
Trivy Vulnerability Scanner - Supply Chain Attack Exposed

Source: SecurityWeek
Tags: Trivy, Aqua Security, TeamPCP, supply chain attack, information stealer

In short: attackers compromised the release pipeline of a security tool and shipped a malicious version of it that steals information.

Quick Summary

Aqua Security's Trivy vulnerability scanner was compromised in a supply chain attack. Users need to check their systems for the malicious version and take action to protect their data. The ongoing threat highlights the risks associated with open-source software.

What Happened

In late February, Aqua Security's Trivy, an open-source vulnerability scanner, fell victim to a supply chain attack. The attack was first disclosed on March 1, when the maintainers revealed that the GitHub repository had been compromised through a GitHub Actions workflow issue. Malicious versions of the application were published, including compromised VS Code extensions on the Open VSX marketplace. This incident is part of a broader automated attack campaign targeting multiple open-source repositories.

The attackers managed to delete some legitimate releases and inject malicious code into the Trivy ecosystem. This included a malicious release of Trivy (version v0.69.4) that was distributed across various channels, including GitHub Container Registry and Docker Hub. The attack leveraged compromised credentials, allowing the threat actors to push malicious updates that would infect users' systems with an information stealer.

Who's Affected

The attack primarily affects users of the Trivy scanner, particularly those who downloaded the compromised version v0.69.4. Aqua Security confirmed that none of its commercial products using Trivy were affected, as they follow a controlled integration process. Users who executed the malicious version, however, need to act swiftly to mitigate potential damage. The maintainers have urged users to check for any installations of the compromised version and to look for suspicious repositories in their GitHub organizations.

What Data Was Exposed

The malicious version of Trivy was designed to extract sensitive information from the systems it ran on. Specifically, it targeted the memory of the Runner.Worker process (the GitHub Actions runner's worker) to dump secrets and credentials. The stolen data was then encrypted and sent to a remote server. If that exfiltration failed, the malware created a public GitHub repository and uploaded the data there. This means that any secrets or tokens used in CI/CD pipelines could be at risk, potentially leading to further compromises.

What You Should Do

Aqua Security recommends immediate action for users who may have used the compromised versions of Trivy, trivy-action, or setup-trivy. Users should:

  • Rotate all credentials, tokens, and secrets used in their environments.
  • Remove any affected artifacts from their systems, especially if they executed Trivy v0.69.4.
  • Monitor for repositories named tpcp-docs in their GitHub organizations, as this may indicate that the fallback exfiltration mechanism was triggered.

Additionally, Aqua continues to investigate the ongoing threat, as suspicious activity was identified as recently as March 22. Users should stay vigilant and keep their systems updated with the latest secure versions of Trivy.
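The following POSIX shell script is an added example, not code from the SecurityWeek article or from the Trivy project, that checks for the two indicators named above: the compromised release v0.69.4 (whether installed locally or present as a container image from any registry) and GitHub repositories named tpcp-docs in an organization. All inputs in the script are constructed samples; the `trivy --version`, `docker images` and `gh repo list` commands that would supply live data are shown only in comments, and the `example-org` organization and image names are placeholders.

```shell
#!/bin/sh
# Added example, not code from SecurityWeek or the Trivy project.
# Checks for the indicators the maintainers named: the compromised release
# v0.69.4 and GitHub repositories called tpcp-docs (the fallback exfiltration
# channel). All inputs here are constructed samples; the real commands that
# would produce them are shown in comments.

COMPROMISED_VERSION="0.69.4"
FALLBACK_REPO_NAME="tpcp-docs"

# is_compromised_version VERSION_TEXT
# Accepts the first line of `trivy --version` ("Version: 0.69.4") or a bare
# tag ("v0.69.4"); succeeds when it names the compromised release.
is_compromised_version() {
    v=$(printf '%s\n' "$1" | head -n1 | sed 's/^[Vv]ersion:[[:space:]]*//; s/^v//')
    [ "$v" = "$COMPROMISED_VERSION" ]
}

# image_tag IMAGE_REF
# Prints the tag of an image reference, ignoring a registry port in the host
# part and any @sha256 digest; prints an empty line when there is no tag.
image_tag() {
    name=${1##*/}        # drop registry/namespace, e.g. "localhost:5000/x/"
    name=${name%%@*}     # drop a trailing digest
    case "$name" in
        *:*) printf '%s\n' "${name##*:}" ;;
        *)   printf '\n' ;;
    esac
}

# is_compromised_image IMAGE_REF
# Succeeds for tag 0.69.4 or v0.69.4 on any registry (Docker Hub, GHCR, mirrors).
is_compromised_image() {
    tag=$(image_tag "$1")
    [ "$tag" = "$COMPROMISED_VERSION" ] || [ "$tag" = "v$COMPROMISED_VERSION" ]
}

# find_fallback_repos  (reads "owner/name" lines on stdin)
# Prints every repository whose name is tpcp-docs. Live input would come from:
#   gh repo list example-org --limit 1000 --json nameWithOwner --jq '.[].nameWithOwner'
find_fallback_repos() {
    while IFS= read -r repo; do
        [ "${repo##*/}" = "$FALLBACK_REPO_NAME" ] && printf '%s\n' "$repo"
    done
    return 0
}

# --- constructed sample data standing in for live command output ---
# Live equivalent: trivy --version
SAMPLE_VERSION_OUTPUT="Version: 0.69.4
Vulnerability DB:
  Version: 2"
# Live equivalent: docker images --format '{{.Repository}}:{{.Tag}}'
SAMPLE_IMAGES="aquasec/trivy:0.69.4
ghcr.io/aquasecurity/trivy:0.68.0
localhost:5000/mirror/trivy:v0.69.4
aquasec/trivy"
# Live equivalent: the gh command shown above
SAMPLE_REPOS="example-org/app-backend
example-org/tpcp-docs
example-org/infra"

if is_compromised_version "$SAMPLE_VERSION_OUTPUT"; then
    echo "FINDING: installed trivy is the compromised release v$COMPROMISED_VERSION"
fi

printf '%s\n' "$SAMPLE_IMAGES" | while IFS= read -r img; do
    if is_compromised_image "$img"; then
        echo "FINDING: compromised image present: $img"
    fi
done

printf '%s\n' "$SAMPLE_REPOS" | find_fallback_repos | while IFS= read -r repo; do
    echo "FINDING: fallback exfiltration repository exists: $repo"
done
```

Each FINDING line corresponds to one of the maintainers' three actions: a version or image hit means the artifact must be removed and every credential the host could reach rotated, and a tpcp-docs hit means the fallback exfiltration path was actually exercised, so the secrets of that organization's CI runners should be treated as exposed. The checks are deliberately exact-match on the version the page names; they are a quick triage aid, not a substitute for rotating credentials.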

🔒 Pro insight: The Trivy attack underscores the vulnerabilities in open-source supply chains, necessitating rigorous credential management and monitoring practices.

Original article from SecurityWeek · Ionut Arghire
