Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Programming

How a Malicious Actor Targeted a Go Package On GitHub (michenriksen.com) 26

ArghBlarg (Slashdot reader #79,067) shares some research from a senior application security engineer at GitLab: Michael Henrikson describes his investigations into Go package manager "supply chain" attacks and found at least one very suspicious package, typosquatting on one of the most popular logging libraries. The imposter package phones home to an IP he alleges belongs to the Chinese company Tencent, a good case for always going over your package imports, in any language, and ensuring you're either a) auditing them regularly, or b) keeping frozen vendored copies which you can trust.
From the article: I honestly expected the list to be bigger, but I was of course happy to see that the Go ecosystem isn't completely infested (yet) with malicious typosquat packages...

It looks like the author utfave wants to know the hostname, operating system, and architecture of all the machines using their version of urfave/cli. The function extracts the system information and then calls out to the IP address 122.51.124.140 belonging to the Chinese company Shenzhen Tencent Computer Systems via HTTP with the system information added as URL parameters. While this code won't give them any access to systems, it's highly suspicious that they collect this information and the actor can quickly change this code to call back with a reverse shell if they identify a system to be valuable or interesting...

I think Go is in a better situation than other programming languages because the source of packages is always explicitly written every time they are used, but code editor automation could make typosquat attacks more likely to happen as the developer doesn't write the import paths manually as often.

This discussion has been archived. No new comments can be posted.

How a Malicious Actor Targeted a Go Package On GitHub

Comments Filter:
  • by SuperKendall ( 25149 ) on Sunday March 07, 2021 @10:43AM (#61132948)

    This type-squatting library going to Tencent is pretty insane if you think about it carefully...

    It is a massive [wikipedia.org] company in China, doing business in all kinds of areas and near the top in most.

    Think what it means they are found to be scarping logs from go libraries everywhere. it would be like finding that Google or Facebook had deployed malicious type-squatting libraries...

    That does not happen by chance, it goes to show how deeply ingrained the Chinese government is at every level of business - for after all, why would a company as large as Tencent even want with random logging data? And why would they risk being exposed doing so unless they knew there would be zero repercussions from the government from being found doing this...

    So the world will shrug, and Tencent will continue to engage in malicious coding at scale.

    • by algaeman ( 600564 ) on Sunday March 07, 2021 @11:06AM (#61132984)
      Uh, no. It would be like finding that Google or Amazon is hosting a service for someone maliciously collecting user information. You know, their core business model.
      • Uh, no. It would be like finding that Google or Amazon is hosting a service for someone maliciously collecting user information.

        Think about that harder, would normal bad actors set up an account in Amazon to collect malware data?

        No, because that would provide avenues for tracking them down.

        This library that scrapes log data send everything to a specific IP address 122.51.124.140. If you were just using some server space you had rented you'd use some kind of domain, as the hosting company might shift aroun

        • by AC-x ( 735297 )

          Think about that harder, would normal bad actors set up an account in Amazon to collect malware data? No, because that would provide avenues for tracking them down.

          Well this is embarrassing

          https://www.cloudpro.co.uk/clo... [cloudpro.co.uk]

          "Amazon Web Services (AWS) hosts the most malware in the world, alongside GoDaddy and Google, a recently published report claims."

          This library that scrapes log data send everything to a specific IP address 122.51.124.140. If you were just using some server space you had rented you'd use some kind of domain, as the hosting company might shift around the address of your server - unless you paid even more for a fixed IP from Google/Amazon, does that sound like malware creators to you?

          This is also embarrassing

          https://intl.cloud.tencent.com... [tencent.com]

          "Tencent Cloud offers two types of IPv4 addresses for private and public network access. These IPs will not change unless you unbind or change them."

          Would it have killed you to do at least a cursory bit of research before commenting?

          • Ok, you have me convinced. Read through those two items and I agree with you that it does seem more than possible Tencent is just the host in this case.

            I still find it pretty amazing that hosting with those companies doesn't lead to more malware authors getting caught, but I guess if you sign up using fake addresses and stolen credit cards you have no exposure? I wonder how they work that.

            Thanks for the information, I appreciate it.

            • by AC-x ( 735297 )

              but I guess if you sign up using fake addresses and stolen credit cards you have no exposure?

              Exactly, you could use stolen credit cards, prepay debit cards, compromise other peoples accounts, if you wanted to live dangerously you could even slip a vulnerability into your own server then pretend to exploit it from another IP address so you have plausible deniability for why there is malware there.

              And please please please look things up before making such sure statements! :)

    • This type-squatting library

      I swear that originally was entered as "typo", can't think of many more pure examples of irony than an autocorrect mechanism changing typo to type...

