KEY FINDINGS
- Cybersecurity firm Checkmarx has discovered a new wave of supply chain attacks exploiting bugs in popular communication and e-commerce platforms.
- The targeted platforms include Telegram, Alibaba Cloud, and AWS.
- Attackers are injecting malicious code into open-source projects and compromising systems.
- They leveraged Starjacking and Typosquatting techniques to lure developers to the malicious packages.
- The campaign was active throughout September 2023.
Cybersecurity firm Checkmarx discovered a new supply chain attack, which it believes was launched by a low-key threat actor it tracks as kohlersbtuh15. This campaign was active in September 2023.
The recent surge in these malicious attacks prompted the Open Source Security Foundation (OpenSSF) to introduce its latest initiative, the Malicious Packages Repository, just last week.
According to the Checkmarx report authored by Yehuda Gelb, the attacker used the Python Package Index (PyPI) software repository and launched attacks using Starjacking and Typosquatting techniques.
Further probing revealed that the actor is exploiting vulnerabilities in platforms such as Telegram, Amazon Web Services (AWS), and Alibaba Cloud Elastic Compute Service (ECS) to target developers and users. They are exploiting Aliyun’s services, and these three platforms are a part of it.
The attacker injects malicious code into the open-source projects these platforms are using to compromise users’ devices and steal sensitive data, financial and personal information, and login credentials. The malicious code is injected into specific software functions, which makes it pretty challenging to detect foul play and address the issue.
The code embedded into these packages doesn’t execute automatically on installation. It is strategically hidden inside different functions and triggers only when one of these functions is called. Reportedly, kohlersbtuh15 published a series of malicious packages to the PyPI package manager, targeting the open-source community.
Using typosquatting, the attackers craft a package mirroring the legitimate one, but the fake package has a hidden malicious dependency, which triggers the malicious script running in the background. The victim would not suspect anything as everything happens behind the scenes.
Starjacking refers to linking a package hosted on a package manager to an unrelated package repository on GitHub. Through this technique, unsuspecting developers are tricked into considering it an authentic package. To enhance the scope of this attack, threat actors have combined these two techniques in the same software package.
For instance, the Telethon 2 package is a typosquatted version of the popular Telethon package that also performs starjacking via the official Telethon package’s GitHub repository. This indicates the threat actor has copied the source code exactly as it is from the official package and embedded malicious lines in the telethon/client/messages.py file. The malicious code executes only when the Send Message command is called.
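A defender-side check for the combination described above, as an added example that is not code from the Checkmarx report or this article: it flags an upload whose name imitates a known package (typosquatting) and whose declared repository belongs to that package (starjacking). The repository URLs, the `example-cloud-sdk` name, the sample uploads and the 0.85 similarity threshold are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed reference list: well-known package -> canonical source repository.
# URLs are placeholders, not the projects' real repositories.
KNOWN = {
    "telethon": "https://github.com/example-org/telethon",
    "example-cloud-sdk": "https://github.com/example-org/cloud-sdk",
}

def normalize_name(name):
    """PEP 503 normalization: case-insensitive, runs of -_. are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()

def normalize_repo(url):
    url = (url or "").strip().lower().rstrip("/")
    return url[:-4] if url.endswith(".git") else url

def bare(name):
    """Drop separators and trailing digits, so 'telethon2' compares as 'telethon'."""
    return name.replace("-", "").rstrip("0123456789")

def assess(name, repo_url, known=KNOWN, threshold=0.85):
    """Return (finding, impersonated_package) pairs for one upload's metadata."""
    n = normalize_name(name)
    if n in known:
        return []  # the reference package itself
    repo = normalize_repo(repo_url)
    findings = []
    for legit, legit_repo in known.items():
        similar = SequenceMatcher(None, n, legit).ratio() >= threshold
        if similar or bare(n) == bare(legit):
            findings.append(("typosquat", legit))
        # Starjacking: metadata points at a repository owned by another project.
        if repo and repo == normalize_repo(legit_repo):
            findings.append(("starjack", legit))
    return findings

if __name__ == "__main__":
    # Constructed uploads: (name, repository URL declared in package metadata).
    for upload in [("Telethon2", "https://github.com/example-org/Telethon.git"),
                   ("fastmsg", "https://github.com/example-org/telethon/"),
                   ("unrelated-tool", "https://github.com/example-org/unrelated-tool")]:
        print(upload[0], assess(*upload))
```

A repository match is only a signal, since forks and sub-packages can legitimately share a URL; flagged uploads still need a look at who published them.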
“By targeting popular packages used in platforms such as Telegram, AWS, and Alibaba Cloud, the attacker demonstrated a high level of precision. This was not a random act, but a deliberate effort to compromise specific users who rely on these widely-used platforms, potentially impacting millions of people,” Gelb wrote.
The damage caused by this attack is far greater than compromised devices as all types of data linked with these platforms, like communication details from Telegram or AWS cloud data and business-related data from Alibaba Cloud, could be accessed and exploited. This attack highlights that supply chain attacks continue to be a threat as attackers are eyeing vulnerabilities in third-party services/software to access targeted systems and steal data.