https://kerkour.com/supply-chain-attacks-and-backdoored-dependencies

Sylvain Kerkour

Home About My Book Subscribe

(Ab)using technology for fun & profit. Creator of Bloom and author of
Black Hat Rust.

We're sorry but this website doesn't work properly without JavaScript
enabled. Please enable it to continue.

Let's talk about supply chain attacks and backdoored dependencies

Thu, Apr 21, 2022

ostrich
The software industry when we hear the word "security"

There is no one month without some popular dependencies found to be
compromised or backdoored.

I've already written about how easy it is to insert a stealth
backdoor in a software package, so today we are going to see how
attackers get write access to the packages in the first place.

Supply chain attacks in practice

What makes supply chain attacks particularly attractive is that they
are cheap and easy to execute as they (most of the time) don't
require exploits, the attack surface is huge, they can have a large
reach, with packages downloaded 1M+ times a week for example, and
because they allow remote code execution on developers' machines, the
exfiltrated data and credentials can be used to reach even more
targets which make them a good way to spread a worm.

Compromised CI/CD infrastructure

Most companies do not monitor and protect their CI/CD infrastructure
the same way that they defend their production systems. As a result,
a lot of CI/CD pipelines rely on outdated software with
vulnerabilities.

Once compromised, the CI/CD infrastructure can not only be used to
backdoor the projects that go through it, but also to steal
environment variables and perform lateral movements.

You can read more about compromised CI/CD pipelines in this excellent
post by nccgroup.

Dependency confusion

Dependency confusion attacks rely on the fact that some package
repositories silently serve a public package with the same name as a
private package. So when a private, internal package is requested, a
public package, controlled by an attacker, is served instead, which
leads to remote code execution.

You can read more about this family of sneaky attacks in this
excellent write-up.

Compromised credentials

Whether it be by phishing, database hacks, or malware, it's more and
more common to see sales of compromised credentials on hacking
forums, which then can then be used to get write access to software
packages.

How to prevent this kind of attack? MFA, MFA, MFA!

Compromised Publish Keys

More worrisome is the compromission of Publish Keys/Tokens. In
contrary to compromised usernames/passwords, there is no Multi-Factor
Authentication available for tokens. Furthermore, they are very
rarely rotated in the real world.

Compromised Cookies

In the same way that tokens can be stolen, authentication cookies can
also be stolen, sold on hacking forums, and then reused by attackers
to impersonate a developer who has access to a software repository.

One recent example of such a technique was EA Games' hack, where
hackers bought stolen cookies to impersonate an employee on a Slack
workspace, and then social engineer system administrators to get more
access to EA's systems.

Unfortunately, from a user's perspective, it's very hard to protect
against this kind of attack, and it's up to the service providers to
implement short-lived authentication tokens.

Compromised Git servers

Another possibility for attackers is to directly compromise the
servers hosting the source code of the packages. While rarer than
other attacks, due to the prevalence of Cloud-hosted Git services,
I've myself found many, many misconfigured or vulnerable GitLab
instances.

One notable example is the hack of PHP's Git server, where attackers
were able to push 2 malicious commits.

Some Closing Thoughts

Are supply chain attacks and backdoor unstoppable?

I don't think so, but I think that the current model of centralized
package managers needs to end. Centralized package repositories add
layers of obfuscation and complexity, which is only good for
attackers.

I think that today, Go has the best approach to supply chain security
: Git-based dependency distribution, which enables easier auditing, a
centralized database of modules' content so that everybody get the
same code for a given module@version, and no build-time scripts.

1 email / week to learn how to (ab)use technology for fun & profit:
Programming, Hacking & Entrepreneurship.
We're sorry but this website doesn't work properly without JavaScript
enabled. Please enable it to continue.
[                    ] Subscribe
I hate spam even more than you do. I'll never share your email, and
you can unsubscribe at any time.
---------------------------------------------------------------------
Tag: hacking
[black_hat_]

Want to learn Rust, Cryptography and Security? Get my book Black Hat
Rust!