Dozens of Red Hat packages backdoored through its official NPM channel
Dozens of Red Hat packages backdoored through its official NPM channel
数十个 Red Hat 软件包通过其官方 NPM 渠道被植入后门
Official Red Hat NPM accounts have been compromised and used to push a malicious worm that spreads from machine to machine, where it pilfers sensitive credentials in hopes of stealing yet more confidential data, researchers said. 研究人员表示,Red Hat 的官方 NPM 账户已遭入侵,并被用于发布一种恶意蠕虫病毒。该蠕虫可在机器之间传播,窃取敏感凭据,旨在进一步获取更多机密数据。
The supply-chain attack began Monday and remained active at the time this post went live, according to researchers at security firm Aikido. It’s the result of the threat actor responsible for the hack taking control of @redhat-cloud-services, a legitimate channel in the npm repository that’s reserved for official Red Hat packages. As such, the channel is widely trusted by developers who rely on Red Hat cloud services. 据安全公司 Aikido 的研究人员称,此次供应链攻击始于周一,且在本文发布时仍处于活跃状态。攻击者控制了 npm 仓库中专门用于发布 Red Hat 官方软件包的合法渠道 @redhat-cloud-services。因此,该渠道深受依赖 Red Hat 云服务的开发人员信任。
It’s unclear precisely how the threat actor took control of the namespace, but it almost certainly involved the compromise of credentials required to access it, possibly through a previous supply-chain attack. More than 30 packages seem to be affected. The packages execute an obfuscated payload that can run during the npm install process, which occurs before a developer imports or actually uses the package in a production environment.
目前尚不清楚攻击者具体是如何控制该命名空间的,但几乎可以肯定涉及访问凭据的泄露,这可能是通过之前的供应链攻击实现的。目前似乎有超过 30 个软件包受到影响。这些软件包会执行一段混淆后的有效载荷,该载荷在 npm install 过程中运行,即在开发人员导入或在生产环境中使用该软件包之前就会触发。
Security firm Socket said an analysis of the malware revealed that it’s designed to collect sensitive credentials, including GitHub action secrets, npm tokens, Kubernetes and Vault material, and credentials for other cloud services. The worm then spreads by republishing backdoored packages to third-party accounts the infected device has access to. Most, but not all, of the packages had been taken down in the hours following the incident. 安全公司 Socket 表示,对该恶意软件的分析显示,其旨在收集敏感凭据,包括 GitHub Action 密钥、npm 令牌、Kubernetes 和 Vault 相关资料,以及其他云服务的凭据。随后,该蠕虫会通过将植入后门的软件包重新发布到受感染设备可访问的第三方账户中进行传播。在事件发生后的几个小时内,大部分(但并非全部)软件包已被下架。
“Organizations should treat any system that installed one of the affected @redhat-cloud-services package versions as potentially compromised,” Socket researchers wrote. “The payload executes during npm install, before application code imports or uses the package, so exposure depends on installation or CI execution, not runtime use.”
