News

VS Code Is Latest Microsoft Dev Tooling Weaponized by Threat Actors

Cybersecurity threat actors keep leveraging Microsoft development tooling as attack vectors.

The latest incident was reported this month by Cyble, with one of the key takeaways of its report being: "Cyble Research and Intelligence Labs (CRIL) uncovered a sophisticated attack that leverages legitimate tools such as Visual Studio (VS) Code and GitHub."

In the reported attack scheme, users are tricked into clicking on a link, potentially delivered in spam emails, which actually delivers an obfuscated Python script.

"Once executed, the Python script establishes persistence by creating a scheduled task with system privileges and high priority," Cyble said. "It checks if Visual Studio Code (VSCode) is installed on the victim's machine. If not, the script downloads the standalone VSCode CLI from a trusted source. Using VSCode, the script creates a remote tunnel, sharing an activation code with the TA, which facilitates unauthorized remote access to the victim's machine."

VS Code in the Injection Chain
[Click on image for larger view.] VS Code in the Injection Chain (source: Cyble).

As indicated, this is just the latest of a long string of such incidents in which Microsoft development tooling -- including its GitHub subsidiary -- is being used as attack vectors.

Just two months ago, for example, a Reddit post was published as a public service announcement: "PSA: LummaC2 Trojan Stealer spreading on GitHub issues."

After that, BleepingComputer investigated and found more examples of malicious malware being distributed as fixes. "Further review by BleepingComputer found thousands of similar comments posted to a wide range of projects on GitHub, all offering fake fixes to other people's questions," the company said.

"The solution tells people to download a password-protected archive from mediafire.com or through a bit.ly URL and run the executable within it. In the current campaign, the password has been 'changeme' in all the comments we have seen."

GitHub has long been a target, with the company SentinelOne reporting earlier this year on "Exploiting Repos | 6 Ways Threat Actors Abuse GitHub & Other DevOps Platforms."

Those include:

  1. Hosting Malware & Phishing Campaigns
  2. Hosting Command & Control (C2)
  3. Credential Theft & Supply Chain Attacks
  4. Cloning & Manipulating GitHub (& Other) Repos
  5. Abuse of GitHub Actions & CI/CD Pipelines
  6. Distributed Denial of Service (DDoS) Attacks

In May, the company Recorded Future reported on "GitCaught: Threat Actor Leverages GitHub Repository for Malicious Infrastructure."

"In recent research, Recorded Future's Insikt Group uncovered a sophisticated cybercriminal campaign led by Russian-speaking threat actors from the Commonwealth of Independent States (CIS)," the company said. "These threat actors leveraged a GitHub profile to impersonate legitimate software applications like 1Password, Bartender 5, and Pixelmator Pro to distribute various malware types, such as Atomic macOS Stealer (AMOS) and Vidar. This malicious activity highlights the abuse of trusted internet services to orchestrate cyberattacks that steal personal information."

The month before, Security Week reported "Threat Actors Manipulate GitHub Search to Deliver Malware," reporting on a Checkmarx post about a new technique to trick developers that was detected in an open source supply chain attack.

A couple of key points from that post include:

  • GitHub search manipulation: Attackers create malicious repositories with popular names and topics, using techniques like automated updates and fake stars to boost search rankings and deceive users.
  • Malicious code is often hidden within Visual Studio project files (.csproj or .vcxproj) to evade detection, automatically executing when the project is built.

So it's a years-long ongoing story that continues today.

Just last week, for example, sister pub RedmondMag reported on a Microsoft security rollout that includes this:

CVE-2024-43488: Affects Visual Studio Code extension for Arduino. Microsoft has already mitigated this particular vulnerability, according to its advisory, so IT doesn't have to take further action to patch it.

As far as mitigation for the brand-new VS Code exploit, Cyble recommends:

  • Utilize advanced endpoint protection solutions that include behavioral analysis and machine learning capabilities to detect and block suspicious activities, even those involving legitimate applications like VSCode.
  • Review scheduled tasks on all systems regularly to identify unauthorized or unusual entries. This can help detect persistence mechanisms established by threat actors.
  • Conduct training sessions to educate users about the risks of opening suspicious files or links, particularly those related to .LNK files and unknown sources.
  • Limit user permissions to install software, particularly for tools that can be exploited, like VSCode. Implement application whitelisting to control which applications can be installed and run on systems.
  • Deploy advanced monitoring tools that can detect unusual network traffic, unauthorized access attempts, and abnormal behavior within the system. Regularly audit and review system and application logs to catch early signs of intrusion.

Microsoft offers guidance about how users can avoid phishing and other attacks in resources such as Security Development Lifecycle (SDL) Practices and has created a Threat Modeling Tool, but the continuing attacks indicate the bad guys are enjoying some success, so users and coders alike need to stay abreast of the latest techniques.

About the Author

David Ramel is an editor and writer at Converge 360.

comments powered by Disqus

Featured

Subscribe on YouTube