Public registries are widely used by developers and organizations to download and distribute software packages and container images, making them an attractive target for attackers.
In this type of attack, the attacker creates a package or container image that contains malicious code or files, such as a backdoor or other malware.
The attacker then uploads the package or image to PyPI, DockerHub or other registry, posing as a legitimate user or creating a fake account.
Once the package or image is uploaded, it becomes available for download by other users who may unsuspectingly use it in their projects.
The supply chain attack can have far-reaching consequences as it can affect all systems that rely on the malicious package or image.
For example, a Python package that is downloaded from PyPI may be used by multiple applications and libraries, potentially compromising all systems that use it.
Similarly, a container image with a malicious payload may be used to deploy an application across multiple environments, leading to a widespread compromise.
ID:T0109
Type:Technique
Tactic:Resource Development
Summary:Publish malicious artifact
State:Draft
Mitigations
ID
TYPE
SUMMARY
DESCRIPTION
M1090
Mitigation
Mitigation Implement code and image signing Require digital signatures or code signing certificates for packages or container images uploaded to public registries.
This helps ensure the integrity and authenticity of the artifacts, and helps detect any tampering or malicious modifications.
M1503
Mitigation
Mitigation Implement SCA analysis Component Analysis is the process of identifying potential areas of risk from the use of third-party and open-source software and hardware components.
The best option for implementing SCA analysis is integration of SCA analysis tools into your CI/CD environment in order to scan your source code dependencies before the release.
M1732
Mitigation
Mitigation Implement code scanning for security risks Scanning pull requests to detect risks allows for early detection of vulnerable code and/or dependencies and helps mitigate potentially malicious code.
For every repository in use, enforce risk scanning on every pull request.
Detections
ID
TYPE
SUMMARY
DESCRIPTION
D1090
Detection
Detection Implement package or image integrity verification Implement mechanisms to verify the integrity of packages or container images downloaded from public registries, such as digital signatures, checksums, or hash values.
Compare the downloaded packages or images against trusted sources to ensure that they have not been tampered with during the upload process.
D1500
Detection
Detection Configure monitoring of used artifacts and open-source libraries Implement regular scanning of used artifacts and open-source libraries for known vulnerabilities.
Set up monitoring of reported issues based on regular scanning results.
D1510
Detection
Detection Implement Intrusion Detection System and anti-malware An intrusion detection system (IDS) is a security tool designed to detect and alert on unauthorized access to a computer system or network.
Implementing intrusion detection systems (IDS) and anti-malware software can help to identify and block malicious activity. IDS is a critical security tool that helps organizations to detect and respond to security incidents in a timely manner. By providing real-time monitoring and analysis of network traffic, IDS can help organizations to stay ahead of potential threats and reduce the risk of a security breach.
AppSec teams are overwhelmed by useless alerts, managing numerous applications with vulnerabilities across various kill-chain stages, making them increasingly susceptible to successful attacks.
