Malicious npm Packages Scarf Up Discord Tokens, Credit Card Info

Four packages containing heavily obfuscated malicious Python and JavaScript code were discovered this week in the Node Package Manager (npm) repository.

According to a report from Kaspersky, the malicious packages spread the “Volt Stealer” and “Lofy Stealer” malware, collecting information from their victims, including Discord tokens and credit card information, and spying on them over time.

Volt Stealer is used to steal Discord tokens and harvest people’s IP addresses from the infected computers, which are then uploaded to malicious actors via HTTP.

Lofy Stealer, a newly developed threat, can infect Discord client files and monitor the victim’s actions. For example, the malware detects when a user logs in, changes email or password details, or enables or disables multifactor authentication (MFA). It also monitors when a user adds new payment methods, and will harvest full credit card details. The collected information is then uploaded to a remote endpoint.

The package names are “small-sm,” “pern-valids,” “lifeculer,” and “proc-title.” While npm has removed them from the repository, applications from any developer who already downloaded them remain a threat.

Hacking Discord Tokens

Targeting Discord provides a lot of reach because stolen Discord tokens can be leveraged for spear-phishing attempts on victims’ friends. But Derek Manky, chief security strategist and vice president of global threat intelligence at Fortinet’s FortiGuard Labs, points out that the attack surface will of course vary among organizations, depending on their use of the multimedia communications platform.

“The threat level would not be as high as a Tier 1 outbreak like we have seen in the past — for example, Log4j — due to these concepts around the attack surface associated with these vectors,” he explains.

Users of Discord have options to protect themselves from these kinds of attacks: “Of course, like any application that is targeted, covering the kill chain is an effective measure to reduce risk and threat level,” Manky says.

That means having policies in place for appropriate use of Discord according to user profiles, network segmentation, and more.

Why npm Is Targeted for Software Supply Chain Attacks

The npm software package repository has more than 11 million users and tens of billions of downloads of the packages it hosts. It is used both by experienced Node.js developers and by people who use it casually as part of other activities.

The open source npm modules are used both in Node.js production applications and in developer tooling for applications that wouldn’t otherwise use Node. If a developer inadvertently pulls in a malicious package to build an application, that malware can go on to target the end users of that application. Thus, software supply chain attacks like these provide more reach for less effort than targeting an individual company.

“That ubiquitous use among developers makes it a big target,” says Casey Bisson, head of product and developer enablement at BluBracket, a provider of code security solutions.

Npm doesn’t just provide an attack vector to large numbers of targets; the targets themselves also extend beyond end users, Bisson says.

“Enterprises and individual developers both often have greater resources than the average population, and lateral attacks after gaining a beachhead in a developer’s machine or enterprise systems are generally also rather fruitful,” he adds.

Garwood Pang, senior security researcher at Tigera, a provider of security and observability for containers, points out that while npm provides one of the most popular package managers for JavaScript, not everyone is well versed in how to use it.

“This allows developers access to a huge library of open source packages to enhance their code,” he says. “However, due to the ease of use and the amount of listing, an inexperienced developer can easily import malicious packages without their knowledge.”

It’s no easy feat, though, to identify a malicious package. Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center, cites the sheer quantity of components making up a typical NodeJS package.

“Being able to identify correct implementations of any functionality is challenged when there are many different legitimate solutions to the same problem,” he says. “Add in a malicious implementation that can then be referenced by other components, and you’ve got a recipe where it’s difficult for anyone to determine if the component they are selecting does what it says on the box and doesn’t include or reference undesirable functionality.”

More Than npm: Software Supply Chain Attacks on the Way

Major supply chain attacks have had a significant impact on software security awareness and decision-making, with more investment planned for attack surface monitoring.

Mackey points out that software supply chains have always been targets, especially when looking at attacks aimed at frameworks such as shopping carts or development tools.

“What we’re seeing recently is a recognition that attacks we used to categorize as malware or as a data breach are in reality compromises of the trust organizations place in the software they’re both creating and consuming,” he says.

Mackey also says that many people assumed software created by a vendor was authored solely by that vendor, but in reality there may be hundreds of third-party libraries making up even the simplest software, as came to light with the Log4j fiasco.

“Those libraries are effectively suppliers within the software supply chain for the application, but the decision to use any given supplier was made by a developer solving a feature problem and not by a businessperson focused on business risks,” he says.

That’s prompted calls for the implementation of software bills of materials (SBOMs). And in May, MITRE launched a prototype framework for information and communications technology (ICT) that defines and quantifies risks and security concerns across the supply chain, including software.
