Hackers Love This VSCode Extension: What You Can Do to Stay Safe

Published: 2023-03-07
Last Updated: 2023-03-07 15:04:31 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

[David Boyd, a SANS.edu undergraduate intern, submitted this post]

Have you ever considered that a VSCode extension you rely on could also be the very tool that puts your sensitive data in the hands of attackers? As fellow developers, we often can be seen when using the popular open-source platform Visual Studio Code (VSCode)--and even if you do not, you will know someone who does.

On February 19, 2023, an attempted exploit was identified in my DShield's honeypot weblogs. The attack targeted a security vulnerability in the VSCode-SFTP extension, which allows users to synchronize a local directory with a remote server via the web request: /.vscode/sftp.json.

Captured GET request from the DShield honeypot’s webserver.log

OWASP identifies this vulnerability under the A07:2021 – Identification and Authentication Failures category (previously known as Broken Authentication), and if exploited, it could allow attackers to access sensitive data such as usernames, passwords, and remote hosts.

The VSCode-SFTP extension setup is simple, requiring only a few lines of code in its sftp.json configuration file. These few lines can apply a wide range of settings. One such line is the password parameter. While optional, many users leave it unprotected, making it susceptible to attacks. Thus, the vulnerability results from the default permissions in this configuration file being left open to the public, saved in plain text, or containing hard-coded authentication credentials.

Hard-coded credentials in the stfp.json config file

It is crucial to protect our SFTP credentials, as having them publicly accessible could pose significant dangers to our security. One of the major risks is unauthorized access, where anyone can use the credentials to gain access to our data, resulting in data breaches or theft of sensitive information. Another risk is malware attacks, where hackers can upload malicious code onto our server, causing potential data loss, downtime, or other disruptions. This can damage our reputation and erode customer trust. In addition, it can also result in compliance violations depending on the industry.
If you are a developer using this extension, we must ensure that our SFTP credentials are kept confidential and accessible only to authorized personnel, using strong passwords, two-factor authentication, encryption, and regularly auditing and monitoring access to SFTP servers. This will prevent sensitive information from being publicly accessible. If these mitigations are not plausible, you may need to consider removing the VSCode-SFTP extension entirely from production.

But who was behind this attack? Interestingly, the IP address 138.68.154.197 associated with the attempted exploit traces back to LeakIX, a public scanner that combines a search engine indexing public information and open reporting platform. LeakIX helps identify vulnerabilities in internet-facing technologies by following a 30-day disclosure policy to hosting companies before publishing the leak to the public. While the HTTP requests' user agent string of Go-http-client/1.1 does not contain any information identifying the client or device used to make the request explicitly, it can be confirmed that the requester was from the LeakIX’s Client scanner. According to their GitHub page, the scanner uses the Go programming language's net/http library to create their custom HTTP client.

Despite the relief that this was not a malicious attacker, but an ethical scanner, this attack serves as a warning to take the necessary precautions to secure your sensitive data. It illustrates that even with secure protocols like SFTP, if communication credentials become publicly available, then the security of the protocol could be rendered useless. It also highlights the risks associated with leaving default file permissions open to the public and the importance of securing sensitive configuration files.

Sources
LeakIX: https://leakix.net/
LeakIXClient: https://github.com/LeakIX/LeakIXClient

0 comment(s)
ISC Stormcast For Tuesday, March 7th, 2023 https://isc.sans.edu/podcastdetail.html?id=8398

Comments

What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
https://defineprogramming.com/
https://defineprogramming.com/
Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
Enter corthrthmment here...

Diary Archives