- Security researchers identified 12 malicious VSCode extensions; four were still available and dangerous.
- Threats range from source-code and credential theft to reverse shells and persistent RCE.
- Open VSX saw a RAT dubbed SleepyDuck that uses Ethereum contracts for resilient C2.
- Research shows 5.6% of 52,880 extensions exhibit suspicious behavior, totaling 613M installs.
Developers are increasingly exposed to risk inside the very editors they use every day, and Visual Studio Code (VSCode) is at the center of the latest alarms. Research has linked a cluster of marketplace listings to aggressive data collection, credential theft, and even remote access to the machines used for software projects.
What makes the situation delicate is that many of the packages were still downloadable as of recent reports, which means the problem is not theoretical. The activity spans both the official marketplace and Open VSX, showing how IDE extension ecosystems have become high-value targets for supply-chain attacks.
What researchers found across the VS Code ecosystems

Several teams, including HelixGuard and other security researchers, documented at least a dozen malicious submissions on the Microsoft VSCode Marketplace and Open VSX. Importantly, four of them were reportedly still live: Christine-devops1234.scraper, Kodease.fyp-23-s2-08, GuyNachshon.cxcx123, and sahil92552.CBE-456.
These packages went far beyond harmless telemetry. Analysts observed theft of machine identifiers, project names, full source files, in-editor search history, AI chat prompts, selected code snippets, clipboard contents, and even screenshots captured during normal work.
One frequently cited data point raises the stakes: an academic study of the ecosystem estimated that roughly 5.6% of the 52,880 VSCode extensions examined exhibited suspicious behavior, and those risky listings together account for more than 613 million installs.
How the exfiltration actually happens
Behavior varies by package, but the goal is consistent: extract sensitive data without alerting the user. For example, analysts say Christine-devops1234.scraper sends a broad profile of the user and project details, including full file contents and in-IDE queries, to infrastructure at 35.164.75.62:8080.
Meanwhile, Kodease.fyp-23-s2-08 routes stolen snippets through Ngrok, disguising the exfiltration as a feature for generating AI-style comments. The examined code normalizes the content (for example, stripping whitespace) and sends it in HTTPS POST requests so the traffic blends in as legitimate helper activity.
Beyond code theft, surveillance-style variants are in the mix. A plugin identified as BX-Dev.Blackstone-DLP was seen taking screenshots and monitoring the screen, a combination that could quietly siphon credentials, tokens, and sensitive fragments of proprietary logic.
Researchers also flagged an extension named VKTeam.ru that selectively targets corporate environments. It checks for membership in the VK.com domain and, when the conditions match, harvests Windows domain information such as usernames, hostnames, and system details: a tailored reconnaissance step.
From spying to full machine compromise
Several listings go beyond data collection and move into command execution. The package teste123444212.teste123444212 reportedly established persistent connections to attacker-controlled AWS resources, effectively creating a channel for malicious command execution on the host.
Another example, ToToRoManComp.diff-tool-vsc, launches a Base64-encoded Perl reverse shell that reaches out to 89.104.69.35 on port 445, enabling interactive access once connected. A payload like this gives the adversary control well beyond the editor itself.
The threat actor tied to Deriv-AI.deriv-ai escalated further by dropping and launching a trojan named "nightpaw," enabling deeper reconnaissance and long-term remote persistence on compromised systems.
The Open VSX case: SleepyDuck hiding behind Solidity tooling
On the Open VSX community registry, researchers tracked a remote access trojan nicknamed SleepyDuck masquerading as a Solidity extension named juan-bianco.solidity-vlang. It drew more than 53,000 downloads and remained visible with a platform warning; critically, it started out benign after submission and gained its malicious component in a later update.
SleepyDuck's key trick is resilience: it leverages an Ethereum smart contract to store and update its command-and-control information. If the default C2 at sleepyduckxyz goes down, the malware can query the blockchain for new instructions, including a new server address and polling interval.
Activation paths are tied to developer activities. The extension activates on editor startup, on opening a Solidity file, or when the Solidity compile command is invoked. It drops a lock file to ensure it runs once per host and calls a bogus webpack.init() from the extension script to blend in, then loads the malicious components.
After startup, analysts observed the malware collecting basic system identifiers (hostname/username, MAC address, and time zone) and preparing a sandbox for command execution. It detects a fast Ethereum RPC endpoint, reads the smart contract for the current configuration, and installs a polling loop that posts host information and checks for tasks to execute.
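The activation triggers, lock file, host fingerprinting and outbound connections described above are all visible statically in an extension's manifest and JavaScript, which is what a reviewer checks before approving a plugin. The following script is an added illustration written for this article, not the researchers' tooling or any vendor's scanner: it reads a VS Code extension manifest's activationEvents and greps the bundled sources for Node primitives that give an extension capabilities beyond editing text. The activation-event names are real VS Code manifest values; the manifest, the JavaScript fragments, the pattern weights and the "review" threshold are constructed assumptions for the example.

```python
"""Static triage of a VSCode extension bundle: which events activate it and
which risky Node.js primitives its code reaches for.

Added illustration, not code from the article or from the researchers it cites.
The manifest and sources below are constructed samples whose shape mirrors the
behaviours described in the report (broad activation, host fingerprinting,
command execution, outbound HTTP); nothing here is executed or contacted.
"""
from __future__ import annotations
import json
import re

# Activation events that fire without the user deliberately invoking the extension.
BROAD_ACTIVATION = {"*", "onStartupFinished"}

# (regex, label, weight). Weights are this script's assumption, not a standard.
RISKY_PATTERNS = [
    (r"require\(['\"]child_process['\"]\)|child_process\.", "process-execution", 3),
    (r"\b(exec|execSync|spawn|spawnSync)\s*\(", "shell-command", 3),
    (r"\bnew Function\s*\(|\beval\s*\(", "dynamic-code", 3),
    (r"https?\.request\s*\(|\bfetch\s*\(|new WebSocket\s*\(|net\.connect\s*\(", "network-egress", 2),
    (r"Buffer\.from\([^)]*['\"]base64['\"]\)", "base64-decode", 1),
    (r"os\.networkInterfaces\s*\(|os\.hostname\s*\(|os\.userInfo\s*\(", "host-fingerprint", 1),
    (r"os\.tmpdir\s*\(|/tmp/|\.lock\b", "lock-or-temp-file", 1),
]

REVIEW_THRESHOLD = 5  # assumption: scores at or above this need a human look


def triage(manifest: dict, sources: dict[str, str]) -> dict:
    """Return a score, human-readable findings and a verdict for one extension.

    `manifest` is the parsed package.json; `sources` maps file path -> JS text.
    """
    findings: list[str] = []
    score = 0

    events = manifest.get("activationEvents", [])
    broad = sorted(e for e in events if e in BROAD_ACTIVATION)
    if broad:
        findings.append(f"broad activation: {', '.join(broad)}")
        score += 2
    # Language triggers are normal for a language extension, so they are
    # reported for context but not scored.
    languages = sorted(e.split(":", 1)[1] for e in events if e.startswith("onLanguage:"))
    if languages:
        findings.append(f"activates on languages: {', '.join(languages)}")

    for path, code in sources.items():
        for pattern, label, weight in RISKY_PATTERNS:
            if re.search(pattern, code):
                findings.append(f"{path}: {label}")
                score += weight

    verdict = "review" if score >= REVIEW_THRESHOLD else "low"
    return {"score": score, "findings": findings, "verdict": verdict}


# Constructed manifest: the trigger set mirrors what the report describes
# (startup, Solidity files, a compile command). Publisher/name are placeholders.
SAMPLE_MANIFEST = json.loads("""
{
  "name": "example-solidity-helper",
  "publisher": "example-publisher",
  "version": "0.0.2",
  "activationEvents": ["onStartupFinished", "onLanguage:solidity", "onCommand:example.compile"],
  "main": "./extension.js"
}
""")

# Constructed source fragments: inert declarations that reference the primitives
# a reviewer would want flagged. They are never executed by this script.
SAMPLE_SOURCES = {
    "extension.js": """
const os = require('os');
const https = require('https');
const { execSync } = require('child_process');
const lock = require('path').join(os.tmpdir(), 'helper.lock');
function fingerprint() { return { host: os.hostname(), ifaces: os.networkInterfaces() }; }
function beacon(config, body) { const req = https.request(config.endpoint, { method: 'POST' }); req.end(body); }
""",
    "formatter.js": "exports.format = (text) => text.trim();\n",  # benign helper
}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MANIFEST, SAMPLE_SOURCES), indent=2))
```

Run against a real install, the same function takes `~/.vscode/extensions/<publisher.name-version>/package.json` and the files under its `main` entry; a language extension that legitimately needs `onLanguage:solidity` should not also need `child_process`, `os.networkInterfaces` and a temp-directory lock file, and the findings list makes that mismatch explicit.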
A separate incident targeting Solidity developers
Earlier in the year, researchers also reported a fake extension marketed as a "Solidity Language" helper on Open VSX. The impostor ran PowerShell scripts, dropped a remote access tool, and exfiltrated crypto-wallet secrets; one developer publicly claimed losses of roughly US$500,000. The listing accumulated thousands of downloads before removal and was reportedly re-uploaded under new names shortly afterward.
The repeated targeting of smart-contract developers is no accident. These users often hold wallet access and interact with financial tooling, making them high-value targets for attackers seeking quick monetization.
The bigger picture: scale and incentives
The numbers paint a striking picture: research indicates that about 5.6% of the 52,880 extensions reviewed show signs of policy violations or risky behavior, and the combined installs of such listings exceed 613 million. With VSCode's large footprint and the growth of AI-assisted tooling, threat actors are incentivized to hide inside add-ons that developers already trust.
Another factor is privilege. Extensions run with the same permissions as the editor (reading files, spawning processes, and making network calls), which widens the blast radius. By hiding exfiltration inside features such as code suggestions or comment formatting, attackers make malicious traffic look like normal development activity.
What organizations should do now
Security leaders and individual developers can reduce exposure with a few disciplined steps, prioritizing visibility and strong guardrails that block risky installs while preserving productivity. A sensible mix of governance and monitoring makes a big difference.
- Audit installed extensions on a schedule; remove anything unknown, newly created, or low-reputation. Consider an allowlist of trusted plugins.
- Monitor egress from developer endpoints for unusual destinations (for example, known C2 IPs, or unexpected tunnels such as Ngrok).
- Review extension source code when possible, especially for extensions that touch secrets or sensitive code paths; pin versions if you must use them.
- Be cautious with automatic updates; track changelogs and publisher changes to avoid supply-chain surprises.
- Harden endpoints with EDR/AV, host firewalls, and least privilege; isolate build secrets and use scoped tokens.
- Train developers on extension risks, publisher verification, and rapid reporting and escalation of suspicious editor behavior.
Marketplace responses and the road ahead
Open VSX, which is popular with AI-enabled IDEs such as Cursor and Windsurf, announced security improvements: shorter token lifetimes, faster revocation of leaked credentials, more automated scanning, and better information sharing with the VS Code team on emerging threats.
Even with these measures, ecosystem safety is a moving target. Attackers iterate quickly: they rename packages, push new malicious updates to previously benign projects, and disguise traffic under the banner of developer convenience. Community awareness and rapid takedowns remain essential.
Across both marketplaces, the recent cases show how exfiltration can be made to look like legitimate features and how backdoors can persist through clever use of blockchain-based C2, reverse shells, and cloud relays. Treat every extension as a link in the supply chain, and vet it with the same rigor you apply to dependencies.
These findings point to a simple but non-negotiable conclusion: treat the editor as part of the security perimeter. With several malicious VSCode extensions still available, reports of Ethereum-backed C2 in the wild, and evidence that a measurable slice of the ecosystem may be risky, organizations that implement audits, allowlists, network monitoring, and developer education will be best positioned to keep source code and credentials out of attackers' hands.
