Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/13/2019
04:00 PM
100%
0%

Attacks on JavaScript Services Leak Info From Websites

Three marketing tools, including the Best Of The Web security logomark, were compromised in supply chain attacks, allegedly leaving website customers leaking their users' sensitive information.

In the latest breaches to highlight the dangers of insecure software supply chains, attackers compromised three marketing services by injecting obfuscated JavaScript to install code that scraped information from thousands of websites, including user login information and credit-card details.

On May 12, Willem de Groot, a security analyst with Sanguine Security, announced that digital-marketing tool Picreel, open-source Web form plugin Alpaca, and Best Of The Web's security logomark program had all been compromised and implanted with obfuscated JavaScript code to collect information on the visitors to any site that used the three online tools. The attack likely allowed the criminals behind the code to record keystrokes from thousands of websites, de Groot says.

"The economics of this is that, if you hack one project or supplier, you get a huge multiplier for your effort, so it is all about return on investment for the attacker," he says. "So if he has to spend a couple weeks digging through code on a single project, but then be able to compromise thousands of stores, then that is a good investment from his perspective."

The attack underscores that companies need to better track the risk they assume when using third-party code — especially popular open source components. Anywhere between 40% and 90% of Web application code is typically from open source components, and when companies rely on third-party services, they have to take into account that code as well, says Mike Bittner, associate director of digital security and operations at The Media Trust, a software security firm.

"Most companies have not done an audit of how much third-party code their websites and applications use, the full inventory of what is being used, and then buckling down and staying up to date," he says. "When an app is rolled out, most companies will do their due diligence and do security testing. But after that, many will not keep up to date on the security and don't realize their risk."

Supply chain attacks have become a much bigger problems for companies. Often, online criminals and nation-state actors will compromise the network of a less-secure supplier as a side door into a more-secure target company. However, attackers are also targeting open source software projects and commercial software as a way to insert vulnerabilities or malicious code that can later be activated. 

In 2018, for example, security researchers notified system-management utilities maker Piriform — recently acquired by Avast — that the latest version of its Windows utility CCleaner had been infected with malware during development. And late last year, software supply-chain management firm Sonotype revealed that hackers had attempted to inject malicious code into open source software 11 times in the past 30 months.

On Sunday, de Groot announced that hackers had compromised marketing firm Picreel's website plugin, collecting information from users of the more than 1,200 sites using the tool. Picreel removed the code, according to de Groot, but did not return a request for comment from Dark Reading.

The same day, de Groot reported that content management system provider Cloud CMS had also been impacted by a similar hack, but only a small numbers of Cloud CMS customers that used the Alpaca forms plugin and the default content distribution network (CDN) were actually impacted, according to the company. 

"This file is not part of Cloud CMS, cloudcms.com, or any of our products, customer websites, data, or applications," said Michael Uzquiano, chief technology officer at Cloud CMS, in a statement emailed to Dark Reading. "The security of Cloud CMS, its customers, and its products has not been compromised."

After being notified by de Groot, the company quickly disabled the free Alpaca CDN, determined the hacker had injected code at the end of the minified Alpaca file, and then reinstantiated the CDN using Amazon S3 and a clean set of files.

"Typically, folks download this from GitHub and build it on their own," Uzquiano said. "They then integrate it into their products. The free CDN version runs on Amazon Cloud Front, using an origin-backed distribution. It is offered as a convenience to help people try out Alpaca quickly."

In perhaps the most ironic breach, attackers compromised the JavaScript behind the Best Of The Web security logo program that checks sites before displaying the logomark. The company is investigating the issues, said Brian Prince, CEO of Best of the Web.

"Earlier today, we were notified that the script we use to display trust seals that we host on Amazon’s content delivery network (CDN) was compromised," he told Dark Reading in an emailed statement. "We took immediate action to remedy the situation and are in the process of informing those who were affected. We will be conducting a full security audit of our hosted accounts to ensure that this does not happen again.”

The common denominator between the different compromises appears to be that the JavaScript was stored in Amazon Simple Storage Service (S3) buckets. So either the developers left the storage servers open to public access or they may have published the digital keys to the S3 buckets to the cloud, de Groot says.

"These companies have not disclosed the original entry vector," he says. "However, what you often see is developers mistakenly store the secret access codes into their Github repositories and then they leak. And if you have these access codes, you have control of the content."

Related Content

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "He's too shy to invite me out face to face!"
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16669
PUBLISHED: 2019-09-21
The Reset Password feature in Pagekit 1.0.17 gives a different response depending on whether the e-mail address of a valid user account is entered, which might make it easier for attackers to enumerate accounts.
CVE-2019-16656
PUBLISHED: 2019-09-21
joyplus-cms 1.6.0 allows remote attackers to execute arbitrary PHP code via /install by placing the code in the name of an object in the database.
CVE-2019-16657
PUBLISHED: 2019-09-21
TuziCMS 2.0.6 has XSS via the PATH_INFO to a group URI, as demonstrated by index.php/article/group/id/2/.
CVE-2019-16658
PUBLISHED: 2019-09-21
TuziCMS 2.0.6 has index.php/manage/notice/do_add CSRF.
CVE-2019-16659
PUBLISHED: 2019-09-21
TuziCMS 2.0.6 has index.php/manage/link/do_add CSRF.