SentinelOne has released threat research on an attack against the Rust development community. Dubbed ‘CrateDepression,’ the attack infects GitLab-based cloud continuous integration (CI) pipelines and could serve as the springboard for large-scale software supply-chain attacks.
Software supply-chain attacks have gone from a rare occurrence to a highly desirable approach for attackers, who find ways to ‘fish with dynamite’ in an attempt to infect entire user populations at once. In the case of CrateDepression, the attackers’ interest in cloud software build environments suggests that they could leverage these infections for larger-scale supply-chain attacks.
On May 10th, 2022, the Rust Security Response Working Group released an advisory announcing the discovery of a malicious crate, ‘rustdecimal’, hosted on crates.io, the Rust community’s package registry. The crate name was intentionally similar to that of the popular ‘rust_decimal’ crate, in the hope that potential victims would misspell the name when declaring the dependency (an attack known as “typosquatting”).
The malicious dependency checks for environment variables that suggest a singular interest in GitLab Continuous Integration (CI) pipelines; builds that do not match the check behave normally, so the crate looks benign on a developer’s workstation. Infected CI pipelines are served a second-stage payload. SentinelOne has identified these payloads as Go binaries built on the red-teaming framework Mythic.
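As an added example (not SentinelOne’s research code and not anything from the Rust project), the following Rust program shows the kind of pre-build check a team could run over its own Cargo.lock to catch a near-miss dependency name such as ‘rustdecimal’ before it is ever compiled. The watch-list of popular crates and the sample Cargo.lock text are constructed for the example, and the edit-distance threshold is an assumption that should be tuned against real lock files to keep false positives manageable.

```rust
// Added example: flag crates in a Cargo.lock whose names are a near-miss of a
// popular crate, the pattern used by the typosquatted "rustdecimal" crate.
// Not SentinelOne's or the Rust project's code. WATCHLIST and SAMPLE_LOCK are
// constructed samples, not a maintained registry of popular crates.

use std::collections::HashSet;

/// Popular crate names to protect (constructed sample for the example).
const WATCHLIST: &[&str] = &["rust_decimal", "serde", "tokio", "rand", "regex"];

/// Constructed Cargo.lock excerpt: one typosquat among legitimate crates.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "rustdecimal"
version = "1.23.1"

[[package]]
name = "serde"
version = "1.0.137"

[[package]]
name = "serde_json"
version = "1.0.81"
"#;

/// Collapse the separators crates.io treats as equivalent so that
/// "rust-decimal" and "rust_decimal" compare equal, and lower-case everything.
fn normalize(name: &str) -> String {
    name.chars()
        .filter(|c| *c != '-' && *c != '_')
        .flat_map(|c| c.to_lowercase())
        .collect()
}

/// Plain Levenshtein edit distance (insert/delete/substitute each cost 1).
fn edit_distance(a: &str, b: &str) -> usize {
    let a: Vec<char> = a.chars().collect();
    let b: Vec<char> = b.chars().collect();
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    let mut cur = vec![0usize; b.len() + 1];
    for i in 1..=a.len() {
        cur[0] = i;
        for j in 1..=b.len() {
            let cost = if a[i - 1] == b[j - 1] { 0 } else { 1 };
            cur[j] = (prev[j] + 1).min(cur[j - 1] + 1).min(prev[j - 1] + cost);
        }
        std::mem::swap(&mut prev, &mut cur);
    }
    prev[b.len()]
}

/// Pull `name = "..."` entries out of Cargo.lock text. The file is TOML, but
/// the name lines are regular enough to extract without a TOML parser.
fn lock_file_names(lock: &str) -> Vec<String> {
    lock.lines()
        .filter_map(|l| {
            l.trim()
                .strip_prefix("name = \"")
                .and_then(|rest| rest.strip_suffix('"'))
                .map(str::to_string)
        })
        .collect()
}

/// Return (suspect, lookalike) pairs: a locked crate that is not itself on the
/// watch-list but normalizes to within `max_distance` edits of a watched name.
fn find_typosquats(lock: &str, watchlist: &[&str], max_distance: usize) -> Vec<(String, String)> {
    let watched: HashSet<&str> = watchlist.iter().copied().collect();
    let mut hits = Vec::new();
    for name in lock_file_names(lock) {
        if watched.contains(name.as_str()) {
            continue; // the genuine crate, nothing to flag
        }
        let n = normalize(&name);
        for &w in watchlist {
            if edit_distance(&n, &normalize(w)) <= max_distance {
                hits.push((name.clone(), w.to_string()));
            }
        }
    }
    hits
}

fn main() {
    // Threshold of 2 is an assumption; tune it on your own lock files.
    for (suspect, lookalike) in find_typosquats(SAMPLE_LOCK, WATCHLIST, 2) {
        println!("suspicious dependency {suspect:?} resembles {lookalike:?}");
    }
}
```

Because the malicious crate only misbehaves when its CI environment check passes, a clean build on a laptop is no evidence that a dependency is safe; a name check like this belongs in the first CI job, before `cargo build` runs anything from the registry. It is a tripwire, not a substitute for pinning dependencies and reviewing new ones.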
Given the nature of the victims targeted, this attack would serve as an enabler for subsequent supply-chain attacks at a larger scale than the development pipelines initially infected. SentinelOne suspects that the campaign includes the impersonation of a known Rust developer to poison the well with source code that relies on the typosquatted malicious dependency and so sets off the infection chain.
The full research is here: https://www.sentinelone.com/labs/cratedepression-rust-supply-chain-attack-infects-cloud-ci-pipelines-with-go-malware/