RATs found hiding in the npm attic

Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software supply chain security headlines from around the world curated by the team at ReversingLabs.

This week: ReversingLabs researchers discover infostealer malware hiding in npm, NIST calls for participants in new security practices project, and more.

This Week’s Top Story

RATs found hiding in the npm attic

This week, researchers at ReversingLabs discovered two malicious packages on the npm open source repository that contained TurkoRat, an open source infostealer. The packages lurked on npm for two months before researchers detected them, raising questions about the ability of providers such as npm (a subsidiary of GitHub, which is itself owned by Microsoft) to detect malware and other threats lurking in open source packages.

Researchers detected the packages during routine scanning of npm after noticing a combination of certain behaviors and characteristics that, when used together, are highly indicative of malicious activity. Those include indicators such as the package’s name and version numbers, which were deemed suspicious enough by researchers to warrant further analysis.

The detected package, nodejs-encrypt-agent, was analyzed with the ReversingLabs Software Supply Chain Security platform, which confirmed that the package was in fact malicious. The package contained a portable executable (PE) file that performs several malicious actions, including writing to and deleting from Windows system directories, executing commands, tampering with domain name system (DNS) settings, and more.

With greater analysis of the PE file, researchers were able to identify the malicious executable known as TurkoRat, an open source “infostealer” that sports sandbox and debugger evasion features and gives malicious actors the ability to steal sensitive information from infected systems, such as login credentials and crypto wallets. 
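As an added illustration (this is not ReversingLabs' tooling or the analysis used in this research), the Python script below shows what a first-pass triage for the kinds of indicators described above can look like when applied to an extracted npm package: lifecycle scripts that run at install time, a bundled PE file recognized by its DOS/PE header pair, and a package name one edit away from a popular one. The package name, the list of popular packages and the fake binary are all constructed for the demo.

```python
"""Added example (not ReversingLabs' tooling): heuristic triage of an
extracted npm package for install-time scripts, bundled PE files and
lookalike names.  All sample data is constructed inline for the demo.
"""
import json
import os
import struct
import tempfile
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Constructed reference list; a real scanner would derive this from
# registry download statistics rather than hard-coding it.
POPULAR_NAMES = {"https-proxy-agent", "node-fetch", "lodash", "express"}


def is_pe_file(data: bytes) -> bool:
    """True if `data` starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    # e_lfanew: little-endian DWORD at offset 0x3C giving the PE signature offset.
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used as a crude typosquat check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def scan_package(pkg_dir: str) -> list:
    """Return (indicator, detail) findings for an extracted package directory."""
    findings = []
    root = Path(pkg_dir)
    manifest = json.loads((root / "package.json").read_text())

    # 1. Scripts that execute on `npm install` are the classic dropper hook.
    for hook in LIFECYCLE_HOOKS:
        cmd = manifest.get("scripts", {}).get(hook)
        if cmd:
            findings.append(("lifecycle_script", f"{hook}: {cmd}"))

    # 2. A name within two edits of a popular package is worth a second look.
    name = manifest.get("name", "")
    for popular in POPULAR_NAMES:
        if name != popular and edit_distance(name, popular) <= 2:
            findings.append(("lookalike_name", f"{name} ~ {popular}"))

    # 3. A Windows executable has no business in most JavaScript packages.
    for path in root.rglob("*"):
        if path.is_file() and is_pe_file(path.read_bytes()):
            findings.append(("embedded_pe", str(path.relative_to(root))))
    return findings


def build_sample_package() -> str:
    """Construct a throwaway package on disk that trips all three checks."""
    d = tempfile.mkdtemp(prefix="npm-triage-")
    manifest = {
        "name": "https-proxy-agemt",  # constructed lookalike name, not a real package
        "version": "6.0.0",
        "scripts": {"postinstall": "node ./lib/setup.js"},
    }
    Path(d, "package.json").write_text(json.dumps(manifest))
    # Minimal fake PE: 0x80-byte DOS header with e_lfanew = 0x80, then "PE\0\0".
    dos = bytearray(b"MZ" + b"\x00" * 0x7E)
    struct.pack_into("<I", dos, 0x3C, 0x80)
    os.makedirs(Path(d, "lib"))
    Path(d, "lib", "agent.dll").write_bytes(bytes(dos) + b"PE\x00\x00" + b"\x00" * 0x20)
    Path(d, "lib", "setup.js").write_text("// benign-looking loader\n")
    return d


if __name__ == "__main__":
    for kind, detail in scan_package(build_sample_package()):
        print(f"[{kind}] {detail}")
```

None of these checks is proof of malice on its own (plenty of legitimate packages ship native binaries or postinstall scripts); the point, as in the research above, is that the combination of indicators is what justifies pulling a package for deeper analysis.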

This incident on npm is just one of many software supply chain attacks discovered on the open source software platform in recent years. However, the delay in detecting the packages suggests that threat actors are working even harder to make these malicious packages undetectable, increasing the risk for the millions of developers who rely on platforms like npm, GitHub and others.

NIST casts net for participants in software supply chain & DevOps security practices project

The National Institute of Standards and Technology (NIST) has asked organizations to submit letters of interest to participate in a project to create and document an applied, risk-based approach and recommendations for software supply chain and secure DevOps practices. The project is designed to help organizations maintain the volume and velocity of software delivery via a cloud-native strategy and leverage automated platforms.

The notice serves as the first step for the National Cybersecurity Center of Excellence to work with technology companies through a cooperative research and development agreement to address challenges related to DevOps and software supply chain security. (ExecutiveGov)

Trafficstealer exploits container APIs for malicious redirects

Researchers at Trend Micro caught Trafficstealer, a newly identified piece of software, abusing Docker container APIs to redirect users to malicious websites. Threat actors use Trafficstealer to monetize traffic while staying under the radar, hijacking ordinary internet traffic for profit. In this case, Trend Micro found a container running in its honeypot lab network that was redirecting traffic to malicious websites and ads, and the researchers gathered information about the attackers by analyzing the honeypot's JSON logs. (Latest Hacking News)

Want to prevent a cyber attack? Prepare a software bill of materials

Recent cyber attacks have highlighted the general lack of knowledge about code dependencies and attacks on software supply chains. Software bills of materials (SBOMs) point out these relationships between the various components used in building software, which include libraries and modules that can be open source or proprietary, and free or paid. Continue reading this article to learn how SBOMs can become a vital part of your organization's DevOps process. (Open Source For U)

Toyota’s bungling of customer privacy is becoming a pattern

Toyota has admitted yet again to mishandling customer data – this time saying it exposed information on more than two million Japanese customers for the past decade, thanks to a misconfigured cloud environment. Toyota explained in a Japanese-language statement that it took measures to block external access to the insecure cloud system as soon as it noticed the issue – but the fact it took a decade to catch on isn't exactly reassuring. As told by a spokesperson for Toyota: "There was a lack of active detection mechanisms, and activities to detect the presence or absence of things that became public." (The Register)

Resource Round Up

ReversingGlass: AI and Software Supply Chain Security: Proceed with Caution

In this episode, Matt touches on the newfound popularity of AI in relation to Software Supply Chain Security, pointing out the concerns he has for this technology being used by both good and bad actors. 

Watch it now

Software Package Deconstruction: Deconstructing Tabby & Notepad ++

This session applies third-party risk management (TPRM) techniques, examining behaviors and network traffic capabilities, to assess two common open source tools. Such packages represent an overlooked link in the software supply chain, but one that can be addressed with minimal effort given the necessary visibility.

Register to attend

Webinar: 300 Security Pros Reveal Top 7 Software Supply Chain Security Concerns

ReversingLabs' Paul Roberts and Matt Stephenson present the findings of ReversingLabs’ Software Supply Chain Risk Survey, and discuss the broader implications for companies' risk postures. 

Register to watch it on-demand
