VMConnect Supply Chain Campaign Points To North Korea
ReversingLabs
Welcome to the latest edition of Chainmail: Software Supply Chain Security
This week: researchers discovered new, malicious modules on the PyPI open source repository that suggest the VMConnect software supply chain campaign is ongoing - and may have links to the North Korean APT Lazarus Group.
This Week’s Top Story
VMConnect supply chain attack continues, evidence points to North Korea
Researchers at ReversingLabs reported this week that they identified three more malicious Python packages that are believed to be a continuation of the software supply chain campaign known as VMConnect, which was first identified in early August. The packages, named tablediter, request-plus, and requestspro, mimicked popular Python Package Index (PyPI) packages in an attempt to get developers to load the malicious modules. Just as important: analysis of the malicious packages used and their decrypted payloads reveals links to previous campaigns attributed to Labyrinth Chollima, an offshoot of Lazarus Group, a North Korean state-sponsored threat group. In contrast to other recent supply chain campaigns, such as Operation Brainleeches, the malicious packages that make up the latest VMConnect campaign showed evidence of a concerted effort to deceive developers. That included implementing the entire functionality of the modules they are imitating and standing up corresponding, linked GitHub projects that omitted the malicious functionality found in the PyPI release package.
This is not the first time that we have observed such behavior. In June 2022, for example, we discovered a malicious npm package, maintenancewebsite, which used a similar approach to hide crypto-mining features.
The VMConnect campaign is just the latest example of open source modules being used to propagate malicious code, and more evidence that security assessments of open source code
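One defensive check the tactic described above suggests, as an added example that is not ReversingLabs' own tooling: compare the files shipped in a PyPI release against the linked GitHub tree and flag anything the distribution adds or changes, since a repo that omits the malicious code will differ from the package that carries it. The package name, paths and file contents below are constructed for illustration.

```python
from __future__ import annotations
import hashlib
import os
from dataclasses import dataclass, field


@dataclass
class TreeDiff:
    only_in_dist: list[str] = field(default_factory=list)  # shipped but not in repo
    only_in_repo: list[str] = field(default_factory=list)  # in repo but not shipped
    modified: list[str] = field(default_factory=list)      # present in both, contents differ

    def is_clean(self) -> bool:
        # Files missing from the distribution are normal (tests, CI config);
        # files added or altered in the distribution are what warrant review.
        return not (self.only_in_dist or self.modified)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_tree(root: str) -> dict[str, bytes]:
    """Map relative path -> contents for every file under root (skips .git)."""
    tree: dict[str, bytes] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                tree[rel] = fh.read()
    return tree


def diff_trees(dist: dict[str, bytes], repo: dict[str, bytes]) -> TreeDiff:
    """Compare an unpacked sdist/wheel tree against the linked source repo tree."""
    result = TreeDiff()
    for path in sorted(set(dist) | set(repo)):
        if path not in repo:
            result.only_in_dist.append(path)
        elif path not in dist:
            result.only_in_repo.append(path)
        elif sha256(dist[path]) != sha256(repo[path]):
            result.modified.append(path)
    return result


# Constructed sample: the public repo, and a release that adds a hidden module
# and patches __init__.py to import it (a hypothetical package, not a real one).
REPO = {
    "setup.py": b"from setuptools import setup\nsetup(name='example-pkg', packages=['example_pkg'])\n",
    "example_pkg/__init__.py": b"def edit_table(rows):\n    return [r for r in rows if r]\n",
}
DIST = dict(REPO)
DIST["example_pkg/__init__.py"] = REPO["example_pkg/__init__.py"] + b"from ._loader import *\n"
DIST["example_pkg/_loader.py"] = b"# module present only in the release artifact\n"


def audit_sample() -> TreeDiff:
    return diff_trees(DIST, REPO)


if __name__ == "__main__":
    d = audit_sample()
    print("added in release:", d.only_in_dist)
    print("changed in release:", d.modified)
    print("clean:", d.is_clean())
```

For a real audit, unpack the downloaded sdist and clone the tagged repo, then call `diff_trees(load_tree(sdist_dir), load_tree(repo_dir))`.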
NIST Requests Comments on Draft Software Supply Chain Security Framework
The National Institute of Standards and Technology (NIST) is seeking public input on a draft report (NIST Special Publication 800-204D) that outlines strategies for enhancing software supply chain security.
New data exfiltration attacks leverage malicious NPM packages
Data exfiltration attacks targeting software developers are using malicious NPM packages developed by "lexi2," according to reports. Installation of the package prompts the automated execution of files, including the "index.js" script, which gathers operating system usernames and working directories on compromised machines that are then delivered to a predefined FTP server, according to a report from Checkmarx. The script scans for .env, .github, .gitlab directories, and .php, .asp, .js files on compromised machines. (SC Magazine)
Microsoft PowerShell Gallery Littered with Critical Vulnerabilities
PowerShell Gallery, Microsoft's repository for PowerShell code, has serious security vulnerabilities, including lax naming policies and authorship spoofing, according to a report by Aqua Security. The flaws pose serious security risks, enabling typosquatting attacks, deceptive package ownership, and unauthorized access to sensitive information. Despite reporting these issues to the Microsoft Security Response Center (MSRC), they remain unresolved as of August 2023, Aqua said. (The New Stack)
Threat Actors Exploiting OTP APIs For Large-Scale SMS Bombing Attacks
Threat actors are using automated software to flood mobile devices with excessive OTP messages, exploiting unprotected APIs, according to a report by the company CloudSEK. The company surveyed numerous GitHub repositories with references to global organizations and their application programming interfaces (APIs). The APIs lack rate limiting and captcha protection, allowing an infinite number of OTP SMS messages to be delivered. India and Russia had the most exposed APIs, and e-commerce was the most targeted sector. (BQPrime.com)
Google debuts Duet AI to tackle new cybersecurity challenges in the cloud
Google introduced new AI-based solutions at the Google Next 2023 conference as it seeks to address the growing threat landscape and security team challenges. Duet AI for Workspace will offer AI-based assistance for various tasks, including code development and natural language processing. (ZDNet.com)
Developers Beware: Malicious Rust Libraries Caught Transmitting OS Info to Telegram Channel
Malicious packages have been discovered on the Rust programming language's crate registry, according to Phylum. The libraries, uploaded between August 14 and 16, 2023, were published by a user named "amaperf." The malicious packages, which have been removed, had the names: postgress, if-cfg, xrvrv, serd, oncecell, lazystatic, and envlogger. The suspicious modules are believed to have been able to harvest operating system information (i.e., Windows, Linux, macOS, or Unknown) and transmit the data to a hard-coded Telegram channel via the messaging platform's API. (The Hacker News)
Resource Roundup
ReversingGlass Video: CISA Secure by Design/Secure by Default is HARD
In this episode, Matt explains why CISA's Secure by Design, Secure by Default policy is great in concept but difficult to execute in the real world. This is because the policy can really only be applied to new software that hasn't yet been released to the market. [Watch Now]
Software Package Deconstruction Series: Deconstructing OneDrive and Dropbox | A Cloud Storage App Throwdown
Live on September 7, we will analyze popular cloud storage applications from a third-party risk management perspective. We will review behaviors, Internet communications, and other relevant information to evaluate the risk related to each option. [Register Now]