The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has issued a “High Alert: Act Quickly” advisory regarding the malicious targeting of online code repositories.
“This updated alert is relevant to all Australians and Australian organisations, including organisation leaders, that maintain online code repositories, publish public software packages, or use third-party packages or software sourced from online repositories,” the ACSC said in its 1 April advisory.
As has been previously reported – this is the second such advisory circulated by the ACSC in five months – hackers have been gaining access to popular code repositories via phishing campaigns, compromised credentials and authentication tokens, and previously infected software packages.
Once access is gained, threat actors have been observed modifying packages to achieve supply-chain compromise; scanning for cryptographic secrets, passwords and sensitive keys; extracting credentials to enable further compromise; and switching private repositories to public.
“Threat actors have been observed abusing legitimate tooling and functions to achieve these results, rather than bespoke tooling,” the ACSC said.
“The risk of exposed code bases can allow actors a better understanding of internal processes and systems, increasing an organisation’s attack surface and enabling future, novel attacks.”
The ACSC recommends that organisations review their logs for recent package installations, validate their packages, educate their users regarding the potential for compromise, and monitor for secret scanning of code repositories.
What network defenders need to know
“The compromise of trusted software packages presents a significant and ongoing risk for organisations. These packages are often widely used and embedded as dependencies within other software, increasing the potential impact when vulnerabilities are identified,” the ACSC said.
“To manage this risk effectively, organisations must be able to rapidly identify which software packages – and which specific versions – are installed across their environments. This information should be accurately collected, maintained, and readily accessible.
“Leaders should be able to ask their IT or cyber security teams which software versions are deployed on corporate devices and receive timely, reliable responses. This capability enables organisations to quickly assess threat intelligence related to compromised software, determine its relevance to their environment, and take prompt action to reduce risk.”
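The capability the ACSC describes above, a reliable answer to "which packages and versions are deployed, and does this advisory affect us?", comes down to an inventory that can be matched against threat intelligence. The following added example (not code from the ACSC advisory or from the article) shows one way to do that offline: it parses a pinned Python requirements file and an npm lockfile excerpt into a package inventory, then checks each entry against an advisory feed that lists affected version ranges. All package names, versions and advisory identifiers below are constructed sample data, and the advisory feed format is a hypothetical one chosen for the example.

```python
"""Match a software inventory against advisory version ranges (added example)."""
import json
import re

# Constructed sample inventory, in pinned pip "requirements.txt" form.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
left_pad_tools==1.4.2   # underscore on purpose: PyPI treats it as left-pad-tools
colour-utils==3.0.1
"""

# Constructed npm lockfile excerpt (lockfileVersion 2/3 "packages" map).
SAMPLE_PACKAGE_LOCK = json.dumps({
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/left-pad-tools": {"version": "1.4.2"},
        "node_modules/colour-utils": {"version": "2.9.0"},
    }
})

# Constructed advisory feed: package plus the affected range [introduced, fixed).
# The feed layout and the ADV-EXAMPLE ids are hypothetical.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "ecosystem": "pypi", "package": "left-pad-tools",
     "introduced": "1.4.0", "fixed": "1.4.3"},
    {"id": "ADV-EXAMPLE-2", "ecosystem": "npm", "package": "colour-utils",
     "introduced": "2.9.0", "fixed": "2.9.1"},
]

_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)")


def normalise_name(name):
    """Case-insensitive comparison; '_' and '-' are equivalent on PyPI."""
    return name.strip().lower().replace("_", "-")


def parse_requirements(text):
    """Return [(name, version)] for every pinned line in a requirements file."""
    inventory = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        match = _REQ_LINE.match(line)
        if match:
            inventory.append((normalise_name(match.group(1)), match.group(2)))
    return inventory


def parse_package_lock(text):
    """Return [(name, version)] for every installed entry in a package-lock.json."""
    data = json.loads(text)
    inventory = []
    for path, meta in data.get("packages", {}).items():
        if not path.startswith("node_modules/"):
            continue                           # skip the root project entry
        name = path.rsplit("node_modules/", 1)[1]   # keeps scoped names intact
        if "version" in meta:
            inventory.append((name, meta["version"]))
    return inventory


def version_key(version):
    """Numeric-prefix tuple padded to three parts so 1.4 == 1.4.0 for ordering."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (no 'fixed' means still open)."""
    v = version_key(version)
    if v < version_key(introduced):
        return False
    return fixed is None or v < version_key(fixed)


def match_inventory(inventory, ecosystem, advisories):
    """Return one hit per (package, advisory) pair whose range covers the installed version."""
    hits = []
    for name, version in inventory:
        for adv in advisories:
            if adv["ecosystem"] != ecosystem:
                continue
            if normalise_name(adv["package"]) != normalise_name(name):
                continue
            if is_affected(version, adv["introduced"], adv.get("fixed")):
                hits.append({"package": name, "version": version, "advisory": adv["id"]})
    return hits


def report():
    """Run both constructed inventories against the constructed advisory feed."""
    py_hits = match_inventory(parse_requirements(SAMPLE_REQUIREMENTS), "pypi", SAMPLE_ADVISORIES)
    npm_hits = match_inventory(parse_package_lock(SAMPLE_PACKAGE_LOCK), "npm", SAMPLE_ADVISORIES)
    return py_hits + npm_hits


if __name__ == "__main__":
    for hit in report():
        print(f"{hit['package']}=={hit['version']} matches {hit['advisory']}")
```

Two details matter in practice. Matching is per ecosystem, because the same package name on PyPI and npm is unrelated, so `colour-utils` 3.0.1 from PyPI is not flagged by the npm advisory. And the range check is half-open (`fixed` excluded), which is how most advisory feeds express "fixed in", so an inventory already on the patched version produces no hit.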
Dennis Baltazar, principal cloud and DevSecOps solutions at Avocado Consulting, said this second warning from the ACSC is a “clear signal that the threat has not abated – and that many organisations have yet to act”.
“Code repositories are under active attack. What’s significant here is not just attacker capability but attacker tradecraft,” Baltazar said.
“This wave of repository targeting blends social engineering with living-off-the-land (LOTL) techniques – abusing legitimate tools and workflows so malicious activity looks like business as usual. Attackers don’t need bespoke malware when pipelines are already paved for them.
“Good security teams rotate secrets; great teams eradicate them from code, instrument their pipelines, and catch abuse in runtime before it becomes an incident.”
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.