This article first appeared in Dark Reading on May 13, 2019.
Three marketing tools, including the Best Of The Web security logomark, were compromised in supply chain attacks, allegedly leaving website customers leaking their users’ sensitive information.
In the latest breaches to highlight the dangers of insecure software supply chains, attackers compromised three marketing services by injecting obfuscated JavaScript to install code that scraped information from thousands of websites, including user login information and credit-card details.
On May 12, Willem de Groot, a security analyst with Sanguine Security, announced that digital-marketing tool Picreel, open-source Web form plugin Alpaca, and Best Of The Web’s security logomark program had all been compromised and implanted with obfuscated JavaScript code to collect information on the visitors to any site that used the three online tools. The attack likely allowed the criminals behind the code to record keystrokes from thousands of websites, de Groot says.
“The economics of this is that, if you hack one project or supplier, you get a huge multiplier for your effort, so it is all about return on investment for the attacker,” he says. “So if he has to spend a couple weeks digging through code on a single project, but then be able to compromise thousands of stores, then that is a good investment from his perspective.”
The attack underscores that companies need to better track the risk they assume when using third-party code — especially popular open source components. Anywhere between 40% and 90% of Web application code is typically from open source components, and when companies rely on third-party services, they have to take into account that code as well, says Mike Bittner, associate director of digital security and operations at The Media Trust, a software security firm.
“Most companies have not done an audit of how much third-party code their websites and applications use, the full inventory of what is being used, and then buckling down and staying up to date,” he says. “When an app is rolled out, most companies will do their due diligence and do security testing. But after that, many will not keep up to date on the security and don’t realize their risk.”
Supply chain attacks have become a much bigger problem for companies. Often, online criminals and nation-state actors will compromise the network of a less-secure supplier as a side door into a more-secure target company. However, attackers are also targeting open source software projects and commercial software as a way to insert vulnerabilities or malicious code that can later be activated.
In 2018, for example, security researchers notified system-management utilities maker Piriform — recently acquired by Avast — that the latest version of its Windows utility CCleaner had been infected with malware during development. And late last year, software supply-chain management firm Sonatype revealed that hackers had attempted to inject malicious code into open source software 11 times in the past 30 months.
On Sunday, de Groot announced that hackers had compromised marketing firm Picreel’s website plugin, collecting information from users of the more than 1,200 sites using the tool. Picreel removed the code, according to de Groot, but did not return a request for comment from Dark Reading.
The same day, de Groot reported that content management system provider Cloud CMS had also been impacted by a similar hack, but only a small number of Cloud CMS customers that used the Alpaca forms plugin and the default content distribution network (CDN) were actually impacted, according to the company.
“This file is not part of Cloud CMS, cloudcms.com, or any of our products, customer websites, data, or applications,” said Michael Uzquiano, chief technology officer at Cloud CMS, in a statement emailed to Dark Reading. “The security of Cloud CMS, its customers, and its products has not been compromised.”
After being notified by de Groot, the company quickly disabled the free Alpaca CDN, determined the hacker had injected code at the end of the minified Alpaca file, and then reinstantiated the CDN using Amazon S3 and a clean set of files.
“Typically, folks download this from GitHub and build it on their own,” Uzquiano said. “They then integrate it into their products. The free CDN version runs on Amazon CloudFront, using an origin-backed distribution. It is offered as a convenience to help people try out Alpaca quickly.”
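A site that loads a third-party script from a CDN can pin the reviewed file's digest so that code appended to the end of the minified file, as described above, no longer matches. The following is an added example, not code from the article or from any of the companies named; the file contents, URL and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

def sri_digest(body: bytes) -> str:
    """Return a Subresource Integrity value of the form 'sha384-<base64>'."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode("ascii")

def script_tag(url: str, body: bytes) -> str:
    """Build a <script> tag that makes the browser refuse a modified file."""
    return (f'<script src="{url}" integrity="{sri_digest(body)}" '
            'crossorigin="anonymous"></script>')

def check_served(served: bytes, pinned_sri: str, known_good: bytes) -> dict:
    """Compare served bytes with the pinned digest. On mismatch, report whether
    the reviewed copy is an exact prefix and return the appended tail for triage."""
    if hmac.compare_digest(sri_digest(served), pinned_sri):
        return {"ok": True, "pure_append": False, "appended": b""}
    is_append = len(served) > len(known_good) and served.startswith(known_good)
    return {"ok": False,
            "pure_append": is_append,
            "appended": served[len(known_good):] if is_append else b""}

# Constructed sample data: not the real Alpaca file and not the real injected code.
KNOWN_GOOD = b"!function(){window.FormLib={render:function(e){return e}}}();"
TAMPERED = KNOWN_GOOD + b"\n/* constructed placeholder for an appended payload */"
PINNED = sri_digest(KNOWN_GOOD)  # recorded when the file was reviewed

if __name__ == "__main__":
    # Hypothetical CDN URL used only to show the resulting tag.
    print(script_tag("https://cdn.example.com/formlib.min.js", KNOWN_GOOD))
    print(check_served(KNOWN_GOOD, PINNED, KNOWN_GOOD))
    print(check_served(TAMPERED, PINNED, KNOWN_GOOD))
```

Run on a schedule against the live CDN URL, the same check gives the site owner an alert when the hosted file changes, independent of the browser-side `integrity` enforcement.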
In perhaps the most ironic breach, attackers compromised the JavaScript behind the Best Of The Web security logo program that checks sites before displaying the logomark. The company is investigating the issues, said Brian Prince, CEO of Best of the Web.
“Earlier today, we were notified that the script we use to display trust seals that we host on Amazon’s content delivery network (CDN) was compromised,” he told Dark Reading in an emailed statement. “We took immediate action to remedy the situation and are in the process of informing those who were affected. We will be conducting a full security audit of our hosted accounts to ensure that this does not happen again.”
The common denominator between the different compromises appears to be that the JavaScript was stored in Amazon Simple Storage Service (S3) buckets. So either the developers left the storage servers open to public access or they may have published the digital keys to the S3 buckets to the cloud, de Groot says.
“These companies have not disclosed the original entry vector,” he says. “However, what you often see is developers mistakenly store the secret access codes into their GitHub repositories and then they leak. And if you have these access codes, you have control of the content.”
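For the first possibility raised above, a bucket left open to the public, the distinction that matters for a script origin is anonymous write rather than anonymous read. The following added example (not from the article) audits an S3 bucket policy document for Allow statements that let any principal modify objects; the policy, bucket name and account ID are constructed, and it inspects policy statements only, not ACLs, `NotAction` or `NotPrincipal`.

```python
import json
from fnmatch import fnmatchcase

# Actions that let a caller replace or re-permission hosted files.
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl", "s3:PutBucketPolicy")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (any caller, no credentials needed)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def public_write_findings(policy_json: str) -> list:
    """Return one finding per Allow statement that grants write actions to anyone."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        # IAM action names are case-insensitive and may contain * wildcards.
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        hit = sorted(w for w in WRITE_ACTIONS
                     if any(fnmatchcase(w.lower(), p) for p in patterns))
        if hit:
            findings.append({"sid": stmt.get("Sid", f"statement-{i}"),
                             "actions": hit,
                             "conditioned": "Condition" in stmt})
    return findings

# Constructed policy for illustration: public read is normal for a CDN origin,
# the wildcard Put* grant is the misconfiguration.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-cdn-bucket/*"},
    {"Sid": "LegacyUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:Put*"], "Resource": "arn:aws:s3:::example-cdn-bucket/*"},
    {"Sid": "DeployRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/deploy"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-cdn-bucket/*"}]})

if __name__ == "__main__":
    for finding in public_write_findings(SAMPLE_POLICY):
        print(finding)
```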