Why a recent supply-chain attack singled out security firms Checkmarx and Bitwarden

Published: April 29, 2026 at 07:00 AM EDT

Source: Ars Technica

Overview

A recent supply‑chain attack that began on March 23, 2023, has exposed data from the security firms Checkmarx and Bitwarden. The breach originated in Checkmarx’s GitHub repositories and was part of the broader Trivy campaign.

Checkmarx Breach

“Current evidence indicates that this data originated from Checkmarx’s GitHub repositories, and that access to those repositories was facilitated through the initial supply chain attack of March 23, 2023,” Checkmarx said Monday. The company did not disclose the specific types of data that were leaked.

Bitwarden Breach

Socket reported that Bitwarden was also compromised in the same supply‑chain attack. The connection to the Trivy campaign was established because the payload used the same command‑and‑control (C2) endpoint and core infrastructure as the Checkmarx malware.

The Trivy Attack and TeamPCP

The Trivy attack was carried out by a group calling itself TeamPCP, which is known for operating as an access broker. Access brokers:

  • Compromise credentials from victims.
  • Sell those credentials to other threat actors.

TeamPCP’s strategy focuses on targeting tools that already possess privileged access.

Connection to Lapsus$

In the Checkmarx case, TeamPCP sold access credentials to Lapsus$, a ransomware group largely composed of teenagers. Lapsus$ is noted both for its technical skill in breaching large organizations and for its tendency to taunt victims after successful attacks.

Impact and Implications

The incidents illustrate the cascading effects a single breach can have:

  • Both Checkmarx and Bitwarden were affected, raising the risk of subsequent attacks on their customers or partners.
  • Downstream compromises could arise from the initial breach.

Socket CEO Feross Aboukhadijeh emphasized that security organizations are attractive targets because their products handle sensitive data and are widely distributed.

“You will see this same thread throughout these compromises. Attackers are treating security tools as both a target and a delivery mechanism. They are attacking the products that are supposed to protect the supply chain, then using those same products to steal credentials and move to the next victim.”
