
Change your password now, Microsoft urges as Shai-Hulud worm attacks continue.


Updated December 12 with further technical details regarding the Shai-Hulud 2.0 Dune Worm attacks, alongside original reporting of the Microsoft mitigation recommendations for rapid credentials rotation and replacement.

In response to what the Microsoft Defender Security Research Team has called “one of the most significant cloud-native ecosystem compromises observed recently,” the team has urged organizations to act rapidly and rotate or replace any credentials that may have been exposed. Here’s what you need to know about the so-called Shai-Hulud 2.0 Dune Worm attacks.

Microsoft Issues Critical Warning Following Shai-Hulud 2.0 Dune Worm Attacks

On September 23, the Cybersecurity and Infrastructure Security Agency, which refers to itself as America’s Cyber Defense Agency, issued an urgent alert regarding a self-replicating worm, known as Shai-Hulud, targeting Application Programming Interface keys for cloud services such as Amazon Web Services, Google Cloud Platform, and Microsoft Azure. Fast-forward to now, and the Microsoft Defender Security Research Team has published new guidance for “detecting, investigating, and defending against the supply chain attack,” as Shai-Hulud 2.0 enters the cyber equation.

“The Shai‑Hulud 2.0 campaign builds on earlier supply chain compromises,” Microsoft said, “but introduces more automation, faster propagation, and a broader target set.” This includes executing malicious code in the pre-install phase of the infected npm packages: a lifecycle script that npm runs automatically as part of `npm install`, before anyone has had a chance to review what the package actually contains. “Stolen credentials are exfiltrated to public attacker-controlled repositories,” the warning continued, “which could lead to further compromise.”

This supply chain attack is, Adi Bleih, a security researcher for external risk management at Check Point, told me, unusually aggressive as a result. “By activating before installation completes and exfiltrating secrets into attacker-controlled GitHub repositories,” Bleih said, “the operators gained rapid access to significant volumes of cloud and developer credentials.”

ReversingLabs Dissects Dune Worm

Tomislav Peričin, chief software architect at ReversingLabs, has published an in-depth technical analysis of Sha1-Hulud: The Second Coming. “The same worm capabilities used in the first wave are also present in the malware of this second wave,” Peričin explained, “in that, once a package is infected, it spawns attacks of its own by allowing the worm to propagate through other open source packages the author maintains.” Peričin confirmed that the ReversingLabs analysis has identified in excess of 27,000 new GitHub repositories created by the Dune Worm during these latest attacks, intended for storing exfiltrated data from compromised users.

According to the RL analysis, Shai-Hulud 2.0 has four main stages:

1. After compromising an account, the worm looks for other packages maintained by the same account and creates new package versions with a “postinstall script, adding a malicious bundle.js” that is executed when users install the package itself.

2. The worm’s script looks for environment tokens using the popular open-source TruffleHog tool, which is capable of detecting “more than 800 different types of secrets, to identify the victims’ secrets.”

3. The harvested secrets are double Base64-encoded and exfiltrated to the aforementioned GitHub repositories.

4. Finally, the Shai-Hulud 2.0 worm will try to create public copies of the victim’s private repositories, described as Shai-hulud Migration. “The intent appears to be both exposure of source code and secrets embedded in private repos,” Peričin said, “possibly for the purpose of harvesting and re-use by malicious actors.”
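The stages above describe what a defender can look for on a developer workstation or CI runner: an npm package whose lifecycle hook runs a dropped bundle.js, and an exfiltration blob that has been Base64-encoded twice. The script below is an added example written for this article, not code from Microsoft, ReversingLabs or the worm itself. It walks a node_modules tree, lists every preinstall/install/postinstall hook (the only hooks npm runs unattended during installation), flags the ones that invoke bundle.js, and undoes the double Base64 layer on a captured blob. The sample manifests and the sample blob are constructed here; the only file name it treats as an indicator is bundle.js, which the analysis above names.

```python
"""Hunt for the npm lifecycle hooks Shai-Hulud 2.0 abuses, and decode its exfil blobs."""
import base64
import json
import os
import re
import sys

# Lifecycle scripts npm runs automatically during `npm install`.
HOOKS = ("preinstall", "install", "postinstall")

# The only indicator taken from the description above: the injected hook runs
# a dropped bundle.js. Anything else would be an assumption, so it is not here.
SUSPICIOUS = re.compile(r"\bbundle\.js\b")


def audit_manifests(manifests):
    """manifests: iterable of (path, dict parsed from package.json).

    Returns one finding per lifecycle hook found, with 'suspicious' set when the
    hook command references bundle.js. Hooks that are not suspicious are still
    listed, because any install-time script deserves a look during triage.
    """
    findings = []
    for path, pkg in manifests:
        scripts = pkg.get("scripts") or {}
        for hook in HOOKS:
            cmd = scripts.get(hook)
            if not cmd:
                continue
            findings.append({
                "package": f"{pkg.get('name', '?')}@{pkg.get('version', '?')}",
                "path": path,
                "hook": hook,
                "command": cmd,
                "suspicious": bool(SUSPICIOUS.search(cmd)),
            })
    return findings


def scan_node_modules(root):
    """Walk a real node_modules tree and audit every package.json it contains."""
    manifests = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        full = os.path.join(dirpath, "package.json")
        try:
            with open(full, encoding="utf-8") as fh:
                manifests.append((full, json.load(fh)))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip it rather than abort the scan
    return audit_manifests(manifests)


def decode_double_b64(blob):
    """Strip the two Base64 layers off an exfiltrated blob and parse the JSON inside."""
    inner = base64.b64decode(blob, validate=True)
    raw = base64.b64decode(inner, validate=True)
    return json.loads(raw)


def encode_double_b64(obj):
    """Inverse of decode_double_b64; used here only to build a constructed sample."""
    return base64.b64encode(base64.b64encode(json.dumps(obj).encode())).decode()


# Constructed sample manifests (not real packages): a clean one, one carrying the
# injected postinstall hook described above, and a native addon whose install
# hook is legitimate but still worth a look.
SAMPLE_MANIFESTS = [
    ("node_modules/left-tool/package.json",
     {"name": "left-tool", "version": "1.0.0", "scripts": {"test": "jest"}}),
    ("node_modules/infected-pkg/package.json",
     {"name": "infected-pkg", "version": "2.3.1",
      "scripts": {"build": "tsc", "postinstall": "node bundle.js"}}),
    ("node_modules/native-addon/package.json",
     {"name": "native-addon", "version": "0.9.0",
      "scripts": {"install": "node-gyp rebuild"}}),
]

# Constructed sample blob: what a harvested environment might look like after
# double encoding. The values are placeholders, not real secrets.
SAMPLE_BLOB = encode_double_b64({"AWS_SECRET_ACCESS_KEY": "REDACTED", "NPM_TOKEN": "REDACTED"})

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_node_modules(target) if target else audit_manifests(SAMPLE_MANIFESTS)
    for f in results:
        flag = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"{flag:<10} {f['package']:<24} {f['hook']:<12} {f['command']}")
    print("decoded sample blob keys:", sorted(decode_double_b64(SAMPLE_BLOB)))
```

Run it with a path to a project’s node_modules to scan a real tree, or with no argument to see the constructed samples. The cheaper preventive control is to stop npm from running these hooks at all on CI runners (`npm ci --ignore-scripts`, or `ignore-scripts=true` in the runner’s .npmrc) and allow-list the few packages that genuinely need an install step.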

Ken Johnson, chief technology officer of DryRun Security, meanwhile, confirmed that Shai-Hulud 2.0 is the third attack to have been attributed to a threat group identified as S1ngularity. “This second version of the Shai-Hulud worm tells us the attackers are refining their techniques and improving upon their previous mistakes,” Johnson advised. As such, it’s a “massively dangerous and disruptive campaign.”

Microsoft Defender Security Research Team Recommendations

The Microsoft Defender Security Research Team mitigation recommendations are unequivocal:

- Rapidly rotate and revoke exposed credentials.
- Review the Key Vault assets on the critical asset management page and investigate any relevant logs for unauthorized access.
- Isolate affected CI/CD agents or workspaces.
- Prioritize high-risk attack paths to reduce further exposure.
- Remove unnecessary roles and permissions granted to identities assigned to CI/CD pipelines; specifically review access to key vaults.
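The second recommendation, reviewing Key Vault logs for unauthorized access, is the one that tells you what the first recommendation has to cover: every item a stolen credential successfully read has to be rotated, not just the credential itself. The triage function below is an added example written for this article, not Microsoft’s tooling. It takes Key Vault data-plane log records, a set of identities that are expected to read from the vault (the CI/CD service principals) and a set of expected source addresses (runner egress), and flags reads from an unknown identity, reads by a known identity from an unexpected address (a stolen pipeline token replayed from elsewhere), denied calls (a token probing what it can reach), and callers that enumerate at volume. Successful reads by flagged callers become the rotation list. The field names follow the AzureDiagnostics schema for Key Vault logs as exported to Log Analytics (OperationName, CallerIPAddress, ResultSignature, identity_claim_appid_g, id_s), so check them against your own workspace; the records, identities, addresses and the enumeration threshold are all constructed assumptions.

```python
"""Triage Key Vault data-plane logs after a credential-theft event and build the rotation list."""
from collections import Counter

# Data-plane operations that read or enumerate material.
READ_OPS = {"SecretGet", "SecretList", "KeyGet", "CertificateGet"}
# The subset that returns an individual item: a successful one from an
# unexpected caller means that item is compromised and must be rotated.
ROTATE_OPS = {"SecretGet", "KeyGet", "CertificateGet"}


def caller_of(record):
    """Identity as logged for a service principal (app id) or a user (UPN)."""
    return (record.get("identity_claim_appid_g")
            or record.get("identity_claim_upn_s")
            or "<anonymous>")


def triage_keyvault_logs(records, known_identities, known_ips, enum_threshold=20):
    """Return {'flagged': [findings in log order], 'rotate': sorted item URIs}."""
    flagged, rotate = [], set()
    reads_per_caller = Counter()
    for r in records:
        op = r.get("OperationName", "")
        if op not in READ_OPS:
            continue  # writes and management-plane events are out of scope here
        ident, ip = caller_of(r), r.get("CallerIPAddress", "")
        status = r.get("ResultSignature", "")
        reads_per_caller[(ident, ip)] += 1
        reasons = []
        if ident not in known_identities:
            reasons.append("unknown identity")
        if ip not in known_ips:
            reasons.append("unexpected source IP")
        if status != "OK":
            reasons.append(f"denied ({status})")
        if not reasons:
            continue
        flagged.append({"time": r.get("TimeGenerated"), "caller": ident, "ip": ip,
                        "op": op, "item": r.get("id_s", ""), "reasons": reasons})
        if status == "OK" and op in ROTATE_OPS and r.get("id_s"):
            rotate.add(r["id_s"])
    # Volume check: a legitimate pipeline reads a handful of items; a stolen
    # token tends to list and pull everything it can reach.
    for (ident, ip), n in reads_per_caller.items():
        if n >= enum_threshold:
            flagged.append({"time": None, "caller": ident, "ip": ip, "op": "*",
                            "item": "", "reasons": [f"{n} read/list calls (enumeration)"]})
    return {"flagged": flagged, "rotate": sorted(rotate)}


# Constructed baseline: one build-pipeline service principal and its runner egress
# address (TEST-NET-3). Both are placeholders, not real identifiers.
KNOWN_IDENTITIES = {"6f1c2d3e-0000-4000-8000-000000000001"}
KNOWN_IPS = {"203.0.113.10"}

VAULT = "https://kv-prod.vault.azure.net"
# Constructed log records: a normal pipeline read, then the same service
# principal's token replayed from an unexpected address, then an unknown
# identity probing and being refused, then a write that triage ignores.
SAMPLE_RECORDS = [
    {"TimeGenerated": "2025-11-24T10:01:00Z", "OperationName": "SecretGet", "ResultSignature": "OK",
     "CallerIPAddress": "203.0.113.10", "identity_claim_appid_g": "6f1c2d3e-0000-4000-8000-000000000001",
     "id_s": f"{VAULT}/secrets/db-password"},
    {"TimeGenerated": "2025-11-24T10:07:00Z", "OperationName": "SecretList", "ResultSignature": "OK",
     "CallerIPAddress": "198.51.100.77", "identity_claim_appid_g": "6f1c2d3e-0000-4000-8000-000000000001",
     "id_s": f"{VAULT}/secrets"},
    {"TimeGenerated": "2025-11-24T10:07:04Z", "OperationName": "SecretGet", "ResultSignature": "OK",
     "CallerIPAddress": "198.51.100.77", "identity_claim_appid_g": "6f1c2d3e-0000-4000-8000-000000000001",
     "id_s": f"{VAULT}/secrets/npm-publish-token"},
    {"TimeGenerated": "2025-11-24T10:09:30Z", "OperationName": "SecretGet", "ResultSignature": "Forbidden",
     "CallerIPAddress": "198.51.100.77", "identity_claim_appid_g": "9a8b7c6d-0000-4000-8000-0000000000ff",
     "id_s": f"{VAULT}/secrets/signing-key"},
    {"TimeGenerated": "2025-11-24T10:15:00Z", "OperationName": "SecretSet", "ResultSignature": "OK",
     "CallerIPAddress": "203.0.113.10", "identity_claim_appid_g": "6f1c2d3e-0000-4000-8000-000000000001",
     "id_s": f"{VAULT}/secrets/db-password"},
]

if __name__ == "__main__":
    out = triage_keyvault_logs(SAMPLE_RECORDS, KNOWN_IDENTITIES, KNOWN_IPS)
    for f in out["flagged"]:
        print(f"{f['time']}  {f['caller']}  {f['ip']}  {f['op']:<12} {', '.join(f['reasons'])}")
    print("rotate:", *out["rotate"], sep="\n  ")
```

In the constructed sample the pipeline’s own identity appears twice from an address that is not its runner, which is exactly how a token stolen by a postinstall hook looks in the logs: the identity is trusted, the location is not. The rotation list contains only the item that was actually returned to that caller; the Forbidden probe is evidence, not exposure, and the SecretList call tells you to widen the search rather than naming something to rotate.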

Don’t delay, absorb all the Microsoft advice and act rapidly as has been recommended. You know it makes sense.
