The initial vector is unknown. With a total of 26 repositories for unknown projects identified among millions of Java repositories, this looks to me like someone was tinkering with malware creation and happened to be using this older build system. With the small number, maybe the author owned the repos. The entry point is not through NetBeans (unless someone clones those repos). If there were, it would prompt more prudent action to resolve the issue and improve defenses. Even if NetBeans removed that Ant build mechanism, one would simply move the payload into a different part of the build system, such as a Maven plugin, a Gradle command, or anything else that executes, such as a unit test.

These supply chain attacks are becoming more common; I've seen them over with Node, Ruby, and an older one that went after Facebook devs. People check code out in IDEs to read it better and work with tools. If checking code out runs commands, that creates an opportunity (even if via the build system). A good mechanism here for defense would be enumerating what runs and where code comes from. There's a field here called "Software Composition Analysis" that does some of this, but it is dependency-focused rather than build-focused.

I would first map the attack surface, which in this case is what runs (scripts, code, etc.) and what gets downloaded as a project is checked out, built, and tested/run. If you'd cloned one of those 26 repos, what would you like to have seen? Microsoft AppInspector is a moderately close example (https://www.microsoft.com/security/blog/2020/01/16/introducing-microsoft-application-inspector/) for later in the dev cycle. Then I would use that map to isolate sensitive operations from the developer machine. Maybe new projects build in isolated containers. Maybe people enable a certain build config and run the rest: first-time with minimal prompts.

________________________________
From: Eric Bresie <ebre...@gmail.com>
Sent: Thursday, June 4, 2020 12:02 AM
To: Netbeans Developer List <dev@netbeans.apache.org>
Subject: Re: Re: Proposed blog on malware report

So a few comments:

(1) So am I reading this that the problem is that 26 “repositories” are infected? So does that mean someone forked/cloned/created a given repository, worked locally using an Ant-based project, may have had malware on the system, infected files in the local repository, then uploaded it? So then is this more a problem of a given machine not having malware scans on their systems to locate and remove it even before committing changes to a given repository?

(2) Is it worth checking to see if there are any GitHub Actions or Travis to run a virus/malware scanner during GitHub commit or build at some point? Maybe if a change committed any infection it would fail a build?

(3) For the repositories in question (still unclear which ones, unless they've been contacted separately), assume some form of PR or commit happened when the infection occurred. Is it possible to identify the initial source and (1) ensure they are notified of the need to possibly clean out any local malware-infected files, (2) ensure this was not done maliciously, etc.?

(4) If the problem is due to a NetBeans Ant project structure, does this mean some form of change of structure could prevent this? If this is due to Ant, then does the Apache Ant team have anything to add or fix for this?

(5) Is some ticket needed to update NetBeans in any way to help mitigate this in some way? Or in each impacted repository?

Sure there could be more, but to further the discussion.

Eric Bresie
ebre...@gmail.com

> On June 1, 2020 at 6:29:33 AM CDT, Geertjan Wielenga <geert...@apache.org> wrote:
> Also sent it to annou...@apache.org.
>
> I'll wait a few hours for any comments anyone has on the text, which is a bit of a mosaic of the comments throughout this thread -- mostly by Eric Costlow, many thanks! -- and will then tweet this, etc.
>
> Gj
>
> On Mon, Jun 1, 2020 at 1:27 PM Geertjan Wielenga <geert...@apache.org> wrote:
> >
> > https://blogs.apache.org/netbeans/entry/newly-identified-inactive-malware-campaign
> >
> > There it is!
> >
> > Gj
> >
> > On Mon, Jun 1, 2020 at 11:55 AM Sally Khudairi <s...@apache.org> wrote:
> > >
> > > Thank you, Geertjan; hello, everyone.
> > >
> > > Great work -- I first noticed what had happened from Emilian's, followed by your, tweets yesterday. I see that quite a few articles are out on this Octopus Scanner campaign.
> > >
> > > Rapid response is essential to avoid further confusion/miscommunication, so great work on getting on this straight away.
> > >
> > > I have two minor requests: if you could 1) please refer to "Apache Ant" and "Apache NetBeans" upon the first mention of the projects in the post, that would be great. Also, 2) send this to annou...@apache.org so we can help spread the word.
> > >
> > > I'll be standing by to help with any media queries that come through for the PMC.
> > >
> > > Many kind thanks for your ongoing efforts.
> > >
> > > Best,
> > > Sally
> > >
> > > - - -
> > > Vice President Marketing & Publicity
> > > Vice President Sponsor Relations
> > > The Apache Software Foundation
> > >
> > > Tel +1 617 921 8656 | s...@apache.org
> > >
> > > On Mon, Jun 1, 2020, at 02:48, Geertjan Wielenga wrote:
> > > >
> > > > Hi Sally,
> > > >
> > > > We propose putting the below on the Apache NetBeans blog re the GitHub malware report on the inactive malware campaign.
> > > >
> > > > To everyone else — Sally is VP Marketing and Publicity at Apache.
> > > >
> > > > Thanks, and thanks Eric for your rewrite of the text.
> > > >
> > > > Gj
> > > >
> > > > On Sun, 31 May 2020 at 22:39, Erik Costlow <erikcost...@outlook.com> wrote:
> > > > > If making any comment at all, I would rewrite. If there were a vulnerability or the attack was large, I'm sure the GitHub team would have gotten in touch. The key themes are:
> > > > >
> > > > > 1. The attack was small, isolated, and is over
> > > > > 2. Most builds do not leverage anything NetBeans-specific, such as this Ant build (I guessed at 2006)
> > > > > 3. Software supply chain risk is legitimate and if action were needed or is needed in the future, something would happen
> > > > >
> > > > > Researchers at GitHub have identified 26 projects on GitHub that have been infected by malware. The initial point of infection is undetermined and all activity with the malware has been shut down. The malware relied on projects created using an older customized Ant-based build system that has been in limited use since 2006. This does not impact users of other build systems like Maven or Gradle, or even most Ant users. The majority of NetBeans projects leverage native build tool integrations that are shared with continuous integration systems.
> > > > >
> > > > > With over 44 million repositories hosted on GitHub[2], the scope of these 26 projects looks isolated and does not significantly impact the NetBeans community.
> > > > >
> > > > > Software Supply Chain attacks are not unique to any IDE and the NetBeans contributor team will monitor the threat landscape to keep developers safe and aware.
> > > > >
> > > > > [1] https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
> > > > > [2] https://www.zdnet.com/article/github-tops-40-million-developers-as-python-data-science-machine-learning-popularity-surges/
> > > > >
> > > > > "Researchers at GitHub have identified 26 projects on GitHub that have been infected by malware. The malware infiltrates the project structure of Ant-based applications in the format generated specifically by NetBeans. The owners of the 26 projects, which are mostly small Java applications, have been contacted and the infected projects have been set to private on GitHub. The malware campaign is no longer active, GitHub did not consider it relevant enough to be in touch with the NetBeans community about it, and there is no evidence that applications beyond the 26 in question have been impacted. Be aware that any project structure that you use when developing applications can be infiltrated by malware and make sure that the files you check into your versioning system are your own or that you know where they come from and what they do."
> > > > >
> > > > > ________________________________
> > > > > From: Neil C Smith <neilcsm...@apache.org>
> > > > > Sent: Sunday, May 31, 2020 1:51 PM
> > > > > To: dev <dev@netbeans.apache.org>
> > > > > Subject: Re: Proposed blog on malware report
> > > > >
> > > > > On Sun, 31 May 2020, 18:08 Geertjan Wielenga, <geert...@apache.org> wrote:
> > > > >
> > > > > > Be aware that any project structure that you use when developing applications can be infiltrated by malware and make sure that the files you check into your versioning system are your own or that you know where they come from and what they do."
> > > > > >
> > > > > > Feedback welcome and needed.
> > > > >
> > > > > Looks good to me, but I'd be tempted to emphasise "when developing applications, with any IDE or build system, ..." And also that you should treat building untrusted code the same way you'd treat running untrusted binaries, i.e. carefully.
> > > > >
> > > > > Interesting that the GitHub article doesn't mention that this applies to projects that were originally structured with Ant in NetBeans. You wouldn't have to still be building in the IDE to be exploited here?
> > > > >
> > > > > Best wishes,
> > > > >
> > > > > Neil
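The attack-surface mapping Erik Costlow proposes at the top of this thread (enumerate what runs and what gets downloaded when a checked-out project is built) can be done mechanically for an Ant project, because every step is declared in build.xml and the files it imports (for a NetBeans-generated project, nbproject/build-impl.xml). The script below is an added example written for this page; it is not code from the thread, from NetBeans or from Apache Ant. It parses a build file plus its imports, lists every task that executes code or fetches content, and says whether each one runs from the default target, i.e. from a plain `ant` or an IDE build, or only when someone invokes that target by name. The set of "interesting" Ant tasks is this example's own assumption, not an exhaustive catalogue, and the two build files are constructed in memory so the script runs offline; the project, class and host names in them are made up.

```python
"""Inventory what an Apache Ant build executes or downloads.

Added example for this thread, not NetBeans or Ant code. The task lists below
are an assumption about which tasks matter; extend them for your environment.
"""
import xml.etree.ElementTree as ET

# Tasks that run code on the developer's machine (assumption: a starting list).
EXEC_TASKS = {"exec", "apply", "java", "script", "scriptdef", "taskdef",
              "typedef", "sshexec", "ant", "antcall", "subant"}
# Tasks that pull content from somewhere else (assumption: a starting list).
FETCH_TASKS = {"get", "scp", "ftp"}
WATCHED = EXEC_TASKS | FETCH_TASKS
# Pseudo-target for tasks written outside any <target>: Ant runs those as soon
# as the file is loaded, before any target is chosen.
TOP_LEVEL = "<top-level>"


def load_build(files, entry):
    """Parse the entry build file and everything it <import>s.

    `files` maps a path, as written in the <import file="..."> attribute, to
    the XML text. Returns (default target, {target name: {depends, tasks}}).
    Each task is a (tag, attributes, file path) tuple.
    """
    default, targets = None, {}
    pending, seen = [entry], set()
    while pending:
        path = pending.pop(0)
        if path in seen or path not in files:
            continue                      # already parsed, or import not supplied
        seen.add(path)
        root = ET.fromstring(files[path])
        default = default or root.get("default")   # the entry file's default wins
        for el in root:
            if el.tag == "import":
                pending.append(el.get("file"))
            elif el.tag == "target":
                name = el.get("name")
                if name in targets:       # Ant: the importing file's target overrides the imported one
                    continue
                depends = [d.strip() for d in (el.get("depends") or "").split(",") if d.strip()]
                tasks = [(t.tag, dict(t.attrib), path)
                         for t in el.iter() if t is not el and t.tag in WATCHED]
                targets[name] = {"depends": depends, "tasks": tasks}
            elif el.tag in WATCHED:
                top = targets.setdefault(TOP_LEVEL, {"depends": [], "tasks": []})
                top["tasks"].append((el.tag, dict(el.attrib), path))
    return default, targets


def reachable_targets(default, targets):
    """Targets that run on a plain `ant`: the default target, its transitive
    `depends`, and anything it reaches through <antcall target="...">."""
    reach, stack = {TOP_LEVEL}, [default] if default else []
    while stack:
        name = stack.pop()
        if name in reach or name not in targets:
            continue
        reach.add(name)
        stack.extend(targets[name]["depends"])
        stack.extend(attrs["target"] for tag, attrs, _ in targets[name]["tasks"]
                     if tag == "antcall" and "target" in attrs)
    return reach


def inventory(files, entry):
    """Return (default target, rows); one row per executing or fetching task."""
    default, targets = load_build(files, entry)
    reach = reachable_targets(default, targets)
    rows = []
    for name, info in targets.items():
        for tag, attrs, path in info["tasks"]:
            # The attribute that best says what runs or where it comes from.
            detail = next((attrs[k] for k in ("executable", "classname", "src",
                                               "resource", "target", "command") if k in attrs), "")
            rows.append({"file": path, "target": name, "task": tag,
                         "kind": "fetch" if tag in FETCH_TASKS else "exec",
                         "detail": detail, "reachable": name in reach})
    return default, rows


# Constructed sample project (not a real repository): a NetBeans-style layout
# where build.xml imports nbproject/build-impl.xml, and the generated file has
# picked up a download, a top-level taskdef and a post-jar launcher.
BUILD_FILES = {
    "build.xml": """<project name="demo" default="default" basedir=".">
  <import file="nbproject/build-impl.xml"/>
  <target name="clean">
    <exec executable="rm"><arg line="-rf build dist"/></exec>
  </target>
</project>""",
    "nbproject/build-impl.xml": """<project name="demo-impl" basedir="..">
  <taskdef name="helper" classname="com.example.HelperTask" classpath="lib/helper.jar"/>
  <target name="-pre-init">
    <get src="http://example.invalid/tool.jar" dest="lib/tool.jar"/>
  </target>
  <target name="init" depends="-pre-init"/>
  <target name="compile" depends="init">
    <javac srcdir="src" destdir="build/classes"/>
  </target>
  <target name="-post-jar">
    <java classname="com.example.PostBuild" classpath="build/classes" fork="true"/>
  </target>
  <target name="jar" depends="compile,-post-jar"/>
  <target name="default" depends="jar"/>
</project>""",
}

if __name__ == "__main__":
    default, rows = inventory(BUILD_FILES, "build.xml")
    print(f"default target: {default}")
    for r in rows:
        when = "runs on plain `ant`" if r["reachable"] else "only when invoked by name"
        print(f"{r['file']}: target {r['target']!r} {r['kind']} <{r['task']}> {r['detail']} ({when})")
```

To use it on a real checkout, read build.xml and nbproject/build-impl.xml from disk into the `files` dict keyed by their relative paths and call `inventory(files, "build.xml")`. The output is the list Erik asks for: on the sample, the `<get>` in `-pre-init`, the top-level `<taskdef>` and the `<java>` in `-post-jar` all run from a default build, while the `<exec>` in `clean` does not. The script only follows `depends` and `antcall`; `<ant>`/`<subant>` into other build files and macro bodies are reported as tasks but not expanded, so treat its output as the starting inventory, not a guarantee of what will not run.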