Malicious NuGet campaign uses homoglyphs, IL weaving to fool devs

Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software security headlines from around the world, curated by the team at ReversingLabs .

This week: RL researchers discovered a malicious NuGet campaign using homoglyphs and IL weaving to fool devs. Also: The U.S. Supreme Court’s latest ruling threatens the future of agency-run cybersecurity regulation.?

This Week’s Top Story

Malicious NuGet campaign uses homoglyphs, IL weaving to fool devs?

Back in 2023, the RL threat research team reported on a malicious campaign targeting the NuGet repository, a popular open source package manager for .NET code, where more than 700 malicious packages were identified. After tracking the malicious campaign for almost a year, our team recently discovered this threat actor shifting their tactics in an effort to continue spreading malware on the repository. The threat actor has since moved away from exploiting MSBuild integrations, and is now inserting simple, obfuscated downloaders into legitimate PE binary files using Intermediary Language (IL) weaving.?

IL weaving is a .NET programming technique for modifying an application’s code after compilation. In these types of attacks, the threat actor takes a compiled .NET binary from a legitimate NuGet package and patches it in order to inject a module initializer. Such a patch occurs when the original binary is decompiled, then the desired functionality is added, or “weaved,” into it, before being put back together. By weaving the two (the original binary and the malicious code), the malicious campaign becomes harder for threat researchers to detect.??

The threat actor used this technique to create a malicious version of Guna.UI2.WinForms, a popular open source package that is used to create desktop UIs. By using IL weaving, they were able to modify the legitimate package’s code to inject a module initializer, and then named the modified package G??a.UI3.W?nf?rms – an obvious “typo-squat” on the name of the legitimate package – followed by publishing it to NuGet for users to download.??

The threat actor was also able to build trust in its malicious version of the package, because “Guna” is a reserved prefix name on the NuGet repository, meaning only the authors that own and manage that prefix can publish packages starting with the name. This means that NuGet users may have believed at first-glance that the malicious, typo-squatted package was built by the legitimate Guna authors. However, upon closer inspection by our team, it became clear that the malicious package does not use “Guna” at all, but rather a combination of letters and homoglyphs – unique characters that look identical, while having totally different features (sounds) and digital identifiers – to mimic the prefix Guna.?

This new technique unfortunately evades YARA rule detection, but RL threat researchers were able to combine indicators using RL Spectra Assure to create a good threat hunting heuristic. This heuristic and other Indicators of Compromise (IoCs) for the campaign can be found within the blog post linked at the end of this article. RL has reported the packages and they have since been taken down from NuGet. (ReversingLabs)

This Week’s Headlines

Supreme court ruling threatens the framework of cybersecurity regulation?

On June 28, 2024, the Supreme Court overruled the Chevron Doctrine, a 40-year-old principle that allowed federal agencies to interpret ambiguous laws using their subject matter expertise. This shift mandates that courts, rather than agencies, now hold the authority to interpret statutory ambiguities independently. This ruling will significantly alter the regulatory landscape by reducing agencies' autonomy and expertise in enforcing regulations, including those pertaining to cybersecurity. Most cybersecurity regulation has traditionally been managed by agencies like the FDA, SEC, DHS, and more. The decision is expected to lead to increased litigation, as businesses may more frequently challenge agency-run cybersecurity regulations, potentially resulting in a more burdensome and complex regulatory environment. It also may slow regulatory adaptation to technological advancements, creating vulnerabilities and legal ambiguities that could hinder effective cybersecurity measures. (Security Week)

What’s bugging the NSA? A vuln in its Skill-Tree training platform

The U.S. National Security Agency (NSA) has patched a cross-site request forgery (CSRF) vulnerability in its open source employee training platform known as SkillTree, an online education platform created in-house at NSA. This patch is an example of how difficult this class of bug is to catch prior to production release. CSRFs tend to go unpatched – or unspotted – since teams prioritize vulnerabilities that lead to the exposure of sensitive information – or the team misses the bug due to it not interfering with the application’s ability to run. (Dark Reading)

Bipartisan Senate bill takes aim at ‘overly burdensome’ cybersecurity regs?

The Streamlining Federal Cybersecurity Regulations Act from Sens. Gary Peters, D-Mich., and James Lankford, R-Okla., called on the White House’s National Cyber Director to create a committee that would harmonize the myriad of cybersecurity requirements imposed on companies by federal regulatory agencies. Such a committee would be responsible for identifying “overly burdensome, inconsistent, or contradictory” cybersecurity requirements and recommending updates to them, while establishing minimum standards and reciprocity among agencies. (CyberScoop)

Software supply chain still dangerous despite new protections?

