CrowdStrike, in partnership with Google and Shadowserver, a non-profit organization that scans and monitors the internet for cyberattacks, took down a botnet used by cybercriminals to push malware and steal passwords from open source software developers.
The takedown operation was aimed at disrupting the activities of the cybercriminals behind the so-called Glassworm botnet, who have been targeting the broader open source software supply chain for two years, according to CrowdStrike.
In recent months, several hacker groups have targeted developers and open source projects to push malware to companies and organizations that in turn use that software. These attacks can be effective because they exploit the trust that companies have in the code hosted on platforms like GitHub and the workers behind that code.
“Adversaries are no longer just targeting products, they are targeting the developers who build them,” CrowdStrike wrote in its report on the takedown operation. “Developers uniquely represent high-value targets: a breach of a single developer’s workstation can collapse into a supply chain compromise affecting thousands of downstream organizations and users.”
The Glassworm hackers used several strategies to push their malicious code. These included publishing malicious extensions to a marketplace used by developers; malicious advertising — where hackers pay for sponsored search results that trick victims into downloading malware; and using credentials stolen in previous hacks, which allowed developer accounts to be taken over and malware to be planted in their code.
In the end, the hackers were able to poison – as CrowdStrike put it – more than 300 GitHub repositories.
CrowdStrike said it was able to take down four command and control channels used by the Glassworm hackers, which cut off the hackers’ access to infected computers and prevented them from delivering more malware.
The command and control servers were based on the Solana blockchain, the BitTorrent peer-to-peer network, Google Calendar and virtual private servers, according to CrowdStrike.
It’s unclear what legal or technical authority CrowdStrike and the others acted on to take down the operation. When asked by TechCrunch, CrowdStrike spokeswoman Kirsten Speas declined to comment beyond the company’s blog post.
Last week, hackers breached several open source projects that pushed out malicious updates in a different hacking campaign called “Mini Shai-Hulud.” At least two OpenAI developers were hacked by this hacker group. In another supply chain attack in March, a suspected North Korean hacker took over the popular open source software development tool Axios, which is used by millions of developers.
Updated to correct the number of compromised OpenAI developers and to include comment from CrowdStrike.
