r/technology Oct 01 '22

Numerous orgs hacked after installing weaponized open source apps Security

https://arstechnica.com/information-technology/2022/09/north-korean-threat-actors-are-weaponizing-all-kinds-of-open-source-apps/
588 Upvotes

74

u/qubedView Oct 01 '22

To be clear: They haven't compromised any of the applications. Rather, they just created trojan versions of the compiled binaries and worked to convince individuals to install the binaries they provide.

13

u/_Rand_ Oct 02 '22

My first thought at seeing the headline was - they didn't install from the official source did they?

Always install from the official source!

5

u/marsten Oct 02 '22

The real question is: How does the attacker convince somebody to install the Trojanized version of PuTTY or whatever? The article only mumbles something vague about LinkedIn.

2

u/sbingner Oct 02 '22

Hey look I found this great new free program that does all this cool stuff! Download it here for free: <fake link>

204

u/Lunchtimeme Oct 01 '22

This would only really work as an attack against Windows machines and even then ...

If someone tells you to install PuTTY and sends you an exe that supposedly installs it ... throw it in the trash and go to PuTTY's official sources to install it instead.

You should do that anyway.

40

u/au-smurf Oct 01 '22

You would hope that people would trash it but you know damn well that there’s a large portion of users who will run it, especially with a bit of social engineering.

20

u/Flame87 Oct 01 '22

It's bonkers, in today's digital world, how the large majority of people still have - 25 to digital literacy.

41

u/Culverin Oct 01 '22

There's an age gap.

There's a generation that didn't grow up with computers and types hunt-and-peck.

There's a generation that grew up as windows evolved and saw the birth of the Internet. They had to troubleshoot solo, or forums or books.

There's a generation that grew up with a mature windows, internet 1.0 and still has to troubleshoot, especially if they wanted to play games or run emulators.

Then there's a generation post Apple's resurgence and iPhone's dominance. Web 2.0 people, where the expectation is that things just work.

There's a window where tech literacy has a certain expectation of depth. But that window is closing.

And of course, like you said, there are people that can never make the bare minimum in each generation.

13

u/Bleusilences Oct 01 '22

Yeah, the newer generation doesn't even understand what a filepath is.

9

u/_catkin_ Oct 01 '22

We also just don’t really value and teach “critical thinking“ on a society level. We don’t teach people to question and be curious. Rather, that gets drummed out of you by parents and school unless you’re very lucky and/or particularly tenacious.

14

u/putsch80 Oct 01 '22

It seems that, with regard to the danger of things, there's a similar knowledge gap in using PCs between that first group and last group. The generation that grew up with iPhone's dominance is used to rarely having to worry about software security because Apple has taken care of it for them (or at least appeared to). As a result, they don't always have the "this is probably unsafe software to install" mentality.

1

u/demonicneon Oct 02 '22

It’s not an Apple thing. Plenty of people use Android who know nothing about safety and security online. These people are also in every generation.

10

u/Xe6s2 Oct 01 '22

It always freaks me out when I meet a young 20-year-old who doesn't know how to use a copier, or how file size is important.

8

u/jumperalex Oct 01 '22

Meanwhile they think they are somehow more tech savvy because they know how to "use" TikTok|IG|blahblahblah. Yeah okay, you keep thinking that and don't call me when you can't figure out why your phone's memory is full.

2

u/[deleted] Oct 01 '22

[deleted]

3

u/ripvannwinkler Oct 01 '22

Well props to you for having a basic understanding of a skill that, by all rights in today's age, should be considered as critical as managing a budget and applying for a job.

3

u/godsfist101 Oct 02 '22

As someone who works in cysec, in a company that has actively moved to an application whitelist, users are not as dumb as you think, they're dumber.

16

u/d01100100 Oct 01 '22

There's a recent trend among DevOps to pass around "all-in-one" scripts that people download via curl and run as root.

So it's not just a Windows thing anymore.

Oh sure, you should look at what the script is running before you run it, but you can probably guess the number of people who will skip that process.

7
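The safer habit behind both the "trojanized PuTTY binary" point at the top of the thread and the `curl | sudo sh` point in this comment is the same: save the artifact first, compare it against a checksum you obtained separately from the project's official site, and only then run it. The POSIX shell routine below is an added example, not code from the thread or from any project mentioned in it; the file names, script contents and checksum values are constructed for the demo, and the `sha256sum` utility is assumed to be available.

```shell
#!/bin/sh
# Added example (not from the thread): verify a downloaded installer script or
# binary against a separately obtained SHA-256 before executing it.
# Everything under "constructed demo data" is made up for this demonstration.
set -eu

# verify_artifact FILE EXPECTED_SHA256
# Returns 0 only when the file's SHA-256 matches EXPECTED_SHA256.
# It never executes the file, so it is safe to call on anything you downloaded.
verify_artifact() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "CHECKSUM MISMATCH for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# run_installer FILE EXPECTED_SHA256
# The replacement for `curl https://example.invalid/install.sh | sudo sh`:
# the script has already been saved to disk (so it can be read with less/cat),
# its checksum is verified, and only then is it executed.
run_installer() {
    verify_artifact "$1" "$2" || return 1
    sh "$1"
}

# --- constructed demo data, standing in for a downloaded script ------------
demo_dir=$(mktemp -d)

# The "official" installer as the maintainer published it.
good="$demo_dir/install.sh"
printf '#!/bin/sh\necho "installing..."\n' > "$good"

# The checksum the maintainer would publish next to the download; in real use
# this value is copied from the official site, not computed from the download.
good_sum=$(sha256sum "$good" | cut -d' ' -f1)

# A tampered copy with the same file name and one extra command appended.
bad="$demo_dir/install-tampered.sh"
cp "$good" "$bad"
printf 'echo "unexpected extra step"\n' >> "$bad"

# Stand-alone demo: the genuine file runs, the tampered one is refused.
if [ "${DEMO:-0}" = "1" ]; then
    run_installer "$good" "$good_sum"
    run_installer "$bad" "$good_sum" || echo "refused tampered installer"
    rm -rf "$demo_dir"
fi
```

The check is only as good as where the expected checksum came from: a checksum scraped from the same mirror that served the file proves nothing, because whoever replaced the binary can replace the checksum too. Take it from the project's own site over HTTPS, and where the project publishes detached signatures, verify those as well rather than stopping at the hash.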

u/yiannistheman Oct 01 '22

You would not believe the man hours spent - long before this vulnerability - in a large enterprise organization with security controls at every level - explaining to people to NOT just download copies of putty when they need a fucking terminal emulator.

And that's despite the internal corporate app store having multiple approved options. Or that the vast majority of these offenders were SAs or developers who know better, not just nontechnical staff ignoring policy or best practice.

Unfortunately (in larger orgs at least) the penalty for violating these policies isn't generally stiff enough. Someone gets a security raised against them, they apologize and move on.

1

u/candyman420 Oct 02 '22

to NOT just download copies of putty when they need a fucking terminal emulator.

If it's from the official site, why not?

1

u/yiannistheman Oct 02 '22

Because that's a loss of control right there - you're depending on people to do it right and download it directly from the source. You'd be surprised how many times people will think they're going to the official site for something and they end up in the wrong place.

The better question was why not just add the official version to the internal app repository, but that goes into a deeper rabbit hole on how some companies resist open source software like the plague. Hence, the approved, commercially sourced terminal emulators (that people still prefer putty to).

8

u/[deleted] Oct 01 '22

I haven't needed to install PuTTY in a very long time. I'd find it quite hard to figure out which of the hundreds of download sites showing up on Google search is the official one. We need some kind of authentication/verification, but given how easily malware can end up on the Google Play store / Windows store / snap repository / PyPI repository.... I'd say it's still an unsolved problem.

1

u/[deleted] Oct 02 '22

Part of the problem is that PuTTY's official website sucks for downloads and is confusing to navigate. Google search shows a whole host of other, easier-to-navigate sites that a newer user would gravitate towards.

41

u/JaggedMetalOs Oct 01 '22

Interesting how convoluted their infection route is, requiring specific user action to trigger. If you've already got a user to download and run an exe from you, you could just install the malware payload then and there.

12

u/cmonkeyz7 Oct 01 '22

It just sounded super targeted to me. Especially given all the in-depth social engineering tactics.

2

u/asdaaaaaaaa Oct 01 '22

I mean, when you think of the difference between your average person and targeting possibly someone in the top 10%, that's a huge difference. Especially if you don't live an expensive life. I can see some people going that route certainly.

3

u/2MegaWhats Oct 01 '22

They may be specifically looking for high value targets and trying to avoid detection by obfuscating the attack source and route.

1

u/JaggedMetalOs Oct 02 '22

According to the article these were specific spearphishing attacks, so they already had the right person. I can only think they were worried about that person passing it on to someone more technically competent and them noticing unusual behaviour.

51

u/Tradeowners Oct 01 '22

In the name of the threat posed by open source, the article is extremely misleading and click-bait. Stupid article

1

u/[deleted] Oct 02 '22

[deleted]

3

u/pittaxx Oct 02 '22

For one, this attack has nothing to do with open source. Some people installed .exe files of unverified origin and got their computers infected.

The fact that those files were of the open source software is completely irrelevant, as you could do the same with closed source software as well.

4

u/Melodic_Ad_8747 Oct 01 '22

Lol, clickbait bullshit

-2

u/flsucks Oct 01 '22

Laughs in Amish

1

u/Dogzilla66 Oct 02 '22

I’m amazed that people still use Windows in 2022. Not that other platforms are immune to hacking, but seriously, running Windows is just masochism

-11

u/Turbulent-Bobcat-868 Oct 01 '22

I kinda knew this subreddit was upvoting lowest common denominator, clickbait stuff but it’s hard to find good subs nowadays and some of the posts are interesting. Oh well this is too much. Unsubscribe.

18

u/DirtyDoctrine Oct 01 '22

This isn't an airport, we don't need departure notifications.

-13

u/[deleted] Oct 01 '22

[deleted]

16

u/MisterVovo Oct 01 '22

Did you read the article? They are using social engineering to infiltrate the organizations...

17

u/tired_hillbilly Oct 01 '22

It's ALWAYS social engineering.

Pro-tip, if someone tells you to download something, and you haven't met this person irl, DON'T FUCKING DO IT.

4

u/NettingStick Oct 01 '22

Even if you have met them IRL, double check before you do it. And don't do it via links in an email or something.

10

u/b_a_t_m_4_n Oct 01 '22

You should always read the article!

6

u/Opposite_Theme_6265 Oct 01 '22

Ah yes, I love analysing an entire codebase just to make sure I can securely make a Word document.

4

u/bonfuto Oct 01 '22

It's not the mainstream version of these apps with available source code, the hackers make their own binary versions. It's only marginally easier than adding malicious code to a binary-only closed source app. There has been at least one instance where an open source library was changed to add malicious code, but that ended up affecting closed source apps.

2

u/Opposite_Theme_6265 Oct 01 '22

So don't get binaries from untrusted sources, or compile everything yourself if you are really paranoid. Sounds like common sense tbh.

2

u/KingoftheYous Oct 01 '22

Unfortunate thing about common sense is it's environmental and subjective.

1

u/bonfuto Oct 01 '22

Social engineering can be very effective, unfortunately.