Supply chain attacks can exploit entry points in Python, npm, & other open-source ecosystems

Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software security headlines from around the world, curated by the team at ReversingLabs .

This week: Researchers discover that entry points across Python, npm, and other open-source platforms can be abused to stage software supply chain attacks. Also: A North Korea-sponsored group, ScarCruft, has been caught leveraging a zero-day flaw in Internet Explorer to infect targets with the RokRAT malware.

This Week’s Top Story

Supply chain attacks can exploit entry points in Python, npm, and other open-source ecosystems

Researchers at Checkmarx have discovered that entry points can be abused across multiple open-source repositories, including PyPI, npm, Ruby Gems, NuGet, Dart Pub, and Rust Creates to stage software supply chain attacks. The Python Packaging User Guide said entry points are “a mechanism for an installed distribution to advertise components it provides to be discovered and used by other code.” While this distribution feature is beneficial for improving modularity, it can also be abused to spread malware to unsuspecting users, Checkmarx warned.

One exploit is command-jacking, where counterfeit packages use entry points that impersonate popular third-party tools and commands. Bad actors then harvest sensitive information when developers install the package. Researchers found that the most widely-used third-party commands for command-jacking include npm, pip, git, kubectl, terraform, gcloud, heroku, and dotnet. Command-jacking can also involve threat actors using legitimate system command names as entry points to hijack the execution flow.?

Researchers said that command-jacking can become even more effective when using a stealthier tactic known as command-wrapping, where an entry point is created to act as a wrapper around the original command, rather than replacing it altogether. This approach is stealthy in that it silently executes the malicious code while also invoking the original, legitimate command. The malware then returns the results of the execution to the threat actors, all while flying under the radar to victims since “there’s no immediate sign of compromise,” the researchers noted.???

The third style of attack involves malicious plugins and extensions being created for developer tools that have the capability to gain broad access to the codebase itself. This gives the threat actors an opportunity to change program behavior or tamper with the testing process to make it seem as though the code is working as intended.?

(The Hacker News )

This Week’s Headlines

Malicious ads exploited Internet Explorer zero-day to drop malware

A new report by South Korea’s National Cyber Security Center (NCSC) and AhnLab (ASEC) details a newly discovered malicious campaign carried out this past May by the North Korean hacking group ScarCruft (AKA APT37, RedEyes). The campaign leverages a zero-day flaw in Internet Explorer to infect targets with the RokRAT malware, which exfiltrates data from victims. The flaw used is tracked as CVE-2024-38178 and is a high-severity confusion flaw in Internet Explorer, which Microsoft has since released a security update for. ScarCruft is known for its state-sponsored cyber espionage activities that have targeted organizations in South Korea and Europe, in addition to human rights activists and North Korean defectors. (Bleeping Computer )

Researchers uncover Hijack Loader malware using stolen code-signing certificates

Researchers at HarfangLab have disclosed a new malware campaign that delivers “Hijack Loader” artifacts that are signed with legitimate code-signing certificates, with the goal of deploying an information stealer known as Lumma to victims. Hijack Loader (AKA DOILoader, IDAT Loader, SHADOWLADDER), first spotted in September 2023, involves tricking users into downloading a bogus binary under the guise of pirated software or movies. Early cases of attack chains used DLL side-loading, but more cases have popped up in which attackers abuse signed binaries that are able to evade security software’s detection. Researchers assert with low to medium confidence that the code-signing certificates used were generated by the threat actors themselves, and were likely not stolen. "This research underscores that malware can be signed, highlighting that code signature alone cannot serve as a baseline indicator of trustworthiness,” HarfangLab’s researchers noted. All of the certificates used in the campaign have since been revoked. (The Hacker News )

CISA urges improvements in U.S. software supply chain transparency

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published the third edition of its “Framing Software Component Transparency,” a key document aimed at improving the clarity and usage of the Software Bill of Materials (SBOM). This latest version, developed by CISA’s SBOM Tooling & Implementation Working Group, introduces refined guidelines on SBOM creation and software component identification. The agency hopes that these updates will help organizations address the growing challenges of software supply chain transparency and security. The previous edition of the document was published in 2021, and this latest edition differs from its predecessor in that it further defines essential SBOM attributes into three categories: minimum expected, recommended practices and aspirational goals. The goal: A clear framework for managing the tracking of software components. (Infosecurity Magazine )

Supply chain vulnerabilities are facilitating a surge in ransomware

According to new research from OpenText, nearly two-thirds (62%) of small and medium-sized businesses (SMBs) experienced ransomware through software supply chain partners. Due to this increase in attacks on enterprise consumers of third-party software, the study also found that 90% of SMBs plan to increase their collaboration with software vendors to bolster security. However, that might not be the happy ending it sounds like. That’s because nearly half (49%) of those surveyed are concerned enough to consider changing software vendors over the problem. (Tech Radar )

The strategic use of attack trees in cybersecurity

AppSec expert and leader Derek Fisher explains how attack trees, a graphical representation that provides early views of various attack paths, can be used as a rapid solution within the greater context of threat modeling. Fisher points out that while a full-fledged threat modeling program is essential, it can be time consuming and difficult to perform quickly, which is why attack trees should serve in tandem with threat modeling processes. He explains that attack trees “focus on illustrating potential threat scenarios in a hierarchical manner, breaking down from a primary malicious activity into sub-goals and strategies employed by adversaries.” Fisher stresses that this tool should serve as a critical part of identifying threats early in the software development lifecycle. (Derek Fisher )

For more insights on software supply chain security, see the RL Blog .?

The Best of RL

Webinar | The Survival Guide to Managing Third-Party Software Risk

October 24 at 12 pm ET

Despite mature practices for securing internally-developed software, third-party software risk management (TPSRM) remains a nebulous function that lacks proper ownership and scalable methods. In this session, we’ll dive into the people, process and technology needed to build a scalable TPSRM program. [Register Here ]

Webinar | Supercharge Threat Modeling with Software Supply Chain Security

October 29 at 12 pm ET

The better the data, the better the threat modeling. That’s where modern software supply chain security comes in. Chris Romeo , co-founder and CEO of devici joins RL’s Josh Knox and Paul Roberts for a discussion about marrying threat modeling operations with modern SSCS to modernize it for the next generation of threats coming from software supply chains. [Register Here ]?

Webinar | Learn How to Find ALL the Ghosts in Your Software Supply Chain with Spectra Assure

October 31 at 12 pm ET

This Halloween, join us for an interactive and engaging demo of Spectra Assure, RL’s software supply chain security solution. Save your seat now to learn how Spectra Assure can spot all of the frightening threats lurking in the software you build or buy. Let’s bust some ghosts and secure your software supply chain, together! [Register Here ]

For more great conversations to watch, see RL’s on-demand webinar library .?