On January 7, 2021, Sonatype became aware of three malicious brandjacking components which were published to the Maven Central Repository in the last week of 2020.
Upon becoming aware of the issue, we immediately blocked access to those components removed them from the Central Repository, and initiated a thorough investigation of the incident.
The three component GAVs, tracked by their respective Sonatype vulnerability identifiers, are:
|
Group ID |
Artifact ID |
Version(s) |
Vulnerability Tracking Identifier |
|
com.github.codingandcoding |
maven-compiler-plugin |
3.9.0 |
sonatype-2021-0012 |
|
com.github.codingandcoding |
mail-watcher-plugin |
1.16, 1.17 |
sonatype-2021 0013 |
|
com.github.codingandcoding |
servlet-api |
3.2.0 |
sonatype-2021-0014 |
These malicious components that attempted to impersonate legitimate Jenkins and Maven plugins by using the same Artifact names were downloaded 846 times in the 10 days since they were published. During the same period, the legitimate Jenkins and Maven plug-ins were downloaded a total of 23 million times.
These discoveries come to light in the wake of Sonatype's repeated warnings about threat actors targeting various open source ecosystems with typosquatting and brandjacking malware.
Typosquatting and brandjacking software supply chain attacks like these capitalize on the reputation built by existing brands and open source projects. These attacks bank on an unsuspecting developer pulling malware into their software supply chain by mistaking it for the legitimate component with an identical Artifact name (though using a different group identifier). Similarly to the recent SolarWinds' Orion attack, bad actors hope to infiltrate trusted software development and distribution mechanisms without a software development team's knowledge.
Upon identifying the component, Sonatype acted swiftly to address this issue because, as the stewards of the Central Repository, we understand the severity of such malicious components being made available for download by unsuspecting developers.
Maven namespacing as it relates to brandjacking and permissions for publishing to Central
Sonatype's Maven Central Repository is home to over 6,000,000 open-source Java components commonly used by the developer community. Each month, about 200,000 new component releases are added to the repository. In 2019, Maven Central served 226 billion download requests.
Unlike most other open source software component ecosystems, Maven is built upon a strong namespacing concept that requires that every artifact be addressed using (minimally) a three part coordinate: Group ID : Artifact ID : Version. Group IDs follow the Java Package convention which is the reverse of a development team's DNS. For example, all Apache Software Foundation artifacts have org.apache as the start of their Group ID. Org.apache.maven is Maven, org.apache.struts is Struts etc.
When a new publisher comes along requesting access to publish to Central, the requirements enforce that you can verify control of either the DNS for the Group ID, or for control over the account/repo for coordinates derived from platforms such as GitHub. As a part of this screening, users are asked to verify their GitHub account before they are assigned a Group ID, such as 'com.github.codingandcoding,' as is the ID in this case.
When we see brandjacking occur in repositories without a namespace, you can see that it can be easy to trick users into using foo-bar when the legit project is actually fooBar or foo_bar. In the Maven case however, it becomes a bit harder given the GroupId. As seen in this example, the publisher created something called:
com.github.codingandcoding:maven-compiler-plugin
which is clearly different from
org.apache.maven.plugins:maven-compiler-plugin.
Although this makes brandjacking in the Maven ecosystem slightly more difficult, we must still take these attempts very seriously.
Below are the details that were discovered based on the research of these components conducted by Sonatype's Security Research team following the initial discovery of the malicious components.
Brandjacking malware imitated Jenkins and Maven plugins, targeted Java developers
All versions of the malicious artifacts share the same Maven Group ID "com.github.codingandcoding" and were published by the same user as both JARs and HPI packages as a part of a brandjacking software supply chain attack.
Despite having some functional similarities, the three malicious components vary in what legitimate open source components they imitate, and how at least one of them hides a malicious payload using base64 encoding.
Sonatype security researcher Ali ElShakankiry who decompiled and analyzed the malicious JARs explains, "All three backdoored components seem to be aimed at infecting developers' machines or their build system servers."
"It is notable that the components can receive different payloads from the command-and-control (C2) server on every request they make, giving the malicious actors total control over the types of attacks they would like to execute, from exfiltrating information to system takeover, such as carrying out subsequent attacks through the infected machines. The backdoors are aimed primarily at Unix-based machines running the Java Virtual Machine," said ElShakankiry.
1. sonatype-2021-0012 - maven-compiler-plugin
This malicious artifact "maven-compiler-plugin" is named after a legitimate Apache Maven plugin by the same name, except that the malicious variant has a different group identifier i.e. "com.github.codingandcoding."
The component had only one version on Maven Central, 3.9.0, prior to its removal by Sonatype.
