
10 software supply chain attacks you can learn from

Supply chain attacks are surging — and no one is immune. That has CISOs and boards worried. Learn from these notable software supply chain attacks.

John P. Mello Jr., freelance technology writer

Since the SunBurst attack on SolarWinds in 2020, which included a compromise of the SolarWinds Orion product as well as attacks on Orion customers and other organizations not affiliated with SolarWinds, malicious actors have steadily stepped up their software supply chain attacks. One 2022 survey found that supply chain attacks are affecting 62% of organizations.

And many organizations say they are not prepared to deal with the challenges of protecting their software supply chain. A recent survey of 1,000 CIOs found that 82% of organizations are vulnerable to software supply chain attacks. 

The State of Software Supply Chain Security 2022-23 explores top trends, best practices and more. One thing is clear: Supply chain attacks are surging — and no one is immune. That has made them the center of conversations about cyber risk and cybersecurity with CISOs and boards. 

Here are 10 software supply chain attacks that your team can learn from.


npm

A typosquatting campaign aimed at npm, a popular JavaScript package manager used by some 11 million developers worldwide, was discovered in July by researchers at ReversingLabs. The campaign, known as IconBurst, used dozens of malicious npm modules containing obfuscated JavaScript code to compromise hundreds of downstream desktop apps and websites, ReversingLabs' Karlo Zanki wrote in his threat research blog post.

"Upon closer inspection, we discovered evidence of a coordinated supply chain attack, with a large number of npm packages containing jQuery scripts designed to steal form data from deployed applications that include them."
Karlo Zanki

Zanki explained that the pernicious actor gave the malicious modules names similar to high-traffic modules or names containing common misspellings of those modules, hoping careless developers would use the doctored versions of modules like umbrellajs and packages produced by ionic.io. Since the users of the software and not the developers were the ultimate target of the scheme, the attack is similar to the infamous SolarWinds compromise, he added.

Comparitech estimates that 35,754 customers were affected by the attack.
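The naming trick Zanki describes can be checked for before a package is ever installed. The following is an added example, not code from ReversingLabs or npm: it compares each dependency in a `package.json` against names a team already trusts and reports near-misses. The trusted list, the sample manifest, its version strings and the look-alike names are all constructed for illustration and are not known indicators.

```javascript
// Optimal string alignment distance: insert, delete, substitute, swap adjacent characters.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Drop scope, case and separators so "@scope/Umbrella-JS" compares as "umbrellajs".
function normalize(name) {
  return name.toLowerCase().replace(/^@[^/]+\//, '').replace(/[-_.]/g, '');
}

// Report dependencies that are not trusted themselves but look like a trusted name.
function findLookalikes(manifest, trusted, maxDistance = 2) {
  const trustedSet = new Set(trusted);
  const deps = Object.keys({ ...manifest.dependencies, ...manifest.devDependencies });
  const findings = [];
  for (const dep of deps) {
    if (trustedSet.has(dep)) continue; // exact match on a trusted name
    for (const good of trusted) {
      const target = normalize(good);
      // Short names collide by chance, so allow fewer edits for them.
      const limit = Math.min(maxDistance, Math.floor(target.length / 4));
      const distance = osaDistance(normalize(dep), target);
      if (distance <= limit) findings.push({ dependency: dep, resembles: good, distance });
    }
  }
  return findings;
}

// Constructed sample input: a trusted list and a manifest with three look-alike names.
const trustedNames = ['umbrellajs', 'ionicons', 'express', 'jest'];
const sampleManifest = {
  dependencies: { umbrellajs: '^3.3.0', umbrelajs: '^1.0.0', ionicosn: '^2.0.0', '@acme-example/express': '^1.0.0', express: '^4.18.0' },
  devDependencies: { jest: '^29.0.0' },
};
console.log(findLookalikes(sampleManifest, trustedNames));
```

A finding is a prompt for review rather than proof of malice; a check like this is best run in CI whenever the manifest changes, so a look-alike name is questioned before it reaches a build.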

Python Package Index (PyPI)

The official repository for the Python language, the Python Package Index (PyPI), was compromised in August by phishers who used compromised credentials to publish malware masquerading as a legitimate project upgrade.

In a series of tweets on Twitter, the Python Package Index explained that developers received a message claiming that there is a mandatory "validation" process being implemented, and invited them to follow a link to validate a package, or otherwise risk the package being removed from PyPI.

The link takes the user to a phishing site mimicking PyPI’s login page, which steals any credentials entered, it continued. 

"We have additionally determined that some maintainers of legitimate projects have been compromised, and malware published as the latest release for those projects," PyPI added. "These releases have been removed from PyPI and the maintainer accounts have been temporarily frozen."

Sentinel Threat Researcher Amitai Ben Shushan Ehrlich dubbed the threat actor behind the PyPI attack "JuiceLedger."

"The supply chain attack on PyPi package contributors appears to be an escalation of a campaign begun earlier in the year which initially targeted potential victims through fake cryptocurrency trading applications. The attack on PyPI in August involves a far more complex attack chain, including phishing emails to PyPI developers, typosquatting, and malicious packages intended to infect downstream users with the JuiceStealer malware."
Amitai Ben Shushan Ehrlich

Comparitech estimates 700,000 customers were impacted in the PyPI attack.

Okta

Okta, a provider of authentication services with more than 15,000 clients worldwide, announced in March that it had been victimized in a physical supply chain attack. Hackers from the notorious Lapsus$ group, who claim to have stolen data from the likes of Samsung, Microsoft, and Nvidia, got access to Okta's network by compromising the laptop of a technician at one of the company's third-party vendors, Sykes, which is owned by Sitel, one of the largest call center operators in the world. Once inside Okta's network, the hackers were able to eyeball data on about 2.5% of the company's customers, including $30 billion cybersecurity provider Cloudflare and some 365 others.

Companies often don’t do enough due diligence to check on the security of a third-party provider, Cesar Cerrudo, founder and CEO of Argeniss Software, told Forbes.

“Sometimes you just get asked to sign a checkbox, that you’re [legally] compliant and that you do security and penetration tests or whatever,” he added. “But it’s just a checkbox on a form on a contract.”
Cesar Cerrudo

GitHub OAuth Tokens

In April, GitHub revealed that adversaries obtained OAuth tokens issued to third-party integrators Heroku and Travis CI. The pinched tokens were then used to download data from dozens of GitHub customers who were users of OAuth applications maintained by the integrators. The attacker was spotted on April 12, when they tried to use a compromised AWS API key to access GitHub’s npm production infrastructure. GitHub Chief Security Officer Mike Hanley told TechRadar that the attacker found the API key when downloading multiple private npm repositories.

"Our analysis of other behavior by the threat actor suggests that the actor may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure." 
Mike Hanley

GitHub noted that whoever was behind the attack managed to steal data from affected repositories, but most likely was not able to modify the packages or obtain identity data or account passwords. "npm uses completely separate infrastructure from GitHub.com," Hanley explained.

GitHub was not affected in this original attack, and its investigators found no evidence that other GitHub-owned private repos were cloned by the attacker using stolen third-party OAuth tokens, he said.

Tatsu builder

A massive assault was launched in May against Tatsu, a proprietary no-code page builder for WordPress. The attackers sought to exploit a known Remote Code Execution vulnerability found in both the free and premium versions of the plugin. At its height, the campaign launched 5.9 million attacks against 1.4 million websites and, according to Comparitech, affected 50,000 customers. Tatsu notified all its customers about the situation and advised them to update the software, but it's believed that a quarter of the plugin's installations remain vulnerable.

The threat intelligence team at Wordfence, a WordPress security firm, reported that most of the attacks were probes looking for a vulnerable version of Tatsu. It added that the most common payload for the adversaries was a dropper used to place additional malware in a randomly named subfolder.

The Tatsu attack is another example of third-party software being exploited to compromise a larger target: websites running WordPress.

AccessPress

Researchers at WordPress security firm Jetpack discovered in January 2022 suspicious code in a theme by AccessPress Themes, a popular developer of WordPress plugins and themes whose add-ons are used by more than 360,000 active websites. After further investigation, the researchers discovered the suspicious code in themes and plugins downloaded from the AccessPress website but not from WordPress's directory site, security researcher Harald Eilertsen noted in a blog post.

"Due to the way the extensions were compromised, we suspected an external attacker had breached the website of AccessPress Themes in an attempt to use their extensions to infect further sites."
—Harald Eilertsen

Eventually, the researchers found that the AccessPress Themes websites were breached in the first half of September 2021, and the extensions available for download on its site were injected with a backdoor, which gave threat actors full access to websites that used the poisoned software.

In total, the attackers compromised 40 themes and 53 plugins available at the AccessPress website. The extensions were removed from the site, but the number of websites infected prior to that action remains undetermined.

MailChimp

A social engineering campaign aimed at MailChimp, an email marketing firm, pried credentials from some of the company's employees in March, allowing the online raiders to access internal customer support and management tools, including the API keys of an undisclosed number of clients. An estimated 106,856 customers were affected by the attack, said Comparitech, which tracks supply chain breaches.

API keys and OAuth tokens are highly prized by threat actors because they allow the bandits to launch phishing attacks and expand their malicious activity, as well as allow them to conduct supply chain attacks that can lead to massive data theft. The compromised MailChimp APIs could be used to create custom email campaigns, such as phishing campaigns, and send them to mailing lists without accessing MailChimp's customer portal. MailChimp acknowledged that unauthorized API access was used to conduct phishing campaigns against stolen contacts, noted Scott Gerlach, co-founder and CSO of StackHawk, an API security testing provider.

"API security is still an afterthought for many organizations. It usually doesn't come into play until after an API has already been deployed, or in other cases, organizations are using legacy tooling not built to test APIs thoroughly, leaving vulnerabilities like cross-site scripting and injection attacks undiscovered."
Scott Gerlach

FishPig

A provider of Magento-WordPress integration software had its infrastructure invaded by hackers in August. The raiders injected malicious code into two Fishpig products, Magento Security Suite and WordPress Multisite, in order to get access to websites using the products. The attacks appear to have affected paid Fishpig extensions but not the free extensions hosted on GitHub.

Researchers at the e-commerce security company Sansec explained in a blog post that the attackers added code to a file normally used to validate a Fishpig license. When a Magento staff user visits the Fishpig control panel in the Magento backend, the malware downloads a Linux binary from a site in the UK. The name of the binary, lic.bin, may make it look like a license asset, but it is actually the Rekoobe remote access trojan.

The researchers explained that, after launching a configuration file, Rekoobe removes all malware files and remains in memory. It hides as a system process and mimics one of several system services.

The number of Magento e-commerce stores affected by the attack remains unknown, although the Fishpig software has over 200,000 downloads.

Comm100

Comm100, a Canadian commercial chat provider with 15,000 customers in 51 countries, had the installer to its flagship software hijacked in September by what's believed to be a threat actor linked to China. The installer was modified to backdoor the machines of victims and then import additional malware. Because the tampered installers have a valid digital signature, they were not detected by antivirus software.

In a statement, Comm100 said the root cause of the incident was a compromised Windows packaging server. It noted that 2% of the company's installed user base was affected by the incident, a base that includes companies in the industrial, healthcare, technology, manufacturing, insurance and telecommunications sectors in North America and Europe. 

It added that the PCI and HIPAA compliance status of the processing environment had not been affected by the incident, and all material data processing was in compliance with applicable laws, regulations, and standards.

FakeUpdates

A media company that serves hundreds of newspapers across the United States began infecting those outlets with malware in November. Although it did not name the media company, cybersecurity firm Proofpoint noted that a JavaScript file that's being downloaded by the firm's clients is being used to distribute the SocGholish JavaScript malware framework, also known as FakeUpdates. "More than 250 regional/national newspaper sites have accessed the malicious Javascript. The actual number of impacted hosts is known only by the impacted media company," Proofpoint tweeted.

The company explained that a threat actor it has tagged as TA569 injects SocGholish into the JavaScript file that's downloaded by the news website. Visitors to the site are then prompted to download a fake update. In this case it's a browser update, Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, told TechCrunch.

“If the victim downloads and executes this ‘fakeupdate’ they will be infected by the SocGholish payload. This attack chain requires interaction from the end user at two points: accepting the download and executing the payload.”
Sherrod DeGrippo

Although it's unclear how the media company's JavaScript was compromised, DeGrippo noted that TA569 has a demonstrated history of compromising content management systems and hosting accounts.
