
TH20106

Detected indicators of tampering that resemble the XZ Utils software compromise.

priority: (not captured)
CI/CD status: fail
severity: high
effort: high
RL level: 1
RL assessment: tampering: fail
Reason: indicators of tampering found

About the issue

Publicly disclosed software supply chain compromises can be modeled through their unique set of indicators of tampering. These indicators form a heuristic signature that is evaluated during differential analysis to check that no similar supply chain attack has affected the software package. By inspecting how behaviors change across subsequent versions, a match was made with the indicators of tampering that resemble the XZ Utils software compromise. Malicious actors are known to reuse attack patterns that were successful in the past, and some deliberately emulate other attackers to misdirect incident responders, so a positive tampering match alone is not sufficient for attack attribution. It is highly likely that the software package was tampered with by a malicious actor or a rogue insider.
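As an added illustration (not ReversingLabs' code, and not its real indicator set), the sketch below shows how a heuristic signature can be scored against the behaviour delta between two package versions, so that only behaviours introduced in the new version count toward a match. The behaviour labels, weights, threshold and the "tampering: pass" value are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed behaviour labels (hypothetical; not ReversingLabs' indicator set).
# A label names one behaviour observed in a package version.
Signature = dict[str, int]  # indicator label -> weight

# Hypothetical signature loosely modelled on publicly described traits of the
# XZ Utils compromise: build script diverging from the VCS copy, opaque binary
# test fixtures, an ifunc resolver, and hooking of dynamic-loader symbols.
XZ_LIKE_SIGNATURE: Signature = {
    "build-script-differs-from-vcs": 3,
    "binary-test-fixtures-present": 2,
    "uses-ifunc-resolver": 2,
    "hooks-dynamic-loader-symbols": 3,
}
MATCH_THRESHOLD = 5  # assumption: minimum summed weight to report a match


@dataclass
class Assessment:
    ci_cd_status: str
    severity: str
    rl_assessment: str
    matched: list[str] = field(default_factory=list)


def new_behaviours(previous: set[str], current: set[str]) -> set[str]:
    """Differential analysis: behaviours present only in the newer version."""
    return current - previous


def evaluate(previous: set[str], current: set[str],
             signature: Signature = XZ_LIKE_SIGNATURE) -> Assessment:
    """Score the behaviour delta against the heuristic signature.

    Because only newly introduced behaviours are scored, a library that has
    always used an ifunc resolver is not flagged for that alone."""
    delta = new_behaviours(previous, current)
    matched = sorted(label for label in signature if label in delta)
    score = sum(signature[label] for label in matched)
    if score >= MATCH_THRESHOLD:
        return Assessment("fail", "high", "tampering: fail", matched)
    return Assessment("pass", "none", "tampering: pass", matched)  # assumed pass value


if __name__ == "__main__":
    # Constructed sample: version N+1 gains three signature behaviours at once.
    prev = {"links-liblzma", "uses-autoconf"}
    cur = prev | {"build-script-differs-from-vcs", "binary-test-fixtures-present",
                  "uses-ifunc-resolver"}
    print(evaluate(prev, cur))
```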

How to resolve the issue

  • Investigate the reported detections.
  • Consult the MITRE ATT&CK documentation for T1195.001 - Compromise Software Dependencies and Development Tools.
  • Investigate your build and release environment for signs of software supply chain compromise.
  • Consider hiring an external incident response team to assist with finding the root cause of the compromise.
  • Delay the software release until the investigation is completed and the detection is verified.