User Tools

Site Tools


Supply chain attacks

Here, supply chain attacks means injected code (backdoor) into new releases and updates of software packages, that turns a software supply infrastructure into an attack vector.

Date Supply chain Description Impact
Oct 2018 Colourama The official PyPI repository was found tainted again, this time with Colourama (is not Colorama). Colorama is one of the top-20 most-downloaded modules in the Python repository. Colourama, the altered version, when run on Windows servers, adds a script which diverts detected cryptocurrency payments.
Oct 2018 VestaCP The installation script for the control-panel interface that system administrators use to manage servers was found altered to report back generated admin credentials. There are more than 132,000 unexpired TLS certificates for VestaCP users.
Sept 2017 PyPI The official PyPI repository was found tainted with modified code packages. The tainted functionalities were incorporated into software multiple times from June until September.
Sept 2017 CCleaner In September of 2017, security researchers at Cisco Talos and Morphisec disclosed CCleaner had been compromised. The 5.33 version of CCleaner had widespread distribution across multiple industries, but the embedded code appeared to be targeted at specific groups in the technology sector. ~ 2.27 million downloads, but the intent behind the injected packages seems to have been to collect an initial set of reconnaissance data.
Aug 2017 NetSarang Attackers modified at least five software packages distributed by network connectivity and server management solutions provider NetSarang in order to infect its business users with modular backdoor spyware. The latest versions of Xmanager Enterprise 5 (build 1232), Xmanager 5 (build 1045), Xshell 5 (build 1322), Xftp 5 (build 1218) and Xlpd 5 (build 1220) had been compromised. The affected builds were released on July 18 and the backdoor was only discovered on August 4.
July 2017 MeDoc Attackers comprised M.E. Docs (accounting software) update server and sent NotPetya to unsuspecting victims. XDATA ransomware was also distributed via M.E. Doc in June 2017 and possibly as early as April 2017 as part of what many now call a wiper attack - it is impossible for the attackers to decrypt victims' disks, even if they pay the ransom fee.

en/research/stories/cca/start.txt · Last modified: 2018/10/27 16:19 by Digital Dot