T0159 - Malicious artifact execution

Malicious artifact execution is an attack in which an attacker injects malicious code into a software component, or modifies an existing component to carry it, so that the code runs when a downstream system in the CI/CD process uses the component. When a CI/CD process lacks sufficient mechanisms to validate the integrity of code and artifacts, attackers can insert malicious code that appears to be harmless. The code then passes through the pipeline undetected and can be executed, and cause harm, in the CI/CD process or even in production.

ID: T0159
Type: Technique
Tactic: Execution
Summary: Malicious artifact execution
State: draft

Mitigations

ID: M1590
Type: Mitigation
Summary: Implement artifact signing and verification
Description: Artifact signing and verification can help prevent malicious actors from injecting or modifying software components with malicious code in the software supply chain. Only components that are signed and verified are allowed to proceed to the next stage of the CI/CD process, ensuring that only trusted components are used in the development and delivery of software applications.

ID: M1591
Type: Mitigation
Summary: Validate dependencies
Description: Validate every dependency of the pipeline before use, to ensure that it is trusted and has not been infected by a malicious actor (e.g., the Codecov incident). This can be accomplished by comparing the checksum of the dependency to its checksum in a trusted source. A difference is a sign that an unknown actor has interfered and may have added malicious code. If such a dependency is used, it will infect the environment, which could end in a massive breach and leave the organization exposed to data leaks, etc.

ID: M1660
Type: Mitigation
Summary: Isolate pipeline for unreviewed code
Description: Ensure that pipelines running unreviewed code are executed on isolated nodes that are not exposed to secrets or sensitive environments. For sensitive pipelines, for example those that are exposed to secrets, ensure that each branch configured to trigger a pipeline in the CI system has a corresponding branch protection rule in the SCM. Each pipeline should only have access to the credentials it needs to fulfill its purpose, and those credentials should have the minimum required privileges.

ID: M1662
Type: Mitigation
Summary: Evaluate pipeline execution permissions
Description: Evaluate the need for triggering pipelines on public repositories from external contributors. Where possible, refrain from running pipelines originating from forks, and consider adding controls such as requiring manual approval for pipeline execution.
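
The checksum comparison described in M1591, as an added example (not code from this page or from any project it references): a fail-closed gate that checks every file in a dependency directory against pinned SHA-256 values in the two-column format written by sha256sum. The file names, file contents and function names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

HEX = set("0123456789abcdef")


def sha256_file(path):
    """Hash in chunks so large artifacts are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_pins(manifest):
    """Parse pinned lines of the form '<64 hex chars>  <file name>'."""
    pins = {}
    for line in filter(str.strip, manifest.splitlines()):
        digest, _, name = line.partition("  ")
        digest = digest.lower()
        if len(digest) != 64 or set(digest) - HEX or not name or name in pins:
            raise ValueError(f"malformed or duplicate pin: {line!r}")
        pins[name] = digest
    return pins


def verify_dependencies(dep_dir, pins):
    """Return a list of problems; an empty list means every file matched."""
    present = {p.name for p in dep_dir.iterdir() if p.is_file()}
    # Fail closed: a file without a pin is rejected, not silently trusted.
    problems = [f"{n}: no pinned checksum" for n in sorted(present - set(pins))]
    for name, expected in sorted(pins.items()):
        if name not in present:
            problems.append(f"{name}: pinned but missing")
        elif sha256_file(dep_dir / name) != expected:
            problems.append(f"{name}: checksum mismatch")
    return problems


def demo():
    """Constructed sample: one file is altered and one added after pinning."""
    with tempfile.TemporaryDirectory() as tmp:
        deps = Path(tmp)
        (deps / "uploader.sh").write_bytes(b"echo upload coverage\n")
        (deps / "libfoo.tar").write_bytes(b"constructed archive bytes")
        pins = parse_pins("".join(f"{sha256_file(p)}  {p.name}\n" for p in deps.iterdir()))
        (deps / "uploader.sh").write_bytes(b"echo upload coverage; echo altered\n")
        (deps / "extra.bin").write_bytes(b"unpinned")
        return verify_dependencies(deps, pins)
```

A pipeline step would fail the job whenever the returned list is non-empty; the pinned manifest has to come from the trusted source M1591 refers to, not from the same location as the dependency it describes.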

Detections

ID: D1510
Type: Detection
Summary: Implement Intrusion Detection System and anti-malware
Description: An intrusion detection system (IDS) is a security tool designed to detect and alert on unauthorized access to a computer system or network. Implementing an IDS together with anti-malware software can help to identify and block malicious activity. An IDS is a critical security tool that helps organizations detect and respond to security incidents in a timely manner. By providing real-time monitoring and analysis of network traffic, it can help organizations stay ahead of potential threats and reduce the risk of a security breach.

ID: D1590
Type: Detection
Summary: Implement continuous monitoring and logging of the CI/CD process
Description: Continuous monitoring and logging of the CI/CD process can help organizations detect unusual activities or deviations from the standard workflow. This can include monitoring the pipeline for unusual resource requests or unauthorized access attempts, as well as analyzing logs for unusual activity that may indicate a potential security breach. By establishing a baseline of normal behavior and regularly comparing it to current activity, organizations can quickly identify and respond to anomalous behavior. Automated alerts and notifications for suspicious activity can also help security teams respond promptly to potential threats.

References

  1. https://about.codecov.io/security-update/
  2. https://www.legitsecurity.com/blog/artifact-poisoning-vulnerability-discovered-in-rust
  3. https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-09-Improper-Artifact-Integrity-Validation