Malicious code detected in rest-client and 10 other Ruby packages

In the popular gem package rest-client, with a total of 113 million downloads, a malicious code substitution (CVE-2019-15224) has been identified that downloads and executes commands and sends information to an external host. The attack was carried out by compromising the rest-client developer's account in the rubygems.org repository, after which the attackers published releases 1.6.10 and 1.6.13 on August 13-14, containing the malicious changes. Before the malicious versions were blocked, about a thousand users managed to download them (in order not to attract attention, the attackers released the updates for older version branches).

The malicious change overrides the "#authenticate" method of the Identity class, after which every call of this method sends the email and password passed in the authentication attempt to the attackers' host. As a result, the login credentials of users of any service that uses the Identity class and installed a vulnerable version of the rest-client library were exposed; rest-client is a dependency of many popular Ruby packages, including ast (64M downloads), oauth (32M), fastlane (18M), and kubeclient (3.7M).

In addition, a backdoor was added to the code that allows arbitrary Ruby code to be executed through the eval function. The code is transmitted in a Cookie, authenticated with the attacker's key. To notify the attackers that the malicious package has been installed, the URL of the victim's system and a collection of information about the environment, such as saved passwords for the DBMS and cloud services, are sent to an external host. Through this malicious code, attempts were made to download scripts for cryptocurrency mining.
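The override described above works because Ruby lets any loaded file reopen a class and redefine a method. As an added example (not code from the article or from the rest-client gem), the following boot-time integrity check records where each sensitive method is defined and reports any definition that has moved afterwards; the Identity class, the MethodIntegrity class and the simulated reopen are all constructed for this illustration.

```ruby
# Added example, not part of the original article or of rest-client:
# snapshot the source location of sensitive methods at boot and flag any
# later redefinition, the way a dependency that reopens a class and
# overrides Identity#authenticate would be caught.

# Constructed stand-in for an application's Identity class.
class Identity
  def initialize(store)
    @store = store # constructed sample data: email => password
  end

  def authenticate(email, password)
    @store[email] == password
  end
end

# Records (class, method name, [file, line]) for each watched method, so a
# later override, even one that keeps the same arity, becomes visible.
class MethodIntegrity
  Entry = Struct.new(:klass, :name, :location)

  def initialize(watched)
    @baseline = watched.map { |klass, name| snapshot(klass, name) }
  end

  # Returns "Class#method" strings whose definition no longer matches the baseline.
  def drifted
    @baseline
      .reject { |e| e.location == snapshot(e.klass, e.name).location }
      .map { |e| "#{e.klass}##{e.name}" }
  end

  private

  def snapshot(klass, name)
    Entry.new(klass, name, klass.instance_method(name).source_location)
  end
end

# Take the baseline right after the application's own classes are loaded.
INTEGRITY = MethodIntegrity.new([[Identity, :authenticate]])

# Simulates loading a dependency that reopens the class. The replacement here
# only forwards to the original method; the point is that the check notices it.
def simulate_reopen
  Identity.class_eval do
    alias_method :__orig_authenticate, :authenticate
    def authenticate(email, password)
      __orig_authenticate(email, password)
    end
  end
end

# Runs the check before and after the simulated reopen and returns both results.
def run_check
  before = INTEGRITY.drifted
  simulate_reopen
  after = INTEGRITY.drifted
  { before: before, after: after }
end
```

In a real application the baseline would be taken after the application's own code is loaded but before gems from untrusted sources are required, and a non-empty drift list would fail the boot.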

After studying the malicious code, it was revealed that similar changes are still present in 10 packages in Ruby Gems, which were not hijacked but specially prepared by the attackers on the basis of other popular libraries with similar names, in which a dash was replaced by an underscore or vice versa (for example, the malicious cron_parser package was created on the basis of cron-parser, and the malicious doge-coin package on the basis of doge_coin). Problem packages:

The first malicious package from this list was posted on May 12, but most of them appeared in July. In total, these packages were downloaded about 2500 times.
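The dash/underscore substitution used for these lookalike packages can be checked for mechanically. As an added example (not code from the article), the following script reads gem names from a Gemfile.lock and reports any name that differs from a known-good gem only by swapping "-" and "_"; KNOWN_GEMS and SAMPLE_LOCK are constructed sample data, and the lock-file reader only handles the "name (version)" lines in the specs section.

```ruby
# Added example, not from the original article: flag dependency names that
# match a known-good gem once '-' and '_' are treated as the same character,
# the pattern described above (cron_parser vs cron-parser, doge-coin vs doge_coin).

# Constructed allow-list; in practice this would be the project's vetted dependencies.
KNOWN_GEMS = %w[cron-parser doge_coin rest-client].freeze

# Collapse the separator so "cron_parser" and "cron-parser" compare equal.
def normalize(name)
  name.tr("-", "_").downcase
end

# Returns [dependency, known_gem] pairs for every dependency that is not itself
# on the allow-list but collides with an allow-listed name after normalization.
def lookalike_pairs(dependencies, known = KNOWN_GEMS)
  index = known.group_by { |g| normalize(g) }
  dependencies.each_with_object([]) do |dep, hits|
    next if known.include?(dep)
    (index[normalize(dep)] || []).each { |real| hits << [dep, real] }
  end
end

# Minimal Gemfile.lock reader: top-level specs are indented four spaces and
# look like "name (version)"; their own dependencies are indented further.
def names_from_lockfile(text)
  text.scan(/^    ([A-Za-z0-9_.\-]+) \([^)]*\)$/).flatten.uniq
end

# Constructed lock-file fragment containing two lookalike names and one real gem.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      cron_parser (0.1.0)
      doge-coin (1.0.0)
      rest-client (2.1.0)
        http-cookie (>= 1.0.2, < 2.0)

  PLATFORMS
    ruby
LOCK

if __FILE__ == $PROGRAM_NAME
  lookalike_pairs(names_from_lockfile(SAMPLE_LOCK)).each do |dep, real|
    puts "suspicious dependency #{dep} (looks like #{real})"
  end
end
```

Run against the sample it reports cron_parser and doge-coin; rest-client passes because it is on the allow-list itself. Such a check belongs in CI next to the lock file so a newly added lookalike is rejected before it is installed.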

Source: opennet.ru
