CrowdStrike worked with Google and Shadowserver, a nonprofit organization that scans and monitors internet cyberattacks, to stop a botnet that cybercriminals were using to push malware and steal passwords from open source software developers.
According to CrowdStrike, the purpose of the takedown operation was to disrupt the activities of the cybercriminals behind the so-called Glassworm botnet, which has been targeting a wide range of open source software supply chains for two years.
In recent months, several hacker groups have targeted developers and open source projects in order to deliver malicious software to the businesses and organizations that use that code. These attacks can be effective because they exploit the trust that companies place in code hosted on platforms like GitHub, and in the developers behind that code.
“Threatening attackers are no longer targeting just products, but the developers who create those products,” CrowdStrike wrote in a report on the takedown operation. “Developers represent a uniquely high-value target. Compromising a single developer’s workstation can cascade into a supply chain compromise, impacting thousands of downstream organizations and users.”
The Glassworm hackers used several strategies to push out malicious code. These included publishing malicious extensions on marketplaces used by developers, and malvertising, the practice of paying for sponsored search results to trick victims into downloading malware. Credentials stolen in previous breaches also enabled the hijacking of developer accounts and the implantation of malware into their code.
Ultimately, the hackers were able to compromise more than 300 GitHub code repositories, CrowdStrike said.
CrowdStrike announced that it was able to shut down four command and control channels used by the Glassworm hackers, cutting off the hackers’ access to infected computers and preventing them from distributing further malware.
According to CrowdStrike, the command and control infrastructure relied on the Solana blockchain, the BitTorrent peer-to-peer network, Google Calendar, and virtual private servers.
It is unclear what legal or technical authority CrowdStrike and others had to halt the operation. In response to questions from TechCrunch, CrowdStrike spokesperson Kirsten Speas declined to comment beyond the company’s blog.
Last week, hackers compromised several open source projects and pushed out malicious updates in another hacking campaign called “Mini Shai-Hulud.” At least two OpenAI developers were compromised by this hacker group. In another supply chain attack in March, suspected North Korean hackers took over Axios, a popular open source software development tool used by millions of developers.
Update: This story was updated with the number of compromised OpenAI developers and a comment from CrowdStrike.