해커는 오타 무단거주를 사용하여 Ruby 저장소에서 700 개의 라이브러리를 트로이 목마화

newsroom 4/19 '20 posted 뉴스 IT

• 구체적으로 살펴보면, 이 라이브러리는 합법적인 라이브러리의 복사본이며 악성 파일을 추가하여 수정되었습니다.

• 결론적으로,이 모든 악성 라이브러리는 ReversingLabs가 사건을 RubyGems 보안 팀에 보고한 후 2 일 27 일에 제거되었습니다.

• "프로그래밍 언어와 긴밀하게 통합되어 있기 때문에 저장소는 타사 구성 요소의 사용과 관리를 용이하게합니다" 사이버 보안 회사는 밝혔습니다.

• 그러나 버튼을 클릭하거나 간단한 명령을 실행하는 것만으로도 위험 할 수 있습니다. 개발자 계정 및 빌드 환경을 저해하거나, 패키지 이름을 오타하거나하여 위협자도 이 편의에 관심을 보이고 있기 때문이다 "고 덧붙였습니다.

• 다시 말해,이 특정 공급망 공격은 루비 개발자들에게 이 시스템을 사용하여 비트 코인 거래를 했던 Windows 시스템을 대상으로했습니다.

• 먼저“% PROGRAMDATA % \ Microsoft Essentials \ Software Essentials에 주요 악성 루프가 포함된 새 VBScript 파일을 만듭니다.

• 이 유형의 공격을 사용하면 위협 행위자는 의도하지 않은 사용자가 이름을 잘못 입력하고 의도하지 않게 악성 패키지를 설치하기 위해 악의적인 패키지 이름을 의도적으로 인기있는 패키지 (예 : rspec-mock 대신 rspec-mokcs)와 비슷하게 지정합니다.

• 그림 3과 4에 나타낸 바와 같이, 이 악성 gem은 2,100 다운로드이 있고 RubyGems 보안 팀에보고 한 시점에서 정당한 gem "atlas_client"이 가지고 있던 총 다운로드 30 % 가까이었습니다.

• 이러한 유형의 "스프레이 앤 프레이" 공급망 공격에 성공하기에 가장 적합한 후보는 Ruby 개발자이며, 선택한 환경은 Windows 시스템으로 BitCoin 거래를 하는 데 정기적으로 사용됩니다.

• ReversingLabs 연구원은“이를 통해 위협 행위자는 모든 잠재적인 암호 화폐 거래를 지갑 주소로 리디렉션하려고합니다.

Hackers use typosquatting to trojanize 700 libraries in Ruby Repository [www.hackread.com]

Over 700 Malicious Typosquatted Libraries Found On RubyGems Repository [thehackernews.com]

Mining for malicious Ruby gems [blog.reversinglabs.com]

Clipboard hijacking malware found in 725 Ruby libraries [www.zdnet.com]

Supply-chain attack hits RubyGems repository with 725 malicious packages [arstechnica.com]

RubyGems typosquatting attack hits Ruby developers with trojanized packages [www.csoonline.com]

newest replies popular replies

Open Wiki - Feel free to edit it. -

4/19 '20 answered

These kind of attacks are getting more common, they will explode with growing crypto value: https://t.co/PzS8tg1HWi @KomodoPlatform wallets, like upcoming atomicdex, are now among the most hardened & secure of this space since lessons of last year attack have been taken seriously
— Mr.KomodoWorld (@MrKomodoWorld) April 18, 2020

* 760 malicious RubyGems published in February from two accounts
* typosquatting attack - "atlas-client" swapped underscore for dash succesfully
* malware captures clipboard data, looks for bitcoin addresses to redirect, tries to establish persistencehttps://t.co/Yg6ui2pxqs
— Maya Kaczorowski (@MayaKaczorowski) April 18, 2020

More terrifying software supply chain security attacks https://t.co/1dEznem3oa
— Dino A. Dai Zovi (@dinodaizovi) April 18, 2020

Hackers typo-squatted 725 popular Ruby libraries. When the victim installs the malware, it sets up a clipboard hijacker that tries to steal bitcoin. https://t.co/k2PfdpD5bd
— Ben Sandofsky (@sandofsky) April 17, 2020

Clipboard hijacking malware found in 725 Ruby libraries

- Libraries uploaded on RubyGems between Feb 16 and 25
- Removed on Feb 27
- Malware would replace BTC addresses in the Windows clipboard to hijack BTC paymentshttps://t.co/mKo2XnOTDF pic.twitter.com/g7y40X34Zn
— Catalin Cimpanu (@campuscodi) April 17, 2020

Hackers use typosquatting to trojanize 700 libraries in Ruby Repository #CyberSec #Security #ThreatIntel #cybersecurity #dataprotection #privacy #cyberthreats #hackers #cybercrime #darkweb #digitalrisk #databreaches #cyberintelligence https://t.co/nDsm4yUUoL
— Javier Carriazo (@javier_carriazo) April 18, 2020

Over 700 Malicious Typosquatted Libraries Found On RubyGems Repository #CyberSec #Security #ThreatIntel #cybersecurity #dataprotection #privacy #cyberthreats #hackers #cybercrime #darkweb #digitalrisk #cyberintelligence https://t.co/qshjuU4yVG
— Javier Carriazo (@javier_carriazo) April 17, 2020

WARNING: To target #software developers, supply chain attackers recently caught distributing over 700 malicious libraries—written in Ruby #programming language—through the official RubyGems repository using #typosquatting gems.

