The New Era of Supply Chain Attacks: Python Developers Hacked in Sophisticated Supply Chain Attack

The data shows that supply chain attacks can be considered one of the most effective ways to compromise organizations, as they target the weakest links in the security chain. Supply chain attacks usually begin by compromising a supply chain partner, such as a distributor, developer, or supplier.

Once inside the organization, attackers may steal sensitive data, damage systems, or even shut down whole organizations. In this blog, we will examine one of the most recent events of a supply chain attack that took down multiple Python developers.

The Supply Chain Attack: Explained

Cloning a Popular Tool

Multiple Python developers, which included the maintainer of Top.gg, were infected by information-stealing malware after downloading a malicious clone of a highly popular tool.

The tool is called Colorama, a utility that makes ANSI escape character sequences (a standard for in-band signaling to control cursor location, font styling, color, and other options on video text terminals and terminal emulators) work on Windows and has been downloaded more than 150 million times.

The attackers embed software with malware, which is distributed among users. This way, the malware infects the user’s system. This step is akin to creating a counterfeit product that looks identical to the real thing but contains harmful components.

Setting Up a Fake Mirror Domain Through Typo Squatting

To execute their supply chain attack, the hackers cloned Colorama, inserted malicious code into it, and placed the malicious version on a fake mirror domain, which relied upon typo squatting  (registering a domain that closely resembles a legitimate domain) to trick Python developers into mistaking it for the legitimate “files.pythonhosted.org” mirror.

For example, if the legitimate domain is “example.com”, the attackers might register “example1e.com” or simply “example.co”, preying on users who mistype the URL.

Hijacking High-Profile Accounts

The intruders created malicious repositories under their accounts to spread the malware package while hijacking high-profile accounts. These included the GitHub account “editor-syntax,” which maintains the Top.gg search and discovery platform for Discord, a community with over 1,700,000 members.

Using the “editor-syntax” account, the intruders made a malicious commit to the top-gg/python-sdk repository, adding instructions to download the malicious clone of Colorama and starting malicious GitHub repositories to increase their visibility.

The account was hacked via stolen cookies, which the intruders used to bypass authentication and perform malicious activities without knowing the password. As a result, multiple Top.gg community members were compromised. For instance, they could alter the repository of a popular software project to include a dependency that downloads the malicious code instead of the legitimate package.

Hiding Malicious Code

To hide malicious code in Colorama, the cyber-attackers added numerous white spaces, pushing the snippet off-screen so it wouldn’t be visible during quick reviews of the source files. In addition to that, they set the code to be executed every time Colorama was imported. This technique can be considered similar to hiding fine print in a contract by pushing it off the visible page, hoping no one scrolls down to read it.

Infection Procedure

Once the malicious code was executed, the infection procedure continued with several additional steps, such as executing and downloading additional Python code and fetching necessary libraries while establishing persistence.

In the end, the developers’ systems were infected with malware capable of logging keystrokes while stealing data from multiple browsers, including Chrome, Edge, Brave, Opera, Vivaldi and Yandex, Discord, Cryptocurrency wallets, Telegram Sessions, computer files, and Instagram. This is akin to a thief breaking into a house, searching through rooms (applications) and stealing valuable items (data credentials).

Code Signing Vulnerabilities and Mitigation Measures

1. Certificate Theft

Cyber attackers target codesigning certificates through different means, including phishing, social engineering, or compromising CAs (Certificate Authorities). Once the attacker possesses a stolen certificate, they can sign malicious software, ensuring its legitimacy to unsuspecting users.

Developers must adopt strong certificate management practices to mitigate this risk efficiently, which includes safe storage, certificate audits, and two-factor authentication.

Suppose there is an organization called Fintech Innovations Inc.; safe storage of certificates prevents unauthorized access to its code-signing certificates. The organization also conducts regular certificate audits to ensure that each certificate is used as intended. In addition, it uses two-factor authentication for certificate access, which significantly reduces the risks of unauthorized access through compromised credentials.

2. Compromised Build Environment

Supply chain attacks often target software development enterprises’ built environments. By compromising these systems, they can inject malicious code into the final product. Hence, developers must adopt robust security measures for built environments, including continuous monitoring, secure access controls, and vulnerability assessments.

The organization mentioned above implements a continuous monitoring solution that tracks real-time activities within its development and build environments. It also enforces strict access controls on its build environments. Fintech Innovations Inc. also conducts regular vulnerability assessments on the built environment to remediate and identify potential weaknesses.

Secure Code Signing Best Practices

To mitigate the risks of code signing and to protect against supply chain attacks, enterprises must implement the following best practices:

• Secure Key Management

  Organizations must safeguard the private keys used for code signing, ensuring their secure storage and accessibility to the authorized user. They must employ strong encryption, HSMs (Hardware Security Modules), and regular key rotation to minimize the impact of a compromised key. For instance, Google is a well-known organization that uses secure key management for codesigning, which helps it keep cyber attackers at bay.

• CLM, or Certificate Lifecycle Management

  Organizations must establish a robust structure for certificate issuance, revocation, and renewal procedures. They must implement stringent verification processes when renewing or requesting certificates. In addition, they must monitor and audit certificates in use and promptly revoke any expired or compromised certificates.

• Build System Security

  Organizations must also strengthen security measures around the built environment, including intrusion detection systems, secure access control, and continuous monitoring. They need to regularly update and patch build tools and dependencies to mitigate known vulnerabilities.

• Supply Chain Integrity

  Organizations must implement strict controls throughout the software development lifecycle, including continuous integration and deployment (CI/CD) pipelines, secure code repositories, and regular security audits. They must also validate the integrity of third-party libraries and components before incorporating them into software projects.

• User Awareness and Education

  They need to educate users about the importance of code signing and how to verify the software’s authentication. They also need to promote awareness about potential risks and common attack vectors, such as phishing attempts or social engineering.

Conclusion

Moreover, adopting best practices in secure code signing is essential in fortifying defenses against these insidious threats. CodeSign Secure ensures that there is no tampering from unapproved parties and that the published software is from the original publisher. It also keeps you safe from supply chain attacks.