Join Us:
https://www.linkedin.com/company/application-security-virtual-meetups
THE LATEST AND GREATEST
SUPPLY CHAIN SECURITY
INCIDENTS
Who Am I?
Yoad Fekete
• A DevOps enthusiast turned avid DevSecOps supporter.
• Formerly at Prime Minister's Office Elite Unit, Samsung Next, Microsoft.
• Founded next-gen SCA company Myrror Security.
• Cat-lover (yes, dogs as well).
• Musician, when life allows.
• Weird last name (which means "black" in Hungarian).
What's a Software Supply Chain Attack?
“Attacks that allow the adversary to utilize implants or other vulnerabilities inserted prior to installation in order to infiltrate data, or manipulate information technology hardware, software, operating systems, peripherals (information technology products) or services at any point during the life cycle.”
Source: NIST CSRC https://csrc.nist.gov/glossary/term/supply_chain_attack
Supply Chain Attacks are on the Rise
742% YoY Increase In Attacks (State of the Software Supply Chain Report)
Main Reasons:
• Decreased efficacy of network perimeter attacks
• Increased OSS Usage (>90% of companies use OSS)
Vulnerability vs. Supply Chain Attack
A vulnerability:
• A non-deliberate mistake (aside from very specific sophisticated attacks)
• Identified by a CVE
• Recorded in public databases
• Defense possible before exploitation
• Includes both regular vulns and zero-day ones
Example: Log4Shell is a vulnerability
A supply chain attack:
• A deliberate malicious activity
• Lacks specific CVE identification
• Untracked by standard SCAs and public DBs
• Typically already attempted to be exploited
Example: SolarWinds is a supply chain attack
Software Supply Chain Attack Types
• Maintainer Compromise
• Typosquatting
• Distribution Attack
• Malicious Code in Repo
• CI/CD Attacks
• Dependency Confusion
Malicious code in the Repo
Typosquatting
[Diagram labels: Developer; Dependencies; “falsk”]
Dependency Confusion
The malicious 'torchtriton' package, which compromised the PyTorch machine learning framework, was observed to have been downloaded over 2,300 times during the period it was available on the Python Package Index (PyPI).
[Diagram labels: Developer; Artifact Server; my-company-utils v99.99.99]
$ npm install my-company-utils
installing version v99.99.99...
Dog Attack
Sami, our office dog, stole food out of the trash-bin, causing Myrror’s employees to spend 15 minutes on incident response
CI/CD Attacks
[Diagram labels: UNC4736; Trading Technologies X_TRADER software package; 3CX; 3CX Desktop App; Victims]
Distribution Server Attack
[Diagram labels: UNC4899; Spearphish; JumpCloud Environment; Internal Orchestration System; Commands Framework; Ruby script; Customer Environment; CDN; Victim; STRATOFEAR; FULLHOUSE.DOORED; TIEDYE]
Maintainer Compromise
[Diagram labels: Spear-phishing; Ledger; add malicious code to @ledgerhq/connect-kit; Publish; Code Libs&SDK; Dapps dev.; Integrate; dApps; @ledgerhq/connect-kit-loader; Load; @ledgerhq/connect-kit; Users; 7,854,949]
Demo
Questions?
Supply Chain Security - From Product
Security Point Of View
Agenda
▪ The Software Supply Chain Security problem
▪ Software Supply Chain Attacks
▪ Introduction to SLSA
▪ SLSA Levels and Threats
▪ Code dependencies - what's the problem?
▪ SLSA Gap for consumers and S2C2F
▪ SLSA Build stage - what's the problem?
▪ SLSA is NOT an SSDLC Framework!
▪ Malicious Packages - How to prevent
▪ Summary and Gaps
Software Supply Chain
Attack Flows - What’s Wrong With My CI/CD?
▪ Malicious Packages
▪ 3rd Party Packages with known vulnerabilities
▪ Compromised source
▪ Pulling from untrusted repository
Software Supply Chain Attacks
A technique in which an adversary slips malicious code or an entire malicious component into a trusted piece of software or hardware.
▪ In modern software development, applications integrate 3rd party code (which is a good practice!)
▪ Applications trust the 3rd party to supply secure code
▪ In reality this practice involves some danger
○ Vulnerabilities
○ Malicious code
▪ These issues affect all end products that depend on the 3rd party code
Software Supply Chain Attacks
Why would an attacker go for this approach?
▪ High spread attack
▪ Low effort compared to an exploitation of a vulnerability
▪ Low technical skills required
▪ There is a trust in the relationship between parties that can be abused
Software Supply Chain Threat Types
▪ Unintentional Vulnerability - Security bug (CVEs)
▪ Intentional Vulnerability - Backdoor (CVEs)
▪ Malicious Components - Malicious payload code (Not a CVE)
Real life examples
Unintentional bug (CVE) caused by an OSS vendor
Intentional backdoor (CVE) caused by attacker or vendor
Malicious component (A CVE is usually not assigned)
SLSA Frameworks
Project SLSA - “Bird Eye View”
It's all about Provenances
DSSE
▪ Problems with JWT and TUF signatures
▪ Not just JSON
▪ No need for canonicalization
▪ Supports a PAE (Pre-Auth-Encoding)
{'payload': 'SGVsbG8gMTIz',
 'payloadType': 'http://example.com/testing',
 'signatures': [{'keyid': '2a7141d6',
                 'sig': 'i16opxQrAEnXJ7x9kTWYd2LtZwEoRQqhYEvxoexvj2/tKXX6DZE8cbQ3eEGb8ZtuWcMk2LjDLyhpQ2BSGcwQnA=='}]}
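An added example (not from the talk or the DSSE project) of what the PAE does: the signature covers the payload type together with the payload bytes, so no JSON canonicalization is needed and the type cannot be swapped after signing. It uses the slide's payload and payloadType as sample input; the HMAC "signature", the key and the key id are stand-in assumptions so the block runs with the standard library only (real DSSE envelopes carry asymmetric signatures).

```python
import base64
import hashlib
import hmac


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding:
    "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body
    LEN is the byte length in ASCII decimal, SP is a single space."""
    t = payload_type.encode("utf-8")
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def _mac(key: bytes, message: bytes) -> bytes:
    # Stand-in for a real signature scheme (assumption made for this example).
    return hmac.new(key, message, hashlib.sha256).digest()


def sign_envelope(payload_type: str, payload: bytes, keyid: str, key: bytes,
                  use_pae: bool = True) -> dict:
    """Build an envelope shaped like the one on the slide.
    use_pae=False signs the raw payload only, to show what PAE prevents."""
    message = pae(payload_type, payload) if use_pae else payload
    return {
        "payload": base64.b64encode(payload).decode("ascii"),
        "payloadType": payload_type,
        "signatures": [{"keyid": keyid,
                        "sig": base64.b64encode(_mac(key, message)).decode("ascii")}],
    }


def verify_envelope(envelope: dict, trusted_keys: dict, use_pae: bool = True) -> bytes:
    """Return the payload if one signature from a trusted key verifies, else raise."""
    payload = base64.b64decode(envelope["payload"])
    message = pae(envelope["payloadType"], payload) if use_pae else payload
    for entry in envelope["signatures"]:
        key = trusted_keys.get(entry["keyid"])
        if key is None:
            continue  # unknown key id: ignore, never trust
        if hmac.compare_digest(_mac(key, message), base64.b64decode(entry["sig"])):
            return payload
    raise ValueError("no valid signature from a trusted key")


# Constructed demo key material (hypothetical key id and secret).
DEMO_KEYS = {"demo-key": b"constructed-demo-secret"}
SLIDE_TYPE = "http://example.com/testing"
SLIDE_PAYLOAD = base64.b64decode("SGVsbG8gMTIz")  # payload field from the slide

if __name__ == "__main__":
    print(pae(SLIDE_TYPE, SLIDE_PAYLOAD))
    env = sign_envelope(SLIDE_TYPE, SLIDE_PAYLOAD, "demo-key", DEMO_KEYS["demo-key"])
    print(verify_envelope(env, DEMO_KEYS))
    env["payloadType"] = "application/x-other"  # type swapped after signing
    try:
        verify_envelope(env, DEMO_KEYS)
    except ValueError as exc:
        print("rejected:", exc)
```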
Project SLSA - Current Status
Dependencies Attacks
Infection methods - Typosquatting
Infection methods - Dependency confusion
From the blog “Malicious npm Packages Are After Your Discord Tokens – 17 New Packages Disclosed”
https://jfrog.com/blog/malicious-npm-packages-are-after-your-discord-tokens-17-new-packages-disclosed/
Infection methods - Hijacking
▪ Taking over a legitimate known package and pushing malicious code into it
▪ Possible hijacking techniques:
○ Using hacked maintainers’ accounts
○ Injecting hidden or obfuscated malicious code as part of a seemingly legitimate code contribution
▪ A notable example - “ua-parser-js” package:
SLSA Recommendation for Dependencies
Start from “Left”: Do not accept malicious package!
Secure Supply Chain Consumption Framework
What is “Curation”?
President Biden's Executive Order - Software Supply Chain Security
SBOM Check (3rd Party Packages) - Transitive Dependencies Issue
Build Stage - Isolate or not Isolate?
▪ Connecting back to the attacker’s server
▪ Receiving commands to execute
▪ Sending back the execution results to the server
▪ Most packages use HTTPS, some employ custom encryption on top of HTTPS
From “hpid/hipid” malicious packages payload code
Common payloads - Sensitive data stealers
● Stealing environment variables
Common payloads - Full RAT / Backdoor
▪ Combines many of the above “features” (download + exec, upload, modular…)
▪ May contain a persistent backdoor (survives reboot)
▪ Usually based on an OSS tool
○ Custom RAT is a very strong indicator of a targeted attack (rare)
Build Stage - The Problem
▪ SLSA Requirements (Threat ‘E’ Compromised build Process):
Build Stage - The Problem
▪ “Warm” setup for CI steps
▪ Only validate provenance signed by trusted control plane (trusted source)
▪ Cannot prevent or block a malicious package from being propagated to CI (potentially to production)
▪ What about packages with Critical CVEs?
▪ Bottom Line - Build Stage protection might be too late against specific attacks :(
And What About Security Scanners?
SSDLC In Organization and SLSA
Detecting malicious packages
Detecting known malicious packages
▪ Scanning the project’s dependencies
▪ Detecting installed software and versions (SBoM)
▪ Fetching security information from public repositories
○ Problem - Not all repositories save historical data!
■ PyPI - malicious packages are being removed
■ npm - malicious packages are replaced with dummy code
▪ Solution - use a software composition analysis (SCA) tool that detects malicious packages - JFrog Xray
■ Security auditing tools report vulnerabilities only
Detecting a malicious package using Xray
Detecting unknown malicious packages
▪ Automatic heuristic scanners we use in JFrog Xray
○ Tested on real data (npm/PyPI) and allowed us to disclose 630+ packages
○ Infection methods detectors
■ Typosquatting - similarity between names
■ Masquerading
■ Dependency confusion
■ DNS generation
○ Payloads detectors
■ Download and execute
■ Dynamic code evaluation
■ Shell spawning
■ Sensitive files read/write
○ Obfuscation techniques detectors
Best practices for secure development
▪ Use a software composition analysis (SCA) tool as part of your SDLC - JFrog Xray
▪ Define policies and automate actions as part of a DevSecOps process - JFrog Xray
▪ Other useful practices
○ Configure your build system to exclude remote repos for internal packages
■ https://jfrog.com/blog/going-beyond-exclude-patterns-safe-repositories-with-priority-resolution/
○ Use strict versions for external dependencies for every build
■ https://docs.npmjs.com/cli/v8/configuring-npm/package-lock-json
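An added example (not from the talk or from any JFrog tool) of checking the two practices above in CI: it audits a package-lock.json for internal package names that resolved from a foreign registry (the dependency-confusion symptom, as with my-company-utils v99.99.99 earlier in the deck), for unpinned version ranges, and for missing integrity hashes. The lock file content, the internal registry host npm.internal.example and the finding labels are constructed assumptions.

```python
import json
import re
from urllib.parse import urlparse

# An exact semver such as 1.4.0 or 1.4.0-rc.1; ranges (^, ~, *, tags) do not match.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")

# Constructed package-lock.json (lockfileVersion 3 layout); integrity values are placeholders.
SAMPLE_LOCK = json.loads("""
{
  "name": "shop-frontend",
  "lockfileVersion": 3,
  "packages": {
    "": {
      "name": "shop-frontend",
      "dependencies": {"lodash": "4.17.21", "my-company-utils": "^1.4.0", "left-pad": "1.3.0"}
    },
    "node_modules/lodash": {
      "version": "4.17.21",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      "integrity": "sha512-CONSTRUCTED-PLACEHOLDER"
    },
    "node_modules/my-company-utils": {
      "version": "99.99.99",
      "resolved": "https://registry.npmjs.org/my-company-utils/-/my-company-utils-99.99.99.tgz",
      "integrity": "sha512-CONSTRUCTED-PLACEHOLDER"
    },
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"
    }
  }
}
""")


def audit_lock(lock: dict, internal_names: set, internal_host: str) -> list:
    """Return (package, issue) findings for a parsed package-lock.json."""
    findings = []
    packages = lock.get("packages", {})

    # 1. Declared ranges in the root project: anything but an exact version can float.
    for name, spec in packages.get("", {}).get("dependencies", {}).items():
        if not EXACT_VERSION.match(spec):
            findings.append((name, "range-not-pinned"))

    for path, meta in packages.items():
        if path == "" or meta.get("link"):
            continue  # root project or a workspace symlink
        # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]

        # 2. Without an integrity hash the tarball content is not locked.
        if not meta.get("integrity"):
            findings.append((name, "missing-integrity"))

        # 3. An internal name must only ever come from the internal registry.
        host = urlparse(meta.get("resolved", "")).hostname
        if name in internal_names and host != internal_host:
            findings.append((name, "internal-from-foreign-registry"))

    return sorted(findings)


if __name__ == "__main__":
    for pkg, issue in audit_lock(SAMPLE_LOCK, {"my-company-utils"}, "npm.internal.example"):
        print(f"{issue:32} {pkg}")
```

Failing the build on any finding keeps a confused or floating dependency from reaching the build stage at all.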
Best practices for secure development
▪ Leverage open source tools
○ pypi-scan for typosquatting detection - https://github.com/IQTLabs/pypi-scan
○ piproxy - https://jfrog.com/blog/python-wheel-jacking-in-supply-chain-attacks/
○ Dependency confusion checker - https://github.com/visma-prodsec/confused
○ jfrog-npm-tools - https://github.com/jfrog/jfrog-npm-tools
■ npm-secure-install - validates versions lockdown
■ package-checker - detects the safest package version to use
■ npm_issues_statistics - analyzes GitHub issues and alerts on unusual activity
○ npm-domain-check - https://github.com/jfrog/npm_domain_check
■ Detect your npm dependencies that can be hijacked with domain takeover
Summary
▪ Supply Chain Security - Important!
▪ SLSA is not an SSDLC framework, but completes it
▪ First Tower - prevent “bad” packages from being pulled by developers or the build process
▪ Second Tower - Isolate build environment (Dependency Resolution)
Questions?
Supply Chain Risk Mitigation
in Web 2.0 & Web3
Connecting Both Worlds Securely
Shiran Kleiderman,
Co-founder & CEO
shiran@xplorisk.com
These are
DeFi-ning Times
The Opportunity
Financial & Productivity R/Evolution
TradFi CeFi DeFi
Compliant. Secure. Stable. Scalable
On Our Way to Decentralization
Centralized
Software
The Rise of Social Media
(Web 2.0)
Giving Power Back to the
People (Web 3)
On-prem, Cloud;
Android, iOS, MS;
Web Server
Distributed;
Ethereum, Cardano;
IPFS, P2P
Global & Unconditional Access to
Financial Services
Purchase of
Crypto
Earn Rewards / Yield Loans Swap
And many more advanced
financial instruments
*Not Financial Advice
Web3 Environments are Diverse
Client
Mobile/Web
Apps + APIs
Custodians
Additional
Sources &
Counterparties
On & Off Ramp
Services
Exchanges DeFi
Staking
OTC Lending
Mining
Chains,
Bridges &
“Hops”
Internal
Deployment
Wallets/
Network
External Asset
Managers
Validators
Nodes
Domains Code Repos
Social Media
Web3 <> Web 2.0 Stack (selected)
Transactions
NFTs
Other Digital
Assets
dApps Smart Contracts
Custodians, Wallet Platforms
Programming Languages Compiler Versions
All Coins,
Tokens
Blockchains
Validators, Nodes
Domain
Staking Pools
Source Code
Mining
Internal
Wallets
CEX
EXT. Asset
Managers
Other Crypto
Accounts
Social Media,
Deep/Dark Web
Supply Chain =
Counterparty Risk
Multidisciplinary & Built-in
Web3 Supply Chain Challenges
➔ Web3 compounds Web 2.0 issues with a 24/7, distributed financial environment, heavy reliance on counterparties, elevated by the immutable nature
➔ Immutable blockchain smart contracts offer security benefits but pose risks due to an inability to patch vulnerabilities (at times)
➔ Communicating Web3 vulnerabilities is tricky → sharing issues without risking user funds
➔ Supply chain vulnerabilities only expected to rise → barrier of entry to Web3 is low
https://openssf.org/blog/2023/03/15/new-slsa-survey-reveals-real-world-developer-approaches-to-software-supply-chain-security/
Establish Trust
Verify Trust
Maintain Trust
SLSA Framework & Continuous Security
Uniswap → 100s of Dependencies
Supply Chain Threat Intelligence
“Web3 IOCs”
On/Off-Chain Hybrid Attack
Dec 2023: Xplorisk detected over 1,350 victims hit by a phishing/fund-draining attack.
Victims signed an off-chain transaction via a lookalike domain, which gave the attacker permission to steal funds.
“Malicious” Financial Assets
Copy Cats
A hacker started deploying malicious smart contracts on the BNB chain.
During a ~24-hour period, he deployed 16 different contracts with small tweaks, almost all of them aiming to
manipulate and exploit a specific coin, with the goal of stealing $$$.
He failed this time, but it took 16 attempts before he gave up.
The Needed Paradigm Shift
DeFi PROTOCOL
SECURITY POSTURE
ASSESSMENT
Vulnerability Scanning
Penetration Testing
dApp Security Assessment
Smart Contract Functions
Mapping & Audit
Transactions Review
DeFi PLATFORM & ENTITIES
INTELLIGENCE
ASSESSMENT
Published Media Review
Social Media Review
Existing Litigations Review
Entity Due Diligence,
Who
Where
When
Boots on the Ground Activities
ONGOING
MONITORING &
PREVENTION
On Chain Monitoring
Off Chain Monitoring
Ongoing Anomaly
Detection
Deployment Security
Domains to Excel at Together
Preemptive & Automated Risk Mitigation
Blockchain
Infra
Cybersecurity
& SDLC
Cryptography
Asset
Management &
Accounting
AML,
Sanctions,
Fraud
Crypto Money
Movement
Shiran Kleiderman,
Co-founder & CEO
shiran@xplorisk.com
Automated & Continuous Web3
Risk Mitigation
Keep Safe & Secure
Questions?
RISK PRIORITIZATION AND
MITIGATION:
DEPENDENCY,
REACHABILITY, AND
PACKAGE UPDATE
Who Am I?
Dvir Babila
• An engineering manager turned DevSecOps product leader
• Employee #8 @SentinelOne, Employee #7 @ Cycognito, Employee #1 @ Cyrus, Employee #10 @ Myrror
• Focused on making open-source security less terrible for everyone
• VP Product
Vulnerabilities
Formal Definition:
A Vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
Source: https://csrc.nist.gov/glossary/term/vulnerability
In other words:
Think of a vulnerability as a hole in the wall of your house; someone might come through it.
Open Source Vulnerabilities
“Open source libraries are the foundation for literally every application in every industry.”
Source: The Open Source Security & Risk Analysis (OSSRA) Report
Direct vs. Indirect Dependencies
A direct dependency is a package you include in your project.
An indirect or transitive dependency is a package that your project does not add directly, but is used by one (or more) of your direct dependencies.
[Diagram labels: Application; Direct Dependency; Transitive Dependency]
On Alert Fatigue
SCA Platforms generate alerts for vulnerabilities → There are a lot of dependencies, and thus a lot of vulnerabilities → Alert fatigue follows
Definition:
Vulnerability Alert Fatigue is when application security professionals become desensitized to SCA vulnerability alerts, and are not sure which vulnerability to address first.
Source: Unknown, but sounds right
Fixing Transitive Dependencies
[Diagram labels: Application; Direct Dependency; Indirect Dependencies; Vulnerable Function]
• Vulnerability is found in a transitive dependency
• Too many vulnerabilities to fix
• Do we have a newer version that fixes the child dependency vulnerability?
What's in a Hole
• Can we fix the hole?
• What can pass through that hole?
• Is it possible to go through the hole?
• Can an intruder reach the hole?
What's in a Hole — i.e. Vulnerability Prioritization
Things To Think About Regarding Vulnerabilities
• Fix Available: Can we fix the hole in the wall?
• Exploitability: Is it possible to go through the hole in the wall?
• Business Impact: What can pass through that hole and what could it do to the residents?
• Reachability: Can an intruder reach the hole in the wall?
Prioritizing Approaches
Runtime vs. Static
You can choose to prioritize in one of two stages in the application's lifetime:
• Dynamically, i.e. at runtime
• Statically, i.e. at the code level
Is a Fix Available?
Easy Peasy?
• Direct Dependency Fix vs. Transitive Dependency Fix
• Upgrading all the vulnerable dependencies in one shot vs. one by one
There's a vulnerability in the transitive function (like we see here), but do we have a version of the direct dependency that fixes it?
[Diagram labels: Application; Direct Dependency; Indirect Dependencies; Vulnerable Function; fix?]
Exploitability - Without App Context
CVSS, EPSS
Business Impact - Adding App Context
Reachability
Formal Definition:
In vulnerability analysis terminology, reachability is a property of a piece of code that indicates whether it will (or will not) be called under an application’s normal operational conditions.
Source: https://myrror.security/the-definitive-guide-to-vulnerability-reachability-analysis-part-1/
[Diagram labels: Application code; hibernate; jackson; slf4j; spring-web; mongodb; REACHABLE; UNREACHABLE]
UNREACHABLE: The reachable part of Jackson does not call the vulnerable function
UNREACHABLE: The reachable part of mongodb does not call the vulnerable part of slf4j
Calculating Reachability
Build AST from source code
All external calls are entry points to the CFG
Analysis of all source code external calls (calls
to dependencies from the source call)
Travel across the CFG from the entry points
and try to see if you reach all the vulnerable
functions
Java Code:
public class C {
    int m (int i) {
        m (i);
    }
}
[Figure: Simplified AST of the Java code: a class declaration (name ‘C’, modifier ‘public’) with a method member (name ‘m’, return type int, formal param ‘i’ of type int) whose block contains a call to ‘m’ with arg ‘i’]
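An added example (not from the talk or from Myrror's product) that walks through the steps under "Calculating Reachability": parse the application source into an AST, take every call into an imported dependency as an entry point, then traverse the dependencies' call graph to see which vulnerable functions can be reached. It uses Python's ast module instead of Java; the application source, the call graph, all function names and the choice of which dependency ends up reachable are constructed assumptions, not the real libraries' APIs.

```python
import ast
from collections import deque

# Constructed application source. It is only parsed, never executed.
APP_SOURCE = '''
import jackson
import mongodb
import spring_web

def handle(request):
    doc = jackson.read_value(request)
    mongodb.insert(doc)
    return spring_web.ok()
'''

# Constructed call graph of the dependencies: caller -> callees.
DEP_CALL_GRAPH = {
    "jackson.read_value": ["jackson.parse"],
    "jackson.read_polymorphic": ["jackson.vuln_deserialize"],  # never called by the app
    "mongodb.insert": ["mongodb.encode"],
    "mongodb.export": ["slf4j.vuln_format"],                   # never called by the app
    "spring_web.ok": ["spring_web.render"],
    "spring_web.render": ["spring_web.vuln_bind"],
}

# Hypothetical functions flagged by vulnerability alerts.
VULNERABLE = {"jackson.vuln_deserialize", "slf4j.vuln_format", "spring_web.vuln_bind"}


def external_calls(source: str) -> list:
    """Entry points: calls of the form module.func() on a module the app imports.
    Only plain 'import x' / 'import x as y' is handled, to keep the example short."""
    tree = ast.parse(source)
    modules = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                modules[alias.asname or alias.name] = alias.name
    calls = set()
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id in modules):
            calls.add(f"{modules[node.func.value.id]}.{node.func.attr}")
    return sorted(calls)


def reachability(source: str, call_graph: dict, vulnerable: set) -> dict:
    """Map each vulnerable function to a call path from an entry point, or None."""
    entries = external_calls(source)
    parent = {entry: None for entry in entries}
    queue = deque(entries)
    while queue:  # breadth-first walk from all entry points
        fn = queue.popleft()
        for callee in call_graph.get(fn, ()):
            if callee not in parent:
                parent[callee] = fn
                queue.append(callee)
    result = {}
    for target in sorted(vulnerable):
        if target not in parent:
            result[target] = None  # unreachable: the alert can be deprioritized
            continue
        path, node = [], target
        while node is not None:
            path.append(node)
            node = parent[node]
        result[target] = path[::-1]
    return result


if __name__ == "__main__":
    for fn, path in reachability(APP_SOURCE, DEP_CALL_GRAPH, VULNERABLE).items():
        print(fn, "REACHABLE via " + " -> ".join(path) if path else "UNREACHABLE")
```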
Questions?
Demoing An Attack
Thank You!
Questions?
To be continued…
https://www.linkedin.com/company/application-security-virtual-meetups

Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
