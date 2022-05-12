On April 29, the cybersecurity company Snyk (its Security Research team) announced that it had detected a cyber attack targeting several large industrial companies based in Germany. The method chosen to carry out the attack consisted of planting malicious code in npm dependencies, so that it would spread among developers through this popular Node.js package registry and package manager.

The packages in question (such as gxm-reference-web-auth-server) contained package.json files that declared post-install scripts, which in turn invoked .js files shipped inside the package itself. Those scripts collected and exfiltrated information from the affected systems and set up backdoors that allowed the attackers to take control of the machine.
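The two things worth checking for in your own projects after a story like this are lifecycle install hooks (a package.json `preinstall`/`install`/`postinstall` entry that runs a script bundled with the package) and internal package names that a lockfile shows being fetched from the public registry, which is the dependency-confusion symptom. The following audit script is an added example written for this article; it is not code from Snyk, JFrog or Code White, and the package names, versions, the internal registry host `npm.internal.example` and both JSON documents are constructed samples, not the real packages from the incident.

```javascript
// Added example: audit npm metadata for install hooks and dependency confusion.
// All inputs below are constructed for illustration (hypothetical names/hosts).

// npm runs these scripts automatically on `npm install`; a bundled .js file
// invoked from one of them is exactly the pattern described in the article.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Return every install-phase hook declared in a package.json, flagging those
// that execute a JavaScript file shipped with the package itself.
function findInstallHooks(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const scripts = pkg.scripts || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({
      hook,
      command: scripts[hook],
      runsLocalFile: /\bnode\s+\S*\.js\b/.test(scripts[hook]),
    }));
}

// Walk a lockfileVersion 2/3 package-lock.json and report any package whose
// name is on the internal list but whose tarball was resolved from a host
// other than the internal registry. That is what a successful dependency
// confusion attack looks like after `npm install` has run.
function findConfusedDeps(lockJsonText, internalNames, internalRegistryHost) {
  const lock = JSON.parse(lockJsonText);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.startsWith('node_modules/')) continue; // skip the root project entry
    const name = path.slice('node_modules/'.length);
    if (!internalNames.has(name) || !entry.resolved) continue;
    const host = new URL(entry.resolved).host;
    if (host !== internalRegistryHost) {
      findings.push({ name, version: entry.version, resolved: entry.resolved });
    }
  }
  return findings;
}

// Constructed sample package.json: a post-install hook running a bundled file.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-internal-auth',
  version: '1.0.0',
  scripts: { postinstall: 'node ./lib/setup.js', test: 'jest' },
});

// Constructed sample package-lock.json. The internal name 'example-internal-auth'
// resolved from registry.npmjs.org at an implausibly high version (99.0.0), which
// is how a public look-alike wins version resolution over the real internal package.
const SAMPLE_LOCK_JSON = JSON.stringify({
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '0.1.0' },
    'node_modules/example-internal-auth': {
      version: '99.0.0',
      resolved: 'https://registry.npmjs.org/example-internal-auth/-/example-internal-auth-99.0.0.tgz',
    },
    'node_modules/example-internal-utils': {
      version: '2.3.1',
      resolved: 'https://npm.internal.example/example-internal-utils/-/example-internal-utils-2.3.1.tgz',
    },
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
    },
  },
});

// Hypothetical list of names that should only ever come from the internal registry.
const INTERNAL_NAMES = new Set(['example-internal-auth', 'example-internal-utils']);
const INTERNAL_REGISTRY_HOST = 'npm.internal.example';

function auditSample() {
  return {
    hooks: findInstallHooks(SAMPLE_PACKAGE_JSON),
    confused: findConfusedDeps(SAMPLE_LOCK_JSON, INTERNAL_NAMES, INTERNAL_REGISTRY_HOST),
  };
}

console.log(JSON.stringify(auditSample(), null, 2));
```

The lockfile check is the more durable of the two: `npm install --ignore-scripts` blocks the hook but not the substitution, whereas a lockfile entry for an internal name pointing at registry.npmjs.org is evidence that the wrong package was resolved regardless of what it does at install time. Scoping internal packages (`@yourorg/name`) and pinning that scope to the internal registry in `.npmrc` removes the ambiguity that the attack depends on.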

Hours after the attack was detected, the npm registry maintainers removed the affected packages. The perpetrators of the attack, however, had yet to be identified.

Then, two days ago, another cybersecurity company, JFrog, dug into the malicious packages detected by Snyk and analyzed the indicators it had on hand, leaving open the possibility that this was not a real cyber attack but rather a simulated one, carried out to test the security of the affected companies:

“On the one hand, we have strong indicators that this would be a sophisticated real threat actor:

- All code used is custom.
- The attack is highly targeted and relies on hard-to-obtain privileged information (private package names).
- The payload is extremely malicious and contains features that are not needed in a simple pentest (for example, dynamic configuration parameters).
- The uploaded packages had no descriptions or indications that they are being used for pentesting purposes.

On the other hand, some other indicators could suggest that we are facing a penetration test (albeit a very aggressive one!):

- The usernames created in the npm registry did not attempt to hide the target company.
- The obfuscator used was public, so it could be easily detected and reversed.”

Mystery solved

However, a few hours after JFrog's blog post, another company in the industry, Code White, which specializes in threat intelligence and pentesting, claimed responsibility for the attack, confirming what JFrog had suspected: it was really a pentesting exercise (a penetration test, in which a simulated attacker tries to breach the security measures of the company that has asked to be assessed). In a tweet directed at Snyk, they wrote the following:

@snyksec Tnx for your excellent analysis at https://t.co/UoshhgaDgx and don’t worry, the “malicious actor” is one of our interns 😎 who was tasked to research dependency confusion as part of our continuous attack simulations for clients. (1/2) — Code White GmbH (@codewhitesec) May 10, 2022

In other words: thanks for the excellent analysis, and no need to worry, the “malicious actor” is one of their interns, who was tasked with researching dependency confusion as part of the attack simulations the company runs for its clients.

However, a JFrog executive, Shachar Menashe, senior director of security research, commented after learning of Code White's admission that the way in which the company had carried out its tests “was not very normal and could have problematic implications”. Even worse:

“I am also concerned that there will be a situation where this backdoor code can be hijacked by a real threat actor, and used to cause real harm.”

Via | The Register