CVSS 3.1 Score: 10.0 (Critical)
CVSS 3.1 Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected components: multiple; IQ scan is recommended.
Vulnerable version ranges: multiple; IQ scan is recommended.
Although the list names some 725 packages since removed by RubyGems, the number of affected components could be much higher: each gem may have shipped several versions, and any of them may have been pulled in as a dependency of other gems.
The campaign is notable for three reasons:
- It relies on typosquatting: the malicious gems mimic the names of real packages (e.g. atlas-client imitating the legitimate atlas_client), so a single mistyped or misremembered character installs malware instead of the intended gem.
- It installs persistent clipboard-hijacking malware that repeatedly polls the clipboard for a Bitcoin address and replaces it with the attacker's wallet address.
- It uses a crude form of steganography, hiding the malicious code in files with a PNG extension that are not actual images.
The combined effect is that one slip of the keyboard by an unsuspecting developer puts them, and anyone who consumes their package (if the malicious gem was bundled as a dependency), in a position where outgoing cryptocurrency transactions are silently redirected to the attacker's wallet, unless the user re-checks the pasted address every single time.
Moreover, because the code these components execute is stored in innocuous-looking image files (e.g. "aaa.png"), it would likely escape both human review and static analysis tools that only examine files that look like source. Only at a specific …
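The two tricks described above (a separator/typo variant of a legitimate gem name, and a "PNG" that is really a Ruby script) are both cheap to check for before trusting a dependency. The following Ruby script is an added example, not code from the Sonatype post or from the malicious gems: the `KNOWN_GEMS` allowlist, the sample files, the Bitcoin address (a public sample address, not an attacker wallet) and the Ruby-source heuristics are all constructed for this illustration. It flags candidate names that collapse onto a known gem after hyphen/underscore normalisation or sit within one edit of it, and it walks a directory for `*.png` files that lack the PNG magic bytes, classifying those whose leading bytes read as Ruby.

```ruby
require "tmpdir"

# Eight-byte magic every genuine PNG starts with.
PNG_SIGNATURE = "\x89PNG\r\n\x1a\n".b.freeze

# Legitimate names to compare candidates against (constructed list; in
# practice feed it the names pinned in your Gemfile.lock or a curated allowlist).
KNOWN_GEMS = %w[atlas_client nokogiri rails].freeze

# Loose pattern for legacy (1.../3...) and bech32 (bc1...) Bitcoin addresses.
BITCOIN_ADDRESS = /\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,62})\b/

# Collapse the hyphen/underscore and case differences that typosquats rely on.
def normalize_gem_name(name)
  name.downcase.tr("-", "_")
end

# Plain Levenshtein distance; one edit covers a single mistyped key.
def edit_distance(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev.last
end

# Returns the known gem that `candidate` appears to imitate, or nil.
# An exact match is fine; a name that differs only in separators/case or by
# one edit is flagged. This is a heuristic: short legitimate names will
# collide, so treat a hit as "look closer", not as proof of malice.
def typosquat_of(candidate, known = KNOWN_GEMS)
  return nil if known.include?(candidate)
  norm = normalize_gem_name(candidate)
  known.find { |k| edit_distance(normalize_gem_name(k), norm) <= 1 }
end

# Classifies the content of a file that claims (by extension) to be a PNG:
#   :ok           starts with the PNG magic
#   :ruby_source  no magic, and the leading bytes look like Ruby
#   :not_png      no magic, unknown content
def classify_png(bytes)
  data = bytes.b
  return :ok if data.start_with?(PNG_SIGNATURE)
  head = data[0, 512].force_encoding("UTF-8").scrub
  return :ruby_source if head.match?(/\A\s*(require|def |module |class |#!.*ruby)/)
  :not_png
end

# Walks a directory tree and reports every *.png that is not a real PNG,
# noting whether the payload also carries a hard-coded Bitcoin address.
def scan_png_files(dir)
  Dir.glob(File.join(dir, "**", "*.png")).each_with_object({}) do |path, report|
    data = File.binread(path)
    verdict = classify_png(data)
    next if verdict == :ok
    btc = data.force_encoding("UTF-8").scrub.match?(BITCOIN_ADDRESS)
    report[File.basename(path)] = { verdict: verdict, bitcoin_address: btc }
  end
end

# Demo on constructed files: a minimal real PNG header, a harmless Ruby
# snippet saved as "aaa.png" (the disguise described above, with a public
# sample address standing in for the wallet), and a misnamed JPEG blob.
def demo_scan
  Dir.mktmpdir("gemscan") do |dir|
    File.binwrite(File.join(dir, "real.png"), PNG_SIGNATURE + "\x00\x00\x00\x0dIHDR".b)
    File.write(File.join(dir, "aaa.png"),
               "require 'json'\n# constructed stand-in, not the real payload\n" \
               "WALLET = '1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2'\n")
    File.binwrite(File.join(dir, "blob.png"), "\xff\xd8\xff".b)
    scan_png_files(dir)
  end
end

if __FILE__ == $PROGRAM_NAME
  p typosquat_of("atlas-client")   # the known gem this name imitates
  p demo_scan                      # aaa.png and blob.png flagged, real.png not
end
```

Run it against an unpacked gem (`gem unpack name.gem`, then `scan_png_files("name-x.y.z")`) and against the names in a Gemfile before installing. Neither check replaces a proper component scan; they simply make the two specific tricks this campaign relied on visible.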
This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Akshay 'Ax' Sharma. Read the original post at: https://blog.sonatype.com/nexus-intelligence-insights-protect-your-bitcoins-from-700-malicious-rubygems-with-sonatype-2020-0196