Compromised code repositories highlight supply chain risk

According to Black Hat USA 2022 attendee report, the IT professionals' top worries are of course phishing and targeted attacks (usually featuring destructive ransomware). However, a growing proportion of those surveyed now see an increased risk from attacks on suppliers, contractors, or other partners connected to an organization’s network.

Compromising an application provider or a trusted supplier is very valuable from the attacker's point of view. Consider an application provider that markets, say, an ERP application to thousands of customers. Injecting malware to a regular update of such ERP provides direct foothold into thousands of internal organization networks. These so called supply chain attacks are increasingly explored by threat actors.

An example of a successful supply chain attack is Sunburst, perpetrated against software vendor SolarWinds back in 2020. The culprits managed to to compromise the company's build servers and insert a backdoor into the company's popular monitoring tool Orion. This was later delivered as an update (digitally signed!) to roughly 18,000 SolarWinds customers (including Fortune 500 Companies).

Currently, the attacker's focus seems to be injecting malware into public code repositories which host libraries and code components used by thousands of developers.

Recently, Checkpoint has identified 10 malicious packages on PyPI, the leading Python package index used by PYthon developers.

The attackers will take over or even impersonate popular software packages, in order to prevent users from realizing they're using a fake malicious package. The malicious script embedded in the package will usually search and harvest passwords, keys and other sensitive data found on the developer's computer.

The PyPi maintainers have tried tackle repository takeover by introducing MFA. However, this will not help against impersonation: for ex. Sonatype found that some 300 developers had downloaded a malicious package for distributing Cobalt Strike called "Pymafka" from the PyPI registry, thinking it was "PyKafka," a legitimate and widely downloaded software component.

Addressing application supplier risk will require focus on both the supplier's and the customer's side.

Companies producing and selling software will need a more diligent vetting effort when including 3rd party libraries into its coding process, especially those sourced from public repositories. Customers will need more real time insights when running applications on both servers and endpoint devices. Endpoint detection and response solutions should address at least some of the risks.