ChainJacking — New Type of Software Supply Chain Attack

Popular Admin Tools At Risk

Vinoth Venkatesan
DarkSkyTech


Image from Intezer

Recent joint research by Alik Koldobsky (Checkmarx) and Dr. Joakim Kennedy (Intezer) points to ChainJacking, a new software supply chain attack that threat actors could exploit, putting common admin tools at risk.

The researchers identified several open-source Go packages that are susceptible to ChainJacking; some of these vulnerable packages are embedded in popular admin tools.

How does it work?

GitHub is the largest source-code repository on the internet, with most Go packages hosted on it. One feature GitHub provides is allowing users to change usernames.

Changing a username is quick and straightforward. After the change, a notice states that traffic from the old repository URL will be redirected to the new one.

What GitHub doesn’t mention in this alert is an important implication that it does list in its documentation:

“After changing your username, your old username becomes available for anyone else to claim.”

This means an attacker can claim the abandoned username and start serving malicious code to anyone who downloads the package, trading on the credibility earned by its former owner. Doing so with a Go package repository can set off a chain reaction that substantially widens the distribution of the code and infects many downstream products.

Go’s build tools give developers an easy way to download and use open-source libraries in their projects. Unlike languages such as Python and Rust, Go does not download libraries from a central repository; instead, the Go tooling pulls code packages straight from version control systems such as GitHub.

“The focus here is on Go but other package managers like NPM also allow code pulling from version control systems and are therefore susceptible to this kind of attack as well.”

Example Scenario

A developer named Annastacia opens a GitHub account under the username “Annastacia.” She then publishes a valid Go package in a repository named “useful.” Anyone who wants to use this package can either download and install it via “go get github.com/Annastacia/useful” or import it into their code via “import github.com/Annastacia/useful.” Either action adds an entry to the “go.mod” file, allowing the Go tooling to quickly update the package when new versions are released.

Some time has now gone by, and thanks to its usefulness, the package has become popular. Annastacia decides that she wants a shorter name for her repository, and with just a few clicks, she changes her GitHub username to “Anna.” Subsequently, two things will happen:

  1. The username “Annastacia” is now available to be registered by anyone else.
  2. All requests for “github.com/Annastacia/useful” are now redirected to “github.com/Anna/useful.”

All existing projects that use github.com/Annastacia/useful continue to work as before, so nothing breaks, and there are no user complaints yet.

If a malicious actor manages to claim the “Annastacia” username, they can then publish their malicious code under the repository name “useful.” This action breaks the redirect to “Anna/useful,” and GitHub now serves the threat actor’s malicious code from “github.com/Annastacia/useful,” which could compromise anyone using the old URL.

The concept is relatively simple. From now on, every new installation of this package can potentially infect the installing developer’s machine. Even more damaging, any new package or third-party product written in the future that depends on this infected package will also infect every machine it is installed on.

Recommended Mitigation

The transitive trust between open-source software (OSS) components makes this technique very difficult to defend against at the developer level. To help the infosec community protect against this type of attack, Checkmarx developed an open-source tool that scans source code and detects whether packages downloaded from GitHub and other sources are vulnerable. You can also scan the binaries of any program in Intezer Analyze to make sure they don’t contain vulnerable packages or ChainJacking-vulnerable Git repositories.
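As an added illustration of the scenario above and of the kind of source-code scan the mitigation section describes, the following Go program parses a go.mod file, picks out the github.com dependencies and asks GitHub, with redirects disabled, whether each import path now lands on a different account than the one named in the path. A dependency whose original username has been released by a rename is exactly the one a third party could claim. This is example code written for this page, not the Checkmarx tool or any project’s own code: ParseGoMod, GitHubOwnerRepo, HTTPResolver, FindRedirectedDeps, SampleGoMod and FakeResolver are names invented here; the go.mod text and the Annastacia-to-Anna rename are constructed from the article’s scenario; and HTTPResolver assumes GitHub answers a renamed account with a 301 carrying an absolute Location URL.

```go
package main

import (
	"bufio"
	"net/http"
	"strings"
)

// ParseGoMod returns the module paths a go.mod requires (single-line and block require forms).
func ParseGoMod(text string) []string {
	var paths []string
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//") // drop comments such as "// indirect"
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case inBlock && len(f) >= 2:
			paths = append(paths, f[0])
		case len(f) >= 3 && f[0] == "require":
			paths = append(paths, f[1])
		}
	}
	return paths
}

// GitHubOwnerRepo splits a github.com module path or URL into owner and repo.
func GitHubOwnerRepo(path string) (owner, repo string, ok bool) {
	parts := strings.Split(strings.TrimPrefix(path, "https://"), "/")
	if len(parts) < 3 || !strings.EqualFold(parts[0], "github.com") {
		return "", "", false
	}
	return parts[1], parts[2], true
}

// Resolver returns the account https://github.com/owner/repo finally lands on, or "" if unreachable.
type Resolver func(owner, repo string) (string, error)

// HTTPResolver queries GitHub with redirect-following switched off, so a renamed account
// shows up as a 301 whose Location names the new owner (assumes an absolute Location URL).
func HTTPResolver(owner, repo string) (string, error) {
	client := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error {
		return http.ErrUseLastResponse
	}}
	resp, err := client.Head("https://github.com/" + owner + "/" + repo)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	switch {
	case resp.StatusCode >= 400:
		return "", nil
	case resp.StatusCode == http.StatusMovedPermanently || resp.StatusCode == http.StatusFound:
		if newOwner, _, ok := GitHubOwnerRepo(resp.Header.Get("Location")); ok {
			return newOwner, nil
		}
	}
	return owner, nil
}

// FindRedirectedDeps maps each github.com dependency whose import path now redirects to a
// different account onto that new owner; the old username is the one a third party could claim.
func FindRedirectedDeps(paths []string, resolve Resolver) (map[string]string, error) {
	findings := map[string]string{}
	for _, p := range paths {
		owner, repo, ok := GitHubOwnerRepo(p)
		if !ok { // only GitHub-hosted modules have the rename/redirect behaviour
			continue
		}
		finalOwner, err := resolve(owner, repo)
		if err != nil {
			return findings, err
		}
		if finalOwner != "" && !strings.EqualFold(finalOwner, owner) {
			findings[p] = finalOwner
		}
	}
	return findings, nil
}

// SampleGoMod is a constructed go.mod modelled on the article's scenario.
const SampleGoMod = `module example.com/app
require github.com/Annastacia/useful v1.4.0
require (
	github.com/Anna/other v0.2.1 // indirect
	golang.org/x/text v0.3.7
)`

// FakeResolver stands in for GitHub so the example runs offline (constructed rename: Annastacia -> Anna).
func FakeResolver(owner, repo string) (string, error) {
	if strings.EqualFold(owner, "Annastacia") {
		return "Anna", nil
	}
	return owner, nil
}
```

FakeResolver keeps the example offline; pass HTTPResolver instead to check a real go.mod. Note what this check can and cannot see: it catches the window in which the old username is free and the path still redirects, but once someone re-registers the old name the path resolves normally again and looks clean. For versions already recorded in go.sum the Go tooling verifies the download against the stored hash, so the exposure described in the article is fresh installs and new versions, which is why a scan like this is worth running before adding or upgrading a dependency.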

Reference:

Checkmarx Blog

Dark Sky Technology was created to help our country weather the current cybersecurity storm that’s crippling our critical infrastructure, exposing our intellectual property, and putting our nation’s businesses and government at risk, by establishing trust in the open-source software that’s built into our software and systems.


Cyber Security Professional by heart. Enabling enterprises to transform digitally with effective security practices in place.