As recently exposed by cyber threat investigators, software supply chain attacks have gained popularity with cybercriminals. Once exclusively used by cyberespionage threat actors, these attacks have become attractive for average cyber criminals, who see this threat as a way to compromise hundreds or thousands of computers with one operation. This explains why the software supply chain attack threat more than tripled in 2021 when compared to 2020, researchers report.[1]
A software supply chain attack targets software repositories or download locations to spread malware instead of or in addition to legitimate software. Attackers might use several ways to compromise a software supply chain. One way would be to find vulnerabilities to compromise the storage of downloadable software, especially when stored on a third-party website. Another method of attack is attacking developers’ accounts and gaining access to them or accessing a software or website maintainer account. Once the access is compromised, the attacker might publish malicious updates to the software, affecting every user and company that would download and install the new update.
This can be particularly disastrous in the case of a compromised and modified library, which could be used by hundreds of different pieces of software all around the globe. It might happen on actual software and old packages, suddenly pushing new updates after years of inactivity. Most developers aim at gaining efficiency and therefore use a lot of third-party code, generally libraries, to avoid having to redevelop something that is already done and freely available. Yet, those third parties software is rarely reviewed by developers and is fully trusted.
Researchers have analyzed the most frequently used code repositories on how difficult it would be for an attacker to compromise a developer account successfully. The researchers have also worked with these repositories to resolve major issues when found.
NPM - NPM, or Node Package Manager, is a code repository specific to the JavaScript programming language that provides more than two million packages. Those packages contain metadata such as a description, a link to the package archive file, and a list of the package maintainers, including the developer’s username and email address.
The NPM repository has been independently audited recently, and it seems that it is not prone to attacks on developers’ email addresses. Expired developer accounts could not be retrieved, with specific security measures taken by NPM.
PyPI - Python Package Index stores almost 400,000 different projects written in Python. Developers’ email addresses are not exposed publicly by default on that repository. But many developers enable that feature since they need or want to interact with other people running their code for various reasons, such as functionality feedback, improvement suggestions, and bug reports.
Multi-factor authentication is not enabled by default for the biggest part of the repository. It is only mandatory to “critical projects,” which represent the top 1% of the PyPI projects based on the number of downloads. PyPI has distributed 4,000 hardware security keys for MFA for those critical projects. According to researchers, an account takeover at PyPI has already occurred, and changes made by admins to improve account security.
CPAN - More than 200,000 Perl programming language modules are stored on the Comprehensive Perl Archive Network. Module developers have their homepage listing their contributions and their email addresses.
NuGet - NuGet is a .NET software repository with more than 317,000 packages. Developers have their email addresses hidden by default on the platform. Instead, NuGet offers a form on the website to reach the developers without leaking their email addresses. An option for the developers to add their Twitter handle is provided but cannot be considered as a direct way to try to compromise a developer.
RubyGems - Ruby developers might use the RubyGems repository, composed of approximately 172,000 packages (also called gems). The developers’ email addresses are hidden by default. Yet, some gems contain a maintainer file, which indicates a contact email address for the developer. Although, it is not consistent across gems. RubyGems has recently announced the enforcement of MFA for top developers’ accounts to fight against account takeovers. Developers’ and maintainers’ accounts need to be protected from account takeover. This could be done by having all code repositories push MFA and make it mandatory to access the code. Several repositories have already enforced that policy but mainly for their top developers. In addition, code repositories should not reveal developers’ or maintainers’ email addresses. Providing a form to reach the developers is a safer method.
Code signing keys should also be deployed to ensure an attacker could not use a developer’s expired domain name since they would not own the code signing key. At a consumer level, organizations should carefully analyze what software they use and segment a group of systems running particular pieces of software from the rest of the internal network. New updates from any software should be reviewed before deployment by looking at code differences between the old and new code. While a great idea, this technique would use increasing resources within the company.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. wapacklabs. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://www.oodaloop.com/briefs/2022/10/06/software-supply-chains-at-risk-the-account-takeover-threat/
Comments