ACSC warns of ongoing targeting of online code repositories
The Australian Cyber Security Centre (ACSC) has released a high priority alert regarding the ongoing targeting of online code repositories.
The ACSC says the alert is relevant to all Australians and Australian organisations, including organisation leaders, that maintain online code repositories, publish public software packages, or use third party packages or software sourced from online repositories.
Threat actors have been observed gaining access to online code repositories through:
- phishing/vishing
- social engineering
- compromised credentials
- compromised authentication tokens
- infected software packages.
The following activities have been noted as being performed by threat actors after gaining access to privileged systems and accounts:
- Modifying public packages to initiate supply-chain compromises.
- Running open-source tools to scan for cryptographic secrets, passwords and sensitive keys stored in online code repositories.
- Extracting and leaking identified credentials publicly.
- Migrating private repositories to public repositories.
Threat actors have also been observed abusing legitimate tooling and functions to achieve these results, rather than bespoke tooling.
Exposed code bases give actors a better understanding of an organisation’s internal processes and systems, increasing its attack surface and enabling future, novel attacks.
Mitigation advice
The ACSC advises organisations to:
- Investigate affected systems: Review logs for recent package installations, suspicious processes, and unexpected modifications in developer repositories. Analyse any system that hosted a compromised package for malicious activity.
- Validate packages: Validate that only trusted, verified packages are in use; check packages for signs of compromise before installation and updating.
- User awareness: Inform users on the dangers of unverified and under-verified software packages.
- Monitor for secret scanning: Use code repositories’ native security functions to detect malicious secret scanning.
- Rotate potentially exposed secrets: Rotate any secrets found in code repositories accessible from compromised systems.
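The secret scanning and rotation advice above is easiest to act on if you run the same kind of scanner an intruder would, before they do. The following is an added example (not ACSC tooling or code from the alert): a small scanner that walks a checkout, flags well-known credential formats by pattern and opaque tokens by Shannon entropy, and reports what needs rotating. The detector patterns, the 4.0 bits/character entropy threshold and the sample repository files are all constructed for illustration; the AWS key values are the placeholder keys from AWS documentation, not live credentials.

```python
"""Added example: a minimal secret scanner of the kind attackers run against
exposed repositories, so defenders can run it first and rotate what it finds.
Illustrative subset of patterns and a constructed sample repo; not ACSC code."""
import math
import re
import tempfile
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

# Named detectors for common credential formats (assumption: illustrative subset).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"
    ),
}
# Opaque-token heuristic: long base64/hex-like runs with high entropy.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; tuned for this example only


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    snippet: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated symbol)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, path: str) -> list[Finding]:
    """Run pattern detectors, then the entropy heuristic on tokens they missed."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        covered: list[str] = []
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(path, lineno, kind, m.group(0)))
                covered.append(m.group(0))
        for m in CANDIDATE.finditer(line):
            tok = m.group(0)
            if any(tok in c for c in covered):
                continue  # already reported by a named detector
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, lineno, "high_entropy", tok))
    return findings


def scan_tree(root: Path) -> list[Finding]:
    """Scan every text file under root, skipping .git metadata and binaries."""
    findings: list[Finding] = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or ".git" in p.parts:
            continue
        try:
            text = p.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue
        findings.extend(scan_text(text, p.relative_to(root).as_posix()))
    return findings


def redact(s: str) -> str:
    """Never echo a full secret into logs or tickets."""
    return s[:6] + "..." if len(s) > 8 else s


# Constructed sample repository (placeholder AWS doc keys, fake OpenSSH key header).
SAMPLE_REPO = {
    "config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        "DEBUG = True\n"
    ),
    "settings.yaml": 'database:\n  password: "hunter2hunter2hunter2"\n  host: db.internal\n',
    "deploy/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZWQyNTUxOQ\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "README.md": "# Internal service\nRun make deploy to ship.\n",
}


def run_demo() -> list[Finding]:
    """Materialise the constructed repo in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_REPO.items():
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(content, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.path}:{f.line} {f.kind} {redact(f.snippet)}")
```

Every hit is a rotation candidate, not just a deletion candidate: removing a secret from the working tree leaves it in git history and in any fork or mirror, so run the same scan over `git log -p` output (or use the repository host's native secret scanning) and treat anything ever committed as exposed.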
Organisations should also review advice on mitigating cyber supply chain risk, managing cryptographic keys and secrets, and identifying and mitigating living-off-the-land techniques, to understand how threat actors use legitimate tooling to undertake attacks.
The compromise of trusted software packages presents a significant and ongoing risk for organisations. These packages are often widely used and embedded as dependencies within other software, increasing the potential impact when vulnerabilities are identified.
To manage this risk effectively, organisations must be able to rapidly identify which software packages — and which specific versions — are installed across their environments. This information should be accurately collected, maintained, and readily accessible.
Leaders should be able to ask their IT or cybersecurity teams which software versions are deployed on corporate devices and receive timely, reliable responses. This capability enables organisations to quickly assess threat intelligence related to compromised software, determine its relevance to their environment, and take prompt action to reduce risk.
To assist leaders, advice is available in the ACSC document: ‘A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity’.
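The capability described above, knowing within minutes whether a compromised package version is present anywhere in the estate, comes down to matching an inventory against an advisory. The following is an added example, not code from the ACSC or the SBOM guidance: it reads a constructed CycloneDX-style SBOM, walks nested components (the "embedded as dependencies" case), parses each component's package URL (purl) and checks it against a constructed advisory listing specific compromised versions. The advisory identifier and package names are hypothetical placeholders; version matching is exact, because a tampered package is a specific published version rather than a range.

```python
"""Added example: match an SBOM against a list of compromised package versions.
SBOM, advisory, package names and identifiers below are constructed placeholders."""
import json
from dataclasses import dataclass
from typing import Iterator
from urllib.parse import unquote


@dataclass(frozen=True)
class Match:
    ecosystem: str
    name: str
    version: str
    advisory: str


def parse_purl(purl: str) -> tuple[str, str, str]:
    """Split a package URL into (type, name, version).

    Handles the namespace encoding used by purl (e.g. %40acme/utils -> @acme/utils)
    and strips qualifiers (?...) and subpaths (#...). Minimal parser, not a full
    purl implementation."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]
    ptype, _, rest = body.partition("/")
    name_part, sep, version = rest.rpartition("@")
    if not sep:  # no version component
        name_part, version = rest, ""
    return ptype, unquote(name_part), version


def normalise(name: str) -> str:
    """Case- and separator-insensitive name key (PyPI-style normalisation)."""
    return name.lower().replace("_", "-")


def iter_components(node: dict) -> Iterator[dict]:
    """Yield every component, recursing into nested dependency trees."""
    for comp in node.get("components", []):
        yield comp
        yield from iter_components(comp)


def find_compromised(sbom: dict, advisories: list[dict]) -> list[Match]:
    """Return each installed component whose exact version an advisory lists."""
    index = {(a["ecosystem"], normalise(a["name"])): a for a in advisories}
    hits: list[Match] = []
    for comp in iter_components(sbom):
        purl = comp.get("purl")
        if not purl:
            continue  # no machine-readable identity; flag for manual review in practice
        eco, name, version = parse_purl(purl)
        adv = index.get((eco, normalise(name)))
        if adv and version in adv["compromised_versions"]:
            hits.append(Match(eco, name, version, adv["id"]))
    return hits


# Constructed CycloneDX-style SBOM: one direct npm dependency, one PyPI package
# that itself pulls in a nested (transitive) component.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "@acme/utils", "version": "1.4.2",
     "purl": "pkg:npm/%40acme/utils@1.4.2"},
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0",
     "components": [
       {"type": "library", "name": "Example_Widgets", "version": "3.0.1",
        "purl": "pkg:pypi/Example_Widgets@3.0.1"}
     ]},
    {"type": "library", "name": "leftover", "version": "0.9.0",
     "purl": "pkg:npm/leftover@0.9.0"}
  ]
}
""")

# Constructed advisory feed with hypothetical identifiers and package names.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "ecosystem": "npm", "name": "@acme/utils",
     "compromised_versions": ["1.4.2", "1.4.3"]},
    {"id": "ADV-EXAMPLE-002", "ecosystem": "pypi", "name": "example-widgets",
     "compromised_versions": ["3.0.1"]},
    {"id": "ADV-EXAMPLE-003", "ecosystem": "npm", "name": "leftover",
     "compromised_versions": ["1.0.0"]},
]


def run_demo() -> list[Match]:
    return find_compromised(SAMPLE_SBOM, SAMPLE_ADVISORIES)


if __name__ == "__main__":
    for m in run_demo():
        print(f"{m.ecosystem}:{m.name}@{m.version} listed in {m.advisory}")
```

The nested `Example_Widgets` hit is the case that a flat "pip list" on one host misses: the compromised version arrives as a transitive dependency under a different casing than the advisory uses. The SBOM has to be generated from what is actually deployed (built artifacts or running systems), not from a top-level manifest, or the answer a leader gets back will be confidently wrong.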
