The RubyGems package repository maintenance team recently announced the removal of at least 18 malicious versions of 11 Ruby libraries due to the presence of a backdoor. Web application security experts claim that even cases were detected in which Ruby’s programming projects were infected with cryptocurrency mining malware. This malicious development was discovered just a couple of days ago in four versions of rest-client, a very popular Ruby library.
Reports indicate that this malicious code is capable of collecting and sending URLs and environment variables from the targeted system to a remote server, located somewhere in Ukraine. “The data most exposed to this leak is login credentials, used to access databases, payment systems, among other platforms,” says Jan Dintel, Ruby maintainer.
As for the backdoor detected in these libraries, web application security experts mention that it would allow a threat actor to send a cookie file to the compromised Ruby project, which would create the necessary conditions to execute malicious commands.
RubyGems maintainers also detected that hackers were abusing this mechanism to inject mining malware into some projects, such as:
- rest-client, downloaded 176 times
- bitcoin_vanity, downloaded 8 times
- lita_coin, downloaded 216 times
- coming-soon, downloaded 211 times
- omniauth_amazon, downloaded 193 times
All libraries, except rest-client, were created by taking another fully functional library, adding the malicious code and then reloading it into RubyGems under a different name. Those responsible for these actions remained active in RubyGems for more than a month without anyone detecting their presence or actions.
Finally, the operators of this campaign were detected after gaining access to the account of one of the rest-client developers, which was used to power four malicious versions of the distribution into RubyGems. For web application security specialists, threat actors made a serious mistake in attacking such a relevant project in RubyGems, which has more than 113 million downloads. “This drew too much attention, so this scheme was dismantled a few hours after this activity was detected,” they added.
Despite the intervention of rest-client managers, the 18 malicious versions of the library were downloaded about 3,600 times before being removed from the platform, so the problem is not yet over.
International Institute of Cyber Security (IICS) web application security experts recommend project administrators using these libraries to remove the malicious version or, if necessary, upgrade or downgrade to a secure to use version. Other experts have detected the presence of similar backdoors in RubyGems before; specifically in the Bootstrao-Sass and strong_password projects. Although they are somewhat similar, researchers still do not determine whether there is any link between these security risks on the platform.