Podcast

Hunting Threats in Developer Environments

Jul 03, 2025

Threat Vector | Hunting Threats in Developer Environments


Cyberattackers are increasingly targeting the very tools developers trust—integrated development environments (IDEs), low-code platforms, and public code repositories. In this episode of Threat Vector, host David Moulton speaks with Daniel Frank and Tom Fakterman from Palo Alto Networks' threat research team. They uncover how nation-state actors and cybercriminals are using trusted development tools like Visual Studio Code to run malware, exfiltrate data, and stay undetected. Listeners will learn about real-world APT campaigns, why dev tools are high-value targets, and how organizations can secure their software supply chain without slowing down developers. 




 

Transcript

 

[ Music ] >> Cyber-attacks can really come from anywhere. Now, even applications that we think are totally legitimate may be abused by an attacker to get what they want. And that is why it is so important that we keep learning about new advances in cybersecurity and new techniques that threat actors use in attempts to gain a hold of our networks. [ Music ]

 

David Moulton: Welcome to "Threat Vector," the Palo Alto Networks podcast, where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, senior director of thought leadership for Unit 42. And today I'm joined by Tom Fakterman, senior threat researcher, and Daniel Frank, threat research team lead at Palo Alto Networks. Tom has a strong background in cyber threat intelligence, malware analysis and network forensics, with experience spanning both private sector and Israeli military service. His work at Cybereason and now at Palo Alto Networks has uncovered some of the most advanced cyber espionage campaigns in recent years, ranging from attacks on telecommunication infrastructure to abuse of cloud platforms in the Middle East. Daniel brings over a decade of experience in malware research and threat detection with a career that includes senior research roles at Cybereason, F5 Networks, RSA Security, and now Palo Alto Networks. He also holds a patent for detecting fraudulent activity from compromised devices, just one of the many ways he's contributed to building a stronger defense against sophisticated threat actors. Today, we're going to talk about a pressing and emerging risk: the abuse of software development platforms by both cybercriminals and nation-state adversaries. As development tools like IDEs, low-code platforms and public code repositories become more powerful and interconnected, attackers are finding creative ways to exploit them, often bypassing traditional detection mechanisms. This includes a recent case involving a Chinese APT group that used Visual Studio Code to deploy malware within a development environment, a campaign uncovered by our guests today. For organizations with CI/CD pipelines, development teams or third-party Codera [phonetic] integrations, this episode shines a light on a growing blind spot. If attackers can exploit the very tools your developers trust every day, it's time to rethink how we secure our development infrastructure. [ Music ] So, Tom, set us up. Why are low-code, no-code environments becoming so popular for developers?

 

Tom Fakterman: That's a good question. So, I would say that now, what with the rise of AI and everything, you see that more and more people don't need to -- don't need or want to know how to actually code to do all the stuff that they want to do in their day-to-day work. And that's exactly what low-code platforms give the user: the ability to create sophisticated automations without needing to know how to program.

 

David Moulton: Yes, so it sounds like it speeds you along and it allows somebody with less skills to make something incredible quickly. But you don't have that foundational understanding which can be a risk if you don't know what you're doing.

 

Tom Fakterman: Exactly.

 

David Moulton: So, Daniel, let me take it over to you. What's behind this rise in the abuse of software development platforms like VS Code, low code environments and even code repositories?

 

Daniel Frank: Well, for a start, we -- we know that -- that threat actors are always looking for -- for new ways to infect users. Right? They keep adapting to the current landscape. So, what we've noticed over the last year or so, that the abuse of IDEs has increased, like [inaudible 00:03:56] -- like significantly -- significantly increased, right? So, as part of -- of our day-to-day job, like Tom, I and the rest of the team, so we, you know, we hunt for -- for these instances. You know, we're -- we try to find things that are kind of flying under -- under the radar, like new techniques for example. So, and about a year ago, we started noticing more and more incidents where threat actors abuse legitimate software development platforms like Visual Studio --

 

David Moulton: Right.

 

Daniel Frank: -- and -- and others as well, you know, to -- to carry out all of these hacking operations. Now, that got us intrigued. I mean, and -- and one of -- one of the -- the first questions that came to our mind was, like, abusing legitimate software is -- is not -- it's not a new thing, eventually. But why focus specifically on software development? Well, there could be a number of reasons. So, A, you want to target developers in -- in -- in an organization, right? Right. And B, software development platforms usually enjoy these really high privileges within -- within a -- within -- within systems, and they have access to, like, source code and other sensitive information. And above all, they're -- they're legitimate. Right? And we are seeing more and more of these attacks against technology companies and -- and R&D of tech and also of cryptocurrency firms by nation-state threat actors. And it's mostly for intellectual property and espionage. But also, some threat actors are conducting these modern money heists. And the case of the North Korean cyber warfare program is -- is a perfect example of that. So, as we all know, North Korea, you know, they're -- they're under these crushing international embargoes and -- and sanctions, and they have to work really hard to -- to bypass these limitations. Now, what we are seeing is more and more of these North Korean threat actors targeting software developers in leading western technology and crypto organizations, with the intention of infiltrating these institutions.

 

David Moulton: So, Tom, let me take it over to you. What makes IDEs like VS code such a valuable entry point for adversaries?

 

Tom Fakterman: Well, it might not come as a shock to you, but the first thing that makes it so attractive is of course the human factor. One of the things we've noticed is that -- what works pretty well for those North Korean hackers is using social engineering, for example. They would convince people to open projects and run them in their IDEs under different orders, like a -- a fake job interview. And this -- this could be really effective. Also, some IDEs have built-in capabilities to control the machine, so the attackers sometimes don't even need to deploy malware. And now, because IDEs are of course legitimate applications, a lot of people use them. And that makes the attack a lot harder to detect if an IDE is being abused. And another good reason is that if the attacker's goal is to get a hold of source code, what's a better target than the main tool developers use every day to write that source code? So, like, we see developers have access to sensitive source code in their organizations, and that makes them, like, a prime target for attackers.

 

David Moulton: Right, let me talk to you about malicious extensions. What makes those such a risk for developers?

 

Tom Fakterman: Well, think of it like this. It's kind of like installing a sketchy browser extension. There's always a risk involved. Now, VS Code is a little different from your typical IDE. It's basically a lightweight code editor. And what makes it so cool is that you can download thousands of different extensions that are available in the marketplace. But with that also comes a risk. Anyone can upload an extension to the VS Code marketplace, and that includes people who want to cause us harm. So, threat actors can hide malicious code inside these VS Code extensions, and that could be the start of a full-fledged attack.

 

David Moulton: Tom, walk -- walk us through the Chinese APT case that you presented at RSAC where VS Code was used as an attack vector.

 

Tom Fakterman: Oh yes, I love that story. So, like any good story, it started with a -- a really suspicious alert popping up in our telemetry. And that alert was particularly interesting to us because it came from an environment that belonged to a government entity located in Southeast Asia. So, we started investigating, and when we dug into the details, we saw a lot of weird-looking activity that just screamed espionage to us. We saw reconnaissance activities that were after sensitive information. We saw exfiltration activity trying to steal data. We saw -- we saw them trying to gain access to valuable servers. And what was amazing to us is that when we looked at the origin of all of that malicious activity, we saw that all of those commands were executed by a Visual Studio Code process. It was a super legit, signed, verified process. Nothing unusual stuck out to us. So, we were wondering, what is going on here? And that's how we found out about this really rare technique that was leveraged by the attackers.

 

David Moulton: That's wild. Like, that had to like shock you when you saw that in -- in the alert and you started to chase it down because it's legitimate and it's malicious altogether.

 

Tom Fakterman: Oh, yes. At first, I was like, "What's going on here?" It took me a couple of days to realize the -- what -- what it is. At first, I thought, "Okay, maybe it is injection or DLL side loading." But I couldn't find indications for either of those, and I was stunned at first.

 

David Moulton: Is this the first time you run across something like that?

 

Tom Fakterman: Oh yes, it was. Like -- well, actually, a cool story about that technique: when I tried to search for the technique, I only found some PoCs that were published about it, like, a half year prior. But there were zero reports about the technique being used in an actual operation. So, as an analyst, it was pretty cool to see it, like, I guess, like a first-time abuse of the technique in the wild.

 

David Moulton: Daniel, you mentioned abuse of low code environments. What kind of threats are you seeing in these platforms, specifically?

 

Daniel Frank: Okay, so, low-code platforms, what they do is that -- they offer a lot of these powerful features. I mean, they can access things like users' files, they can access their clipboard and even their Internet connection. And this is just, like, to name a few. Right? And the best part, it's all the [inaudible 00:10:52] through an easy-to-use interface. So, you don't need to be a -- a coding expert or anything close to that. But here's the problem. So, if an attacker gets hold of one of these platforms, they can create these automated workflows for all kinds of malicious activities, and without needing to deploy any extra malware. I mean, it's like they got this built-in toolkit to do a lot of damage without even trying too hard.

 

David Moulton: How are the tactics different from like a traditional supply chain attack or backdoors planted in build processes?

 

Daniel Frank: Well, I'd say that the -- the main difference is that in supply chain attacks, the attackers need to find a way to insert malware into an installation process of this legitimate software or the other. But in -- in this type of attack that we're talking about, all the attackers really need is good social engineering skills to gain access to a developer's IDE, and some bad intentions. I mean, it's that simple.

 

David Moulton: So, would you categorize this as like a new class of insider risk or is this actually something that's a little closer to like a -- a stealthy external compromise?

 

Daniel Frank: Well, I -- I would consider this more of a stealthy external compromise. So, the threat comes essentially from external threat actors who mislead employees rather than, let's say, from an insider with -- with this malicious intent. Because these employees, I mean, they do not run malicious code on purpose, right? They're tricked into -- into doing that. And -- and I would also like to emphasize another point, I mean. Since many developers in -- in an organization use the same IDEs, and usually such activity looks legitimate, so -- so spotting it can also be really tough. I mean, unless you're actively hunting for it.

 

David Moulton: Tom, what telemetry or visibility gaps are allowing attackers to operate inside development tools without detection?

 

Tom Fakterman: Yes, so this is where the things get kind of tricky. So, one of the biggest challenges with dealing with IDE abuse is that at the end of the day, these are legitimate applications and usually they are trusted in their environment. So, it is not out of the ordinary for them to perform a lot of activity. So, when they are doing stuff like accessing the file system, reaching out to external servers or spawning processes, that's not necessarily malicious. And that's exactly what attackers are banking on. They're hiding in plain sight. So, this can make it hard for defenders to differentiate between day-to-day use of an IDE and malicious abuse by a threat actor.

 

David Moulton: What's going to need to change in most environments to close these gaps?

 

Tom Fakterman: I would say the first step, like with a lot of these problems, is awareness. You've got to actually recognize that IDEs, while of course essential, can also be attack surfaces. The next step will be to work on tailored detections and hunting queries. We need to understand what normal behavior looks like for tools like VS Code and what sticks out. And that takes some environment-specific tuning.

 

David Moulton: For defenders out there, what are some of the high-fidelity indicators of compromise or -- or maybe even the behavioral patterns that are tied to the developer platform abuse?

 

Tom Fakterman: So obviously, the exact indicators can shift depending on the technique and the attacker's playbook. But there are definitely some patterns that we see popping up over and over again. One of the biggest red flags we see is when an IDE spawns a shell process like cmd or PowerShell. And when those shells start running things like recon commands, trying to map the network, pull credentials or even move laterally, well, at this point, you should have the alarm ringing.

 

David Moulton: Oh, for sure. Can you share any success stories where those techniques were detected really early?

 

Tom Fakterman: Oh yes, definitely. I love that question. So, I have one story that happened pretty recently, and it is related to a campaign we call Contagious Interview. And we actually explored that one in our RSAC session. So, in this campaign, North Korean threat actors were posing as recruiters, and they were trying to trick developers into running malicious code under the guise of a fake job interview, hence the name, Contagious Interview. And we spent a lot of time dissecting that campaign and mapping out the different TTPs. And we've created a lot of different detections around our techniques. And not long after our investigation, we actually started seeing this threat actor attempting to target our customers using very simple -- similar TTPs. But because of all of the work that we did on them, Cortex XDR was ready, and it blocked all their malicious attempts. And this is an idea that we really focus on in our team. That research isn't just theory. It directly powers our defenses.

 

David Moulton: Absolutely. Daniel, what are some of the proactive ways organizations can secure their development environments without slowing down their developers?

 

Daniel Frank: This is a really important question, David, and I'm glad you asked it. Well, there are a few ways organizations can secure their development environments, but I will highlight two main ones. Well, first off, before running any code, you know, from -- from outside sources, you know, like third-party code, and this is something that we talked about a lot in our -- during our RSA conference presentation. So, it's really important to scan that code, either manually or automatically. And this goes for code you're importing into existing projects or when you're starting a new project. And the same also applies for -- for extensions. Now, the second and probably even more important point is that regular security awareness training is key. Everyone in the company should be trained. But it's especially crucial for developers, in this case, to be aware of these kinds of threats and know how to recognize them.

 

David Moulton: Are there best practices for extension vetting that you recommend?

 

Daniel Frank: One way to manage things, and this is relevant especially for managing Python packages, and we talked about malicious Python packages during our RSAC presentation, is by using a -- a local cached repository within organizations. So, this way developers can install packages and specific versions of these packages from these local company servers where the code has already been pre-audited. And when it comes to vetting extensions, like the VS Code extensions that we mentioned, it's best to, at the very least, stick with signed extensions from trusted developers. Now, of course, nothing's ever 100% foolproof, right? But taking these precautions can really, at least, lower the risk of picking up malicious third-party code or extensions.

 

David Moulton: Guys, your team analyzes nation state tactics. How would you differentiate between cybercriminal versus APT use of these dev tools? Maybe Daniel, you go first?

 

Daniel Frank: Yes, it really depends on the approach, I would say. So, for something like malicious extensions, it's actually pretty simple I guess. A cybercriminal doesn't need much. Just take a malicious extension, upload it to a store, maybe trick users in a way or two into installing it, and voila, they're in. Right? Anyone with basic technical skills can manage that. But for more targeted attacks like setting up these fake job interviews, that's where APTs really come into play. And they've got this -- the resources and motivation and time, I guess, to pull off these more complex social engineering tricks like that.

 

David Moulton: Tom, is it a technique we expect to see more broadly adopted across different threat actor categories?

 

Tom Fakterman: Oh, absolutely, and we've already seen it happen. I'll use the VS Code CLI abuse as an example again. So, as I said, when I first started digging into how -- how Chinese APTs were abusing the VS Code CLI to mask their activity, I couldn't find any report about the technique actually being abused in the wild. But today is a very different story. If you search for the abuse of VS Code right now, you'll find many reports from several different threat actors who abuse that very same technique. So, we have seen live how this technique has been adopted by more and more threat actors in more and more attacks.

 

David Moulton: Daniel, where do you see the threat landscape heading over the next year? Are -- are we like moving into a new phase of developer focused cyber-attacks?

 

Daniel Frank: I think we'll definitely see more of these attacks and we're already seeing that in -- in recent months. And especially as different threat actors continue using AI to make their interactions with targets even more convincing than -- than they are now. And trust me, they can get pretty convincing. And also, as long as malicious code can still, you know, can still slip into these marketplaces and -- and different development projects, we're going to see this attack vector probably grow and become a bigger threat in the near future.

 

David Moulton: So, guys, one of the questions I like to ask at the end is what's the number one thing that a listener should take away from our conversation today? Tom, we'll start with you.

 

Tom Fakterman: Well, one thing that I really want people to take from that is that cyber-attacks can really come from anywhere. Now, even applications that we think are totally legitimate may be abused by an attacker to get what they want. And that is why it is so important that we keep learning about new advances in cybersecurity and new techniques that threat actors use in attempts to gain a hold of our networks.

 

David Moulton: Daniel, over to you. What's the most important thing that a listener should take away from today's conversation?

 

Daniel Frank: Well, first of all, there are so many ways that threat actors can get in. And I mean both cybercriminals and -- and AP -- and nation-state APTs, they can get super creative when they need to infiltrate organizations. And it's also crucial to remember that legitimate applications are prime targets for attackers because they can sneak in unnoticed, they can run malicious code or commands within this app or another, and it makes it so much harder to spot and differentiate from legitimate activity. And let's face it, we're all human, right? And we all make mistakes. So, as Tom said, this is why it's so important to stay proactive and look for these kinds of threats and keep up with the latest trends in cybersecurity.

 

David Moulton: So, Tom, Daniel, thank you so much for an awesome conversation today. I -- I really appreciate you bringing your insights and kind of a snapshot of the talk that you gave at RSAC this year.

 

Daniel Frank: Thanks, David. Great to be here.

 

Tom Fakterman: Yes, thank you so much, David. Had a great time. [ Music ]

 

David Moulton: That's it for today. If you like what you heard, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Your feedback and your reviews really do help me understand what you want to hear about. If you want to reach out to me directly about the show, email me at threatvector@paloaltonetworks.com. I want to thank our executive producer, Michael Heller, our content and production teams, which include Kenne Miller, Joe Bettencourt, and Virginia Tran. Elliott Peltzman edits the show and mixes our audio. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now. [ Music ]
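The hunting pattern Tom describes in the transcript above (an IDE spawns a shell, and that shell or its children run recon, credential-pull or lateral-movement commands) is straightforward to express over process-creation telemetry. The following is an added example written for this page; it is not code from Unit 42, Cortex XDR or the guests. The event fields (pid, ppid, image, cmdline), the IDE and shell allow-lists, the command patterns and the severity tiers are assumptions to be tuned per environment, and the sample events are constructed. The rule attributes activity through the process tree, so a shell's grandchildren are still tied back to the IDE, and an IDE terminal running an ordinary build is kept at informational level for baselining rather than alerted on.

```python
"""Hunt for IDE-spawned shells that run recon / credential / lateral-movement commands.

Added example for this page; not Unit 42, Cortex XDR or podcast-guest code.
Event schema, allow-lists, patterns and sample data are assumptions/constructed.
"""
import re
from dataclasses import dataclass

# Assumption: short allow-lists, extend per environment (basenames, lower-case).
IDE_IMAGES = {"code.exe", "code", "code-insiders.exe", "devenv.exe", "idea64.exe", "pycharm64.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh", "zsh"}

# Behaviours called out in the episode. Patterns are illustrative, not exhaustive.
SUSPICIOUS = {
    "recon": re.compile(
        r"\b(whoami|systeminfo|ipconfig\s+/all|net\s+(user|group|view)|nltest|"
        r"arp\s+-a|tasklist|quser)\b", re.I),
    "credential_access": re.compile(
        r"(reg(\.exe)?\s+save\s+hklm\\(sam|security|system)|lsass|vaultcmd|procdump)", re.I),
    "lateral_movement": re.compile(
        r"\b(psexec|wmic\s+/node:|winrs|Enter-PSSession|Invoke-Command\s+-ComputerName)\b", re.I),
}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path as logged by the sensor
    cmdline: str


def basename(path: str) -> str:
    """Lower-cased file name, tolerant of Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def descendants(root_pid: int, children: dict) -> list:
    """Every process below root_pid in the tree (depth-first)."""
    stack = list(children.get(root_pid, []))
    out = []
    while stack:
        ev = stack.pop()
        out.append(ev)
        stack.extend(children.get(ev.pid, []))
    return out


def hunt_ide_shells(events: list) -> list:
    """Return one finding per shell whose direct parent is an IDE.

    The finding covers the shell plus its whole subtree, so commands run by
    nested shells or child binaries are attributed back to the IDE.
    """
    by_pid = {e.pid: e for e in events}
    children: dict = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    findings = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if (parent is None or basename(parent.image) not in IDE_IMAGES
                or basename(ev.image) not in SHELL_IMAGES):
            continue  # trigger is specifically IDE -> shell
        chain = [ev] + descendants(ev.pid, children)
        text = "\n".join(c.cmdline for c in chain)
        hits = {}
        for category, rx in SUSPICIOUS.items():
            matched = sorted({m.group(0) for m in rx.finditer(text)})
            if matched:
                hits[category] = matched
        if "credential_access" in hits or "lateral_movement" in hits:
            severity = "high"
        elif hits:
            severity = "medium"
        else:
            severity = "info"   # IDE terminal in normal use; keep for baselining
        findings.append({"ide_pid": parent.pid, "shell_pid": ev.pid,
                         "shell": basename(ev.image), "severity": severity, "hits": hits})
    return findings


# Constructed sample telemetry: one benign integrated terminal, one abusive one,
# and a shell spawned outside the IDE that this rule deliberately ignores.
VSCODE = r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe"
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, VSCODE, '"Code.exe" C:\\src\\project'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -NoLogo"),
    ProcEvent(301, 300, r"C:\Program Files\nodejs\node.exe", "node.exe build.js"),
    ProcEvent(400, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami /all & ipconfig /all & net user"),
    ProcEvent(401, 400, r"C:\Windows\System32\whoami.exe", "whoami.exe /all"),
    ProcEvent(402, 400, r"C:\Windows\System32\net.exe", "net user"),
    ProcEvent(403, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command Invoke-Command -ComputerName fileserver01 -ScriptBlock { whoami }"),
    ProcEvent(404, 400, r"C:\Windows\System32\reg.exe", r"reg.exe save hklm\sam C:\Windows\Temp\sam.hiv"),
    ProcEvent(500, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
]

if __name__ == "__main__":
    for f in hunt_ide_shells(SAMPLE_EVENTS):
        print(f["severity"], f["shell"], "pid", f["shell_pid"], "under IDE pid", f["ide_pid"], f["hits"])
```

In the sample, the PowerShell terminal running a node build yields an informational record only, while the cmd.exe tree is rated high because the credential-access and lateral-movement categories fire in addition to recon. The shell spawned by explorer.exe is not reported at all: it is outside this rule's scope, which is exactly the "IDE spawns a shell" indicator and nothing broader.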
