Just recently I wrote about how a software developer, who is security-aware, was spear-phished and almost fell victim to a Firefox 0-day exploit. Fortunately for him, he was using Google Chrome and not Firefox. Follow that link for more details about that story, but what both that story and this story share in common is a security checklist that both parties upheld.
With new software releases and developments, often times you’ll also see a changelog of some sort. Changelogs describe alterations new releases contain compared to prior versions. Reviewing these changelogs is important for many reasons, one of which is being aware of what’s changed and if there is a possibility of these changes affecting you and your product or company. So far so good, it makes sense: documenting changes is good and allows for fair disclosure of changes.
Now, this simple task that many can do, despite not fully understanding said changes and verbiage, allows for context to further research and collaborate with others in assessing potential impacts. However, this feat can also lead to the focal point of this blog: following breadcrumbs led to the discovery of a hijacked Ruby gem component named strong_password. Ruby is a programming language and a gem is a module or library of Ruby. strong_password is a Ruby gem that checks password strengths.
In brief, this maliciously released Ruby gem “update” first tests if the strong_password gem is used in production. If so, and after a random amount of time, the code reaches out to a pastebin.com listing and retrieves a second payload. This second payload essentially silently opens a backdoor, allowing an attacker to remotely execute code. In addition, it also sends a list of infected URLs to a different domain.
This author’s due diligence led Ruby’s security team to further investigate, ending with the nefarious gem’s release being pulled. That said, if you use Ruby and are a user of the strong_password gem, update this right away. Consider internally investigating any possible infiltrations and intrusion detection logs. The gem was downloaded less than 600 times; I can only assume that those impacted are still conducting their investigations.
As for others not directly impacted by this, and to broaden this message to other readers, consider taking the same steps with future releases as well, for all software-based products. This includes Ruby and other programming languages, even the OS release note updates of varying hardware products.