A new supply chain attack uses unused S3 buckets to spread malicious binaries.

A worrying new kind of software supply chain attack has surfaced, one that uses abandoned Amazon S3 buckets to spread malicious binaries to open source projects. Because the affected packages still point at the abandoned bucket, a threat actor who claims it can serve rogue binaries to unwitting users without changing the original modules themselves.

Guy Nachshon, a Checkmarx researcher, has shed light on this attack vector and discovered that the malicious binaries are made to collect private data, such as user IDs, passwords, local machine environment variables, and local host names. The hijacked bucket is subsequently used to exfiltrate the stolen data, giving threat actors access to it for their own purposes.

The attack was first identified in connection with the npm package bignum. Up until version 0.13.0, installing the package downloaded pre-built binaries of the node-pre-gyp addon from an Amazon S3 bucket. That bucket was later deleted, and a hostile third party has since claimed its name, so anyone who installed an affected version after the bucket's expiration unwittingly received malware-laced binaries.

An unidentified threat actor built their attack around the previously active S3 bucket. The package's download reference kept pointing at the bucket as its source even after the bucket was deleted; by re-registering the bucket under their own control, the attacker turned that dangling reference into a channel for serving malicious binaries to users.
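As an added defensive example (not code from the article, from Checkmarx or from node-pre-gyp itself), the following Node script audits parsed package.json manifests for the node-pre-gyp `binary.host` setting that bignum used, extracts the S3 bucket each one points at, and classifies the reply to an unauthenticated probe of that bucket so an abandoned name is caught before it can be claimed. The manifests and probe replies are constructed samples.

```javascript
// Added example, not part of the article or node-pre-gyp. node-pre-gyp reads the
// prebuilt-binary download location from "binary.host"; samples below are constructed.

// Return the S3 bucket name when `host` is an S3 URL, else null. Covers virtual-hosted
// (bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com) and path-style
// (s3.amazonaws.com/bucket/...) forms.
function s3BucketFromHost(host) {
  let u;
  try { u = new URL(host); } catch { return null; }
  const m = u.hostname.match(/^(?:([^.]+)\.)?s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$/);
  if (!m) return null;
  if (m[1]) return m[1];                              // virtual-hosted style
  const seg = u.pathname.split("/").filter(Boolean);
  return seg.length ? seg[0] : null;                  // path-style
}

// Scan parsed manifests and list packages whose prebuilt binaries come from S3.
function findS3BinaryHosts(packages) {
  const hits = [];
  for (const { name, manifest } of packages) {
    const host = manifest && manifest.binary && manifest.binary.host;
    if (typeof host !== "string") continue;
    const bucket = s3BucketFromHost(host);
    if (bucket) hits.push({ name, host, bucket });
  }
  return hits;
}

// Interpret an unauthenticated GET of https://<bucket>.s3.amazonaws.com/ (GET, not
// HEAD: the XML error code is in the body). NoSuchBucket means no AWS account owns
// the name, so anyone could register it. "exists" only proves some account owns it,
// not that it is still the original maintainer's, so it is not a clean bill of health.
function classifyBucketProbe(status, body) {
  const text = body || "";
  if (status === 404 && text.includes("NoSuchBucket")) return "unclaimed";
  if (status === 404 && text.includes("NoSuchKey")) return "exists";  // bucket exists, key does not
  if (status === 403 || status === 200) return "exists";
  return "unknown";
}

// Constructed sample manifests (not real packages).
const SAMPLE_PACKAGES = [
  { name: "native-addon-a", manifest: { binary: { host: "https://example-prebuilt.s3.amazonaws.com/" } } },
  { name: "native-addon-b", manifest: { binary: { host: "https://s3.us-west-2.amazonaws.com/another-bucket/builds" } } },
  { name: "pure-js", manifest: { main: "index.js" } },
  { name: "cdn-hosted", manifest: { binary: { host: "https://cdn.example.com/builds/" } } },
];
for (const hit of findS3BinaryHosts(SAMPLE_PACKAGES)) {
  console.log(`${hit.name}: prebuilt binaries from bucket "${hit.bucket}" (${hit.host}); probe before trusting`);
}
```

In a real audit, feed it every package.json under node_modules and probe each bucket found; an "unclaimed" result is the exact state the bignum takeover exploited.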

The malware sample's capabilities were revealed through a reverse engineering investigation. It is able to steal user credentials and extract information about the environment, then send the data to the same hijacked bucket. Checkmarx researchers have found numerous other packages that still rely on abandoned S3 buckets, leaving them exposed to the same technique. The discovery starkly illustrates that threat actors are continuously looking for novel ways to infiltrate the software supply chain.

Guy Nachshon from Checkmarx cautioned developers and organisations, "This new twist in the world of subdomain takeovers serves as a wake-up call to developers and organisations." He emphasised that defunct subdomains or hosting buckets shouldn't be written off as lost artefacts. These underutilised resources have the potential to be powerful tools for data theft and penetration in the wrong hands.

This development comes shortly after a recent discovery by the cybersecurity company Cyble. The company found 160 malicious Python packages that had been downloaded more than 45,000 times in total. These packages contained code designed to extract login information and payment card details. Together, these episodes show the increasing dangers and challenges facing the open-source ecosystem.

These supply chain attacks have wide-ranging effects, since they can affect both ordinary users and businesses that depend on open source software. Organisations and developers must maintain vigilance, putting strong security safeguards in place and undertaking in-depth risk analyses of their software dependencies. Timely patching and routine monitoring for weaknesses such as abandoned resources, S3 buckets included, are critical steps in reducing the risk posed by these new attack vectors.

Maintaining up-to-date knowledge on security alerts and recommended procedures for secure software development should be a priority for software developers and maintainers. To quickly find and fix vulnerabilities, cooperation and information sharing among software developers are crucial.

It is crucial that the cybersecurity community and industry stakeholders work together to bolster defences, improve threat intelligence sharing, and advance secure development practices as threat actors continue to refine their strategies. Only by working together can we successfully address the changing threats posed by software supply chain attacks and safeguard the integrity of open source software.
