TH20101
Detected indicators of tampering that resemble the SolarWinds Orion software compromise.
| priority | CI/CD status | severity | effort | SAFE level | SAFE assessment |
|---|---|---|---|---|---|
| fail | high | high | 1 | tampering: fail | Reason: indicators of tampering found |
About the issue
Publicly disclosed software supply chain compromises can be modeled through their unique set of indicators of tampering. These indicators form a heuristic signature that is evaluated during differential analysis, checking that no similar supply chain attack has affected a software package. Through inspection of changes in behaviors across subsequent versions, a match was made with the indicators of tampering that resemble the SolarWinds Orion software compromise. Malicious actors are known to reuse attack patterns that were successful in the past. Some malicious actors are also known to emulate other attackers with the intent to misdirect incident responders. Therefore, a positive tampering match is not sufficient for attack attribution. It is highly likely that the software package was tampered with by a malicious actor or a rogue insider.
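The matching described above, as an added illustration that is not Spectra Assure's own code: behaviors of two consecutive versions are diffed, and the policy fails only when every indicator of a signature appears among the behaviors introduced by the new version. All indicator tags, the signature, and the version behavior sets below are constructed placeholders, not the real SolarWinds indicators or the product's vocabulary; treating "changes in behaviors" as behaviors newly introduced is an assumption.

```python
from dataclasses import dataclass

# Indicator tags and the signature are constructed placeholders for illustration.


@dataclass(frozen=True)
class TamperingSignature:
    name: str
    indicators: frozenset  # all must appear as behaviours NEW in the current version


def new_behaviours(previous: set, current: set) -> set:
    """Differential analysis: behaviours introduced since the previous version."""
    return set(current) - set(previous)


def evaluate(previous: set, current: set, signatures: list) -> dict:
    """Return a policy verdict shaped like the SAFE level / assessment cells above."""
    delta = new_behaviours(previous, current)
    # A signature matches only when its full indicator set is among the new behaviours;
    # a partial overlap is not reported, to avoid failing builds on ordinary changes.
    matched = [s.name for s in signatures if s.indicators <= delta]
    if matched:
        return {"tampering": "fail",
                "reason": "indicators of tampering found",
                "matched_signatures": matched,
                "new_behaviours": sorted(delta)}
    return {"tampering": "pass",
            "reason": "no tampering signature matched",
            "matched_signatures": [],
            "new_behaviours": sorted(delta)}


# Constructed signature; indicator names are placeholders, not the real ones.
EXAMPLE_SIGNATURE = TamperingSignature(
    name="resembles-SolarWinds-Orion-compromise (placeholder)",
    indicators=frozenset({"delayed-execution", "security-product-enumeration",
                          "beacon-to-generated-domain"}),
)

# Constructed behaviour sets for two consecutive versions of one package.
VERSION_A = {"reads-config", "https-client", "valid-code-signature"}
VERSION_B = VERSION_A | {"delayed-execution", "security-product-enumeration",
                         "beacon-to-generated-domain"}


def demo() -> dict:
    return evaluate(VERSION_A, VERSION_B, [EXAMPLE_SIGNATURE])


if __name__ == "__main__":
    print(demo())
```

Because only newly introduced behaviors count, an indicator that was already present in the previous version does not contribute to the match, which is why the analysis is run over subsequent versions rather than a single release in isolation.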
How to resolve the issue
- Investigate reported detections.
- Consult the MITRE ATT&CK documentation: T1195.002 - Compromise Software Supply Chain.
- Investigate your build and release environment for software supply chain compromise.
- Consider hiring an external incident response team to assist with finding the root cause of the compromise.
- You should delay the software release until the investigation is completed, and the detection is verified.
Incidence statistics
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes. Analysis results are used to calculate incidence statistics for issues (policy violations) that Spectra Assure can detect in software packages.
This section is updated when new data becomes available.
Total number of packages analyzed
- RubyGems: 183K
- NuGet: 644K
- PyPI: 628K
- npm: 3.72M
Recommended reading
- The attack on SolarWinds: Next-level stealth was key (ReversingLabs blog)
- T1195.002 - Compromise Software Supply Chain (external resource: MITRE ATT&CK documentation)