Research by Intezer and Checkmarx has described a software supply chain attack technique called ChainJacking that puts common admin tools at risk. The researchers identified open-source Go packages whose import paths can be taken over, some of them embedded in popular admin tools. Because open-source dependencies are trusted transitively (a project inherits every dependency of its dependencies, and their dependencies in turn), defending against the technique at the developer level is difficult.
To help the infosec community defend against ChainJacking, Checkmarx released an open-source tool that scans source code and flags vulnerable packages fetched from GitHub and other sources. Intezer Analyze additionally scans compiled binaries and reports whether they contain vulnerable packages or code pulled from ChainJacking-vulnerable Git repositories.
ChainJacking abuses the fact that GitHub usernames can be released and re-registered. When a maintainer renames or deletes their account, the old username becomes available. A Go module is addressed by its repository URL (github.com/<user>/<repo>), so an attacker who registers the abandoned username and creates a repository with the same name now controls the code served for that import path. Anyone who fetches the package afterwards, directly or through a dependency, receives the attacker's code, so a single takeover can reach many downstream products and compromise both developers and users.
One scenario in the research walks through a popular Go package whose original owner's username has been abandoned: the attacker claims the name, publishes malicious code at the same repository path, and the machines of users who build against it are infected. The exposure can be direct (the project imports the hijacked path itself) or indirect, through the transitive dependencies recorded in the project's go.mod and go.sum files. Note that go.sum pins the hash of every module version already resolved, so an existing build with a fully recorded dependency tree fails checksum verification rather than silently accepting the attacker's code; the exposure is in new projects, fresh `go get` runs and version upgrades that resolve the import path anew.
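The check that the scanner described above performs can be reduced to two steps: list every github.com/<owner>/<repo> dependency in go.mod, then ask whether each owner still exists. The following is an added example of that logic, not the code of the Checkmarx tool or of Intezer Analyze. The go.mod text is constructed for the example, the owner `abandoned-user` is hypothetical, and the GitHub lookup is replaced by a function value so the program runs offline.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// goModSample is a constructed go.mod used as offline input. The owner
// "abandoned-user" is hypothetical and stands for a username that no longer exists.
const goModSample = `module example.com/admin-tool

go 1.19

require (
	github.com/sirupsen/logrus v1.9.0
	github.com/mitchellh/go-ps v1.0.0
	golang.org/x/sys v0.5.0
	github.com/abandoned-user/helper v0.1.2 // indirect
)
`

// Module is one GitHub-hosted dependency: its import path and the owner and
// repository parsed from it.
type Module struct {
	Path  string
	Owner string
	Repo  string
}

// UserExists reports whether a GitHub username is currently registered. A real
// scanner would ask the GitHub API (a 404 for the user means the name is free);
// it is a function value here so the example runs without network access.
type UserExists func(owner string) bool

// ParseGitHubRequires returns every github.com/<owner>/<repo> dependency listed
// in go.mod text, whether written as a single-line require or inside a
// require ( ... ) block. Trailing comments such as "// indirect" are ignored.
func ParseGitHubRequires(gomod string) []Module {
	var mods []Module
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimSpace(strings.TrimPrefix(line, "require "))
		case !inBlock:
			continue
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		parts := strings.Split(fields[0], "/")
		if len(parts) < 3 || parts[0] != "github.com" {
			continue
		}
		mods = append(mods, Module{Path: fields[0], Owner: parts[1], Repo: parts[2]})
	}
	return mods
}

// FindClaimable returns the import paths whose GitHub owner no longer exists:
// an attacker can register that username, recreate the repository and serve
// code for the same import path.
func FindClaimable(gomod string, exists UserExists) []string {
	var claimable []string
	seen := make(map[string]bool)
	for _, m := range ParseGitHubRequires(gomod) {
		if seen[m.Path] {
			continue
		}
		seen[m.Path] = true
		if !exists(m.Owner) {
			claimable = append(claimable, m.Path)
		}
	}
	return claimable
}

func main() {
	// Constructed stand-in for the GitHub lookup: only these owners "exist".
	registered := map[string]bool{"sirupsen": true, "mitchellh": true}
	lookup := func(owner string) bool { return registered[owner] }
	for _, path := range FindClaimable(goModSample, lookup) {
		fmt.Println("owner of import path can be claimed:", path)
	}
}
```

In a real scan the lookup hits the GitHub users endpoint; a renamed account answers with a redirect to the new name until someone registers the old one, so a redirect is worth reporting as well as a 404. A hit should be read together with go.sum: versions already pinned there will fail verification, but any newer tag published from the claimed repository will be accepted on upgrade.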
The potential impact is significant, comparable in the researchers' view to the SolarWinds attack, because the vulnerable Go packages are dependencies of popular admin tools that run with high privileges. A practical example using the Logrus and go-ps packages shows how a vulnerable third-party package can inject malicious code into the compiled application. The package has also been used by numerous malware programs written in Go. The research additionally shows an alternative payload embedded with go-bindata.
The injected code was appended to the end of one of the package's files: a new init function, which Go runs automatically when the package is imported, before main. Go permits multiple init functions within the same package, so the addition does not disturb any init the package already had.
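The mechanism described above, as an added illustration rather than the code from the research: a package with two init functions, one of which stands in for an injected payload. The "payload" here only records the process id and hostname into a slice, nothing leaves the process, and the recorded entries can be read back to confirm that both inits ran before main.

```go
package main

import (
	"fmt"
	"os"
	"sync"
)

// beaconLog is a constructed stand-in for what an injected init might collect:
// it records facts about the host at import time. Nothing leaves the process.
var (
	beaconMu  sync.Mutex
	beaconLog []string
)

func record(entry string) {
	beaconMu.Lock()
	defer beaconMu.Unlock()
	beaconLog = append(beaconLog, entry)
}

// BeaconEntries returns what the init functions recorded, in execution order.
func BeaconEntries() []string {
	beaconMu.Lock()
	defer beaconMu.Unlock()
	return append([]string(nil), beaconLog...)
}

// init runs when the package is linked into a binary, before main and before any
// of the package's exported functions are called. An attacker who controls a
// hijacked repository can append one like this to any file in the package.
func init() {
	host, err := os.Hostname()
	if err != nil {
		host = "unknown"
	}
	record(fmt.Sprintf("first init: pid=%d host=%s", os.Getpid(), host))
}

// A second init in the same file is legal; Go runs them in the order they appear,
// so the injected function does not need to touch the package's original init.
func init() {
	record("second init: payload would run here")
}

func main() {
	fmt.Println("main started; entries recorded before main:")
	for _, e := range BeaconEntries() {
		fmt.Println("  ", e)
	}
}
```

The point to take away is that the importing program never calls anything in the hijacked package for the payload to run; linking the package is enough, and a blank import (`import _ "github.com/<user>/<repo>"`) triggers it just the same.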