Source |
RiskIQ |
Identifier |
8627273 |
Publication date |
2024-12-18 22:08:21 (viewed: 2024-12-18 23:08:34) |
Title |
A new playground: Malicious campaigns proliferate from VSCode to npm |
Text |
## Snapshot
ReversingLabs researchers have identified a shift in malicious activity from Visual Studio Code (VSCode) Marketplace to the npm community, initially targeting the crypto community and developers using VSCode. Threat actors are leveraging compromised npm packages to distribute malware directly into VSCode environments.
## Description
Initially appearing on the VSCode Marketplace, this malicious campaign expanded to npm in November 2024, mirroring the earlier malicious VSCode extensions. Those extensions were marketed as "Solidity Language support for Visual Studio Code" and contained obfuscated JavaScript code that prompted ReversingLabs to investigate further. The npm package named "etherscancontracthandler" was published in five different versions, three of which contained an obfuscated malicious payload. Both the extensions and the npm packages included downloader functionality used to deliver a second-stage payload from multiple domains, some of which were crafted to mimic legitimate endpoints, such as those appearing to be related to Microsoft Visual Studio Code.
The campaign highlights the risks associated with installing plugins and extensions in Integrated Development Environments (IDEs) like VSCode, as they can serve as entry points for further compromises in the development cycle. These packages can be included in other npm packages and VSCode extensions, expanding the attack surface. The campaign began targeting the crypto community but by the end of October, extensions published were mostly impersonating the Zoom application. Additionally, each malicious extension had fabricated reviews from their authors to lend credibility.
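The following is an added defensive example, not code from ReversingLabs or Microsoft: a small audit over npm package manifests that flags the package name cited in the report and any install-time lifecycle script carrying crude downloader or obfuscation markers. The sample manifests, the placeholder version string and the marker list are constructed for illustration.

```javascript
// Added example: audit npm package.json manifests for campaign-style indicators.
// Package name is the one named in the report; versions and scripts are constructed.
const WATCHLIST = new Set(["etherscancontracthandler"]);

// Lifecycle hooks that npm executes automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristic markers of downloader or obfuscated behaviour in an install script.
// These produce review candidates, not verdicts.
const SUSPICIOUS = [
  /\bcurl\b/, /\bwget\b/, /node\s+-e\b/, /eval\(/, /atob\(/,
  /\\x[0-9a-f]{2}/i, /https?:\/\//,
];

// Returns a list of human-readable findings for one manifest (empty if clean).
function auditManifest(pkg) {
  const findings = [];
  if (WATCHLIST.has(pkg.name)) {
    findings.push(`watchlisted package ${pkg.name}@${pkg.version}`);
  }
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    const hits = SUSPICIOUS.filter((re) => re.test(cmd)).length;
    if (hits > 0) {
      findings.push(`${hook} script with ${hits} suspicious marker(s): ${cmd}`);
    }
  }
  return findings;
}

// Audits many manifests and keys the findings by name@version.
function auditAll(manifests) {
  const report = {};
  for (const m of manifests) {
    const f = auditManifest(m);
    if (f.length > 0) report[`${m.name}@${m.version}`] = f;
  }
  return report;
}

// Constructed sample manifests, e.g. read from node_modules/*/package.json.
const SAMPLES = [
  { name: "left-pad", version: "1.3.0", scripts: { test: "node test" } },
  { name: "etherscancontracthandler", version: "0.0.0-placeholder", scripts: {} },
  { name: "totally-fine", version: "2.0.1",
    scripts: { postinstall: "node -e \"eval(atob('...'))\"" } },
];

console.log(JSON.stringify(auditAll(SAMPLES), null, 2));
```

In practice the manifests would be read from an installed tree or a registry mirror before approval, and the watchlist fed from a vetted intelligence source rather than hard-coded.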
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. [Refer to this article](https://learn.microsoft.com/azure/active-directory/authentication/concept-authentication-methods?ocid=magicti_ta_learndoc) for the different authentication methods and features.
- For MFA that uses authenticator apps, ensure that the app requires a code to be typed in where possible, as many intrusions where MFA was enabled still succeeded due to users clicking “Yes” on the prompt on their phones even when they were not at their [devices](https://learn.microsoft.com/azure/active-directory/authentication/how-to-mfa-number-match?ocid=magicti_ta_learndoc). Refer to [this article](https://learn.microsoft.com/azure/active-directory/authentication/concept-authentication-methods?ocid=magicti_ta_learndoc) for an example.
- Remind employees that enterprise or workplace credentials should not be stored in browsers or password vaults secured with personal credentials. Organizations can turn off password syncing in browser on managed devices using [Group Policy](https://learn.microsoft.com/deployedge/microsoft-edge-enterprise-sync#sync-group-policies?ocid=magicti_ta_learndoc).
- Educate end users about [preventing malware infections](https://learn.microsoft.com/en-us/defender-endpoint/malware/prevent-malware-infection). Practicing the [principle of least privilege and building |
Notes |
★★★
|
Sent |
Yes |
Tags |
Malware
Tool
Threat
|