CAPEC-693 Détail

CAPEC-693

Nom

StarJacking

Probabilité d'attaque

Moyen

Gravité typique

Haute

Statut

Stable

Publié

2022-09-29
00h00 +00:00

Liens officiels

CAPEC Mitre.org

Alerte pour un CAPEC

Restez informé de toutes modifications pour un CAPEC spécifique.

Gestion des notifications

Liste des Notifications

Alerte pour un CAPEC

Restez informé de toutes modifications pour un CAPEC spécifique.

Paramètres

Vous pouvez spécifier un titre qui sera récupéré dans les alertes qui seront envoyées.

Spécifiez le CAPEC ID que vous désirez surveiller.

Planifications

Mois

Prochaine exécution calculée

Jour

Jour de la semaine

Heure

Minute

Date de création

Dernière exécution

Prochaine exécution

Fonctionnalité nécessitant une connexion

Cette fonctionnalité qui vous permet de recevoir des alertes, n'est active que lorsque vous êtes connecté à votre compte.

Descriptions du CAPEC

An adversary spoofs software popularity metadata to deceive users into believing that a maliciously provided package is widely used and originates from a trusted source.

Informations du CAPEC

Flux d'exécution

1) Explore

[Identify target] The adversary must first identify a target package whose popularity statistics will be leveraged. This will be a popular and widely used package, as to increase the perceived pedigree of the malicious package.

2) Experiment

[Spoof package popularity] The adversary provides their malicious package to a package manager and uses the source code repository URL identified in Step 1 to spoof the popularity of the package. This malicious package may also closely resemble the legitimate package whose statistics are being utilized.

3) Exploit

[Exploit victims] The adversary infiltrates development environments with the goal of conducting additional attacks.

Technique

Active: The adversary attempts to trick victims into downloading the malicious package by means such as phishing and social engineering.
Passive: The adversary waits for victims to download and leverage the malicious package.

Conditions préalables

Identification of a popular open-source package whose popularity metadata is to be used for the malicious package.

Compétences requises

Ability to provide a package to a package manager and associate a popular package's source code repository URL.

Atténuations

Before downloading open-source packages, perform precursory metadata checks to determine the author(s), frequency of updates, when the software was last updated, and if the software is widely leveraged.
Look for conflicting or non-unique repository references to determine if multiple packages share the same repository reference.
Reference vulnerability databases to determine if the software contains known vulnerabilities.
Only download open-source packages from reputable package managers.
After downloading open-source packages, ensure integrity values have not changed.
Before executing or incorporating the package, leverage automated testing techniques (e.g., static and dynamic analysis) to determine if the software behaves maliciously.

Faiblesses connexes

CWE-ID	Nom de la faiblesse
CWE-494	Download of Code Without Integrity Check The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

Références

REF-721

StarJacking – Making Your New Open Source Package Popular in a Snap
Tzachi Zornstein.
https://checkmarx.com/blog/starjacking-making-your-new-open-source-package-popular-in-a-snap/

Soumission

Nom	Organisation	Date	Date de publication
CAPEC Content Team	The MITRE Corporation	2022-09-29 +00:00

Détail du CAPEC-693