IBM makes open source toolkit available to fight software supply chain attacks
The power of software supply chain attacks was amply demonstrated by SolarWinds, but two years on some organizations are still vulnerable through their use of source code management (SCM) systems.
IBM's X-Force Red ethical hacking team has, in most cases, successfully gained access to SCM systems during adversary simulation engagements.
Accessing SCM systems gives attackers opportunities for software supply chain attacks and can facilitate lateral movement and privilege escalation throughout an organization.
To raise awareness of the abuse of SCM systems, and to encourage the detection of attack techniques against them, X-Force Red is making an open source toolkit available.
SCMKit will be shown at Black Hat USA 2022 Arsenal. It lets the user specify the SCM system and attack module to use, along with valid credentials (username/password or API key) for the respective SCM system. SCMKit has multiple modules for reconnaissance of repositories, files, code, and other resources specific to various SCM systems, such as GitLab Runners. The kit also allows security teams to explore things like escalation of privileges and the use of SSH keys to gain persistence.
"The attack modules supported include reconnaissance, privilege escalation and persistence," writes Brett Hawkins of IBM X-Force Red on the company's blog. "Other functionality that are available in the non-public version of SCMKit were not included in consideration for defenders, such as user impersonation and built-in credential searching. SCMKit was built in a modular approach, so that new modules and SCM systems can be added in the future by the information security community."