T0121 - Compromised legitimate artifact

A compromised legitimate artifact attack is a type of cyber attack in which an attacker replaces a legitimate package or container image with a malicious version, often without the knowledge of the original developer or distributor. This attack takes advantage of the trust that users place in legitimate packages or container images, which are often used to deploy software across multiple environments. In this attack, the attacker may gain access to the repository or registry where the legitimate artifact is stored, either by exploiting a vulnerability or through social engineering tactics. The attacker then replaces the legitimate artifact with a malicious version that contains malware or other harmful code. Once the compromised artifact is downloaded and deployed, it can compromise the system and potentially cause significant harm, such as stealing sensitive data or taking control of the system.

ID: T0121
Type: Technique
Tactic: Resource Development
Summary: Compromised legitimate artifact
State: draft

Mitigations

id

type

summary

description

M1500
Mitigation
Verify third-party artifacts and open-source libraries
Verify third-party artifacts used in code are trusted and have not been infected by a malicious actor before use. This can be accomplished, for example, by comparing the checksum of the dependency to its checksum in a trusted source. If a difference arises, this may be a sign that someone interfered and added malicious code. If this dependency is used, it will infect the environment and could end in a massive breach, leaving the organization exposed to data leaks and more.
M1502
Mitigation
Define trusted package managers and repositories
When pulling a package by name, the package manager might look for it in several package registries, some of which may be untrusted or badly configured. If the package is pulled from such a registry, there is a higher likelihood that it could prove malicious. In order to avoid this, configure packages to be pulled from trusted package registries.
M1503
Mitigation
Implement SCA analysis
Component Analysis is the process of identifying potential areas of risk from the use of third-party and open-source software and hardware components. The best option for implementing SCA analysis is integration of SCA analysis tools into your CI/CD environment in order to scan your source code dependencies before the release.
M1730
Mitigation
Implement code reviews
Code reviews are a valuable tool for improving code quality, reducing technical debt, and ensuring the security and reliability of software applications. Most crucial changes should be reviewed and validated to ensure there are no any security risks. Code reviews can identify defects and vulnerabilities in the code before it's deployed, reducing the likelihood of security breaches, system failures, and other issues. Require code reviews for any changes to source code or configuration files, especially for those affecting the CI/CD pipeline.
M1732
Mitigation
Implement code scanning for security risks
Scanning pull requests to detect risks allows for early detection of vulnerable code and/or dependencies and helps mitigate potentially malicious code. For every repository in use, enforce risk scanning on every pull request.
M1860
Mitigation
Implement strong authentication mechanisms
Authentication is the process of verifying the identity of a user or entity accessing the SCM system. Strong authentication typically involves using multiple factors to verify the user's identity, beyond just a username and password. This may include factors such as something the user knows (e.g., password), something the user has (e.g., smart card or token), and something the user is (e.g., biometric data like fingerprint or facial recognition). Multi-factor authentication (MFA) can significantly enhance the security of SCM systems by adding an additional layer of protection against unauthorized access.
M1861
Mitigation
Implement strong authorization mechanisms
Strong authorization ensures that users only have access to the resources and actions that are necessary for their job functions and responsibilities, and nothing more. This can be achieved through proper access controls, such as role-based access control (RBAC) or attribute-based access control (ABAC), which define fine-grained permissions and privileges for users, groups, and repositories in the SCM system. Regularly review user permissions and remove all unnecessary permissions for specific users.

Detections

id

type

summary

description

D1090
Detection
Implement package or image integrity verification
Implement mechanisms to verify the integrity of packages or container images downloaded from public registries, such as digital signatures, checksums, or hash values. Compare the downloaded packages or images against trusted sources to ensure that they have not been tampered with during the upload process.
D1500
Detection
Configure monitoring of used artifacts and open-source libraries
Implement regular scanning of used artifacts and open-source libraries for known vulnerabilities. Set up monitoring of reported issues based on regular scanning results.
D1510
Detection
Implement Intrusion Detection System and anti-malware
An intrusion detection system (IDS) is a security tool designed to detect and alert on unauthorized access to a computer system or network. Implementing intrusion detection systems (IDS) and anti-malware software can help to identify and block malicious activity. IDS is a critical security tool that helps organizations to detect and respond to security incidents in a timely manner. By providing real-time monitoring and analysis of network traffic, IDS can help organizations to stay ahead of potential threats and reduce the risk of a security breach.

References

  1. https://www.legitsecurity.com/blog/why-you-can-still-get-hacked-even-after-signing-your-software-artifacts
  2. https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-09-Improper-Artifact-Integrity-Validation