SOFTWARE SUPPLY CHAIN

Tracing the Impact of a Clothing Retailer's Software Supply Chain Breach on Your Production Environment

Mike Doyle
Head of Security Research
February 24, 2023
Mike Doyle earned a Computer Science degree in 2003, just in time to watch the post-bubble job market dry up. Handy with a bash prompt, he found work as a system admin in an attempt to edge back into development. Instead, he moved toward security consulting and penetration testing (which is what he always wanted to do anyway). Doyle believes that hard problems require elegant solutions.

TL;DR

When open-source developers walk away from maintaining their projects, it poses a high risk to all source code that is dependent on them. This is pretty much what happened with the CTX Python library.  

This post includes a couple of indicators of compromise, which will help you understand how to catch these scenarios in the future.

{{arnica-top-signup-banner="/template-pages/try-arnica-banner"}}

What Happened?  

Part 1: HauteLook Account Abandonment from GitHub

Between September 2021 and May 2022, the Nordstrom-owned clothing brand named HauteLook closed their GitHub account. They had been receding from the open-source community.  

In September 2021 they zapped their popular AliceBundle repo without a word.  

On May 15th, 2022 the GitHub username HauteLook was registered, again, by an interested third party.

Figure 1

Figure 1. The Security Researcher Somdev Sangwan identifying the date that HauteLook's GitHub account was recreated.

It means that the new owner of the GitHub account could act on behalf of the deleted account.

Part 2: FigLeif’s Domain Squatting

The open-source developer FigLeif (the name sounds like a typo-squatting) was stale between July 2020 and May 2022. He had developed and maintained the CTX python package, which affords python developers the syntactic sugar of addressing data structure elements in efficient attribute-access notation (i.e. foo.bar.baz) rather than the cumbersome item-access notation (i.e. foo["bar"]["baz"]) functionality which may seem frivolous to the uninitiated, but try typing all those brackets and quotes sometime - your pinkies will hate you for it ;-)

FigLeif's email domain expired in August 2021 but was reregistered by the same interested third party from Part 1 above.

Figure 2

Figure 2: figlief.com domain registry recent history.

Part 3: Recreating a Retired Repo, Exposing a GitHub Vulnerability

The same interested third party cleverly recreated retired repos of CTX and HauteLook's most prominent repo, a sadly named password hashing library, PHPass.  

GitHub has a security control to prevent the creation of repository names that are equivalent to retired repository names, but the new owner of the FigLeif and HauteLook orgs found a bypass for it: change your username to something other than the previous owner of the repository >> create a repository with the name of the retired repository >> change the username back to the previous owner.

Figure 3

Figure 3: A screenshot taken by Yunus Aydin, the interested party.

Having done this, the interested party, a security researcher and college student named Yunus Aydin, blogged about the attack and posted it to his LinkedIn.

Part 4: Push Malicious Code to the GitHub Repositories CTX and PHPass

Yunus modified the packages so that any time they run, the AWS environment variables are sent to an Heroku-hosted app Yunus controlled.

Figure 4

Figure 4: Screenshot showing the code which sends AWS environment variables.

This is dangerous because many applications, especially cloud hosted and containerized ones, store sensitive secrets in environment variables.

Part 5: Upload CTX to PyPi from FigLeif’s Account

Since Yunus managed to take over FigLeif’s domain, he managed reset the password to PyPi, which followed by uploading the malicious package to PyPi on May 14.

Figure 5

Figure 5: The PyPI project page for the malicious CTX package, archived by The Wayback Machine.

Part 6: A Random Search on GitHub Identified PHPass

The security researcher, Somdev, found additional instance of the same by running a GitHub search. Thank you!

Figure 6

Figure 6: The Security Researcher Somdev Sangwan found the PHPass issue.

Do NOT Blame Open-Source Contributors

All open-source software needs a succession plan for when their maintainers move on. Building a successful, stable, useful library is surprisingly thankless. Both PHPass and CTX hadn't been touched in years and hadn't needed it. Their developers can't be blamed for losing interest.

Conclusion: What Can You Do To Strengthen Your Organization's Supply Chain Security?

  • Lock all used package versions. If a dependency management system is in use, such as Poetry or Pipenv, use poetry.lock and Pipfile.lock respectively.  
  • If you maintain open-source projects, make sure MFA is enforced. Don’t use email as the 2nd factor.
  • Set your domain registration to auto-renew.
  • To avoid pushing malicious code by other contributors to your open-source project, maintain a CODEOWNERS file to enforce reviews of PRs. Based on our research, it also increases the quality of your code. We can automatically generate and maintain CODEOWNERS files for you.
THE LATEST UPDATES

More from our blog

The Essential Guide to SCA and SAST
The Essential Guide to SCA and SAST
February 13, 2024
A Complete Guide: Enterprise Managed Users vs Bring Your Own Users on GitHub
A Complete Guide: Enterprise Managed Users vs Bring Your Own Users on GitHub
November 20, 2023
How to Determine the Severity of a Third-Party Risk with Software Composition Analysis (SCA)
How to Determine the Severity of a Third-Party Risk with Software Composition Analysis (SCA)
November 14, 2023

{{arnica-bottom-signup-banner="/template-pages/try-arnica-banner"}}