Threat actors are exploiting abandoned Amazon AWS S3 buckets to slip malicious binaries into legitimate packages on the npm registry without modifying any of the package's own code.
Checkmarx, a software security firm, began investigating after GitHub posted an advisory late last month about several releases of the bignum npm package having been compromised and serving malicious binaries that stole information such as user IDs, passwords and local hostnames from victims' systems.
In a report describing the issue, Checkmarx's researchers note that while the threat to this package was mitigated with a new release, dozens of other open source packages in the npm registry remain exposed to the same kind of attack.
Guy Nachshon, a software engineer with Checkmarx, wrote:
“Since it was the first time such an attack was observed, we conducted a quick search across the open source ecosystem. The results were startling. We found numerous packages and repositories using abandoned S3 buckets that are susceptible to this exploitation.”
Under Attack - Source Code Repositories
Threat actors and groups increasingly see the software supply chain as a simple way to deploy malware and have it reach a large number of victims quickly.
They look for ways to get malicious code into packages that developers then download and build into their own applications. Targets include GitHub, the Python Package Index (PyPI) and RubyGems.
In this case, attackers took over abandoned S3 buckets. S3 is Amazon AWS's object storage service, which lets businesses store and retrieve large amounts of data such as files, documents and images in the cloud. Bucket names are globally unique: once the original owner deletes a bucket, anyone can create a new bucket with the same name, and every URL that still points at that name will resolve to the newcomer's content.
Buckets are accessed through a unique URL and are commonly used for jobs such as website hosting, data backups and, as here, distributing downloadable files.
bignum used node-pre-gyp, a command line tool written in Node.js that downloads a pre-built native binary, in this case from an S3 bucket, and, if the bucket is inaccessible, falls back to building the binary locally. A fallback like this also means a missing bucket produces no install failure, so the bucket's disappearance is easy to miss.
Nachshon wrote:
“However, an unidentified attacker noticed the sudden abandonment of a once-active AWS bucket. Recognizing an opportunity, the attacker seized the abandoned bucket. Consequently, whenever bignum was downloaded or re-installed, the users unknowingly downloaded the malicious binary file, placed by the attacker.”
Credential Exfiltration & Stealing
The malicious binary behaved like the original, with one addition: it collected credentials and sent them to the hijacked S3 bucket, exfiltrating the data via a GET request to the bucket.
The binary was a compiled C/C++ addon called from JavaScript. Native addons give Node.js modules a foot in both worlds: JavaScript code can reach lower-level compiled code, which runs in-process with the full privileges of the Node.js process and outside the JavaScript runtime's normal checks. That expands the attack surface, and it also means the malicious logic lived in a compiled artefact rather than in reviewable source.
Nachshon reverse engineered the compiled file, which proved a challenge. Scanning the file with VirusTotal did not flag it as malicious; only a look at the strings in the binary revealed behaviour odd enough to warrant a deeper dive.
The larger problem is that other packages and repositories were also using expired S3 buckets, which leaves them open to the same kind of attack.
Nachshon adds:
“The danger it poses can be huge if an attacker manages to exploit it as soon as this kind of change occurs. Another risk is posed to organizations or developers using frozen versions or ‘artifactories’, as they will continue to access the same, now hijacked, bucket.”
A New & Improved Version of Bignum
bignum versions 0.12.2 and 0.13.0 used node-pre-gyp to download pre-built binaries. The latest version, 0.13.1, no longer uses node-pre-gyp and no longer downloads pre-built binaries at all, so an install can no longer fetch a binary from a hijacked location.
Zane Bond, head of product at zero trust security software vendor Keeper Security, told The Register that even though this is a unique attack method, SQL injection based attacks are not unusual.
“Finding the exact string that allows you to compromise a system is quite difficult, but this attack type is one of the most simple and common ones out there. This is a case of an adversary getting lucky while doing typical adversary activity.”
Patrick Tiquet, vice president of security and architecture at Keeper Security, added that a similar scenario could play out whenever a trusted distribution location, such as an S3 bucket, is no longer used and is abandoned.