The flood of supply-chain attacks on open source software that began last year shows no sign of letting up, following the discovery this week of backdoors slipped into a dozen libraries downloaded by hundreds of thousands of server administrators.
The first backdoor to emerge was in Webmin, a web-based administration tool with more than 1
The unknown attacker made a subtle change to a Webmin script named password_change.cgi. The change allowed attackers to send a command through a specially crafted URL that an infected Webmin server would then execute with root privileges. In version 1.890, which had more than 421,000 downloads between June 2018 and last weekend, the backdoor was enabled by default. In versions 1.90, 1.91, and 1.92, which together had more than 942,000 downloads, the backdoor was active only when administrators changed a default setting that controls whether users can change expired passwords. The backdoored versions were distributed through SourceForge, the main download location referenced by the Webmin website.
Shodan search engine statistics showed tens of thousands of Internet-facing servers running these versions of Webmin, although it could not be ruled out that some of those servers were running Webmin built from unmodified code obtained from GitHub or another source without the backdoor.
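A triage check for the two exposure classes described above, written for this article as an added example (it is not Webmin's own code and was not part of the original story). It reads the version string Webmin stores in /etc/webmin/version and the expired-password option in /etc/webmin/miniserv.conf, then reports whether the install falls into the "backdoor on by default" class (1.890), the "backdoor on only if the option is enabled" class (1.90 to 1.92), or neither. The article does not name the configuration key; the assumption here is that the option is the `passwd_mode` key in miniserv.conf and that a value of 2 means it is enabled. The sample inputs at the bottom are constructed.

```python
"""Triage check for the Webmin backdoor described in the article.

Assumptions not stated in the article: the expired-password option is the
`passwd_mode` key in /etc/webmin/miniserv.conf and the value 2 enables it.
"""
import re
import sys
from pathlib import Path
from typing import Optional

# Version classes from the article: 1.890 shipped with the backdoor active by
# default; 1.90, 1.91 and 1.92 only when the expired-password option was on.
# Versions are compared numerically so "1.900" and "1.90" both match.
BACKDOOR_DEFAULT_ON = {1.89}
BACKDOOR_IF_OPTION = {1.90, 1.91, 1.92}

VERSION_FILE = "/etc/webmin/version"      # assumed location of the version file
MINISERV_CONF = "/etc/webmin/miniserv.conf"  # assumed location of the config


def parse_version(text: str) -> Optional[float]:
    """Turn a version file such as '1.890' into a float; None if unparsable."""
    m = re.match(r"\s*(\d+\.\d+)", text)
    return float(m.group(1)) if m else None


def parse_passwd_mode(conf_text: str) -> int:
    """Return the passwd_mode value from miniserv.conf (0 when absent)."""
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "passwd_mode" and value.strip().isdigit():
            return int(value.strip())
    return 0


def classify(version_text: str, conf_text: str) -> str:
    """Map version + config onto the exposure classes the article describes."""
    version = parse_version(version_text)
    if version is None:
        return "unknown: could not parse version"
    if version in BACKDOOR_DEFAULT_ON:
        return "exposed: backdoor enabled by default in this version"
    if version in BACKDOOR_IF_OPTION:
        if parse_passwd_mode(conf_text) == 2:
            return "exposed: expired-password option enabled"
        return "affected version, option disabled: upgrade anyway"
    return "version not in the affected list"


def check_host(version_path: str = VERSION_FILE,
               conf_path: str = MINISERV_CONF) -> str:
    """Run classify() against the files on this host (read-only)."""
    try:
        return classify(Path(version_path).read_text(),
                        Path(conf_path).read_text())
    except OSError as exc:
        return f"unknown: {exc}"


if __name__ == "__main__":
    # Constructed sample inputs so the script demonstrates itself offline.
    samples = [
        ("1.890\n", "passwd_mode=0\n"),
        ("1.900\n", "passwd_mode=0\n"),
        ("1.920\n", "port=10000\npasswd_mode=2\n"),
        ("1.930\n", "passwd_mode=2\n"),
    ]
    for v, c in samples:
        print(f"{v.strip():>6}  {classify(v, c)}")
    if len(sys.argv) > 1 and sys.argv[1] == "--host":
        print("this host:", check_host())
```

Run it with `--host` on a server to classify the live install; the classification is only a starting point, since a server whose version came from an unmodified source would not match the SourceForge builds even with the same version number.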
Enter RubyGems (again).
The second backdoor came to light on Monday in 11 libraries in the RubyGems repository. According to an analysis by developer Jan Dintel, attackers could use the backdoor, with pre-chosen credentials, to remotely execute commands of their choice on infected servers. The malware contained a number of other features, including code that uploaded environment variables, which often hold credentials for databases, service providers, and other sensitive resources, to a server at
RubyGems officials also found that the malicious code contained a cryptocurrency miner. In total, RubyGems figures showed that the backdoored libraries were downloaded nearly 3,600 times.
rest-client versions 1.6.10, 1.6.11, 1.6.12, and 1.6.13, which accounted for just over 1,200 of those downloads, were backdoored by someone who took over a stale developer account protected by a previously cracked password. It is not clear how the remaining RubyGems libraries became infected. RubyGems staff did not respond to an email seeking comment for this post.
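An audit of a project's Gemfile.lock for the backdoored rest-client versions named above, added here as an example; it is not code from the article, from RubyGems, or from Bundler. The only known-bad entries it carries are the four rest-client releases the article lists (the names of the other ten backdoored gems are not given on the page, so the table is meant to be extended from an advisory). Because Gemfile.lock records the exact version Bundler resolved, checking it is also the practical answer to the point made later in the article about dependency tools fetching the latest package by default. The lockfile text at the bottom is constructed.

```python
"""Audit a Gemfile.lock for gem versions the article reports as backdoored."""
import sys
from pathlib import Path
import re
from typing import Dict, List, Set, Tuple

# Gem -> versions reported as backdoored (taken from the article; extend from
# an advisory for the other gems, which the article does not name).
KNOWN_BAD: Dict[str, Set[str]] = {
    "rest-client": {"1.6.10", "1.6.11", "1.6.12", "1.6.13"},
}

# Bundler lists each resolved gem as "    name (version)" under "specs:";
# the deeper-indented lines beneath it are that gem's dependencies.
SPEC_LINE = re.compile(r"^ {4}(\S+) \(([^)]+)\)\s*$")

# Constructed sample lockfile containing one affected version.
SAMPLE_LOCK = """\
GEM
  remote: https://rubygems.org/
  specs:
    mime-types (1.25.1)
    rack (2.0.7)
    rest-client (1.6.13)
      mime-types (>= 1.16)

PLATFORMS
  ruby

DEPENDENCIES
  rack
  rest-client (~> 1.6)

BUNDLED WITH
   1.17.3
"""


def parse_lockfile(text: str) -> Dict[str, str]:
    """Return {gem_name: resolved_version} from every `specs:` section."""
    resolved: Dict[str, str] = {}
    in_specs = False
    for line in text.splitlines():
        if line.strip() == "specs:":
            in_specs = True
            continue
        if not line.startswith(" "):
            # Unindented line: a new top-level section (PLATFORMS, ...) or a blank.
            in_specs = False
            continue
        if in_specs:
            m = SPEC_LINE.match(line)
            if m:
                resolved[m.group(1)] = m.group(2)
    return resolved


def audit(text: str) -> List[Tuple[str, str]]:
    """List (gem, version) pairs in the lockfile that are known backdoored."""
    hits = []
    for gem, version in parse_lockfile(text).items():
        if version in KNOWN_BAD.get(gem, set()):
            hits.append((gem, version))
    return sorted(hits)


if __name__ == "__main__":
    # Pass a path to audit a real lockfile; otherwise the constructed sample runs.
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_LOCK
    hits = audit(text)
    for gem, version in hits:
        print(f"BACKDOORED: {gem} {version}")
    if not hits:
        print("no known-bad gem versions found")
```

The check is only as good as the KNOWN_BAD table, and a lockfile match shows that a bad version was resolved, not whether the gem's hook ever ran on a given host; the article's point about rebuilding affected servers still stands for any match.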
The compromises of Webmin and the RubyGems libraries are just the latest supply-chain attacks to hit open source software. Most people do not think twice about installing software or updates from a well-known developer's official website. As it has become harder to exploit software and websites directly, black hats have in recent years increasingly abused this trust to spread malicious wares by poisoning the source code itself.
The rash of attacks began in October last year with the discovery of two independent supply-chain attacks against two open source projects in a single week. The first targeted the VestaCP control panel interface; the other was a package called Colourama that had been slipped into the official Python repository.
A month later, malicious code designed to steal funds from Bitcoin wallets was found in event-stream, a code library with 2 million downloads used by Fortune 500 companies and small startups alike. Officials from NPM, the open source package manager that hosted the backdoored software, said the malicious code was designed to work with Copay, one of the many companies that had incorporated event-stream into its wallet app. NPM took six days to publish a warning after learning of the attack.
In March of last year, researchers found that another RubyGems library, named bootstrap-sass, had also been backdoored. Something similar happened at the beginning of last month with a RubyGems library called strong_password. Like the backdoor that infected the 11 RubyGems projects this week, the strong_password backdoor used a browser cookie to give attackers the ability to execute code on infected servers. The strong_password backdoor also communicated with smiley.zzz.com.ua, a domain that bears more than a passing resemblance to mironanoru.zzz.com.ua, the domain used in this week's attacks.
Low hanging fruit
To be fair, closed source software also falls victim to supply-chain attacks, as evidenced by the ones that hit computer maker ASUS twice, the malicious update to the M.E.Doc tax accounting software that triggered the NotPetya outbreak of 2017, and another backdoor that infected users of the CCleaner disk utility the same year.
But open source projects appear to bear the brunt of supply-chain attacks, in part because many do not mandate multi-factor authentication and code signing.
"Recent discoveries make it clear that these issues are on the rise and that the security environment around package publishing and management isn't keeping up fast enough," HD Moore, vice president of research and development at Atredis Partners, told Ars. "The scary part is that each of these instances likely resulted in even more developer accounts being compromised (through harvested passwords, authorization tokens, API keys, and SSH keys). The attackers probably have enough credentials to do this repeatedly until all credentials are reset and appropriate MFA and signing are set up."
Moore said the impact of open source supply-chain infections is often difficult to assess because backdoored packages can be pulled into another package as an upstream dependency. "The way dependency management tools retrieve the latest packages by default increases the likelihood of a successful attack in the case of a backdoored dependency," he added.
Open source attacks can also have an outsized impact because they affect powerful servers used to deliver things like email and websites. Once a server has had a backdoored app installed, the only safe remedy is a full rebuild. That task is so cumbersome that many of the 100,000 or more systems that received one of the maliciously crafted packages discovered this week are sure to skip it.
"Without reinstalling the operating system and application and without rotating keys and permissions, there is a significant risk that the system will remain compromised," Kenn White, director of the Open Crypto Audit Project, told Ars. "I have turned down more than one engagement because the operators thought they could manually check the system, for example based on file differences, and make a valid assessment themselves. That's naive, to say the least."