A new software supply chain attack has used expired Amazon S3 buckets to serve rogue binaries from a location that dependent modules still trust, so nothing looks suspicious. These supply chain attacks also target abandoned open-source projects.
This newly discovered campaign has utilised malicious binaries that could steal user IDs, passwords, local hostnames, and local machine environment variables. The threat operators then exfiltrate the stolen information to the hijacked bucket.
The malicious campaign abuses the Amazon S3 bucket from which a package's pre-built binaries are downloaded.
According to investigations, the attack first appeared in an npm package called bignum. The attackers exploited an Amazon S3 bucket that was used to download pre-built binary versions via an add-on called node-pre-gyp.
Last month, a research group reported that the bucket holding the binaries mentioned above had been abandoned and has since been claimed by a malicious third party. That party now serves binaries containing malware that exfiltrates information from the user's computer.
The researchers added that an unknown threat actor allegedly seized the opportunity the S3 bucket presented and used it to deliver malware to unsuspecting users who downloaded the package.
An expert explained that if a package designates an S3 bucket as its download source, that pointer continues to exist after the bucket is removed. This configuration allowed the attackers to claim the abandoned bucket name so that the package's existing pointer resolved to a bucket under their control.
A separate researcher reverse-engineered the malware sample and found that it could harvest user credentials and infrastructure details and transmit them to the same hijacked bucket.
Other researchers found numerous packages that reference abandoned S3 buckets, making them potential vectors for the same kind of attack. The finding suggests that threat actors are searching for new ways to compromise the software supply chain.
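As an added example (not code from the article, nor from node-pre-gyp or bignum), the check below audits the `binary.host` field that node-pre-gyp reads from package.json, which is the pointer described above, and flags packages whose prebuilt binary is fetched from an S3 bucket so the bucket's ownership can be verified; it also covers the case of many packages referencing such buckets. The manifests, package names and bucket names are constructed placeholders.

```javascript
// Added example (not from the article): flag node-pre-gyp prebuilt binaries
// that a package downloads from an S3 bucket, so the bucket can be reviewed.
// Manifests and bucket names below are constructed placeholders.

// Bucket name from a node-pre-gyp host URL, or null if it is not an S3 host.
function s3BucketFromHost(host) {
  let url;
  try { url = new URL(host); } catch (e) { return null; }
  const h = url.hostname.toLowerCase();
  // Virtual-hosted: <bucket>.s3.amazonaws.com / <bucket>.s3.<region>.amazonaws.com
  const m = h.match(/^(.+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$/);
  if (m) return m[1];
  // Path-style: s3[.<region>].amazonaws.com/<bucket>/...
  if (/^s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$/.test(h)) {
    return url.pathname.split('/').filter(Boolean)[0] || null;
  }
  return null;
}

// Report each manifest whose binary is fetched at install time by node-pre-gyp.
function auditPrebuiltBinaries(manifests) {
  const findings = [];
  for (const pkg of manifests) {
    if (!pkg.binary || typeof pkg.binary.host !== 'string') continue;
    const bucket = s3BucketFromHost(pkg.binary.host);
    findings.push({
      name: pkg.name, version: pkg.version, host: pkg.binary.host,
      bucket,                                             // null when not S3
      installTimeDownload: ((pkg.scripts || {}).install || '').includes('node-pre-gyp'),
      // A bucket its maintainer deleted can be re-registered by anyone, so an
      // S3 host needs an ownership check and a pinned checksum before trust.
      action: bucket ? 'verify bucket ownership and binary checksum' : 'none',
    });
  }
  return findings;
}

// Constructed sample manifests (placeholders, not real packages or buckets).
const SAMPLE_MANIFESTS = [
  { name: 'example-native-addon', version: '1.0.0',
    scripts: { install: 'node-pre-gyp install --fallback-to-build' },
    binary: { host: 'https://example-unclaimed-bucket.s3.amazonaws.com',
              remote_path: './{name}/v{version}/' } },
  { name: 'example-github-addon', version: '2.3.1',
    scripts: { install: 'node-pre-gyp install --fallback-to-build' },
    binary: { host: 'https://github.com/example-org/addon/releases/download/' } },
  { name: 'pure-js-lib', version: '0.1.0' },              // no native binary
];
console.log(auditPrebuiltBinaries(SAMPLE_MANIFESTS));
```

Run it against the parsed package.json of every dependency in node_modules; any entry with a non-null bucket needs its owner confirmed and its download pinned to a known checksum.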
This revelation comes nearly a week after a security group uncovered 160 malicious Python packages that may have been downloaded thousands of times. These packages were also capable of extracting login credentials and credit card details.