https://arstechnica.com/security/2024/12/yearlong-supply-chain-attack-targeting-security-pros-steals-390k-credentials/

EXPLOITING WEAK LINKS

Yearlong supply-chain attack targeting security pros steals 390K credentials

Multifaceted, high-precision campaign targets malicious and benevolent hackers alike.

Dan Goodin - Dec 13, 2024 4:46 pm

[malware] Credit: Getty Images

A sophisticated and ongoing supply-chain attack, active for the past year, has been stealing sensitive login credentials from both malicious and benevolent security personnel by infecting them with Trojanized versions of open source software from GitHub and NPM, researchers said.

The campaign, first reported three weeks ago by security firm Checkmarx and again on Friday by Datadog Security Labs, uses multiple avenues to infect the devices of researchers in security and other technical fields. One is through packages that have been available on open source repositories for over a year. They install a professionally developed backdoor that takes pains to conceal its presence. The unknown threat actors behind the campaign have also employed spear phishing that targets thousands of researchers who publish papers on the arXiv platform.

Unusual longevity

The objectives of the threat actors are also multifaceted.
One is the collection of SSH private keys, Amazon Web Services access keys, command histories, and other sensitive information from infected devices every 12 hours. When this post went live, dozens of machines remained infected, and an online account on Dropbox contained some 390,000 credentials for WordPress websites taken by the attackers, most likely by stealing them from fellow malicious threat actors. The malware used in the campaign also installs cryptomining software, which was present on at least 68 machines as of last month.

It's unclear who the threat actors are or what their motives may be. Datadog researchers have designated the group MUT-1244, with MUT short for "mysterious unattributed threat."

The campaign first came to light when Checkmarx recently discovered @0xengine/xmlrpc, a package that had circulated on the NPM JavaScript repository since October 2023. @0xengine/xmlrpc began as a benign package offering a JavaScript implementation of the widely used XML-RPC protocol and a client for Node.js.

[0xengine-on-npm] A screenshot showing the NPM page where @0xengine/xmlrpc was available. Credit: Checkmarx

Over time, the package slowly and strategically evolved into the malware it is today. A significant change eventually introduced heavily obfuscated code hidden in one of its components. In its first 12 months, @0xengine/xmlrpc received 16 updates, giving developers the impression it was a benign and legitimate code library that could be trusted in sensitive environments.

MUT-1244 complemented @0xengine/xmlrpc with a second package, this one hosted on GitHub. Titled yawpp and available at hxxps[:]//github[.]com/hpc20235/yawpp, the package presented itself as a tool for WordPress credential checking and content posting.
There's no malicious code in yawpp itself, but because the package declares @0xengine/xmlrpc as a dependency, supposedly for XML-RPC communication with WordPress sites, the malicious package was installed automatically alongside it.

"The combination of regular updates, seemingly legitimate functionality, and strategic dependency placement has contributed to the package's unusual longevity in the NPM ecosystem, far exceeding the typical lifespan of malicious packages that are often detected and removed within days," Checkmarx researcher Yehuda Gelb wrote last month.

The malicious functionality of the @0xengine/xmlrpc package was made all the more stealthy by remaining dormant unless triggered through one of two vectors:

+ Direct package users execute any command with the '-targets' or '-t' flag. This activation occurs when running the package's validator functionality, which masquerades as an XML-RPC parameter validation feature.
+ Users installing the "yawpp" WordPress tool from GitHub automatically receive the malicious package as a dependency. The malware activates when running either of yawpp's main scripts (checker.js or poster.js), as both require the '-targets' parameter for normal operation.

[Attack-Flow-checkmarx-white-bkg-640x408] The attack flow as shown in a diagram from Checkmarx. Credit: Checkmarx

The malware maintained persistence (the ability to run again each time the infected machine was rebooted) by disguising itself as a legitimate session authentication service named Xsession.auth. Every 12 hours, Xsession.auth would initiate a systematic collection of sensitive system data, including:

+ SSH keys and configurations from ~/.ssh
+ Command history from ~/.bash_history
+ System information and configurations
+ Environment variables and user data
+ Network and IP information through ipinfo.io

The stolen data would then be uploaded to either an account on Dropbox or file.io.
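The yawpp-to-@0xengine/xmlrpc chain is exactly what a lockfile audit should surface: the package a developer consciously installed is clean, and the malicious one arrives only as a transitive dependency. As an added example, not code from Checkmarx, Datadog, or the yawpp or @0xengine/xmlrpc projects, the following JavaScript walks an npm package-lock.json (lockfileVersion 2 or 3 "packages" map), resolves each declared dependency the way Node does (nearest node_modules directory, then walking up the tree), and reports every install chain that reaches a flagged package name. The sample lockfile, the project name wp-audit-tooling, and the version strings are constructed for illustration and are not from the article.

```javascript
// Added example (not code from Checkmarx, Datadog, or any package the article
// names): find install chains in an npm lockfile that reach a flagged package,
// including chains that exist only through transitive dependencies.

// Packages to hunt for. @0xengine/xmlrpc is the name reported in the article.
const FLAGGED = new Set(["@0xengine/xmlrpc"]);

// Constructed sample lockfile (an assumption, not a real project): the root
// project depends on yawpp, which lists @0xengine/xmlrpc as an ordinary
// dependency, mirroring the chain described above. Versions are placeholders.
const SAMPLE_LOCK = {
  name: "wp-audit-tooling",
  lockfileVersion: 3,
  packages: {
    "": { name: "wp-audit-tooling", dependencies: { yawpp: "*", lodash: "^4" } },
    "node_modules/yawpp": { version: "0.0.0", dependencies: { "@0xengine/xmlrpc": "*" } },
    "node_modules/@0xengine/xmlrpc": { version: "0.0.0" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

// Package name from a lockfile path: "node_modules/a/node_modules/@s/b" -> "@s/b".
function pkgName(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Resolve `dep` as required by the package installed at `fromPath` ("" is the
// project root): try fromPath/node_modules/dep, then each ancestor's
// node_modules, which is Node's own lookup order. Returns the lockfile path of
// the resolved entry, or null if the lockfile has no matching entry.
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${dep}` : `${base}/node_modules/${dep}`;
    if (Object.prototype.hasOwnProperty.call(packages, candidate)) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the project root. Each installed entry is expanded
// once, so the result holds one chain per dependency edge that lands on a
// flagged entry (root name first, flagged package last).
function findFlaggedChains(lock, flagged = FLAGGED) {
  const packages = lock.packages || {};
  const chains = [];
  const expanded = new Set();

  function walk(lockPath, chain) {
    if (expanded.has(lockPath)) return;
    expanded.add(lockPath);
    const entry = packages[lockPath] || {};
    // Merge all dependency kinds; undefined sources are ignored by Object.assign.
    const deps = Object.assign({}, entry.dependencies, entry.devDependencies, entry.optionalDependencies);
    for (const dep of Object.keys(deps)) {
      const target = resolveDep(packages, lockPath, dep);
      if (target === null) continue; // not installed (e.g. optional dep skipped)
      const next = chain.concat(pkgName(target));
      if (flagged.has(pkgName(target))) chains.push(next);
      walk(target, next);
    }
  }

  walk("", [lock.name || "(root)"]);
  return chains;
}

// Stand-alone run over the constructed sample.
for (const chain of findFlaggedChains(SAMPLE_LOCK)) {
  console.log("flagged dependency reachable via: " + chain.join(" -> "));
}
```

On a checked-out project, read the real file with JSON.parse(fs.readFileSync("package-lock.json", "utf8")) and pass it to findFlaggedChains; for an already-installed tree, npm ls @0xengine/xmlrpc gives the same answer. The script is for the case where only the lockfile is at hand, for example from a repository or a CI artifact, and it is only as good as the name list you feed it: a renamed or newly published lookalike will not match.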
Monitoring the wallet where mined Monero cryptocurrency was deposited indicated the malware was running on machines in the real world.

[mining-activity] Screenshot showing a graph tracking mining activity. Credit: Checkmarx

But wait, there's more

On Friday, Datadog revealed that MUT-1244 employed additional means for installing its second-stage malware. One was through a collection of at least 49 malicious entries posted to GitHub that contained Trojanized proof-of-concept exploits for security vulnerabilities. Such packages normally help malicious and benevolent security personnel alike better understand the extent of vulnerabilities, including how they can be exploited or patched in real-life environments.

A second major vector for spreading @0xengine/xmlrpc was through phishing emails. Datadog discovered MUT-1244 had left a phishing template, accompanied by 2,758 email addresses scraped from arXiv, a site frequented by professional and academic researchers.

[phishing-email] A phishing email used in the campaign. Credit: Datadog

The email, directed to people who develop or research software for high-performance computing, encouraged them to install a CPU microcode update that would supposedly improve performance significantly. Datadog later determined that the emails had been sent from October 5 through October 21.

[mut1244] Additional vectors discovered by Datadog. Credit: Datadog

Further adding to the impression of legitimacy, several of the malicious packages were automatically picked up by legitimate sources, such as Feedly Threat Intelligence and Vulnmon. These sites listed the malicious packages as proof-of-concept repositories for the vulnerabilities the packages claimed to exploit. "This increases their look of legitimacy and the likelihood that someone will run them," Datadog said.

The attackers' use of @0xengine/xmlrpc allowed them to steal some 390,000 credentials from infected machines.
Datadog has determined the credentials were for use in logging into administrative accounts for websites that run the WordPress content management system.

Taken together, the many facets of the campaign (its longevity, its precision, the professional quality of the backdoor, and its multiple infection vectors) indicate that MUT-1244 was a skilled and determined threat actor. The group did, however, err by leaving the phishing email template and addresses in a publicly available account.

The ultimate motives of the attackers remain unclear. If the goal were to mine cryptocurrency, there would likely be better populations than security personnel to target. And if the objective was targeting researchers, as other recently discovered campaigns have done, it's unclear why MUT-1244 would also employ cryptocurrency mining, an activity that's often easy to detect.

Reports from both Checkmarx and Datadog include indicators people can use to check if they've been targeted.

Dan Goodin, Senior Security Editor. Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. Dan is based in San Francisco. Contact him on Signal at DanArs.82.