Recently, supply chain attacks through malicious packages hidden in open-source repositories have become a significant issue in the cybersecurity industry. The open nature of these repositories, allowing anyone to freely distribute and install packages, makes them an attractive target for attackers seeking to infiltrate numerous IT environments. This article delves into case studies of supply chain attacks leveraging open-source repositories, analyzing the Indicators of Compromise (IoC) and Tactics, Techniques, and Procedures (TTP) used in these attacks.
Sophisticated Supply Chain Attacks Targeting Specific Companies
The SqzrFramework480.dll package in the NuGet repository captures screenshots, sends ping packets, opens sockets, and transmits data. It was found to target a specific company, BOZHON Precision Industry Technology. Among open-source supply chain attack cases, a large proportion of information-stealing software is used to exfiltrate sensitive data. This package’s capabilities, including screenshot capture, ping packet transmission, and socket data transmission, clearly indicate an intent of industrial espionage.
This malicious package, first published on the NuGet repository on January 24, 2024, has been downloaded approximately 3,000 times. While such malicious packages can be permanently removed from the repository, the vast scope of open-source means detecting every malicious package is practically impossible. Hence, a more comprehensive approach beyond current countermeasures is required.
Another recent case involves the npm repository with the malicious package legacyreact-aws-s3-typescript. This package remained dormant for several months before downloading a malicious file. It uses a post-install script to download and execute an ELF file, which acts as a backdoor by opening a socket and executing commands. This demonstrates the potential for malicious behavior in the installation scripts of open-source packages, necessitating thorough vetting before use.
Typo-Squatting: A Deceptive Tactic in Open-Source Attacks
Another characteristic of attacks leveraging malicious packages in open-source repositories is typo-squatting.
Typo-squatting involves creating deceptive names that closely resemble legitimate URLs or package names, directing users to phishing sites or tricking them into installing malware. The npm package legacyreact-aws-s3-typescript mimicked the popular react-aws-s3-typescript package by adding the word “legacy” to appear legitimate.
IP Addresses Used in Open-Source Supply Chain Attacks
Upon analyzing the legacyreact-aws-s3-typescript package from the npm repository, it was found to include a post-install script that downloads and executes an ELF file. This file opens a socket and connects to the IP address 91[.]238[.]181[.]250, receiving commands as a backdoor.
Using the Criminal IP OSINT-based threat hunting tool, we can see this IP address is detected as a C2 IP, categorized under the Snort tag. The IP scoring also classifies it as critical, with a 99% inbound score.
Analyzing the C2 IP Address With Threat Hunting Tools
Services operating on91[.]238[.]181[.]250 includes an Nginx web server (version 1.15.12) and OpenSSH (version 8.9p1). The Nginx server has ports 443 (HTTPS) and 80 (HTTP) open, while the OpenSSH server has port 22 open.
Several vulnerabilities were found in the scanned open ports. Notably, the Nginx server has the CVE-2021-23017 vulnerability, which poses a risk of remote Denial of Service (DoS) attacks. This vulnerability is rated with a CVSSv3 score of 7.7, indicating high risk.
The SSL certificate for port 443 includes the domain ‘chromeupdatingmac[.]com’, issued by Let’s Encrypt’s R3 certification authority, valid from May 14, 2024, to August 12, 2024. The certificate uses the SHA256WithRSA algorithm and supports digital signatures, client authentication, and server authentication. The detected JARM hash represents the server’s TLS configuration fingerprint.
The historical information at the bottom of the IP address report contains data that allows you to check the history of the IP address, including the domains connected to this IP address used in the attack. From 2020 to 2024, you can see a total of three domains connected, ‘chromeupdatingmac[.]com’, ‘xaracc556[.]com’, and ‘endhip[.]agency’, of which ‘chromeupdatingmac[.]com’ is related to the SSL certificate mentioned above.
Considering this IP address analysis information, the IP address poses a high-security threat, and active monitoring and action on the C2 IP address are required.
TTPs and MITRE ATT&CK Techniques in Open-Source Supply Chain Attacks
The key TTPs observed in these supply chain attack cases include:
- Typo-squatting: Distributing malicious packages with names resembling legitimate ones.
- Post-install scripts: Using scripts to download additional payloads.
- Exploiting open-source repositories: Leveraging open-source platforms for software supply chain attacks.
The associated MITRE ATT&CK techniques and stages include:
- T1078: Modifying trusted software for infiltration.
- T1204: Inducing user actions to install malicious software.
The open-source ecosystem has accelerated technological advancements by fostering collaboration among individual developers, companies, and institutions. However, from a cybersecurity perspective, it is crucial to recognize the risks of supply chain attacks and continuously monitor for potential threats.
For further reading, refer to the article Polyfill Supply Chain Attack: Malicious Code Injected Into More Than 100,000 Domains.
This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Sign up for a free Criminal IP account today to explore the search results mentioned in the report and delve into comprehensive threat intelligence.
Source: Criminal IP(https://www.criminalip.io/)
Related article :