“Yearlong Supply-Chain Breach Affects 390,000 Credentials of Security Experts”

### An Elaborate Supply-Chain Attack Aims at Hackers: The Multifaceted Campaign of MUT-1244

In a disturbing discovery, cybersecurity experts have revealed a lengthy, intricately designed supply-chain attack targeting both malicious and ethical hackers. The operation, led by an enigmatic group known as **MUT-1244**, has utilized Trojanized open-source software to compromise the devices of security researchers and developers, exfiltrating valuable credentials and installing cryptomining malware. This article explores the complexities of the attack, its techniques, and the potential ramifications.

### The Attack Exposed: Trojanized Open-Source Software

The campaign initially surfaced due to investigations conducted by security companies **Checkmarx** and **Datadog Security Labs**. The main attack vector employed by MUT-1244 involved Trojanized versions of open-source software disseminated through popular repositories such as **GitHub** and **NPM**. These packages, which seemed legitimate and harmless, were tactically updated over time to incorporate malicious components.

One such package, **@0xengine/xmlrpc**, originally presented itself as a JavaScript implementation of the XML-RPC protocol for Node.js. Throughout the year, it experienced 16 updates, gradually morphing into a sophisticated malware tool. Its harmful capabilities remained inactive until activated by specific commands, complicating detection significantly.

Another package, **yawpp**, found on GitHub, was promoted as a WordPress credential-checking utility. Although yawpp itself did not harbor malicious code, it depended on @0xengine/xmlrpc as a requirement, guaranteeing that the malware was installed along with it.

### The Goals: Information Theft and Cryptomining

MUT-1244’s objectives seem to be diverse. The attackers mainly aimed to exfiltrate sensitive data, including:

– **SSH private keys** and configurations.
– **Amazon Web Services (AWS)** access keys.
– **Command histories** from compromised devices.
– **WordPress administrative credentials**, with over 390,000 stolen credentials located in a Dropbox account.

Moreover, the malware installed cryptomining software on infected machines, generating cryptocurrency such as **Monero**. As of last month, at least 68 machines had been actively mining cryptocurrency for the attackers.

### Infection Methods: Spear Phishing and Proof-of-Concept Exploits

MUT-1244 utilized various infection methods to broaden its impact:

1. **Spear Phishing Attacks**: The attackers targeted researchers publishing on platforms like **arXiv**, sending deceptive emails prompting recipients to download a counterfeit CPU microcode update. These communications, dispatched between October 5 and October 21, were crafted to appeal to high-performance computing researchers.

2. **Trojanized Proof-of-Concept Exploits**: The group uploaded at least 49 malicious GitHub repositories featuring Trojanized proof-of-concept exploits for security vulnerabilities. These repositories were designed to attract both malicious entities and security experts.

3. **Credible-Looking Sources**: Some harmful packages were integrated into legitimate sources like **Feedly Threat Intelligence** and **Vulnmon**, further bolstering their credibility and increasing the chances of installation.

### Stealth and Longevity: How the Malware Functioned

The malware’s stealth and longevity strategies were crucial to its effectiveness. Once installed, it camouflaged itself as a legitimate session authentication service named **Xsession.auth**. Every 12 hours, the malware meticulously collected sensitive system information, which included:

– **SSH keys** from `~/.ssh`.
– **Command history** from `~/.bash_history`.
– **System settings** and environment variables.
– **Network and IP details** through **ipinfo.io**.

The exfiltrated data was subsequently uploaded to cloud storage services like Dropbox or file.io, allowing the attackers to access it from afar.

### Compromise Indicators and Detection

Both Checkmarx and Datadog have issued comprehensive reports detailing indicators of compromise (IOCs) to assist organizations and individuals in discerning if they have been targeted. These encompass specific file names, command flags, and network patterns associated with the malware.

### The Broader Context: Consequences and Open Questions

The MUT-1244 campaign prompts several significant inquiries:

1. **Who Are the Perpetrators?**: The identity and motivations of MUT-1244 remain elusive. Despite showcasing a high degree of technical prowess, their ultimate objectives are ambiguous.

2. **Why Focus on Security Researchers?**: If the main aim was cryptomining, the targeting of security experts appears suboptimal. Conversely, if the intent was to undermine researchers, the inclusion of cryptomining malware seems counterintuitive, as it raises the chances of detection.

3. **What Are the Long-Term Consequences?**: The campaign emphasizes the vulnerabilities present in the open-source landscape. It highlights the necessity for thorough vetting and monitoring of open-source packages, especially those utilized in sensitive settings.

### Conclusion: An Urgent Alert

Read More