Matthew Miller, Author at Techbest - Top Tech Reviews In Australia - Page 2 of 111

Defunc True Wireless Earbuds True Basic IPX4 Waterproof in-Ear Headphones Review


We independently review everything we recommend. When you buy through our links, we may earn a commission which is paid directly to our Australia-based writers, editors, and support staff. Thank you for your support!

Defunc True Wireless Earbuds True Basic IPX4 Waterproof in-Ear Headphones 5.0 Bluetooth Stereo Headphones Built-in Microphone, Automatic One-Step Pairing, Long Playtime & Charging Case (Blue)

Sennheiser TV Clear Earphones Review



Sennheiser TV Clear Earphones, Wireless TV Headphones with Voice Intelligibility and Noise Cancellation, Ideal for Bluetooth-Enabled TVs, Without Transmitter

Huawei FreeBuds SE 4 ANC Wireless Earbuds Review



Huawei FreeBuds SE 4 ANC Wireless Earbuds, 50 Hours Battery Life, Multi-Mode Action Noise Cancelling for Commuter and Office, 4.3g Lightweight Headphones, Bluetooth 5.4, Clear Calling, IP54

Wireless Earbuds Bluetooth 5.3 Headphones 2024 Wireless Headphones in Ear with ENC Mic Review



Wireless Earbuds, Bluetooth 5.3 Headphones 2024 Wireless Headphones in Ear with ENC Mic, Bluetooth Earphones Noise Cancelling Ear buds with 50H Hifi Stereo, IP7 Waterproof Headset, USB-C, LED Display

Eleror X9 Mini Wireless Earbuds Review



eleror X9 Mini Wireless Earbuds for Sleeping & Daily Use, Extra-Small Bluetooth Earphones, Full-Silicone Comfort Tiny Ear Buds, Noise-Isolating, Secure Fit, ENC Clear Calls (Gray)

Supply Chain Compromise Affects Well-Known Axios npm Package with 100 Million Downloads



Quick Overview

  • A widely-used JavaScript library, Axios, with more than 100 million downloads weekly, was breached in a supply chain attack.
  • The attack used the Axios npm package to spread a remote access trojan across various systems.
  • The malicious dependency version, plain-crypto-js@4.2.1, was released after a legitimate-looking version had been published to create a false sense of security.
  • Developers are recommended to revert to axios@1.14.0 or axios@0.30.3.
  • Indicators of compromise consist of network connections to sfrclak.com and certain file paths on macOS, Windows, and Linux.
  • The incident is connected to an advanced persistent threat (APT) entity concentrating on data collection and credential theft.

Investigating the Axios Supply Chain Incident

The popular JavaScript library Axios, which sees over 100 million downloads each week, has suffered a supply chain breach. The attack targeted Windows, Linux, and macOS platforms, introducing a remote access trojan (RAT) via malicious dependencies.

Supply chain breach affects Axios npm package with high download numbers

Analyzing the Axios Attack

The breach involved the compromise of the npm account held by Axios’ main maintainer, Jason Saayman. After switching the account's registered email to a ProtonMail address, the attacker manually uploaded malicious packages, bypassing the GitHub Actions continuous integration system.

Phases of the Breach

The attacker first published a non-malicious version, plain-crypto-js@4.2.0, to build a credible npm publishing record. The malicious version, plain-crypto-js@4.2.1, was then released, designed to evade security scans.

Steps for Developers to Take Immediately

Those utilizing Axios should promptly revert to either axios@1.14.0 or axios@0.30.3. Analyzing network logs for connections to sfrclak.com and specific file paths may assist in detecting possible compromises.
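The checks described above can be scripted. The following is an added example, not code from the article or from the Axios project: it audits an npm lockfile for the plain-crypto-js dependency and for axios versions other than the two named here, and filters log lines for sfrclak.com. The sample lockfile, the axios version 9.9.9 and the log lines are constructed, and treating every other axios version as needing review is an assumption of this example.

```javascript
// Added example: audit an npm lockfile and log lines for the indicators named in this article.
const SAFE_AXIOS = new Set(["1.14.0", "0.30.3"]); // versions the article says to revert to
const BAIT_PACKAGE = "plain-crypto-js";           // 4.2.0 was the benign decoy, 4.2.1 the malicious release
const C2_DOMAIN = "sfrclak.com";                  // network indicator from the article

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/b"; the root project is "".
    const name = path.split("node_modules/").pop();
    if (name === BAIT_PACKAGE) {
      const level = meta.version === "4.2.1" ? "malicious" : "suspicious";
      findings.push({ level, path, version: meta.version });
    } else if (name === "axios" && !SAFE_AXIOS.has(meta.version)) {
      // Assumption of this example: any other axios version is flagged for review.
      findings.push({ level: "review", path, version: meta.version });
    }
  }
  return findings;
}

// Match the domain (or a subdomain) as a whole host name, tolerating a DNS trailing dot.
function findC2Lines(lines) {
  const host = C2_DOMAIN.replace(/\./g, "\\.");
  const re = new RegExp("(^|[^A-Za-z0-9-])" + host + "(?![A-Za-z0-9-]|\\.[A-Za-z0-9])", "i");
  return lines.filter((line) => re.test(line));
}

// Constructed sample input (not real data).
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/axios": { version: "9.9.9" }, // placeholder version
  "node_modules/axios/node_modules/plain-crypto-js": { version: "4.2.1" },
  "node_modules/legacy/node_modules/axios": { version: "0.30.3" },
}};
const sampleLog = [
  "2026-01-01T00:00:00Z dns query sfrclak.com. A",
  "2026-01-01T00:00:01Z connect registry.npmjs.org:443",
  "2026-01-01T00:00:02Z connect notsfrclak.com:443",
];
console.log(auditLockfile(sampleLock), findC2Lines(sampleLog));
```

Nested copies matter: the walk covers every `node_modules` path in the lockfile, so a transitive axios pulled in by another package is reported as well as the direct dependency.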

Takeaways from the Open Source Malware Community

The Open Source Malware community characterized Axios as one of the most utilized JavaScript libraries worldwide. They emphasized the attack’s complexity, noting its use of obfuscation and anti-analysis tactics to implement RAT features across platforms.

Conclusion

This prominent supply chain attack on the Axios npm package highlights the weaknesses in prevalent software dependencies. The attack’s complexity and emphasis on data collection imply participation from an advanced persistent threat actor, rather than financially-driven cybercriminals.

Q: What is Axios?

A: Axios is a widely-used HTTP client library for JavaScript, heavily employed in web development to perform HTTP requests.

Q: How was the Axios package compromised?

A: The breach involved a malicious entity taking control of the npm account of the package’s maintainer, releasing a harmful dependency that introduced a remote access trojan.

Q: What actions should developers take to safeguard their projects?

A: Developers should revert to secure versions of Axios (axios@1.14.0 or axios@0.30.3) and scrutinize network logs for unusual activity.

Q: What are the signs of a compromised system?

A: Signs include network connections to sfrclak.com and particular file paths on macOS, Windows, and Linux platforms.

Q: Who is believed to be responsible for the attack?

A: The attack is thought to be orchestrated by an advanced persistent threat actor, prioritizing intelligence gathering over financial incentives.

NBN Co Under Examination for Increasing ARPU from Fibre Clients



NBN Co’s Average Revenue Per User Increase Under Examination

Brief Overview

  • Consultancy HoustonKemp suggests that NBN Co’s ARPU forecasts up to FY33 might be inflated.
  • The ACCC is analyzing NBN Co’s capital spending plans, recommending a cutback for FY27-29.
  • Issues have been raised regarding NBN Co’s rapid fibre upgrades and their fit with consumer demand.
  • HoustonKemp did not contest NBN Co’s commitment to AI and automation investments.
  • The ACCC has deemed the majority of NBN Co’s projected expenditures as prudent and effective.

Questions Raised About NBN Co’s Fibre ARPU Forecasts

NBN Co challenged on ARPU forecasts for fibre subscribers

NBN Co’s forecasts for average revenue per user (ARPU) growth up to FY33 are being evaluated. HoustonKemp, a consultancy working with the ACCC, has voiced skepticism about these estimates, potentially jeopardizing certain of NBN Co’s upgrade investments.

Examination of NBN Co’s Spending

The consultancy analyzed NBN Co’s expenditures from the last three years and projected for the following three, determining whether they were “prudent and efficient.” HoustonKemp contested several aspects of network enhancements, proposing that portions of the copper network could have been retained longer without updates.

Issues Concerning Fibre Upgrades

HoustonKemp highlighted concerns that NBN Co’s investments in the fibre network are outpacing customer needs, questioning the validity of the anticipated ARPU increase for fibre subscribers. Their evaluation proposes that the expected ARPU rise may be exaggerated.

ACCC’s View on NBN Co’s Capital Spending

The ACCC has signaled its intent to approve a reduced capital expenditure for the upcoming three years relative to what NBN Co proposed. The ACCC’s preliminary assessment indicates a total forecast capital expenditure of $6.9 billion for the 2027–29 period, which is 18.2% lower than NBN Co’s initial proposal.

Investments in Technology

HoustonKemp found no issues with NBN Co’s intended spending on technology, including AI and automation, confirming that the technology investment plan emphasizes cost effectiveness.

Conclusion

NBN Co is facing examination over its anticipated ARPU growth, with apprehensions regarding the prudence of swift fibre upgrades. While the ACCC recommends lower capital expenditures, the majority of NBN Co’s spending has been approved as effective.

Q: What led to the examination of NBN Co’s ARPU forecasts?

A: HoustonKemp, contracted by the ACCC, raised concerns that NBN Co’s ARPU estimations might be inflated, influencing the prudence of its investment strategy.

Q: How has the ACCC reacted to NBN Co’s spending proposals?

A: The ACCC has recommended a reduction in NBN Co’s proposed capital expenditure for FY27-29 by 18.2%, while approving 98% of the proposed expenditure as prudent and effective.

Q: What are the primary issues regarding NBN Co’s fibre upgrades?

A: The key issues are that NBN Co could be investing too far ahead of consumer demand and that the anticipated ARPU increase from fibre upgrades may not be justified.

Q: Has NBN Co’s technology investment encountered any problems?

A: No, HoustonKemp encountered no issues with NBN Co’s intended technology expenditures, including AI and automation.

Q: What is the future outlook for NBN Co’s network investments?

A: NBN Co intends to proceed with its network upgrades, although the ACCC’s recommendations may lead to a more measured investment that aligns with consumer demand.

Phishing Fraud Costs WA Local Authority $350,000



Brief Overview

  • A council in Western Australia lost $350,000 due to a phishing scam.
  • This event is featured in a report emphasizing the IT vulnerabilities in local jurisdictions.
  • Social engineering attacks are a frequent risk for organizations.
  • Education and awareness are crucial in thwarting cyber threats.
  • Only one organization met the access management standards during the audit.

Phishing Incident Reveals IT Weaknesses in WA Local Councils

A Western Australian council incurred a loss of around $350,000 due to a phishing scam, illuminating the ongoing weaknesses in local government IT infrastructures. This incident, presented in the report from the Western Australian Office of the Auditor General (OAG), brings attention to the continuous hurdles local authorities encounter in protecting their digital frameworks.

Exploiting Vulnerabilities

The audit characterizes this event as a successful social engineering tactic, wherein criminals exploited the council’s financial system to change a supplier’s account information. The report does not disclose if the misappropriated funds were recovered or which specific council was involved.

Prevalent IT and Security Issues

In addition to the significant phishing incident, the report uncovers further security deficiencies. In a concerning example, a council’s internal networks were reachable from a public library due to insufficient network controls. Another organization failed to update default administrator passwords, creating vulnerabilities in its building management system. Additionally, a server room in another council lacked fire suppression measures, raising alarms about physical security.

Access Management Deficiencies

Weak access management practices were identified as the most widespread vulnerability, with 78 issues detected across 36 organizations. Only one entity complied with the access management criteria, while merely two entities adhered to the endpoint security protocols. Such shortcomings heighten the likelihood of data breaches, financial setbacks, and damage to reputation.

Decline in Capability Maturity

The audit evaluated 15 organizations, revealing a decrease in capability maturity across all 10 control categories compared to the preceding year. This decline is partly due to the inclusion of four new entities, but previously examined organizations also exhibited drops in various categories.

Emphasis on Training Instead of Technology

Auditor General Caroline Spencer stressed the significance of training and awareness over expensive technological solutions. She advised the adoption of phishing-resistant multi-factor authentication, regular security awareness programs, pre-employment background checks for sensitive positions, and efficient offboarding protocols.

Upcoming Cyber Security Projects

The WA Department of Local Government, Industry Regulation and Safety is partnering with the Office of Digital Government on a cyber security pilot initiative aimed at bolstering the local government sector’s defences against cyber threats. This report is the seventh iteration of the OAG’s audit of general computer controls at local government entities.

Conclusion

The phishing incident that resulted in a $350,000 loss for a WA council underscores the urgent necessity for enhanced cyber security practices within local governments. The OAG’s findings shed light on persistent vulnerabilities and highlight the critical role of training and awareness in countering cyber threats. These insights are intended to assist local authorities in strengthening their digital safeguards and protecting taxpayer information from malicious threats.

Q: What primarily caused the phishing incident?

A: The phishing incident was brought about by a social engineering attack that interfered with the council’s finance system to change a supplier’s account information.

Q: Were the misappropriated funds recovered?

A: The report does not clarify whether the $350,000 was recovered.

Q: How many organizations were included in the audit?

A: The audit reviewed 15 selected organizations.

Q: Which IT weakness was found to be most common?

A: The most prevalent weakness was inadequate access management controls, with 78 issues identified across 36 organizations.

Q: What recommendations are provided to avert similar occurrences?

A: The report advises the implementation of phishing-resistant multi-factor authentication, regular security awareness training, pre-employment vetting for trusted roles, and effective offboarding practices.

Q: Is investment in technology essential to resolve these issues?

A: No, the Auditor General indicates that training and awareness are of greater importance than hefty technology expenditures.

Q: What future initiatives are planned to enhance cyber security?

A: The WA Department of Local Government, Industry Regulation and Safety is undertaking a cyber security pilot project alongside the Office of Digital Government to boost resilience within the local government sector.

DEWALT Bluetooth 5.3 Wireless Earbuds Review



DEWALT Durable Open Ear Headphones, Bluetooth 5.3 Wireless Earbuds with 44 Hours Runtime, Construction Site Sound, Real Wireless Air Lining, Open Ear Headphones with Ear Hooks for Worksites

Denon AH-C500W Wireless Earbuds Review



Denon AH-C500W Wireless Earbuds, True Wireless, IPX4 Water-Resistant, 12mm Bio Cellulose Driver, Bluetooth 5.3, Black