What Constitutes a Software Supply Chain Attack?

We are just halfway through 2021 and have already seen an exceptional increase in open source malware and novel supply chain attacks. And they seem to just keep coming.

I’m talking about a persistent pattern demonstrated by threat actors infiltrating upstream code repositories in one way or another.

Below are just a fraction of the recent, real-world software supply chain incidents that caused havoc:

  • The Kaseya ransomware incident, encrypting the files of over 1,500 businesses.
  • A researcher ethically hacking over 35 big tech firms via dependency hijacking.
  • The SolarWinds supply-chain attack affecting upwards of 18,000 customers.
  • Microsoft admits signing rootkit malware drivers with their code signing certificate.
  • The compromised Codecov Bash Uploader in use by over 29,000 customers—Feds later suspected hundreds of customer networks were hacked.
  • Japanese government offices using Fujitsu’s ProjectWEB tool suffered breaches.
  • Enterprise password manager Passwordstate from Clickstudios delivered malicious updates.

And then there are examples of foul play in which attackers managed to tamper with or pollute upstream repositories to achieve their goal:

  • Over 140 GitHub repositories that used the software workflow automation tool “GitHub Actions” saw malicious cryptomining code introduced by threat actors to automatically mine cryptocurrency using GitHub’s servers.
  • Microsoft’s package manager WinGet was flooded with duplicate or corrupted packages overwriting existing ones.
  • PyPI and GitHub successfully flooded with spam links on multiple occasions this year [1, 2].

As if these prominent supply chain attacks weren’t enough, let’s not forget 2021 is the year when the novel open source software (OSS) attack concept dubbed “dependency hijacking,” or namespace confusion, rose to prominence.

By prominence, I mean that Sonatype has identified over 12,000 packages published to npm and PyPI alone—the vast majority of them dependency hijacking candidates that received actual downloads.

And time and time (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/what-constitutes-a-software-supply-chain-attack