Reddit: phishing attack exposed code


Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the newest software supply chain security headlines from around the world, curated by the team at ReversingLabs. This week: Reddit is warning of a phishing attack on its employees that exposed internal code and documents. Also: a new CISA office will focus on operationalizing software supply chain security.

This Week’s Top Story

Phishing attack on Reddit exposes internal code, systems

Reddit said on Thursday that a phishing attack on company employees exposed code for the platform as well as internal documents and dashboards. The breach was the result of what Reddit CTO Chris Slowe said was a “sophisticated and highly targeted phishing attack.”

The incident took place on Sunday, Feb 5, 2023 with the attacker sending out what Slowe described as “plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.”

Attackers obtained a single Reddit employee's credentials, giving them access to “some internal docs, code, as well as some internal dashboards and business systems.” Reddit said it has found no evidence that its primary production systems that run the site were compromised, nor that user account information was exposed. However, attackers may have gained access to "limited contact information for hundreds of company contacts as well as current and former employees and advertiser information."

The window of compromise here appears short, as the phished employee immediately realized what had happened and reported it to Reddit, which cut off the attackers' access and began an investigation. Reddit is one of the most visited sites on the Internet. It had close to 2 billion visitors in December 2022 and had more than 50 million daily active users in 2022. (Reddit)

News Roundup

Here are the stories we’re paying attention to…

CISA office looks to operationalize cyber supply chain security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is making arrangements to build a new office centered on cyber supply chain risk management (C-SCRM), says Federal News Network. The office is being created in an effort to assist government and industry entities in putting C-SCRM into practice, based on the various guidelines and policies put into effect in recent years.

The idea for the C-SCRM office grew out of the Federal Acquisition Security Council (FASC), a new council created by the 2018 SECURE Act and responsible for developing government-wide policies and criteria for securing IT supply chains.

For one of its first initiatives, CISA’s C-SCRM office is planning to release training courses on supply chain risk management, as well as a series of roundtables focused on “operationalizing C-SCRM,” according to Shon Lyublanovits, a former General Services Administration official who has been tapped to lead the new office. The programming will offer different tracks for a variety of stakeholders: federal employees, industry, and all levels of government (state, local, etc.). (Federal News Network)

Researchers find more malware on npm open-source repository

Researchers at ReversingLabs reported that ongoing surveillance of open source repositories turned up more evidence of malware posing as a legitimate npm open source package. The package, aabquerys, has a name similar to that of another, legitimate npm module, abquery: evidence of “typosquatting,” or attempting to sow confusion and fool developers into downloading a malicious package in place of a legitimate one. Analysis of the package revealed that it was a downloader that infected systems with Demon.bin, a malicious agent with typical RAT (remote access trojan) functionality that was generated using an open source, post-exploitation command and control framework named Havoc. At the time of publication, the aabquerys module had been removed from npm and no longer posed a threat. (ReversingLabs)

Cloudy with a Chance of Malware – What’s Brewing for DevOps?

Over at The New Stack, Sarabjeet Chugh takes a look at the trends that will shape the cloud native security landscape in the coming year. One of the biggest forces: software supply chain security. “If what the industry has witnessed in the past three years is any indication, cyberattacks on software supply chains will only increase in both frequency and severity throughout this year, as they have in previous years,” Chugh writes. "From open source and third-party software libraries to developer user accounts and log-in credentials to components required to build, package and sign software — every element of the software supply chain will be subject to attack.” The consequence? “Software component management tools used to track and manage open source software components that developers use will become important,” he writes. (The New Stack)

Open source at inflection point over security?

Open source software is all the rage right now, but the larger open source ecosystem is teetering in the face of “existential challenges”, according to OpenUK CEO Amanda Brock.

Those challenges range from conflicting regulatory regimes in London, Brussels, and Washington, to a long-running funding gap for open source projects that may see important work wither and die. “We’re either going to win or we’re going to lose,” Brock told IT Pro.

If companies invested in the success of open source (such as Google) don’t increase their support, investment and curation of the larger ecosystem, things can swing “really hard” the other way, driving corporations and governments away from open source out of concern about the risks of using it. “[They could] turn around and say this open source is rubbish – it didn’t work – I’m going to stop using it,” Brock said. (IT Pro)

UK government asks for industry input on software security

The UK government is seeking industry views on how to regulate software security without stifling innovation. Naomi Gilbert, the head of the cyber resilience policy team at the UK’s Department for Digital, Culture, Media and Sport (DCMS) said that the country faced challenges in securing its digital supply chain, including its exposure to open source software risks.

The government is looking for ideas on addressing those risks without hindering technological development, Gilbert said. In her speech, she noted that “the number of attacks targeting open source components is high and growing,” while malicious actors are targeting open source repositories by creating malicious open source software packages that developers inadvertently include in their software. (Infosecurity Magazine)

Secure Supply Chains Need Security-Aware Frontline Devs

Organizations will need to make big changes in how they prioritize code security to address the growing risk posed by software supply chain breaches, according to Francis Ofungwu, the Global Field CISO at GitLab. In a piece published on TechBeacon, Ofungwu argues that increasing security awareness and training for frontline developers is critical: “For engineers to maintain applicable security controls at the development stage, they must be fully empowered in their roles as the first line of defense against threats. Any vulnerability at this stage can impact their ability to efficiently release secure code.”

Developers are best positioned to remediate software risks, but often lack security training and awareness, he says. “Software engineers need to understand the impact of weaknesses in each phase of software development. To that end, they need real-time context on the threats and vulnerabilities that exist in each phase of the SDLC.” (TechBeacon)

We need to talk about GitOps

In an environment of growing attacks on software supply chains and CI/CD pipelines, developers should take a hard look at GitOps, writes Kubefirst co-founder John Dietz over at The New Stack. “In a world where microservices and microproducts endlessly blossom throughout your platform’s ecosystem, it becomes increasingly difficult over time to manage these tens, then hundreds and soon thousands of microcomponents.

But GitOps is able to reel all this back under control with the simplicity of a single branch of a git repository and some files that describe exactly what’s deployed.” That benefit extends to security, as well. “CI tools are common attack vectors for bad actors. Any access they have is at risk during a breach. With GitOps, your CI tool won’t need access to your cluster. Instead your cluster will pull its deployments and configurations using a read-only connection to your GitOps git repository,” he writes. “Securing that git repository becomes the new game, which is much easier to manage, especially if you manage your git repositories in Terraform.” (The New Stack)
