There has been a recent cyber-attack by North Korean threat actors targeting employees of large technology organizations using social engineering techniques.
According to a report on the official GitHub blog, the attack is a low-volume social engineering campaign that targets the accounts of employees at technology organizations, combining repository invitations with malicious npm package dependencies.
Most of the targeted accounts are connected to web3 services such as blockchain, cryptocurrency, and online gambling businesses.
No GitHub or npm systems were compromised at the time the attack was noticed; however, a few of the targets were associated with the cybersecurity sector.
Details about the threat group:
Research conducted by GitHub's security team linked the campaign to a North Korean espionage group, tracked as Jade Sleet by Microsoft Threat Intelligence and as TraderTraitor by CISA in the United States.
The threat group mainly targets users who hold cryptocurrency, other blockchain-related firms, and vendors that use their services.
Threat Group Attack Chain:
The threat group's attack chain involves a series of steps, described below:
- The threat actor first impersonates a developer or a recruiter by creating a fake account on GitHub and on other social media platforms, including LinkedIn, Slack and Telegram. Most of these accounts are either fake profiles or legitimate accounts that have been compromised. Once the actor has engaged a victim, the conversation is typically moved to another platform.
- The threat actor then establishes contact with the intended victim by inviting them to collaborate on a GitHub repository. This repository contains malicious npm dependencies, and the attacker asks the target to clone and execute its contents. The lures used by the threat group include media players and cryptocurrency trading tools.
- The malicious npm packages act as first-stage malware, which contacts a remote server and downloads second-stage malware onto the victim's computer.
To keep their malicious code from scrutiny, the threat actors publish the malicious packages only while they are inviting a target to clone the repository. Other methods the group uses to distribute the malicious code include file-sharing platforms and direct messaging, which bypass the repository invitation and clone procedure entirely.
First Stage of the Malware Propagation:
The analysis of the first stage of the malware propagation was conducted by both GitHub and Phylum. The attack starts with a package.json file carrying a simple preinstall hook, which first installs the sync-request library directly and then runs the main.js file. This is bad practice in itself, as sync-request is not recommended for use in production applications.
The attack chain is spread across several packages, and the order in which these packages are installed is essential. The first package fetches a token from a list of remote servers and stores it in a subdirectory of the user's home directory.
Phylum's research describes in detail the stages of each package, the path it writes to, the domain, and the endpoint. However, be careful when reading the blog, as it has been reported that an anti-spyware tool flagged it as containing a trojan.
Mitigation by GitHub:
To protect its users from possible exploitation, GitHub has suspended the accounts and npm packages associated with the campaign. GitHub also published indicators to alert users to the domains used in these attacks, and filed abuse reports with web-hosting services where the domains were still running at the time of detection.
GitHub further alerted users to the actions they should take if they receive a message from any of the sources listed on its webpage requesting a clone or collaboration. These actions include the following:
- Reviewing security logs: users are advised to review their security log and look for action:repo.add_member events, to determine whether they have previously accepted an invitation to any of the listed accounts' repositories.
- Being wary of messages from social media accounts and platforms requesting collaboration on, or installation of, npm packages or software that depends on them, as this may be an attempt by the threat group to infect the victim's computer.
- Scrutinizing all recently published dependencies and installation scripts. Extra scrutiny should be applied to net-new packages, scripts or dependencies that make network connections during installation.
- Employees of cybersecurity firms who are targeted by the campaign should act swiftly by contacting their organization's cybersecurity department and notifying them immediately.
- Resetting any devices used to execute content related to this campaign, changing account passwords, and rotating sensitive credentials and tokens stored on the affected devices.
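The following is an added example, not code from GitHub, Phylum or the campaign itself: it applies the dependency-scrutiny advice above to the first-stage pattern described earlier (a preinstall hook that installs sync-request and runs main.js) by auditing a package.json and the script it launches for install-time network and execution indicators. The package.json, the main.js source and the indicator lists are all constructed for illustration.

```javascript
// Added example: flag npm lifecycle scripts that install a network library
// and execute a local file at install time. Input is a constructed
// package.json and the script it launches, embedded so this runs offline.

// Hooks npm runs automatically during `npm install`.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Indicators worth a second look in install-time code (assumed list, not
// an official one): network libraries, nested installs, process spawning,
// and execution of a bundled file.
const NETWORK_MODULES = ["sync-request", "http", "https", "net", "axios", "node-fetch"];
const RISKY_PATTERNS = [
  { name: "runs a local script at install time", re: /\bnode\s+\S+\.js\b/ },
  { name: "nested install inside a lifecycle hook", re: /\bnpm\s+(i|install)\b/ },
  { name: "spawns a process", re: /child_process|spawn\(|exec\(/ },
];

// Returns a list of human-readable findings; an empty list means nothing
// stood out. scriptSources maps file name -> source text of bundled scripts.
function auditPackage(pkgJsonText, scriptSources) {
  const pkg = JSON.parse(pkgJsonText);
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = pkg.scripts && pkg.scripts[hook];
    if (!cmd) continue;
    findings.push(`${hook}: lifecycle hook present ("${cmd}")`);
    for (const p of RISKY_PATTERNS) if (p.re.test(cmd)) findings.push(`${hook}: ${p.name}`);
    // Follow "node <file>" into the bundled file and inspect what it requires.
    const m = cmd.match(/\bnode\s+(\S+\.js)\b/);
    const src = m && scriptSources[m[1]];
    if (!src) continue;
    for (const mod of NETWORK_MODULES) {
      if (new RegExp(`require\\(['"]${mod}['"]\\)`).test(src))
        findings.push(`${m[1]}: requires network module "${mod}"`);
    }
    for (const p of RISKY_PATTERNS) if (p.re.test(src)) findings.push(`${m[1]}: ${p.name}`);
  }
  return findings;
}

// Constructed sample mirroring the described shape (not the real package).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-media-helper", version: "1.0.0",
  scripts: { preinstall: "npm install sync-request && node main.js" },
});
const SAMPLE_SCRIPTS = {
  "main.js": 'const request = require("sync-request");\nconst os = require("os");\n',
};

console.log(auditPackage(SAMPLE_PACKAGE_JSON, SAMPLE_SCRIPTS).join("\n"));
```

Run it over the package.json of any newly added dependency before installing; a hit on a preinstall hook combined with a network module is exactly the shape worth escalating.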
FixitgearwareSecurity advises users and organizations that regularly collaborate on projects to be extremely careful about the links they click, as the takeovers of social media or GitHub accounts that this threat group uses to reach high-profile employees in an organization are mostly carried out through phishing.
We hope that the mitigations outlined by GitHub are taken seriously by all, and that this group's attack chain will be brought to a halt.
Please let us know your thoughts in the comment section.