Online Programming IDE = Remote Cyber Attack?

OSCS (Open Source Software Supply Chain Security Community) has launched a free vulnerability and poisoning intelligence subscription service. Community users can subscribe to the intelligence feed through bots: https://www.oscs1024.com/?src=wx

Background overview

Hackers often launch attacks using infected machines rather than directly from personally-owned devices, which allows them to hide their origins.

In a recent incident response, Profero's Incident Response team investigated a possible scenario where a threat actor used Datacamp's online IDE to launch an attack on cloud infrastructure.

Because of the intricate relationship between Datacamp, ISPs and online IDEs, Profero's incident response team was intrigued by the idea of using cloud IDEs to hide the origin of attacks and started a research project to explore this strategy.

What is an online IDE

An online IDE, also known as a cloud IDE, is built mainly on HTML5-related technologies, so most of the development work of a traditional IDE can be done in the browser. Unfortunately, many users and organizations do not properly configure their resources and cloud environments, and malicious attackers discover and exploit these misconfigurations to launch attacks.

DataCamp is an online learning platform based outside China. DataCamp projects use Jupyter Notebook. Jupyter is an open source web application with 13.6k stars on GitHub that lets users create and share documents.

According to Profero's Omri Segev Moyal, online programming learning platforms can be abused by malicious attackers to launch remote cyber attacks, steal data and scan vulnerable devices. DataCamp allows attackers to compile malicious tools, host or distribute malware, and connect to external services.

In the personal workspace of the DataCamp platform, there is an IDE for practicing and executing custom code, uploading files, and connecting to databases.

This IDE allows users to import Python libraries, download and compile repositories, and then execute compiled programs. In other words, any threat actor could launch a remote attack directly from within the DataCamp platform.

[Image: Port Scanner in DataCamp Python Compiler]

How to launch an attack through an online IDE

1. Code

One of the usage examples on the Datacamp website is to demonstrate how to connect to a PostgreSQL server.

Then think about it from another angle, since it is possible to connect to an external PostgreSQL server, is it feasible for other servers? What about cloud services or Amazon S3 buckets?

After responding to an incident where an attacker could use DataCamp's resources to hide the source of the attack, researchers at Profero decided to investigate the situation.

They found that DataCamp's advanced online Python IDE provides users with the ability to install third-party modules that allow connections to Amazon S3 buckets. Omri Segev Moyal said they tried the above scenario on the DataCamp platform and were able to access the S3 bucket and leak all files into a workspace environment on the platform's website.

To access AWS resources, first install the boto3 module:

[Image: installing the boto3 module in the DataCamp IDE]

The next step is to connect to the S3 bucket, list and download all the files in it:

[Image: connecting to the S3 bucket and downloading its files]

From the defender's side, the CloudTrail log entry for the file download looks like this:

[Image: CloudTrail log of the file download]

The file upload log entry looks like this:

[Image: CloudTrail log of the file upload]

Both log entries show the same user agent string:

[Image: user agent field from the CloudTrail logs]

This makes requests from Python scripts using the boto framework quick to identify.

Also, when looking at the IP addresses in the logs, the traffic appears to come from Amazon:

[Image: source IP addresses in the CloudTrail logs]

Since DataCamp runs on AWS's servers, activity originating from DataCamp is likely to execute successfully and the blue team will not be able to detect it as such. Even those who investigate the connection further will run into a dead end, because there is no known definitive source.
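The two CloudTrail details the article calls out, a boto user agent and a source IP that belongs to Amazon, are exactly what a detection can key on. The following is an added example written for this article, not code from Profero or DataCamp: it triages S3 data-event records and flags calls made with the boto SDK from AWS-hosted addresses that are not one of our own workloads. The CloudTrail records, the CIDR ranges and the principal names are constructed; in production the AWS ranges would come from the published ip-ranges.json file and the corporate ranges from your own egress inventory.

```python
"""Triage CloudTrail S3 data events for boto-SDK access from AWS-hosted
infrastructure that we do not own (the pattern described in the article).

Added example for this article; not Profero's or DataCamp's code. All
records, IP ranges and identities below are constructed samples.
"""
import ipaddress
import json
import re

# Constructed CloudTrail records, trimmed to the fields the check reads.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2022-03-01T10:15:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "54.240.197.10",
     "userAgent": "[Boto3/1.20.24 Python/3.8.10 Linux/5.4.0 Botocore/1.23.24]",
     "userIdentity": {"type": "IAMUser", "userName": "data-export"},
     "requestParameters": {"bucketName": "acme-reports", "key": "q1/sales.csv"}},
    {"eventTime": "2022-03-01T10:16:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "203.0.113.7",
     "userAgent": "[Boto3/1.20.24 Python/3.8.10 Linux/5.4.0 Botocore/1.23.24]",
     "userIdentity": {"type": "IAMUser", "userName": "ci-uploader"},
     "requestParameters": {"bucketName": "acme-artifacts", "key": "build/app.zip"}},
    {"eventTime": "2022-03-01T10:17:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.22",
     "userAgent": "[aws-cli/2.4.0 Python/3.9.9 Linux/5.10]",
     "userIdentity": {"type": "IAMUser", "userName": "analyst"},
     "requestParameters": {"bucketName": "acme-reports", "key": "q1/notes.txt"}},
    {"eventTime": "2022-03-01T10:18:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.3.12",
     "vpcEndpointId": "vpce-0123456789abcdef0",
     "userAgent": "[Boto3/1.20.24 Python/3.8.10 Linux/5.4.0 Botocore/1.23.24]",
     "userIdentity": {"type": "AssumedRole", "userName": "etl-role"},
     "requestParameters": {"bucketName": "acme-reports", "key": "q1/sales.csv"}},
    {"eventTime": "2022-03-01T10:19:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBucket", "sourceIPAddress": "athena.amazonaws.com",
     "userAgent": "athena.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "userName": "athena-role"},
     "requestParameters": {"bucketName": "acme-reports"}},
    {"eventTime": "2022-03-01T10:20:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "192.0.2.55",
     "userAgent": "[Boto3/1.20.24 Python/3.8.10 Linux/5.4.0 Botocore/1.23.24]",
     "userIdentity": {"type": "IAMUser", "userName": "data-export"},
     "requestParameters": {"bucketName": "acme-reports", "key": "q1/hr.csv"}},
]})

# Constructed ranges: our office/VPN egress and a stand-in for Amazon's published ranges.
CORP_EGRESS_CIDRS = ["203.0.113.0/24"]
AWS_PUBLISHED_CIDRS = ["54.240.0.0/16", "52.94.0.0/16"]

BOTO_UA = re.compile(r"\bBoto(?:3|core)/", re.IGNORECASE)
DATA_EVENTS = {"GetObject", "PutObject", "CopyObject", "ListObjects", "ListBucket"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def is_boto_user_agent(user_agent):
    """True when the request was made with the boto SDK (boto3/botocore)."""
    return bool(BOTO_UA.search(user_agent or ""))


def classify_source_ip(ip_text, corp_nets, aws_nets):
    """Classify a CloudTrail sourceIPAddress as corporate, aws, service or unknown."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        # CloudTrail records a service hostname instead of an IP when another
        # AWS service (e.g. Athena) made the call on the principal's behalf.
        return "service"
    if any(ip in net for net in corp_nets):
        return "corporate"
    if any(ip in net for net in aws_nets):
        return "aws"
    return "unknown"


def triage_records(records, corp_cidrs, aws_cidrs):
    """Return findings for S3 data events from sources we cannot account for."""
    corp_nets = [ipaddress.ip_network(c) for c in corp_cidrs]
    aws_nets = [ipaddress.ip_network(c) for c in aws_cidrs]
    findings = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") not in DATA_EVENTS:
            continue
        if rec.get("vpcEndpointId"):
            continue  # reached S3 through one of our VPC endpoints: a workload we own
        origin = classify_source_ip(rec.get("sourceIPAddress", ""), corp_nets, aws_nets)
        if origin in ("corporate", "service"):
            continue
        boto = is_boto_user_agent(rec.get("userAgent", ""))
        if boto and origin == "aws":
            severity, reason = "high", "boto SDK call from an AWS-hosted IP that is not one of our workloads"
        elif boto:
            severity, reason = "medium", "boto SDK call from an address outside known ranges"
        else:
            severity, reason = "low", "S3 data event from an address outside known ranges"
        findings.append({
            "severity": severity, "reason": reason, "origin": origin,
            "eventName": rec["eventName"], "sourceIPAddress": rec.get("sourceIPAddress"),
            "principal": rec.get("userIdentity", {}).get("userName"),
            "bucket": rec.get("requestParameters", {}).get("bucketName"),
        })
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return findings


def run_sample():
    """Parse the constructed log and triage it; returns the sorted findings."""
    records = json.loads(SAMPLE_CLOUDTRAIL)["Records"]
    return triage_records(records, CORP_EGRESS_CIDRS, AWS_PUBLISHED_CIDRS)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding['severity']:6} {finding['eventName']:10} {finding['sourceIPAddress']:16} "
              f"{finding['principal']:12} {finding['bucket']:15} {finding['reason']}")
```

The VPC endpoint and service-hostname checks matter in practice: a boto user agent plus an Amazon-owned IP is unremarkable on its own, since most legitimate AWS workloads look exactly like that, so the signal is an Amazon-hosted source that cannot be tied to an account or VPC you control. The high-severity finding above is precisely the article's case, an S3 read from someone else's AWS tenancy.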

The above are basic examples of the attacks that can be performed; other scenarios, such as the GitHub API, the Azure API and any other online resource, can be affected by the same method.

2. Tools

To take the attack scenario a step further, the researchers attempted to import or install tools commonly used in network attacks, such as the Nmap network mapping tool. The DataCamp platform cannot install Nmap directly, but it allows the tool to be compiled and the binary to be executed from the compilation directory, as shown in the figure:

[Image: Nmap compiled and run from the DataCamp IDE]

Profero's incident response team also tested whether they could use the terminal to upload files and get links to shared files. They were able to upload EICAR, a standard file used to test the detection of antivirus solutions, and could share a link to it.

[Image: EICAR file uploaded to DataCamp]

Download links can be used to download additional malware to an infected system via a simple web request.

Additionally, these download links can be abused in other types of attacks, such as hosting malware for phishing attacks, or downloading other payloads through malware.

Although Profero did not extend their research to other learning platforms, the researchers believe that DataCamp is not the only platform that hackers can abuse.


Reference links

https://medium.com/proferosec-osm/online-programming-learning-sites-can-be-manipulated-by-hackers-to-launch-cyberattacks-a684d9f4daef


https://www.bleepingcomputer.com/news/security/online-programming-ides-can-be-used-to-launch-remote-cyberattacks/


Source: www.oschina.net/news/202469