-
Notifications
You must be signed in to change notification settings - Fork 507
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
root README that introduces the topic (taking some text from in-toto assessment that I re-wrote for this context) additional README for /compromises sub-directory, so that the (future) solutions can be separate from the catalog of past compromises.
- Loading branch information
1 parent
6a830ff
commit 20db6ee
Showing
29 changed files
with
528 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
Software Supply Chain | ||
===================== | ||
|
||
Supply chain compromises are a powerful attack vector. In cloud native | ||
deployments everything is software-defined, so there is increased risk when | ||
there are vulnerabilities in this area. If an attacker controls the supply | ||
chain, they can potentially reconfigure anything in an insecure way. | ||
|
||
# What are supply chain vulnerabilities and their implications? | ||
|
||
The [Catalog of Supply Chain Compromises](./compromises) provides real-world | ||
examples that help raise awareness and provide detailed information that | ||
let's us understand attack vectors and consider how to mitigate potential | ||
risk. | ||
|
||
# On mitigating vulnerabilities | ||
|
||
There is on-going work to establish best practices in this area. | ||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
# Gentoo Incident | ||
|
||
Attackers used a remote exploit to compromise an rsync.gentoo.org machine | ||
holding a copy of the emerge repository and implant a rootkit | ||
|
||
## Impact | ||
|
||
N/A | ||
|
||
## Type of compromise | ||
|
||
The attackers were able to compromise filesystem of the source code repository | ||
and thus possibly (but highly unlikely) serve malicious packages to users. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
# Operation Aurora | ||
|
||
The hackers could have access to software configuration management systems | ||
(SCM) in many companies including Google and Adobe. This allowed them to steal | ||
the source code or make stealthy changes in the source of the many products. | ||
|
||
The SCM was developed by a company called Perforce. This system has had some | ||
known vulnerabilities (detected by McAfee). The attacker most likely exploited | ||
those security holes to gain unauthorized access to the system. | ||
|
||
## Impact | ||
|
||
More than 34 organizations affected, including Symanted, Northrop Grumman, | ||
Morgan Stanley, Dow chemical, Yahoo, Rackspace, Adobe and Google. | ||
|
||
## Type of compromise | ||
|
||
The attacker was able to compromise different tools used within the | ||
organizations to target their version control systems and exfiltrate source | ||
code and sensitive data. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
# ProFTPD hack | ||
|
||
A source code repository server of an open-source project (ProFTPD) was hacked | ||
by unknown attackers who planted a backdoor in the source code. | ||
|
||
## Impact | ||
|
||
N/A | ||
|
||
## Type of compromise | ||
|
||
The attackers seem to have been able to hack the source code repository but not | ||
developer keys. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
# Code Space Incident | ||
|
||
Code Spaces, a cloud base service offering project management and code repositories, | ||
was hacked and many repositories, backups, etc. were deleted by the attacker. | ||
|
||
## Impact | ||
|
||
N/A | ||
|
||
## Type of compromise | ||
|
||
It appears attackers had access to the source code hosting infrastructure, | ||
but not to developer keys. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
# Monju Incident | ||
|
||
The attackers subverted the distribution server of GOM Player software | ||
and delivered a malicious version of the software to users. | ||
Upon connecting to the application website to update the installed software, | ||
users were redirected to a different website, controlled by the attackers. | ||
As a result, the users received a modified version of the software bundled with a Trojan. | ||
|
||
## Impact | ||
|
||
The attack affected machines at Monju fast breeder reactor facility in Japan. | ||
However, it it unclear whether other machines who tried | ||
to upate their GOM Player software were infected. | ||
|
||
## Type of compromise | ||
|
||
Attackers could have access to the publishing infrastructure, | ||
but did not sign the delivered product. |
14 changes: 14 additions & 0 deletions
14
supply-chain-security/compromises/2015/ceph-and-inktank.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
# Ceph and Inktank | ||
|
||
Malicious applications on RedHat servers were signed by a compromised key on | ||
the Ceph infrastructure and it's public-facing counterpart Inktank | ||
|
||
## Impact | ||
|
||
Unknown at the time of the writing, yet no signs of clear compromise are | ||
available. | ||
|
||
## Type of compromise | ||
|
||
The development platform ceph was compromised, as well as its signing gpg key. | ||
The public facing component Inktank was also compromised. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
# Juniper Incident | ||
|
||
The Juniper attack was done by inserting malicious code in the operating system | ||
of Juniper NetScreen VPN routers. This unauthorized code enabled remote | ||
