GitLab CI pipelines compromised by a supply chain attack

May 24, 2022
GitLab CI Pipelines Compromised Supply Chain Attack Continuous Integration Rust

Cybersecurity researchers are warning Rust developers about malware that directly targets GitLab Continuous Integration pipelines (GitLab CI). The researchers are calling these developers' attention to it so they can react and counteract the current threat quickly.

The supply chain attack is called CrateDepression. It combines typosquatting with impersonation of a legitimate Rust developer to plant a malicious crate on the community repository for Rust dependencies. A crate is also Rust's unit of compilation.

Fortunately, security solutions quickly noticed the compromised crate, which was flagged and removed. However, researchers discovered a second-stage payload designed exclusively to infect GitLab CI pipelines, a detail that signals the risk of further, larger-scale supply-chain campaigns.

A technical report documenting the findings states that the current campaign could serve as a stepping stone for follow-up supply-chain attacks with a more widespread pipeline infection. Moreover, because the targeted systems serve many users, the attack could spread quickly across different networks.

This GitLab campaign also includes a second-stage payload.

The malware inspects a compromised machine for the GITLAB_CI environment variable to identify Continuous Integration (CI) pipelines used for software development. On such systems, the threat actors deploy a next-stage payload built on the 'red-teaming' post-exploitation framework Mythic.

This second-stage payload includes a switch with an extensive array of tasking options, including taking screenshots, keylogging, and uploading and downloading files. On macOS, the operator can deploy a LoginItem, a LaunchAgent, or both.

According to the primary research group, an investigation by a separate security team and the Rust Security Response group identified roughly 15 versions of the malicious "rustdecimal" crate, reflecting the threat actors' successive refinements and approaches.
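As an added example (not from the original article or from any of the research teams it cites), a small check a defender can run in CI against a project's Cargo.toml: it flags dependencies whose name is within a small edit distance of an expected crate, the pattern by which "rustdecimal" imitated the legitimate rust_decimal crate. The allowlist, the manifest and the function names are constructed for this example, and the manifest reader is line-based rather than a full TOML parser.

```python
import re

# Constructed allowlist: the crates this project is expected to depend on.
KNOWN_CRATES = {"rust_decimal", "serde", "tokio", "rand", "regex"}

DEP_SECTIONS = {"dependencies", "dev-dependencies", "build-dependencies"}

# Constructed sample manifest with two lookalike names planted in it.
SAMPLE_CARGO_TOML = """
[package]
name = "demo"
version = "0.1.0"

[dependencies]
serde = "1"
rustdecimal = "1.23"
tokio = { version = "1", features = ["full"] }

[dev-dependencies]
regx = "1"
"""

def dependency_names(cargo_toml: str) -> set:
    """Collect dependency names from the [*dependencies] tables of a Cargo.toml.
    Handles the common `name = "ver"` and `name = { ... }` one-line forms only."""
    names, in_dep_table = set(), False
    for line in cargo_toml.splitlines():
        line = line.strip()
        header = re.match(r"^\[([^\]]+)\]$", line)
        if header:
            # last path component also covers target-specific tables,
            # e.g. [target.'cfg(unix)'.dependencies]
            in_dep_table = header.group(1).split(".")[-1].strip() in DEP_SECTIONS
            continue
        if in_dep_table and "=" in line and not line.startswith("#"):
            names.add(line.split("=", 1)[0].strip().strip('"'))
    return names

def canonical(name: str) -> str:
    """Lowercase and drop '-'/'_': typosquats often drop or swap separators."""
    return re.sub(r"[-_]", "", name.lower())

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance via dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def suspicious_dependencies(cargo_toml: str, known=KNOWN_CRATES, max_distance=1):
    """Return sorted [(dependency, lookalike_known_crate)] for names that are not
    on the allowlist but sit within max_distance edits of an allowlisted crate."""
    findings = []
    for dep in sorted(dependency_names(cargo_toml)):
        if dep in known:
            continue
        for good in sorted(known):
            if edit_distance(canonical(dep), canonical(good)) <= max_distance:
                findings.append((dep, good))
                break
    return findings
```

Wiring `suspicious_dependencies` into a pipeline job that fails the build on any finding turns the check into a gate rather than a report.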

To date, the threat actors' objective remains unknown. However, the chosen target group, infected GitLab Continuous Integration pipelines, could enable subsequent larger-scale supply-chain attacks.

Supply-chain attacks have evolved from a rarely used tactic into a widespread approach, since they can infect a large group of users at once. GitHub users should be on their toes these next few days.