      • > I swear that originally was entered as "typo", can't think of many more pure examples of irony than an autocorrect mechanism changing typo to type...

        Was it posted from your iPhone?

    • by william.mcsweeney ( 873695 ) on Sunday March 07, 2021 @11:14AM (#61133012)
      Or not... Being a big tech company they no surprise offer wide variety services (https://intl.cloud.tencent.com/) that anyone can pay to use. If someone hosts something malicious on AWS does that mean Amazon and the US government are complicit participants? Not everything is a conspiracy.
    • What, precisely, is "insane"? Hacking attacks evolve with with many poorly written, unsophisticated tools written constantly and tried around the world, though especially in nations with lax prosecution of hackers. A company as large as tendent may have many hosts that would serve as a convenient stage for such attacks: the attacker need not be a tencent employee. Genuine spyware on Chinese software and electronics should not be a surprise. Look up the BXAQ software installed on tourists' cell phones. "Phon

      • Github has been very good about publishing source code and making it visible for local review and compilation.

        It’s almost as if that’s their entire reason for existing!

        • Yes. The public git and Subversion and, years ago, the public CVS repositories have been very good about this. Some of them have gotten confused about this at times: Sourceforge rebundling binaries of GIMP for Windows with adware was an unwelcome adware, simply becuase the GPL software hosted on their site, was an infamous example of repository abuse. Though they seem to have recovered their moral stance since that incident.

    • +4 insightful conspiracy theory. Oh no, I found malware hosted on a cloud service provider... guess the cloud has AIDS... better ban Africa and other Chimpanzees from the internet.

      • Oh, btw. Did the research do any kind of follow-up with Tencent about this behavior. E. g. reporting a potential malicious user? Nope... exactly.

        • Oh, btw. Did the research do any kind of follow-up with Tencent about this behavior. E. g. reporting a potential malicious user?

          Fair question.

          Nope... exactly.

          Oh wait, it was rhetorical. Well go ahead then, show us the evidence that you have that they didn't do any followup.

          • It's not rhetorical. I genuinely want to know. The article mentions no attempt to speak to the provider, so the assumption is none was made.

            Asking for proof of abscene of evidence is currently the stupidest trend on the internet. The researcher's due diligence is to reach out to the provider. The abscene of evidence regarding this, suggests a lack of due diligence. I don't have to prove anything, the context speaks for itself.

            • Clearly you are convinced that you already know the answer, and that everyone should infer the same answer as you. That's what rhetorical means.

              • (of a question) asked in order to produce an effect or to make a statement rather than to elicit information.

                One can make a statement and elicit information in a single sentence, so it's not rhetorical. Just like any experiment, you shouldn't start without having an idea of what the outcome will be which is called "hypothesis". One of my great teachers pointed me to the truth that a question reveals more than an answer. Answers are often facts, questions are based on perspective.

                That does not happen by chance, it goes to show how deeply ingrained the Chinese government is at every level of business - for after all, why would a company as large as Tencent even want with random logging data?

                The perspective of the author is one of antagonizing China while likely not knowing anything about it or considering the total work done

    • The git repo is gone. It's sad that we don't have a public snapshot of that commit.

      It's likely to be a regular script kiddie user of Tencent Cloud, which is a copycat of Amazon Web Services, only if the commit appeared before 2021-02-17.
      If the IP or instance was purchased after 2021-02-17T13:08:49Z, things get much more interesting: 122.51.64.0/18 is announced as Guangzhou Haizhiguang communication technology Limited afterwards: https://bgp.he.net/net/122.51.... [he.net]

      This HaiZhiGuang aka SeaBright [hzgit.com] is a de [chinaipo.com]

  • I'm confused, I'm using c++ which was supposed to be extremely unsafe.

    I've never had a need to "audit my imports". Mostly because typing a random import line in my "unsafe" language doesn't automatically install crap from third party servers.

    These hipsters....

    • Different kinds of unsafe. Like the difference between locking your keys in your car and getting AIDS...

      But it does bring up the question how valuable walked gardens are for package repository. It seems like a problem APT has solved reasonably.

      • There are some things "apt" has, indeed, done well. Some of the practices commonplace to apt packagers have proven quite dangerous. Running system applications like httpd and tomcat out of /home/apache or /home/tomcat directories, and the tendency to accumulate poptentially conflicting or incompatible repositories are dangerous and require some attention to manage. But overall, I'm quite impressed with the system.It seems to have resisted some of the unwelcome and unnecessary features of RPM, such as the "m

Ocean: A body of water occupying about two-thirds of a world made for man -- who has no gills. -- Ambrose Bierce

Working...