From 58e008b81817d9eeeeabe212f4f5a5e08968b2a7 Mon Sep 17 00:00:00 2001 From: Santiago Torres Date: Wed, 27 Mar 2019 14:30:33 -0400 Subject: [PATCH 01/38] README: add basic structure --- README.md | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 000000000..8b369d0c7 --- /dev/null +++ b/README.md @@ -0,0 +1,7 @@ +Software Supply Chain Compromises +================================= + +This repository contains links to articles of software supply chain +compromises. In the future it also may contain ways to query and export these +as references, but that's ongoing work. + From 537b53736f98be07f11b536bc876e0f3786e34ed Mon Sep 17 00:00:00 2001 From: Santiago Torres Date: Wed, 27 Mar 2019 14:33:10 -0400 Subject: [PATCH 02/38] compromises: add juniper backdoor --- README.md | 3 +++ compromises/2015/juniper.md | 16 ++++++++++++++++ 2 files changed, 19 insertions(+) create mode 100644 compromises/2015/juniper.md diff --git a/README.md b/README.md index 8b369d0c7..cc2bc6ee7 100644 --- a/README.md +++ b/README.md @@ -5,3 +5,6 @@ This repository contains links to articles of software supply chain compromises. In the future it also may contain ways to query and export these as references, but that's ongoing work. +| Name | Year | Type of compromise | Link | +| ----------------- | ------------------ | ------------------ | ----------- | +| [Juniper Incident](compromises/2015/juniper.md) | 2015 | Source Code Compromise| [1](https://eprint.iacr.org/2016/376.pdf) diff --git a/compromises/2015/juniper.md b/compromises/2015/juniper.md new file mode 100644 index 000000000..87e0d66e9 --- /dev/null +++ b/compromises/2015/juniper.md 
@@ -0,0 +1,16 @@ +# Juniper SCM compromise + +The Juniper attack was done by inserting malicious code in the operating system +of Juniper NetScreen VPN routers. This unauthorized code enabled remote +administrative access, and allowed passive decryption of VPN traffic. The first +vulnerability was done by implanting back door in the SSH password checker and +the second one happened by compromising a pseudorandom number generator. + +## Effect + +N/A + +## Attacker type of access + +It appears attackers had access to a the source code hosting infrastructure, +but not to developer keys. From b94a5a82e36f82e77b19fd153b284b2f568100a5 Mon Sep 17 00:00:00 2001 From: Santiago Torres Date: Wed, 27 Mar 2019 14:41:44 -0400 Subject: [PATCH 03/38] compromises: add aurora --- README.md | 1 + compromises/2010/aurora.md | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+) create mode 100644 compromises/2010/aurora.md diff --git a/README.md b/README.md index cc2bc6ee7..6142a4f75 100644 --- a/README.md +++ b/README.md @@ -8,3 +8,4 @@ as references, but that's ongoing work. | Name | Year | Type of compromise | Link | | ----------------- | ------------------ | ------------------ | ----------- | | [Juniper Incident](compromises/2015/juniper.md) | 2015 | Source Code Compromise| [1](https://eprint.iacr.org/2016/376.pdf) +| [Operation Aurora](compromises/2010/aurora.md) | 2010 | Watering-hole attack | [1](https://www.wired.com/2010/03/source-code-hacks/) | diff --git a/compromises/2010/aurora.md b/compromises/2010/aurora.md new file mode 100644 index 000000000..59a3a7c29 --- /dev/null +++ b/compromises/2010/aurora.md 
@@ -0,0 +1,20 @@ +# Operation Aurora + +The hackers could have access to software configuration management systems +(SCM) in many companies including Google and Adobe. This allowed them to steal +the source code or make stealthy changes in the source of the many products. + +The SCM was developed by a company called Perforce. This system has had some +known vulnerabilities (detected by McAfee). The attacker most likely exploited +those security holes to gain unauthorized access to the system. + +## Effect + +More than 34 organizations affected, including Symanted, Northrop Grumman, +Morgan Stanley, Dow chemical, Yahoo, Rackspace, Adobe and Google. + +## Attacker type of Access + +The attacker was able to compromise different tools used within the +organizations to target their version control systems and exfiltrate source +code and sensitive data. From ac7cddca85322e1562428a6fa8fab0cb8f24dbc5 Mon Sep 17 00:00:00 2001 From: Santiago Torres Date: Wed, 27 Mar 2019 14:47:13 -0400 Subject: [PATCH 04/38] compromises: add CCleaner --- README.md | 1 + compromises/2017/ccleaner.md | 22 ++++++++++++++++++++++ 2 files changed, 23 insertions(+) create mode 100644 compromises/2017/ccleaner.md diff --git a/README.md b/README.md index 6142a4f75..c04e96714 100644 --- a/README.md +++ b/README.md @@ -9,3 +9,4 @@ as references, but that's ongoing work. | ----------------- | ------------------ | ------------------ | ----------- | | [Juniper Incident](compromises/2015/juniper.md) | 2015 | Source Code Compromise| [1](https://eprint.iacr.org/2016/376.pdf) | [Operation Aurora](compromises/2010/aurora.md) | 2010 | Watering-hole attack | [1](https://www.wired.com/2010/03/source-code-hacks/) | +| [Foxif/CCleaner](compromises/2017/ccleaner.md) | 2017 | Publishing Infrastructure | [1](http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html) | diff --git a/compromises/2017/ccleaner.md b/compromises/2017/ccleaner.md new file mode 100644 index 000000000..e6eeb795a --- /dev/null 
+++ b/compromises/2017/ccleaner.md @@ -0,0 +1,22 @@ +# Foxif/CCleaner + +An affected version of CCleaner installs a malware before installing CCleaner. +This malicious version is signed using a valid certificate and has been +delivered to the users by the legitimate CCleaner download servers. + +As the affected version of CCleaner was signed by a valid signature, there are +some possibilities. The signing process of the development, build or packaging +step might have being compromised. Also it could be a malicious insertion in +any step right before the product of that step was signed. + +## Effect + +The impact could've been severe as CCleaner had 2 billion downloads as of +November 2016 with almost 5 million new users per week. + +## Attacker Type of Access + +It appears the attackers could've accomplished by either compromising the +version control system, the packaging or the publishing infrastructure. For the +last step, they would've have to been able to compromise the signing key that +signs for official CCLeaner releases. From 2bbe7dfcb5fbc045afb783e3143c2a6d2d2ddcbe Mon Sep 17 00:00:00 2001 From: Santiago Torres Date: Wed, 27 Mar 2019 14:52:27 -0400 Subject: [PATCH 05/38] compromises: add handbrake --- README.md | 1 + compromises/2017/handbrake.md | 15 +++++++++++++++ 2 files changed, 16 insertions(+) create mode 100644 compromises/2017/handbrake.md diff --git a/README.md b/README.md index c04e96714..cb92cf0f0 100644 --- a/README.md +++ b/README.md 
@@ -10,3 +10,4 @@ as references, but that's ongoing work. | [Juniper Incident](compromises/2015/juniper.md) | 2015 | Source Code Compromise| [1](https://eprint.iacr.org/2016/376.pdf) | [Operation Aurora](compromises/2010/aurora.md) | 2010 | Watering-hole attack | [1](https://www.wired.com/2010/03/source-code-hacks/) | | [Foxif/CCleaner](compromises/2017/ccleaner.md) | 2017 | Publishing Infrastructure | [1](http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html) | +| [HandBrake](compromises/2017/handbrake.md) | 2017 | Publishing Infrastructure | [1](https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/05/handbrake-hacked-to-drop-new-variant-of-proton-malware/) | diff --git a/compromises/2017/handbrake.md b/compromises/2017/handbrake.md new file mode 100644 index 000000000..2b8e0ff49 --- /dev/null +++ b/compromises/2017/handbrake.md @@ -0,0 +1,15 @@ +# Handbrake + +A popular video converter, HandBrake, for Mac systems was hacked by replacing +the app on one of the download servers with a malicious copy. So the attackers +could gain admin privileges on victims’ systems. + +## Effect + +N/A + +## Type of Compromise + +It appears the attackers compromised the publishing infrastructure. Since no +code-signing was involved, the attacker didn't require to compromise any key, +but rather just the infrastructure. From 7aba492db2224ff28ab60422ab6145599bf2b5bd Mon Sep 17 00:00:00 2001 From: Santiago Torres Date: Wed, 27 Mar 2019 14:58:03 -0400 Subject: [PATCH 06/38] compromises: add kingslayer --- README.md | 1 + compromises/2017/kingslayer.md | 24 ++++++++++++++++++++++++ 2 files changed, 25 insertions(+) create mode 100644 compromises/2017/kingslayer.md diff --git a/README.md b/README.md index cb92cf0f0..24d836f2f 100644 --- a/README.md +++ b/README.md 
@@ -11,3 +11,4 @@ as references, but that's ongoing work. | [Operation Aurora](compromises/2010/aurora.md) | 2010 | Watering-hole attack | [1](https://www.wired.com/2010/03/source-code-hacks/) | | [Foxif/CCleaner](compromises/2017/ccleaner.md) | 2017 | Publishing Infrastructure | [1](http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html) | | [HandBrake](compromises/2017/handbrake.md) | 2017 | Publishing Infrastructure | [1](https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/05/handbrake-hacked-to-drop-new-variant-of-proton-malware/) | +| [Kingslayer](compromises/2017/kingslayer.md) | 2017 | Publishing Infrastructure | [1](https://www.rsa.com/content/dam/premium/en/white-paper/kingslayer-a-supply-chain-attack.pdf) | diff --git a/compromises/2017/kingslayer.md b/compromises/2017/kingslayer.md new file mode 100644 index 000000000..d565669d8 --- /dev/null +++ b/compromises/2017/kingslayer.md @@ -0,0 +1,24 @@ +# Kingslayer + +Attackers could breach the download server of an application (used by system +administrators to analyze Windows logs) and replaced the legitimate application +and updates with a signed malicious version. + +## Effect + +Organizations who used Alpha's free license edition software (the compromised +version) include: + +- 4 major telecommunication providers +- 10+ western millitary organizations +- 24+ Fortune 500 companies +- 5 major defense contractors +- 36+ Major IT product manufacturers or solutions providers +- 24+ western government organizations +- 24+ banks and financial institutions +- 45+ higher educational institutions + +## Type of Compromise + +The attacker had access to the publishing infrastructure (i.e., the download +server) and to the signing key of the packager. From d0ac6784c9d827a6439572ad72205a9486f402ad Mon Sep 17 00:00:00 2001 
From: Santiago Torres Date: Wed, 27 Mar 2019 16:45:53 -0400 Subject: [PATCH 07/38] compromises: add hacktask --- README.md | 1 + compromises/2017/hacktask.md | 15 +++++++++++++++ 2 files changed, 16 insertions(+) create mode 100644 compromises/2017/hacktask.md diff --git a/README.md b/README.md index 24d836f2f..2cea2c07d 100644 --- a/README.md +++ b/README.md @@ -12,3 +12,4 @@ as references, but that's ongoing work. | [Foxif/CCleaner](compromises/2017/ccleaner.md) | 2017 | Publishing Infrastructure | [1](http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html) | | [HandBrake](compromises/2017/handbrake.md) | 2017 | Publishing Infrastructure | [1](https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/05/handbrake-hacked-to-drop-new-variant-of-proton-malware/) | | [Kingslayer](compromises/2017/kingslayer.md) | 2017 | Publishing Infrastructure | [1](https://www.rsa.com/content/dam/premium/en/white-paper/kingslayer-a-supply-chain-attack.pdf) | +| [HackTask](compromises/2017/hacktask.md) | 2017 | TypoSquat | [1](https://securityintelligence.com/news/typosquatting-attack-puts-developers-at-risk-from-infected-javascript-packages/) | diff --git a/compromises/2017/hacktask.md b/compromises/2017/hacktask.md new file mode 100644 index 000000000..2659bc46b --- /dev/null +++ b/compromises/2017/hacktask.md @@ -0,0 +1,15 @@ +# HackTask + +HackTask used typosquatting to register packages that had names similar to +popular libraries on the npm registry. As a result, the attacker could steal +developer credentials. + +## Impact + +38 typosquatted JS packages were found on the npm repositories. These packages +were downloaded at least 700 times during the two week period that the +compromise spanned. + +## Type of Attack + +A typosquat attack does not require compromising any type of infrastructure. From 0c624de7d12491636e33720b516700009ea121dc Mon Sep 17 00:00:00 2001 
From: Santiago Torres Date: Wed, 27 Mar 2019 16:49:38 -0400 Subject: [PATCH 08/38] compromises: add xcodeghost --- README.md | 1 + compromises/2015/xcodeghost.md | 15 +++++++++++++++ 2 files changed, 16 insertions(+) create mode 100644 compromises/2015/xcodeghost.md diff --git a/README.md b/README.md index 2cea2c07d..2619e5a1c 100644 --- a/README.md +++ b/README.md @@ -13,3 +13,4 @@ as references, but that's ongoing work. | [HandBrake](compromises/2017/handbrake.md) | 2017 | Publishing Infrastructure | [1](https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/05/handbrake-hacked-to-drop-new-variant-of-proton-malware/) | | [Kingslayer](compromises/2017/kingslayer.md) | 2017 | Publishing Infrastructure | [1](https://www.rsa.com/content/dam/premium/en/white-paper/kingslayer-a-supply-chain-attack.pdf) | | [HackTask](compromises/2017/hacktask.md) | 2017 | TypoSquat | [1](https://securityintelligence.com/news/typosquatting-attack-puts-developers-at-risk-from-infected-javascript-packages/) | +| [XCodeGhost](compromises/2015/xcodeghost.md) | 2015 | Fake toolchain | [1](https://www.theregister.co.uk/2015/09/21/xcodeghost_apple_ios_store_malware_zapped/) | diff --git a/compromises/2015/xcodeghost.md b/compromises/2015/xcodeghost.md new file mode 100644 index 000000000..8626b2801 --- /dev/null +++ b/compromises/2015/xcodeghost.md @@ -0,0 +1,15 @@ +# XCodeGhost + +The attacker could distribute a fake version of developer tools used by iOS +developers. The Xcode development tools used by iOS app makers was modified by +hackers to inject malicious code into apps on the App Store aiming to phish +passwords and URLs through the infected apps. + +## Impact + +At least 350 apps, including WeChat, which affected hundreds of millions of +users alone. + +## Type of Compromise + +This was a counterfeit artifact delivered to developers. From 234ceadef55f26b9fae9ee549992101e74289d77 Mon Sep 17 00:00:00 2001 
From: Santiago Torres Date: Wed, 27 Mar 2019 16:54:29 -0400 Subject: [PATCH 09/38] compromises: add notpetya --- README.md | 1 + compromises/2017/notpetya.md | 21 +++++++++++++++++++++ 2 files changed, 22 insertions(+) create mode 100644 compromises/2017/notpetya.md diff --git a/README.md b/README.md index 2619e5a1c..4c4b39891 100644 --- a/README.md +++ b/README.md @@ -14,3 +14,4 @@ as references, but that's ongoing work. | [Kingslayer](compromises/2017/kingslayer.md) | 2017 | Publishing Infrastructure | [1](https://www.rsa.com/content/dam/premium/en/white-paper/kingslayer-a-supply-chain-attack.pdf) | | [HackTask](compromises/2017/hacktask.md) | 2017 | TypoSquat | [1](https://securityintelligence.com/news/typosquatting-attack-puts-developers-at-risk-from-infected-javascript-packages/) | | [XCodeGhost](compromises/2015/xcodeghost.md) | 2015 | Fake toolchain | [1](https://www.theregister.co.uk/2015/09/21/xcodeghost_apple_ios_store_malware_zapped/) | +| [NotPetya](compromises/2017/notpetya.md) | 2017 | Multiple steps | [1](https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/) | diff --git a/compromises/2017/notpetya.md b/compromises/2017/notpetya.md new file mode 100644 index 000000000..217605eca --- /dev/null +++ b/compromises/2017/notpetya.md 
@@ -0,0 +1,21 @@ +# NotPetya + +NotPetya compromised the software infrastructure to tamper the patch code. It +infected the update server of an Ukrainian accounting software called MeDoc. As +a result, the attackers could inject a backdoor into the MeDoc application +which allowed the delivery of a ransomware and stealing credentials. Having +control over the update server, the attackers were able to update the infected +machines with a new malicious version. + +Note that it seems unlikely that the attackers could plant such stealthy +backdoor without having access to MeDoc’s source code. + +## impact + +N/A + +## Type of Compromise + +The attackers seem to have been able to compromise software publishing +infrastructure, update servers and probably the version control system for +MeDoc, as well as signing keys for updates. From d893d687655e05875ae6383644382260d37ce480 Mon Sep 17 00:00:00 2001 From: Santiago Torres Date: Wed, 27 Mar 2019 17:00:06 -0400 Subject: [PATCH 10/38] compromises: add bitcoin gold --- README.md | 1 + compromises/2017/bitcoingold.md | 16 ++++++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 compromises/2017/bitcoingold.md diff --git a/README.md b/README.md index 4c4b39891..ad40d48ae 100644 --- a/README.md +++ b/README.md @@ -15,3 +15,4 @@ as references, but that's ongoing work. | [HackTask](compromises/2017/hacktask.md) | 2017 | TypoSquat | [1](https://securityintelligence.com/news/typosquatting-attack-puts-developers-at-risk-from-infected-javascript-packages/) | | [XCodeGhost](compromises/2015/xcodeghost.md) | 2015 | Fake toolchain | [1](https://www.theregister.co.uk/2015/09/21/xcodeghost_apple_ios_store_malware_zapped/) | | [NotPetya](compromises/2017/notpetya.md) | 2017 | Multiple steps | [1](https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/) | +| [Bitcoin Gold](compromises/2017/bitcoingold.md) | 2017 | Source Code Compromise | [1](https://bitcoingold.org/critical-warning-nov-26/) | 
diff --git a/compromises/2017/bitcoingold.md b/compromises/2017/bitcoingold.md new file mode 100644 index 000000000..312a99513 --- /dev/null +++ b/compromises/2017/bitcoingold.md @@ -0,0 +1,16 @@ +# Bitcoin Gold + +A backdoored version of Bitcoin wallet was planted by the attackers who gained +access to the GitHub repository. As a result, those users who downloaded the +infected version instead of the official one might have lost their private keys +if they created new wallets using this malicious software. + +## Impact + +Users who downloaded the compromised wallet during a window of 4.5 days may +have their private keys compromises. + +## Type of Compromise + +The attackers seem to have been able to access the version control system but +not to sign on behalf of developers. From 265ef7d4278edfac0ea8deb1096aee8b6e8ea721 Mon Sep 17 00:00:00 2001 From: Santiago Torres Date: Wed, 27 Mar 2019 17:06:18 -0400 Subject: [PATCH 11/38] compromises: add expensivewall --- README.md | 1 + compromises/2017/expensivewall.md | 19 +++++++++++++++++++ 2 files changed, 20 insertions(+) create mode 100644 compromises/2017/expensivewall.md diff --git a/README.md b/README.md index ad40d48ae..10c03737a 100644 --- a/README.md +++ b/README.md 
@@ -16,3 +16,4 @@ as references, but that's ongoing work. | [XCodeGhost](compromises/2015/xcodeghost.md) | 2015 | Fake toolchain | [1](https://www.theregister.co.uk/2015/09/21/xcodeghost_apple_ios_store_malware_zapped/) | | [NotPetya](compromises/2017/notpetya.md) | 2017 | Multiple steps | [1](https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/) | | [Bitcoin Gold](compromises/2017/bitcoingold.md) | 2017 | Source Code Compromise | [1](https://bitcoingold.org/critical-warning-nov-26/) | +| [ExpensiveWall](compromises/2017/expensivewall.md) | 2017 | Backdooring SDK | [1](https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/)[2](https://research.checkpoint.com/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/) diff --git a/compromises/2017/expensivewall.md b/compromises/2017/expensivewall.md new file mode 100644 index 000000000..22bc3ddbe --- /dev/null +++ b/compromises/2017/expensivewall.md @@ -0,0 +1,19 @@ +# ExpensiveWall + +A malware injected in a free Android app (wallpaper) would secretly register +victims for paid services. The malicious code in the app came from a +compromised software development kit (SDK) that Android developers used. +Notbaly, Expensive Wall used obfuscation methods to hide malicious code which +could bypass anti-virus protections. + +## Impact + +At least 5,904,511 devices were affected, and up to a maximum of 21,101,567, as +reported on [this technical +report](https://research.checkpoint.com/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/) + +## Type of Compromise + +The attackers were able to compromise the toolchains of the developer machines +and introduce a backdoor in the resulting apps. As such, developer keys can be +assumed to be compromised. From b2d6bc20a6f9fa33d677bfa10c8a4bdf5fd59765 Mon Sep 17 00:00:00 2001 
From: Santiago Torres Date: Wed, 27 Mar 2019 17:24:13 -0400 Subject: [PATCH 12/38] compromises: add keydnap --- README.md | 1 + compromises/2016/keydnap.md | 16 ++++++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 compromises/2016/keydnap.md diff --git a/README.md b/README.md index 10c03737a..00648e7c0 100644 --- a/README.md +++ b/README.md @@ -17,3 +17,4 @@ as references, but that's ongoing work. | [NotPetya](compromises/2017/notpetya.md) | 2017 | Multiple steps | [1](https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/) | | [Bitcoin Gold](compromises/2017/bitcoingold.md) | 2017 | Source Code Compromise | [1](https://bitcoingold.org/critical-warning-nov-26/) | | [ExpensiveWall](compromises/2017/expensivewall.md) | 2017 | Backdooring SDK | [1](https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/)[2](https://research.checkpoint.com/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/) +| [keydnap](compromises/2016/keydnap.md) | 2016 | Publishing infrastructure | [1](https://blog.malwarebytes.com/threat-analysis/2016/09/transmission-hijacked-again-to-spread-malware)[2](https://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/) diff --git a/compromises/2016/keydnap.md b/compromises/2016/keydnap.md new file mode 100644 index 000000000..ce0761a63 --- /dev/null +++ b/compromises/2016/keydnap.md @@ -0,0 +1,16 @@ +# Keydnap + +The download server of the torrent client Transmission was hacked and a +malicious version of the client was uploaded. The malicious copy of the +software was signed using a legitimate certificate (which appears to be stolen +from the Apple developer program). + +## Impact + +N/A + +## Type of Compromise + +The publishing infrastructure was affected, plus a developer certificate (by +someone not associated with Transmission) was used to sign and allow for a +legitimate-looking installation 
From c86bf8165f1591f36ff9e7e2efd1c3d2f2d1adbc Mon Sep 17 00:00:00 2001 From: Santiago Torres Date: Wed, 27 Mar 2019 17:30:02 -0400 Subject: [PATCH 13/38] compromises: add ceph and inktank --- README.md | 1 + compromises/2015/ceph-and-inktank.md | 14 ++++++++++++++ 2 files changed, 15 insertions(+) create mode 100644 compromises/2015/ceph-and-inktank.md diff --git a/README.md b/README.md index 00648e7c0..ca92d46cc 100644 --- a/README.md +++ b/README.md @@ -18,3 +18,4 @@ as references, but that's ongoing work. | [Bitcoin Gold](compromises/2017/bitcoingold.md) | 2017 | Source Code Compromise | [1](https://bitcoingold.org/critical-warning-nov-26/) | | [ExpensiveWall](compromises/2017/expensivewall.md) | 2017 | Backdooring SDK | [1](https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/)[2](https://research.checkpoint.com/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/) | [keydnap](compromises/2016/keydnap.md) | 2016 | Publishing infrastructure | [1](https://blog.malwarebytes.com/threat-analysis/2016/09/transmission-hijacked-again-to-spread-malware)[2](https://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/) +| [Ceph and Inktank](compromises/2015/ceph-and-inktank.md) | 2015 | Build, source and publishing infrastructure | [1](https://www.zdnet.com/article/red-hats-ceph-and-inktank-code-repositories-were-cracked/) | diff --git a/compromises/2015/ceph-and-inktank.md b/compromises/2015/ceph-and-inktank.md new file mode 100644 index 000000000..dba98923e --- /dev/null +++ b/compromises/2015/ceph-and-inktank.md 
@@ -0,0 +1,14 @@ +# Ceph and Inktank + +Malicious applications on RedHat servers were signed by a compromised key on +the Ceph infrastructure and it's public-facing counterpart Inktank + +## Impact + +Unknown at the time of the writing, yet no signs of clear compromise are +available. + +## Type of Compromise + +The development platform ceph was compromised, as well as its signing gpg key. +The public facing component Inktank was also compromised. From 9d116c0f49efc39c2befe3ce437528c3956c6a26 Mon Sep 17 00:00:00 2001 From: Santiago Torres Date: Wed, 27 Mar 2019 17:38:52 -0400 Subject: [PATCH 14/38] compromises: add elmedia --- README.md | 1 + compromises/2017/elmedia.md | 13 +++++++++++++ 2 files changed, 14 insertions(+) create mode 100644 compromises/2017/elmedia.md diff --git a/README.md b/README.md index ca92d46cc..6c761544d 100644 --- a/README.md +++ b/README.md @@ -19,3 +19,4 @@ as references, but that's ongoing work. | [ExpensiveWall](compromises/2017/expensivewall.md) | 2017 | Backdooring SDK | [1](https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/)[2](https://research.checkpoint.com/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/) | [keydnap](compromises/2016/keydnap.md) | 2016 | Publishing infrastructure | [1](https://blog.malwarebytes.com/threat-analysis/2016/09/transmission-hijacked-again-to-spread-malware)[2](https://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/) | [Ceph and Inktank](compromises/2015/ceph-and-inktank.md) | 2015 | Build, source and publishing infrastructure | [1](https://www.zdnet.com/article/red-hats-ceph-and-inktank-code-repositories-were-cracked/) | +| [OSX Elmedia player](compromises/2017/elmedia.md) | 2017 | Publishing infrastructure | [1](https://www.hackread.com/hackers-infect-mac-users-proton-malware-using-elmedia-player/) | 
diff --git a/compromises/2017/elmedia.md b/compromises/2017/elmedia.md new file mode 100644 index 000000000..ac3293067 --- /dev/null +++ b/compromises/2017/elmedia.md @@ -0,0 +1,13 @@ +# Elmedia player hack + +Attackers could hack the Eltima’s download servers and then distributed two +applications, Folx and Elmedia Player, with a malware. + +## Impact + +It appears that the impact of the attack ranges in the hundreds of users. + +## Type of compromise + +The attackers were able to compromise the publishing infrastructure for Eltima, +the software vendor for the Elmedia player and Folx. From 298e4e4a9ed80e091816a8e8d6ca0f7816fefc45 Mon Sep 17 00:00:00 2001 From: Santiago Torres Date: Wed, 27 Mar 2019 17:45:21 -0400 Subject: [PATCH 15/38] compromises: add proftpd --- README.md | 1 + compromises/2010/proftpd.md | 13 +++++++++++++ 2 files changed, 14 insertions(+) create mode 100644 compromises/2010/proftpd.md diff --git a/README.md b/README.md index 6c761544d..e0da19d6d 100644 --- a/README.md +++ b/README.md @@ -20,3 +20,4 @@ as references, but that's ongoing work. | [keydnap](compromises/2016/keydnap.md) | 2016 | Publishing infrastructure | [1](https://blog.malwarebytes.com/threat-analysis/2016/09/transmission-hijacked-again-to-spread-malware)[2](https://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/) | [Ceph and Inktank](compromises/2015/ceph-and-inktank.md) | 2015 | Build, source and publishing infrastructure | [1](https://www.zdnet.com/article/red-hats-ceph-and-inktank-code-repositories-were-cracked/) | | [OSX Elmedia player](compromises/2017/elmedia.md) | 2017 | Publishing infrastructure | [1](https://www.hackread.com/hackers-infect-mac-users-proton-malware-using-elmedia-player/) | +| [ProFTPD](compromises/2010/proftpd) | 2010 | Source Code Repository | [1](https://www.zdnet.com/article/open-source-proftpd-hacked-backdoor-planted-in-source-code/) | 
diff --git a/compromises/2010/proftpd.md b/compromises/2010/proftpd.md new file mode 100644 index 000000000..dc37ee684 --- /dev/null +++ b/compromises/2010/proftpd.md @@ -0,0 +1,13 @@ +# ProFTPD hack + +A source code repository server of an open-source project (ProFTPD) was hacked +by unknown attackers who planted a backdoor in the source code. + +## Impact + +N/A + +## Type of compromise + +The attackers seem to have been able to hack the source code repository but not +developer keys. From 3ca00dcd8378a1a4cc2e1e3b8c008ee9e0b288f8 Mon Sep 17 00:00:00 2001 From: Santiago Torres Date: Wed, 27 Mar 2019 17:46:16 -0400 Subject: [PATCH 16/38] README: add a comma bewtween link 1 and 2 --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index e0da19d6d..681d95f34 100644 --- a/README.md +++ b/README.md 
@@ -16,8 +16,8 @@ as references, but that's ongoing work. | [XCodeGhost](compromises/2015/xcodeghost.md) | 2015 | Fake toolchain | [1](https://www.theregister.co.uk/2015/09/21/xcodeghost_apple_ios_store_malware_zapped/) | | [NotPetya](compromises/2017/notpetya.md) | 2017 | Multiple steps | [1](https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/) | | [Bitcoin Gold](compromises/2017/bitcoingold.md) | 2017 | Source Code Compromise | [1](https://bitcoingold.org/critical-warning-nov-26/) | -| [ExpensiveWall](compromises/2017/expensivewall.md) | 2017 | Backdooring SDK | [1](https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/)[2](https://research.checkpoint.com/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/) -| [keydnap](compromises/2016/keydnap.md) | 2016 | Publishing infrastructure | [1](https://blog.malwarebytes.com/threat-analysis/2016/09/transmission-hijacked-again-to-spread-malware)[2](https://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/) +| [ExpensiveWall](compromises/2017/expensivewall.md) | 2017 | Backdooring SDK | [1](https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/),[2](https://research.checkpoint.com/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/) +| [keydnap](compromises/2016/keydnap.md) | 2016 | Publishing infrastructure | [1](https://blog.malwarebytes.com/threat-analysis/2016/09/transmission-hijacked-again-to-spread-malware),[2](https://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/) | [Ceph and Inktank](compromises/2015/ceph-and-inktank.md) | 2015 | Build, source and publishing infrastructure | [1](https://www.zdnet.com/article/red-hats-ceph-and-inktank-code-repositories-were-cracked/) | | [OSX Elmedia player](compromises/2017/elmedia.md) | 2017 | Publishing infrastructure | 
[1](https://www.hackread.com/hackers-infect-mac-users-proton-malware-using-elmedia-player/) | | [ProFTPD](compromises/2010/proftpd) | 2010 | Source Code Repository | [1](https://www.zdnet.com/article/open-source-proftpd-hacked-backdoor-planted-in-source-code/) | From 74872c2351f12a063083bfbc4055793f391e9d13 Mon Sep 17 00:00:00 2001 From: Hammad Date: Wed, 3 Apr 2019 12:21:50 -0400 Subject: [PATCH 17/38] Fix unvalid link for ProFTPD --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 681d95f34..3c21c06ca 100644 --- a/README.md +++ b/README.md @@ -20,4 +20,4 @@ as references, but that's ongoing work. | [keydnap](compromises/2016/keydnap.md) | 2016 | Publishing infrastructure | [1](https://blog.malwarebytes.com/threat-analysis/2016/09/transmission-hijacked-again-to-spread-malware),[2](https://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/) | [Ceph and Inktank](compromises/2015/ceph-and-inktank.md) | 2015 | Build, source and publishing infrastructure | [1](https://www.zdnet.com/article/red-hats-ceph-and-inktank-code-repositories-were-cracked/) | | [OSX Elmedia player](compromises/2017/elmedia.md) | 2017 | Publishing infrastructure | [1](https://www.hackread.com/hackers-infect-mac-users-proton-malware-using-elmedia-player/) | -| [ProFTPD](compromises/2010/proftpd) | 2010 | Source Code Repository | [1](https://www.zdnet.com/article/open-source-proftpd-hacked-backdoor-planted-in-source-code/) | +| [ProFTPD](compromises/2010/proftpd.md) | 2010 | Source Code Repository | [1](https://www.zdnet.com/article/open-source-proftpd-hacked-backdoor-planted-in-source-code/) | From 7e7d27ad6af8a0cb1b4bff313d4e6bb177d23fdd Mon Sep 17 00:00:00 2001 From: Hammad Date: Wed, 3 Apr 2019 12:25:16 -0400 Subject: [PATCH 18/38] Reorder the attack history --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 3c21c06ca..cda16d52b 100644 
--- a/README.md +++ b/README.md 
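Review bot: the ExpensiveWall and keydnap rows rewritten in the comma-separator hunk (`@@ -16,8 +16,8 @@`) still end without the closing ` |` that the neighbouring XCodeGhost, NotPetya, Bitcoin Gold, Ceph and Elmedia rows carry; since the hunk already rewrites both link cells, append ` |` to each so the table renders consistently. The ProFTPD path fix (`compromises/2010/proftpd` to `compromises/2010/proftpd.md`) is correct and matches every other row's `.md` target.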
@@ -7,17 +7,17 @@ as references, but that's ongoing work. | Name | Year | Type of compromise | Link | | ----------------- | ------------------ | ------------------ | ----------- | -| [Juniper Incident](compromises/2015/juniper.md) | 2015 | Source Code Compromise| [1](https://eprint.iacr.org/2016/376.pdf) -| [Operation Aurora](compromises/2010/aurora.md) | 2010 | Watering-hole attack | [1](https://www.wired.com/2010/03/source-code-hacks/) | | [Foxif/CCleaner](compromises/2017/ccleaner.md) | 2017 | Publishing Infrastructure | [1](http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html) | | [HandBrake](compromises/2017/handbrake.md) | 2017 | Publishing Infrastructure | [1](https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/05/handbrake-hacked-to-drop-new-variant-of-proton-malware/) | | [Kingslayer](compromises/2017/kingslayer.md) | 2017 | Publishing Infrastructure | [1](https://www.rsa.com/content/dam/premium/en/white-paper/kingslayer-a-supply-chain-attack.pdf) | | [HackTask](compromises/2017/hacktask.md) | 2017 | TypoSquat | [1](https://securityintelligence.com/news/typosquatting-attack-puts-developers-at-risk-from-infected-javascript-packages/) | -| [XCodeGhost](compromises/2015/xcodeghost.md) | 2015 | Fake toolchain | [1](https://www.theregister.co.uk/2015/09/21/xcodeghost_apple_ios_store_malware_zapped/) | | [NotPetya](compromises/2017/notpetya.md) | 2017 | Multiple steps | [1](https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/) | | [Bitcoin Gold](compromises/2017/bitcoingold.md) | 2017 | Source Code Compromise | [1](https://bitcoingold.org/critical-warning-nov-26/) | | [ExpensiveWall](compromises/2017/expensivewall.md) | 2017 | Backdooring SDK | [1](https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/),[2](https://research.checkpoint.com/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/) +| [OSX Elmedia 
player](compromises/2017/elmedia.md) | 2017 | Publishing infrastructure | [1](https://www.hackread.com/hackers-infect-mac-users-proton-malware-using-elmedia-player/) | | [keydnap](compromises/2016/keydnap.md) | 2016 | Publishing infrastructure | [1](https://blog.malwarebytes.com/threat-analysis/2016/09/transmission-hijacked-again-to-spread-malware),[2](https://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/) +| [Juniper Incident](compromises/2015/juniper.md) | 2015 | Source Code Compromise| [1](https://eprint.iacr.org/2016/376.pdf) +| [XCodeGhost](compromises/2015/xcodeghost.md) | 2015 | Fake toolchain | [1](https://www.theregister.co.uk/2015/09/21/xcodeghost_apple_ios_store_malware_zapped/) | | [Ceph and Inktank](compromises/2015/ceph-and-inktank.md) | 2015 | Build, source and publishing infrastructure | [1](https://www.zdnet.com/article/red-hats-ceph-and-inktank-code-repositories-were-cracked/) | -| [OSX Elmedia player](compromises/2017/elmedia.md) | 2017 | Publishing infrastructure | [1](https://www.hackread.com/hackers-infect-mac-users-proton-malware-using-elmedia-player/) | +| [Operation Aurora](compromises/2010/aurora.md) | 2010 | Watering-hole attack | [1](https://www.wired.com/2010/03/source-code-hacks/) | | [ProFTPD](compromises/2010/proftpd.md) | 2010 | Source Code Repository | [1](https://www.zdnet.com/article/open-source-proftpd-hacked-backdoor-planted-in-source-code/) | From 052ad2c537efc37d5ff6c0a73a73c40557a2ffbe Mon Sep 17 00:00:00 2001 From: Hammad Date: Wed, 3 Apr 2019 12:34:51 -0400 Subject: [PATCH 19/38] compromises: add operation-red --- README.md | 1 + compromises/2018/operation-red.md | 25 +++++++++++++++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 compromises/2018/operation-red.md diff --git a/README.md b/README.md index cda16d52b..25ef02912 100644 --- a/README.md +++ b/README.md 
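Review bot: the reorder rewrites the Juniper row but keeps its malformed cell `Source Code Compromise| [1](...)`, with no space before the pipe and no closing ` |`; since the line is being moved anyway, write it as `| Source Code Compromise | [1](...) |` like the rows around it. The resulting order (2017 entries, then keydnap 2016, Juniper/XCodeGhost/Ceph 2015, Aurora/ProFTPD 2010) is otherwise consistently descending by year.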
@@ -7,6 +7,7 @@ as references, but that's ongoing work. | Name | Year | Type of compromise | Link | | ----------------- | ------------------ | ------------------ | ----------- | +| [Operation Red](compromises/2018/operation-red.md) | 2018 | Publishing Infrastructure | [1](https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/) | | [Foxif/CCleaner](compromises/2017/ccleaner.md) | 2017 | Publishing Infrastructure | [1](http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html) | | [HandBrake](compromises/2017/handbrake.md) | 2017 | Publishing Infrastructure | [1](https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/05/handbrake-hacked-to-drop-new-variant-of-proton-malware/) | | [Kingslayer](compromises/2017/kingslayer.md) | 2017 | Publishing Infrastructure | [1](https://www.rsa.com/content/dam/premium/en/white-paper/kingslayer-a-supply-chain-attack.pdf) | diff --git a/compromises/2018/operation-red.md b/compromises/2018/operation-red.md new file mode 100644 index 000000000..40069ec7f --- /dev/null +++ b/compromises/2018/operation-red.md @@ -0,0 +1,25 @@ +# Operation Red + +Attackers compromised the update server of a remote support solutions provider +to deliver malicious updates to targeted organizations in South Korea. +The malicious update was signed using a valid certificate +stolen from the remote support solutions provider + +Attackers first compromised the update server, +then configured the server to only deliver malicious files if the client is +located in the range of IP addresses of their target organizations. + + +## Effect + +N/A + +## Attacker Type of Access + +It appears the attackers compromised the publishing infrastructure, +as well as signing keys for updates. + + + + + From f7316cf8c86a212afbf01e4b999c9a36957eec3b Mon Sep 17 00:00:00 2001 
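Review bot: in the new `compromises/2018/operation-red.md` the sentence ending `stolen from the remote support solutions provider` has no terminating period, and the file ends with several empty `+` lines that should be trimmed. The Impact section is `N/A` even though the description itself states that the server was configured to serve the malicious files only to the IP ranges of targeted organizations in South Korea; that scoping is the one impact fact the entry has and belongs under Impact. The README row is fine.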
From: Hammad Date: Wed, 3 Apr 2019 14:03:16 -0400 Subject: [PATCH 20/38] compromises: add pear --- README.md | 1 + compromises/2019/pear.md | 25 +++++++++++++++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 compromises/2019/pear.md diff --git a/README.md b/README.md index 25ef02912..657c5d445 100644 --- a/README.md +++ b/README.md @@ -7,6 +7,7 @@ as references, but that's ongoing work. | Name | Year | Type of compromise | Link | | ----------------- | ------------------ | ------------------ | ----------- | +| [PEAR Breach](compromises/2019/pear.md) | 2019 | Publishing Infrastructure | [1](https://blog.dcso.de/php-pear-software-supply-chain-attack/), [2](https://thehackernews.com/2019/01/php-pear-hacked.html) | | [Operation Red](compromises/2018/operation-red.md) | 2018 | Publishing Infrastructure | [1](https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/) | | [Foxif/CCleaner](compromises/2017/ccleaner.md) | 2017 | Publishing Infrastructure | [1](http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html) | | [HandBrake](compromises/2017/handbrake.md) | 2017 | Publishing Infrastructure | [1](https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/05/handbrake-hacked-to-drop-new-variant-of-proton-malware/) | diff --git a/compromises/2019/pear.md b/compromises/2019/pear.md new file mode 100644 index 000000000..4a248cbd4 --- /dev/null +++ b/compromises/2019/pear.md 
@@ -0,0 +1,25 @@ +# PEAR Breach + +The PHP Extension and Application Repository (PEAR) server, +a distribution system for PHP libraries, was hacked +and the original PHP PEAR package manager (go-pear.phar) +was replaced with a modified version. + + +## Effect + +Users who have installed PEAR installation files from pear.php.net +in a window of 6 months could have been infected. +Since many web hosting services allow their users to install and run PEAR, +this attack might also have impacted a large number of websites and their visitors. + +## Attacker Type of Access + +It appears the attackers compromised the publishing infrastructure. Since no +code-signing was involved, the attacker didn't require to compromise any key, +but rather just the infrastructure. + + + + + From 48ee34cad71b9d06df0afe19255dbb1ce698d238 Mon Sep 17 00:00:00 2001 From: Hammad Date: Wed, 3 Apr 2019 14:42:34 -0400 Subject: [PATCH 21/38] compromises: add unnamed-maker --- README.md | 1 + compromises/2018/unnamed-maker.md | 21 +++++++++++++++++++++ 2 files changed, 22 insertions(+) create mode 100644 compromises/2018/unnamed-maker.md diff --git a/README.md b/README.md index 657c5d445..511e431cc 100644 --- a/README.md +++ b/README.md 
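Review bot: in `compromises/2019/pear.md`, `the attacker didn't require to compromise any key` is ungrammatical; suggest `the attacker did not need to compromise any key, only the infrastructure`. The file also ends with several empty `+` lines. In the README row the two references are separated by `, ` whereas the ExpensiveWall and keydnap rows use a bare `,`; pick one separator for the whole table.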
@@ -9,6 +9,7 @@ as references, but that's ongoing work. | ----------------- | ------------------ | ------------------ | ----------- | | [PEAR Breach](compromises/2019/pear.md) | 2019 | Publishing Infrastructure | [1](https://blog.dcso.de/php-pear-software-supply-chain-attack/), [2](https://thehackernews.com/2019/01/php-pear-hacked.html) | | [Operation Red](compromises/2018/operation-red.md) | 2018 | Publishing Infrastructure | [1](https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/) | +| [Unnamed Maker](compromises/2018/unnamed-maker.md) | 2018 | Publishing Infrastructure | [1](https://www.bleepingcomputer.com/news/security/microsoft-discovers-supply-chain-attack-at-unnamed-maker-of-pdf-software/) | | [Foxif/CCleaner](compromises/2017/ccleaner.md) | 2017 | Publishing Infrastructure | [1](http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html) | | [HandBrake](compromises/2017/handbrake.md) | 2017 | Publishing Infrastructure | [1](https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/05/handbrake-hacked-to-drop-new-variant-of-proton-malware/) | | [Kingslayer](compromises/2017/kingslayer.md) | 2017 | Publishing Infrastructure | [1](https://www.rsa.com/content/dam/premium/en/white-paper/kingslayer-a-supply-chain-attack.pdf) | diff --git a/compromises/2018/unnamed-maker.md b/compromises/2018/unnamed-maker.md new file mode 100644 index 000000000..f8096e642 --- /dev/null +++ b/compromises/2018/unnamed-maker.md 
@@ -0,0 +1,21 @@ +# Unnamed Maker + +Attackers compromised a font package installed by a PDF editor application +and used it to deploy a cryptocurrency miner on users' computers. +Since the PDF editor was installed under SYSTEM privileges, +the malicious coinminer code hidden inside the font package +would receive full access to the victims' system. + + +## Effect + +Users who have installed this PDF editor between January and March 2018 have been affected. + +## Attacker Type of Access + +This was a counterfeit artifact delivered to developers. + + + + + From b040519492075b3d63cfd2dbdbf4c8dc6acd132c Mon Sep 17 00:00:00 2001 From: Hammad Date: Wed, 3 Apr 2019 14:52:02 -0400 Subject: [PATCH 22/38] compromises: add fosshub --- README.md | 3 ++- compromises/2016/fosshub.md | 17 +++++++++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 compromises/2016/fosshub.md diff --git a/README.md b/README.md index 511e431cc..6399d0982 100644 --- a/README.md +++ b/README.md 
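Review bot: the README row classifies Unnamed Maker as `Publishing Infrastructure`, but the Type of Compromise section of `compromises/2018/unnamed-maker.md` says `This was a counterfeit artifact delivered to developers`, while the description says a font package shipped by the PDF editor was compromised and reached the editor's end users, not developers; the row, the description and the classification should say the same thing. The file also ends with several empty `+` lines.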
@@ -18,7 +18,8 @@ as references, but that's ongoing work. | [Bitcoin Gold](compromises/2017/bitcoingold.md) | 2017 | Source Code Compromise | [1](https://bitcoingold.org/critical-warning-nov-26/) | | [ExpensiveWall](compromises/2017/expensivewall.md) | 2017 | Backdooring SDK | [1](https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/),[2](https://research.checkpoint.com/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/) | [OSX Elmedia player](compromises/2017/elmedia.md) | 2017 | Publishing infrastructure | [1](https://www.hackread.com/hackers-infect-mac-users-proton-malware-using-elmedia-player/) | -| [keydnap](compromises/2016/keydnap.md) | 2016 | Publishing infrastructure | [1](https://blog.malwarebytes.com/threat-analysis/2016/09/transmission-hijacked-again-to-spread-malware),[2](https://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/) +| [keydnap](compromises/2016/keydnap.md) | 2016 | Publishing infrastructure | [1](https://blog.malwarebytes.com/threat-analysis/2016/09/transmission-hijacked-again-to-spread-malware),[2](https://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/) | +| [Fosshub Breach](compromises/2016/fosshub.md) | 2016 | Publishing infrastructure | [1](https://www.ghacks.net/2016/08/03/attention-fosshub-downloads-compromised/),[2](https://www.theregister.co.uk/2016/08/04/classicshell_audicity_infection/) | | [Juniper Incident](compromises/2015/juniper.md) | 2015 | Source Code Compromise| [1](https://eprint.iacr.org/2016/376.pdf) | [XCodeGhost](compromises/2015/xcodeghost.md) | 2015 | Fake toolchain | [1](https://www.theregister.co.uk/2015/09/21/xcodeghost_apple_ios_store_malware_zapped/) | | [Ceph and Inktank](compromises/2015/ceph-and-inktank.md) | 2015 | Build, source and publishing infrastructure | [1](https://www.zdnet.com/article/red-hats-ceph-and-inktank-code-repositories-were-cracked/) | 
diff --git a/compromises/2016/fosshub.md b/compromises/2016/fosshub.md new file mode 100644 index 000000000..9b687eadb --- /dev/null +++ b/compromises/2016/fosshub.md @@ -0,0 +1,17 @@ +# Fosshub Breah + +Hackers compromised FOSSHub, a popular file hosting service, +and replaced the legitimate installer of several applications with malicious copies. + +Note that some software projects such as Classic Shell, qBittorrent, Audacity, MKVToolNix, and others +use as their primary file download service. + + +## Impact + +Users who downloaded Classic Shell and Audacity software packages from FOSSHub +in the first week of August 2016, were affected by Fosshub breach. + +## Type of Compromise + +Attackers compromised the publishing infrastructure. From 4b9ca4dba7fbfd1c7a705d1c2ae1e53acce93f0d Mon Sep 17 00:00:00 2001 From: Hammad Date: Wed, 3 Apr 2019 15:14:05 -0400 Subject: [PATCH 23/38] compromises: add gentoo --- README.md | 1 + compromises/2018/gentoo.md | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+) create mode 100644 compromises/2018/gentoo.md diff --git a/README.md b/README.md index 6399d0982..9e12b47db 100644 --- a/README.md +++ b/README.md 
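Review bot: the heading of `compromises/2016/fosshub.md` reads `# Fosshub Breah` (should be `Breach`, matching the README row), and `use as their primary file download service` is missing its object (`use FOSSHub as their primary file download service`). The headings `## Impact` / `## Type of Compromise` also differ from the `## Effect` / `## Attacker Type of Access` used by the other files added so far; either form is fine, but it should be one across the directory. Adding the missing closing ` |` to the keydnap row is a good fix.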
@@ -9,6 +9,7 @@ as references, but that's ongoing work. | ----------------- | ------------------ | ------------------ | ----------- | | [PEAR Breach](compromises/2019/pear.md) | 2019 | Publishing Infrastructure | [1](https://blog.dcso.de/php-pear-software-supply-chain-attack/), [2](https://thehackernews.com/2019/01/php-pear-hacked.html) | | [Operation Red](compromises/2018/operation-red.md) | 2018 | Publishing Infrastructure | [1](https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/) | +| [Gentoo Incident](compromises/2018/gentoo.md) | 2018 | Source Code Compromise| [1](https://wiki.gentoo.org/wiki/Project:Infrastructure/Incident_Reports/2018-06-28_Github) | [Unnamed Maker](compromises/2018/unnamed-maker.md) | 2018 | Publishing Infrastructure | [1](https://www.bleepingcomputer.com/news/security/microsoft-discovers-supply-chain-attack-at-unnamed-maker-of-pdf-software/) | | [Foxif/CCleaner](compromises/2017/ccleaner.md) | 2017 | Publishing Infrastructure | [1](http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html) | | [HandBrake](compromises/2017/handbrake.md) | 2017 | Publishing Infrastructure | [1](https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/05/handbrake-hacked-to-drop-new-variant-of-proton-malware/) | diff --git a/compromises/2018/gentoo.md b/compromises/2018/gentoo.md new file mode 100644 index 000000000..ea0936963 --- /dev/null +++ b/compromises/2018/gentoo.md @@ -0,0 +1,20 @@ +# Gentoo Incident + +Attackers gained control of the Github Gentoo organization, +removed access to Gentoo repositories from developers, +and modified the content of repositories as well as pages. + + +## Effect + +N/A + +## Attacker Type of Access + +It seems that the attackers have been able to hack +the source code repository but not developer keys. + + + + + From b63efacb9a5e87eafa4526ef280fe5600cad46de Mon Sep 17 00:00:00 2001 
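Review bot: the new Gentoo README row reuses the malformed cell form `Source Code Compromise| [1](...)` with no space before the pipe and no closing ` |`; write it as `| Source Code Compromise | [1](...) |` like the Operation Red and Unnamed Maker rows beside it. In `compromises/2018/gentoo.md`, `Github` should be `GitHub`, the Impact section is `N/A` although the description already records that developers lost repository access and that repository contents and pages were modified, and the file ends with several empty `+` lines.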
From: Hammad Date: Wed, 3 Apr 2019 15:27:55 -0400 Subject: [PATCH 24/38] compromises: add mint --- README.md | 1 + compromises/2016/mint.md | 14 ++++++++++++++ 2 files changed, 15 insertions(+) create mode 100644 compromises/2016/mint.md diff --git a/README.md b/README.md index 9e12b47db..c9b210586 100644 --- a/README.md +++ b/README.md @@ -21,6 +21,7 @@ as references, but that's ongoing work. | [OSX Elmedia player](compromises/2017/elmedia.md) | 2017 | Publishing infrastructure | [1](https://www.hackread.com/hackers-infect-mac-users-proton-malware-using-elmedia-player/) | | [keydnap](compromises/2016/keydnap.md) | 2016 | Publishing infrastructure | [1](https://blog.malwarebytes.com/threat-analysis/2016/09/transmission-hijacked-again-to-spread-malware),[2](https://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/) | | [Fosshub Breach](compromises/2016/fosshub.md) | 2016 | Publishing infrastructure | [1](https://www.ghacks.net/2016/08/03/attention-fosshub-downloads-compromised/),[2](https://www.theregister.co.uk/2016/08/04/classicshell_audicity_infection/) | +| [Linux Mint](compromises/2016/mint.md) | 2016 | Publishing infrastructure | [1](https://www.zdnet.com/article/linux-mint-website-hacked-malicious-backdoor-version/) | | [Juniper Incident](compromises/2015/juniper.md) | 2015 | Source Code Compromise| [1](https://eprint.iacr.org/2016/376.pdf) | [XCodeGhost](compromises/2015/xcodeghost.md) | 2015 | Fake toolchain | [1](https://www.theregister.co.uk/2015/09/21/xcodeghost_apple_ios_store_malware_zapped/) | | [Ceph and Inktank](compromises/2015/ceph-and-inktank.md) | 2015 | Build, source and publishing infrastructure | [1](https://www.zdnet.com/article/red-hats-ceph-and-inktank-code-repositories-were-cracked/) | diff --git a/compromises/2016/mint.md b/compromises/2016/mint.md new file mode 100644 index 000000000..afa53b019 --- /dev/null +++ b/compromises/2016/mint.md 
@@ -0,0 +1,14 @@ +# Hacked Linux Mint + +Attackers breached the website of Linux Mint, +the third most-popular Linux operating system, +and pointed users to malicious download links that contained a backdoored version of Linux Mint. + + +## Impact + +The backdoored version of Linux Mint was downloaded by hundreds of users on February 20th, 2016. + +## Type of Compromise + +Attackers compromised the publishing infrastructure, but not developer keys. From 319edacf4742eae198c44ac80914b9e22c87a1aa Mon Sep 17 00:00:00 2001 From: Hammad Date: Wed, 3 Apr 2019 15:34:15 -0400 Subject: [PATCH 25/38] Use consistent patterns for attack descriptions Fix minor issue for Juniper Incident --- compromises/2010/aurora.md | 4 ++-- compromises/2015/juniper.md | 6 +++--- compromises/2017/ccleaner.md | 2 +- compromises/2017/hacktask.md | 2 +- compromises/2017/handbrake.md | 2 +- compromises/2017/kingslayer.md | 2 +- compromises/2017/notpetya.md | 2 +- compromises/2018/gentoo.md | 4 ++-- compromises/2018/operation-red.md | 4 ++-- compromises/2018/unnamed-maker.md | 4 ++-- compromises/2019/pear.md | 4 ++-- 11 files changed, 18 insertions(+), 18 deletions(-) diff --git a/compromises/2010/aurora.md b/compromises/2010/aurora.md index 59a3a7c29..da3098e9b 100644 --- a/compromises/2010/aurora.md +++ b/compromises/2010/aurora.md @@ -8,12 +8,12 @@ The SCM was developed by a company called Perforce. This system has had some known vulnerabilities (detected by McAfee). The attacker most likely exploited those security holes to gain unauthorized access to the system. -## Effect +## Impact More than 34 organizations affected, including Symanted, Northrop Grumman, Morgan Stanley, Dow chemical, Yahoo, Rackspace, Adobe and Google. -## Attacker type of Access +## Type of Compromise The attacker was able to compromise different tools used within the organizations to target their version control systems and exfiltrate source 
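Review bot: `the third most-popular Linux operating system` in `compromises/2016/mint.md` is an unsourced ranking that the entry does not need; either cite where it comes from or drop it and keep the description to what happened (website breached, download links pointed at a backdoored ISO). The Impact line (`hundreds of users on February 20th, 2016`) is a good concrete statement and the classification (publishing infrastructure, no developer keys) matches the description.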
diff --git a/compromises/2015/juniper.md b/compromises/2015/juniper.md index 87e0d66e9..339728fb6 100644 --- a/compromises/2015/juniper.md +++ b/compromises/2015/juniper.md @@ -1,4 +1,4 @@ -# Juniper SCM compromise +# Juniper Incident The Juniper attack was done by inserting malicious code in the operating system of Juniper NetScreen VPN routers. This unauthorized code enabled remote @@ -6,11 +6,11 @@ administrative access, and allowed passive decryption of VPN traffic. The first vulnerability was done by implanting back door in the SSH password checker and the second one happened by compromising a pseudorandom number generator. -## Effect +## Impact N/A -## Attacker type of access +## Type of Compromise It appears attackers had access to a the source code hosting infrastructure, but not to developer keys. diff --git a/compromises/2017/ccleaner.md b/compromises/2017/ccleaner.md index e6eeb795a..f048fc391 100644 --- a/compromises/2017/ccleaner.md +++ b/compromises/2017/ccleaner.md @@ -14,7 +14,7 @@ any step right before the product of that step was signed. The impact could've been severe as CCleaner had 2 billion downloads as of November 2016 with almost 5 million new users per week. -## Attacker Type of Access +## Type of Compromise It appears the attackers could've accomplished by either compromising the version control system, the packaging or the publishing infrastructure. For the diff --git a/compromises/2017/hacktask.md b/compromises/2017/hacktask.md index 2659bc46b..52b89af8d 100644 --- a/compromises/2017/hacktask.md +++ b/compromises/2017/hacktask.md @@ -10,6 +10,6 @@ developer credentials. were downloaded at least 700 times during the two week period that the compromise spanned. -## Type of Attack +## Type of Compromise A typosquat attack does not require compromising any type of infrastructure. diff --git a/compromises/2017/handbrake.md b/compromises/2017/handbrake.md index 2b8e0ff49..514c163df 100644 --- a/compromises/2017/handbrake.md 
+++ b/compromises/2017/handbrake.md @@ -4,7 +4,7 @@ A popular video converter, HandBrake, for Mac systems was hacked by replacing the app on one of the download servers with a malicious copy. So the attackers could gain admin privileges on victims’ systems. -## Effect +## Impact N/A diff --git a/compromises/2017/kingslayer.md b/compromises/2017/kingslayer.md index d565669d8..f282bd635 100644 --- a/compromises/2017/kingslayer.md +++ b/compromises/2017/kingslayer.md @@ -4,7 +4,7 @@ Attackers could breach the download server of an application (used by system administrators to analyze Windows logs) and replaced the legitimate application and updates with a signed malicious version. -## Effect +## Impact Organizations who used Alpha's free license edition software (the compromised version) include: diff --git a/compromises/2017/notpetya.md b/compromises/2017/notpetya.md index 217605eca..10c162093 100644 --- a/compromises/2017/notpetya.md +++ b/compromises/2017/notpetya.md @@ -10,7 +10,7 @@ machines with a new malicious version. Note that it seems unlikely that the attackers could plant such stealthy backdoor without having access to MeDoc’s source code. -## impact +## Impact N/A diff --git a/compromises/2018/gentoo.md b/compromises/2018/gentoo.md index ea0936963..c21c6eca6 100644 --- a/compromises/2018/gentoo.md +++ b/compromises/2018/gentoo.md @@ -5,11 +5,11 @@ removed access to Gentoo repositories from developers, and modified the content of repositories as well as pages. -## Effect +## Impact N/A -## Attacker Type of Access +## Type of Compromise It seems that the attackers have been able to hack the source code repository but not developer keys. diff --git a/compromises/2018/operation-red.md b/compromises/2018/operation-red.md index 40069ec7f..4a01711a0 100644 --- a/compromises/2018/operation-red.md +++ b/compromises/2018/operation-red.md 
@@ -10,11 +10,11 @@ then configured the server to only deliver malicious files if the client is located in the range of IP addresses of their target organizations. -## Effect +## Imapct N/A -## Attacker Type of Access +## Type of Compromise It appears the attackers compromised the publishing infrastructure, as well as signing keys for updates. diff --git a/compromises/2018/unnamed-maker.md b/compromises/2018/unnamed-maker.md index f8096e642..dbcb42aca 100644 --- a/compromises/2018/unnamed-maker.md +++ b/compromises/2018/unnamed-maker.md @@ -7,11 +7,11 @@ the malicious coinminer code hidden inside the font package would receive full access to the victims' system. -## Effect +## Impact Users who have installed this PDF editor between January and March 2018 have been affected. -## Attacker Type of Access +## Type of Compromise This was a counterfeit artifact delivered to developers. diff --git a/compromises/2019/pear.md b/compromises/2019/pear.md index 4a248cbd4..bae56da6d 100644 --- a/compromises/2019/pear.md +++ b/compromises/2019/pear.md @@ -6,14 +6,14 @@ and the original PHP PEAR package manager (go-pear.phar) was replaced with a modified version. -## Effect +## Impact Users who have installed PEAR installation files from pear.php.net in a window of 6 months could have been infected. Since many web hosting services allow their users to install and run PEAR, this attack might also have impacted a large number of websites and their visitors. -## Attacker Type of Access +## Type of Compromise It appears the attackers compromised the publishing infrastructure. Since no code-signing was involved, the attacker didn't require to compromise any key, From 870e2af18b3b49e1a8379249098174db28a3bb2d Mon Sep 17 00:00:00 2001 
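Review bot: the operation-red.md hunk introduces a new typo, `## Imapct`, while renaming the heading; it must be `## Impact` like the other files in this patch, otherwise the consistency the commit aims for is broken for exactly that file. The aurora.md context still reads `Symanted` for Symantec; worth fixing in the same pass since that file is being touched anyway.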
From: Hammad Date: Wed, 3 Apr 2019 15:45:44 -0400 Subject: [PATCH 26/38] compromises: add code-spaces --- README.md | 1 + compromises/2014/code-spaces.md | 13 +++++++++++++ compromises/2014/monju.md | 16 ++++++++++++++++ 3 files changed, 30 insertions(+) create mode 100644 compromises/2014/code-spaces.md create mode 100644 compromises/2014/monju.md diff --git a/README.md b/README.md index c9b210586..c0b5d6657 100644 --- a/README.md +++ b/README.md @@ -25,5 +25,6 @@ as references, but that's ongoing work. | [Juniper Incident](compromises/2015/juniper.md) | 2015 | Source Code Compromise| [1](https://eprint.iacr.org/2016/376.pdf) | [XCodeGhost](compromises/2015/xcodeghost.md) | 2015 | Fake toolchain | [1](https://www.theregister.co.uk/2015/09/21/xcodeghost_apple_ios_store_malware_zapped/) | | [Ceph and Inktank](compromises/2015/ceph-and-inktank.md) | 2015 | Build, source and publishing infrastructure | [1](https://www.zdnet.com/article/red-hats-ceph-and-inktank-code-repositories-were-cracked/) | +| [Code Spaces](compromises/2014/code-spaces.md) | 2014 | Source Code Compromise| [1](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/) | [Operation Aurora](compromises/2010/aurora.md) | 2010 | Watering-hole attack | [1](https://www.wired.com/2010/03/source-code-hacks/) | | [ProFTPD](compromises/2010/proftpd.md) | 2010 | Source Code Repository | [1](https://www.zdnet.com/article/open-source-proftpd-hacked-backdoor-planted-in-source-code/) | diff --git a/compromises/2014/code-spaces.md b/compromises/2014/code-spaces.md new file mode 100644 index 000000000..a3f597d84 --- /dev/null +++ b/compromises/2014/code-spaces.md 
@@ -0,0 +1,13 @@ +# Code Space Incident + +Code Spaces, a cloud base service offering project management and code repositories, +was hacked and many repositories, backups, etc. were deleted by the attacker. + +## Impact + +N/A + +## Type of Compromise + +It appears attackers had access to the source code hosting infrastructure, +but not to developer keys. diff --git a/compromises/2014/monju.md b/compromises/2014/monju.md new file mode 100644 index 000000000..67a39a81b --- /dev/null +++ b/compromises/2014/monju.md @@ -0,0 +1,16 @@ +# Monju Incident + +The attackers subverted a legitimate software server (GOM Player website) +and delivered a malicious version of the application to users. +Upon connecting to the application website to update the installed software, +users were redirected to a different website, controlled by the attackers. +Thus, the users received a modified version of the software bundled with a Trojan. + +## Impact + +N/A + +## Type of Compromise + +Attackers could have access to infrastructure, +but not to developer keys. From c09613bc83bbcfc567e9b70baaedcab8bb9711c5 Mon Sep 17 00:00:00 2001 From: Hammad Date: Wed, 3 Apr 2019 16:02:38 -0400 Subject: [PATCH 27/38] compromises: add monju --- README.md | 1 + compromises/2014/monju.md | 14 ++++++++------ 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index c0b5d6657..182233dd6 100644 --- a/README.md +++ b/README.md 
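Review bot: the patch adds `compromises/2014/monju.md` although the subject says only `add code-spaces` and no README row is added for Monju (that row only appears in the following patch); either drop monju.md from this commit or name it in the subject and add its row here. In `compromises/2014/code-spaces.md` the heading `# Code Space Incident` should read `Code Spaces`, `cloud base service` should be `cloud-based service`, and the README row `Source Code Compromise| [1](...)` again lacks a space before the pipe and the closing ` |`.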
@@ -26,5 +26,6 @@ as references, but that's ongoing work. | [XCodeGhost](compromises/2015/xcodeghost.md) | 2015 | Fake toolchain | [1](https://www.theregister.co.uk/2015/09/21/xcodeghost_apple_ios_store_malware_zapped/) | | [Ceph and Inktank](compromises/2015/ceph-and-inktank.md) | 2015 | Build, source and publishing infrastructure | [1](https://www.zdnet.com/article/red-hats-ceph-and-inktank-code-repositories-were-cracked/) | | [Code Spaces](compromises/2014/code-spaces.md) | 2014 | Source Code Compromise| [1](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/) +| [Monju Incident](compromises/2014/monju.md) | 2014 | Publishing infrastructure| [1](https://www.contextis.com/en/blog/context-threat-intelligence-the-monju-incident) | [Operation Aurora](compromises/2010/aurora.md) | 2010 | Watering-hole attack | [1](https://www.wired.com/2010/03/source-code-hacks/) | | [ProFTPD](compromises/2010/proftpd.md) | 2010 | Source Code Repository | [1](https://www.zdnet.com/article/open-source-proftpd-hacked-backdoor-planted-in-source-code/) | diff --git a/compromises/2014/monju.md b/compromises/2014/monju.md index 67a39a81b..3db675da9 100644 --- a/compromises/2014/monju.md +++ b/compromises/2014/monju.md 
@@ -1,16 +1,18 @@ # Monju Incident -The attackers subverted a legitimate software server (GOM Player website) -and delivered a malicious version of the application to users. +The attackers subverted the distribution server of GOM Player software +and delivered a malicious version of the software to users. Upon connecting to the application website to update the installed software, users were redirected to a different website, controlled by the attackers. -Thus, the users received a modified version of the software bundled with a Trojan. +As a result, the users received a modified version of the software bundled with a Trojan. ## Impact -N/A +The attack affected machines at Monju fast breeder reactor facility in Japan. +However, it it unclear whether other machines who tried +to upate their GOM Player software were infected. ## Type of Compromise -Attackers could have access to infrastructure, -but not to developer keys. +Attackers could have access to the publishing infrastructure, +but did not sign the delivered product. From f6a17d65ab8087fe25f7309a1b3897c96e0b8d47 Mon Sep 17 00:00:00 2001 From: Hammad Afzali Date: Fri, 19 Jul 2019 12:05:16 -0400 Subject: [PATCH 28/38] Add new attacks: - 2019: ShadowHammer - 2019: Dofoil --- README.md | 2 ++ compromises/2019/dofoil.md | 16 ++++++++++++++++ compromises/2019/shadowhammer.md | 21 +++++++++++++++++++++ 3 files changed, 39 insertions(+) create mode 100644 compromises/2019/dofoil.md create mode 100644 compromises/2019/shadowhammer.md diff --git a/README.md b/README.md index 182233dd6..58199d0b5 100644 --- a/README.md +++ b/README.md 
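Review bot: the Impact paragraph in `compromises/2014/monju.md` has two typos, `it it unclear` (`it is unclear`) and `upate` (`update`), and `other machines who` should be `other machines that`. The README row `Publishing infrastructure| [1](...)` needs a space before the pipe and a closing ` |`. The rewritten Type of Compromise (`did not sign the delivered product`) says something different from the original `but not to developer keys`; if the source supports that the trojanised GOM Player build was unsigned, fine, but a substantive change like that deserves a line in the commit message.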
@@ -7,6 +7,8 @@ as references, but that's ongoing work. | Name | Year | Type of compromise | Link | | ----------------- | ------------------ | ------------------ | ----------- | +| [ShadowHammer](compromises/2019/shadowhammer.md) | 2019 | Multiple steps | [1](https://www.csoonline.com/article/3384259/asus-users-fall-victim-to-supply-chain-attack-through-backdoored-update.html), [2](https://securelist.com/operation-shadowhammer/89992/) | +| [Dofoil](compromises/2019/dofoil.md) | 2019 | Publishing Infrastructure | [1](https://www.zdnet.com/article/windows-attack-poisoned-bittorrent-client-set-off-huge-dofoil-outbreak-says-microsoft/) | | [PEAR Breach](compromises/2019/pear.md) | 2019 | Publishing Infrastructure | [1](https://blog.dcso.de/php-pear-software-supply-chain-attack/), [2](https://thehackernews.com/2019/01/php-pear-hacked.html) | | [Operation Red](compromises/2018/operation-red.md) | 2018 | Publishing Infrastructure | [1](https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/) | | [Gentoo Incident](compromises/2018/gentoo.md) | 2018 | Source Code Compromise| [1](https://wiki.gentoo.org/wiki/Project:Infrastructure/Incident_Reports/2018-06-28_Github) diff --git a/compromises/2019/dofoil.md b/compromises/2019/dofoil.md new file mode 100644 index 000000000..a39b415cc --- /dev/null +++ b/compromises/2019/dofoil.md @@ -0,0 +1,16 @@ +# Dofoil + +Attackers compromised an update server and replaced a popular +BitTorrent client called MediaGet with a signed backdoored binary +to spread a malicious cryptocurrency miner. + + +## Impact + +The attack could successfully taget over 400,000 PCs mostly in +Russia, Turkey, and Ukraine. + +## Type of Compromise + +The attackers seem to have been able to compromise the +publishing infrastructure, as well as the signing key of the package. 
diff --git a/compromises/2019/shadowhammer.md b/compromises/2019/shadowhammer.md new file mode 100644 index 000000000..b3e566a98 --- /dev/null +++ b/compromises/2019/shadowhammer.md @@ -0,0 +1,21 @@ +# ShadowHammer + +The update servers of ASUS company were compromised and +a signed backdoored version of an application called +ASUS Live Update Utility was distributed to the ASUS users. +The application comes preinstalled on many Windows computers +made by ASUS and is used to deliver updates for BIOS/UEFI firmware, +hardware drivers and other ASUS tools. + + +## Impact + +Over a million users might have downloaded and installed a +backdoored version of the application. For example, a report by +Kaspersky shows over 57,000 Kaspersky users have installed +the backdoored version of ASUS Live Update Utility. + +## Type of Compromise + +It appears at the very least, the attackers had access to +the update infrastructure and the code signing key. From 7f006435d2693ada76719ff9cb8f9f4c7511497c Mon Sep 17 00:00:00 2001 From: Hammad Afzali Date: Mon, 5 Aug 2019 18:07:26 -0400 Subject: [PATCH 29/38] Minor updates: - Impact section, shadowhammer2019 - Fix typo, dofoil2018 --- README.md | 2 +- compromises/{2019 => 2018}/dofoil.md | 0 compromises/2019/shadowhammer.md | 6 +++++- 3 files changed, 6 insertions(+), 2 deletions(-) rename compromises/{2019 => 2018}/dofoil.md (100%) diff --git a/README.md b/README.md index 58199d0b5..2d144152d 100644 --- a/README.md +++ b/README.md 
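Review bot: in the README hunk the Dofoil row is filed under 2019, but the next patch in this series (PATCH 29) already re-files it under 2018; the catalog year should be the year of the incident, not the year the entry was written, so fix the row and its file path here rather than in a follow-up. Also, ShadowHammer is categorised as "Multiple steps" while its own entry describes compromised update servers plus a signed backdoored binary, which is the same access profile the table labels "Publishing Infrastructure" for Dofoil and Kingslayer; either use that category or have the entry explain what the multiple steps are.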
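Review bot: in dofoil.md, "taget" in the Impact section should be "target", and "The attack could successfully taget over 400,000 PCs" is an odd way to state a count of affected machines; suggest "The attack targeted over 400,000 PCs, mostly in Russia, Turkey, and Ukraine." One of the two blank lines before "## Impact" should go so the entry matches the others. Note as well that the description says a signed backdoored binary was distributed and the Type of Compromise says the signing key was compromised, so the README row's plain "Publishing Infrastructure" understates what the entry itself documents.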
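Review bot: in shadowhammer.md, "The update servers of ASUS company were compromised" reads awkwardly; "ASUS's update servers were compromised" is cleaner, and "distributed to the ASUS users" should drop "the". There are two blank lines before "## Impact" where the other entries use one. The Impact section attributes the 57,000 figure to Kaspersky but gives no source for "Over a million users"; since the README row already cites the csoonline and securelist articles, say which one that estimate comes from.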
@@ -8,8 +8,8 @@ as references, but that's ongoing work. | Name | Year | Type of compromise | Link | | ----------------- | ------------------ | ------------------ | ----------- | | [ShadowHammer](compromises/2019/shadowhammer.md) | 2019 | Multiple steps | [1](https://www.csoonline.com/article/3384259/asus-users-fall-victim-to-supply-chain-attack-through-backdoored-update.html), [2](https://securelist.com/operation-shadowhammer/89992/) | -| [Dofoil](compromises/2019/dofoil.md) | 2019 | Publishing Infrastructure | [1](https://www.zdnet.com/article/windows-attack-poisoned-bittorrent-client-set-off-huge-dofoil-outbreak-says-microsoft/) | | [PEAR Breach](compromises/2019/pear.md) | 2019 | Publishing Infrastructure | [1](https://blog.dcso.de/php-pear-software-supply-chain-attack/), [2](https://thehackernews.com/2019/01/php-pear-hacked.html) | +| [Dofoil](compromises/2018/dofoil.md) | 2018 | Publishing Infrastructure | [1](https://www.zdnet.com/article/windows-attack-poisoned-bittorrent-client-set-off-huge-dofoil-outbreak-says-microsoft/) | | [Operation Red](compromises/2018/operation-red.md) | 2018 | Publishing Infrastructure | [1](https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/) | | [Gentoo Incident](compromises/2018/gentoo.md) | 2018 | Source Code Compromise| [1](https://wiki.gentoo.org/wiki/Project:Infrastructure/Incident_Reports/2018-06-28_Github) | [Unnamed Maker](compromises/2018/unnamed-maker.md) | 2018 | Publishing Infrastructure | [1](https://www.bleepingcomputer.com/news/security/microsoft-discovers-supply-chain-attack-at-unnamed-maker-of-pdf-software/) | diff --git a/compromises/2019/dofoil.md b/compromises/2018/dofoil.md similarity index 100% rename from compromises/2019/dofoil.md rename to compromises/2018/dofoil.md diff --git a/compromises/2019/shadowhammer.md b/compromises/2019/shadowhammer.md index b3e566a98..4d9c86c76 100644 --- a/compromises/2019/shadowhammer.md 
+++ b/compromises/2019/shadowhammer.md @@ -13,7 +13,11 @@ hardware drivers and other ASUS tools. Over a million users might have downloaded and installed a backdoored version of the application. For example, a report by Kaspersky shows over 57,000 Kaspersky users have installed -the backdoored version of ASUS Live Update Utility. +the backdoored version of ASUS Live Update Utility. +Interestingly, a second stage of the attack was deployed +on at least 600 specific systems whose mac addresses were +hardcoded to receive a secondary payload. + ## Type of Compromise From 85e04c17b69a318b7fcb38c8919cfe46890a7980 Mon Sep 17 00:00:00 2001 From: Hammad Afzali Date: Tue, 6 Aug 2019 10:56:23 -0400 Subject: [PATCH 30/38] compromises: add colourama --- README.md | 1 + compromises/2018/colourama.md | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+) create mode 100644 compromises/2018/colourama.md diff --git a/README.md b/README.md index 2d144152d..866842fcf 100644 --- a/README.md +++ b/README.md 
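Review bot: the shadowhammer.md hunk removes and re-adds a line that appears identical ("the backdoored version of ASUS Live Update Utility."), which usually means a trailing-whitespace change; drop it from the diff if so. In the added text, "mac addresses" should be "MAC addresses", "Interestingly," is editorial and can go, and the extra blank line added before "## Type of Compromise" leaves two blank lines there. The commit message also says "Fix typo, dofoil2018", but the only Dofoil change in this patch is the 2019 to 2018 re-filing; the "taget" typo in dofoil.md is untouched (it still shows as a context line in PATCH 32), so either fix it here or reword the message.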
@@ -13,6 +13,7 @@ as references, but that's ongoing work. | [Operation Red](compromises/2018/operation-red.md) | 2018 | Publishing Infrastructure | [1](https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/) | | [Gentoo Incident](compromises/2018/gentoo.md) | 2018 | Source Code Compromise| [1](https://wiki.gentoo.org/wiki/Project:Infrastructure/Incident_Reports/2018-06-28_Github) | [Unnamed Maker](compromises/2018/unnamed-maker.md) | 2018 | Publishing Infrastructure | [1](https://www.bleepingcomputer.com/news/security/microsoft-discovers-supply-chain-attack-at-unnamed-maker-of-pdf-software/) | +| [Colourama](compromises/2018/colourama.md) | 2018 | TypoSquat | [1](https://medium.com/@bertusk/cryptocurrency-clipboard-hijacker-discovered-in-pypi-repository-b66b8a534a8), [2](https://arstechnica.com/information-technology/2018/10/two-new-supply-chain-attacks-come-to-light-in-less-than-a-week/) | | [Foxif/CCleaner](compromises/2017/ccleaner.md) | 2017 | Publishing Infrastructure | [1](http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html) | | [HandBrake](compromises/2017/handbrake.md) | 2017 | Publishing Infrastructure | [1](https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/05/handbrake-hacked-to-drop-new-variant-of-proton-malware/) | | [Kingslayer](compromises/2017/kingslayer.md) | 2017 | Publishing Infrastructure | [1](https://www.rsa.com/content/dam/premium/en/white-paper/kingslayer-a-supply-chain-attack.pdf) | diff --git a/compromises/2018/colourama.md b/compromises/2018/colourama.md new file mode 100644 index 000000000..e44525644 --- /dev/null +++ b/compromises/2018/colourama.md 
@@ -0,0 +1,18 @@ +# Colourama + +Colourama used typosquatting to register a package that had similar name to +Colorama, one of is one of the top 20 most downloaded legitimate modules +in the PyPI registry with 1 million downloads on a daily basis. The colourama +package contains a malware which targets Windows machines to implement a +cryptocurrency clipboard hijacker. As a result, was able to divert any +Bitcoin payment from victim machines to the attacker's bitcoin address. + +## Impact + +Colourama was registered early in December 2017. It is not clear how many times +the malicious package have been downlaoded since then. According to a report by +Medium, it was downloaded 55 times in October 2018. + +## Type of Compromise + +A typosquat attack does not require compromising any type of infrastructure. From 821483c78535cc4c13a3fbc4086d292325d09f54 Mon Sep 17 00:00:00 2001 From: Sarah Allen Date: Sat, 19 Oct 2019 14:55:34 -0700 Subject: [PATCH 31/38] proposed refactor of supply chain README I made a root README that introduces the topic (taking some text from in-toto assessment that I re-wrote for this context) Then moved most of prior README content into /compromises sub-directory, so that the (future) solutions can be separate from the catalog of past compromises. --- supply-chain-security/README.md | 50 ++++++++------------- supply-chain-security/compromises/README.md | 40 +++++++++++++++++ 2 files changed, 58 insertions(+), 32 deletions(-) create mode 100644 supply-chain-security/compromises/README.md diff --git a/supply-chain-security/README.md b/supply-chain-security/README.md index 866842fcf..e5d2f8308 100644 --- a/supply-chain-security/README.md +++ b/supply-chain-security/README.md 
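Review bot: the colourama.md description has a duplicated phrase, "one of is one of the top 20", and several grammar slips: "had similar name to" should be "had a name similar to", "contains a malware which" should be "contains malware that", and "As a result, was able to divert" has no subject (the malware, or the package). In the Impact section "downlaoded" should be "downloaded", "the malicious package have been" should be "has been", and "a report by Medium" misattributes the source: Medium is the hosting platform, and the cited post (the first link in the README row) is by bertusk. "Bitcoin" and "bitcoin" are also capitalised inconsistently within one sentence.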
@@ -1,34 +1,20 @@ -Software Supply Chain Compromises -================================= +Software Supply Chain +===================== + +Supply chain compromises are a powerful attack vector. In cloud native +deployments everything is software-defined, so there is increased risk when +there are vulnerabilities in this area. If an attacker controls the supply +chain, they can potentially reconfigure anything in an insecure way. + +# What are supply chain vulnerabilities and their implications? + +The [Catalog of Supply Chain Compromises](./compromises) provides real-world +examples that help raise awareness and provide detailed information that +let's us understand attack vectors and consider how to mitigate potential +risk. + +# On mitigating vulnerabilities + +There is on-going work to establish best practices in this area. -This repository contains links to articles of software supply chain -compromises. In the future it also may contain ways to query and export these -as references, but that's ongoing work. 
-| Name | Year | Type of compromise | Link | -| ----------------- | ------------------ | ------------------ | ----------- | -| [ShadowHammer](compromises/2019/shadowhammer.md) | 2019 | Multiple steps | [1](https://www.csoonline.com/article/3384259/asus-users-fall-victim-to-supply-chain-attack-through-backdoored-update.html), [2](https://securelist.com/operation-shadowhammer/89992/) | -| [PEAR Breach](compromises/2019/pear.md) | 2019 | Publishing Infrastructure | [1](https://blog.dcso.de/php-pear-software-supply-chain-attack/), [2](https://thehackernews.com/2019/01/php-pear-hacked.html) | -| [Dofoil](compromises/2018/dofoil.md) | 2018 | Publishing Infrastructure | [1](https://www.zdnet.com/article/windows-attack-poisoned-bittorrent-client-set-off-huge-dofoil-outbreak-says-microsoft/) | -| [Operation Red](compromises/2018/operation-red.md) | 2018 | Publishing Infrastructure | [1](https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/) | -| [Gentoo Incident](compromises/2018/gentoo.md) | 2018 | Source Code Compromise| [1](https://wiki.gentoo.org/wiki/Project:Infrastructure/Incident_Reports/2018-06-28_Github) -| [Unnamed Maker](compromises/2018/unnamed-maker.md) | 2018 | Publishing Infrastructure | [1](https://www.bleepingcomputer.com/news/security/microsoft-discovers-supply-chain-attack-at-unnamed-maker-of-pdf-software/) | -| [Colourama](compromises/2018/colourama.md) | 2018 | TypoSquat | [1](https://medium.com/@bertusk/cryptocurrency-clipboard-hijacker-discovered-in-pypi-repository-b66b8a534a8), [2](https://arstechnica.com/information-technology/2018/10/two-new-supply-chain-attacks-come-to-light-in-less-than-a-week/) | -| [Foxif/CCleaner](compromises/2017/ccleaner.md) | 2017 | Publishing Infrastructure | [1](http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html) | -| [HandBrake](compromises/2017/handbrake.md) | 2017 | Publishing Infrastructure | 
[1](https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/05/handbrake-hacked-to-drop-new-variant-of-proton-malware/) | -| [Kingslayer](compromises/2017/kingslayer.md) | 2017 | Publishing Infrastructure | [1](https://www.rsa.com/content/dam/premium/en/white-paper/kingslayer-a-supply-chain-attack.pdf) | -| [HackTask](compromises/2017/hacktask.md) | 2017 | TypoSquat | [1](https://securityintelligence.com/news/typosquatting-attack-puts-developers-at-risk-from-infected-javascript-packages/) | -| [NotPetya](compromises/2017/notpetya.md) | 2017 | Multiple steps | [1](https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/) | -| [Bitcoin Gold](compromises/2017/bitcoingold.md) | 2017 | Source Code Compromise | [1](https://bitcoingold.org/critical-warning-nov-26/) | -| [ExpensiveWall](compromises/2017/expensivewall.md) | 2017 | Backdooring SDK | [1](https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/),[2](https://research.checkpoint.com/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/) -| [OSX Elmedia player](compromises/2017/elmedia.md) | 2017 | Publishing infrastructure | [1](https://www.hackread.com/hackers-infect-mac-users-proton-malware-using-elmedia-player/) | -| [keydnap](compromises/2016/keydnap.md) | 2016 | Publishing infrastructure | [1](https://blog.malwarebytes.com/threat-analysis/2016/09/transmission-hijacked-again-to-spread-malware),[2](https://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/) | -| [Fosshub Breach](compromises/2016/fosshub.md) | 2016 | Publishing infrastructure | [1](https://www.ghacks.net/2016/08/03/attention-fosshub-downloads-compromised/),[2](https://www.theregister.co.uk/2016/08/04/classicshell_audicity_infection/) | -| [Linux Mint](compromises/2016/mint.md) | 2016 | Publishing infrastructure | [1](https://www.zdnet.com/article/linux-mint-website-hacked-malicious-backdoor-version/) | 
-| [Juniper Incident](compromises/2015/juniper.md) | 2015 | Source Code Compromise| [1](https://eprint.iacr.org/2016/376.pdf) -| [XCodeGhost](compromises/2015/xcodeghost.md) | 2015 | Fake toolchain | [1](https://www.theregister.co.uk/2015/09/21/xcodeghost_apple_ios_store_malware_zapped/) | -| [Ceph and Inktank](compromises/2015/ceph-and-inktank.md) | 2015 | Build, source and publishing infrastructure | [1](https://www.zdnet.com/article/red-hats-ceph-and-inktank-code-repositories-were-cracked/) | -| [Code Spaces](compromises/2014/code-spaces.md) | 2014 | Source Code Compromise| [1](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/) -| [Monju Incident](compromises/2014/monju.md) | 2014 | Publishing infrastructure| [1](https://www.contextis.com/en/blog/context-threat-intelligence-the-monju-incident) -| [Operation Aurora](compromises/2010/aurora.md) | 2010 | Watering-hole attack | [1](https://www.wired.com/2010/03/source-code-hacks/) | -| [ProFTPD](compromises/2010/proftpd.md) | 2010 | Source Code Repository | [1](https://www.zdnet.com/article/open-source-proftpd-hacked-backdoor-planted-in-source-code/) | diff --git a/supply-chain-security/compromises/README.md b/supply-chain-security/compromises/README.md new file mode 100644 index 000000000..192db19fb --- /dev/null +++ b/supply-chain-security/compromises/README.md 
@@ -0,0 +1,40 @@ +Catalog of Supply Chain Compromises +==================================== + +This repository contains links to articles of software supply chain +compromises. The goal is not to catalog every known supply chain attack, but +rather to capture many examples of different kinds of attack, so that we +can better understand the patterns and develop best practices and tools. + +We welcome additions to this catalog by +[filing an issue](https://github.com/cncf/sig-security/issues/new/choose) or +[github pull request](https://github.com/cncf/sig-security) + + +| Name | Year | Type of compromise | Link | +| ----------------- | ------------------ | ------------------ | ----------- | +| [ShadowHammer](compromises/2019/shadowhammer.md) | 2019 | Multiple steps | [1](https://www.csoonline.com/article/3384259/asus-users-fall-victim-to-supply-chain-attack-through-backdoored-update.html), [2](https://securelist.com/operation-shadowhammer/89992/) | +| [PEAR Breach](compromises/2019/pear.md) | 2019 | Publishing Infrastructure | [1](https://blog.dcso.de/php-pear-software-supply-chain-attack/), [2](https://thehackernews.com/2019/01/php-pear-hacked.html) | +| [Dofoil](compromises/2018/dofoil.md) | 2018 | Publishing Infrastructure | [1](https://www.zdnet.com/article/windows-attack-poisoned-bittorrent-client-set-off-huge-dofoil-outbreak-says-microsoft/) | +| [Operation Red](compromises/2018/operation-red.md) | 2018 | Publishing Infrastructure | [1](https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/) | +| [Gentoo Incident](compromises/2018/gentoo.md) | 2018 | Source Code Compromise| [1](https://wiki.gentoo.org/wiki/Project:Infrastructure/Incident_Reports/2018-06-28_Github) +| [Unnamed Maker](compromises/2018/unnamed-maker.md) | 2018 | Publishing Infrastructure | [1](https://www.bleepingcomputer.com/news/security/microsoft-discovers-supply-chain-attack-at-unnamed-maker-of-pdf-software/) 
| +| [Colourama](compromises/2018/colourama.md) | 2018 | TypoSquat | [1](https://medium.com/@bertusk/cryptocurrency-clipboard-hijacker-discovered-in-pypi-repository-b66b8a534a8), [2](https://arstechnica.com/information-technology/2018/10/two-new-supply-chain-attacks-come-to-light-in-less-than-a-week/) | +| [Foxif/CCleaner](compromises/2017/ccleaner.md) | 2017 | Publishing Infrastructure | [1](http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html) | +| [HandBrake](compromises/2017/handbrake.md) | 2017 | Publishing Infrastructure | [1](https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/05/handbrake-hacked-to-drop-new-variant-of-proton-malware/) | +| [Kingslayer](compromises/2017/kingslayer.md) | 2017 | Publishing Infrastructure | [1](https://www.rsa.com/content/dam/premium/en/white-paper/kingslayer-a-supply-chain-attack.pdf) | +| [HackTask](compromises/2017/hacktask.md) | 2017 | TypoSquat | [1](https://securityintelligence.com/news/typosquatting-attack-puts-developers-at-risk-from-infected-javascript-packages/) | +| [NotPetya](compromises/2017/notpetya.md) | 2017 | Multiple steps | [1](https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/) | +| [Bitcoin Gold](compromises/2017/bitcoingold.md) | 2017 | Source Code Compromise | [1](https://bitcoingold.org/critical-warning-nov-26/) | +| [ExpensiveWall](compromises/2017/expensivewall.md) | 2017 | Backdooring SDK | [1](https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/),[2](https://research.checkpoint.com/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/) +| [OSX Elmedia player](compromises/2017/elmedia.md) | 2017 | Publishing infrastructure | [1](https://www.hackread.com/hackers-infect-mac-users-proton-malware-using-elmedia-player/) | +| [keydnap](compromises/2016/keydnap.md) | 2016 | Publishing infrastructure | 
[1](https://blog.malwarebytes.com/threat-analysis/2016/09/transmission-hijacked-again-to-spread-malware),[2](https://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/) | +| [Fosshub Breach](compromises/2016/fosshub.md) | 2016 | Publishing infrastructure | [1](https://www.ghacks.net/2016/08/03/attention-fosshub-downloads-compromised/),[2](https://www.theregister.co.uk/2016/08/04/classicshell_audicity_infection/) | +| [Linux Mint](compromises/2016/mint.md) | 2016 | Publishing infrastructure | [1](https://www.zdnet.com/article/linux-mint-website-hacked-malicious-backdoor-version/) | +| [Juniper Incident](compromises/2015/juniper.md) | 2015 | Source Code Compromise| [1](https://eprint.iacr.org/2016/376.pdf) +| [XCodeGhost](compromises/2015/xcodeghost.md) | 2015 | Fake toolchain | [1](https://www.theregister.co.uk/2015/09/21/xcodeghost_apple_ios_store_malware_zapped/) | +| [Ceph and Inktank](compromises/2015/ceph-and-inktank.md) | 2015 | Build, source and publishing infrastructure | [1](https://www.zdnet.com/article/red-hats-ceph-and-inktank-code-repositories-were-cracked/) | +| [Code Spaces](compromises/2014/code-spaces.md) | 2014 | Source Code Compromise| [1](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/) +| [Monju Incident](compromises/2014/monju.md) | 2014 | Publishing infrastructure| [1](https://www.contextis.com/en/blog/context-threat-intelligence-the-monju-incident) +| [Operation Aurora](compromises/2010/aurora.md) | 2010 | Watering-hole attack | [1](https://www.wired.com/2010/03/source-code-hacks/) | +| [ProFTPD](compromises/2010/proftpd.md) | 2010 | Source Code Repository | [1](https://www.zdnet.com/article/open-source-proftpd-hacked-backdoor-planted-in-source-code/) | From b21588ad052292795852caca8b88ecd44362dadd Mon Sep 17 00:00:00 2001 
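Review bot: in the supply-chain-security/README.md hunk, "let's us understand" should be "lets us understand" and "on-going" is normally written "ongoing". The file also mixes a setext H1 ("Software Supply Chain" underlined with "=") with two ATX "#" headings, which renders as three top-level headings; the two sections should be "##". The link to "./compromises" points at a directory, so it only works on hosts that render a directory's README; "./compromises/README.md" is more robust.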
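Review bot: in the new supply-chain-security/compromises/README.md, every table link is a relative path of the form "compromises/2019/shadowhammer.md", but the file itself now lives inside supply-chain-security/compromises/, so each link resolves to supply-chain-security/compromises/compromises/... and is broken; they need to become "2019/shadowhammer.md" and so on. Smaller points: "This repository contains" should now be "This directory contains", the sentence ending "github pull request" has no full stop, several rows (Gentoo Incident, ExpensiveWall, Juniper Incident, Code Spaces, Monju Incident) lack the trailing "|" the others have, the Monju row is missing a space before the "|" after "Publishing infrastructure", and the category column mixes "Publishing Infrastructure" with "Publishing infrastructure".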
From: Santiago Torres Date: Tue, 5 Nov 2019 16:35:14 -0500 Subject: [PATCH 32/38] supply-chain-security: address comments by @lumjjb --- supply-chain-security/compromises/2010/aurora.md | 2 +- supply-chain-security/compromises/2014/code-spaces.md | 2 +- supply-chain-security/compromises/2014/monju.md | 2 +- supply-chain-security/compromises/2015/ceph-and-inktank.md | 2 +- supply-chain-security/compromises/2015/juniper.md | 2 +- supply-chain-security/compromises/2015/xcodeghost.md | 2 +- supply-chain-security/compromises/2016/fosshub.md | 2 +- supply-chain-security/compromises/2016/keydnap.md | 2 +- supply-chain-security/compromises/2016/mint.md | 2 +- supply-chain-security/compromises/2017/bitcoingold.md | 2 +- supply-chain-security/compromises/2017/ccleaner.md | 2 +- supply-chain-security/compromises/2017/expensivewall.md | 2 +- supply-chain-security/compromises/2017/hacktask.md | 2 +- supply-chain-security/compromises/2017/handbrake.md | 2 +- supply-chain-security/compromises/2017/kingslayer.md | 2 +- supply-chain-security/compromises/2017/notpetya.md | 2 +- supply-chain-security/compromises/2018/colourama.md | 2 +- supply-chain-security/compromises/2018/dofoil.md | 2 +- supply-chain-security/compromises/2018/gentoo.md | 7 +------ supply-chain-security/compromises/2018/operation-red.md | 7 +------ supply-chain-security/compromises/2018/unnamed-maker.md | 7 +------ supply-chain-security/compromises/2019/pear.md | 7 +------ supply-chain-security/compromises/2019/shadowhammer.md | 2 +- supply-chain-security/compromises/README.md | 6 +++--- 24 files changed, 26 insertions(+), 46 deletions(-) diff --git a/supply-chain-security/compromises/2010/aurora.md b/supply-chain-security/compromises/2010/aurora.md index da3098e9b..32eea591f 100644 --- a/supply-chain-security/compromises/2010/aurora.md +++ b/supply-chain-security/compromises/2010/aurora.md 
@@ -13,7 +13,7 @@ those security holes to gain unauthorized access to the system. More than 34 organizations affected, including Symanted, Northrop Grumman, Morgan Stanley, Dow chemical, Yahoo, Rackspace, Adobe and Google. -## Type of Compromise +## Type of compromise The attacker was able to compromise different tools used within the organizations to target their version control systems and exfiltrate source diff --git a/supply-chain-security/compromises/2014/code-spaces.md b/supply-chain-security/compromises/2014/code-spaces.md index a3f597d84..eca748312 100644 --- a/supply-chain-security/compromises/2014/code-spaces.md +++ b/supply-chain-security/compromises/2014/code-spaces.md @@ -7,7 +7,7 @@ was hacked and many repositories, backups, etc. were deleted by the attacker. N/A -## Type of Compromise +## Type of compromise It appears attackers had access to the source code hosting infrastructure, but not to developer keys. diff --git a/supply-chain-security/compromises/2014/monju.md b/supply-chain-security/compromises/2014/monju.md index 3db675da9..c33c447d7 100644 --- a/supply-chain-security/compromises/2014/monju.md +++ b/supply-chain-security/compromises/2014/monju.md @@ -12,7 +12,7 @@ The attack affected machines at Monju fast breeder reactor facility in Japan. However, it it unclear whether other machines who tried to upate their GOM Player software were infected. -## Type of Compromise +## Type of compromise Attackers could have access to the publishing infrastructure, but did not sign the delivered product. diff --git a/supply-chain-security/compromises/2015/ceph-and-inktank.md b/supply-chain-security/compromises/2015/ceph-and-inktank.md index dba98923e..7740e0128 100644 --- a/supply-chain-security/compromises/2015/ceph-and-inktank.md +++ b/supply-chain-security/compromises/2015/ceph-and-inktank.md 
@@ -8,7 +8,7 @@ the Ceph infrastructure and it's public-facing counterpart Inktank Unknown at the time of the writing, yet no signs of clear compromise are available. -## Type of Compromise +## Type of compromise The development platform ceph was compromised, as well as its signing gpg key. The public facing component Inktank was also compromised. diff --git a/supply-chain-security/compromises/2015/juniper.md b/supply-chain-security/compromises/2015/juniper.md index 339728fb6..bfcce239c 100644 --- a/supply-chain-security/compromises/2015/juniper.md +++ b/supply-chain-security/compromises/2015/juniper.md @@ -10,7 +10,7 @@ the second one happened by compromising a pseudorandom number generator. N/A -## Type of Compromise +## Type of compromise It appears attackers had access to a the source code hosting infrastructure, but not to developer keys. diff --git a/supply-chain-security/compromises/2015/xcodeghost.md b/supply-chain-security/compromises/2015/xcodeghost.md index 8626b2801..999e843a0 100644 --- a/supply-chain-security/compromises/2015/xcodeghost.md +++ b/supply-chain-security/compromises/2015/xcodeghost.md @@ -10,6 +10,6 @@ passwords and URLs through the infected apps. At least 350 apps, including WeChat, which affected hundreds of millions of users alone. -## Type of Compromise +## Type of compromise This was a counterfeit artifact delivered to developers. diff --git a/supply-chain-security/compromises/2016/fosshub.md b/supply-chain-security/compromises/2016/fosshub.md index 9b687eadb..be0b964a4 100644 --- a/supply-chain-security/compromises/2016/fosshub.md +++ b/supply-chain-security/compromises/2016/fosshub.md @@ -12,6 +12,6 @@ use as their primary file download service. Users who downloaded Classic Shell and Audacity software packages from FOSSHub in the first week of August 2016, were affected by Fosshub breach. -## Type of Compromise +## Type of compromise Attackers compromised the publishing infrastructure. 
diff --git a/supply-chain-security/compromises/2016/keydnap.md b/supply-chain-security/compromises/2016/keydnap.md index ce0761a63..99962616e 100644 --- a/supply-chain-security/compromises/2016/keydnap.md +++ b/supply-chain-security/compromises/2016/keydnap.md @@ -9,7 +9,7 @@ from the Apple developer program). N/A -## Type of Compromise +## Type of compromise The publishing infrastructure was affected, plus a developer certificate (by someone not associated with Transmission) was used to sign and allow for a diff --git a/supply-chain-security/compromises/2016/mint.md b/supply-chain-security/compromises/2016/mint.md index afa53b019..f4cbdcbc7 100644 --- a/supply-chain-security/compromises/2016/mint.md +++ b/supply-chain-security/compromises/2016/mint.md @@ -9,6 +9,6 @@ and pointed users to malicious download links that contained a backdoored versio The backdoored version of Linux Mint was downloaded by hundreds of users on February 20th, 2016. -## Type of Compromise +## Type of compromise Attackers compromised the publishing infrastructure, but not developer keys. diff --git a/supply-chain-security/compromises/2017/bitcoingold.md b/supply-chain-security/compromises/2017/bitcoingold.md index 312a99513..35c4639a9 100644 --- a/supply-chain-security/compromises/2017/bitcoingold.md +++ b/supply-chain-security/compromises/2017/bitcoingold.md @@ -10,7 +10,7 @@ if they created new wallets using this malicious software. Users who downloaded the compromised wallet during a window of 4.5 days may have their private keys compromises. -## Type of Compromise +## Type of compromise The attackers seem to have been able to access the version control system but not to sign on behalf of developers. diff --git a/supply-chain-security/compromises/2017/ccleaner.md b/supply-chain-security/compromises/2017/ccleaner.md index f048fc391..343751221 100644 --- a/supply-chain-security/compromises/2017/ccleaner.md +++ b/supply-chain-security/compromises/2017/ccleaner.md 
@@ -14,7 +14,7 @@ any step right before the product of that step was signed. The impact could've been severe as CCleaner had 2 billion downloads as of November 2016 with almost 5 million new users per week. -## Type of Compromise +## Type of compromise It appears the attackers could've accomplished by either compromising the version control system, the packaging or the publishing infrastructure. For the diff --git a/supply-chain-security/compromises/2017/expensivewall.md b/supply-chain-security/compromises/2017/expensivewall.md index 22bc3ddbe..255c11ca4 100644 --- a/supply-chain-security/compromises/2017/expensivewall.md +++ b/supply-chain-security/compromises/2017/expensivewall.md @@ -12,7 +12,7 @@ At least 5,904,511 devices were affected, and up to a maximum of 21,101,567, as reported on [this technical report](https://research.checkpoint.com/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/) -## Type of Compromise +## Type of compromise The attackers were able to compromise the toolchains of the developer machines and introduce a backdoor in the resulting apps. As such, developer keys can be diff --git a/supply-chain-security/compromises/2017/hacktask.md b/supply-chain-security/compromises/2017/hacktask.md index 52b89af8d..473dcbf25 100644 --- a/supply-chain-security/compromises/2017/hacktask.md +++ b/supply-chain-security/compromises/2017/hacktask.md @@ -10,6 +10,6 @@ developer credentials. were downloaded at least 700 times during the two week period that the compromise spanned. -## Type of Compromise +## Type of compromise A typosquat attack does not require compromising any type of infrastructure. diff --git a/supply-chain-security/compromises/2017/handbrake.md b/supply-chain-security/compromises/2017/handbrake.md index 514c163df..826a97557 100644 --- a/supply-chain-security/compromises/2017/handbrake.md +++ b/supply-chain-security/compromises/2017/handbrake.md 
@@ -8,7 +8,7 @@ could gain admin privileges on victims’ systems. N/A -## Type of Compromise +## Type of compromise It appears the attackers compromised the publishing infrastructure. Since no code-signing was involved, the attacker didn't require to compromise any key, diff --git a/supply-chain-security/compromises/2017/kingslayer.md b/supply-chain-security/compromises/2017/kingslayer.md index f282bd635..f85eef14c 100644 --- a/supply-chain-security/compromises/2017/kingslayer.md +++ b/supply-chain-security/compromises/2017/kingslayer.md @@ -18,7 +18,7 @@ version) include: - 24+ banks and financial institutions - 45+ higher educational institutions -## Type of Compromise +## Type of compromise The attacker had access to the publishing infrastructure (i.e., the download server) and to the signing key of the packager. diff --git a/supply-chain-security/compromises/2017/notpetya.md b/supply-chain-security/compromises/2017/notpetya.md index 10c162093..949f6042b 100644 --- a/supply-chain-security/compromises/2017/notpetya.md +++ b/supply-chain-security/compromises/2017/notpetya.md @@ -14,7 +14,7 @@ backdoor without having access to MeDoc’s source code. N/A -## Type of Compromise +## Type of compromise The attackers seem to have been able to compromise software publishing infrastructure, update servers and probably the version control system for diff --git a/supply-chain-security/compromises/2018/colourama.md b/supply-chain-security/compromises/2018/colourama.md index e44525644..7a9ac2fc6 100644 --- a/supply-chain-security/compromises/2018/colourama.md +++ b/supply-chain-security/compromises/2018/colourama.md @@ -13,6 +13,6 @@ Colourama was registered early in December 2017. It is not clear how many times the malicious package have been downlaoded since then. According to a report by Medium, it was downloaded 55 times in October 2018. -## Type of Compromise +## Type of compromise A typosquat attack does not require compromising any type of infrastructure. 
diff --git a/supply-chain-security/compromises/2018/dofoil.md b/supply-chain-security/compromises/2018/dofoil.md index a39b415cc..bc50621df 100644 --- a/supply-chain-security/compromises/2018/dofoil.md +++ b/supply-chain-security/compromises/2018/dofoil.md @@ -10,7 +10,7 @@ to spread a malicious cryptocurrency miner. The attack could successfully taget over 400,000 PCs mostly in Russia, Turkey, and Ukraine. -## Type of Compromise +## Type of compromise The attackers seem to have been able to compromise the publishing infrastructure, as well as the signing key of the package. diff --git a/supply-chain-security/compromises/2018/gentoo.md b/supply-chain-security/compromises/2018/gentoo.md index c21c6eca6..0c4d45431 100644 --- a/supply-chain-security/compromises/2018/gentoo.md +++ b/supply-chain-security/compromises/2018/gentoo.md @@ -9,12 +9,7 @@ and modified the content of repositories as well as pages. N/A -## Type of Compromise +## Type of compromise It seems that the attackers have been able to hack the source code repository but not developer keys. - - - - - diff --git a/supply-chain-security/compromises/2018/operation-red.md b/supply-chain-security/compromises/2018/operation-red.md index 4a01711a0..19d1018cd 100644 --- a/supply-chain-security/compromises/2018/operation-red.md +++ b/supply-chain-security/compromises/2018/operation-red.md @@ -14,12 +14,7 @@ located in the range of IP addresses of their target organizations. N/A -## Type of Compromise +## Type of compromise It appears the attackers compromised the publishing infrastructure, as well as signing keys for updates. - - - - - diff --git a/supply-chain-security/compromises/2018/unnamed-maker.md b/supply-chain-security/compromises/2018/unnamed-maker.md index dbcb42aca..f8e62779c 100644 --- a/supply-chain-security/compromises/2018/unnamed-maker.md +++ b/supply-chain-security/compromises/2018/unnamed-maker.md 
@@ -11,11 +11,6 @@ would receive full access to the victims' system. Users who have installed this PDF editor between January and March 2018 have been affected. -## Type of Compromise +## Type of compromise This was a counterfeit artifact delivered to developers. - - - - - diff --git a/supply-chain-security/compromises/2019/pear.md b/supply-chain-security/compromises/2019/pear.md index bae56da6d..c666fd785 100644 --- a/supply-chain-security/compromises/2019/pear.md +++ b/supply-chain-security/compromises/2019/pear.md @@ -13,13 +13,8 @@ in a window of 6 months could have been infected. Since many web hosting services allow their users to install and run PEAR, this attack might also have impacted a large number of websites and their visitors. -## Type of Compromise +## Type of compromise It appears the attackers compromised the publishing infrastructure. Since no code-signing was involved, the attacker didn't require to compromise any key, but rather just the infrastructure. - - - - - diff --git a/supply-chain-security/compromises/2019/shadowhammer.md b/supply-chain-security/compromises/2019/shadowhammer.md index 4d9c86c76..08538dc77 100644 --- a/supply-chain-security/compromises/2019/shadowhammer.md +++ b/supply-chain-security/compromises/2019/shadowhammer.md @@ -19,7 +19,7 @@ on at least 600 specific systems whose mac addresses were hardcoded to receive a secondary payload. -## Type of Compromise +## Type of compromise It appears at the very least, the attackers had access to the update infrastructure and the code signing key. diff --git a/supply-chain-security/compromises/README.md b/supply-chain-security/compromises/README.md index 192db19fb..3efd0bba7 100644 --- a/supply-chain-security/compromises/README.md +++ b/supply-chain-security/compromises/README.md 
@@ -1,5 +1,5 @@ -Catalog of Supply Chain Compromises -==================================== +# Catalog of Supply Chain Compromises + This repository contains links to articles of software supply chain compromises. The goal is not to catalog every known supply chain attack, but @@ -20,7 +20,7 @@ We welcome additions to this catalog by | [Gentoo Incident](compromises/2018/gentoo.md) | 2018 | Source Code Compromise| [1](https://wiki.gentoo.org/wiki/Project:Infrastructure/Incident_Reports/2018-06-28_Github) | [Unnamed Maker](compromises/2018/unnamed-maker.md) | 2018 | Publishing Infrastructure | [1](https://www.bleepingcomputer.com/news/security/microsoft-discovers-supply-chain-attack-at-unnamed-maker-of-pdf-software/) | | [Colourama](compromises/2018/colourama.md) | 2018 | TypoSquat | [1](https://medium.com/@bertusk/cryptocurrency-clipboard-hijacker-discovered-in-pypi-repository-b66b8a534a8), [2](https://arstechnica.com/information-technology/2018/10/two-new-supply-chain-attacks-come-to-light-in-less-than-a-week/) | -| [Foxif/CCleaner](compromises/2017/ccleaner.md) | 2017 | Publishing Infrastructure | [1](http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html) | +| [Foxif/CCleaner](compromises/2017/ccleaner.md) | 2017 | Publishing Infrastructure | [1](https://blog.talosintelligence.com/2017/09/avast-distributes-malware.html) | | [HandBrake](compromises/2017/handbrake.md) | 2017 | Publishing Infrastructure | [1](https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/05/handbrake-hacked-to-drop-new-variant-of-proton-malware/) | | [Kingslayer](compromises/2017/kingslayer.md) | 2017 | Publishing Infrastructure | [1](https://www.rsa.com/content/dam/premium/en/white-paper/kingslayer-a-supply-chain-attack.pdf) | | [HackTask](compromises/2017/hacktask.md) | 2017 | TypoSquat | [1](https://securityintelligence.com/news/typosquatting-attack-puts-developers-at-risk-from-infected-javascript-packages/) | 
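Review bot: the heading-case renames in colourama.md and dofoil.md leave typos standing in the untouched context lines directly above the changed heading: colourama.md reads "the malicious package have been downlaoded" (should be "has been downloaded") and dofoil.md reads "could successfully taget" (should be "target"); since these hunks already rewrite that region, fixing them here avoids a follow-up commit. The same sentence appears in the first hunk and in pear.md, "the attacker didn't require to compromise any key", which reads awkwardly; "did not need to compromise any key" is clearer. In the catalog README hunk at @@ -20,7 +20,7 @@ the Gentoo Incident context row ends without a closing `|`, unlike its neighbours.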
From 74729fabc971a7e6ddfcafc9fc2a5193b09e0aee Mon Sep 17 00:00:00 2001 From: Santiago Torres Date: Tue, 5 Nov 2019 16:38:21 -0500 Subject: [PATCH 33/38] sc-security:compromises add electron-native-notify --- .../2019/electron-native-notify.md | 22 +++++++++++++++++++ supply-chain-security/compromises/README.md | 1 + 2 files changed, 23 insertions(+) create mode 100644 supply-chain-security/compromises/2019/electron-native-notify.md diff --git a/supply-chain-security/compromises/2019/electron-native-notify.md b/supply-chain-security/compromises/2019/electron-native-notify.md new file mode 100644 index 000000000..ad5aaedbd --- /dev/null +++ b/supply-chain-security/compromises/2019/electron-native-notify.md @@ -0,0 +1,22 @@ +# Electron native notify + +the npm, Inc. security team, in collaboration with Komodo, helped protect over +$13 million USD in cryptocurrency assets as we found and responded to a malware +threat targeting the users of a cryptocurrency wallet called Agama. + +This attack focused on getting a malicious package into the build chain for +Agama and stealing the wallet seeds and other login passphrases used within the +application. + +## Impact + +Users of the cryptocurrency wallet called Agama lost their funds. The total +losses are not known yet, although they could have reached $13 million USD had +npm/Comodo not identified the compromise earlier. + +## Type of compromise + +It appears the attackers compromised the credentials of a developer publishing +a popular package. It is also possible that the developer of the package went +rogue (or intended to make this package a "useful package" to then slip the +payload). Read more about the "useful package attack" [here](https://blog.npmjs.org/post/185397814280/plot-to-steal-cryptocurrency-foiled-by-the-npm) diff --git a/supply-chain-security/compromises/README.md b/supply-chain-security/compromises/README.md index 3efd0bba7..6b92f90a4 100644 --- a/supply-chain-security/compromises/README.md 
+++ b/supply-chain-security/compromises/README.md @@ -13,6 +13,7 @@ We welcome additions to this catalog by | Name | Year | Type of compromise | Link | | ----------------- | ------------------ | ------------------ | ----------- | +| [electron-native-notify] | 2019 | Source Code Compromise | [1](https://blog.npmjs.org/post/185397814280/plot-to-steal-cryptocurrency-foiled-by-the-npm)[2](https://komodoplatform.com/update-agama-vulnerability/)| | [ShadowHammer](compromises/2019/shadowhammer.md) | 2019 | Multiple steps | [1](https://www.csoonline.com/article/3384259/asus-users-fall-victim-to-supply-chain-attack-through-backdoored-update.html), [2](https://securelist.com/operation-shadowhammer/89992/) | | [PEAR Breach](compromises/2019/pear.md) | 2019 | Publishing Infrastructure | [1](https://blog.dcso.de/php-pear-software-supply-chain-attack/), [2](https://thehackernews.com/2019/01/php-pear-hacked.html) | | [Dofoil](compromises/2018/dofoil.md) | 2018 | Publishing Infrastructure | [1](https://www.zdnet.com/article/windows-attack-poisoned-bittorrent-client-set-off-huge-dofoil-outbreak-says-microsoft/) | From 9b83a28350c92c5fcb187c4ccfd84bd305646e2c Mon Sep 17 00:00:00 2001 From: Santiago Torres Date: Tue, 5 Nov 2019 16:50:02 -0500 Subject: [PATCH 34/38] ssc:compromises: add gento-rsync --- .../compromises/2003/gento-rsync.md | 13 +++++++++++++ supply-chain-security/compromises/README.md | 1 + 2 files changed, 14 insertions(+) create mode 100644 supply-chain-security/compromises/2003/gento-rsync.md diff --git a/supply-chain-security/compromises/2003/gento-rsync.md b/supply-chain-security/compromises/2003/gento-rsync.md new file mode 100644 index 000000000..e4d35e327 --- /dev/null +++ b/supply-chain-security/compromises/2003/gento-rsync.md 
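Review bot: in the README hunk the new row starts with `[electron-native-notify]` and no link target, so it renders as literal bracketed text rather than a link to 2019/electron-native-notify.md, and its Link cell runs `[1](...)[2](...)` together without the `, ` separator the other rows use. In electron-native-notify.md the opening paragraph is taken from the npm blog post in npm's own first-person voice ("as we found and responded"), so it should be quoted or paraphrased, and the Impact section spells the partner "Comodo" where the first paragraph says "Komodo"; use one spelling. The table classifies the incident as "Source Code Compromise" while the file's own Type of compromise section says a developer's publishing credentials were compromised; pick one so the catalog row and the entry agree.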
@@ -0,0 +1,13 @@ +# Gentoo Incident + +Attackers used a remote exploit to compromise an rsync.gentoo.org machine +holding a copy of the emerge repository and implant a rootkit + +## Impact + +N/A + +## Type of compromise + +The attackers were able to compromise filesystem of the source code repository +and thus possibly (but highly unlikely) serve malicious packages to users. diff --git a/supply-chain-security/compromises/README.md b/supply-chain-security/compromises/README.md index 6b92f90a4..22b337830 100644 --- a/supply-chain-security/compromises/README.md +++ b/supply-chain-security/compromises/README.md @@ -39,3 +39,4 @@ We welcome additions to this catalog by | [Monju Incident](compromises/2014/monju.md) | 2014 | Publishing infrastructure| [1](https://www.contextis.com/en/blog/context-threat-intelligence-the-monju-incident) | [Operation Aurora](compromises/2010/aurora.md) | 2010 | Watering-hole attack | [1](https://www.wired.com/2010/03/source-code-hacks/) | | [ProFTPD](compromises/2010/proftpd.md) | 2010 | Source Code Repository | [1](https://www.zdnet.com/article/open-source-proftpd-hacked-backdoor-planted-in-source-code/) | +| [gentoo rsync compromise](compromises/2003/gentoo-rsync.md) | 2003 | Source Code Repository[1](https://archives.gentoo.org/gentoo-announce/message/7b0581416ddd91522c14513cb789f17a) | From e395f7c315452fbfdffe241d85611c889849116d Mon Sep 17 00:00:00 2001 From: Santiago Torres Date: Thu, 14 Nov 2019 12:14:55 -0500 Subject: [PATCH 35/38] supply-chain-security: fix wrong urls The README.md of supply-chain-security/compromises was adding a compromises prefix to its relative links. This would make the links direct to a 404 rather then the correct location. --- supply-chain-security/compromises/README.md | 54 ++++++++++----------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/supply-chain-security/compromises/README.md b/supply-chain-security/compromises/README.md index 22b337830..5da19b335 100644 
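Review bot: the README row links to `compromises/2003/gentoo-rsync.md`, but the file added in this patch is `2003/gento-rsync.md` (missing "o"), so the link cannot resolve; the row also lacks the ` | ` separator between "Source Code Repository" and the `[1]` link, which merges two table cells. In gento-rsync.md, the first paragraph ends without a period after "implant a rootkit", "compromise filesystem" needs an article ("the filesystem"), "possibly (but highly unlikely) serve malicious packages" contradicts itself as written and would be clearer as "could in principle have served malicious packages to users, though this was considered highly unlikely", and the title "# Gentoo Incident" duplicates the name of the 2018 entry; "# Gentoo rsync compromise" would match the README row.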
--- a/supply-chain-security/compromises/README.md +++ b/supply-chain-security/compromises/README.md 
@@ -13,30 +13,30 @@ We welcome additions to this catalog by | Name | Year | Type of compromise | Link | | ----------------- | ------------------ | ------------------ | ----------- | -| [electron-native-notify] | 2019 | Source Code Compromise | [1](https://blog.npmjs.org/post/185397814280/plot-to-steal-cryptocurrency-foiled-by-the-npm)[2](https://komodoplatform.com/update-agama-vulnerability/)| -| [ShadowHammer](compromises/2019/shadowhammer.md) | 2019 | Multiple steps | [1](https://www.csoonline.com/article/3384259/asus-users-fall-victim-to-supply-chain-attack-through-backdoored-update.html), [2](https://securelist.com/operation-shadowhammer/89992/) | -| [PEAR Breach](compromises/2019/pear.md) | 2019 | Publishing Infrastructure | [1](https://blog.dcso.de/php-pear-software-supply-chain-attack/), [2](https://thehackernews.com/2019/01/php-pear-hacked.html) | -| [Dofoil](compromises/2018/dofoil.md) | 2018 | Publishing Infrastructure | [1](https://www.zdnet.com/article/windows-attack-poisoned-bittorrent-client-set-off-huge-dofoil-outbreak-says-microsoft/) | -| [Operation Red](compromises/2018/operation-red.md) | 2018 | Publishing Infrastructure | [1](https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/) | -| [Gentoo Incident](compromises/2018/gentoo.md) | 2018 | Source Code Compromise| [1](https://wiki.gentoo.org/wiki/Project:Infrastructure/Incident_Reports/2018-06-28_Github) -| [Unnamed Maker](compromises/2018/unnamed-maker.md) | 2018 | Publishing Infrastructure | [1](https://www.bleepingcomputer.com/news/security/microsoft-discovers-supply-chain-attack-at-unnamed-maker-of-pdf-software/) | -| [Colourama](compromises/2018/colourama.md) | 2018 | TypoSquat | [1](https://medium.com/@bertusk/cryptocurrency-clipboard-hijacker-discovered-in-pypi-repository-b66b8a534a8), 
[2](https://arstechnica.com/information-technology/2018/10/two-new-supply-chain-attacks-come-to-light-in-less-than-a-week/) | -| [Foxif/CCleaner](compromises/2017/ccleaner.md) | 2017 | Publishing Infrastructure | [1](https://blog.talosintelligence.com/2017/09/avast-distributes-malware.html) | -| [HandBrake](compromises/2017/handbrake.md) | 2017 | Publishing Infrastructure | [1](https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/05/handbrake-hacked-to-drop-new-variant-of-proton-malware/) | -| [Kingslayer](compromises/2017/kingslayer.md) | 2017 | Publishing Infrastructure | [1](https://www.rsa.com/content/dam/premium/en/white-paper/kingslayer-a-supply-chain-attack.pdf) | -| [HackTask](compromises/2017/hacktask.md) | 2017 | TypoSquat | [1](https://securityintelligence.com/news/typosquatting-attack-puts-developers-at-risk-from-infected-javascript-packages/) | -| [NotPetya](compromises/2017/notpetya.md) | 2017 | Multiple steps | [1](https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/) | -| [Bitcoin Gold](compromises/2017/bitcoingold.md) | 2017 | Source Code Compromise | [1](https://bitcoingold.org/critical-warning-nov-26/) | -| [ExpensiveWall](compromises/2017/expensivewall.md) | 2017 | Backdooring SDK | [1](https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/),[2](https://research.checkpoint.com/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/) -| [OSX Elmedia player](compromises/2017/elmedia.md) | 2017 | Publishing infrastructure | [1](https://www.hackread.com/hackers-infect-mac-users-proton-malware-using-elmedia-player/) | -| [keydnap](compromises/2016/keydnap.md) | 2016 | Publishing infrastructure | [1](https://blog.malwarebytes.com/threat-analysis/2016/09/transmission-hijacked-again-to-spread-malware),[2](https://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/) | -| [Fosshub 
Breach](compromises/2016/fosshub.md) | 2016 | Publishing infrastructure | [1](https://www.ghacks.net/2016/08/03/attention-fosshub-downloads-compromised/),[2](https://www.theregister.co.uk/2016/08/04/classicshell_audicity_infection/) | -| [Linux Mint](compromises/2016/mint.md) | 2016 | Publishing infrastructure | [1](https://www.zdnet.com/article/linux-mint-website-hacked-malicious-backdoor-version/) | -| [Juniper Incident](compromises/2015/juniper.md) | 2015 | Source Code Compromise| [1](https://eprint.iacr.org/2016/376.pdf) -| [XCodeGhost](compromises/2015/xcodeghost.md) | 2015 | Fake toolchain | [1](https://www.theregister.co.uk/2015/09/21/xcodeghost_apple_ios_store_malware_zapped/) | -| [Ceph and Inktank](compromises/2015/ceph-and-inktank.md) | 2015 | Build, source and publishing infrastructure | [1](https://www.zdnet.com/article/red-hats-ceph-and-inktank-code-repositories-were-cracked/) | -| [Code Spaces](compromises/2014/code-spaces.md) | 2014 | Source Code Compromise| [1](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/) -| [Monju Incident](compromises/2014/monju.md) | 2014 | Publishing infrastructure| [1](https://www.contextis.com/en/blog/context-threat-intelligence-the-monju-incident) -| [Operation Aurora](compromises/2010/aurora.md) | 2010 | Watering-hole attack | [1](https://www.wired.com/2010/03/source-code-hacks/) | -| [ProFTPD](compromises/2010/proftpd.md) | 2010 | Source Code Repository | [1](https://www.zdnet.com/article/open-source-proftpd-hacked-backdoor-planted-in-source-code/) | -| [gentoo rsync compromise](compromises/2003/gentoo-rsync.md) | 2003 | Source Code Repository[1](https://archives.gentoo.org/gentoo-announce/message/7b0581416ddd91522c14513cb789f17a) | +| [electron-native-notify](2019/electron-native-notify.md) | 2019 | Source Code Compromise | [1](https://blog.npmjs.org/post/185397814280/plot-to-steal-cryptocurrency-foiled-by-the-npm)[2](https://komodoplatform.com/update-agama-vulnerability/)| +| 
[ShadowHammer](2019/shadowhammer.md) | 2019 | Multiple steps | [1](https://www.csoonline.com/article/3384259/asus-users-fall-victim-to-supply-chain-attack-through-backdoored-update.html), [2](https://securelist.com/operation-shadowhammer/89992/) | +| [PEAR Breach](2019/pear.md) | 2019 | Publishing Infrastructure | [1](https://blog.dcso.de/php-pear-software-supply-chain-attack/), [2](https://thehackernews.com/2019/01/php-pear-hacked.html) | +| [Dofoil](2018/dofoil.md) | 2018 | Publishing Infrastructure | [1](https://www.zdnet.com/article/windows-attack-poisoned-bittorrent-client-set-off-huge-dofoil-outbreak-says-microsoft/) | +| [Operation Red](2018/operation-red.md) | 2018 | Publishing Infrastructure | [1](https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/) | +| [Gentoo Incident](2018/gentoo.md) | 2018 | Source Code Compromise| [1](https://wiki.gentoo.org/wiki/Project:Infrastructure/Incident_Reports/2018-06-28_Github) +| [Unnamed Maker](2018/unnamed-maker.md) | 2018 | Publishing Infrastructure | [1](https://www.bleepingcomputer.com/news/security/microsoft-discovers-supply-chain-attack-at-unnamed-maker-of-pdf-software/) | +| [Colourama](2018/colourama.md) | 2018 | TypoSquat | [1](https://medium.com/@bertusk/cryptocurrency-clipboard-hijacker-discovered-in-pypi-repository-b66b8a534a8), [2](https://arstechnica.com/information-technology/2018/10/two-new-supply-chain-attacks-come-to-light-in-less-than-a-week/) | +| [Foxif/CCleaner](2017/ccleaner.md) | 2017 | Publishing Infrastructure | [1](https://blog.talosintelligence.com/2017/09/avast-distributes-malware.html) | +| [HandBrake](2017/handbrake.md) | 2017 | Publishing Infrastructure | [1](https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/05/handbrake-hacked-to-drop-new-variant-of-proton-malware/) | +| [Kingslayer](2017/kingslayer.md) | 2017 | Publishing Infrastructure | 
[1](https://www.rsa.com/content/dam/premium/en/white-paper/kingslayer-a-supply-chain-attack.pdf) | +| [HackTask](2017/hacktask.md) | 2017 | TypoSquat | [1](https://securityintelligence.com/news/typosquatting-attack-puts-developers-at-risk-from-infected-javascript-packages/) | +| [NotPetya](2017/notpetya.md) | 2017 | Multiple steps | [1](https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/) | +| [Bitcoin Gold](2017/bitcoingold.md) | 2017 | Source Code Compromise | [1](https://bitcoingold.org/critical-warning-nov-26/) | +| [ExpensiveWall](2017/expensivewall.md) | 2017 | Backdooring SDK | [1](https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/),[2](https://research.checkpoint.com/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/) +| [OSX Elmedia player](2017/elmedia.md) | 2017 | Publishing infrastructure | [1](https://www.hackread.com/hackers-infect-mac-users-proton-malware-using-elmedia-player/) | +| [keydnap](2016/keydnap.md) | 2016 | Publishing infrastructure | [1](https://blog.malwarebytes.com/threat-analysis/2016/09/transmission-hijacked-again-to-spread-malware),[2](https://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/) | +| [Fosshub Breach](2016/fosshub.md) | 2016 | Publishing infrastructure | [1](https://www.ghacks.net/2016/08/03/attention-fosshub-downloads-compromised/),[2](https://www.theregister.co.uk/2016/08/04/classicshell_audicity_infection/) | +| [Linux Mint](2016/mint.md) | 2016 | Publishing infrastructure | [1](https://www.zdnet.com/article/linux-mint-website-hacked-malicious-backdoor-version/) | +| [Juniper Incident](2015/juniper.md) | 2015 | Source Code Compromise| [1](https://eprint.iacr.org/2016/376.pdf) +| [XCodeGhost](2015/xcodeghost.md) | 2015 | Fake toolchain | [1](https://www.theregister.co.uk/2015/09/21/xcodeghost_apple_ios_store_malware_zapped/) | +| [Ceph and Inktank](2015/ceph-and-inktank.md) | 
2015 | Build, source and publishing infrastructure | [1](https://www.zdnet.com/article/red-hats-ceph-and-inktank-code-repositories-were-cracked/) | +| [Code Spaces](2014/code-spaces.md) | 2014 | Source Code Compromise| [1](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/) +| [Monju Incident](2014/monju.md) | 2014 | Publishing infrastructure| [1](https://www.contextis.com/en/blog/context-threat-intelligence-the-monju-incident) +| [Operation Aurora](2010/aurora.md) | 2010 | Watering-hole attack | [1](https://www.wired.com/2010/03/source-code-hacks/) | +| [ProFTPD](2010/proftpd.md) | 2010 | Source Code Repository | [1](https://www.zdnet.com/article/open-source-proftpd-hacked-backdoor-planted-in-source-code/) | +| [gentoo rsync compromise](2003/gentoo-rsync.md) | 2003 | Source Code Repository[1](https://archives.gentoo.org/gentoo-announce/message/7b0581416ddd91522c14513cb789f17a) | From b2e5ec383ab94c587bd4a4748103e81e9d0a6dba Mon Sep 17 00:00:00 2001 From: Santiago Torres Date: Thu, 14 Nov 2019 12:54:49 -0500 Subject: [PATCH 36/38] rename gento-rsync to gentoo-rsync --- .../compromises/2003/{gento-rsync.md => gentoo-rsync.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename supply-chain-security/compromises/2003/{gento-rsync.md => gentoo-rsync.md} (100%) diff --git a/supply-chain-security/compromises/2003/gento-rsync.md b/supply-chain-security/compromises/2003/gentoo-rsync.md similarity index 100% rename from supply-chain-security/compromises/2003/gento-rsync.md rename to supply-chain-security/compromises/2003/gentoo-rsync.md From 1e1a41860e036dbb043b9c7a043e95a9de3ddbc3 Mon Sep 17 00:00:00 2001 From: Santiago Torres Date: Thu, 14 Nov 2019 12:58:24 -0500 Subject: [PATCH 37/38] ssc: compromises: consistent spacing of references --- supply-chain-security/compromises/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
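Review bot: the rewritten rows carry over three defects from the removed lines instead of fixing them: the electron-native-notify row still concatenates `[1](...)[2](...)` with no separator, the gentoo rsync row still has no ` | ` between "Source Code Repository" and `[1]`, and several rows (Gentoo Incident, ExpensiveWall, Juniper Incident, Code Spaces, Monju Incident) still end without a closing `|`. More importantly, `2003/gentoo-rsync.md` does not exist at this commit, since the file is still `2003/gento-rsync.md`, so that link remains broken until the rename in PATCH 36 lands; squashing the rename into this commit would keep every commit in the series with working links. The commit message also has "rather then" for "rather than".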
diff --git a/supply-chain-security/compromises/README.md b/supply-chain-security/compromises/README.md index 5da19b335..d1b520176 100644 --- a/supply-chain-security/compromises/README.md +++ b/supply-chain-security/compromises/README.md @@ -13,7 +13,7 @@ We welcome additions to this catalog by | Name | Year | Type of compromise | Link | | ----------------- | ------------------ | ------------------ | ----------- | -| [electron-native-notify](2019/electron-native-notify.md) | 2019 | Source Code Compromise | [1](https://blog.npmjs.org/post/185397814280/plot-to-steal-cryptocurrency-foiled-by-the-npm)[2](https://komodoplatform.com/update-agama-vulnerability/)| +| [electron-native-notify](2019/electron-native-notify.md) | 2019 | Source Code Compromise | [1](https://blog.npmjs.org/post/185397814280/plot-to-steal-cryptocurrency-foiled-by-the-npm), [2](https://komodoplatform.com/update-agama-vulnerability/)| | [ShadowHammer](2019/shadowhammer.md) | 2019 | Multiple steps | [1](https://www.csoonline.com/article/3384259/asus-users-fall-victim-to-supply-chain-attack-through-backdoored-update.html), [2](https://securelist.com/operation-shadowhammer/89992/) | | [PEAR Breach](2019/pear.md) | 2019 | Publishing Infrastructure | [1](https://blog.dcso.de/php-pear-software-supply-chain-attack/), [2](https://thehackernews.com/2019/01/php-pear-hacked.html) | | [Dofoil](2018/dofoil.md) | 2018 | Publishing Infrastructure | [1](https://www.zdnet.com/article/windows-attack-poisoned-bittorrent-client-set-off-huge-dofoil-outbreak-says-microsoft/) | 
@@ -27,10 +27,10 @@ We welcome additions to this catalog by | [HackTask](2017/hacktask.md) | 2017 | TypoSquat | [1](https://securityintelligence.com/news/typosquatting-attack-puts-developers-at-risk-from-infected-javascript-packages/) | | [NotPetya](2017/notpetya.md) | 2017 | Multiple steps | [1](https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/) | | [Bitcoin Gold](2017/bitcoingold.md) | 2017 | Source Code Compromise | [1](https://bitcoingold.org/critical-warning-nov-26/) | -| [ExpensiveWall](2017/expensivewall.md) | 2017 | Backdooring SDK | [1](https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/),[2](https://research.checkpoint.com/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/) +| [ExpensiveWall](2017/expensivewall.md) | 2017 | Backdooring SDK | [1](https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/), [2](https://research.checkpoint.com/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/) | [OSX Elmedia player](2017/elmedia.md) | 2017 | Publishing infrastructure | [1](https://www.hackread.com/hackers-infect-mac-users-proton-malware-using-elmedia-player/) | -| [keydnap](2016/keydnap.md) | 2016 | Publishing infrastructure | [1](https://blog.malwarebytes.com/threat-analysis/2016/09/transmission-hijacked-again-to-spread-malware),[2](https://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/) | -| [Fosshub Breach](2016/fosshub.md) | 2016 | Publishing infrastructure | [1](https://www.ghacks.net/2016/08/03/attention-fosshub-downloads-compromised/),[2](https://www.theregister.co.uk/2016/08/04/classicshell_audicity_infection/) | +| [keydnap](2016/keydnap.md) | 2016 | Publishing infrastructure | [1](https://blog.malwarebytes.com/threat-analysis/2016/09/transmission-hijacked-again-to-spread-malware), 
[2](https://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/) | +| [Fosshub Breach](2016/fosshub.md) | 2016 | Publishing infrastructure | [1](https://www.ghacks.net/2016/08/03/attention-fosshub-downloads-compromised/), [2](https://www.theregister.co.uk/2016/08/04/classicshell_audicity_infection/) | | [Linux Mint](2016/mint.md) | 2016 | Publishing infrastructure | [1](https://www.zdnet.com/article/linux-mint-website-hacked-malicious-backdoor-version/) | | [Juniper Incident](2015/juniper.md) | 2015 | Source Code Compromise| [1](https://eprint.iacr.org/2016/376.pdf) | [XCodeGhost](2015/xcodeghost.md) | 2015 | Fake toolchain | [1](https://www.theregister.co.uk/2015/09/21/xcodeghost_apple_ios_store_malware_zapped/) | From 3ea2146d95f29af78d9904796338342e8948a2f5 Mon Sep 17 00:00:00 2001 From: Santiago Torres Date: Thu, 14 Nov 2019 13:03:02 -0500 Subject: [PATCH 38/38] compromises: fix missing column separator --- supply-chain-security/compromises/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/supply-chain-security/compromises/README.md b/supply-chain-security/compromises/README.md index d1b520176..39d4fff05 100644 --- a/supply-chain-security/compromises/README.md +++ b/supply-chain-security/compromises/README.md 
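Review bot: the spacing normalisation is incomplete within the lines these hunks touch: the electron-native-notify row still ends in `)|` with no space before the closing pipe, unlike every other row, and the ExpensiveWall row still has no closing `|` at all; since both rows are rewritten here, fixing them in the same commit keeps the "consistent spacing" subject accurate.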
@@ -39,4 +39,4 @@ We welcome additions to this catalog by | [Monju Incident](2014/monju.md) | 2014 | Publishing infrastructure| [1](https://www.contextis.com/en/blog/context-threat-intelligence-the-monju-incident) | [Operation Aurora](2010/aurora.md) | 2010 | Watering-hole attack | [1](https://www.wired.com/2010/03/source-code-hacks/) | | [ProFTPD](2010/proftpd.md) | 2010 | Source Code Repository | [1](https://www.zdnet.com/article/open-source-proftpd-hacked-backdoor-planted-in-source-code/) | -| [gentoo rsync compromise](2003/gentoo-rsync.md) | 2003 | Source Code Repository[1](https://archives.gentoo.org/gentoo-announce/message/7b0581416ddd91522c14513cb789f17a) | +| [gentoo rsync compromise](2003/gentoo-rsync.md) | 2003 | Source Code Repository | [1](https://archives.gentoo.org/gentoo-announce/message/7b0581416ddd91522c14513cb789f17a) |
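Review bot: the fix to the gentoo rsync row is correct, but the context lines in this same hunk show the Monju Incident row with `Publishing infrastructure|` (no space before the pipe) and no closing `|`, so the table remains inconsistent in the region this commit already touches; worth folding into this change rather than a separate follow-up.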