Meet the Founders
Meet the Arnica Founders @ RSA
Book time!
Meet the Founders
Book time!
SOFTWARE SUPPLY CHAIN

Tracing the Impact of a Clothing Retailer's Software Supply Chain Breach on Your Production Environment

Mike Doyle
Head of Security Research
May 25, 2022
Mike Doyle earned a Computer Science degree in 2003, just in time to watch the post-bubble job market dry up. Handy with a bash prompt, he found work as a system admin in an attempt to edge back into development. Instead, he moved toward security consulting and penetration testing (which is what he always wanted to do anyway). Doyle believes that hard problems require elegant solutions.

TL;DR

When open-source developers walk away from maintaining their projects, it poses a high risk to all source code that is dependent on them. This is pretty much what happened with the CTX Python library.  

This post includes a couple of indicators of compromise, which will help you understand how to catch these scenarios in the future.

{{arnica-top-signup-banner="/template-pages/try-arnica-banner"}}

What Happened?  

Part 1: HauteLook Account Abandonment from GitHub

Between September 2021 and May 2022, the Nordstrom-owned clothing brand named HauteLook closed their GitHub account. They had been receding from the open-source community.  

In September 2021 they zapped their popular AliceBundle repo without a word.  

On May 15th, 2022 the GitHub username HauteLook was registered, again, by an interested third party.

Figure 1

Figure 1. The Security Researcher Somdev Sangwan identifying the date that HauteLook's GitHub account was recreated.

It means that the new owner of the GitHub account could act on behalf of the deleted account.

Part 2: FigLeif’s Domain Squatting

The open-source developer FigLeif (the name sounds like a typo-squatting) was stale between July 2020 and May 2022. He had developed and maintained the CTX python package, which affords python developers the syntactic sugar of addressing data structure elements in efficient attribute-access notation (i.e. foo.bar.baz) rather than the cumbersome item-access notation (i.e. foo["bar"]["baz"]) functionality which may seem frivolous to the uninitiated, but try typing all those brackets and quotes sometime - your pinkies will hate you for it ;-)

FigLeif's email domain expired in August 2021 but was reregistered by the same interested third party from Part 1 above.

Figure 2

Figure 2: figlief.com domain registry recent history.

Part 3: Recreating a Retired Repo, Exposing a GitHub Vulnerability

The same interested third party cleverly recreated retired repos of CTX and HauteLook's most prominent repo, a sadly named password hashing library, PHPass.  

GitHub has a security control to prevent the creation of repository names that are equivalent to retired repository names, but the new owner of the FigLeif and HauteLook orgs found a bypass for it: change your username to something other than the previous owner of the repository >> create a repository with the name of the retired repository >> change the username back to the previous owner.

Figure 3

Figure 3: A screenshot taken by Yunus Aydin, the interested party.

Having done this, the interested party, a security researcher and college student named Yunus Aydin, blogged about the attack and posted it to his LinkedIn.

Part 4: Push Malicious Code to the GitHub Repositories CTX and PHPass

Yunus modified the packages so that any time they run, the AWS environment variables are sent to an Heroku-hosted app Yunus controlled.

Figure 4

Figure 4: Screenshot showing the code which sends AWS environment variables.

This is dangerous because many applications, especially cloud hosted and containerized ones, store sensitive secrets in environment variables.

Part 5: Upload CTX to PyPi from FigLeif’s Account

Since Yunus managed to take over FigLeif’s domain, he managed reset the password to PyPi, which followed by uploading the malicious package to PyPi on May 14.

Figure 5

Figure 5: The PyPI project page for the malicious CTX package, archived by The Wayback Machine.

Part 6: A Random Search on GitHub Identified PHPass

The security researcher, Somdev, found additional instance of the same by running a GitHub search. Thank you!

Figure 6

Figure 6: The Security Researcher Somdev Sangwan found the PHPass issue.

Do NOT Blame Open-Source Contributors

All open-source software needs a succession plan for when their maintainers move on. Building a successful, stable, useful library is surprisingly thankless. Both PHPass and CTX hadn't been touched in years and hadn't needed it. Their developers can't be blamed for losing interest.

Conclusion: What Can You Do To Strengthen Your Organization's Supply Chain Security?

  • Lock all used package versions. If a dependency management system is in use, such as Poetry or Pipenv, use poetry.lock and Pipfile.lock respectively.  
  • If you maintain open-source projects, make sure MFA is enforced. Don’t use email as the 2nd factor.
  • Set your domain registration to auto-renew.
  • To avoid pushing malicious code by other contributors to your open-source project, maintain a CODEOWNERS file to enforce reviews of PRs. Based on our research, it also increases the quality of your code. We can automatically generate and maintain CODEOWNERS files for you.
Next
Next blog image
THE LATEST UPDATES

More from our blog

The Essential Guide to SCA and SAST
SOFTWARE SUPPLY CHAIN
The Essential Guide to SCA and SAST
Simon Wenet
Simon Wenet
March 25, 2024
A Complete Guide: Enterprise Managed Users vs Bring Your Own Users on GitHub
SOFTWARE SUPPLY CHAIN
A Complete Guide: Enterprise Managed Users vs Bring Your Own Users on GitHub
Nir Valtman
Nir Valtman
March 25, 2024
How to Determine the Severity of a Third-Party Risk with Software Composition Analysis (SCA)
SOFTWARE SUPPLY CHAIN
How to Determine the Severity of a Third-Party Risk with Software Composition Analysis (SCA)
Simon Wenet
Simon Wenet
March 25, 2024

{{arnica-bottom-signup-banner="/template-pages/try-arnica-banner"}}

SOLUTIONS
BENEFITS
COMPANY
Developer Access Management
Arnica for Security
Arnica for DevOps
About
Anomalous Developer Behavior
Careers
Secret Detection & Mitigation
Arnica for Developers
Contact
Continuous SDLC Compliance
Arnica for Compliance & Risk
Security
Software Bill Of Materials (SBOM)
Status
INTEGRATIONS
RESOURCES
LEGAL
GitHub
Announcements
Terms of Use
Azure DevOps
Blog
Privacy Policy
Chat
Press
Docs
Solutions
Code Security (SAST, SCA, IaC)
Secret Detection & Mitigation
Software Bill Of Materials (SBOM)
Automated Developer Access Management
Anomalous Developer Behavior
Security Reporting & Audit
Application security posture management (ASPM)
Company
About
Careers
Security
Contact
SUBSCRIBE TO OUR NEWSLETTER
Subscribe to our newsletter to receive the latest content and updates from Arnica.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
By submitting this form, I agree to Arnica's privacy policy.
© 2022 Arnica, Inc. All rights reserved.
© Arnica, Inc. All rights reserved.
info@arnica.io
|
Linkedin logoInstagram logo