Last week news broke about how 700 typosquatting libraries had made their way into the famous RubyGems repository. The complete list, first published by ReversingLabs, reveals how crafty attackers can take advantage of the open source software supply chain by relying on human typographical errors, to which not even the most sophisticated developers are immune.
Vulnerability Identifier: sonatype-2020-0196
Type of Vulnerability: CWE-506 / Malware
CVSS 3.1 Score: 10.0 (Critical)
CVSS 3.1 Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected components: multiple; IQ scan is recommended.
Vulnerable version ranges: multiple; IQ scan is recommended.
Although the list names some 725 packages, since removed by RubyGems, the actual number of unique affected components could be much higher: each gem has multiple versions, and any of them may have been pulled in as a dependency of other gems.
The malicious intent is of particular significance due to three factors:
- It relies on typos to trick users into installing malware whose names mimic real-world packages (e.g. atlas-client imitating the legitimate atlas_client package)
- It installs persistent Bitcoin-leeching malware which frequently monitors the clipboard for a Bitcoin address and replaces it with the attacker’s wallet address.
- It takes advantage of borderline steganography techniques, by disguising malicious code in quasi-image (PNG) files.
All of this means that a single slip of a keystroke by an unsuspecting developer puts them, and anybody who uses their package (i.e. if the malicious RubyGem was bundled as a dependency), in a position where every cryptocurrency transaction redirects funds to the attacker’s wallet address, unless the user is extremely diligent when copy-pasting.
Moreover, because the malicious code spun up by the components is saved within innocuous-looking image files (e.g. “aaa.png”), it would likely bypass the scrutiny of the human eye, and various static analysis tools. Only at a specific point during the installation would the “image” files be renamed to “*.exe,” allowing them to execute on compromised Windows machines. The base64-encoded payload also meant latent copies of malware created by the program would remain on the infected system silently, and would persistently rerun on every reboot.
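The disguise described above, a file named like an image that actually carries an encoded executable and is renamed at install time, is easy to check for mechanically. The following is an added example written for this page (it is not Sonatype's, ReversingLabs' or RubyGems' code): it scans an unpacked gem directory, compares each image-named file's leading bytes with what its extension claims, and flags Ruby source that mentions an ".exe" filename. The sample gem tree, the fake payload and the heuristics are all constructed for illustration; a gem's `ext/extconf.rb` is assumed to be the install-time hook, and `aaa.png` is the filename the post quotes.

```ruby
# Added example (not Sonatype's, ReversingLabs' or RubyGems' code): detect
# "image" files in an unpacked gem whose bytes are not an image. The sample
# gem tree below is constructed inline and the heuristics are this example's own.
require 'base64'
require 'tmpdir'
require 'fileutils'

PNG_MAGIC = "\x89PNG\r\n\x1a\n".b
PE_MAGIC  = 'MZ'.b
IMAGE_EXT = %w[.png .jpg .jpeg .gif .bmp].freeze

# Classify a file's leading bytes by what they actually look like,
# regardless of the file name.
def content_kind(bytes)
  return :png if bytes.start_with?(PNG_MAGIC)
  return :pe  if bytes.start_with?(PE_MAGIC)
  # A blob made only of base64 alphabet characters is odd for an "image";
  # decode it and see whether an executable header is hiding inside.
  if bytes.length >= 16 && bytes.match?(/\A[A-Za-z0-9+\/=\r\n]+\z/)
    decoded = Base64.decode64(bytes)
    return :base64_pe if decoded.start_with?(PE_MAGIC)
    return :base64_blob
  end
  :other
end

# Walk an unpacked gem and report (a) image-named files with non-image
# content and (b) Ruby source referring to an ".exe" filename, the rename
# step the post describes. Only the first 4 KiB of each file is inspected.
def scan_gem_dir(root)
  findings = []
  Dir.glob(File.join(root, '**', '*')).sort.each do |path|
    next unless File.file?(path)
    rel  = path.sub(%r{\A#{Regexp.escape(root)}/}, '')
    ext  = File.extname(path).downcase
    head = File.binread(path, 4096) || ''.b
    if IMAGE_EXT.include?(ext)
      kind = content_kind(head)
      # A .png must carry the PNG signature; any image extension over PE or
      # base64 content is a disguise.
      if (ext == '.png' && kind != :png) || %i[pe base64_pe base64_blob].include?(kind)
        findings << { file: rel, issue: :extension_mismatch, content: kind }
      end
    elsif ext == '.rb' && head.match?(/\.exe\b/i)
      findings << { file: rel, issue: :exe_reference, content: :ruby }
    end
  end
  findings
end

# Constructed sample gem: one genuine PNG header, one base64 "image" wrapping
# a fake PE header (not a runnable program), and an install hook that renames it.
def build_sample_gem(root)
  FileUtils.mkdir_p(File.join(root, 'ext'))
  FileUtils.mkdir_p(File.join(root, 'lib'))
  File.binwrite(File.join(root, 'lib', 'logo.png'), PNG_MAGIC + ("\0" * 32))
  fake_pe = PE_MAGIC + 'constructed fake PE header, not executable'.b + ("\0" * 64)
  File.binwrite(File.join(root, 'ext', 'aaa.png'), Base64.strict_encode64(fake_pe))
  File.write(File.join(root, 'ext', 'extconf.rb'),
             "# constructed install hook that renames the 'image'\n" \
             "File.rename('aaa.png', 'aaa.exe')\n")
  File.write(File.join(root, 'lib', 'client.rb'), "module Client; end\n")
end

if __FILE__ == $0
  Dir.mktmpdir do |dir|
    build_sample_gem(dir)
    scan_gem_dir(dir).each { |f| puts "#{f[:issue]}: #{f[:file]} (#{f[:content]})" }
  end
end
```

Run against a real gem after `gem unpack name.gem` by passing the unpacked directory to `scan_gem_dir`. The magic-byte check is the part that matters: a filename is attacker-controlled, the first eight bytes of a PNG are not.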
Sonatype’s Recommended Remediation:
These packages are inherently malicious, so we recommend removing them completely. Since they may have been intended to impersonate one or more legitimate packages, reconfirm that dependencies are spelled correctly before attempting to download the legitimate package. Any host that downloaded these packages should be considered compromised and remediated as appropriate.
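Both the hyphen-for-underscore swap called out above (atlas-client for atlas_client) and the advice to reconfirm dependency spelling can be turned into an automated check. The following is an added example written for this page, not Sonatype's or RubyGems' code: it reads the gem names out of a Gemfile.lock, compares each one against an allowlist of the gems the project intends to use, and reports names that differ only by separator characters or by a single edit. The allowlist, the lock file contents and the near-miss name `raisl` are constructed for illustration.

```ruby
# Added example (not Sonatype's or RubyGems' code): flag gem names in a
# Gemfile.lock that are confusable with an allowlist of intended gems.
# The allowlist and lock file below are constructed for illustration.
require 'set'

# Normalise the characters typosquatters most often swap so that
# "atlas-client" and "atlas_client" compare equal.
def canonical(name)
  name.downcase.tr('-.', '__')
end

# Optimal-string-alignment edit distance: insert, delete, substitute, and
# swap of two adjacent characters each cost 1.
def edit_distance(a, b)
  d = Array.new(a.length + 1) do |i|
    Array.new(b.length + 1) { |j| i.zero? ? j : (j.zero? ? i : 0) }
  end
  (1..a.length).each do |i|
    (1..b.length).each do |j|
      cost = a[i - 1] == b[j - 1] ? 0 : 1
      d[i][j] = [d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost].min
      if i > 1 && j > 1 && a[i - 1] == b[j - 2] && a[i - 2] == b[j - 1]
        d[i][j] = [d[i][j], d[i - 2][j - 2] + 1].min
      end
    end
  end
  d[a.length][b.length]
end

# Collect every gem named in the "specs:" section of a Gemfile.lock, both the
# direct specs ("    name (1.0)") and their dependencies ("      dep (>= 0)").
def lock_gem_names(lock_text)
  names = Set.new
  in_specs = false
  lock_text.each_line do |line|
    if line.start_with?('  specs:')
      in_specs = true
      next
    end
    in_specs = false if in_specs && !line.start_with?(' ')  # blank line or new section
    next unless in_specs
    names << Regexp.last_match(1) if line =~ /\A\s+([A-Za-z0-9_.\-]+) \(/
  end
  names
end

# Report lock entries that are not allowlisted but look like an allowlisted gem.
def audit(lock_text, allowlist, max_distance: 1)
  findings = []
  lock_gem_names(lock_text).sort.each do |gem|
    next if allowlist.include?(gem)  # the exact intended name: nothing to report
    allowlist.each do |legit|
      if canonical(gem) == canonical(legit)
        findings << { gem: gem, resembles: legit, reason: 'separator swap' }
      elsif edit_distance(canonical(gem), canonical(legit)) <= max_distance
        findings << { gem: gem, resembles: legit, reason: 'near miss' }
      end
    end
  end
  findings
end

# Constructed allowlist: the gems this project actually means to depend on.
ALLOWLIST = %w[atlas_client nokogiri mini_portile2 rails].freeze

# Constructed Gemfile.lock; "atlas-client" is the name from the post,
# "raisl" is a made-up transposition of "rails".
CONSTRUCTED_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      atlas-client (0.1.0)
      nokogiri (1.10.9)
        mini_portile2 (~> 2.4.0)
      mini_portile2 (2.4.0)
      rails (6.0.2)
      raisl (0.0.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    atlas-client
    nokogiri
    rails
    raisl
LOCK

if __FILE__ == $0
  lock = ARGV[0] ? File.read(ARGV[0]) : CONSTRUCTED_LOCK
  audit(lock, ALLOWLIST).each do |f|
    puts "#{f[:gem]} resembles #{f[:resembles]} (#{f[:reason]})"
  end
end
```

Run it as `ruby audit_lock.rb Gemfile.lock` with the allowlist edited to your own dependency set. The allowlist is the important part: a near-miss check is only meaningful against the names you intended to type, and the separator normalisation catches the exact class of swap this campaign used.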
Attacks like these are a sign of the times, and they reinforce the tremendous value enterprises gain from securing their software supply chain. Tactics evolve; we can only surmise what the next iteration of such a campaign will look like.
DevOps-native organizations with the ability to continuously deploy software releases have an automation advantage that allows them to stay one step ahead of the hackers. Sonatype Nexus customers were notified of sonatype-2020-0196 within hours of the discovery. Their development teams automatically received instructions on how to remediate the risk. Their bitcoins, and software supply chains, are safe!
If you're not a Sonatype customer and want to find out if your code is vulnerable, you can use Sonatype's free Nexus Vulnerability Scanner to quickly find out.
Visit the Nexus Intelligence Insights page for a deep dive into other vulnerabilities like this one. Or subscribe to automatically receive Nexus Intelligence Insights hot off the press.