Add supply chain catalog (#284)

root README that introduces the topic (taking some
text from in-toto assessment that I re-wrote for this context)

additional README for /compromises sub-directory, 
so that the (future) solutions can be separate
from the catalog of past compromises.

supply-chain-security/README.md

@@ -0,0 +1,20 @@
+Software Supply Chain 
+=====================
+
+Supply chain compromises are a powerful attack vector. In cloud native
+deployments everything is software-defined, so there is increased risk when
+there are vulnerabilities in this area. If an attacker controls the supply
+chain, they can potentially reconfigure anything in an insecure way.
+
+# What are supply chain vulnerabilities and their implications?
+
+The [Catalog of Supply Chain Compromises](./compromises) provides real-world 
+examples that help raise awareness and provide detailed information that 
+let's us understand attack vectors and consider how to mitigate potential
+risk.
+
+# On mitigating vulnerabilities
+
+There is on-going work to establish best practices in this area.  
+
+

supply-chain-security/compromises/2003/gentoo-rsync.md

@@ -0,0 +1,13 @@
+# Gentoo Incident
+
+Attackers used a remote exploit to compromise an rsync.gentoo.org machine
+holding a copy of the emerge repository and implant a rootkit 
+
+## Impact
+
+N/A
+
+## Type of compromise
+
+The attackers were able to compromise filesystem of the source code repository
+and thus possibly (but highly unlikely) serve malicious packages to users.

supply-chain-security/compromises/2010/aurora.md

@@ -0,0 +1,20 @@
+# Operation Aurora
+
+The hackers could have access to software configuration management systems
+(SCM) in many companies including Google and Adobe. This allowed them to steal
+the source code or make stealthy changes in the source of the many products.
+
+The SCM was developed by a company called Perforce. This system has had some
+known vulnerabilities (detected by McAfee).  The attacker most likely exploited
+those security holes to gain unauthorized access to the system.
+
+## Impact
+
+More than 34 organizations affected, including Symanted, Northrop Grumman,
+Morgan Stanley, Dow chemical, Yahoo, Rackspace, Adobe and Google.
+
+## Type of compromise
+
+The attacker was able to compromise different tools used within the
+organizations to target their version control systems and exfiltrate source
+code and sensitive data.

supply-chain-security/compromises/2010/proftpd.md

@@ -0,0 +1,13 @@
+# ProFTPD hack
+
+A source code repository server of an open-source project (ProFTPD) was hacked
+by unknown attackers who planted a backdoor in the source code.
+
+## Impact
+
+N/A
+
+## Type of compromise
+
+The attackers seem to have been able to hack the source code repository but not
+developer keys.

supply-chain-security/compromises/2014/code-spaces.md

@@ -0,0 +1,13 @@
+# Code Space Incident
+
+Code Spaces, a cloud base service offering project management and code repositories, 
+was hacked and many repositories, backups, etc. were deleted by the attacker.
+
+## Impact
+
+N/A
+
+## Type of compromise
+
+It appears attackers had access to the source code hosting infrastructure,
+but not to developer keys.

supply-chain-security/compromises/2014/monju.md

@@ -0,0 +1,18 @@
+# Monju Incident
+
+The attackers subverted the distribution server of GOM Player software 
+and delivered a malicious version of the software to users. 
+Upon connecting to the application website to update the installed software, 
+users were redirected to a different website, controlled by the attackers.
+As a result, the users received a modified version of the software bundled with a Trojan.
+
+## Impact
+
+The attack affected machines at Monju fast breeder reactor facility in Japan.
+However, it it unclear whether other machines who tried 
+to upate their GOM Player software were infected. 
+
+## Type of compromise
+
+Attackers could have access to the publishing infrastructure, 
+but did not sign the delivered product.

supply-chain-security/compromises/2015/ceph-and-inktank.md

@@ -0,0 +1,14 @@
+# Ceph and Inktank
+
+Malicious applications on RedHat servers were signed by a compromised key on
+the Ceph infrastructure and it's public-facing counterpart Inktank
+
+## Impact
+
+Unknown at the time of the writing, yet no signs of clear compromise are
+available.
+
+## Type of compromise
+
+The development platform ceph was compromised, as well as its signing gpg key.
+The public facing component Inktank was also compromised.

supply-chain-security/compromises/2015/juniper.md

@@ -0,0 +1,16 @@
+# Juniper Incident
+
+The Juniper attack was done by inserting malicious code in the operating system
+of Juniper NetScreen VPN routers. This unauthorized code enabled remote
+administrative access, and allowed passive decryption of VPN traffic. The first
+vulnerability was done by implanting back door in the SSH password checker and
+the second one happened by compromising a pseudorandom number generator.
+
+## Impact
+
+N/A
+
+## Type of compromise
+
+It appears attackers had access to a the source code hosting infrastructure,
+but not to developer keys.