administrative access, and allowed passive decryption of VPN traffic. The first | ||
vulnerability was done by implanting back door in the SSH password checker and | ||
the second one happened by compromising a pseudorandom number generator. | ||
|
||
## Impact | ||
|
||
N/A | ||
|
||
## Type of compromise | ||
|
||
It appears attackers had access to a the source code hosting infrastructure, | ||
but not to developer keys. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
# XCodeGhost | ||
|
||
The attacker could distribute a fake version of developer tools used by iOS | ||
developers. The Xcode development tools used by iOS app makers was modified by | ||
hackers to inject malicious code into apps on the App Store aiming to phish | ||
passwords and URLs through the infected apps. | ||
|
||
## Impact | ||
|
||
At least 350 apps, including WeChat, which affected hundreds of millions of | ||
users alone. | ||
|
||
## Type of compromise | ||
|
||
This was a counterfeit artifact delivered to developers. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
# Fosshub Breah | ||
|
||
Hackers compromised FOSSHub, a popular file hosting service, | ||
and replaced the legitimate installer of several applications with malicious copies. | ||
|
||
Note that some software projects such as Classic Shell, qBittorrent, Audacity, MKVToolNix, and others | ||
use as their primary file download service. | ||
|
||
|
||
## Impact | ||
|
||
Users who downloaded Classic Shell and Audacity software packages from FOSSHub | ||
in the first week of August 2016, were affected by Fosshub breach. | ||
|
||
## Type of compromise | ||
|
||
Attackers compromised the publishing infrastructure. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
# Keydnap | ||
|
||
The download server of the torrent client Transmission was hacked and a | ||
malicious version of the client was uploaded. The malicious copy of the | ||
software was signed using a legitimate certificate (which appears to be stolen | ||
from the Apple developer program). | ||
|
||
## Impact | ||
|
||
N/A | ||
|
||
## Type of compromise | ||
|
||
The publishing infrastructure was affected, plus a developer certificate (by | ||
someone not associated with Transmission) was used to sign and allow for a | ||
legitimate-looking installation |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
# Hacked Linux Mint | ||
|
||
Attackers breached the website of Linux Mint, | ||
the third most-popular Linux operating system, | ||
and pointed users to malicious download links that contained a backdoored version of Linux Mint. | ||
|
||
|
||
## Impact | ||
|
||
The backdoored version of Linux Mint was downloaded by hundreds of users on February 20th, 2016. | ||
|
||
## Type of compromise | ||
|
||
Attackers compromised the publishing infrastructure, but not developer keys. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
# Bitcoin Gold | ||
|
||
A backdoored version of Bitcoin wallet was planted by the attackers who gained | ||
access to the GitHub repository. As a result, those users who downloaded the | ||
infected version instead of the official one might have lost their private keys | ||
if they created new wallets using this malicious software. | ||
|
||
## Impact | ||
|
||
Users who downloaded the compromised wallet during a window of 4.5 days may | ||
have their private keys compromises. | ||
|
||
## Type of compromise | ||
|
||
The attackers seem to have been able to access the version control system but | ||
not to sign on behalf of developers. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
# Foxif/CCleaner | ||
|
||
An affected version of CCleaner installs a malware before installing CCleaner. | ||
This malicious version is signed using a valid certificate and has been | ||
delivered to the users by the legitimate CCleaner download servers. | ||
|
||
As the affected version of CCleaner was signed by a valid signature, there are | ||
some possibilities. The signing process of the development, build or packaging | ||
step might have being compromised. Also it could be a malicious insertion in | ||
any step right before the product of that step was signed. | ||
|
||
## Effect | ||
|
||
The impact could've been severe as CCleaner had 2 billion downloads as of | ||
November 2016 with almost 5 million new users per week. | ||
|
||
## Type of compromise | ||
|
||
It appears the attackers could've accomplished by either compromising the | ||
version control system, the packaging or the publishing infrastructure. For the | ||
last step, they would've have to been able to compromise the signing key that | ||
signs for official CCLeaner releases. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
# Elmedia player hack | ||
|
||
Attackers could hack the Eltima’s download servers and then distributed two | ||
applications, Folx and Elmedia Player, with a malware. | ||
|
||
## Impact | ||
|
||
It appears that the impact of the attack ranges in the hundreds of users. | ||
|
||
## Type of compromise | ||
|
||
The attackers were able to compromise the publishing infrastructure for Eltima, | ||
the software vendor for the Elmedia player and Folx. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
# ExpensiveWall | ||
|
||
A malware injected in a free Android app (wallpaper) would secretly register | ||
