CrowdStrike and Google take down botnet used by hackers to target software developers in supply chain attacks


9:59 AM PDT · May 27, 2026

CrowdStrike, working with Google and Shadowserver, a nonprofit organization that scans and monitors the internet for cyberattacks, took down a botnet that cybercriminals used to push malware and steal passwords from open-source software developers.

The takedown operation had the goal of disrupting the activities of the cybercriminals behind the so-called Glassworm botnet, who have been targeting the broader open source software supply chain for two years, according to CrowdStrike.

In recent months, several hacking groups have targeted developers and open source projects to push malicious software to companies and organizations who in turn use that software. These attacks can be effective because they exploit the trust that companies put into code that’s hosted on platforms like GitHub, and the workers behind that code.

“Adversaries are no longer just targeting products, they’re targeting the developers who build them,” CrowdStrike wrote in its report about the takedown operation. “Developers represent uniquely high-value targets: compromising a single developer’s workstation can cascade into a supply-chain compromise that impacts thousands of downstream organizations and users.”

The Glassworm hackers used several strategies to push out their malicious code. This included publishing malicious extensions on a marketplace used by developers; by malvertising — where hackers pay for sponsored search results that trick victims into downloading malware; and using credentials stolen in previous hacks, which allowed the hijacking of developer accounts and the planting of malware in their code.

In the end, the hackers were able to poison — as CrowdStrike put it — more than 300 GitHub code repositories.

Contact Us

Do you have more information about the Glassworm hacking group? Or about other supply chain attacks? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or by email.

CrowdStrike said it was able to take down four command-and-control channels used by the Glassworm hackers, which cut the hackers’ access to infected computers and stopped them from delivering more malware.

The command-and-control servers relied on the Solana blockchain, the BitTorrent peer-to-peer network, Google Calendar, and virtual private servers, according to CrowdStrike.

It’s not clear on what legal or technical authority CrowdStrike and others operated under to take down the operation. A spokesperson for CrowdStrike did not immediately comment.

Last week, hackers compromised several open source projects that pushed out malicious updates in a different hacking campaign that was called “Mini Shai-Hulud.” An OpenAI developer was compromised by this group of hackers. In another supply chain attack in March, a suspected North Korean hacker hijacked the popular open source software development tool Axios, which is used by millions of developers.


Lorenzo Franceschi-Bicchierai is a Senior Writer at TechCrunch, where he covers hacking, cybersecurity, surveillance, and privacy.
