Security alert: social engineering campaign targets technology industry employees (Jade Sleet/Storm-0954)

Security alert: social engineering campaign targets technology industry employees - The GitHub Blog Alexis Wales · @alexiswales July 18, 2023 | 4 minutes Share: GitHub has identified a low-volume social engineering campaign that targets the personal accounts of employees of technology firms, using a combination of repository invitations and malicious npm package dependencies. Many of these targeted accounts are connected to the blockchain, cryptocurrency, or online gambling sectors. A few targets were also associated with the cybersecurity sector. No GitHub or npm systems were compromised in this campaign. We’re publishing this blog post as a warning for our customers to prevent exploitation by this threat actor. Threat actor profile We assess with high confidence that this campaign is associated with a group operating in support of North Korean objectives, known as Jade Sleet by Microsoft Threat Intelligence and TraderTraitor by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Jade Sleet mostly targets users associated with cryptocurrency and other blockchain-related organizations, but also targets vendors used by those firms. Attack chain The attack chain operates as follows: Jade Sleet impersonates a developer or recruiter by creating one or more fake persona accounts on GitHub and other social media providers. Thus far, we have identified fake personas that operated on LinkedIn, Slack, and Telegram. In some cases these are fake personas; in other cases, they use legitimate accounts that have been taken over by Jade Sleet. The actor may initiate contact on one platform and then attempt to move the conversation to another platform. After establishing contact with a target, the threat actor invites the target to collaborate on a GitHub repository and convinces the target to clone and execute its contents. The GitHub repository may be public or private. The GitHub repository contains software that includes malicious npm dependencies. Some software themes used by the threat actor include media players and cryptocurrency trading tools. The malicious npm packages act as first-stage malware that downloads and executes second-stage malware on the victim’s machine. Domains used for the second-stage download are listed below . The threat actor often publishes their malicious packages only when they extend a fraudulent repository invitation, minimizing the exposure of the new malicious package to scrutiny. In some cases, the actor may deliver the malicious software directly on a messaging or file sharing platform, bypassing the repository invitation/clone step. The mechanics of the first-stage malware are described in detail in a blog by Phylum Security . Phylum’s work, conducted completely independent of GitHub, mirrors our own research. What GitHub is doing We have suspended npm and GitHub accounts associated with the campaign. We are publishing indicators below. We have filed abuse reports with domain hosts in cases where the domain was still available at time of detection. What you can do If you were solicited, by anyone, to clone or download content associated with one of the accounts noted below, then you were targeted by this campaign. You can review your security log for action:repo.add_member events to determine if you ever accepted an invite to a repository from one of the accounts noted below. Be wary of social media solicitations to collaborate on or install npm packages or software that depends on them, particularly if you are associated with one of the targeted industry sectors listed above. Examine dependencies and installation scripts. Very recently published, net-new packages, or scripts or dependencies that make network connections during installation should receive extra scrutiny. If you were targeted by the campaign, we recommend you contact your employer’s cybersecurity department. If you executed any content as a result of this campaign, it may be prudent to reset or wipe potentially affected devices, change account passwords, and rotate sensitive credentials/tokens stored on the potentially affected device. Indicators Domains npmjscloud[.]com npmrepos[.]com cryptopriceoffer[.]com tradingprice[.]net npmjsregister[.]com bi2price[.]com npmaudit[.]com coingeckoprice[.]com Malicious npm packages assets-graph assets-table audit-ejs audit-vue binance-prices coingecko-prices btc-web3 cache-react cache-vue chart-tablejs chart-vxe couchcache-audit ejs-audit elliptic-helper elliptic-parser eth-api-node jpeg-metadata other-web3 price-fetch price-record snykaudit-helper sync-http-api sync-https-api tslib-react tslib-util ttf-metadata vue-audit vue-gws vuewjs Malicious GitHub accounts GalaxyStarTeam Cryptowares Cryptoinnowise netgolden Malicious npm accounts charlestom2023 eflodzumibreathbn galaxystardev garik.khasmatulin.76 hydsapprokoennl leimudkegoraie3 leshakov-mikhail linglidekili9g mashulya.bakhromkina mayvilkushiot outmentsurehauw3 paupadanberk pormokaiprevdz podomarev.goga teticseidiff51 toimanswotsuphous ufbejishisol External References https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a https://blog.phylum.io/sophisticated-ongoing-attack-discovered-on-npm/ Tags: security alert Written by security alert More on security alert Git security vulnerabilities announced Today, the Git project released new versions to address seven security vulnerabilities that affect all prior versions of Git. Taylor Blau Git security vulnerabilities announced A new set of Git releases were published to address a variety of security vulnerabilities. All users are encouraged to upgrade. Take a look at GitHub’s view of the latest round of releases. Taylor Blau Related posts Security Securing the open source supply chain across GitHub Recent attacks on open source focus on exfiltrating secrets; here are the prevention steps you can take today, plus a look at the security capabilities GitHub is working on. Security A year of open source vulnerability trends: CVEs, advisories, and malware Reviewed advisories hit a four-year low, malware advisories surged, and CNA publishing grew—here’s what changed and what it means for your triage and response. Application security GitHub expands application security coverage with AI‑powered detections CodeQL and AI‑powered detections work together in GitHub Code Security to identify vulnerabilities across more languages and frameworks. Explore more from GitHub Docs Everything you need to master GitHub, all in one place. Go to Docs The ReadME Project Stories and voices from the developer community. Learn more GitHub Advanced Security Secure your code without disrupting innovation. Learn more Enterprise content Executive insights, curated just for you Get started We do newsletters, too Discover tips, technical guides, and best practices in our biweekly newsletter just for devs. Your email address * Your email address Subscribe Yes please, I’d like GitHub and affiliates to use my information for personalized communications, targeted advertising and campaign effectiveness. See the GitHub Privacy Statement for more details. Subscribe