First published: 19 Sep 2025
Last updated: 01 Apr 2026

Content written for

Individuals & families
Small & medium business
Large organisations & infrastructure
Government

This updated alert is relevant to all Australians and Australian organisations, including organisation leaders, that maintain online code repositories, publish public software packages, or use third party packages or software sourced from online repositories.

Background

The ASD's ACSC is aware of increased targeting of online code repositories.

Threat actors have been observed gaining access to online code repositories through:

  • Phishing/Vishing
  • Social Engineering
  • Compromised credentials
  • Compromised authentication tokens
  • Infected software packages.

The following activities have been noted as being performed by threat actors after gaining access to privileged systems and accounts:

  • Modifying public packages to initiate supply-chain compromises.
  • Running open-source tools to scan for cryptographic secrets, passwords and sensitive keys stored in online code repositories.
  • Extracting and leaking identified credentials publicly.
  • Migrating private repositories to public repositories.

Threat actors have been observed abusing legitimate tooling and functions to achieve these results, rather than bespoke tooling.

Exposed code bases give actors a better understanding of an organisation's internal processes and systems, increasing its attack surface and enabling future, novel attacks.

Mitigation advice

ASD's ACSC advises organisations to:

  • Investigate affected systems: Review logs for recent package installations, suspicious processes, and unexpected modifications in developer repositories. Analyse any system that hosted a compromised package for malicious activity.
  • Validate packages: Validate that only trusted, verified packages are in use; check packages for signs of compromise before installation and updating.
  • User awareness: Inform users of the dangers of unverified or insufficiently verified software packages.
  • Monitor for secret scanning: Use code repositories' native security functions, such as built-in secret scanning and audit logs, to detect secrets committed to repositories and unauthorised scanning of them.
  • Rotate potentially exposed secrets: Rotate any secrets found in code repositories accessible from compromised systems.
  • Review advice on mitigating cyber supply chain risk.
  • Review advice on managing cryptographic keys and secrets.
  • Review advice on Identifying and Mitigating Living Off the Land Techniques to understand how threat actors use legitimate tooling to undertake attacks.
  • Review advice on Social Engineering.
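To rotate exposed secrets you first have to find them. The following is an added example, not tooling from the ASD's ACSC or from any repository host: a small scanner that checks repository contents for a handful of well-known credential formats (GitHub classic tokens, AWS access key IDs, Slack tokens, private-key headers) and reports masked findings grouped by type so each can be rotated. The repository snapshot is constructed for the example; the pattern set is a hypothetical starting point and deliberately narrower than a host's native secret scanning.

```python
"""Scan repository contents for well-known credential formats and report
masked findings to drive rotation. Constructed example: the file contents
below are made up and the pattern set is a hypothetical starting point."""
import re
from dataclasses import dataclass

# Credential formats with a fixed, recognisable shape. The repository host's
# native secret scanning covers many more; this set is illustrative only.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}
# Matches whose text is only a marker, not the secret itself, are safe to show in full.
MARKER_ONLY = {"private_key"}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    masked: str  # enough to identify the credential for rotation, never the full value


def mask(secret: str) -> str:
    """Keep the first and last four characters so the owner can recognise the key."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Return every pattern match in one file, line by line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(0)
                shown = value if kind in MARKER_ONLY else mask(value)
                findings.append(Finding(path, lineno, kind, shown))
    return findings


def scan_repository(files: dict[str, str]) -> list[Finding]:
    """files maps a repository-relative path to its text content."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def rotation_checklist(findings: list[Finding]) -> dict[str, int]:
    """Count findings per credential type; each type maps to its own rotation procedure."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed repository snapshot (not real credentials; AKIAIOSFODNN7EXAMPLE is
# the placeholder access key ID used in AWS documentation).
SAMPLE_REPO = {
    "README.md": "# portal\nRun `make dev` to start. Tokens live in the vault, not here.\n",
    "config/settings.py": (
        "DEBUG = False\n"
        'GITHUB_TOKEN = "ghp_0123456789abcdef0123456789abcdef0123"  # TODO remove\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'PLACEHOLDER = "ghp_short"  # not a valid token shape, must not match\n'
    ),
    "deploy/id_ed25519": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA...\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    results = scan_repository(SAMPLE_REPO)
    for f in results:
        print(f"{f.path}:{f.line} {f.kind} {f.masked}")
    print(rotation_checklist(results))
```

The scanner masks what it reports because a findings report that is pasted into a ticket or chat is itself a new place for the secret to leak; the rotation checklist counts per type so that, for example, a private key and a GitHub token each go to the team that can revoke them.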

Advice for Leaders

The compromise of trusted software packages presents a significant and ongoing risk for organisations. These packages are often widely used and embedded as dependencies within other software, increasing the potential impact when a vulnerability or compromise is identified.

To manage this risk effectively, organisations must be able to rapidly identify which software packages—and which specific versions—are installed across their environments. This information should be accurately collected, maintained, and readily accessible.

Leaders should be able to ask their IT or cybersecurity teams which software versions are deployed on corporate devices and receive timely, reliable responses. This capability enables organisations to quickly assess threat intelligence related to compromised software, determine its relevance to their environment, and take prompt action to reduce risk.

To assist leaders, review advice on A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity.
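The capability described above, answering "which versions of package X are deployed, and where?" quickly, is what the following added example shows. It is not ACSC tooling and not an SBOM standard implementation: it builds an inventory of pinned package versions from dependency lockfiles (npm package-lock.json, lockfileVersion 2 or 3, and pinned requirements.txt files) and cross-references it with a list of compromised versions. The lockfile contents, package names and the advisory list are all constructed for the example; none refer to real packages.

```python
"""Build an inventory of installed package versions from dependency lockfiles
and cross-reference it with a list of compromised versions. Constructed
example: the lockfiles, package names and the advisory are all made up."""
import json
import re


def parse_package_lock(text: str) -> dict[str, set[str]]:
    """name -> versions from an npm package-lock.json (lockfileVersion 2 or 3)."""
    lock = json.loads(text)
    found: dict[str, set[str]] = {}
    for key, meta in lock.get("packages", {}).items():
        if "node_modules/" not in key:  # the "" entry is the root project itself
            continue
        # Last segment after node_modules/ keeps @scope/name and handles nested installs.
        name = key.rsplit("node_modules/", 1)[1]
        version = meta.get("version")
        if version:
            found.setdefault(name, set()).add(version)
    return found


# name, optional [extras], ==version; trailing environment markers and comments ignored.
_PINNED = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")


def normalise_pypi_name(name: str) -> str:
    """PEP 503 normalisation so Example_SDK, example.sdk and example-sdk compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> dict[str, set[str]]:
    """name -> versions from a requirements.txt; only exact pins (==) count as inventory."""
    found: dict[str, set[str]] = {}
    for line in text.splitlines():
        m = _PINNED.match(line)
        if m:
            found.setdefault(normalise_pypi_name(m.group(1)), set()).add(m.group(2))
    return found


# (ecosystem, name) -> version -> paths of the manifests that pin it
Inventory = dict[tuple[str, str], dict[str, set[str]]]


def build_inventory(files: dict[str, str]) -> Inventory:
    """Merge every manifest in the estate into one queryable inventory."""
    inventory: Inventory = {}
    for path, content in files.items():
        if path.endswith("package-lock.json"):
            eco, parsed = "npm", parse_package_lock(content)
        elif path.endswith("requirements.txt"):
            eco, parsed = "pypi", parse_requirements(content)
        else:
            continue
        for name, versions in parsed.items():
            for v in versions:
                inventory.setdefault((eco, name), {}).setdefault(v, set()).add(path)
    return inventory


def affected(inventory: Inventory, advisory: dict[tuple[str, str], set[str]]):
    """Return (ecosystem, name, version, paths) for every deployed version the advisory lists."""
    hits = []
    for (eco, name), bad in advisory.items():
        key = (eco, normalise_pypi_name(name) if eco == "pypi" else name)
        for version, paths in sorted(inventory.get(key, {}).items()):
            if version in bad:
                hits.append((eco, name, version, sorted(paths)))
    return hits


# Constructed manifests from three hypothetical projects.
SAMPLE_FILES = {
    "apps/portal/package-lock.json": """{
  "name": "portal", "version": "1.0.0", "lockfileVersion": 3,
  "packages": {
    "": {"name": "portal", "version": "1.0.0"},
    "node_modules/@example-corp/ui-kit": {"version": "2.3.1"},
    "node_modules/left-align": {"version": "4.0.2"},
    "node_modules/left-align/node_modules/tiny-colour": {"version": "1.2.0"}
  }
}""",
    "services/api/requirements.txt": (
        "requests==2.32.3\n"
        "Example_SDK[async]==1.4.0 ; python_version >= '3.9'\n"
        "# comments and unpinned lines are ignored\n"
        "pyyaml>=6\n"
    ),
    "services/worker/requirements.txt": "example-sdk==1.3.9\n",
}

# Hypothetical intelligence: package versions reported as compromised.
ADVISORY = {
    ("npm", "@example-corp/ui-kit"): {"2.3.1"},
    ("npm", "tiny-colour"): {"1.2.0", "1.2.1"},
    ("pypi", "example-sdk"): {"1.4.0", "1.4.1"},
}

if __name__ == "__main__":
    for eco, name, version, paths in affected(build_inventory(SAMPLE_FILES), ADVISORY):
        print(f"{eco} {name}=={version} pinned in {', '.join(paths)}")
```

Two details matter in practice: transitive dependencies (tiny-colour is nested under left-align and is still counted), and name normalisation on PyPI, where the same package can be spelled with hyphens, underscores or dots. The inventory records which manifest pins each version, which is the "where" a leader will ask for next.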

Where to get help

Organisations that have been impacted, suspect impact or require advice and assistance can contact us via 1300 CYBER1 (1300 292 371).
