How Cyber Attackers are Tricking Developers And Why Better Security Awareness Training is Required
When breaking into systems or networks, hackers always exploit an organization’s weakest link, and developers have recently become increasingly popular targets.
So why are hackers going after developers? In most organizations, developers commonly have special access privileges to tools containing valuable internal data; they are readily visible on social media platforms; and, like most of us, they tend either to set weak passwords or to reuse the same password across multiple sites.
The recent attacks by Lazarus Group, aka APT38, demonstrate how hackers target developers. Lazarus Group is a North Korean state-sponsored hacking group that the US Treasury Department has linked to the massive $600 million heist from the Ronin blockchain network.
After the attacks, the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the US Treasury Department issued a joint cybersecurity advisory warning all cryptocurrency businesses to keep an eye on attacks from Lazarus Group hackers.
So why do hackers successfully target developers and how do they do it? Read on.
Why and How Hackers Target Developers
From phishing emails to complex code injections, hackers use a variety of techniques to extract valuable data from organizations. But why target developers? This question in particular is simple to answer. Let’s tackle the “why” first.
Why do hackers target developers?
In one sentence, the answer is that developers have admin privileges. But that is only part of the reason, albeit a significant one. Other reasons include the following:
- Organizations usually provide insufficient security coverage for developers, because developers are not considered a security risk.
- Developers tend to use the same accounts professionally and personally. This is especially visible on GitHub, where their repositories are often misconfigured.
- Developer accounts are not considered critical to security and may not have permission to manipulate production code or deploy applications by default. Yet developers often bypass security controls and interact creatively with many different systems because of the nature of the tools they use to build software.
- Their profiles are readily available on social media, so crafting a personalized email with a lucrative job offer is easy. Developers are always looking for the next-best opportunity, and hackers take advantage of this.
- Tampering with software during the development cycle creates a backdoor that the attacker can use later.
- A compromised software vendor becomes a software supply chain vector for a massive attack on its numerous clients (Trend #3 in Gartner).
Developers are considered privileged users with access to an organization’s development environment and source code. The development environment has access to the customers’ data. This means your entire organization is at risk if a single developer is compromised.
Now that it is clear why hackers are targeting developers, let’s understand how they do it.
How do Hackers Target Developers?
There are numerous ways hackers target developers. But the most common method is called phishing.
Hackers Love Phishing and Developers Are Their New Target
Hackers love phishing and commonly deploy phishing attacks to steal information from the weakest link in an organization – in this case, developers. Developers are humans who tend to slip up occasionally like the rest of us, and hackers are first in line to take advantage of those opportunities.
Returning to the question of “how”, there are numerous ways hackers target and attack developers in your organization. Some common methods include:
- Spear phishing emails
- Social engineering
- Password dumps
- Stolen passwords purchased on the Dark Web
Developers usually reuse similar passwords across accounts, so once any one account is compromised, extracting its password and using it to enter a developer’s other accounts becomes easy. Software tools that developers download can also open a backdoor for threat actors if the program has been modified with malicious code.
Some Examples of Compromised Developer Accounts
Below are a few notable cases in which developers’ accounts were compromised.
1. Git Repository Misconfiguration
In 2021, Twitch was one of the companies whose source code was leaked publicly. In this case the source code was exposed because of a misconfigured Git repository. According to company insiders, the breach was not surprising but was unique in one respect: the malicious actors published the company’s source publicly. The breach prompted Twitch to think like attackers and search for loopholes in its own security.
2. Git Credentials Leaked
In their 2021 research, GitGuardian showed that developers frequently use connection tokens and SSH keys to authenticate to Git, and that these credentials often end up in public repositories belonging to personal projects. GitGuardian discovered more than 60,000 access tokens to private repositories leaked within ‘Public’ Git repositories. Malicious actors routinely search such public repositories to gain access.
3. Compromised User or Insider Threat
An insider threat, or a compromised user, is a developer who is either paid by bad actors to let them in or is compromised unknowingly. At the beginning of 2022, hackers from the Lazarus Group gained access to the private source code of numerous organizations through an insider threat or a compromised developer. Victims included huge names like Microsoft, Samsung, and Nvidia.
4. Inadequate Password Hygiene
Password hygiene is one of the simplest ways to stay safe online, yet humans tend to forgo this one practice. The now famous Uber data breach revealed that hackers gained access to private source code repositories because of poor password hygiene: internal developers were simply using the same passwords on multiple sites.
Vulnerabilities in DevOps Pipelines
DevOps pipelines are vulnerable for numerous reasons, but the most significant is the privileged access and high permission levels given to developers. According to industry experts, DevOps pipelines should have the strictest security measures, but in reality they tend to have the weakest security practices, along with exposed credentials and infrastructure.
Development tools are readily available and accessible on the internet, and that is only part of the problem. CI/CD infrastructure rarely gets the attention given to the rest of the enterprise. The situation worsens with contemporary development practices, which give hackers a perfect playground.
Mounting Attacks on DevOps Pipelines – A Concerning Matter
It would be comforting to say that DevOps pipeline attacks are few and far between, but that is not the case. Unfortunately, DevOps pipelines have become a hot target for bad actors and criminal gangs alike.
In a study released in January 2022 by Argon – an Aqua Security Company, there was more than a 300% increase in the attacks on the software supply chain, as compared to 2020.
Another study released by Sonatype in September 2021 revealed a significant increase of about 650% in the attacks on the open-source software supply chain.
Types of DevOps Pipeline Attacks
Industry experts and veterans alike have shortlisted the three most significant and common attacks on DevOps pipelines:
1. Dependency Confusion
This is also known as a namespace confusion attack. Bad actors discover the names of proprietary enterprise software packages and publish open-source packages with the same names and later release dates. Some pipeline tools download the latest version of a software package by default.
Result: The user unknowingly ends up downloading the software with malicious code.
2. Typosquatting
In this attack, the attacker plays on your tendency to make a typo while searching for an open-source software package. The attacker publishes a package with a similar name and then sits back, hoping that a user mistypes the name and is directed to the infected library.
3. Code Injection
As the name suggests, code injection is the practice of injecting malicious code into a legitimate open-source project. There are numerous ways to achieve this, such as stealing the credentials of a project maintainer or volunteering to work on the project. Hackers also tamper with open-source developer tools to gain access.
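As an added illustration (not code from the article or from Kontra), the defender-side check below flags both of the pipeline risks described under 1 and 2 in a requested dependency list: an internal package name that the public index also serves at a higher version, and a requested name one edit away from a well-known package. The index contents, the internal acme-* names and the well-known list are constructed sample data.

```python
import re

# Constructed sample data standing in for what a private index and the
# public index serve for each name; a real check would query both.
PRIVATE_INDEX = {"acme-billing": ["1.4.0", "1.5.2"], "acme-auth": ["0.9.1"]}
PUBLIC_INDEX = {
    "acme-billing": ["9.9.9"],  # same name as an internal package, newer version
    "requests": ["2.31.0"],
    "numpy": ["1.26.4"],
}
# Popular names a typosquat would imitate (hypothetical allow-list).
WELL_KNOWN = {"requests", "numpy", "urllib3", "django"}


def parse_version(v):
    """Turn '1.5.2' into (1, 5, 2) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def levenshtein(a, b):
    """Edit distance; a distance of 1 is the classic single-typo case."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(requested, private=PRIVATE_INDEX, public=PUBLIC_INDEX, known=WELL_KNOWN):
    """Return (package, finding) pairs for names that a resolver preferring
    the highest version, or a developer's typo, could send to an attacker."""
    findings = []
    for name in requested:
        # Dependency confusion: the public copy of an internal name would win.
        if name in private and name in public and \
                max(map(parse_version, public[name])) > max(map(parse_version, private[name])):
            findings.append((name, "dependency-confusion"))
        # Typosquat candidate: not a known name, but one edit away from one.
        if name not in known:
            close = sorted(k for k in known if levenshtein(name, k) == 1)
            if close:
                findings.append((name, "typosquat-candidate:" + close[0]))
    return findings


if __name__ == "__main__":
    for pkg, finding in audit(["acme-billing", "acme-auth", "requests", "requets"]):
        print(f"{pkg}: {finding}")
```

Pinning internal names to the private index (or a proxy that never falls through to the public index) is the fix for the first finding; the second is a review prompt, not proof of malice.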
Beyond the threats mentioned above, vulnerabilities in open-source components are just as worrying. Synopsys reviewed over 1,500 released enterprise software projects and found that about 98% of them contained open-source code, and that about 75% of the codebase of an average application was open source. The worrisome part is that about 84% of the codebases had at least one vulnerability.
Another study, by Flashpoint’s Risk Based Security, revealed that more than 28,000 new vulnerabilities were disclosed in 2021, about 4,000 of which were remotely exploitable.
About 91% of open-source components have not been maintained in the last two years. Malicious actors are on the lookout for such loopholes to gain unlawful entry, and it takes just one compromised developer for the entire organization to face a data breach.
Developers Need Protection – How Organizations Can Help
Your developers are the weakest link in your organization, and it is your responsibility to protect them and keep them secure. Developers’ credentials are lucrative, and hackers seek them out to gain entry.
Why break in when hackers can walk into the network with legitimate credentials found on the internet? As mentioned earlier, organizations do not consider developers a security risk, yet developers are the most vulnerable users, precisely because they are privileged users with specific access rights.
So, how can you ensure the security and safety of your developers?
The answer is simple – through training with Kontra.
What is Kontra Application Security Training by ThriveDX?
Kontra Application Security Training by ThriveDX is an AppSec training solution that aims to provide the most advanced, cutting-edge interactive, and web-based developer security simulations and education.
With real-world interactive scenarios, secure code training transforms into a powerful tool that helps developers understand hackers’ motivations, identify vulnerabilities in their code, and protect their software from future attacks. The training equips organizations to educate critical developer roles such as front-end, back-end, and database development on secure code best practices.
ThriveDX powers the training program, and their scalable technology reinvents and reimagines enterprise application security education for the modern developer.
There has been a sudden and significant surge in data breaches in recent years, and developers have become hackers’ new favorite victims. Because a developer’s role grants access to highly valuable data while remaining relatively low-effort to breach on account of poor security training, cyber threat actors are actively targeting developers worldwide at companies of every scale.
However, these data breaches can be prevented with the right training from platforms and tools like Kontra Application Security Training by ThriveDX. Kontra helps your organization stay aware and secure. So, what are you waiting for? Book a call to learn more and make your organization and developers aware, safe, and secure.
Swati N. Gupta has been a journalist, a lifestyle blogger, and an eager student of life. With absolutely no background in technology, she became fascinated with disruptive technologies like AI, ML, deepfakes, and so on. She started writing about the certifications required to become a successful AI engineer or data scientist. Her love of reading and deep research got her interested in the security angle of all these technologies. Today, Swati is a deep tech writer covering cybersecurity and its various aspects.