The Rising Threat of Infostealers in Open-Source Projects


We now know that the cause of the Bybit hack was a supply-chain attack that came through a vendor it used, Safe{Global}. The supply-chain attack was carried out using AWS credentials stolen from a developer’s device after it was compromised. While Safe{Wallet} did not disclose how that employee’s device was compromised, an infostealer infection is a likely explanation.

Given that the employee was a developer, an infostealer infection is an even more probable explanation. Developers face a greater risk of infostealer infections because of how cybercriminals target them. Cybercriminals no longer rely only on video game cheats and cracked software to infect devices; increasingly, they create malicious open-source projects on GitHub that look completely safe and benign in order to infect unsuspecting users.

Threat actors exploit the false sense of safety that open-source projects often convey. The common thought process is that since anyone can read the code of an open-source project and confirm it is safe, it is probably safe. However, just because anyone can read the code does not mean that people actually do.

Just a few months ago, it was discovered that a seemingly legitimate open-source project built for the crypto community was hiding an infostealer: https://lnkd.in/gQuJkTNS

Victims often have no idea that they have run malicious code, because the open-source project will either error out or work normally, raising no suspicion of infection. Even if you have security measures like MFA in place, threat actors can simply hijack authenticated sessions using the session keys stolen from the victim’s browser cookies: the server only checks that the cookie is valid, not who is presenting it.
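The following is an added example, not code from the original post or from any vendor it mentions. It models a minimal server-side session registry to show two things the paragraph above describes: a replayed cookie is accepted without any MFA re-check, and the defender's remedy is per-user revocation that turns every previously issued cookie into a dead token. The in-memory storage, the user name "dev-alice" and the eight-hour lifetime are constructed assumptions.

```python
"""Added example (not part of the original post): a minimal server-side
session registry showing why stolen session cookies bypass MFA and how
per-user revocation makes them useless.

Assumptions (constructed, not from the post): in-memory storage; a real
deployment would back this with a database or cache so that revocation
survives process restarts and applies across every web node.
"""
import secrets
import time

# Assumed session lifetime; sessions older than this are rejected even if not revoked.
SESSION_TTL_SECONDS = 8 * 3600


class SessionStore:
    def __init__(self):
        # token -> {"user": ..., "issued": ..., "generation": ...}
        self._sessions = {}
        # user -> current generation; bumping it invalidates all older sessions
        self._generation = {}

    def login(self, user, mfa_passed, now=None):
        """Issue a session token only after password + MFA succeeded."""
        if not mfa_passed:
            raise PermissionError("MFA required")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._sessions[token] = {
            "user": user,
            "issued": now,
            "generation": self._generation.get(user, 0),
        }
        return token

    def authenticate(self, token, now=None):
        """Return the user for a presented cookie, or None.

        Nothing here re-checks MFA: whoever holds a live token is treated as
        the user. That is exactly what an infostealer exploits when it copies
        the browser's cookie jar to another machine."""
        now = time.time() if now is None else now
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if now - sess["issued"] > SESSION_TTL_SECONDS:
            self._sessions.pop(token, None)  # expired
            return None
        if sess["generation"] != self._generation.get(sess["user"], 0):
            self._sessions.pop(token, None)  # issued before the last revocation
            return None
        return sess["user"]

    def revoke_all_for_user(self, user):
        """Incident-response step: invalidate every session of one user at once
        (e.g. when their credentials show up in an infostealer log dump)."""
        self._generation[user] = self._generation.get(user, 0) + 1
        return self._generation[user]

    def active_session_count(self, user):
        current = self._generation.get(user, 0)
        return sum(
            1 for s in self._sessions.values()
            if s["user"] == user and s["generation"] == current
        )


def demo():
    """Constructed scenario: a developer logs in with MFA, the cookie is
    exfiltrated and replayed, then the security team revokes the user."""
    store = SessionStore()
    token = store.login("dev-alice", mfa_passed=True)
    attacker_sees = store.authenticate(token)   # "dev-alice": MFA gave no protection
    store.revoke_all_for_user("dev-alice")
    after_revoke = store.authenticate(token)    # None: the stolen cookie is dead
    return attacker_sees, after_revoke


if __name__ == "__main__":
    print(demo())
```

The generation counter is what makes bulk revocation cheap: no need to enumerate a user's sessions, and tokens minted before the counter moved are rejected lazily on their next use. Short lifetimes bound the window for cookies that are stolen but never reported.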

Since developers often have admin access to sensitive systems, this is a lucrative attack vector for cybercriminals, and it will lead to a proliferation of malicious open-source projects hiding infostealer malware in plain sight.

To protect yourself, your employees, or your company from this threat, you should consider infostealer monitoring from Farnsworth Intelligence: https://lnkd.in/gxPiVeg7

Instead of finding out after the incident that a developer was infected and that the infection led to a $1.5 billion loss, you can find out as soon as their credentials go up for sale and get their passwords changed and session keys invalidated before they are used to access internal systems.

You Should Know:

1. Detecting Infostealers on Linux:

sudo clamscan -r --bell -i /home

This command recursively scans your home directory for malware using ClamAV, printing only infected files. Update the signature database with freshclam first, and treat a clean result as a weak signal: fresh infostealer builds often evade signature scanners.

2. Monitoring Network Traffic:

sudo tcpdump -i eth0 -w capture.pcap

Capture network traffic on the eth0 interface to a pcap file for later analysis of suspicious activity, such as connections to unfamiliar hosts shortly after a new tool was installed.

3. Checking for Open Ports:

sudo netstat -tuln

List all listening TCP and UDP ports and the services behind them. netstat is deprecated on most modern distributions; ss -tuln from iproute2 produces the same listing.

4. Inspecting Running Processes:

ps aux | grep -i suspicious_process

Identify and monitor running processes that may be malicious. Replace suspicious_process with the name you are investigating; ps aux alone lists every process with its owner and full command line, which is where unexpected interpreters running decoded scripts tend to show up.

5. Securing AWS Credentials:

aws configure set aws_access_key_id <new_access_key>
aws configure set aws_secret_access_key <new_secret_key>

Rotate AWS credentials regularly to minimize the risk of compromise. Note that these two commands only write a newly issued key pair into the local AWS CLI profile; rotation is complete only once the old access key has been deactivated and then deleted in IAM. Any key that appears in an infostealer log should be revoked immediately rather than on the regular schedule.

6. Invalidating Session Keys:

sudo systemctl restart apache2

Restarting a service only discards sessions that were held in that process’s memory. Sessions stored in a database or cache, and stateless signed-cookie sessions, survive a restart and must be revoked server-side, by deleting the session records or rotating the signing secret.

7. Using MFA with SSH:

sudo nano /etc/ssh/sshd_config

Edit the SSH daemon configuration to enforce multi-factor authentication (the AuthenticationMethods directive is what requires more than one method, typically a public key plus a PAM-based one-time code), then restart sshd for the change to take effect.

8. Scanning for Malicious GitHub Repositories:

git clone <repository_url>
grep -r "malicious_pattern" .

Clone the repository and search it for known malicious patterns before running anything from it. A fixed pattern list only catches what you already know, so also review install hooks (setup.py, package.json scripts) and any code that decodes and then executes strings.
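As an added example that is not part of the original post, the scanner below goes beyond the single grep in step 8: it parses Python files with the standard ast module and flags the code shapes that droppers typically use (a decoded or decompressed payload passed to exec/eval, exec/eval of a non-literal expression, and long base64-looking string literals), with a regex fallback for other file types. The thresholds, the sample inputs and the directory layout are constructed assumptions; the sample payload is a harmless print statement, chosen only for its shape.

```python
"""Added example, not from the original post: a small static scanner for the
code shapes infostealer droppers use in Python projects. Heuristic only; every
hit needs a human look. Thresholds and samples are constructed assumptions."""
import ast
import base64
import os
import re

# Assumed threshold: base64 blobs this long rarely appear in honest source code.
MIN_BLOB_LEN = 120
B64_RE = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_BLOB_LEN)
DECODERS = {"b64decode", "b32decode", "a85decode", "decompress", "unhexlify"}
EXECUTORS = {"exec", "eval"}


def _call_name(node):
    """Return 'exec' for exec(...) or 'b64decode' for base64.b64decode(...)."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def _contains_decoder(node):
    return any(isinstance(n, ast.Call) and _call_name(n) in DECODERS
               for n in ast.walk(node))


def scan_python(source, filename="<input>"):
    """Return a list of (line, reason) findings for one Python source string."""
    findings = []
    try:
        tree = ast.parse(source, filename=filename)
    except SyntaxError as exc:
        return [(exc.lineno or 0, "unparseable Python (possible obfuscation)")]
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _call_name(node) in EXECUTORS:
            name = _call_name(node)
            if any(_contains_decoder(arg) for arg in node.args):
                findings.append((node.lineno, "decoded payload passed to %s()" % name))
            elif node.args and not isinstance(node.args[0], ast.Constant):
                findings.append((node.lineno, "%s() of a non-literal expression" % name))
        elif (isinstance(node, ast.Constant) and isinstance(node.value, str)
              and B64_RE.search(node.value)):
            findings.append((node.lineno, "long base64-looking string literal"))
    return findings


def scan_text(text):
    """Language-agnostic fallback: flag long base64 blobs in any text file."""
    return [(text.count("\n", 0, m.start()) + 1, "long base64-looking blob")
            for m in B64_RE.finditer(text)]


def scan_tree(root):
    """Walk a cloned repository and return {path: findings} for files with hits."""
    report = {}
    for dirpath, _, files in os.walk(root):
        if ".git" in dirpath.split(os.sep):
            continue
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            hits = scan_python(text, path) if name.endswith(".py") else scan_text(text)
            if hits:
                report[path] = hits
    return report


# Constructed samples: the "dropper" only decodes and executes a print statement.
SAMPLE_PAYLOAD = base64.b64encode(b"print('hello')" * 12).decode()
SAMPLE_DROPPER = "import base64\nexec(base64.b64decode('%s'))\n" % SAMPLE_PAYLOAD
SAMPLE_BENIGN = "import json\n\ndef load(p):\n    with open(p) as f:\n        return json.load(f)\n"

if __name__ == "__main__":
    for line, reason in scan_python(SAMPLE_DROPPER):
        print("line %d: %s" % (line, reason))
```

Run scan_tree on the directory produced by git clone; hits in setup.py or a package's __init__.py deserve the most attention, since that code runs at install or import time without the user ever calling it. The heuristics will also flag some legitimate plugin loaders, which is acceptable for a pre-use review.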

What Undercode Say:

The increasing sophistication with which cybercriminals disguise infostealers within open-source projects is a significant threat to developers and organizations. By using tools like ClamAV for malware detection and tcpdump for network monitoring, and by rotating AWS credentials regularly, you can reduce the risk and impact of infostealer infections. Enforcing MFA and invalidating session keys further secure your systems. Always scrutinize open-source projects before use, and consider professional monitoring services to stay ahead of potential threats. For more information on securing your systems, visit Farnsworth Intelligence.

References:

Reported By: Devaidan We – Hackers Feeds
Extra Hub: Undercode MoN