supply-chain-security/compromises/2015/xcodeghost.md

@@ -0,0 +1,15 @@
+# XCodeGhost
+
+The attacker could distribute a fake version of developer tools used by iOS
+developers. The Xcode development tools used by iOS app makers was modified by
+hackers to inject malicious code into apps on the App Store aiming to phish
+passwords and URLs through the infected apps.
+
+## Impact
+
+At least 350 apps, including WeChat, which affected hundreds of millions of
+users alone.
+
+## Type of compromise
+
+This was a counterfeit artifact delivered to developers.

supply-chain-security/compromises/2016/fosshub.md

@@ -0,0 +1,17 @@
+# Fosshub Breah
+
+Hackers compromised FOSSHub, a popular file hosting service, 
+and replaced the legitimate installer of several applications with malicious copies.
+
+Note that some software projects such as Classic Shell, qBittorrent, Audacity, MKVToolNix, and others 
+use as their primary file download service.
+
+
+## Impact
+
+Users who downloaded Classic Shell and Audacity software packages from FOSSHub 
+in the first week of August 2016, were affected by Fosshub breach.
+
+## Type of compromise
+
+Attackers compromised the publishing infrastructure.

supply-chain-security/compromises/2016/keydnap.md

@@ -0,0 +1,16 @@
+# Keydnap
+
+The download server of the torrent client Transmission was hacked and a
+malicious version of the client was uploaded. The malicious copy of the
+software was signed using a legitimate certificate (which appears to be stolen
+from the Apple developer program).
+
+## Impact
+
+N/A
+
+## Type of compromise
+
+The publishing infrastructure was affected, plus a developer certificate (by
+someone not associated with Transmission) was used to sign and allow for a
+legitimate-looking installation

supply-chain-security/compromises/2016/mint.md

@@ -0,0 +1,14 @@
+# Hacked Linux Mint
+
+Attackers breached the website of Linux Mint, 
+the third most-popular Linux operating system,
+and pointed users to malicious download links that contained a backdoored version of Linux Mint.
+
+
+## Impact
+
+The backdoored version of Linux Mint was downloaded by hundreds of users on February 20th, 2016. 
+
+## Type of compromise
+
+Attackers compromised the publishing infrastructure, but not developer keys.

supply-chain-security/compromises/2017/bitcoingold.md

@@ -0,0 +1,16 @@
+# Bitcoin Gold
+
+A backdoored version of Bitcoin wallet was planted by the attackers who gained
+access to the GitHub repository. As a result, those users who downloaded the
+infected version instead of the official one might have lost their private keys
+if they created new wallets using this malicious software.
+
+## Impact
+
+Users who downloaded the compromised wallet during a window of 4.5 days may
+have their private keys compromises.
+
+## Type of compromise
+
+The attackers seem to have been able to access the version control system but
+not to sign on behalf of developers.

supply-chain-security/compromises/2017/ccleaner.md

@@ -0,0 +1,22 @@
+# Foxif/CCleaner
+
+An affected version of CCleaner installs a malware before installing CCleaner.
+This malicious version is signed using a valid certificate and has been
+delivered to the users by the legitimate CCleaner download servers.
+
+As the affected version of CCleaner was signed by a valid signature, there are
+some possibilities. The signing process of the development, build or packaging
+step might have being compromised. Also it could be a malicious insertion in
+any step right before the product of that step was signed.
+
+## Effect
+
+The impact could've been severe as CCleaner had 2 billion downloads as of
+November 2016 with almost 5 million new users per week.
+
+## Type of compromise
+
+It appears the attackers could've accomplished by either compromising the
+version control system, the packaging or the publishing infrastructure. For the
+last step, they would've have to been able to compromise the signing key that
+signs for official CCLeaner releases.

supply-chain-security/compromises/2017/elmedia.md

@@ -0,0 +1,13 @@
+# Elmedia player hack
+
+Attackers could hack the Eltima’s download servers and then distributed two
+applications, Folx and Elmedia Player, with a malware.
+
+## Impact
+
+It appears that the impact of the attack ranges in the hundreds of users.
+
+## Type of compromise
+
+The attackers were able to compromise the publishing infrastructure for Eltima,
+the software vendor for the Elmedia player and Folx.

