Security Advisory: IconBurst Attack

Tony Loehr
Developer Advocate

The IconBurst attack is a software supply chain attack designed to harvest data from apps and websites. The campaign installs malicious NPM modules that collect sensitive data from forms embedded in mobile applications and websites. Though the exact scope of the attack is not yet certain, ReversingLabs researchers report that thousands of mobile applications, desktop applications, and websites potentially use these packages. One malicious package had been downloaded over 17,000 times, making its impact comparable to the SolarWinds attack.

How Did IconBurst Proliferate?

Cybersquatting attacks, such as typosquatting or chainjacking attacks, may be considered a specialized form of social engineering. Often, these attacks target developers in order to affect resources downstream from the malicious dependency, including applications and libraries.

The IconBurst attack relies on typosquatting, an approach in which attackers impersonate high-traffic packages by publishing under names that resemble the spellings of legitimate packages. One such target is the ionicons package, used frequently to provide icons in applications built with the Ionic framework.

So what makes the IconBurst attack unique? It is not the first time someone has created a dependency typosquat, but what is notable is the connection between the malicious dependencies. For starters, the similarity between the domains used to exfiltrate the stolen data indicates that the same attacker controls the packages involved in the attack. The IconBurst campaign used many dependencies published by different authors over a period of months, so without that shared infrastructure the connection between them would not have been clear.

In addition, the attacks used a JavaScript obfuscator to hide malicious functionality. Such a tool typically works by adding syntactic complexity to JavaScript code and, often, simplifying its operational complexity, so the code is harder to read but behaves the same. The IconBurst attack shows how these obfuscators can aid social engineering attacks.

Known Malicious Packages

More than two dozen NPM modules have been identified as malicious and are currently being used by thousands of downstream applications. The currently known packages classified as part of the IconBurst attack include:

Package Name        Author
ionic-icon          fontsawesome
ionicio             fontsawesome
icon-package        ionic-io
ajax-libs           ionic-io
umbrellaks          ionic-io
ajax-library        ionic-io
iconion-package     arpanrizki
package-sidr        arpanrizki
kbrstore            arpanrizki
icons-package       arpanrizki
subek               arpanrizki
package-show        arpanrizki
package-icon        arpanrizki
icons-packages      kbrstore
ionicon-package     kbrstore
icons-pack          kbrstore
pack-icons          kbrstore
ionicons-pack       kbrstore
package-ionicons    aselole
package-ionicon     aselole
base64-javascript   aselole
ionicons-js         aselole
ionicons-json       aselole
footericon          footericon
roar-01             ajax-libz
roar-02             ajax-libz
wkwk100             ajax-libz
swiper-bundie       ajax-libz
ajax-libz           ajax-libz
swiper-bundle       ajax-libz
atez                ajax-libz
ajax-googleapis     ajax-libz
tezdoank            ajax-libz
ajaxapis            ryucha
tescodek            ryucha
atezzz              ryucha
libz.jquery         ryucha
ajax-libary         ryucha
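As an added example (not code from the advisory or from Cycode's platform), the Node.js script below checks the dependency names in a parsed package.json against the IconBurst package list above and also flags names within a small edit distance of a legitimate package, the typosquatting pattern described earlier. The ionicons name comes from this advisory; the swiper name, the sample package.json and the distance threshold are assumptions.

```javascript
// Added example (not Cycode's or the advisory's code): check a package.json's
// dependency names against the IconBurst list and flag near-miss spellings.
const ICONBURST_PACKAGES = new Set([
  "ionic-icon", "ionicio", "icon-package", "ajax-libs", "umbrellaks", "ajax-library", "iconion-package",
  "package-sidr", "kbrstore", "icons-package", "subek", "package-show", "package-icon", "icons-packages",
  "ionicon-package", "icons-pack", "pack-icons", "ionicons-pack", "package-ionicons", "package-ionicon",
  "base64-javascript", "ionicons-js", "ionicons-json", "footericon", "roar-01", "roar-02", "wkwk100",
  "swiper-bundie", "ajax-libz", "swiper-bundle", "atez", "ajax-googleapis", "tezdoank", "ajaxapis",
  "tescodek", "atezzz", "libz.jquery", "ajax-libary",
]);
// Legitimate names the campaign imitated: ionicons is named in the advisory,
// swiper is an assumption added for illustration.
const LEGIT_NAMES = ["ionicons", "swiper"];

// Levenshtein edit distance between two strings (insert, delete, substitute).
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Audit every dependency name in a parsed package.json object; returns findings.
function auditDependencies(pkg, maxDistance = 2) {
  const names = Object.keys({ ...pkg.dependencies, ...pkg.devDependencies });
  const findings = [];
  for (const name of names) {
    if (ICONBURST_PACKAGES.has(name)) {
      findings.push({ name, reason: "known IconBurst package" });
      continue;
    }
    for (const legit of LEGIT_NAMES) {
      const dist = editDistance(name, legit);
      if (dist > 0 && dist <= maxDistance) {
        findings.push({ name, reason: `possible typosquat of ${legit} (distance ${dist})` });
      }
    }
  }
  return findings;
}

// Constructed sample package.json (not a real project); audited when run directly.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { ionicons: "^7.0.0", "ionicons-pack": "1.0.0", ionicon: "0.1.0" },
  devDependencies: { "swiper-bundle": "1.0.0", eslint: "^8.0.0" },
};
console.log(auditDependencies(SAMPLE_PACKAGE_JSON));
```

Run it against a real project by replacing the sample object with `JSON.parse(fs.readFileSync("package.json"))`; the exact-match check is the high-confidence signal, while the distance check is a triage hint that needs human review.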

IconBurst Results

The IconBurst attack not only reinforces the notion that dependencies are an increasingly common attack vector, but also shows how supply chain attacks can be used to reach end customers through developers. Developers have downloaded dependencies harboring the IconBurst attack over 30,000 times. Obfuscators help defend intellectual property, but nefarious actors can also use this technology to hide malicious functionality.

How Cycode Can Help

Cycode can help identify instances of malicious packages by enabling a comprehensive asset inventory. This visibility enables the security and DevOps team to spot nefarious dependencies that may exist in an organization’s various repositories:

This information is good to have, but what is better is proactively defending against malicious dependencies. The Cycode platform provides tools to help accomplish this. One such tool is the dashboard, which shows each place where malicious dependencies exist (along with any other violations of security policies).

As we’ve previously discussed, workflows provide a means of automating the security measures needed to protect against certain attacks. 

The above screenshot illustrates the use of Cycode workflows to create Jira tickets when vulnerable packages are found. These workflows may be used to automatically create tickets and notify the correct people, making for accurate alerts that can reduce resolution time.

The knowledge graph powers much of this functionality. With Cycode's knowledge graph, you can quickly identify instances where this threat exists in your organization:

Cycode’s advanced detection capabilities correlate event data and user activity across the SDLC to create contextual insights and automate remediation. Cycode delivers security, governance, and pipeline integrity without disrupting developers’ velocity. 

Want to Learn More?

Schedule a demo or visit our website to learn how Cycode can help improve your software supply chain security.