The attack I am talking about is one that was disclosed in June of 2023 by Phylum and later by GitHub in July 2023. This attack followed a sophisticated attack pattern and has now been attributed to “threat actors with strong ties to North Korean objectives” by GitHub. In a report sent to me by Phylum, we get some additional context and details about the attack, including the initial method of contact/access and the details of the attack chain for the malicious packages involved.
Initial access – Let’s make contact
According to both GitHub and Phylum researchers, the group (possibly Jade Sleet) would reach out to targets and extend an invitation to the attacker-controlled repository on NPM, which contained the malicious files identified by Phylum back in June of 2023. “Only when they extended a fraudulent repository invitation, minimizing the exposure of the new malicious package to scrutiny.” Phylum researchers believe that this attack style allowed the group to push the package only once the invite had been accepted, leaving no historical artifacts to be found in the environment. It also (as the quote above indicates) limited the package’s exposure to security tools and teams that scour NPM and other development repos for this type of attack. It is a clever attack pattern and one that likely has a lot of moving pieces in the background, such as social engineering efforts to build trust with the target. These types of supporting efforts for an attack should not be ignored or taken lightly, especially in light of new capabilities from attacker-oriented AI applications or the simple use of free LLM and image AI systems to help make the fake account appear more realistic.
The attack pattern
In Phylum’s initial report back in June, they observed that the attackers were publishing the payloads in pairs. The package pairs would work together to gather any additional resources needed to move further along the attack chain. Starting with a simple JSON file (package.json), we see the attackers start the ball rolling with a preinstall hook. The preinstall hook installs sync-request before running main.js. This is not what you would expect in normal operation, for a few reasons that are both hygiene and performance related. Either way, it is something that should be a red flag when looking into how a package runs. To add to the fun, the use of package pairs that we previously mentioned was a clear attempt to evade detection. According to Phylum, executing one package would retrieve a token that would be used by a different package to grab a script. The first package also shuts off TLS certificate validation using “process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = 0” as part of the initial code execution.
Once the system has had TLS validation turned off and the token has been downloaded to the target device, we are ready for the second stage of the attack.
The second package in the pair runs a similar preinstall hook, which looks for the token that the first stage grabbed. The script repeats some items we see in the first stage, such as turning off TLS certificate validation, and also hits a page on the remote server named “/getfullhistory[.]php”. This, when executed, will return a base64-encoded string which should then be executed. Due to the evasion techniques mentioned above, Phylum was only ever able to get a return of “no history available”.
Since the initial publication of Phylum and GitHub’s reports, the attack group has published some new package pairs with obfuscated (base64) code, but these are basically the same code observed before.
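As a defensive illustration of the red flags described in this section (an install-time hook, a hook that installs another package, and a hook script that disables TLS validation or decodes base64), here is a small Node.js triage function. It is an added example, not code from Phylum, GitHub or the packages themselves; the function name, rule ids and both sample packages are constructed for illustration.

```javascript
const HOOKS = ['preinstall', 'install', 'postinstall'];
// Source-level indicators taken from the behaviour described above.
const SOURCE_RULES = [
  { id: 'tls-validation-disabled', re: /NODE_TLS_REJECT_UNAUTHORIZED['"]?\]?\s*=\s*['"]?0/ },
  { id: 'base64-decode', re: /Buffer\.from\([^)]*['"]base64['"]\)|\batob\(/ },
];

// pkg: parsed package.json object; files: { relativePath: sourceText }
function auditPackage(pkg, files) {
  const findings = [];
  for (const hook of HOOKS) {
    const cmd = (pkg.scripts || {})[hook];
    if (!cmd) continue;
    findings.push({ id: 'install-hook', hook, detail: cmd });
    // Installing a package from inside a hook sidesteps the declared dependency list.
    if (/\bnpm\s+(install|i|add)\b/.test(cmd)) {
      findings.push({ id: 'hook-installs-package', hook, detail: cmd });
    }
    // Scan every script the hook hands to node.
    for (const m of cmd.matchAll(/\bnode\s+([\w.\/-]+)/g)) {
      const src = files[m[1]] ?? files[m[1] + '.js'];
      if (src === undefined) {
        findings.push({ id: 'hook-script-missing', hook, detail: m[1] });
        continue;
      }
      for (const rule of SOURCE_RULES) {
        if (rule.re.test(src)) findings.push({ id: rule.id, hook, detail: m[1] });
      }
    }
  }
  return findings;
}

// Constructed sample shaped like the first-stage package described above.
const suspectPkg = {
  name: 'example-stage-one',
  scripts: { preinstall: 'npm install sync-request && node main.js' },
};
const suspectFiles = { 'main.js': "process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = 0;\n" };
// Constructed benign package for contrast: no install-time hooks at all.
const benignPkg = { name: 'example-benign', scripts: { test: 'node test.js' } };

console.log(auditPackage(suspectPkg, suspectFiles).map((f) => f.id));
console.log(auditPackage(benignPkg, {}).map((f) => f.id));
```

Run a check like this against the unpacked tarball before anything executes; installing with `npm install --ignore-scripts` keeps lifecycle hooks from running while you review them.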
Attacker Motivations – The Why
The attack group in this campaign seems to have a financial motivation. They are targeting the supply chain associated with Web3 and cryptocurrency. The reasons for this are probably the same as those of other groups that have financial motivations. Cryptocurrency is anonymous and there are not many ways to reverse a transaction without affecting the entire blockchain. If you know the wallet that received the funds you can seize it and perform a transfer back to the original owners, but that can be complicated if the attacker is clever and bounces between chains. Considering the attribution, this campaign might also be a way around certain sanctions imposed on North Korea. Other than the financial motivation, most of this is speculation, as attribution is not an exact science.
This and the many, many other attacks on the development supply chain show a true need (not want, need) for better controls on development. The market and ecosystem for development have become extremely dependent on open-source packages. Even major vendors use them inside their closed-license offerings. Scanning of repos by security researchers and waiting for a report is not enough. There needs to be a better component in the SDLC which not only ensures a Software Bill of Materials (SBOM), but also inspects the individual components before they are executed on a development system or integrated into an overall build. I am not talking about the general vulnerability scans that are being run, but a concerted effort where security is properly integrated into development operations, including application penetration testing and source code review.
Yes, I know that this is an expensive proposition, but attackers are already aware (obviously) of this gap and are clearly exploiting it. They say that doing the same thing you have always done and expecting a different result is the true definition of insanity. Let’s stop the insanity and start to make the shift to ground-up/top-down security so that the industry can start to make a real impact on how threat actors operate. Ok, soapbox really put away.
You can read Phylum’s full reports below
July 22 2023 report
June 23 2023 report