Supply chain attack hits 26 open source projects on GitHub
Threat actors conducted an unprecedented supply chain attack by using malware known as Octopus Scanner to create backdoors in open source projects, which were uploaded to GitHub.
GitHub revealed Thursday that 26 open source projects on its platform had been compromised in a massive supply chain attack.
In March, an anonymous security researcher discovered open source software (OSS) supply chain malware, dubbed Octopus Scanner, in a set of repositories on the GitHub platform. The researcher, who goes by the name "JJ" and writes a security blog called DFIR IT, notified GitHub's security incident response team. "The malware is capable of identifying the NetBeans project files and embedding malicious payload both in project files and build JAR files," JJ wrote in the report to GitHub.
After investigating the malware, GitHub's security incident response team uncovered 26 OSS projects that were compromised by the malware and actively serving backdoored code. Additional analysis revealed the malware was designed to enumerate and backdoor NetBeans projects and uses the build process and its resulting artifacts to spread itself. According to Nico Waisman, head of GitHub Security Lab, this is the first time they have seen such malware.
"We've seen many different supply chain attacks at different scales; however, this unique malware aimed at developers is unique to our team," Waisman said.
In the report on Octopus Scanner, GitHub Security Lab researcher Alvaro Muñoz noted the threat actors' decision to focus on NetBeans was interesting because it's not the most common Java integrated development environment. "If malware developers took the time to implement this malware specifically for NetBeans, it means that it could either be a targeted attack, or they may already have implemented the malware for build systems such as Make, MSBuild, Gradle and others as well and it may be spreading unnoticed," he wrote.
Once the malware behavior was identified, uncovering all 26 backdoors was achieved through a code search, Waisman said. "It was rather simple. The only issue we encountered was that the malware samples were not detected broadly by an antivirus [scan]," he added.
While there could be new variants in the future, Waisman said the command and control server for Octopus Scanner has been deactivated, "so the malware campaign is over."
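Because the malware described above plants its payload in the project's build JARs, one defensive check a maintainer can run before publishing or caching an artifact is to compare the JAR's class entries against the project's own source tree. The script below is an added example, not code from GitHub, the researcher or the article; the source paths, JAR entries and the `com/example/cache/Loader.class` name are constructed for illustration.

```python
import io
import zipfile

# Constructed sample: the .java files a NetBeans project keeps under src/,
# relative to that source root. Names are hypothetical.
SOURCE_FILES = [
    "com/example/App.java",
    "com/example/util/Helper.java",
]

def expected_classes(source_files):
    """Top-level class entries a clean build of these sources should produce."""
    return {f[:-len(".java")] for f in source_files if f.endswith(".java")}

def unexpected_classes(jar_bytes, expected):
    """Return .class entries in the JAR that no source file accounts for.

    Inner and anonymous classes (Foo$1.class) are credited to their outer
    class. Anything left over was not compiled from the project's own sources
    and deserves a manual look before the artifact is shipped or cached.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            outer = name[:-len(".class")].split("$", 1)[0]
            if outer not in expected:
                flagged.append(name)
    return sorted(flagged)

def build_sample_jar():
    """Constructed JAR: legitimate classes plus one entry with no source behind it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        jar.writestr("com/example/App$1.class", b"\xca\xfe\xba\xbe")
        jar.writestr("com/example/util/Helper.class", b"\xca\xfe\xba\xbe")
        # Hypothetical extra class: nothing under src/ would compile to it.
        jar.writestr("com/example/cache/Loader.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()

def audit_sample():
    """Run the check over the constructed JAR and source list."""
    return unexpected_classes(build_sample_jar(), expected_classes(SOURCE_FILES))

if __name__ == "__main__":
    for entry in audit_sample():
        print("no source for:", entry)
```

The check treats the committed source tree as the trusted reference, so pair it with a version-control diff of the project's build files, which the same malware also modifies.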
This wasn't the first instance of a widespread compromise discovered on GitHub by JJ.
Backdoor backstory
According to GitHub, JJ first detected signs of widespread OSS compromises more than a year ago. In a blog post aptly titled "The Supreme Backdoor Factory," published in February 2019, JJ explained that they observed unusual behavior in an installer for JXplorer, a Lightweight Directory Access Protocol browser, found in a GitHub repository. The researcher later discovered the presence of BlazeBot, a Java-based bot program designed to purchase limited edition sneakers in large numbers and bypass any per-customer limits.
In addition, the modified version of JXplorer contained hardcoded URLs that downloaded other software, including what appeared to be a remote access Trojan that would grant backdoor access to systems that installed the browser; the same RAT was found in the compromised open source projects this year. After further investigation, JJ found a small network of interconnected GitHub accounts that "starred" or followed the malicious JXplorer repository, and those accounts were hosting backdoored open source programs of their own.
One account, registered to the name "Andrew Dunkins," contained 305 backdoored binaries across nine GitHub repositories. JJ uncovered an additional 73 repositories with nearly 90 connected accounts.
"I initially planned to keep this write-up short and focus on dissecting suspicious JXplorer binary," JJ wrote in the 2019 post. "However, analyzing the JXplorer binary turned out to be only the first step into the world of backdoored software." GitHub removed all of the malicious repositories and deleted the suspicious accounts. "So is this the end?" JJ wrote in the conclusion of his post. "I don't think so."
While there are similarities between the backdoored repositories JJ found last year and the compromised open source projects discovered this year, it's unclear if the same threat actors were involved.
While supply chain attacks are no longer uncommon, Muñoz said the Octopus Scanner case indicated a "disturbing trend."
"In an OSS context, it gives the malware an effective means of transmission since the affected projects will presumably get cloned, forked, and used on potentially many different systems," Muñoz wrote. "The actual artifacts of these builds may spread even further in a way that is disconnected from the original build process and harder to track down after the fact."
Security news director Rob Wright contributed to this report.