
Weaponizing Open Source Through Job Recruiting

Over the last week, troubling new reports have arisen about state-sponsored threat actors leveraging modified open source applications to compromise employees’ machines at technology companies, governments, and non-profit organizations. Microsoft, Mandiant, and Ars Technica all covered the technicalities of the attack type, where bad actors pose as recruiters who target specific individuals as their victims.

These victims are led to believe they are undertaking a technical assessment as part of a recruitment process. They are asked to use a specific bundle of tools, which are modified versions of popular open source tools such as PuTTY or RealVNC. When the unsuspecting target executes any of these tools, they plant services on the system that can be used to load further malware. The threat actor gets into the victim’s workstation and is able to exfiltrate data or explore the victim’s network further for secondary targets.

This strategy has been extremely successful for the threat actors. It combines elements of a targeted attack with our implicit trust in known-good open source tools, and with trust in a process that seems legitimate and does not deviate from how we would usually expect things to work.

This subversion of an existing ‘institutional’ structure is not unique to targeted attacks but is a broader phenomenon affecting the entire open source world. We here at Sonatype have observed a similar pattern of malicious activity over the years affecting open source packages – essentially the building blocks of software – with the same modus operandi: leverage the implicit trust developers hold in open source packages, and use that trust as a vehicle of compromise.

Examples of such attacks are numerous, including actors taking over legitimate open source packages and using them to redistribute their malware. Recent examples include the takeovers of the Coa and Rc packages as well as ua-parser-js. In (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ilkka Turunen. Read the original post at: https://blog.sonatype.com/weaponizing-open-source-through-job-recruiting