Within the JAR of this component, the malicious code exists in the `execute()` method of the `CompilerMojo.class` file, which contains a hardcoded C2 server link.
The malicious domain was not accessible at the time of our analysis.
Image: Hardcoded backdoor in “maven-compiler-plugin”
"The malicious code injected within the CompilerMojo class is equipped with a Java class loader capable of executing arbitrary code downloaded from the C2 server."
"Since the Maven Compiler Plugin is intended to be run by developers compiling sources of their Java projects, this backdoor is aimed at infecting developers' machines on every run," explains ElShakankiry.
2. sonatype-2021-0013 - mail-watcher-plugin
The malicious "mail-watcher-plugin" component impersonates the legitimate Jenkins plugin by the same name, but published under the "com.github.codingandcoding" group identifier.
Two versions of the component, 1.16 and 1.17 (both malicious), existed in Maven Central until these were removed by Sonatype.
Inside the JAR, the backdoored code exists in the `send()` method of `MailWatcherNotification.class` which, once again, contains a different hardcoded C2 server.
Hardcoded backdoor within malicious "mail-watcher-plugin" component
"This backdoored code will similarly download an arbitrary Groovy script that is evaluated on the infected Jenkins server every time a user receives a mail notification from the plugin. This sample is directly aimed at the Jenkins build system intended to be used by Java developers," stated ElShakankiry. In essence, counterfeit components of this kind attack the manufacturing lines of modern software supply chains in order to infect application code being developed.
While the malicious C2 server in this component was up at the time of our analysis, Sonatype did not see any suspicious code being served from it.
3. sonatype-2021-0014 - servlet-api
The malicious "servlet-api" component published under the "com.github.codingandcoding" group identifier, attempts to impersonate multiple legitimate components published under identical names by trustworthy projects like Apache, Eclipse Jetty, Tomcat, etc.
Only one version of the component (v. 3.2.0) was discovered on Maven Central prior to its removal by Sonatype.
The malicious code is present in the `doGet()` method of the `HttpServlet.class` file within the JAR.
Unlike the previous two components, "servlet-api" contains a base64-encoded one liner masking the C2 server IP address and port.
"ElShakankiry explained that this library is intended to be used as a dependency by Java web applications and will directly attempt to open an interactive shell by creating a reverse TCP connection to the command-and-control (C2) server."
"The web application will open a new backdoored connection every time it services an HTTP GET request for a client. This gives the malicious actors direct command-line access to the infected machine, and the ability to run arbitrary shell commands with the same privileges as the backdoored application," explained ElShakankiry.
As shown below, the command launches a TCP reverse shell to the attacker's server at 45.87.122[.]54:8888.
The timeline and Indicators of Compromise (IOCs) associated with this report are provided below:
Indicators of Compromise (IOCs)
Domains and IPs
- swmail.malware.index
- 112.11.168[.]47
- 45.87.122[.]54
Hashes (SHA1) of malicious JARs:
- mail-watcher-plugin-1.16.jar: a52a4d23429861a16cfa621945096b14b60746f6
- mail-watcher-plugin-1.17.jar: 08e7183a431683c3d516e7687552055326b03948
- maven-compiler-plugin-3.9.0.jar: 0a682f3304b6cea152aa5e2812d59850680265fb
- servlet-api-3.2.0.jar: c018607d8597ba2b9e64561518b9dfbb65ff9f2b
Timeline
|
Date |
Action |
|
December 27 - 29, 2020 |
Malicious components are published to Maven Central by a user who had verified ownership of their GitHub account.
|
|
January 7, 2021 |
Sonatype receives a report of 3 malicious components being present in Maven Central via email. |
|
January 13, 2021 |
Public disclosure via this blog post. |
After our notification to them, the GitHub Security team confirmed during their investigation that this incident did not stem from a case of account compromise but that the user account `codingandcoding` had been associated with malicious activity from the start and violated their Acceptable Use Policies. Consequently, following our report, GitHub has suspended the offending user account.
How can Sonatype help?
First, Sonatype removed the malicious components from Maven Central immediately and therefore thwarted any potential attacks upon unsuspecting developers.
Sonatype's world-class open source intelligence, which includes our automated malware detection technology, safeguards your developers, customers, and software supply chains from attacks like these. Anyone using our products is continuously alerted to new vulnerabilities in open source software components they have downloaded or used in their application development practices.
If you're not a Sonatype customer and would like to find out if your code is vulnerable, you can use Sonatype's free Sonatype Vulnerability Scanner (SVS) to quickly find out. SVS will analyze your application in seconds and provide a complete software bill of materials (SBOM) detailing each open source component used by your developers.
