Flaws In PowerShell Gallery May Cause Supply Chain Attacks

Significant flaws in the PowerShell Gallery’s policy make typosquatting attacks inevitable while also making it difficult for users to identify the true owner of a software package.

In a blog post Aug. 16, Aqua Security’s Nautilus researchers said these flaws pave the way for potential supply chain attacks on the PowerShell Gallery’s vast user base.

The Aqua Nautilus researchers warned that PowerShell Gallery modules are commonly used as part of the cloud deployment process, and they are especially popular around Amazon Web Services and Azure to interact with and manage cloud resources. The problem: researchers said the installation of a malicious module could be fatal to organizations.

These findings have let the Aqua Nautilus researchers create a proof of concept (POC) and mimic popular Microsoft PowerShell modules, which have been downloaded millions of times. The researchers said these modules have been downloaded by various organizations across a range of cloud services.

The Aqua Nautilus researchers said that despite reporting the flaws to the Microsoft Security Response Center on two separate occasions, the issues remain reproducible, which indicates that Microsoft has not implemented any tangible changes.

The Aqua Nautilus research pointed out another example of the increasing threat posed by the software supply chain to organizations, said Ken Westin, Field CISO at Panther Labs. Westin said attackers, particularly nation-state actors, are shifting their attacks left to target software packages and software suppliers upstream to inject or expose weaknesses.

“This shift makes sense as organizations continue to move to a remote workforce with increased cloud workloads and applications, adversaries are shifting their focus, as well — they can get more ROI by compromising software upstream,” said Westin. “Companies and government agencies need to increase their focus on risks posed by software supply chain threats and implement monitoring strategies in their cloud and DevOps processes, an area all too often left to a hands-off approach when it comes to security.”

John Bambenek, principal threat hunter at Netenrich, added that researchers have for years seen malicious libraries and modules in Python and Node. Bambenek said this new research from Aqua Nautilus now brings the use of malicious code into shared projects with PowerShell.

“Mitigation requires fanatical attention to detail in making sure developers are referencing packages precisely and getting exactly what they intend to do,” said Bambenek. “We do not yet have good tools to enumerate all third-party packages used across an organization, and short of having that, DevOps teams may need to have a measure of manual code reviews (at least for external packages) to ensure their relative safety.”