supply-chain-security/compromises/2017/expensivewall.md

@@ -0,0 +1,19 @@
+# ExpensiveWall
+
+A malware injected in a free Android app (wallpaper) would secretly register
+victims for paid services. The malicious code in the app  came from a
+compromised software development kit (SDK) that Android developers used.
+Notbaly, Expensive Wall used obfuscation methods to hide malicious code which
+could bypass anti-virus protections.
+
+## Impact
+
+At least 5,904,511 devices were affected, and up to a maximum of 21,101,567, as
+reported on [this technical
+report](https://research.checkpoint.com/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/)
+
+## Type of compromise
+
+The attackers were able to compromise the toolchains of the developer machines
+and introduce a backdoor in the resulting apps. As such, developer keys can be
+assumed to be compromised.

supply-chain-security/compromises/2017/hacktask.md

@@ -0,0 +1,15 @@
+# HackTask
+
+HackTask  used typosquatting to register packages that had names similar to
+popular libraries on the npm registry. As a result, the attacker could steal
+developer credentials.
+
+## Impact
+
+38 typosquatted JS packages were found on the npm repositories. These packages
+were downloaded at least 700 times during the two week period that the
+compromise spanned.
+
+## Type of compromise
+
+A typosquat attack does not require compromising any type of infrastructure.

supply-chain-security/compromises/2017/handbrake.md

@@ -0,0 +1,15 @@
+# Handbrake
+
+A popular video converter, HandBrake, for Mac systems was hacked by replacing
+the app on one of the download servers with a malicious copy. So the attackers
+could gain admin privileges on victims’ systems.
+
+## Impact
+
+N/A
+
+## Type of compromise
+
+It appears the attackers compromised the publishing infrastructure. Since no
+code-signing was involved, the attacker didn't require to compromise any key,
+but rather just the infrastructure.

supply-chain-security/compromises/2017/kingslayer.md

@@ -0,0 +1,24 @@
+# Kingslayer 
+
+Attackers could breach the download server of an application (used by system
+administrators to analyze Windows logs) and replaced the legitimate application
+and updates with a signed malicious version. 
+
+## Impact
+
+Organizations who used Alpha's free license edition software (the compromised
+version) include:
+
+- 4 major telecommunication providers
+- 10+ western millitary organizations
+- 24+ Fortune 500 companies
+- 5 major defense contractors
+- 36+ Major IT product manufacturers or solutions providers
+- 24+ western government organizations
+- 24+ banks and financial institutions
+- 45+ higher educational institutions
+
+## Type of compromise
+
+The attacker had access to the publishing infrastructure (i.e., the download
+server) and to the signing key of the packager.

supply-chain-security/compromises/2017/notpetya.md

@@ -0,0 +1,21 @@
+# NotPetya 
+
+NotPetya compromised the software infrastructure to tamper the patch code. It
+infected the update server of an Ukrainian accounting software called MeDoc. As
+a result, the attackers could inject a backdoor into the MeDoc application
+which allowed the delivery of a ransomware and stealing credentials. Having
+control over the update server, the attackers were able to update the infected
+machines with a new malicious version. 
+
+Note that it seems unlikely that the attackers could plant such stealthy
+backdoor without having access to MeDoc’s source code. 
+
+## Impact
+
+N/A
+
+## Type of compromise
+
+The attackers seem to have been able to compromise software publishing
+infrastructure, update servers and probably the version control system for
+MeDoc, as well as signing keys for updates.

supply-chain-security/compromises/2018/colourama.md

@@ -0,0 +1,18 @@
+# Colourama
+
+Colourama used typosquatting to register a package that had similar name to
+Colorama, one of is one of the top 20 most downloaded legitimate modules
+in the PyPI registry with 1 million downloads on a daily basis. The colourama
+package contains a malware which targets Windows machines to implement a
+cryptocurrency clipboard hijacker. As a result, was able to divert any
+Bitcoin payment from victim machines to the attacker's bitcoin address.
+
+## Impact
+
+Colourama was registered early in December 2017. It is not clear how many times
+the malicious package have been downlaoded since then. According to a report by
+Medium, it was downloaded 55 times in October 2018.
+
+## Type of compromise
+
+A typosquat attack does not require compromising any type of infrastructure.

supply-chain-security/compromises/2018/dofoil.md

@@ -0,0 +1,16 @@
+# Dofoil
+
+Attackers compromised an update server and replaced a popular
+BitTorrent client called MediaGet with a signed backdoored binary
+to spread a malicious cryptocurrency miner.
+
+
+## Impact
+
+The attack could successfully taget over 400,000 PCs mostly in
+Russia, Turkey, and Ukraine.
+
+## Type of compromise
+
+The attackers seem to have been able to compromise the 
+publishing infrastructure, as well as the signing key of the package.