Based on NorthSec 2023 presentations:
Cyber breach where the threat actor is able to target insecure trusted 3rd party software
In 2022, supply chain cyber attacks in the United States impacted 1743 entities (Statista)
Financial losses attributed to software supply chain cyberattacks will jump 76% and cost the global economy almost $81 billion in lost revenue and damages by 2026 (Juniper research)
Threat model that aims to identify the weakest links in the developer supply chain
Broken links - Behind the scenes of Supply Chain breaches, by François Proulx
🔥 Dropbox email phishing pretending to be from CircleCI - November 2022
- stole Github credentials, gained access to private repos and exfiltrated source code
🔥 Linux kernel experiment - August 2020
- researchers simulated an attack by submitting malicious code to linux kernel
- code review caught most but not all
🔥 SolarWinds - December 2020
- attacker compromised build server
- malware modified source files to add backdoor during build step
- reverted modification after build to stay hidden
Abusing GitHub for fun and profit: Actions and Codespaces Security by Magno Logan
🔥 Log4j December - 2021
- popular Java logging library used everywhere
- had a special documented feature that allowed RCE by logging user controlled data
- Some package managers first resolve public repositories instead of private ones with the same name
- Used to trick build system in dowloading malicious public package instead of private legitimate one
PyPI:
- 🔥 Python `request` package instead of `requests` - August 2020
Npm:
- 🔥Typosquatting campaign targetting node developers - October 2022
- 🔥 Cyber firm Phylum discovered 15 npm packages using typosquatting totalling 1.2 billion downloads per week
- tslbi, tsilb, tlsib -> tslib or crossenv -> cross-env
Docker hub:
- 🔥 In its 2022 report, Sysdig Threat Research Team found thousands of typosquatted docker images hiding cryptominers
- npm provides an install lifecycle hook as part of a dependency install process
- 🔥 node-ipc
package modified to execute commands that will create files or even wipe hard drives
- 🔥 October 2021 UA-Parser.js npm package was hijacked and infected with stealing passwords and cookies code and crypto-miner.
- 🔥 Theme Darcula dark was stealing basic system information
- 🔥 python-vscode allowed for remote code execution
- 🔥 prettiest java stole credentials or authentication tokens from Discord, Chrome, Opera, Brave Browser and later exfiltrated them using a Discord webhook.
all 3 were downloaded 46,600 times 💀
- MFA for developers/everyone
- Code source branch protection rules
- Git commit signatures
- SAST, DAST, SAC, security linters
- Scan for leaked secrets, docker images
- Run package managers audits regularly
- Enforce lock files
- Update dependencies at the right cadence with a sane process
- Keep up to date on the latest 0day bombs
- use --ignore-scripts to avoid postinstall scripts
- use lockfile-lint to prevent lockfile injection attack
- use tools like npq which analyzes new packages before installing them and minimizes risk of installing malware
- be more careful about IDE plugins (check reviews, src code)
- only use GH actions from trusted creators, don't run actions from forked repos without reviewing them