Man
Spoofing system commands opens up new opportunities for cybercriminals.
Researchers from Checkmarx have documented a new technique for attacking supply chains in open source ecosystems that lets attackers use command-line interface (CLI) manipulation to covertly inject malicious code. Such attacks are becoming increasingly dangerous because they allow attackers to evade traditional security measures.
Programmers often use so-called "entry points" to make it easier to work with packages: a package can register the commands it exposes, and the package manager installs a launcher for each of them. It is through these that attackers can run malicious commands when a user invokes a standard tool. This method does not rely on a single, immediate compromise of the system but on gradual infiltration, which increases the chance of bypassing protection.
An example of such an attack is Command Jacking, in which a malicious package registers an entry point under the name of a popular command such as "aws" or "docker". If successful, attackers can intercept credentials or steal sensitive company data when infrastructure is deployed in the cloud.
It is also possible to spoof system commands such as "ls" or "curl". If a directory earlier in the PATH variable contains the launcher installed by a malicious package, the user unwittingly runs malicious code. This is especially dangerous in development environments, where local directories (such as a virtual environment's bin directory) often take priority.
For greater stealth, attackers use the Command Wrapping technique: creating wrappers around the original commands. In this case the malicious code runs invisibly to the user, and the command still returns the expected result, avoiding suspicion.
In addition, the attackers target popular development tools such as pytest or Flake8. By registering malicious plugins through entry points, they can interfere with the code testing and linting process, leaving vulnerabilities undetected.
Particular attention is paid to the ".whl" package format. Unlike traditional ".tar.gz" packages, wheels do not execute scripts during installation, which previously complicated the work of attackers. However, the use of entry points bypasses this limitation and runs the code when certain commands are called.
The exploitation of entry points is becoming a threat not only in Python, but also in other ecosystems: npm, Ruby Gems, NuGet, Rust Crates, and Dart Pub.
Some information security teams are already actively using systems for monitoring suspicious activities in Open Source projects, paying special attention to the analysis of entry points in order to identify potential threats in time and prevent them. Detecting these attacks early will help protect developers and businesses from sophisticated supply chain attacks.
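An audit script along the lines of the entry-point monitoring described above, added here as an illustration (not code from Checkmarx or from the original post). It reads the entry points registered in the current Python environment, flags console scripts that claim the name of a watched CLI or system command and any plugin registered with pytest or Flake8, and checks which system commands a non-system directory earlier on PATH would shadow. The watchlist, plugin groups and system directories are assumptions; `path_shadowing` takes a directory listing as a dict so it can run offline against constructed data.

```python
"""Audit a Python environment for entry-point command jacking (added example)."""
from importlib.metadata import distributions

# Constructed watchlist: cloud CLIs and system tools named in the article.
WATCHED_COMMANDS = {"aws", "docker", "kubectl", "ls", "curl", "git"}
# Plugin groups that pytest / Flake8 load automatically at start-up.
PLUGIN_GROUPS = {"pytest11", "flake8.extension", "flake8.report"}
# Assumed locations of the genuine system binaries.
SYSTEM_DIRS = ("/usr/local/bin", "/usr/bin", "/bin")


def audit_entry_points(entry_points):
    """entry_points: iterable of (dist, group, name, value) tuples.
    Returns findings as (kind, dist, name, value): 'command_jacking' for a
    console script that takes a watched command name, 'plugin_autoload'
    for any plugin registered with pytest or Flake8."""
    findings = []
    for dist, group, name, value in entry_points:
        if group == "console_scripts" and name in WATCHED_COMMANDS:
            findings.append(("command_jacking", dist, name, value))
        elif group in PLUGIN_GROUPS:
            findings.append(("plugin_autoload", dist, name, value))
    return findings


def path_shadowing(path_dirs, listing, system_dirs=SYSTEM_DIRS):
    """path_dirs: PATH entries in search order; listing: dict of directory ->
    set of executable names (build it with os.listdir on a live system).
    Returns {command: (shadowing_dir, system_dir)} for each system command
    whose first hit on PATH is a copy in a non-system directory."""
    shadowed = {}
    for sys_dir in system_dirs:
        for cmd in listing.get(sys_dir, ()):
            for d in path_dirs:
                if cmd not in listing.get(d, ()):
                    continue
                if d not in system_dirs:
                    shadowed.setdefault(cmd, (d, sys_dir))
                break  # the first directory holding the name decides
    return shadowed


def installed_entry_points():
    """Yield every entry point registered in the current environment."""
    for dist in distributions():
        for ep in dist.entry_points:
            yield (dist.metadata["Name"], ep.group, ep.name, ep.value)


if __name__ == "__main__":
    for finding in audit_entry_points(installed_entry_points()):
        print(*finding)
```

A `plugin_autoload` finding is not malicious by itself; it lists what pytest or Flake8 will load so that unexpected plugins can be reviewed.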
Source