Yearlong Supply-Chain Attack Targeting Security Pros Steals 390,000 Credentials (arstechnica.com) 7
An anonymous reader quotes a report from Ars Technica: A sophisticated and ongoing supply-chain attack operating for the past year has been stealing sensitive login credentials from both malicious and benevolent security personnel by infecting them with Trojanized versions of open source software from GitHub and NPM, researchers said. The campaign, first reported three weeks ago by security firm Checkmarx and again on Friday by Datadog Security Labs, uses multiple avenues to infect the devices of researchers in security and other technical fields. One is through packages that have been available on open source repositories for over a year. They install a professionally developed backdoor that takes pains to conceal its presence. The unknown threat actors behind the campaign have also employed spear phishing that targets thousands of researchers who publish papers on the arXiv platform.
The objectives of the threat actors are also multifaceted. One is the collection of SSH private keys, Amazon Web Services access keys, command histories, and other sensitive information from infected devices every 12 hours. When this post went live, dozens of machines remained infected, and an online account on Dropbox contained some 390,000 credentials for WordPress websites taken by the attackers, most likely by stealing them from fellow malicious threat actors. The malware used in the campaign also installs cryptomining software that was present on at least 68 machines as of last month. It's unclear who the threat actors are or what their motives may be. Datadog researchers have designated the group MUT-1244, with MUT short for "mysterious unattributed threat."
The objectives of the threat actors are also multifaceted. One is the collection of SSH private keys, Amazon Web Services access keys, command histories, and other sensitive information from infected devices every 12 hours. When this post went live, dozens of machines remained infected, and an online account on Dropbox contained some 390,000 credentials for WordPress websites taken by the attackers, most likely by stealing them from fellow malicious threat actors. The malware used in the campaign also installs cryptomining software that was present on at least 68 machines as of last month. It's unclear who the threat actors are or what their motives may be. Datadog researchers have designated the group MUT-1244, with MUT short for "mysterious unattributed threat."
Re: (Score:2)
Don't be too sure. One "skilled in the art" will be much less likely to fall for a trap that should appear obvious to them, but everyone has an off day, everyone as periods when they aren't paying enough attention. Just last week I made a mistake adding two numbers together. This was a mistake I shouldn't have made, and when I went back over it a few hours later I caught it. How often have I made a mistake and not caught it? There's no way to tell. (Just yesterday I left the semicolon off at the end o
Re: (Score:2)
Anyone can make the mistake of npm installing a trojanned package. There's too many packages these days, and noone reads the source code for everything you install.
However; I feel like a security pro should not have unprotected Keys sitting on their system for malware to steal in the first place. From what I read it copies SSH keys every 12 hours. The current best practice for SSH keys is always generate them in a Hardware module or cryptographic authenticator and never save your keys as files to a d
Pros? (Score:2)