CarderPlanet
Professional
- Messages
- 2,552
- Reaction score
- 684
- Points
- 83
Trend Micro researchers detailed methods for compromising trusted repositories.
One of the most worrying trends in recent years has been the increase in attacks on software supply chains, especially those that affect code repositories. According to a report by the European Cybersecurity Agency (ENISA), between 39% and 62% of organizations were affected by cyber incidents involving third parties. However, only 40% of companies surveyed said they understand the cybersecurity and privacy risks associated with third parties.
Even more worryingly, 38% of respondents are unable to determine whether a cyber incident occurred due to a problem in a third-party component. Recent high-profile cyber attacks affecting supply chains, including Apache's Log4j, SolarWinds Orion, and 3CX's 3CXDesktopApp vulnerabilities, have demonstrated just how costly such miscalculations can be.
In modern software development, developers rely on third-party components to simplify development processes. This allows you to create cost-effective, efficient, and functional applications. However, what happens when one of these trusted components is compromised?
Cybercriminals can break into systems by attacking less secure elements of an organization's supply chain, such as third-party vendors or software repositories. This allows them to compromise even proven components, gaining a foothold in larger, more secure environments.
Malicious code is often embedded in seemingly legitimate repositories. When developers integrate these components, believing them to be genuine, they unknowingly introduce vulnerabilities and other cyber risks into the systems they support.
In a recent Trend Micro analysis, researchers found numerous cases where hackers cloned legitimate GitHub repositories and then injected malicious code into them, strategically filling the description sections of fake repositories with keywords so that as many developers as possible would use them by mistake.
Trend Micro specialists reviewed one of these attacks in detail to understand how the attackers operate.
At the first stage of infection, a new technique is used, which the researchers called "Exec Smuggling". This method places the payload after a long sequence of spaces, thereby removing malicious content from the visible area of the screen, so developers may not notice the trick.
As soon as the developer connected the infected library, the first stage of the virus was triggered. It decoded and executed the next part of the malicious load, downloading it from the hackers ' server.
At the second stage, the environment was prepared using Python scripts. The virus installed additional malicious modules, such as "requests", "pyperclip", and "psutil". The Exodus wallet was also hacked by spoofing its executable files.
Then the third stage was launched - the actual data theft. The virus stole passwords, cookies from browsers, addresses of crypto wallets, and other confidential information. All this was sent to the servers of the attackers. Hacking tools such as "BlackCap-Grabber"were used in the attack.
Using such multi-step techniques and injecting malicious code into popular repositories, cybercriminals often successfully steal valuable developer data.
Given the stealth, power, and risks of such attacks, it is clear that both organizations and independent developers should prioritize comprehensive security measures, including thorough evaluation of all third-party components and continuous monitoring of integrated systems.
One of the most worrying trends in recent years has been the increase in attacks on software supply chains, especially those that affect code repositories. According to a report by the European Cybersecurity Agency (ENISA), between 39% and 62% of organizations were affected by cyber incidents involving third parties. However, only 40% of companies surveyed said they understand the cybersecurity and privacy risks associated with third parties.
Even more worryingly, 38% of respondents are unable to determine whether a cyber incident occurred due to a problem in a third-party component. Recent high-profile cyber attacks affecting supply chains, including Apache's Log4j, SolarWinds Orion, and 3CX's 3CXDesktopApp vulnerabilities, have demonstrated just how costly such miscalculations can be.
In modern software development, developers rely on third-party components to simplify development processes. This allows you to create cost-effective, efficient, and functional applications. However, what happens when one of these trusted components is compromised?
Cybercriminals can break into systems by attacking less secure elements of an organization's supply chain, such as third-party vendors or software repositories. This allows them to compromise even proven components, gaining a foothold in larger, more secure environments.
Malicious code is often embedded in seemingly legitimate repositories. When developers integrate these components, believing them to be genuine, they unknowingly introduce vulnerabilities and other cyber risks into the systems they support.
In a recent Trend Micro analysis, researchers found numerous cases where hackers cloned legitimate GitHub repositories and then injected malicious code into them, strategically filling the description sections of fake repositories with keywords so that as many developers as possible would use them by mistake.
Trend Micro specialists reviewed one of these attacks in detail to understand how the attackers operate.
At the first stage of infection, a new technique is used, which the researchers called "Exec Smuggling". This method places the payload after a long sequence of spaces, thereby removing malicious content from the visible area of the screen, so developers may not notice the trick.
As soon as the developer connected the infected library, the first stage of the virus was triggered. It decoded and executed the next part of the malicious load, downloading it from the hackers ' server.
At the second stage, the environment was prepared using Python scripts. The virus installed additional malicious modules, such as "requests", "pyperclip", and "psutil". The Exodus wallet was also hacked by spoofing its executable files.
Then the third stage was launched - the actual data theft. The virus stole passwords, cookies from browsers, addresses of crypto wallets, and other confidential information. All this was sent to the servers of the attackers. Hacking tools such as "BlackCap-Grabber"were used in the attack.
Using such multi-step techniques and injecting malicious code into popular repositories, cybercriminals often successfully steal valuable developer data.
Given the stealth, power, and risks of such attacks, it is clear that both organizations and independent developers should prioritize comprehensive security measures, including thorough evaluation of all third-party components and continuous monitoring of integrated systems.
