware used by the threat group
  steals sensitive information from the victim. It can target popular
  user platforms, including Web browsers like Opera, Chrome, and Edge —
  targeting cookies, autofill data, and credentials. The malware also
  roots out Discord accounts and abuses decrypted tokens to gain
  unauthorized access to victim accounts on the platform.

  The malware can steal victims' cryptocurrency wallets, Telegram session
  data, and Instagram profile information. In the latter scenario, the
  attacker uses the victim's session tokens to retrieve their account
  details, employing a keylogger to capture keystrokes, potentially
  compromising passwords and personal messages.

  The stolen data from these individual attacks is then exfiltrated to
  the attacker's server using various techniques, including anonymous
  file-sharing services and HTTP requests. The attackers utilize unique
  identifiers to track each victim.

  To evade detection, the attackers employed intricate obfuscation
  techniques in their code, including whitespace manipulation and
  misleading variable names. They established persistence mechanisms,
  modified system registries, and executed data-stealing operations
  across various software applications.

  Despite these sophisticated tactics, some vigilant Top.gg community
  members noticed the malicious activities and reported them, which led to
  Cloudflare taking down the abused domains, according to Checkmarx. Even
  so, Checkmarx's Kadouri still regards the threat as "active."

How to Protect Developers

  IT security professionals should regularly monitor and audit new code
  project contributions and focus on education and awareness for
  developers on the risks of supply chain attacks.
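
  One way to audit a contribution for the fake-mirror technique described
  above, as an added example that is not from Checkmarx or the original
  article: it scans a pip requirements file for download URLs whose host
  is not an official PyPI host and flags near-matches. The sample file,
  its hostnames and the 0.8 similarity threshold are constructed
  assumptions.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Hosts pip downloads from by default (official PyPI index and file host).
TRUSTED_HOSTS = {"pypi.org", "files.pythonhosted.org"}
URL_RE = re.compile(r"https?://[^\s'\"#]+")


def classify_host(host, trusted=TRUSTED_HOSTS, threshold=0.8):
    """Return 'trusted', 'lookalike' (close to a trusted name) or 'unknown'."""
    host = host.lower().rstrip(".")
    if host in trusted:
        return "trusted"
    # A near-match to an official host deserves more attention than a random one.
    if any(SequenceMatcher(None, host, t).ratio() >= threshold for t in trusted):
        return "lookalike"
    return "unknown"


def audit_requirements(text):
    """Return (line_no, host, verdict) for every non-trusted URL in the file."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.split(" #", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith("#"):
            continue
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname or ""
            verdict = classify_host(host)
            if verdict != "trusted":
                findings.append((no, host, verdict))
    return findings


# Constructed sample: the non-official hosts are made-up placeholders,
# not indicators from the incident.
SAMPLE = """\
requests==2.31.0
--index-url https://pypi.org/simple
colorama @ https://files.pythonhosted.org/packages/colorama-0.4.6.tar.gz
--extra-index-url https://files.pythonhosted.org.example/simple
colorama @ https://files.pyth0nhosted.org/packages/colorama-0.4.6.tar.gz
internal-lib @ https://git.corp.example/internal-lib-1.0.tar.gz
"""

if __name__ == "__main__":
    for no, host, verdict in audit_requirements(SAMPLE):
        print(f"line {no}: {host} -> {verdict}")
```

  A private index that a team really uses belongs in TRUSTED_HOSTS, so
  that only unexpected hosts are reported during review.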

  "We believe in putting competition aside and working together to make
  the open source ecosystems safe from attackers," Kadouri says. "Sharing
  resources is crucial for having an edge over software supply chain
  threat actors."

  Expect software supply chain attacks to continue, according to Kadouri.
  "I believe the evolution of supply chain attacks is going to increase
  in build pipelines and AI and large language models."

  Recently, repositories for machine learning models, such as Hugging
  Face, have offered threat actors opportunities to [2]inject malicious
  code into development environments, akin to open source repositories
  npm and PyPI.

  Other software supply chain security issues have arisen recently,
  including those affecting cloud versions of the JetBrains [3]TeamCity
  software development platform manager, as well as [4]malicious code
  updates slipped into hundreds of GitHub repositories in September.

  And weak authentication and access controls allowed Iranian hacktivists
  to conduct a [5]supply chain attack earlier this month on Israeli
  universities via a technology provider.

References

  1. https://checkmarx.com/blog/over-170k-users-affected-by-attack-using-fake-python-infrastructure/
  2. https://www.darkreading.com/cloud-security/ml-model-repositories-next-big-supply-chain-attack-target
  3. https://www.darkreading.com/application-security/critical-teamcity-bugs-endanger-software-supply-chain
  4. https://www.darkreading.com/application-security/supply-chain-attackers-escalate-with-github-dependabot-impersonation
  5. https://www.darkreading.com/cyberattacks-data-breaches/israeli-universities-hit-by-supply-chain-cyberattack-campaign