How to secure DevOps
Lightbulb 
[Image: devops-security-hybrid-featured.jpg]

Supply-chain attacks through public repositories have become more frequent of late. Here’s how to deal with them.

Last month, IT news websites reported that RubyGems, the official channel for distributing libraries for the Ruby programming language, had been poisoned. An attacker uploaded fake packages containing a malicious script, so all programmers who used the code in their projects unwittingly infected users’ computers with malware that changed cryptocurrency wallet addresses.

Of course, it was not the first supply-chain attack to exploit a public repository. But this type of scenario seems to be gaining popularity, which is no surprise; one successful attack can compromise tens or hundreds of thousands of users. It all depends on the popularity of the software developed using code from the poisoned repository.

How do malicious packages get into repositories?

In the case of RubyGems, the cybercriminal created lots of projects in the repository with names similar to popular legitimate packages. Known as typosquatting, the technique relies on developers incorrectly entering the name of a package and downloading a malicious one by mistake, or, after getting a list of names of packages from a search query, not knowing which of them is genuine. The tactic, generally considered the most common for cyberpoisoning, has been deployed in attacks through the Python Package Index and in uploading fake images to Docker Hub.

In the Copay cryptocurrency wallet incident, the attackers used a library whose repository was hosted on GitHub. Its creator lost interest and gave away the administrator rights, compromising the popular library, which many developers used in their products.

Sometimes, cybercriminals are able to use the account of a legitimate developer without the latter’s knowledge and substitute fake packages for real ones. That happened in the case of ESLint, whose libraries were hosted in the npm (Node Package Manager) online database.

Compromise of the compilation environment

Companies developing software products are also potentially interesting targets for APT actors. Instances of their targeting the clients of such companies periodically attract the attention of security experts:
  • In August 2017, some APT actors outfitted software created by NetSarang with malicious modules. According to investigators, the attackers may have compromised the software build servers.
  • In 2018, cybercriminals infected the Piriform application build server, after which CCleaner program builds with clean source code were weaponized during compilation.
  • In 2019, our experts discovered the ShadowHammer APT campaign, during which malefactors embedded a backdoor into software products from several companies. According to the results of the investigation, the attackers either had access to the source code or introduced malicious code at the compilation stage.
Compromise of the compilation environment not only allows the “infection” of the final product, but it also leads to the distribution of weaponized malware carrying a legitimate digital signature from a trustworthy developer. That is why the development process needs enhanced protection against outside interference.
...
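The typosquatting pattern described in the post (a malicious package whose name is one keystroke away from a popular one) can be caught before installation by comparing requested dependency names against a vetted allowlist. The following Python script is an added example and is not code from the original article or from any package index; the allowlist KNOWN_GOOD and the SAMPLE_REQUIREMENTS text are constructed for illustration, and the distance threshold of 2 is an assumption you would tune to your own dependency inventory.

```python
"""Flag dependency names that look like typosquats of vetted packages.

Added example, not code from the original article. The allowlist and the
sample requirements below are constructed; in practice the allowlist would
come from the organisation's approved-dependency inventory.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical allowlist of packages the team has already vetted (constructed).
KNOWN_GOOD = {"requests", "urllib3", "numpy", "cryptography", "colorama", "setuptools"}

# Digit-for-letter lookalikes a squatter might use (e.g. "crypt0graphy").
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def canonical(name: str) -> str:
    """PEP 503 normalisation: lower-case, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name.strip().lower())


def fold(name: str) -> str:
    """Looser form used only for distance: drop separators, map confusables."""
    return canonical(name).replace("-", "").translate(_CONFUSABLES)


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, and
    adjacent transposition each cost 1 (so 'reqeusts' vs 'requests' is 1)."""
    prev2 = None                      # row i-2
    prev = list(range(len(b) + 1))    # row i-1
    for i, ca in enumerate(a, start=1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


@dataclass
class Finding:
    requested: str   # name exactly as written in the requirements file
    lookalike: str   # vetted package it resembles
    distance: int    # edit distance between the folded forms


def parse_requirements(text: str) -> list[str]:
    """Pull bare package names out of requirements.txt-style lines."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # strip comments
        if not line or line.startswith("-"):      # skip blanks and pip options
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(m.group(1))
    return names


def check_typosquats(names, known=KNOWN_GOOD, max_distance=2) -> list[Finding]:
    """Report requested names that are not vetted but sit within
    max_distance edits of a vetted name. Exact (PEP 503) matches pass."""
    known_canonical = {canonical(k): k for k in known}
    findings = []
    for req in names:
        if canonical(req) in known_canonical:
            continue                              # vetted package, any spelling of separators/case
        best = None
        for can, original in known_canonical.items():
            d = damerau_levenshtein(fold(req), fold(can))
            if d <= max_distance and (best is None or d < best.distance):
                best = Finding(req, original, d)
        if best is not None:
            findings.append(best)
    return findings


# Constructed requirements file mixing legitimate and lookalike names.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt for this example
requests==2.31.0
reqeusts==2.31.0        # transposition of 'requests'
python-dateutil>=2.8    # not vetted, but not close to anything vetted either
urlib3                  # dropped character
crypt0graphy            # digit-for-letter substitution
Colorama                # case difference only: passes
"""

if __name__ == "__main__":
    for f in check_typosquats(parse_requirements(SAMPLE_REQUIREMENTS)):
        print(f"SUSPECT {f.requested!r}: resembles vetted {f.lookalike!r} (distance {f.distance})")
```

Run it as a pre-install gate in CI: anything it reports should be resolved by a human before `pip install` runs, and unknown names that are far from every vetted package (python-dateutil above) still need the normal review path; the distance check only catches the lookalike class of attack, not a wholly new malicious package or a hijacked legitimate one.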