A review of the ongoing darknet risks associated with the compromise of Version Control Systems (VCS) and other software supply chain version control systems. Our full report can be found here.

Research from DarkOwl analysts continues to indicate that software programming and engineering tools are a viable exploitation vector

Last week, a maintainer for NPM package – a widely used package manager for the JavaScript programming language – showcased how potentially powerful supply chain attacks on software development and components can be. This individual, an open-source software developer known as RIAEvangelist, intentionally embedded malware in the latest stable release of a popular repository called node-ipc out of protest for Putin’s atrocities against Ukraine. The malware is officially labeled ‘peacenotwar’ and deploys with a readme file titled WITH-LOVE-FROM-AMERICA.txt, and notably only is triggered to install on devices with a Belarus or Russia geo-located IP addresses.

Developers and security researchers around the world have been equally appalled and conflicted by the intentional sabotage of an open-source software package. Many are particularly concerned about the reputational damage these incidences cause to the open-source software development movement.

Despite general widespread sentiments against Putin’s invasion of Ukraine, the open source software development community has marked RIAEvanglist’s NPM package as malicious, because this individual chose to deploy malware in the digital supply chain ecosystem.

“This code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia's aggression that threatens the world right now. This module will add a message of peace on your users’ desktops, and it will only do it if it does not already exist just to be polite.” 

     - peacenotwar source code description

Exploitation of software-build processes and code repositories facilitates wider, more-catastrophic distribution of malware and enterprise-level software compromise. By poisoning software development, update processes, and link dependencies, threat actor’s malicious codes can be potentially distributed to thousands of users without need for social engineering, e-mail compromise, or drive-by-download malware delivery mechanisms.

In recent months, DarkOwl has observed a significant increase in instances of malware developers mentioning or discussing direct attacks to international software supply chain. In many cases, this chatter was centered around plans that involved targeting popular open-source software developer repositories like Github and Bitbucket, as well as associated software digital support infrastructure.

Exploiting Version Control Systems (VCS) and poisoning supply chains is not a new threat vector. In 2021, the Kaseya ransomware attack – via a simple malicious software update pushed to thousands of users by notorious ransomware gang, REvil – highlighted the extensive threat to software supply chains and cloud-based commercial software repositories. (Source)

The December 2020, the Solarwinds attack similarly inspired international concern for the integrity of commercial enterprise software and underscored the need for widespread implementation of zero trust architectures. (Source)

Another example of a threat actor group exploiting digital supply chain vulnerabilities is the hacking group LAPSUS$. The increasingly active group most recently announced that they had acquired privileged access to digital authenticator Okta’s networks via a support engineer’s thin client. The result of Okta’s compromise exposed significant intelligence findings, and highlights the overarching risks at stake to any software development and operational lifecycle. (Source)

Brief summary of how LAPSUS$ leveraged supply chain exploits to compromise global software company Okta:

• LAPSUS$ most likely gained access to Okta using credentials purchased on the deep web marketplace: Genesis Market, proving the underground continues to feed criminal empires.
• AWS credentials and code repository tokens were likely stored in company Slack messaging systems that LAPSUS$ then utilized to move laterally through peripherally associated digital infrastructure.
• LAPSUS$ clearly stated they were not interested in Okta, but the customers Okta supported and had access to.
• Okta’s implementation of zero trust architectures called into question given level of access available to third-party support engineer account.
• Okta estimates at least 366 unique clients’ organizational data could have been accessed by the threat group via the initial compromised privileged access.

We are witnessing – in real time – the terrifying realization of the dangers to software supply chains via malicious compromise of the tools and infrastructure critical to supporting the software development lifecycle. Any product or service that touches one’s network, i.e. customer relationship management (CRM) software, software version control (VCS) utilities, authenticators, payroll and timekeeping accounting systems, cloud service providers, internal employee messaging platforms (Slack, Teams, etc.) are all potential targets for compromise.

Research from our analysts

Version control systems and software supply chains are a viable and high consequential attack vector readily exploited by cybercriminal organizations, nation state actors, and hacktivists from the darknet. DarkOwl believes there will be continued and increased attacks against dependency libraries and software package managers, such as NPM and PyPI, with the intention of stealing information and establishing long term persistence in the victim machines. Read full report here.

Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use-case.