Photo credit: www.csoonline.com
An open source proof of concept (PoC) exploit initially developed by a reputable security firm has been copied and maliciously altered, illustrating the evolving techniques hackers employ to disseminate malware.
PoCs are typically designed for educational and research purposes, allowing students, researchers, and IT professionals to enhance software security and reinforce defenses. However, the risk remains that such shared resources can be misused by malicious actors.
On January 3, CSOonline reported on a legitimate and secure PoC called LDAPNightmare, developed by SafeBreach, which targets a vulnerability within the Windows Lightweight Directory Access Protocol (LDAP). Recently, Trend Micro discovered a malicious version of this PoC being hosted on GitHub.
Tomer Bar, the vice-president of security research at SafeBreach, emphasized that their original PoC had not been compromised; instead, it was copied and altered. The authentic version of the exploit is available on SafeBreach’s official GitHub account.
“We consistently publish the full open-source code,” Bar stated, “allowing users to confirm its validity and ensure it is not harmful.”
According to Trend Micro’s report, the harmful repository appeared to be a fork of the original code, with original Python files swapped for an executable named poc[dot]exe, which had been packed using UPX compression software.
The presence of an executable in what was supposed to be a Python-centric project raised alarms for many cybersecurity experts, serving as a warning sign that something was off.
A ‘classic Trojan horse’
Although the malicious repository has since been removed, its existence underscores the necessity for caution when downloading code from any source, including open source platforms. David Shipley, CEO of Beauceron Security, described the situation as a “classic social engineering strategy,” emphasizing that it embodies the age-old concept of a Trojan Horse.
“This exemplifies the typical Trojan Horse scenario: you search for a legitimate, research-supported PoC, but instead, you encounter one that is disguised as the genuine article but is actually harmful,” he noted.
Shipley explained that the escalating use of such tactics by threat actors is mainly because they yield successful results. One recommended defense is to evaluate any PoC in an isolated computing environment.
“Any code obtained from the internet should be regarded as potentially hazardous until thoroughly vetted for safety,” he advised.
Not a new tactic
The strategy of embedding malware within a PoC is not novel. In fact, Uptycs highlighted a malicious PoC on GitHub in 2023 that falsely claimed to address a significant vulnerability in the Linux kernel, CVE-2023-35829. Furthermore, a 2022 study conducted by Cornell University discovered that nearly 2% of the 47,285 PoCs analyzed from GitHub displayed signs of malicious intent, indicating a concerning trend.
Last year, SonicWall reported on the rise of malicious PoCs, warning that while many security researchers are skilled in identifying threats, overconfidence can lead to vulnerabilities.
Only use trusted repositories
Cybersecurity teams, including both offensive and defensive units, are advised to download resources exclusively from reputable open source repositories characterized by high user ratings and popularity. SafeBreach’s Bar further cautioned against downloading executables from unknown sources.
In addition, Trend Micro recommends that IT professionals:
- Always download code, libraries, and dependencies from verified and trusted repositories.
- Exercise caution with repositories that contain suspicious or out-of-place elements, suggesting malicious intent.
- Verify the identity of the repository owner or organization whenever possible.
- Review the commit history and recent updates of a repository for any unusual activity or signs of compromise.
- Avoid repositories that have few stars, forks, or contributors, especially if they claim widespread usage.
- Look for external reviews, discussions, or issues related to the repository to identify potential red flags.
Source
www.csoonline.com