Socket 的研究人员写道:“各组织应将任何安装了受影响 @redhat-cloud-services 软件包版本的系统视为潜在的受感染系统。由于有效载荷是在 npm install 期间执行的,即在应用程序代码导入或使用该软件包之前,因此风险取决于安装或 CI(持续集成)执行过程,而非运行时使用。”
Once a system is infected, it encrypts the credentials and sends them through a web request. A fallback mechanism allows the malware to publish the encrypted data into a compromised GitHub repository, assuming it has possession of the credentials for it. The worm, dubbed Shai-Hulud, has all the hallmarks of malware released last month as freely available open source. 一旦系统被感染,恶意软件会加密凭据并通过 Web 请求将其发送出去。如果攻击者拥有相关凭据,该恶意软件还具备一种后备机制,可将加密数据发布到被入侵的 GitHub 仓库中。这种被称为“Shai-Hulud”的蠕虫病毒,具备了上个月作为免费开源软件发布的恶意软件的所有特征。
TeamPCP was the first group to use Shai-Hulud, and it promoted a competition that promised a $1,000 payment to the hacker who carried out the biggest supply-chain attack using the malware. TeamPCP has also been behind a rash of previous supply-chain attacks. Now that the worm is in the hands of many other threat groups, supply-chain attacks may ramp up further. TeamPCP 是第一个使用 Shai-Hulud 的组织,他们曾发起一场竞赛,承诺向使用该恶意软件实施最大规模供应链攻击的黑客支付 1,000 美元。TeamPCP 此前也曾策划过一系列供应链攻击。现在,随着该蠕虫落入其他多个威胁组织手中,供应链攻击可能会进一步加剧。
The malware devotes considerable attention to CI/CD (continuous integration/continuous delivery) systems, which allow for faster and more reliable software releases by automating the building, testing, and deploying of code changes. The malware spread in Monday’s attack was published through GitHub Actions OIDC (OpenID Connect), indicating that Red Hat’s CI/CD pipeline was compromised. OIDC is a security measure designed to interact with cloud services through the use of temporary credentials. 该恶意软件非常关注 CI/CD(持续集成/持续交付)系统,这些系统通过自动化构建、测试和部署代码变更,实现了更快、更可靠的软件发布。周一攻击中传播的恶意软件是通过 GitHub Actions OIDC (OpenID Connect) 发布的,这表明 Red Hat 的 CI/CD 流水线已遭入侵。OIDC 是一种旨在通过使用临时凭据与云服务进行交互的安全措施。
Once installed, the malware targets other organizations’ CI/CD credentials. The compromise of Red Hat’s GitHub Actions OIDC was very possibly the result of a previous supply-chain attack that infected an employee’s machine. 一旦安装,该恶意软件就会瞄准其他组织的 CI/CD 凭据。Red Hat 的 GitHub Actions OIDC 被入侵,极有可能是之前供应链攻击感染了某位员工机器的结果。
In an email sent after this post went live, Red Hat said it has removed the malicious packages. “The packages are strictly limited to internal development, and the malicious code was never published for customer consumption via the console.redhat.com system,” the email said. “While our investigation is ongoing, we have not identified any impact to customer or partner environments or Red Hat production systems.” 在本文发布后发送的一封电子邮件中,Red Hat 表示已删除了这些恶意软件包。邮件称:“这些软件包仅限于内部开发使用,恶意代码从未通过 console.redhat.com 系统发布给客户使用。虽然我们的调查仍在进行中,但我们尚未发现对客户或合作伙伴环境以及 Red Hat 生产系统造成任何影响。”
Given the success of other recent supply-chain attacks, anyone who touched one of the affected packages in the past 36 hours should assume compromise of their workstations, CI/CD pipelines, and all credentials for cloud services and repositories. That means employees should drop whatever they’re doing at the moment and investigate thoroughly. 鉴于近期其他供应链攻击的成功案例,任何在过去 36 小时内接触过受影响软件包的人员,都应假设其工作站、CI/CD 流水线以及所有云服务和仓库的凭据已遭泄露。这意味着员工应放下手头工作,立即进行彻底调查。
In a recent supply-chain attack that hit Checkmarx, the security firm failed to fully drive out the party responsible. Checkmarx was then hit two more times. The Checkmarx credentials used in the first attack came from a supply chain attack on the Trivy software developer. The pivot to Checkmarx and its failure to fully remediate the initial breach demonstrates the difficulty of completely recovering from such security lapses and the risks that result. 在最近针对 Checkmarx 的一次供应链攻击中,该公司未能完全清除攻击者,导致随后又遭受了两次攻击。第一次攻击中使用的 Checkmarx 凭据源于对 Trivy 软件开发商的供应链攻击。攻击者转向 Checkmarx 以及该公司未能完全修复最初的漏洞,证明了从此类安全疏忽中彻底恢复的难度以及由此产生的风险。
Both Socket and Aikido have lists of affected Red Hat packages and other indicators of compromise that any potentially affected person or organization should make use of promptly. Socket 和 Aikido 都提供了受影响的 Red Hat 软件包列表以及其他入侵指标,任何可能受影响的个人或组织都应尽快利用这些信息进行排查。