Developers increasingly in hackers’ crosshairs

This weekend Apple acknowledged that its App Store endured a significant breach involving hundreds of apps, mostly those popular within Chinese markets, that were infected with malware known as XcodeGhost. XcodeGhost reportedly modifies the Xcode integrated developer environment so that it can infect the iOS apps created within those compromised developer environments.

Security vendor Palo Alto Networks has an in-depth analysis of XcodeGhost. In this two-stage attack (Stage One, infecting the developer environment, and Stage Two, infecting the created apps), it wasn’t the App Store that was targeted directly. Rather, developers who would be expected to upload their apps to the App Store were targeted with a bogus version of Apple’s Xcode development software. Several reports indicate the fraudulent version of Xcode was available on a file-sharing service based in China. Developers who compiled their apps using the infected version of Xcode unwittingly uploaded malware embedded within their apps.

Once those apps are downloaded, the malware can not only read data about the state of the iOS device on which it resides (relatively innocuous stuff), but can also receive commands from an attacker that, according to this Wired story, enable the attacker to read and write data on the victim’s clipboard, open specific URLs, or prompt a fake alert on the victim’s screen. Some of these could be used to steal passwords.

Apple said yesterday that the XcodeGhost apps were removed from the App Store. While the vast majority of the roughly 300 (detected so far) apps are targeted toward users in China, some apps such as Angry Birds 2 were also affected.

Targeting developers in order to reach the end users of Apple apps is not new. In July 2013, Apple’s Dev Center was down for an extended period of time due to a breach, as covered at the time by TechCrunch in its story, Apple Confirms that its Dev Center has been Breached by Hackers. In that incident, because the data were encrypted, attackers couldn’t access most of the information on Apple’s systems. They did, however, reportedly access email addresses, developer names and street addresses. There were many reports of developers getting unexpected password reset requests as well.

It’s not just Apple developers that are targeted. Toward the end of 2013, GitHub, the widely popular code repository, was hit with a brute force attack on its logon system. The attack was conducted by attackers who flooded GitHub’s logon screen with various username and password combinations. Those developers with easily guessed combinations, or those that shared the same credentials they used at other sites, were easily compromised.

The attackers in that incident were careful not to trigger GitHub’s security monitoring, according to a post by GitHub engineer Shawn Davenport:

While we aggressively rate-limit login attempts and passwords are stored properly, this incident has involved the use of nearly 40K unique IP addresses. These addresses were used to slowly brute force weak passwords or passwords used on multiple sites. We are working on additional rate-limiting measures to address this. In addition, you will no longer be able to log in with commonly-used weak passwords.
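The quote above describes the failure mode of a per-IP rate limit: spread the attempts across enough source addresses and no single address ever crosses the threshold. The script below is an added illustration (not GitHub’s code) that runs a classic per-IP limiter and a per-account “distinct source IPs in a time window” rule side by side over a constructed authentication log. The log format (`<timestamp> login_failed user=<name> ip=<addr>`), the thresholds, and the account names are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real GitHub data). Three patterns are mixed in:
#   - "alice": one failure per minute from ten different source IPs (low and slow)
#   - "bob":   two failures from one IP (an ordinary typo)
#   - "carol": six failures in under three minutes from one IP (noisy attacker)
SAMPLE_LOG = """\
2013-11-19T10:00:00Z login_failed user=alice ip=203.0.113.1
2013-11-19T10:01:00Z login_failed user=alice ip=203.0.113.2
2013-11-19T10:02:00Z login_failed user=alice ip=203.0.113.3
2013-11-19T10:02:30Z login_failed user=bob ip=192.0.2.5
2013-11-19T10:02:45Z login_failed user=bob ip=192.0.2.5
2013-11-19T10:03:00Z login_failed user=alice ip=203.0.113.4
2013-11-19T10:04:00Z login_failed user=alice ip=203.0.113.5
2013-11-19T10:05:00Z login_failed user=alice ip=203.0.113.6
2013-11-19T10:05:00Z login_failed user=carol ip=198.51.100.7
2013-11-19T10:05:30Z login_failed user=carol ip=198.51.100.7
2013-11-19T10:06:00Z login_failed user=alice ip=203.0.113.7
2013-11-19T10:06:00Z login_failed user=carol ip=198.51.100.7
2013-11-19T10:06:30Z login_failed user=carol ip=198.51.100.7
2013-11-19T10:07:00Z login_failed user=alice ip=203.0.113.8
2013-11-19T10:07:00Z login_failed user=carol ip=198.51.100.7
2013-11-19T10:07:30Z login_failed user=carol ip=198.51.100.7
2013-11-19T10:08:00Z login_failed user=alice ip=203.0.113.9
2013-11-19T10:09:00Z login_failed user=alice ip=203.0.113.10
"""

WINDOW = timedelta(minutes=15)   # assumed sliding window for both rules
PER_IP_LIMIT = 5                 # classic limiter: block an IP after this many failures in WINDOW
DISTINCT_IP_THRESHOLD = 8        # per-account rule: this many distinct IPs in WINDOW is suspicious


def parse_log(text):
    """Parse the constructed log format into sorted (timestamp, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user_kv, ip_kv = line.split()
        if event != "login_failed":
            continue
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       user_kv.split("=", 1)[1],
                       ip_kv.split("=", 1)[1]))
    return sorted(events)


def sliding_windows(hits):
    """Yield each slice of time-sorted hits whose span does not exceed WINDOW."""
    start = 0
    for end in range(len(hits)):
        while hits[end][0] - hits[start][0] > WINDOW:
            start += 1
        yield hits[start:end + 1]


def per_ip_blocked(events):
    """Classic per-IP limiter: IPs that exceed PER_IP_LIMIT failures inside WINDOW."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    return {ip for ip, hits in by_ip.items()
            if any(len(w) > PER_IP_LIMIT for w in sliding_windows(hits))}


def distributed_targets(events):
    """Per-account view: accounts hit from at least DISTINCT_IP_THRESHOLD distinct IPs
    inside WINDOW, mapped to the peak distinct-IP count seen. This is what catches the
    low-and-slow pattern that the per-IP limiter misses."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, hits in by_user.items():
        peak = max(len({ip for _, ip in w}) for w in sliding_windows(hits))
        if peak >= DISTINCT_IP_THRESHOLD:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-IP limiter blocks:", sorted(per_ip_blocked(evts)))
    print("accounts under distributed attack:", distributed_targets(evts))
```

On the sample, the per-IP limiter blocks only carol’s noisy attacker, while alice’s ten single-attempt sources never trip it; the per-account rule flags alice because ten distinct addresses failed against her account inside one window. In a real deployment the same per-account view is also what justifies a step-up (password reset, second factor) for that account rather than for an address.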

Why this increased attention on developers by attackers? Scale, I think. Why target only individual enterprises and organizations if development tools and developer collaboration platforms can be compromised, which can then be used to compromise all of the users and enterprises that install the tainted software?

While attackers may not directly breach organizations on their target list this way, they will breach potentially hundreds, if not thousands, of organizations. And as the OPM hack taught us, the data gathered can then be used as part of intelligence operations and as part of attacks against other organizations on their target lists.
