Marketplaces targeted: The Koi Security report is the latest in a series of warnings that threat actors are increasingly targeting VS Code marketplaces in supply chain attacks. Last week, Koi Security exposed a threat actor dubbed TigerJack spreading malicious extensions. And researchers at Wiz just published research showing the widespread abuse of the OpenVSX and VS Code marketplaces.

The use of Unicode to hide malware was exposed as recently as last month by researchers at Radware, who found it being used to compromise ChatGPT.

These reports should come as no surprise. Open code marketplaces, where developers can upload code for others to use in their applications, have long been targets for threat actors as vehicles for inserting malicious code into projects. The code then spreads into developer or customer environments to steal credentials and data. Collectively, these are known as supply chain attacks. Among the most targeted repositories are GitHub, GitLab and NPM.

Microsoft gives developers the ability to add extensions and themes to Visual Studio Code to make their work easier and to enhance functionality. An extension can add features like debuggers, new languages, or other development tools, while a theme is a type of extension that changes the appearance of the editor, controlling things like colors and fonts.
Leverages blockchain: Koi Security researchers came across the wormed extension in OpenVSX when their risk engine flagged suspicious activity in an update of an extension called CodeJoy, a developer productivity tool with hundreds of downloads. However, version 1.8.3 introduced some suspicious behavioural changes. The source code included what looked like a massive gap between lines that was actually malicious code encoded in unprintable Unicode characters that can’t be viewed in a code editor.

Worse, the malware uses the public Solana blockchain as command and control (C2) infrastructure for its goal of hunting for login credentials, especially those for crypto wallets. The malware also reaches out to a Google Calendar event as a backup C2 mechanism. The stolen NPM, GitHub, Git, and OpenVSX credentials also help the malware spread as a worm.

Finally, the malware injects a remote access trojan onto the workstations of victim developers, turning them into SOCKS proxy servers. The workstations can then be used to access an organization’s IT systems, becoming internal network access points, persistent backdoors, proxies for attacking other internal systems and data exfiltration channels.
Developers are ‘prime target’: Developers are a prime target for attacks these days, pointed out Johannes Ullrich, dean of research at the SANS Institute. What they often don’t realize is that any extension they install, even if it appears benign, has full access to their code and may make modifications without explicitly informing the developer.

CISOs must include developers in discussions about securing development tools, he advises. Limiting permitted tools is often counterproductive, as developers will identify workarounds to get work done. Security must cooperate with developers to assist them in using the tools they need securely, and any endpoint protection product needs to be tuned to support the unique usage patterns of developers.

This isn’t just a supply-chain problem, said Will Baxter, field CISO at Team Cymru; it’s a new infrastructure layer merging cyber-crime tooling, blockchain resilience, and developer-tooling pivoting. Registry operators, threat researchers and blockchain-monitoring partners need to share intelligence and work together more closely to flag these hybrid attacks, he added.
More advice to CSOs: Janca says to lower the risk of supply chain attacks, security leaders and application security professionals should:
- reduce attack surface whenever possible: only install features and other software that they use; for instance, uninstall any VS Code extensions that are not used, and remove all unused dependencies from code;
- monitor all employee workstations for anomalous behavior, with more focus on those who have privileged access, such as software developers;
- apply least privilege for identity and access management, especially for developer machines;
- implement a fast and efficient change management process that includes software supply chain changes;
- train developers on secure coding, protecting their supply chain, and their role during incident response, to help prevent issues like this in the future or to respond faster and more gracefully;
- use security scanning tools to reduce risk and catch issues before they become security incidents, such as extension scanners, secret scanners, supply chain security tooling (SCA and SBOM), and endpoint protection;
- follow proper secret management best practices, so that malicious packages like these cannot harvest credentials;
- use only approved repositories, marketplaces, etc. in an organization, and block all unknown or untrusted places for downloading code, packages, images, and extensions;
- harden the entire software supply chain, not just third-party components and code. This includes regular updates and locking down access to the CI/CD, developer IDEs and workstations, artifacts, and more;
- push governments to provide a solution to the very insecure open source software ecosystem that so many of us rely on. Or, give preference to closed-source development languages and frameworks, though this, she admits, wouldn’t have helped in this case, as .Net is closed source but VS Code Marketplace is not.

This article originally appeared on InfoWorld.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4076718/self-propagating-worm-found-in-marketplaces-for-visual-studio-code-extensions-2.html