Inside Security: Could you explain what a software supply chain attack is and how widespread it is?
Robert Perica: A software supply chain attack is an attack in which a malicious actor will use the software dependencies of an organization or perhaps target third-party vendors that provide such organizations with software or services. These vendors are typically considered as trusted publishers, and therefore organizations spend much less time verifying the packages that these vendors send them.
Software supply chain attacks are becoming increasingly common, especially for open-source repositories because they are used by millions of developers around the world, some of whom work for organizations that use open-source technologies.
Some of the attacks go unnoticed, but it all depends on the security level of the company that's hit by such an attack or perhaps the security solutions that are in place that protect such companies.
IS: Could you explain more about how open-source repositories are exploited for this kind of attack?
Perica: Open-source repositories are known for their large package and code bases. Due to their popularity and usage, there is usually no time to thoroughly inspect or check the behavior of all packages. Open-source repositories are typically exploited either through credential abuse or more easily through typosquatting.
Credential abuse usually refers to stealing the credentials of a particular open-source contributor and then trojanizing their code. Such a thing occurred a few years back with one of the popular torrent clients.
The second thing is typosquatting, which refers to creating packages with names that are intentionally similar to other legitimate packages.
IS: Could you explain more about what typosquatting is and how it's used to deploy malware?
Perica: Typosquatting refers to the practice of creating names that are intentionally similar to other names with the hope that an unsuspecting user will mistype the name when using it. Typosquatting is not only related to supply chain attacks. It is commonly used for creating misleading URLs. This leads to phishing sites. But when it's used for package names, the usual culprits are delimiters such as dashes and underscores. For example, you use the dash in the legitimate name and an underscore in a typosquat. It's easy to mistype. Other things that pop up are version numbers. For example, you leave out a specific number, you mess up the ordering of the letters, or you miss a particular letter and so on.
Typosquats are usually just the first step. You typically mistype a package name, and many packages run code during the installation procedure. So that code can be anything from a simple downloader that will download the second stage that can be a backdoor for later entry, or it can be a full-blown malicious component. From what we observed, malicious code is just an initial vector. It's rare to find a full-blown malicious component in an open-source repository of that type.
IS: What happens when the victim visits one of these bogus sites?
Perica: There's a difference between using typosquats for delivering phishing links and for using it to change the package name. Once a person mistypes a particular package name, the other package with the different package name is uploaded to the repository. It will download the other package. It's typically used, for example, in repositories such as RubyGems, PyPI, and NPM. Many of these repositories execute code during the installation procedure, so that code can be anything. For example, you can include code that will download a totally different component during the installation process and register it to run at startup. It can be essentially anything. So the sky is the limit.
IS: What would be some of the things that would be of concern to companies?
Perica: It all depends. For example, you can download a ransomware component once you mistype a package name. If you install a malicious package from an open-source repository, you really don't know what will be downloaded. Ransomware is a simple thing that is visible instantly. You will usually pay a high price to get your data back, if you get it back at all, right? The other thing you need to be on the lookout for is trojans for backdoors. If a malicious actor downloads a backdoor, it will essentially give him a foothold for later entry into your organization. So he may not ask for a bounty to decrypt your data, but he might be able to steal all of your data and exfiltrate it somewhere else and then sell it for a higher price.
IS: What can individuals and organizations do to protect themselves from software supply chain attacks?
Perica: From what we see, there are very few protections out there for software developers to make sure that packages they install from these repositories are malware-free. Software security vendors that specialize in malware detections typically do not integrate with development environments. Currently, the malware detection task is outsourced to endpoint protection solutions, which in turn focus primarily on malware that targets the end-user. So there is a huge gap in the market currently, which is being exploited by malware authors. You really have to be careful about what you type, double-check everything, and practice due diligence.