Cybersecurity researchers have found multiple accounts on GitHub and social media platforms claiming to distribute proof-of-concept (PoC) exploits for a number of zero-day vulnerabilities allegedly found in popular software. However, a deeper inspection uncovered that all of the accounts were fake, and that the PoCs were nothing more than hidden malware.
The news was broken by cybersecurity researchers from VulnCheck, which said that unnamed threat actors created a network of accounts on both GitHub, and Twitter, belonging to fake cybersecurity researchers. These accounts were using profile pictures belonging to actual security experts, which led VulnCheck to believe that whoever was behind the attack went to great lengths to establish some credibility.
On these accounts, the fake experts were sharing proof-of-concept exploits for alleged zero-day vulnerabilities found in popular software such as Signal, Discord, Google Chrome, or Microsoft Exchange Server.
“The individuals creating these repositories have put significant effort into making them look legitimate by creating a network of accounts and Twitter profiles, pretending to be part of a non-existent company called High Sierra Cyber Security,” VulnCheck noted.
The criminals would use the account to distribute a Python script which downloads a malicious binary and executes it on the target endpoint. The malware worked on both Windows and Linux, it was said.
At press time, all of the malicious GitHub repositories have been removed, but here’s a list just in case:
These Twitter accounts, on the other hand, are yet to be removed:
Considering the amount of effort placed into the campaign, the end result doesn’t make much sense, the researchers hint, because the malware being delivered was “very obvious”, they said. “It’s unclear if they have been successful, but given that they’ve continued to pursue this avenue of attacks, it seems they believe they will be successful.”
Analysis: Why does it matter?
This is a very elaborate supply chain attack, whose consequences could have been painful. GitHub is arguably the world’s largest repository of open source code, and the products found there are software building blocks used by countless organizations as they build out their solutions and tools. If a threat actor manages to compromise an existing repository, or manages to squeeze through malicious code, it can trickle down to numerous software, theoretically compromising thousands of endpoints. Depending on the type of malware distributed this way, threat actors could get their hands on sensitive data, could engage in identity theft and ransomware attacks, as well as wire fraud.
The popularity of GitHub made it one of the biggest targets for supply chain attacks. Often, threat actors will engage in “typosquatting”, a form of cyberattack in which they’d create a malicious package with a name almost identical to an existing one. That way, an overworked or distracted developer might use the wrong one and compromise their systems, as well as those of their customers/clients.
Supply chain attacks are both common and very destructive. One of the best examples of the enormous potential of supply chain attacks is the SolarWinds attack, which happened in late 2020. Back then, an update to one of SolarWinds’ products was tainted with malware, which was then pushed to its users, some of which included high-profile companies and government institutions.
Pinned on state-sponsored Russian hackers, the hack was found to have affected nine federal agencies, in addition to many private-sector companies, subsequent analysis has shown.
What have others said about it?
In its write-up, Bleeping Computer says that it’s yet unknown what the malware being distributed actually does. The publication stresses the importance of being careful when downloading scripts, especially from unknown repositories, as “impersonation is always possible.” Furthermore, BleepingComputer reminds its readers about multiple high-profile supply chain attacks that happened in the past, such as the January 2021 campaign by North Korean state-sponsored threat actors, Lazarus.
Back then, the group created fake vulnerability researcher personas on social media to target researchers with malware. Later that year, they also tried to distribute a trojanized version of the IDA Pro reverse engineering software this way.
CSO Online, on the other hand, called it an “unusual” attack campaign, that targets mostly security researchers. It also says that it’s most likely the work of an advanced persistent threat (APT) actor looking to obtain sensitive information usually found on endpoints belonging to cybersecurity researchers. It also adds that experienced security researchers “generally take precautions when working with potentially malicious code”, suggesting that targeting researchers by offering fake PoCs might not be the brightest of ideas. “If they’re testing a proof-of-concept exploit, this is most likely to happen on a test system inside a virtual machine that’s well monitored and later wiped,” they concluded.
Via: The Hacker News