Chapter 29 Β· Flashcards

Malicious Updates Flashcards

Click each card to reveal the answer.

0 / 8 flipped
What is a malicious update?
A software package that appears to originate from a legitimate vendor and is delivered through normal update mechanisms, but contains attacker-inserted code. The recipient installs it willingly, believing it is a routine improvement or patch. Malicious updates bypass perimeter defenses and endpoint detection by arriving through the trusted update channel β€” signed and packaged as a legitimate vendor product.
What is a supply chain attack?
An attack that targets a vendor, supplier, or third party in the software or hardware delivery chain rather than attacking the end target directly. By compromising a component upstream β€” a build system, firmware, or widely-used library β€” the attacker reaches all downstream recipients simultaneously. One upstream compromise can affect thousands of organizations, all of whom installed the component trusting the vendor.
At what stages of the software update pipeline can an attacker insert malicious code?
Any stage: (1) Source code repository β€” malicious commit before compilation. (2) Build system β€” code injection during compilation, after source review, before binary assembly. (3) Package signing β€” if signing keys are compromised, malicious packages receive valid signatures. (4) Distribution server β€” package replacement after signing. (5) Update download channel β€” man-in-the-middle substitution on unencrypted channels. Each stage is an independent attack surface.
What does code signing prove, and what can it NOT prove?
Code signing proves: the package was signed by the entity holding the signing private key (authenticity), and the package has not been modified since signing (integrity). It CANNOT prove the package was free of malicious code when signed. If an attacker compromised the build system before signing, the malicious code is compiled and signed alongside legitimate code β€” producing a validly signed, compromised package.
What is dependency confusion, and how does it work?
An attack exploiting package manager resolution logic. The attacker discovers a private internal package name, then publishes a malicious package with the same name to a public registry at a higher version number. When the package manager resolves dependencies, it finds both the private (lower version) and public malicious (higher version) packages, and automatically installs the higher version. No user interaction required β€” the package manager does exactly what it was designed to do.
What is an SBOM, and why does it matter for supply chain security?
Software Bill of Materials β€” a structured, machine-readable inventory of every component, library, and dependency in a software product, including versions and origins. When a supply chain compromise is disclosed, organizations with SBOMs can immediately determine whether the compromised component is present in their environment. Without an SBOM, identifying exposure requires manually inspecting every application β€” a process that can take weeks.
What is a dormancy period in a malicious update, and why do attackers use it?
A deliberate delay between installation and activation of the malicious payload. The SolarWinds SUNBURST backdoor lay dormant for up to two weeks after installation before activating. Purpose: sandbox analysis tools typically run samples for only a few minutes β€” a dormant payload shows no suspicious behaviour and is cleared as safe. Dormancy also separates the installation event from malicious activity in time, making forensic attribution harder.
What defenses protect against malicious updates, and what are their limitations?
(1) Code signing β€” verifies post-signing authenticity and integrity; cannot detect pre-signing compromise. (2) Hash verification β€” detects distribution server compromise and in-transit substitution; cannot detect malicious code present before hashing. (3) SBOM β€” enables rapid identification of affected systems after disclosure; reactive, not preventive. (4) Behavioral monitoring β€” detects malicious payload activity post-installation; the only control that can catch build pipeline compromises. No single defense is sufficient β€” defense in depth is required.