
Compromised supply chain within a supply chain poses new risks - ccnafr
https://cloudblogs.microsoft.com/microsoftsecure/2018/07/26/attack-inception-compromised-supply-chain-within-a-supply-chain-poses-new-risks/
======
sologoub
In compiled/installed software, the concept of “supply chain risk” is at least
a thing that companies are aware of. However, when it comes to web software, I
have not heard many companies really conceptualize their “supply chain”
exposure from the myriad of scripts/dependencies injected via tag managers and
other software.

And it’s not just tag managers (GTM/DTM, etc) - React create app command
builds a boilerplate with hundreds of packages as dependency.

Has anyone employed any kind of automated scanning to try and catch known
malicious code in these?

On the tag manager front, I’m afraid the very premise of letting non-technical
people manage code is what makes these a built-in vulnerability. Educating
those in control as to risks seems to be the only option, in addition to
normal malware scanning you have to do if you run ads.

~~~
scarface74
The article also stated that the malware being a part of an installation
utility gave it basically the Windows equivalent of root access. Why does any
normal app need root access?

~~~
jfim
The installer needs administrative privileges, the same way that make install
needs root to write into /usr/bin.

------
jacques_chester
Supply chain attacks are one of my personal nightmares.

However, on the bright side, cryptominers are continuing to perform a public
service by providing non-destructive whole-lifecycle penetration testing on a
contingent-fee basis.

~~~
walterbell
Which components/stack/supply chain is used by most crypto-miners?

~~~
mkirklions
I like bitcoin, but the GIGO makes these supply blockchains useless. The
enormous costs (slow and expensive) of blockchain make me think blockchain
shouldn't be used for dApps or logistics.

------
mey
Another supply chain I worry about is package management. Maven, NPM, NuGet,
etc.

------
amelius
> The app vendor’s systems were unaffected.

The vendor doesn't test their software in its entirety?

~~~
steve19
The packages served to the vendor could be legit, but packages served to
everyone else are compromised. The vendor would never know there was a problem.

~~~
windows_tips
One could use hash signatures to detect a problem.

~~~
_Adam
The hash comes from the source of the package, and in this attack that source
was compromised. The malicious code was signed.
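
A worked illustration of the point made in the last few replies, added here as an example that is not from the thread or the article. It models a download source that serves the vendor a clean build and everyone else a tampered one, each with a matching published hash, and goes one step beyond the thread by showing the check that does catch it: comparing against a hash recorded out of band when the build was vetted. The requester names, sample bytes and the selective-serving rule are constructed.

```python
import hashlib

# Constructed sample artifacts: the vetted build and a tampered build.
GOOD_INSTALLER = b"PDF-reader-setup v1.0 (constructed clean sample)"
TAMPERED_INSTALLER = GOOD_INSTALLER + b"\n;; constructed marker for injected code"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compromised_source(requester: str) -> tuple[bytes, str]:
    """Model of a download source that serves different bytes per requester.

    The vendor gets the clean build, everyone else gets the tampered one, and in
    both cases the hash published next to the download matches what was served,
    so the download looks self-consistent (the situation the thread describes).
    """
    payload = GOOD_INSTALLER if requester == "vendor" else TAMPERED_INSTALLER
    return payload, sha256_hex(payload)


def verify_against_source(payload: bytes, advertised: str) -> bool:
    """Check the download against the hash the same source advertises."""
    return sha256_hex(payload) == advertised


def verify_against_pin(payload: bytes, pinned: str) -> bool:
    """Check the download against a hash recorded out of band at vetting time."""
    return sha256_hex(payload) == pinned


# The pin is taken from the copy that was vetted and is stored outside the
# download source (a lockfile or internal inventory), never fetched at install time.
PINNED_SHA256 = sha256_hex(GOOD_INSTALLER)


def check(requester: str) -> dict:
    """Run both checks for one requester and report which of them pass."""
    payload, advertised = compromised_source(requester)
    return {
        "source_hash_matches": verify_against_source(payload, advertised),
        "pinned_hash_matches": verify_against_pin(payload, PINNED_SHA256),
    }


if __name__ == "__main__":
    for who in ("vendor", "customer"):
        print(who, check(who))
```

The source-advertised hash passes for both requesters, so it detects nothing; only the out-of-band pin fails for the customer's tampered download.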

------
yCloser
adobe?

~~~
scarface74
The article said it was “alternate” PDF reader.

