Chapter 29 Β· Quiz

Malicious Updates Quiz

Test your knowledge. Select answers, then grade all at once.

πŸ“‹ Instructions: Answer all questions, then click Grade Quiz to see your results.
1. What makes a malicious update particularly dangerous compared to other attack methods?
Correct answer: C. Malicious updates exploit the most trusted channel in IT operations. Perimeter firewalls allow update traffic. Endpoint tools treat vendor-signed packages as trusted. The delivery mechanism is the defense bypass.
2. A company downloads a software update, verifies the vendor's digital signature, confirms it is valid, and installs the update. Two months later they discover the update contained a backdoor. How is this possible despite successful signature verification?
Correct answer: B. Code signing verifies that the package was signed by the vendor and not modified after signing. It cannot verify that the package was clean before signing. A build system compromise inserts malicious code upstream of the signing step β€” producing a package that is both compromised and validly signed.
3. An attacker discovers that a target company uses an internal package named "data-pipeline-core" at version 1.2.3. The attacker publishes a package with the same name to a public package registry at version 5.0.0. What attack is this, and what is the expected outcome?
Correct answer: D. Dependency confusion exploits version-preference logic in package managers. When both a private internal package and a public package share the same name, the package manager prefers the highest version number β€” regardless of which registry it comes from. The attacker's v5.0.0 beats the internal v1.2.3.
4. Which defense would have been MOST effective at detecting the SolarWinds SUNBURST compromise, given that the malicious update was validly signed and showed no suspicious behaviour for two weeks after installation?
Correct answer: A. SUNBURST had a valid signature (defeats hash and signature checks), lay dormant for two weeks (defeats sandbox and AV scanning), and was delivered through official infrastructure (defeats network perimeter checks). Only behavioral monitoring β€” watching for unexpected network connections from the monitoring platform after installation β€” ultimately identified the compromise.
5. An organization uses hash verification to validate all software updates before installation. An attacker successfully delivers a malicious update that passes hash verification. At which stage of the pipeline was the malicious code most likely inserted?
Correct answer: C. Hash verification detects modifications that occur after the vendor computes and publishes the reference hash. If the malicious code was inserted in the build pipeline β€” before compilation, signing, and hashing β€” the resulting package will be hashed as-is, including the malicious code. The published hash will match the malicious package, and verification will pass.
6. Matching: Match each supply chain term to its description.

TERM

Supply Chain Attack
Dependency Confusion
Dormancy Period
SBOM

DESCRIPTION

Structured inventory of every component and dependency in a software product β€” enables rapid identification of affected systems when a compromise is disclosed
Attacking a vendor or supplier upstream to compromise all downstream recipients simultaneously
A deliberate delay between payload installation and activation, designed to evade sandbox analysis tools that run for only a few minutes
Publishing a malicious package to a public registry under the same name as a private internal package with a higher version number
7. Analysis: An IT manager says: "We verify the vendor's digital signature on every update we install. This means we are protected against malicious updates." Evaluate this claim. Under what circumstances does code signing protect against malicious updates, and under what circumstances does it not?
Partially correct β€” but the claim overstates the protection. Code signing protects against: (1) in-transit tampering β€” if an attacker substitutes a package during download, the signature will be invalid and the package rejected; (2) distribution server compromise β€” if a package is replaced on the server after signing, the signature will be invalid. Code signing does NOT protect against: (1) build system compromise β€” if the attacker inserts malicious code before signing, the code is compiled and signed alongside legitimate code; the signature is valid and verification passes (SolarWinds SUNBURST); (2) signing key compromise β€” if the vendor's private key is stolen, the attacker can sign any package. The correct conclusion: code signing is necessary but not sufficient. Combine it with behavioral monitoring, SBOM, and vendor security assessments.
8. Evaluation: A development team argues that their project is not vulnerable to dependency confusion because "we use a private registry for all our packages." Evaluate this claim. Is a private registry alone sufficient protection against dependency confusion?
Not necessarily sufficient β€” it depends on package manager configuration. Using a private registry is the right approach, but many package manager defaults check both public and private registries simultaneously and prefer the highest version number regardless of source. In this configuration, an attacker who publishes a package with the same name at a higher version number still wins the resolution, even if a private registry exists.

True protection requires: (1) scope internal package names exclusively to the private registry so they are never resolved from public sources; (2) use namespace prefixes (e.g. @company/package-name) that cannot be claimed on public registries; (3) pre-register internal package names on public registries with benign placeholder packages. A private registry that is not exclusively scoped is a partial defense β€” useful, but not sufficient on its own.