Vulnerability

Trojan Source – A new method Let Hackers inject vulnerabilities into the source code

A new type of vulnerability has been identified by the security researchers of Cambridge University, Nicholas Boucher and Ross Anderson, and this vulnerability enables threat actors to insert visually deceptive malware into the source code in such a way that is semantically correct.

Not only this, but at the same time, this vulnerability also modifies the logic defined by the source code, making the code exposed to a wide variety of cyber threats, which also include threats that are related to supply chains.

Text-encoding Standards Abused

The whole Trojan Source attack has been demonstrated, and it’s been detected that this attack can negotiate the first-party software and supply chains.

While one of the experts noted that the threat actors are using a trick to use Unicode control characters so that they can easily reorder tokens in source code at the level of encoding. 

Apart from all this, several manipulative ways are being used by the threat actors for encoding the source code files so that human viewers and compilers see different reasoning.

Homoglyph & Duplex Attack

The double attack method is tracked as s CVE-2021-42574, and in this method, the hackers achieved their goal by using Unicode controls for bidirectional text as they want to prescribe the direction in which the content is being shown.

But, here, the bidirectional (Bidi) controls like LRI and RLI are invisible characters, and these two characters are not the only ones.

Moreover, the hackers have used another method that is a homoglyph attack, and it has been tracked as CVE-2021-42694. In this method, the threat has two different characters that have a related visual representation.

Techniques Enable Exploiting of the Source Code

The security experts have mentioned some of the techniques that generally allows exploiting of the source code; thus we have mentioned them below:-

  • Early Returns – It covers a certain ‘return’ statement in a comment so that it can produce a function to return earlier than it resembles
  • Commenting Out – It shuffles human review by putting important code, such as a conditional, in a comment so that it is overlooked by the compiler or the interpreter.
  • Stretched Strings – It reverse-order the code to execute it appears to be outside a string literal.

Meshed Revelation

On July 25, acquainted several maintainers of products that were being observed to be influenced by the Trojan Source attack method and set a 99-day embargoed disclosure time.

At the end of the review, they also underwent an average of $2,246 in bug bounties from five of the beneficiaries; however, 11 of them had a bug bounty application.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates.

Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Cisco Warns of Password Spraying Attacks Exploiting VPN Services

Password spraying is a technique hackers often take advantage of because it enables them to…

10 mins ago

GitLab Security Flaw Let Attackers Inject Malicious Scripts: Patch Now

GitLab has announced the release of updated versions for both its Community Edition (CE) and…

18 mins ago

Multiple Splunk Vulnerabilities Attackers Bypass SPL Safeguards : Patch Now

Splunk Inc. has disclosed two significant vulnerabilities within its software suite, posing a considerable risk…

5 hours ago

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report that highlights…

18 hours ago

C2A Security’s EVSec Risk Management and Automation Platform Gains Automotive Industry Favor as Companies Pursue Regulatory Compliance

In 2023, C2A Security added multiple OEMs and Tier 1s to its portfolio of customers,…

19 hours ago

Apple ID “push bombing” Attack Targeting Apple Users to Steal passwords

Apple users are falling prey to a sophisticated phishing campaign designed to hijack their Apple…

22 hours ago