victims for paid services. The malicious code in the app came from a | ||
compromised software development kit (SDK) that Android developers used. | ||
Notbaly, Expensive Wall used obfuscation methods to hide malicious code which | ||
could bypass anti-virus protections. | ||
|
||
## Impact | ||
|
||
At least 5,904,511 devices were affected, and up to a maximum of 21,101,567, as | ||
reported on [this technical | ||
report](https://research.checkpoint.com/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/) | ||
|
||
## Type of compromise | ||
|
||
The attackers were able to compromise the toolchains of the developer machines | ||
and introduce a backdoor in the resulting apps. As such, developer keys can be | ||
assumed to be compromised. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
# HackTask | ||
|
||
HackTask used typosquatting to register packages that had names similar to | ||
popular libraries on the npm registry. As a result, the attacker could steal | ||
developer credentials. | ||
|
||
## Impact | ||
|
||
38 typosquatted JS packages were found on the npm repositories. These packages | ||
were downloaded at least 700 times during the two week period that the | ||
compromise spanned. | ||
|
||
## Type of compromise | ||
|
||
A typosquat attack does not require compromising any type of infrastructure. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
# Handbrake | ||
|
||
A popular video converter, HandBrake, for Mac systems was hacked by replacing | ||
the app on one of the download servers with a malicious copy. So the attackers | ||
could gain admin privileges on victims’ systems. | ||
|
||
## Impact | ||
|
||
N/A | ||
|
||
## Type of compromise | ||
|
||
It appears the attackers compromised the publishing infrastructure. Since no | ||
code-signing was involved, the attacker didn't require to compromise any key, | ||
but rather just the infrastructure. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
# Kingslayer | ||
|
||
Attackers could breach the download server of an application (used by system | ||
administrators to analyze Windows logs) and replaced the legitimate application | ||
and updates with a signed malicious version. | ||
|
||
## Impact | ||
|
||
Organizations who used Alpha's free license edition software (the compromised | ||
version) include: | ||
|
||
- 4 major telecommunication providers | ||
- 10+ western millitary organizations | ||
- 24+ Fortune 500 companies | ||
- 5 major defense contractors | ||
- 36+ Major IT product manufacturers or solutions providers | ||
- 24+ western government organizations | ||
- 24+ banks and financial institutions | ||
- 45+ higher educational institutions | ||
|
||
## Type of compromise | ||
|
||
The attacker had access to the publishing infrastructure (i.e., the download | ||
server) and to the signing key of the packager. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
# NotPetya | ||
|
||
NotPetya compromised the software infrastructure to tamper the patch code. It | ||
infected the update server of an Ukrainian accounting software called MeDoc. As | ||
a result, the attackers could inject a backdoor into the MeDoc application | ||
which allowed the delivery of a ransomware and stealing credentials. Having | ||
control over the update server, the attackers were able to update the infected | ||
machines with a new malicious version. | ||
|
||
Note that it seems unlikely that the attackers could plant such stealthy | ||
backdoor without having access to MeDoc’s source code. | ||
|
||
## Impact | ||
|
||
N/A | ||
|
||
## Type of compromise | ||
|
||
The attackers seem to have been able to compromise software publishing | ||
infrastructure, update servers and probably the version control system for | ||
MeDoc, as well as signing keys for updates. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
# Colourama | ||
|
||
Colourama used typosquatting to register a package that had similar name to | ||
Colorama, one of is one of the top 20 most downloaded legitimate modules | ||
in the PyPI registry with 1 million downloads on a daily basis. The colourama | ||
package contains a malware which targets Windows machines to implement a | ||
cryptocurrency clipboard hijacker. As a result, was able to divert any | ||
Bitcoin payment from victim machines to the attacker's bitcoin address. | ||
|
||
## Impact | ||
|
||
Colourama was registered early in December 2017. It is not clear how many times | ||
the malicious package have been downlaoded since then. According to a report by | ||
Medium, it was downloaded 55 times in October 2018. | ||
|
||
## Type of compromise | ||
|
||
A typosquat attack does not require compromising any type of infrastructure. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
# Dofoil | ||
|
||
Attackers compromised an update server and replaced a popular | ||
BitTorrent client called MediaGet with a signed backdoored binary | ||
to spread a malicious cryptocurrency miner. | ||
|
||
|
||
## Impact | ||
|
||
The attack could successfully taget over 400,000 PCs mostly in | ||
Russia, Turkey, and Ukraine. | ||
|
||
## Type of compromise | ||
|
||
The attackers seem to have been able to compromise the | ||
publishing infrastructure, as well as the signing key of the package. |
Oops, something went wrong.