
Data Dog Does A Deep Dive Into A WordPress Supply Chain Attack

Posted in Commentary with tags on December 17, 2024 by itnerd

Since I am a WordPress user, any security news related to WordPress tends to catch my attention. This research by Data Dog certainly did. In short, a threat actor tracked as MUT-1244 has stolen over 390,000 WordPress credentials. This campaign is huge and has been going on for years; thus it is far from trivial. Full details of how this campaign worked are in the research that I linked to. But if you want the TL;DR, Matt Bromiley, Lead Solution Engineer at LimaCharlie, can help you with that:

“This attack utilized two initial access mechanisms. These techniques are the methods by which adversaries attempt to infect victim users. The two mechanisms were:

  • Spearphishing – This mechanism targeted academics. The phishing emails were crafted to look like kernel upgrade notifications, providing a link to run malicious code.
  • Trojanized GitHub Repositories – This mechanism mimicked GitHub repositories of legitimate proof-of-concept (PoC) exploits for known CVEs. However, the PoC code was changed to utilize malicious libraries, subsequently infecting the systems of victims who ran the copied repositories.

The term “same second-stage payload” indicates that regardless of phishing or malicious PoC code, the secondary payload dropped onto the victim systems was the same. Essentially, this means that the attackers had two delivery mechanisms – and targeted victims – to deliver the same payload, which was a backdoor that exfiltrated system details and credentials, amongst other information.

The report indicated 49 malicious repositories masquerading as legitimate PoC code. They were strategically named to appear legitimate, so as not to tip off adversaries. It is not irregular to see these types of numbers, as replicating a code repository with malicious code is trivial.

This is classified as a supply chain attack due to the exploit of libraries or tools utilized in code. In this case, the victims did not execute inherently malicious code. Instead, they executed code that incorporated a malicious package. Thus, analysis of the initial code would not warrant suspicion. It would require that users analyze the imported libraries in order to identify the malicious backdoor.”

This attack is very crafty, which is why it has been so successful. It shows that defenders need to alter how they defend so that the next attack that uses methods like these isn’t nearly as successful.