Four packages containing heavily obfuscated malicious Python and JavaScript code were discovered this week in the Node Package Manager (npm) repository.

According to a report from Kaspersky, the malicious packages spread the “Volt Stealer” and “Lofy Stealer” malware, collecting information from their victims, including Discord tokens and credit card information, and spying on them over time.

Volt Stealer is used to steal Discord tokens and harvest people’s IP addresses from the infected computers, which are then uploaded to malicious actors via HTTP.

Lofy Stealer, a newly developed threat, can infect Discord client files and monitor the victim’s actions. For example, the malware detects when a user logs in, changes email or password details, or enables or disables multifactor authentication (MFA). It also monitors when a user adds new payment methods, and will harvest full credit card details. The collected information is then uploaded to a remote endpoint.

The package names are “small-sm,” “pern-valids,” “lifeculer,” and “proc-title.” While npm has removed them from the repository, applications from any developer who already downloaded them remain a threat.
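The removal from npm does not help a project whose lockfile already pins one of these names. As an added example (not from the article or Kaspersky’s report), the following script scans an npm lockfile for the four package names listed above, handling both the nested `dependencies` tree of lockfileVersion 1 and the flat `packages` map of versions 2 and 3 so that transitive pulls under legitimate packages are caught as well; the two sample lockfiles are constructed.

```javascript
// Added example, not from the article: flag the four package names it reports as
// malicious wherever they appear in an npm lockfile, including as transitive dependencies.
const KNOWN_BAD = new Set(["small-sm", "pern-valids", "lifeculer", "proc-title"]);

// lockfileVersion 2/3 use a flat "packages" map keyed by node_modules path;
// lockfileVersion 1 uses a nested "dependencies" tree. Both are handled.
function findBadPackages(lock, bad = KNOWN_BAD) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry, not a dependency
      // Aliased installs carry an explicit name; otherwise take the segment after
      // the last "node_modules/" so scoped names (@scope/name) stay intact.
      const name = meta.name || path.slice(path.lastIndexOf("node_modules/") + 13);
      if (bad.has(name)) hits.push({ name, version: meta.version, path });
    }
  } else if (lock.dependencies) {
    walkV1(lock.dependencies, "", hits, bad);
  }
  return hits;
}

function walkV1(deps, prefix, hits, bad) {
  for (const [name, meta] of Object.entries(deps)) {
    const path = `${prefix}node_modules/${name}`;
    if (bad.has(name)) hits.push({ name, version: meta.version, path });
    if (meta.dependencies) walkV1(meta.dependencies, `${path}/`, hits, bad);
  }
}

// Constructed sample lockfiles: a v3 one where a flagged package hides under
// express, and a v1 one where a flagged package pulls in another flagged package.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/pern-valids": { version: "1.0.3" },
    "node_modules/express/node_modules/proc-title": { version: "0.1.0" },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    lodash: { version: "4.17.21" },
    lifeculer: { version: "2.0.0", dependencies: { "small-sm": { version: "1.1.0" } } },
  },
};

for (const h of findBadPackages(SAMPLE_LOCK_V3)) console.log(`FLAGGED ${h.name}@${h.version} at ${h.path}`);
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findBadPackages` instead of the sample object.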

Hacking Discord Tokens

Targeting Discord provides a lot of reach because stolen Discord tokens can be leveraged for spear-phishing attempts on victims’ friends. But Derek Manky, chief security strategist and vice president of global threat intelligence at Fortinet’s FortiGuard Labs, points out that the attack surface will of course vary among organizations, depending on their use of the multimedia communications platform.

“The threat level would not be as high as a Tier 1 outbreak like we have seen in the past — for example, Log4j — due to these concepts around the attack surface associated with these vectors,” he explains.

Users of Discord have options to protect themselves from these kinds of attacks: “Of course, like any application that is targeted, covering the kill chain is an effective measure to reduce risk and threat level,” Manky says.

That means having policies in place for the appropriate use of Discord according to user profiles, network segmentation, and more.

Why npm Is Targeted for Software Supply Chain Attacks

The npm software package repository has more than 11 million users and tens of billions of downloads of the packages it hosts. It is used both by experienced Node.js developers and by people who use it casually as part of other activities.

The open source npm modules are used both in Node.js production applications and in developer tooling for applications that wouldn’t otherwise use Node. If a developer inadvertently pulls in a malicious package to build an application, that malware can go on to target the end users of that application. Thus, software supply chain attacks like these provide more reach for less effort than targeting an individual company.

“That ubiquitous use among developers makes it a big target,” says Casey Bisson, head of product and developer enablement at BluBracket, a provider of code security solutions.

Npm doesn’t just provide an attack vector to large numbers of targets; the targets themselves also extend beyond end users, Bisson says.

“Enterprises and individual developers both often have greater resources than the average population, and lateral attacks after gaining a beachhead in a developer’s machine or enterprise systems are generally also rather fruitful,” he adds.

Garwood Pang, senior security researcher at Tigera, a provider of security and observability for containers, points out that although npm provides one of the most popular package managers for JavaScript, not everyone is proficient in using it.

“This allows developers access to a huge library of open source packages to enhance their code,” he says. “However, due to the ease of use and the amount of listing, an inexperienced developer can easily import malicious packages without their knowledge.”

It’s no easy feat, though, to identify a malicious package. Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center, cites the sheer quantity of components making up a typical NodeJS package.

“Being able to identify correct implementations of any functionality is challenged when there are many different legitimate solutions to the same problem,” he says. “Add in a malicious implementation that can then be referenced by other components, and you’ve got a recipe where it’s difficult for anyone to determine if the component they are selecting does what it says on the box and doesn’t include or reference undesirable functionality.”

Beyond npm: Software Supply Chain Attacks on the Rise

Major supply chain attacks have had a significant impact on software security awareness and decision-making, with more investment planned for monitoring attack surfaces.

Mackey points out that software supply chains have always been targets, especially when looking at attacks that target frameworks such as shopping carts or development tools.

“What we’re seeing recently is a recognition that attacks we used to categorize as malware or as a data breach are in reality compromises of the trust organizations place in the software they’re both creating and consuming,” he says.

Mackey also says that many people assumed software created by a vendor was entirely authored by that vendor, but in reality there can be hundreds of third-party libraries making up even the simplest software, as came to light with the Log4j fiasco.

“Those libraries are effectively suppliers within the software supply chain for the application, but the decision to use any given supplier was made by a developer solving a feature problem and not by a businessperson focused on business risks,” he says.

That’s prompted calls for the implementation of software bills of materials (SBOMs). In May, MITRE launched a prototype framework for information and communications technology (ICT) that defines and quantifies risks and security concerns across the supply chain, including software.

