Anatomy of the RubyGems ‘rest-client’ hack, and getting creative about open source security

Over the last several years, we’ve been raising awareness of breaches to popular open source software components and the worrying trend that they are more frequently being attacked at the source – bad actors are growing bolder and the velocity of attacks is increasing. Last month, the RubyGems strong_password component was breached. The attack involved remote code execution in applications using or bundling `strong_password`; any developer downloading this component also downloaded the malicious code. This latest RubyGems compromise is another attack on open source, at the source, and as hacks go it is about as bad as it gets in terms of the mechanics. Compromising the code at its source allows hackers to get creative about how they leverage open source libraries for nefarious purposes, and to do it with unprecedented speed.

The story of this new hack begins with a topic that’s just about as old as technology itself: password hygiene. In the case of ‘rest-client’, the project maintainer was still using a password that had been leaked in an earlier breach. Not having logged on to the project in years, changing his gem password wasn’t exactly top of mind. It’s an oversight that could happen to any of us; we’re human after all. The sequence of events that followed the hijacking of the maintainer’s password made that oversight unpleasant for many developers.

From GitHub, regarding CVE-2019-15224:

  • On August 14, attackers published a series of rest-client versions from 1.6.10 to 1.6.13 using the credentials of a rest-client maintainer whose account was compromised. The affected versions were downloaded a small number of times (~1000).
  • On August 19, @juskoljo observed the malicious gem version and created this issue. Later that day, the RubyGems security team yanked the offending gem version and locked the affected maintainer’s account. Several
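As an added example (not code from the original post, the rest-client project or RubyGems), here is a small Ruby check that flags the compromised rest-client versions named in the advisory above when they appear pinned in a project’s Gemfile.lock. The sample lockfile is constructed, and treating the range 1.6.10 through 1.6.13 as inclusive at both ends is an assumption.

```ruby
require "rubygems" # Gem::Version ships with RubyGems; no extra gems needed

# Version range named in the advisory quoted above (assumed inclusive).
FIRST_BAD = Gem::Version.new("1.6.10")
LAST_BAD  = Gem::Version.new("1.6.13")

# Return every pinned version of `gem_name` in a Gemfile.lock that falls
# inside [first_bad, last_bad]. Top-level specs in a lockfile are indented
# exactly four spaces ("    rest-client (1.6.12)"); their dependencies are
# indented six and carry constraints such as "(>= 1.16, < 4.0)", so the
# anchored regex below only ever sees concrete versions.
def compromised_gem_versions(lockfile_text, gem_name: "rest-client",
                             first_bad: FIRST_BAD, last_bad: LAST_BAD)
  hits = []
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    next unless m && m[1] == gem_name
    version = m[2]
    begin
      parsed = Gem::Version.new(version)
    rescue ArgumentError
      next # malformed version string; leave it for a human to inspect
    end
    hits << version if parsed.between?(first_bad, last_bad)
  end
  hits
end

# Constructed sample lockfile (not from any real project) pinning an
# affected rest-client release.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mime-types (3.2.2)
        mime-types-data (~> 3.2015)
      mime-types-data (3.2019.0331)
      rest-client (1.6.12)
        mime-types (>= 1.16, < 4.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    rest-client
LOCK

if __FILE__ == $PROGRAM_NAME
  found = compromised_gem_versions(SAMPLE_LOCKFILE)
  puts(found.empty? ? "no compromised rest-client versions pinned" :
                      "compromised rest-client pinned: #{found.join(', ')}")
end
```

Run it against a real lockfile by reading the file into `compromised_gem_versions`; a non-empty result means `bundle install` would pull one of the yanked releases.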

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Brian Fox. Read the original post at: