Frequent cases of distributing malicious packages through ‘typosquatting’
Prof. Hee-jo Lee’s research team(Korea University) responds to SW supply chain attacks with CENTRIS

The recent Solarwinds incident, which has exposed a lot of companies to cybersecurity threats worldwide, is a ‘all-time great’ incident that once again confirms the dangers of a supply chain attack. Software Supply Chain is the process that ranges from the software development to the distribution, installation, and maintenance of the software. The attacker intervenes to allow the tampered software to be delivered to the user’s system. For instance, in the case of Solarwinds, the maintenance (update) was sought after. The attacker broke into SolarWinds’ system, tampered with the update file and propagated it to the user through the classic update channel.

[Image from utoimage]

Supply chain attacks may also occur during the development phase. Recently, PyPl, a Python developer community, showed that 4,000 fake packages were registered and that Supply Chain attacks may occur during the development stage. Through Python, PyPI is a community that shares software features (packages). The registered fake packages have names that are slightly different for the normal ones. In the case of a developer downloading and installing the fake package mistaken for a normal one, the malicious software would then be planted into the developing software.

As such, Supply Chain attacks have been continuously attempted to aim at reused open-source software. In the case of open-source communities, as anyone can easily access them, Hackers can easily exploit them and developers can easily be attacked as they actively utilize open-source to increase their development efficiency. Thus, tools to prevent such attacks that have been developed by domestic research teams have drawn attention.

CENTRIS© is a technology developed by Professor Hee-Jo Lee’s research team (Head of the Software Security Research Center) at Korea University with the participation of Seung-hoon Woo (first author), Sung-han Park, Seul-bae Kim, Professor Hee-jo Lee (corresponding author), and Professor Hak-joo Oh. The research team is continuously working on open-source security and VUDDY is its representative technology that accurately and quickly detects vulnerable open-source, published in IEEE Security & Privacy (2017).

▲Ph.D Seung-hoon Woo in Korea University CSSA[Image from Korea University]

“Supply Chain attacks are attacks that penetrate the software supply chains such as repositories (storage for software version management) and package management systems in the process of developing and deploying software. Such Supply Chain attacks have been on the rise” the research team said.

Supply Chain attack can occur in 3 main areas: △ Development Server △ Software Repository △ Package Manager. Attackers can insert malicious IDE or plug-ins into the development server itself, manipulate or steal metadata from specific software repositories and distribute malicious packages that have been tampered with through typo-squatting attacks using package managers.

Typosquatting is a social engineering technique used to trick people with similarly shaped text. For example, Microsoft is transformed into rnicrosoft (‘rn’ disguised as ‘m’) or GoogIe (uppercase i ‘I’ disguised as lower-case L). In Supply Chain attacks, typo-squatting is often used to distribute malicious in the shape of normal packages names.

“Especially, typosquatting attacks are one of the most commonly found Supply Chain attacks” the team said and “In reality, not only the discovered fake packages from PyPI but also the 700 malicious typo-squatting package were found on RubyGems last year, a package manager for Ruby programs. For example, a malicious package named ‘acc-poker_types’ was distributed to target the normal package named ‘accc_poker_types’ ” the team added.

▲Open source package being installed[Image from Security News]

With just one attack, Supply Chain attacks can have countless software effects. Particularly, maliciously-modulated software can cause more damages if more and more companies or linked software depend on a particular software. If the case of open-source software, the source code is disclosed at the supply chain stage- being especially vulnerable to supply chain attacks as it is often highly depending on each other in open-source software.

As such, why are so many developers are using open-source software that are likely to cause Supply Chain attacks? It is because it can dramatically reduce the software development time and cost. Open-source is necessary, especially for a competitive program development, where functions from trusted open-source software can be taken and reused without the need for developers to develop specific desired functions. Recently, major technologies such as AI, Big Data, blockchain, Internet of Things etc., are carried out through open-source projects. Competitiveness-wise, implementing software functions without the reuse of open-source software means falling behind, especially due to the compatibility issues.

”Despite the benefits of open-source, the reuse of unmanaged open-source software can pose a number of  security threats. The typical Supply Chain attacks accompanied with other known vulnerabilities, license violation etc may also occur”, the research team said, adding “The small vulnerabilities present in open-source software impairs the security of the entire software and the reuse of non-correlating licenses lead to issues such as copyright infringement. Especially, the reuse of modulated open-sources, which can be distributed via package managers, etc., may lead to serious Supply Chain attacks.

CENTRIS©, a tool developed by Hee-Jo Lee’s research team, quickly and accurately identifies reused open-source software components. Open-source software has often its original structure and code modified during reuse. In fact, according to the research team’s results, 95% of all frequently used popular open-source software has reused code or structural modifications.

In particular, the team explained that, with the existing approaches, it is difficult to accurately detect modified open-source software components. Specifically, existing open-source component detection technology detects only 10% of all open-source reuse. In contrast, CENTRIS© added code segmentation and deduplication algorithms that detect over 90% of all open-source reuses.

“The first step in responding to Supply Chain attacks is to clearly identify components within the software such as ‘which open-source software or which open-source version’ is being used. This information is called the software name or SBOM (Software Bill of Materials). CENTRIS© can even accurately detect modified open-source software components, providing SBOM for specific software.” And “If CENTRIS© continuously manages the software specifications it finds, it will be much faster and effective in responding to Supply Chain attacks” the research team said.

For example, via specification analysis, it can be determined whether a reused open-source software has been malicious tempered and if it is being reused, it allows the developer to delete it. In addition, even for attacks such as typo-squatting or malicious package distribution, it is possible to verify whether the open-source is trustworthy.

Besides Supply Chain attacks, software component information can also be analyzed to determine whether the open-source that is used has known vulnerabilities and has potential license conflicts simultaneously.

The research team said: “As a result, the information provided by CENTRIS© enables developers to secure software in a safer environment. The CENTRIS© prototype will be introduced this coming April 19th, through a large-scale IOTCUBE platform update. In addition, CENTRIS© will be integrated to Labrador, an IOTCUBE vulnerability assessment platform, so that companies can accurately identify open-source software components during the development or inspection stage.”

Original article link :