Rogue npm package deploys open-source rootkit in new supply chain attack

Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software supply chain security headlines from around the world, curated by the team at ReversingLabs.

This week: RL researchers discovered a new supply chain attack on npm that utilizes an open-source rootkit. Also: Ransomware gangs are now targeting a recently patched critical vulnerability in JetBrains' TeamCity continuous integration and deployment server.

This Week’s Top Story

Rogue npm package deploys open-source rootkit in new supply chain attack?

This week, researchers at ReversingLabs discovered a new malicious campaign on the npm open-source software repository in which a typo-squatted package delivered an open-source rootkit known as r77. RL first identified the campaign in August 2023, and prior to the malicious package being taken down, it was downloaded over 700 times by developers.?

The malicious package mimics a legitimate one, node-hide-console-window. The malicious package’s name differs by one letter: node-hide-console-windows. Typosquatting is a popular tool for threat actors who hope to fool developers into downloading malicious packages from open source repositories like npm. In addition to typosquatting the malicious package, the threat actors also took steps to make the npm page for the package look legitimate and identical to the targeted, legitimate package, with the goal of it appearing trustworthy to hurried developers who are the targets of the attack.

Closer analysis of the suspicious npm package using RL's Software Supply Chain Security platform identified malicious code implanted in a file, index.js. When that file ran, it fetched an executable that was detonated immediately thereafter and fetched a copy of DiscordRAT 2.0, an open source “Discord Remote Administration Tool” that is intended “for educational use only.” In short: open source malware. Further analysis of the DiscordRAT executable revealed the inclusion of a command named !rootkit that allowed malicious actors to launch the r77 rootkit, another instance of open source malware, on the victim's machine.?

Based on the malicious package’s inclusion of r77, RL Software Threat Researcher Lucija Valentic said the campaign “suggests that open-source projects may increasingly be seen as an avenue by which to distribute malware.” r77 is a “fileless ring 3 rootkit” maintained by bytecode77, and is designed to hide files and processes that are bundled with other software.?

The door to supply chain attacks is now “open to low-stakes actors,” says Valentic. This malicious npm campaign serves as an example of how even low-skill threat actors can abuse multiple open-source tools to carry out robust supply chain attacks on developers and organizations. (ReversingLabs)

This Week’s Headlines

Ransomware gangs now exploiting critical TeamCity RCE flaw

Ransomware gangs are now targeting a recently patched critical vulnerability in JetBrains' TeamCity continuous integration and deployment server. The flaw (tracked as CVE-2023-42793 and tagged with a 9.8/10 severity score) allows unauthenticated attackers to gain remote code execution (RCE) after successfully exploiting an authentication bypass weakness in low-complexity attacks that don't require user interaction. (Bleeping Computer)

ShellTorch attack exposes millions of PyTorch systems to RCE vulnerabilities

The Oligo Security research team has unveiled a series of critical vulnerabilities within the PyTorch Model Server, also known as TorchServe. Dubbed ShellTorch by researchers; these vulnerabilities are troubling for the artificial intelligence (AI) and machine learning (ML) community, as they open the door for remote code execution and potential server takeovers.?

Oligo Security’s research has identified thousands of vulnerable instances of TorchServe publicly exposed on the internet, with some belonging to the world’s largest and most prominent organizations. (Hack Read)

Hundreds of malicious Python packages found stealing sensitive data

A malicious campaign that Checkmarx researchers observed growing more complex over the past half year has been planting hundreds of info-stealing packages on open source platforms. In all, those packages accounted for around 75,000 downloads. The campaign has been monitored since early April by researchers, who have discovered 272 packages with code for stealing sensitive data from targeted systems. (Bleeping Computer)

The biggest hack of 2023 keeps getting bigger

Since May, mass exploitation of a vulnerability in the widely-used file transfer software MOVEit has allowed cybercriminals to steal data from a dizzying array of businesses and governments, including Shell, British Airways, and the United States Department of Energy.

Progress Software, which owns MOVEit, patched the flaw at the end of May, and broad adoption of the fix ultimately halted the rampage. But the “Clop” data extortion gang had already orchestrated a far-reaching smash and grab. And months later, the full extent of the damage is still coming into view. (WIRED)

Why open-source software supply chain attacks have tripled in a year

According to data from Sonatype, the number of malicious packages detected across the various open-source ecosystems tripled year over year. Sonatype shared in its report that “This pace of growth is astonishing,” and that “It signals the role of the supply chain as one of the fastest growing vectors for adversaries to execute malicious code.” They also noted that they? “have seen an increase in nation-state actors leveraging these vectors” as well. (CSO)

Resource Round Up

ReversingGlass Video: NIST CSF 2.0 is near and a lot has changed in 5 years.

In this 4-minute episode, RL Field CISO Matt Rose gives an overview of the National Institute for Standards and Technology (NIST)’s newest version of their Cybersecurity Framework (CSF). He points out what’s new in CSF 2.0, such as the addition of governance as a discipline, plus a greater focus on software supply chain security. ?[Watch Now]

Software Package Deconstruction | Episode 10: Uncover Software Vendor Risk: How to use Software Supply Chain Analysis to Assess CI/CD Pipelines

By using information revealed from a software package analysis, you'll gain insight into a vendor’s CI/CD pipeline, which will enhance your risk assessments. Join us to see how it is done using the ReversingLabs Software Supply Chain Security platform. [Register Now]

Upcoming Webinar: Threat Modeling and Software Supply Chain Security: Why it matters more than ever.

In this webinar, Chris Romeo, CEO of Devici and joint-founder of the Threat Modeling Manifesto, will join ReversingLabs Field CISO Matt Rose for a lively discussion about how threat modeling can be applied to supply chain security to better plan your organization’s risk management approach. [Register Now]