1. Foreword

On December 13, 2020, FireEye released an analysis report stating that SolarWinds, the world's best-known network security software provider, had suffered a supply chain attack and that a Trojan backdoor had been embedded in its product. The affected versions are 2019.4 HF 5 to 2020.2.1; machines running these versions can be fully controlled by attackers. SolarWinds posted a security notice on its website showing that approximately 18,000 customers downloaded the affected software, affecting more than 250 enterprises, including government agencies, critical infrastructure, and national and public services in North America, Europe, Asia, and the Middle East.

In February 2021, foreign security media reported that a security researcher, in a study of supply chain poisoning, had successfully penetrated the intranets of more than 35 large companies, including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, Uber and many other well-known global enterprises. The root cause of this incident was chaotic management of internal third-party dependency packages. Companies commonly maintain a private mirror internally that stores internally developed packages. If developers do not specify the private source when installing these packages, the package management tool searches the public source and downloads the dependency from there. When a malicious attacker uploads a package with the same name to the public source, and the malicious package has a higher version number, the package management tool automatically pulls the malicious package, resulting in the execution of malicious code.

At present, the frequency and maturity of supply chain attacks are increasing. Supply chain attacks now account for 50 percent of all cyber attacks, a 78 percent jump from last year, according to industry estimates. As many as two-thirds of companies have experienced at least one supply chain attack. At the same time, 80 percent of IT professionals believe that software supply chain attacks will be one of the biggest cyber threats facing companies in the next three years.

2. Software supply chain attacks

2.1 Software Supply Chain

Traditional supply chain refers to the network structure of raw material suppliers, manufacturers, distributors, retailers and final consumers involved in the process of product production and circulation through the connection with upstream and downstream members. It is a network of enterprises and business departments involved in the process of acquiring materials, processing materials, and delivering finished products to users.

The traditional supply chain model can be completely applied to computer software and hardware, so the concept of software supply chain is derived: software architecture consisting of a series of behaviors and tools involved in the process of software development, delivery and use.

2.2 Software supply chain attack

As the name implies, software supply chain attacks target the development, delivery and use stages of software. For example, the attack on SolarWinds, the network security software provider introduced in the foreword, targets the software use stage, while the attack on the Python HTTP library requests targets the software development stage.

Of all attacks against the software supply chain, attacks on third-party libraries in the development stage are the most destructive and have the widest reach. The basic reason is that the current software stack contains a wide variety of third-party libraries, and if any one of them is attacked, the entire software is bound to be affected. There are two ways to attack third-party libraries:

  1. Attackers compromise the official servers of well-known software, tamper with the source code to add malicious code, and then serve it to users who download from the official site. This kind of attack is relatively difficult, but its range of influence is extremely broad: all users of the software are affected. An example is the PHP official code poisoning incident. In March this year, the server git.php.net (the original official PHP code server) was suspected to have been attacked, and the attacker submitted two backdoor commits to the PHP source code. The backdoor is triggered by checking whether the User-Agentt header (not User-Agent) in the HTTP request contains the Zerodium keyword, and could theoretically affect any site developed using PHP.
  2. Attackers upload packages containing malicious code to open source package repositories such as NPM, PyPI, RubyGems, Godoc, and Maven. These packages usually have names very similar to well-known third-party packages, such as request and requests mentioned above. Because the package names are confusing, users can easily download and install the malicious packages, which triggers the malicious code. This kind of attack is very low cost and easy to carry out at scale, so the detection and governance of such malicious software packages is the focus of the rest of this article and the main object of governance.

3. Attack and defense of third-party software packages

3.1 Attack Methods of Third-party Software Packages

To improve development efficiency, developers tend to use external services, open source code or code snippets. However, most developers place excessive trust in external code and generally do not audit the code they use in detail, which gives external risks an opportunity to enter the software system. So how do these malicious third-party packages get introduced? The common introduction methods are described below.

1. Installing the wrong dependency package

In Python, the name used to import a package can differ slightly from the name used to install it, as with the pwntools library:

```python
from pwn import *
```

Developers who come across this code may habitually type pip install pwn, whereas the correct command is pip install pwntools. The mistyped command can install a different, unintended and possibly malicious package.

2. Packages with the same name

Most companies maintain their own internal mirror source that stores library files for internal use only, and often add special characters to package names, such as XX-redis, to keep them distinct from packages on external sources. Careless developers may forget to specify the internal source when downloading these packages, in which case the package management tool searches the public source. If a malicious package with the same name exists on the public source, the attacker can successfully enter the intranet.

In particular, note how pip handles sources. Some developers use the --extra-index-url= parameter to point to the private source, but with this parameter pip searches both pypi.org and the private source and downloads the newer version. Using --index-url= does not cause this problem.
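The selection behaviour described above can be modelled offline. The following is an added example, not code from the original article or from pip: the index contents are constructed sample data, the function names are hypothetical, and version parsing is simplified to numeric components.

```python
import re

def normalize(name):
    """PEP 503 name normalization: case-insensitive, '-', '_' and '.' equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_version(v):
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically (simplified)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

# Constructed sample data: package name -> versions published on each index.
PRIVATE_INDEX = {"xx-redis": ["1.2.0", "1.3.1"], "xx_auth": ["0.9.0"]}
PUBLIC_INDEX = {"XX-Redis": ["99.0.0"], "requests": ["2.25.1", "2.26.0"]}

def versions_of(index, name):
    """All versions an index offers for `name`, matching on the normalized name."""
    wanted = normalize(name)
    return [v for key, vs in index.items() if normalize(key) == wanted for v in vs]

def resolve(name, indexes):
    """Return (version, index_label) of the highest version across all indexes.
    Passing both indexes models --extra-index-url; passing one models --index-url."""
    candidates = [(parse_version(v), v, label)
                  for label, index in indexes
                  for v in versions_of(index, name)]
    if not candidates:
        return None
    _, version, label = max(candidates)
    return version, label

def audit_collisions(private, public):
    """For each private name also present publicly, report
    (name, private_max, public_max, public_would_win)."""
    findings = []
    for name in sorted(private):
        pub = versions_of(public, name)
        if pub:
            priv_max = max(private[name], key=parse_version)
            pub_max = max(pub, key=parse_version)
            findings.append((name, priv_max, pub_max,
                             parse_version(pub_max) > parse_version(priv_max)))
    return findings

if __name__ == "__main__":
    both = [("private", PRIVATE_INDEX), ("public", PUBLIC_INDEX)]
    print("--extra-index-url:", resolve("xx-redis", both))
    print("--index-url only: ", resolve("xx-redis", [("private", PRIVATE_INDEX)]))
    print("collisions:", audit_collisions(PRIVATE_INDEX, PUBLIC_INDEX))
```

Running the audit against the real list of internal package names shows which of them are already claimable or claimed on the public index.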

3. Typosquatting

This is similar to the same-name attack, but it depends more on luck, because it requires users to mistype the package name, so the overall success rate of the attack is relatively low. An example is the malicious request package poisoning in the official PyPI repository.

4. Introducing risky snippets directly

Attackers intentionally or unintentionally upload risky code blocks, which spread across the Internet and rank highly in search engines. When developers search for an implementation of the corresponding function, it is easy to paste the code directly into the project, which introduces the risk. The best example is the getip function in PHP: the user IP it returns can easily be changed by modifying the request headers, and in combination with other code logic it can also introduce SQLi and XSS problems.

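```php
<?php
// Risky snippet as commonly copied: client-supplied headers are trusted
// before the real peer address. $_SERVER replaces $HTTP_SERVER_VARS,
// which was removed in PHP 5.4.
function getip() {
    if (!empty($_SERVER["HTTP_X_FORWARDED_FOR"])) {
        // X-Forwarded-For comes from the request and can be forged
        $ip = $_SERVER["HTTP_X_FORWARDED_FOR"];
    }
    elseif (!empty($_SERVER["HTTP_CLIENT_IP"])) {
        // Client-IP is also a request header
        $ip = $_SERVER["HTTP_CLIENT_IP"];
    }
    elseif (!empty($_SERVER["REMOTE_ADDR"])) {
        // REMOTE_ADDR is the only value taken from the connection itself
        $ip = $_SERVER["REMOTE_ADDR"];
    }
    elseif (getenv("HTTP_X_FORWARDED_FOR")) {
        $ip = getenv("HTTP_X_FORWARDED_FOR");
    }
    elseif (getenv("HTTP_CLIENT_IP")) {
        $ip = getenv("HTTP_CLIENT_IP");
    }
    elseif (getenv("REMOTE_ADDR")) {
        $ip = getenv("REMOTE_ADDR");
    }
    else {
        $ip = "Unknown";
    }
    return $ip;
}
```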

3.2 How to Defend against Malicious Third-party Software Packages

  1. Enterprises should build their own software sources (for PyPI, NPM, Godoc and so on), and these sources must synchronize from the official sources. A self-built internal source consolidates all package downloads into one place. Once a supply chain attack occurs, malicious third-party packages can be quickly deleted from the internal source to cut off their spread. The logs of the internal source also show which services use the malicious packages, so that the source can be traced quickly and losses stopped.
  2. Monitor each official source in real time and use a similarity algorithm to determine whether any package has a name similar or identical to an internal private package name. When such a package is found, use code analysis, machine learning and other methods to determine whether the package behaves maliciously.
  3. When synchronizing packages from the various software sources, scan them in real time, using either static scanning or dynamic sandbox scanning.
  4. Strengthen the sharing of information on vulnerabilities and hazards, develop the habit of internal code review, and avoid directly pasting malicious code.
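The name-similarity check in item 2 can be sketched as follows. This is an added example, not code from the original article or from WolfHunter: the name lists are constructed, the function names are hypothetical, and plain Levenshtein distance with a threshold of 2 stands in for whatever similarity algorithm a production monitor uses.

```python
import re

def normalize(name):
    """PEP 503 normalization so 'XX_Redis' and 'xx-redis' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

# Constructed sample data (assumptions for this example).
PRIVATE_NAMES = ["xx-redis"]              # internal-only package names
POPULAR_NAMES = ["requests", "pwntools"]  # well-known public packages
NEW_UPLOADS = ["request", "reqeusts", "XX_Redis", "xx-redls", "numpy", "requests"]

def classify(new_name, private_names, popular_names, max_distance=2):
    """Return ('same-name', target), ('similar-name', target) or None."""
    n = normalize(new_name)
    for p in private_names:
        if n == normalize(p):
            return ("same-name", p)       # public upload shadows a private name
    for p in list(private_names) + list(popular_names):
        d = edit_distance(n, normalize(p))
        if 0 < d <= max_distance:         # d == 0 is the legitimate package itself
            return ("similar-name", p)
    return None

def scan_uploads(uploads, private_names, popular_names):
    """Map each flagged upload to its finding, as input for deeper code analysis."""
    flagged = {}
    for name in uploads:
        result = classify(name, private_names, popular_names)
        if result:
            flagged[name] = result
    return flagged

if __name__ == "__main__":
    for name, hit in scan_uploads(NEW_UPLOADS, PRIVATE_NAMES, POPULAR_NAMES).items():
        print(name, "->", hit)
```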

Exclusive disclosure: 1200+ malicious packages found in open source package repositories

In May this year, Wuheng Lab used WolfHunter, its own detection tool for malicious third-party software packages, to scan open source package repositories, and found 1000+ malicious packages on the official PyPI source and 200+ malicious packages on the official NPM source. These packages mainly steal various kinds of sensitive information, open reverse shells, download Trojans remotely, and so on.

WolfHunter is a detection tool for malicious third-party software packages developed by Wuheng Lab. It combines static code scanning, dynamic sandbox scanning (ByteDance has open-sourced Elkeid HIDS), machine learning and other malicious code detection techniques.

The following describes the tracing process for a typical malicious package, rbperf.

On May 14, Wuheng Lab detected that an rbperf package had been uploaded to PyPI; it is a malicious reverse shell package.

Through tracing and continuous monitoring, the author ID of the rbperf package was identified as CH13FD357R0Y3r.

PyPI homepage:pypi.org/user/ch13fd…

Twitter homepage: twitter.com/Shanmuga_20…

Reddit homepage: www.reddit.com/user/ch13fd…

Malicious packages were also suspected to have been uploaded to PHP, but they have been deleted.

From May 14, 2021 to June 16, 2021, the attacker uploaded 7 malicious packages, involving 8 versions and 4 IOCs, with more than 1,000 downloads, affecting more than 30 countries and regions.

Packages: qlib_server, Proxy65, py-fbzMQ, dspltools, rbperf, OSXFrameworks, CalDAVTester

IOC: 13.233.214.229, 65.1.120.255, 3.108.43.183, 13.235.23.90

Specific information is as follows:

Analysis of the seven malicious packages shows that they let the attacker issue remote commands. All of these packages impersonate well-known open source software packages to induce more people to install them. For example, qlib_server imitates Microsoft/Qlib-server, a data service system. The specific forged details are as follows:

The following details how the qlib_server package triggers its malicious behavior. During installation of the qlib_server package, the malicious code in setup.py is loaded, connects to the remote C2, and then loops waiting for the remote C2 to issue commands, which it executes (the other packages are similar and are not described here).
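Because the behavior described above runs from setup.py at install time, a static pass over setup.py is a cheap first triage step when mirroring packages. The following is an added example, not WolfHunter's code or anything from the original article: the module and call lists are assumptions chosen for illustration, and the sample setup.py is constructed, parsed only and never executed.

```python
import ast

# Assumed heuristics: modules and calls that setup.py rarely needs.
RISKY_MODULES = {"socket", "subprocess", "ctypes"}
RISKY_CALLS = {"exec", "eval", "__import__", "os.system", "os.popen",
               "subprocess.Popen", "subprocess.call", "subprocess.run",
               "socket.socket", "socket.create_connection"}

# Constructed sample (203.0.113.10 is a documentation-only TEST-NET address).
SAMPLE_SETUP = '''\
import socket, subprocess
from setuptools import setup
conn = socket.create_connection(("203.0.113.10", 4444))
subprocess.call(["id"])
setup(name="demo-package", version="0.0.1")
'''

def dotted_name(node):
    """Rebuild 'a.b.c' from nested Attribute/Name nodes, or None if dynamic."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def scan_setup_source(source):
    """Return sorted (line, kind, name) findings for risky imports and calls."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in RISKY_MODULES:
                    findings.append((node.lineno, "import", alias.name))
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in RISKY_MODULES:
                findings.append((node.lineno, "import", node.module))
        elif isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in RISKY_CALLS:
                findings.append((node.lineno, "call", name))
    return sorted(findings)

if __name__ == "__main__":
    for line, kind, name in scan_setup_source(SAMPLE_SETUP):
        print(f"setup.py:{line}: {kind} {name}")
```

Findings from a pass like this are leads for sandbox or manual analysis, since legitimate packages also call subprocess from setup.py and obfuscated code can evade name matching.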

Malicious component package list

The following is a list of the malicious software packages discovered so far. We hope that you will check the dependency libraries used inside your company against the list, to avoid using these malicious packages internally and causing losses to the company. Some of the malicious packages have been deleted after we contacted the PyPI maintainers. For more details, the malicious packages can be downloaded from other sources.

bytedance.feishu.cn/sheets/SHTC… (Please copy the link to your browser to view it)

6. Follow-up plan

Currently, WolfHunter mainly supports scanning components on the PyPI and NPM sources. In the future, it will gradually support scanning of open source software repositories such as RubyGems, Godoc and Maven. In keeping with the principle of jointly building a security ecosystem, we will regularly publish the details of discovered malicious software packages so that readers can check them and protect their information assets.

7. Conclusion

Open source is of great significance to the development of software. Many enterprises have introduced open source third-party dependencies into their business to a greater or lesser extent, so that they can focus on developing the business itself. However, introducing third-party dependencies inevitably introduces the security vulnerabilities in the open source code, which can often deal a fatal blow to the business. As more and more third-party dependency vulnerabilities are disclosed, more and more enterprises are beginning to attach importance to the security of third-party dependencies.

Wuheng Lab is committed to safeguarding the business of the company and the industry, and the impact of third-party dependencies on business security is of the utmost importance. While testing the security of the third-party dependencies the company uses, Wuheng Lab also focuses on discovering undisclosed vulnerabilities and security risks in third-party dependencies, and will continue to share its research results with the industry to help enterprises avoid security risks. We also hope to cooperate with industry peers to contribute to the development of the network security industry.

If you would like to join Wuheng Lab, see: security.bytedance.com/security-la…

Reference links:

www.freebuf.com/news/257865…
medium.com/@alex.birsa…
www.aqniu.com/news-views/…
www.secrss.com/articles/28…