A recently copied and tampered-with open source exploit from a respected security firm, originally published to help threat researchers, is the latest example of a tactic attackers use to spread malware.
Proof-of-concept (PoC) exploits for known vulnerabilities are written and shared by students, researchers and IT professionals to improve software and strengthen defenses. The danger is that anything posted online can be copied and abused.
On Jan. 3, CSOonline reported on the original, and safe, PoC exploit, LDAPNightmare, created by SafeBreach and targeting Windows Lightweight Directory Access Protocol (LDAP). Today, however, Trend Micro said it had found a malicious version of that PoC sitting on GitHub.
In an interview, Tomer Bar, SafeBreach’s vice president of security research, emphasized that the company’s PoC was not compromised; it was copied and misused. The genuine proof-of-concept implementation is published on SafeBreach’s official GitHub site.
“We always publish full open source code,” he added, “so people can make sure it’s valid and not malicious.”
“The malicious repository containing the PoC appears to be a fork from the original creator,” Trend Micro said in its report. “In this case, the original Python files are replaced with an executable, poc[dot]exe, which was packed using UPX.”
Fortunately, the presence of an executable file in a Python-based project was a clue to infosec pros that something was amiss.
The ‘classic Trojan horse’
The malicious repository has since been taken down. But its discovery is another example of why anyone in IT should be wary of downloading code from anywhere, including open source repositories, said David Shipley, CEO of Canadian security awareness training company Beauceron Security.
“Trojan’s gonna Trojan,” he said in an interview, describing the effort to lure the unwary as “a classic social engineering tactic.”
“This is the classic Trojan Horse: You’ll go looking for a legitimate, research-based PoC and find one that looks like a PoC, but find one that works.”
The reason threat actors use this tactic, he said, is because it works. Among the defenses: test any proof of concept in an isolated, sandboxed environment rather than on a production or personal machine.
“Any code that appears on the web should be considered unclean until you know it’s safe,” added Shipley.
It’s not a new trick
The trick of using a PoC to hide malware or a backdoor is not new. In 2023, for example, Uptycs reported on a widely shared malicious proof of concept on GitHub that purported to target the Linux kernel vulnerability CVE-2023-35829. And according to a 2022 study by Cornell University researchers of PoCs hosted on GitHub, about 2% of the 47,285 repositories they examined had indicators of malicious intent. “This figure shows a worrying increase in malicious PoCs among the exploit code distributed on GitHub,” the study concluded, and that was more than two years ago.
Last fall, SonicWall released another report on the rise of malicious PoCs. “Although security researchers are often very well equipped to deal with and see this situation,” it concluded, “it is easy to become overconfident, which leads to complacency.”
Use only trusted repositories
Cybersecurity professionals, including blue and red teams, should download content only from trusted, well-established open source repositories with many stars, says SafeBreach’s Bar, and should never download exploits from untrusted sources.
In addition, Trend Micro advised IT staff to:
- always download code, libraries and dependencies from official and trusted repositories;
- be wary of repositories whose content does not match the tool or program they claim to host;
- where possible, verify the identity of the repository owner or organization;
- review the repository’s commit history and recent changes for anomalies or signs of malicious activity;
- be cautious of repositories with very few stars, forks or contributors, especially if they claim to be widely used;
- look for reviews, issues or discussions about the repository to identify potential red flags.
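The two technical signals in this story, an executable turning up in what should be a pure-Python project and that executable being UPX-packed, can be checked mechanically before anything is run. The script below is an added example written for this article, not code from SafeBreach, Trend Micro or the LDAPNightmare repository: it walks a checked-out repository, flags executable or script artifacts and binary blobs hiding behind harmless extensions, looks for the `UPX0`/`UPX1` section names and `UPX!` signature that UPX leaves in a packed PE unless an attacker deliberately strips them, and reports when a repository that claims to be a Python PoC carries no `.py` files at all. The two fixture repositories it builds (and the file name `poc.exe`) are constructed stand-ins, not real attacker content.

```python
"""Red-flag scan for a downloaded PoC repository (added example, not vendor code)."""
import tempfile
from pathlib import Path

# Extensions that have no place in a pure-Python PoC project.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".msi",
                         ".bat", ".cmd", ".ps1", ".vbs", ".js"}
# What a Python research repo is expected to contain ("" covers LICENSE, .gitignore).
SOURCE_EXTENSIONS = {"", ".py", ".md", ".txt", ".toml", ".cfg", ".ini",
                     ".yml", ".yaml", ".json"}
# Section names and signature UPX writes into a packed PE (attackers can strip them,
# so an empty result is "not visibly packed", never "clean").
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def is_pe(data: bytes) -> bool:
    """A Windows PE image starts with the 'MZ' DOS-stub magic."""
    return data[:2] == b"MZ"


def upx_markers(data: bytes) -> list[str]:
    """Return which UPX markers appear in the file, in the order UPX writes them."""
    return [m.decode() for m in UPX_MARKERS if m in data]


def audit_repo(root: Path) -> list[dict]:
    """Walk a checked-out repo; an empty list means no red flags were found."""
    findings = []
    saw_python = False
    for path in sorted(root.rglob("*")):
        if not path.is_file() or ".git" in path.parts:
            continue
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        if ext == ".py":
            saw_python = True
        if ext in EXECUTABLE_EXTENSIONS:
            data = path.read_bytes()
            findings.append({"path": rel, "pe": is_pe(data), "upx": upx_markers(data),
                             "reason": "executable or script artifact in a source repository"})
        elif ext not in SOURCE_EXTENSIONS:
            # Heuristic: NUL bytes in the head of a file mean binary content, whatever the extension.
            data = path.read_bytes()
            if b"\x00" in data[:4096]:
                findings.append({"path": rel, "pe": is_pe(data), "upx": upx_markers(data),
                                 "reason": "binary content behind a non-executable extension"})
    if not saw_python:
        findings.append({"path": ".", "pe": False, "upx": [],
                         "reason": "no Python sources: the .py files a Python PoC should contain are missing"})
    return findings


def build_fixture(kind: str) -> Path:
    """Constructed sample repos for the demo: 'benign' (Python PoC) or 'malicious' (EXE swap)."""
    root = Path(tempfile.mkdtemp(prefix=f"poc-{kind}-"))
    (root / "README.md").write_text("# LDAPNightmare PoC\nRun `python ldap_nightmare.py`.\n")
    (root / "requirements.txt").write_text("impacket\n")
    if kind == "benign":
        (root / "ldap_nightmare.py").write_text("import sys\nprint('PoC placeholder')\n")
    else:
        # Stand-in for a UPX-packed PE: DOS magic, padding, then the markers UPX leaves behind.
        fake_pe = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
                   + b"UPX0" + b"\x00" * 8 + b"UPX1" + b"\x00" * 8 + b"UPX!")
        (root / "poc.exe").write_bytes(fake_pe)
    return root


if __name__ == "__main__":
    for kind in ("benign", "malicious"):
        print(f"== {kind} ==")
        for finding in audit_repo(build_fixture(kind)):
            print(f"  {finding['path']}: {finding['reason']} "
                  f"(pe={finding['pe']}, upx={finding['upx']})")
```

Run it against a real clone with `audit_repo(Path("/path/to/clone"))` from a throwaway VM, since the scan reads files but never executes them. The checks are deliberately cheap heuristics: a clean result only says the obvious tells are absent, so the repository-level checks above (owner identity, commit history, stars and contributors) still apply.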