In late March, Microsoft developer and engineer Andres Freund discovered that someone had placed a backdoor in the open source data compression tool XZ Utils, found in Linux installations. This backdoor was one that could have caused a software supply chain attack on par with Sunburst, the incident targeting SolarWinds’ Orion software. Such a narrow miss caused organizations to bump up the priority of supply chain security in their overall security posture this past year. But, is it enough? This CSO article argues that software supply chain security still has a long way to go. (CSO)

Trojanized jQuery threatens thousands on npm, GitHub, and CDNs?

Researchers at Phylum, a software supply chain security firm, uncovered a persistent software supply chain attack targeting developers who use the popular JavaScript library jQuery. According to researchers, attackers have published trojanized versions of jQuery in dozens of packages under multiple npm accounts. This attack is especially unconventional, with attackers carefully crafting individual packages that contain legitimate jQuery code with slight, malicious modifications - a level of care implies that there was manual assembly and publication of each package. For anyone who uses jQuery, experts suggest updating any npm packages that rely on the package. Going forward, it’s recommended that software producers scan third-party code prior to deployment. (HackRead)

Legacy systems are the achilles’ heel of critical infrastructure cybersecurity

China and other nation-state actors are actively probing the defenses of critical infrastructure globally, specifically targeting legacy and outdated systems. These systems, which are frequently found in critical infrastructure, pose significant risks due to their vulnerabilities from being end-of-life (EOL) or unsupported. For CISOs, it is crucial to continuously identify and manage these legacy systems to avoid creating blind spots in their security posture. The challenge of technical debt—accumulated fixes and outdated systems—further complicates the security of critical infrastructure. This debt makes systems more susceptible to attacks, as demonstrated by past incidents involving EOL systems. CISOs need to maintain awareness and implement frameworks to manage risks associated with legacy systems, ensuring patches, updates, and planning are in place to defend against potential adversaries. (CSO)

GitLab patches critical flaw allowing unauthorized pipeline jobs?

GitLab has released updates to address several security vulnerabilities, including a critical flaw (CVE-2024-6385) with a CVSS score of 9.6 that allows attackers to run pipeline jobs as arbitrary users, affecting versions 15.8 prior to 16.11.6, 17.0 prior to 17.0.4, and 17.1 prior to 17.1.2. A high-severity bug (CVE-2024-5655) with the same CVSS score was also fixed last month, along with a medium-severity issue (CVE-2024-5257) allowing certain users to modify group namespace URLs. These updates have been applied to versions 17.1.2, 17.0.4, and 16.11.6 of both Community and Enterprise Editions. Meanwhile, CISA and the FBI issued a bulletin urging the elimination of OS command injection flaws to prevent remote code execution attacks, emphasizing the need for improved input sanitization and validation. (The Hacker News)

Resource Round-up

Report I Gartner?: Leader’s Guide to Software Supply Chain Security

This new report from Gartner indicates that software supply chain attack costs will increase 200% by 2031. To help companies address these issues, Gartner has introduced three pillars for software supply chain security. Learn more about the three pillars and get critical attack insights provided by the ReversingLabs team. [Read it here]

Webinar I Quarterly Product Review & Roadmap Q2 2024

Join RL VP of Product, Erik Thoen and VP of Product Marketing, Dan Petrillo as they break down the past quarter's product updates and peel back the curtain on some of the advancements to our software supply chain security and malware analysis solutions targeted for the coming months. [Secure your spot]

Webinar I Threat Research Round-up Q2 2024

Join the RL Threat Research team as they reveal their latest findings from the past few months. They will cover the discovery of two malicious VS Code extensions, the suspicious NuGet package SqzrFramework480 targeting developers using Chinese industrial technology, a wiper on PyPI linked to a red team exercise, the compromise of the xz-utils open-source compression library, and more. [Save your seat]

On Demand Webinar I From Dev to Deploy: Standing Up A Software Supply Chain Security Program

In the latest edition of the RL Book Club Series, host Paul Roberts interviewed Cassie Crossley, VP of Supply Chain Security at Schneider Electric, about her new book from O’Reilly: Software Supply Chain Security. [Watch it here]