Threat actors are spreading malicious extensions via VS marketplaces

What are VS extensions: Extensions and themes can be added to Visual Studio Code to make life easier for developers, as well as to enhance functionality. An extension can add features like debuggers, new languages, or other development tools, while a theme is a type of extension that changes the appearance of the editor, controlling things like colors and fonts.

Microsoft created the VSCode Marketplace as an easy place for developers to browse for extensions and themes. But developers who don't sanitize their work before uploading finished code to the VSCode or OpenVSX marketplaces risk revealing access tokens that grant anyone the ability to automatically update the extension. If those tokens are controlled by a threat actor, they can automatically update all instances of the extension to a malicious version.

The Wiz report points out that security pros and developers should realize that not only can poorly written or compromised VS extensions be a problem, so can themes. In fact, the Wiz report notes that much of this massive vulnerable install base actually consists of themes. Generally, says the report, themes are viewed as safer than other extensions because they don't carry any code. However, they still increase the attack surface, as there is no technical control to prevent malware from being bundled into them.
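The token-leak problem described above comes from credentials being packaged along with the extension. The following pre-publish check is an added example written for this page; it is not code from the article, from Wiz, or from Koi Security. It scans an in-memory set of files standing in for an extension's working tree, flagging files whose names usually hold credentials and lines that assign a long, high-entropy value to a token-like variable. The file names, variable names, regex, entropy threshold and sample contents are all constructed; the one real identifier is VSCE_PAT, the environment variable that the vsce publishing tool reads its marketplace token from.

```python
"""Pre-publish secret scan for an extension's working tree (added example, constructed data)."""
import math
import re
from collections import Counter

# Constructed list of file names that routinely contain credentials and should never be packaged.
SENSITIVE_NAMES = {".env", ".npmrc", "credentials.json"}

# Assignment of a long value to a token-like name, e.g. VSCE_PAT=..., token: '...'
ASSIGN_RE = re.compile(
    r"(?i)\b(token|pat|secret|password|vsce_pat)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-./+]{20,})"
)
# Shannon entropy (bits per character) above which a value looks like a random credential.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s):
    """Bits of entropy per character of s; 0.0 for a single repeated character."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_file(path, content):
    """Return (path, line_no, reason) findings for one file; line_no 0 means the name itself."""
    findings = []
    name = path.rsplit("/", 1)[-1]
    if name in SENSITIVE_NAMES:
        findings.append((path, 0, "sensitive file name"))
    for lineno, line in enumerate(content.splitlines(), start=1):
        for m in ASSIGN_RE.finditer(line):
            value = m.group(2)
            # Low-entropy values such as placeholders are skipped; random-looking ones are reported.
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((path, lineno, f"high-entropy {m.group(1)} assignment"))
    return findings


def scan_tree(files):
    """Scan a mapping of relative path -> file content and collect all findings."""
    findings = []
    for path, content in files.items():
        findings.extend(scan_file(path, content))
    return findings


# Constructed working tree: a theme whose author left a publishing token in two places.
# The token value below is made up and has no meaning.
SAMPLE_TREE = {
    "package.json": '{"name": "rainbow-theme", "publisher": "example-publisher"}',
    "README.md": "A theme. Set your token = changeme (placeholder) in the docs.",
    ".env": "VSCE_PAT=q7Zk2mPx9LwR4vNt8HbJ3cYd6FgA1sEu5iKo0nXr\n",
    "scripts/publish.sh": "export VSCE_PAT='q7Zk2mPx9LwR4vNt8HbJ3cYd6FgA1sEu5iKo0nXr'\nvsce publish\n",
}

if __name__ == "__main__":
    for path, lineno, reason in scan_tree(SAMPLE_TREE):
        print(f"{path}:{lineno}: {reason}")
```

The check is deliberately a heuristic: it catches the common case of a token pasted into a dotfile or a publish script, and the README placeholder is ignored because its value is short and low-entropy. A dedicated secret scanner run in CI gives better coverage, and listing files such as .env in the extension's .vscodeignore keeps them out of the package regardless of what the scan finds.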

Similar report: No organizations were impacted as a result of this issue, Rami McCarthy, principal security researcher at Wiz, told CSO.

However, in a separate discovery, this week CSO reported that researchers at Koi Security had discovered there have been more than 17,000 downloads of 11 malicious extensions from the VSC and Open VSX marketplaces, placed by a threat group called TigerJack. Two of the campaign's popular extensions, "C++ Payground" and "HTTP Format", have been removed, but the operation continues through re-uploads of the malware-infested code using fresh accounts. One of these malicious extensions, Koi Security said, quietly uploads a developer's source code to external endpoints, another uses local resources for cryptomining, and the most sophisticated variant can execute JavaScript remotely without needing fresh updates to expand or change functionalities.

McCarthy says the issue Wiz Research identified was even more severe, because it could have allowed attackers to weaponize more than a hundred legitimate extensions, automatically installing malware on over 185,000 developer machines. Wiz also found evidence that some attackers inflate download numbers through "download pumping," which can make reported installation figures unreliable.

There isn't a consistent threat model for extension marketplaces yet, McCarthy said, making it difficult for any platform to anticipate these risks. However, he added, Microsoft's marketplace has seen deeper security investment than Open VSX, and the research highlights why that matters. He agreed that the report is another example of why developers need to take more care in sanitizing their code before dropping it into open marketplaces. But, he added, it's also an example of how platforms can build in guardrails to minimize risk from individual developer errors. "Developer security is a shared responsibility between publishers and the ecosystems that host their work," he said.

Advice to CSOs, developers: Wiz says VSCode users should:

- limit the number of installed extensions in their work. Each extension introduces an extended threat surface, which should be measured against the benefit of its usage;
- review extension trust criteria. Consider installation prevalence, reviews, extension history, and publisher reputation, among other metadata, prior to adoption;
- consider auto-update tradeoffs. Auto-updating extensions ensures you receive security updates, but introduces the risk of a compromised extension pushing malware to your machine.

Corporate security teams should:

- develop an IDE extension inventory, in order to respond to reports of malicious extensions;
- consider creating a centralized allowlist for VSCode extensions;
- consider sourcing extensions from the VSCode Marketplace, which currently has higher review rigor and controls, over the OpenVSX Marketplace.

Leaders should use device management and endpoint security tooling to inventory and enforce allowlists for extensions, said Wiz's McCarthy. Centrally approving extensions helps reduce risk, but it's also important to preserve flexibility for developers, to let them use tools that drive innovation. Extensions bring real value, but their long tail can introduce a significant attack surface if unmanaged.

There is no good way to verify that an application has not been compromised, warned the SANS Institute's Ullrich. Standard endpoint and network security solutions can assist in protecting developers, but they need to be tuned to be effective, and it is difficult to identify malicious extensions. In particular, developer workstations often have specific benign usage patterns that cause excessive false positives if the solution is not carefully tuned. Thus, developers should attempt to minimize the number of extensions they install.
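The inventory and allowlist advice above can be turned into a small audit that a security team runs on developer machines. The script below is an added example written for this page, not tooling from Wiz, CSO or SANS. It parses the output of the real VS Code command `code --list-extensions --show-versions`, which prints one `publisher.name@version` line per installed extension, and sorts each entry into approved, version drift (installed but not at an approved version, which is how a hijacked auto-update would show up) or not allowlisted. The allowlist, the extension names in it and the sample command output are constructed; when the `code` binary is available the script uses the live output instead.

```python
"""Audit installed VS Code extensions against a central allowlist (added example, constructed data)."""
import re
import subprocess

# One line of `code --list-extensions --show-versions` output: publisher.name@version
LINE_RE = re.compile(r"^(?P<id>[A-Za-z0-9][\w-]*\.[\w-]+)@(?P<version>\S+)$")

# Constructed allowlist: extension id -> approved versions (an empty set approves any version).
ALLOWLIST = {
    "ms-python.python": {"2024.8.1"},
    "esbenp.prettier-vscode": set(),
}

# Constructed sample output standing in for a real `code --list-extensions --show-versions` run.
SAMPLE_OUTPUT = """ms-python.python@2024.8.1
esbenp.prettier-vscode@10.4.0
example-publisher.rainbow-theme@1.2.0
ms-python.python@2024.9.0
"""


def parse_extension_list(text):
    """Return (id, version) tuples from --show-versions output; malformed lines are skipped."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line) if line else None
        if m:
            found.append((m.group("id").lower(), m.group("version")))
    return found


def audit(installed, allowlist):
    """Classify each installed extension as approved, version_drift or not_allowlisted."""
    report = {"approved": [], "version_drift": [], "not_allowlisted": []}
    for ext_id, version in installed:
        if ext_id not in allowlist:
            report["not_allowlisted"].append((ext_id, version))
        elif allowlist[ext_id] and version not in allowlist[ext_id]:
            report["version_drift"].append((ext_id, version))
        else:
            report["approved"].append((ext_id, version))
    return report


def live_extension_list():
    """Run the real VS Code CLI; return "" if `code` is missing or fails so the sample is used."""
    try:
        out = subprocess.run(
            ["code", "--list-extensions", "--show-versions"],
            capture_output=True, text=True, check=True, timeout=30,
        )
        return out.stdout
    except (OSError, subprocess.SubprocessError):
        return ""


if __name__ == "__main__":
    text = live_extension_list() or SAMPLE_OUTPUT
    result = audit(parse_extension_list(text), ALLOWLIST)
    for bucket, items in result.items():
        for ext_id, version in items:
            print(f"{bucket:16s} {ext_id}@{version}")
```

Pinning approved versions is what makes the version_drift bucket useful: with auto-update enabled, an extension that was approved last week can silently become a different package, and a drift report is the quickest way to see that happen across a fleet. Running the audit through device management on a schedule and collecting the not_allowlisted bucket centrally gives the inventory the advice calls for, so that a report naming a malicious extension can be answered by a query rather than a manual check of every workstation.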

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4074948/threat-actors-are-spreading-malicious-extensions-via-vs-marketplaces-2.html
