CrowdStrike and Google take down botnet used by hackers to target open source software developers
CrowdStrike, working with Google and Shadowserver, a nonprofit organization that scans and monitors the internet for cyberattacks, took down a botnet that cybercriminals had used to push malware to open source software developers and steal their passwords.
The takedown was intended to disrupt the cybercriminals behind the so-called Glassworm botnet, who, according to CrowdStrike, have been targeting the broader open source software supply chain for two years.
In recent months, several hacking groups have targeted developers and open source projects in order to push malicious software to the companies and organizations that in turn use that software. These attacks can be effective because they exploit the trust that companies place in code hosted on platforms like GitHub, and in the people who maintain that code.
“Adversaries are no longer just targeting products, they’re targeting the developers who build them,” CrowdStrike wrote in its report about the takedown operation. “Developers represent uniquely high-value targets: compromising a single developer’s workstation can cascade into a supply-chain compromise that impacts thousands of downstream organizations and users.”
The Glassworm hackers used several strategies to distribute their malicious code: publishing malicious extensions on a marketplace used by developers; malvertising, in which the attackers pay for sponsored search results that trick victims into downloading malware; and reusing credentials stolen in earlier breaches to hijack developer accounts and plant malware in those developers' code.
In the end, the hackers were able to "poison," as CrowdStrike put it, more than 300 GitHub code repositories.
CrowdStrike said it was able to take down four command-and-control channels used by the Glassworm hackers, which cut off the hackers' access to infected computers and stopped them from delivering more malware. According to CrowdStrike, the command-and-control infrastructure relied on the Solana blockchain, the BitTorrent peer-to-peer network, Google Calendar, and virtual private servers.
It’s not clear under what legal or technical authority CrowdStrike and its partners operated to take down the botnet. When asked by TechCrunch, CrowdStrike spokesperson Kirsten Speas declined to comment beyond the company’s blog post.
Last week, in a separate hacking campaign dubbed “Mini Shai-Hulud,” hackers compromised several open source projects and pushed malicious updates through them. At least two OpenAI developers were compromised by that group. In another supply chain attack in March, a suspected North Korean hacker hijacked the popular open source software development tool Axios, which is used by millions of developers.