The rash of supply-chain attacks hitting open source software over the past year shows little sign of abating after two separate ones were discovered this week, in which a backdoor was inserted into a dozen libraries downloaded by hundreds of thousands of server administrators.
The first backdoor came to light in Webmin, a web-based administration tool with more than 1 million installations. An unknown attacker made a small change to a Webmin script called password_change.cgi. The change allowed attackers to send a command via a specially crafted URL that the infected Webmin server would then execute with root privileges. In version 1.890, which had more than 421,000 downloads between June 2018 and last weekend, the backdoor was active by default. In versions 1.900, 1.910, and 1.920, which together account for more than 942,000 downloads, the backdoor is only active when administrators have changed a default setting to allow users to change expired passwords. The backdoored versions were distributed through SourceForge, which is the main download source that the Webmin website points to.
Statistics collected by the Shodan search engine showed tens of thousands of Internet-facing servers running these versions of Webmin, although it cannot be ruled out that some of those servers are running Webmin built from the unaltered GitHub source, or from another source that does not include the backdoor.
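As an added example (not Webmin's own code and not part of the original article), the following Python script audits a local Webmin install along the lines of the paragraphs above. It maps the installed release to the exposure described (1.890 exposed by default; 1.900 through 1.920 only when the expired-password option is enabled; Webmin's version file uses the three-digit form) and statically scans password_change.cgi for any line that hands a request parameter to a shell, which is a strong signal that the installed copy differs from the clean GitHub source and should be diffed against it. The file paths, the assumption that the expired-password option is stored as passwd_mode=2 in miniserv.conf, the assumption that the clean script never passes form input to a shell, and the embedded sample file contents are all assumptions for illustration, not taken from the page.

```python
#!/usr/bin/env python3
"""Local audit for a backdoored Webmin password_change.cgi.

Added example, not Webmin's own code.  Assumed layout (override on the
command line if yours differs): /etc/webmin/version, /etc/webmin/miniserv.conf
and /usr/share/webmin/password_change.cgi.
"""
import re
import sys
from pathlib import Path

# Releases as described above, in Webmin's own three-digit numbering.
BACKDOORED_BY_DEFAULT = {"1.890"}
BACKDOORED_IF_EXPIRED_ENABLED = {"1.900", "1.910", "1.920"}

# Perl constructs that run a shell, and the hash Webmin CGI scripts read form
# input from.  A line containing both passes attacker-controlled data to a
# shell; the clean upstream script is assumed never to do that.
SHELL_CALL = re.compile(r"\bqx\b|`|\bsystem\s*\(|\bexec\s*\(|\bopen\s*\([^)]*\|")
REQUEST_PARAM = re.compile(r"\$in\{")

# Constructed samples (not real Webmin files) so the checks run offline.
SAMPLE_CONF_DEFAULT = "port=10000\nssl=1\npasswd_mode=0\n"
SAMPLE_CONF_EXPIRED = "port=10000\nssl=1\npasswd_mode=2\n"
SAMPLE_CLEAN_CGI = """\
#!/usr/local/bin/perl
# password_change.cgi (constructed excerpt, not the real file)
&ReadParse();
$enc_pass = &unix_crypt($in{'new1'}, $salt);
"""
# Constructed tampered line: form field 'old' interpolated into qx//.
SAMPLE_TAMPERED_CGI = SAMPLE_CLEAN_CGI + "$enc_pass = qx/$in{'old'} $enc_pass/;\n"


def expired_password_change_enabled(miniserv_conf: str) -> bool:
    """True if the 'prompt users with expired passwords' option is on.
    Assumption: it is stored as passwd_mode=2 in miniserv.conf."""
    m = re.search(r"^\s*passwd_mode\s*=\s*(\d+)\s*$", miniserv_conf, re.M)
    return m is not None and m.group(1) == "2"


def version_risk(version: str, miniserv_conf: str) -> str:
    """Classify the installed release by the exposure reported above."""
    v = version.strip()
    if v in BACKDOORED_BY_DEFAULT:
        return "EXPOSED: backdoor active by default in this release"
    if v in BACKDOORED_IF_EXPIRED_ENABLED:
        if expired_password_change_enabled(miniserv_conf):
            return "EXPOSED: backdoored release and expired-password change is enabled"
        return "AT RISK: backdoored release, currently gated by passwd_mode"
    return "not one of the releases named in the advisory"


def suspicious_lines(cgi_source: str) -> list:
    """Return (line_no, text) for non-comment lines that pass $in{...} to a shell."""
    hits = []
    for n, line in enumerate(cgi_source.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        if SHELL_CALL.search(line) and REQUEST_PARAM.search(line):
            hits.append((n, line.strip()))
    return hits


def audit(version_path: str, conf_path: str, cgi_path: str) -> dict:
    """Read the three files and combine both checks into one report."""
    version = Path(version_path).read_text()
    conf = Path(conf_path).read_text()
    cgi = Path(cgi_path).read_text()
    return {
        "version": version.strip(),
        "risk": version_risk(version, conf),
        "suspicious": suspicious_lines(cgi),
    }


if __name__ == "__main__":
    paths = sys.argv[1:]
    if len(paths) not in (0, 3):
        sys.exit("usage: webmin_audit.py [VERSION_FILE MINISERV_CONF PASSWORD_CHANGE_CGI]")
    if not paths:
        paths = ["/etc/webmin/version", "/etc/webmin/miniserv.conf",
                 "/usr/share/webmin/password_change.cgi"]
    report = audit(*paths)
    print(f"Webmin {report['version']}: {report['risk']}")
    for n, text in report["suspicious"]:
        print(f"  password_change.cgi:{n}: {text}")
    if not report["suspicious"]:
        print("  password_change.cgi: no request parameter reaches a shell")
```

A hit from suspicious_lines is a reason to diff the whole installed tree against the matching GitHub tag, not proof on its own; equally, a clean scan of this one file says nothing about other files an attacker may have touched, which is why the rebuild advice later in the article still applies once a backdoored release has been run.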
Enter RubyGems (Again)
The second backdoor came to light on Monday in 11 libraries available in the RubyGems repository. According to an analysis by developer Jan Dintel, the backdoor allowed attackers to use pre-chosen credentials to remotely execute commands of their choice on infected servers. The malware included a variety of other capabilities, including code that uploaded environment variables, which often contain credentials used to access databases, service providers, and other sensitive resources, to a server located at mironanoru.zzz.com.ua.
RubyGems staff also discovered malicious code that included a cryptocurrency miner. In all, the figures from RubyGems show that the libraries have been downloaded almost 3,600 times.
Four versions of rest-client (1.6.10, 1.6.11, 1.6.12, and 1.6.13), accounting for slightly more than 1,200 of those downloads, were backdoored by someone who compromised an aging developer account that was protected by a previously cracked password. It is not clear how the other RubyGems libraries were infected. RubyGems staff did not respond to an email seeking comment for this post.
The Webmin and RubyGems compromises are just the latest supply-chain attacks to hit open source. Most people don't think twice about installing software or updates from the official site of a well-known developer. As developers continue to make software and websites harder to exploit, black hats have increasingly abused this trust over the past few years to spread malware by poisoning code at its source.
The rash of attacks began in earnest last October with the discovery of two unrelated supply-chain attacks against two open source projects in a single week. The first hit the VestaCP control-panel interface, and the other was a package called Colorama that had been slipped into the official Python repository.
A month later, malicious code designed to steal funds from Bitcoin wallets found its way into event-stream, a code library with 2 million downloads used by Fortune 500 companies and small startups alike. Officials at NPM, the open source package manager that hosts the library, said the malware was designed to target users of a Bitcoin wallet developed by Copay, one of many companies that had incorporated event-stream into its app. It took NPM six days to issue an advisory after learning of the attack.
Last March, researchers discovered that another RubyGems library called bootstrap-sass had also been backdoored. Then something similar happened early last month to a RubyGems library called strong_password. Like the backdoor discovered this week in 11 RubyGems projects, the strong_password backdoor used a browser cookie to let attackers execute code on infected servers. The strong_password backdoor also communicated with smiley.zzz.com.ua, a domain that bears more than a passing resemblance to the mironanoru.zzz.com.ua domain used in this week's attacks.
Low-Hanging Fruit
To be fair, closed-source software also falls prey to supply-side attacks, as shown by the ones that hit computer maker ASUS on two occasions, the malicious update to the M.E.Doc tax-accounting software that seeded the 2017 NotPetya outbreak, and another backdoor that infected users of the CCleaner hard-drive utility that same year.
But the low-hanging fruit for supply-chain attacks appears to be open source, in part because many projects do not make multi-factor authentication and code signing mandatory across their large pools of contributors.
"Recent findings make it clear that these problems are becoming more common and that the security ecosystem around publishing and package management is not improving fast enough," HD Moore, vice president of research and development at Atredis Partners, told Ars. "The frightening thing is that each of these instances may have led to even more developer accounts being compromised (via captured passwords, authorization tokens, API keys and SSH keys)."
Moore said the impact of open source supply-chain infections is often hard to gauge, because a backdoored package can be pulled in as an upstream dependency of another package. "The way in which dependency management tools insist on the latest packages by default makes a successful attack in the case of a dependency hijack even more likely," he added.
Open source attacks can also have an outsized impact because they affect the powerful servers used to do things like deliver email and serve web pages. The only recourse once a server has installed a backdoored package is a full rebuild, a task onerous enough that it is likely to be skipped by many of the 100,000 or more systems that received one of the malicious packages discovered this week.
"Without a clean reinstallation of the operating system and application, coupled with the rotation of keys and credentials, there is a significant risk that the system will remain compromised," Kenn White, director of the Open Crypto Audit Project, told Ars. "I have walked away from more than one engagement because the operators believed that they could manually inspect the system, for example through file diffing, and make a valid assessment themselves. That is naive at best."