T0191 - Malicious code in artifacts

Artifacts are the build outputs an organization consumes or ships: packages, libraries, container images, installers. By inserting malicious code into such an artifact, an attacker reaches every downstream customer who uses it, and can steal sensitive information, disrupt operations, or take control of affected systems. Because the malicious code is embedded in a seemingly legitimate component, it is hard to detect and remove, which makes this class of supply chain attack particularly dangerous and challenging to defend against. The attacker's goal is to spread the malware to as many targets as possible while remaining undetected for as long as possible.

ID: T0191
Type: Technique
Tactic: Impact
Summary: Malicious code in artifacts
State: draft

Mitigations

ID: M1500
Type: Mitigation
Summary: Verify third-party artifacts and open-source libraries
Description: Verify that third-party artifacts used in code are trusted and have not been tampered with by a malicious actor before use. For example, compare the checksum of the dependency against the checksum published by a trusted source; a difference may be a sign that someone interfered and added malicious code. Using such a dependency anyway infects the environment and can end in a large breach, leaving the organization exposed to data leaks and more.

ID: M1502
Type: Mitigation
Summary: Define trusted package managers and repositories
Description: When pulling a package by name, the package manager may search several registries, some of which may be untrusted or badly configured, and a package served from such a registry is more likely to be malicious. Configure package managers to pull only from trusted registries, and pin the resolved registry and hash in a lockfile so that a later build cannot silently resolve the same name from somewhere else.

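As an added example (not code from the original page or from the framework this entry belongs to), the following Python script checks both M1500 and M1502 at once for an npm-style lockfile: every package must resolve from a registry in an assumed allowlist, and the bytes actually fetched must match the lockfile's integrity hash, compared in constant time. The lockfile, the fake tarball bytes and the TRUSTED_REGISTRIES allowlist are all constructed for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse

# Registries an artifact may legitimately be resolved from (M1502). Assumed allowlist.
TRUSTED_REGISTRIES = {"registry.npmjs.org"}
# Digest algorithms accepted in integrity strings; sha1/md5 are rejected as weak.
STRONG_ALGORITHMS = {"sha256", "sha384", "sha512"}


def integrity_for(data: bytes, algorithm: str = "sha512") -> str:
    """Build an SRI-style integrity string ('sha512-<base64 digest>') for an artifact."""
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def check_entry(name: str, entry: dict, downloaded: bytes) -> list[str]:
    """Return findings for one lockfile entry; an empty list means the artifact is acceptable."""
    findings = []

    # M1502: the artifact must come from a registry we trust.
    host = urlparse(entry.get("resolved", "")).hostname
    if host not in TRUSTED_REGISTRIES:
        findings.append(f"untrusted registry: {host}")

    # M1500: the fetched bytes must match the pinned checksum, using a strong algorithm.
    integrity = entry.get("integrity", "")
    algorithm, sep, expected_b64 = integrity.partition("-")
    if not sep or algorithm not in STRONG_ALGORITHMS:
        findings.append(f"weak or missing integrity: {integrity or '<none>'}")
        return findings

    expected = base64.b64decode(expected_b64)
    actual = hashlib.new(algorithm, downloaded).digest()
    if not hmac.compare_digest(expected, actual):  # constant-time comparison
        findings.append(f"integrity mismatch for {name} ({algorithm})")
    return findings


def audit(lockfile: dict, fetched: dict[str, bytes]) -> dict[str, list[str]]:
    """Audit every package in a package-lock style 'packages' map against the bytes actually fetched."""
    return {
        name: check_entry(name, entry, fetched.get(name, b""))
        for name, entry in lockfile["packages"].items()
    }


# Constructed sample: fake tarball contents and a lockfile that pins them.
GOOD_A = b"tarball bytes of pkg-a 1.0.0"
GOOD_B = b"tarball bytes of pkg-b 2.3.1"
GOOD_C = b"tarball bytes of pkg-c 0.9.0"

SAMPLE_LOCK = {
    "packages": {
        "node_modules/pkg-a": {
            "resolved": "https://registry.npmjs.org/pkg-a/-/pkg-a-1.0.0.tgz",
            "integrity": integrity_for(GOOD_A),
        },
        "node_modules/pkg-b": {
            "resolved": "https://registry.npmjs.org/pkg-b/-/pkg-b-2.3.1.tgz",
            "integrity": integrity_for(GOOD_B),
        },
        "node_modules/pkg-c": {
            # Resolved from a host outside the allowlist (hypothetical mirror).
            "resolved": "https://npm.mirror.example/pkg-c/-/pkg-c-0.9.0.tgz",
            "integrity": integrity_for(GOOD_C),
        },
        "node_modules/pkg-d": {
            # Pinned with sha1, which this policy does not accept.
            "resolved": "https://registry.npmjs.org/pkg-d/-/pkg-d-1.0.0.tgz",
            "integrity": "sha1-" + base64.b64encode(hashlib.sha1(b"x").digest()).decode("ascii"),
        },
    }
}

# What the build actually downloaded: pkg-b has been swapped for a tampered tarball.
FETCHED = {
    "node_modules/pkg-a": GOOD_A,
    "node_modules/pkg-b": GOOD_B + b"\n# injected payload",
    "node_modules/pkg-c": GOOD_C,
    "node_modules/pkg-d": b"x",
}

if __name__ == "__main__":
    for pkg, findings in audit(SAMPLE_LOCK, FETCHED).items():
        print(pkg, "OK" if not findings else "; ".join(findings))
```

Package managers already do part of this (npm ci verifies integrity fields, pip honours --require-hashes and --index-url); the value of an independent gate like this one is that it runs on the bytes that actually reached the build host and fails the build on both an unexpected registry and a hash mismatch, rather than trusting the tool's default resolution order.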
ID: M1503
Type: Mitigation
Summary: Implement SCA analysis
Description: Software Composition Analysis (SCA) is the process of identifying risk arising from the third-party and open-source software and hardware components a product uses. The most effective way to implement it is to integrate SCA tooling into the CI/CD pipeline so that source code dependencies are scanned before each release and the build fails on components that are known to be malicious or vulnerable.

ID: M1720
Type: Mitigation
Summary: Implement regular patches and updates
Description: Regular patches and updates improve the security, performance, and reliability of software and systems. They include bug fixes, security updates, and performance improvements, keep systems compatible with new technologies, and help maintain compliance with regulatory standards. Failing to install them leaves systems vulnerable to known threats, can cause failures or crashes, and limits functionality.

ID: M1730
Type: Mitigation
Summary: Implement code reviews
Description: Code reviews are a valuable tool for improving code quality, reducing technical debt, and ensuring the security and reliability of software applications. Changes to critical components should be reviewed and validated to ensure they introduce no security risks. Reviews can identify defects and vulnerabilities before code is deployed, reducing the likelihood of security breaches, system failures, and other issues. Require code reviews for any change to source code or configuration files, especially those affecting the CI/CD pipeline.

Detections

ID: D1260
Type: Detection
Summary: Implement regular security audit and review
Description: Conduct regular security audits and vulnerability assessments of your build systems, artifact repositories and their configurations to identify and address misconfigurations or weaknesses that could allow an attacker to tamper with artifacts. This includes reviewing access controls, encryption settings, and other security configurations to ensure they are aligned with best practices and organizational security policies.

ID: D1261
Type: Detection
Summary: Implement penetration testing
Description: Penetration testing, also known as ethical hacking, is a proactive approach to mitigating cybersecurity risk. It simulates real-world attacks on a system, network, or application in a controlled and authorized manner to identify vulnerabilities and weaknesses that a malicious actor could exploit.

ID: D1262
Type: Detection
Summary: Implement vulnerability assessment
Description: Vulnerability assessment is a proactive approach to mitigating cybersecurity risk by systematically identifying, evaluating, and prioritizing vulnerabilities in a system, network, or application. It involves conducting regular assessments to find weaknesses that attackers could exploit and taking appropriate action to remediate or mitigate them.

References

  1. https://en.wikipedia.org/wiki/2020_United_States_federal_government_data_breach
  2. https://jfrog.com/blog/detecting-known-and-unknown-malicious-packages-and-how-they-obfuscate-their-malicious-code/
  3. https://www.legitsecurity.com/blog/why-you-can-still-get-hacked-even-after-signing-your-software-artifacts