Hybrid Cloud
Cyber Security & NaaS
AI & Data
IoT & Connectivity
Business Applications
Intelligent Workplace
Consulting & Professional Services
Small Medium Enterprise
Health and Social Care
Industry
Retail
Tourism and Leisure
Transport & Logistics
Energy & Utilities.jpg)
Dangerous friendships (or how a disguised collaboration on Github can ruin your day)
It is always fascinating to observe how evil makes use of creativity to cultivate new crops. This phenomenon occurs especially when the techniques that were once productive for them end up burning out; either because the trick has been seen too many times or because the technology concerned is retired.
Of course, there are real revivals, for example, the resurgence of malware that infects through Office macros. Something that was thought to be over and that, by a quirk of fate (actually, no, there are technical reasons that help the trick to work again) is back in the limelight. In fact, in reality, it is not so much the technique that matters, but whether or not it is profitable.
We have already said several times that finding a new vulnerability is a costly undertaking, especially if we expect its impact to be severe and its vector to require the least user interaction.
The easy way out is for the user himself to contribute to getting infected, of course, at the expense of setting up a good hoax.
Why would you rack your brains looking for a serious bug when human behavior already comes with a few of them as standard?
This is what has happened to a handful of repositories on Github, which have received altruistic collaborations disguised as DependaBot (we'll define this later) with malicious code that was intended to steal credentials in a naughty way.
Source: https://thehackernews.com/2023/09/github-repositories-hit-by-password.html
If some clueless developer accepted the code collaboration (in the form of a pull request) what it did was to inject malicious code into the repository to steal the data marked as "secret" (not shared with the public).
In addition, it modified the Javascript files of the project to intercept requests coming from forms and steal them.
Attack sequence
The sequence goes like this: you are a maintainer of a popular project on Github. A Python library that is used in a multitude of web application projects. That is, you are a dependency for those projects, a third party that provides them.
In turn, you will have dependencies of other third parties in your own project. All normal and correct. In addition, Github has a wonderful bot that manages those dependencies and tells you when you should update them, especially for security bug fixes (great tool). That bot is DependaBot and it solves the problem we mentioned: being aware of the updates of your dependencies.
The thing is that you get so used to DependaBot that you attribute a lot of reliability to it and many developers, when they receive a request from DependaBot, press the "merge" button (accept the modifications to your project) without thinking twice. There is trust, the value of collaboration is high and if you do not collaborate it means that you have a vulnerable dependency to solve.
Well, this bond of trust is the one that has been exploited.
Under the guise of DependaBot, from third party accounts, they have taken its icon and name to make changes in certain projects.
As the developers trust DependaBot, many of them accepted the changes under the premise that we have already mentioned: trust, without knowing that they were actually making more changes than they should have and leaving the library infected.
Trawling for cedentials and user data
The next step was to wait for other projects that depend on that library to update to the vulnerable version and, once the project was deployed to production, trawling took place, capturing user credentials and data through the forms of the affected website.
Basically, it is a poor variant of more sophisticated supply chain attacks that we have witnessed. Where to attack a third party, they first approached the company that owned control of a dependency and slyly injected their fishing gear into a bookstore to open the attackers' kitchen door.
In fact, it is already a chapter of your own to manage not only the security of your company or your intellectual property, but also to keep a close eye on the dependencies you let into your projects and, from now on, the public collaborations, both yours and of those you invite to your home. See the corresponding section in ATT&CK.
Something to take away
Here, once again, trust is exploited. That human component as necessary as it is weak to build a society.
Paying attention to the scenario set up to give credibility to the hoax, it is not much different from any well-done phishing scam, using the image and the common verb to pull the wool over the eyes of the public.
In fact, this would fall more into the category of phishing using an uncommon vehicle than a supply chain attack, although it has traits of both constituencies. The former is not scary, but confusing, and the latter you don't see it coming and by the time it hits you it's too late for surprise.
In the end, the same of these occasions: In cyber security, if something flies and has wings it may not be a bird but a cannonball on its way to the Santa Barbara.
Image from Yancy Min on Unsplash.