Details ➤ https://t.co/JZpPKkCQKk #cybersecurity
— Swati Khandelwal (@Swati_THN) April 16, 2020

Over 700 Malicious Typosquatted Libraries Found On RubyGems Repository https://t.co/j1rxc1KPiD
— Nicolas Krassas (@Dinosn) April 16, 2020

* 760 malicious RubyGems published in February from two accounts
* typosquatting attack - "atlas-client" swapped underscore for dash succesfully
* malware captures clipboard data, looks for bitcoin addresses to redirect, tries to establish persistencehttps://t.co/Yg6ui2pxqs
— Maya Kaczorowski (@MayaKaczorowski) April 18, 2020

Mining for malicious Ruby gems https://t.co/qmXpJ8DqiA pic.twitter.com/u7LVf3q4Ru
— Hiroshi SHIBATA (@hsbt) April 17, 2020

ℹ️ Typosquatting:

"threat actors intentionally name malicious packages to resemble the popular ones [...] in hopes that an unsuspecting user will mistype the name and [...] install the malicious package"

About finding typosquatting RubyGems ⬇️https://t.co/rwUXm9rC44
— Karsten Hahn (@struppigel) April 17, 2020

This is why @bc_vault #bcvault #cryptowallet has BIG SCREEN! It is of utter importance to always check crypto addresses you are sending money to! Good luck with “Tiny screen” devices...https://t.co/hGbmCmJMlq
— Alen Salamun (@AlenSalamun) April 17, 2020

Clipboard hijacking malware found in 725 Ruby libraries. https://t.co/AuvZibTI2j #Malware #ruby #CyberSecurity
— Shieldly (@shieldly) April 17, 2020

The malware would replace Bitcoin addresses copied to the clipboard with one controlled by the attacker. #dynamiccio #linux #girlswhocode #tech @rneelmani @hacback17 https://t.co/3kEL5jAAWI
— Dynamic CIO (@DynamicCIO) April 17, 2020

These kind of attacks are getting more common, they will explode with growing crypto value: https://t.co/PzS8tg1HWi @KomodoPlatform wallets, like upcoming atomicdex, are now among the most hardened & secure of this space since lessons of last year attack have been taken seriously
— Mr.KomodoWorld (@MrKomodoWorld) April 18, 2020

Supply-chain attack hits RubyGems repository with 725 malicious packages https://t.co/xAOLhfD2o5
— Christopher Parsons (@caparsons) April 17, 2020

ouch!https://t.co/snU020kid2
— Brando (@_branzo_) April 18, 2020

Almost every programming language of woahfully unprepared to deal with supply chain attacks.

Package repositories plus complete trust in modules and ambient authority everywhere is a fucking disaster.https://t.co/t6thVcg21O
— ¯\_(ツ)_/¯ (@SeanTAllen) April 17, 2020

permanent link

Open Wiki - Feel free to edit it. -

4/19 '20 answered

Over 700 Malicious Typosquatted Libraries Found On RubyGems Repository #ruby #rails https://t.co/QygPMjK2kM
— Rails Links (@railslinks) April 18, 2020

"Over 700 Malicious Typosquatted Libraries Found On RubyGems Repository". Elm tackles this kind of issue by requiring all packages to consist of pure functions. All effects have to be wired in explicitly in application code. https://t.co/z0vFwqRrbr #elmlang
— Alex Korban (@alexkorban) April 18, 2020

Over 700 malicious RubyGems packages were uploaded between February 16 and February 25. Most of them had the capability to steal cryptocurrency by replacing the wallet address on the clipboard to the attacker's wallet address. https://t.co/JZccp64dZr #Infosec
— John Opdenakker - Lockdown counter: 33 (@j_opdenakker) April 18, 2020

Researchers from @reversinglabs discover #malware pre-packaged in #RubyGems repositories designed to replace #Bitcoin addresses with the #BTC address of the attacker. #infosec #Cybersecurity #DFIR #cybercrime #CISO #IOC #crypto #SupplyChain https://t.co/3jfVrL8Ozg
— Brent Muir (@bsmuir) April 19, 2020

Alternative headlines for the supply-chain "attack" on RubyGems repository https://t.co/hibOvvQKVj
"Malicious content found on the internet"
"Chrome downloads Trojan horse after user clicks on link"
"curl doesn't block latest virus"
"PyPI and NPM contain badly written stuff"
— Christian Heimes (@ChristianHeimes) April 18, 2020

“There are very few protections out there for software developers to make sure that packages they install from these repositories are malware free…There is a huge gap in the market at the moment which is being exploited by malware authors.” https://t.co/7Lvp77lno8
— Christopher Allen (@ChristopherA) April 19, 2020

permanent link

Featured

Important Notice: Discontinuation of Our Wiki Service

Dear Valued Users,

We hope this message finds you well. We are writing to inform you of an important upcoming change to our services. After careful consideration and analysis, we have made the difficult decision to discontinue our wiki site, effective one month from 2024/04/30.

This was not an easy decision to make, as we understand the importance of the resources and community that have been built around our wiki. However, due to evolving market conditions and strategic realignments, we must redirect our resources and efforts towards other ventures that will allow us to serve you better in the future.

What This Means for You:

Access to Content: You will continue to have full access to all content on the wiki until the discontinuation date. We encourage you to save or migrate any content you wish to retain.
Final Date of Service: The wiki will become inaccessible starting 1st June 2024, after which all content will be permanently removed.

We are immensely grateful for the support and contributions of our user community throughout the years. The wiki is being retired, but our team will be back soon with new services and apps.

Thank you for being a part of our journey.

Warm regards,

editoy Inc.

Related

Featured