A threat actor is systematically targeting cloud credentials, SSH keys, authentication tokens, and other sensitive secrets stored in automated enterprise software build and deployment pipelines after compromising Trivy, the widely used cloud security scanning tool.
Trivy is an open source scanner that organizations use to identify vulnerabilities in container images, code repositories, and infrastructure configurations. Many organizations have embedded Trivy deep into their automated CI/CD software development pipelines, making it a high-value target for attackers. Aqua Security, the primary maintainer of the scanner, sells a separate commercial version of Trivy, which, according to the company, does not appear to have been impacted by the supply chain attack.
Multistage Supply Chain Attack
The compromise began in February, when the attacker exploited a misconfiguration in Trivy’s GitHub Action component to steal a privileged access token. The attacker subsequently used the token to infiltrate Trivy’s repository automation and release environment.
The Trivy team discovered and disclosed that initial intrusion on March 1. They executed a credential rotation at the time, but it was not as comprehensive as they thought it might have been, because the attacker managed to retain access to the environment and also capture newly rotated secrets.
On March 19, the attacker used those credentials to force-push malicious code to 76 of the 77 previously released versions of trivy-action, the GitHub Actions that organizations use to run Trivy scans inside their automated CI/CD pipelines. A CI/CD pipeline that referenced any of those versions would have pulled down and unknowingly executed the malicious code instead of the legitimate original.
The attacker similarly poisoned all seven versions in the setup-trivy repository for setting up the scanner. In addition, the threat actor exploited a compromised automated service account called aqua-bot to publish a malicious version of Trivy, v0.69.4, and manipulate its GitHub Action tags.
“Rather than introducing a new, clearly malicious version, the attackers used a more sophisticated approach,” Aqua Security said in a blog post on March 22. “By modifying existing version tags associated with trivy-action, they injected malicious code into workflows that organizations were already running.”
Because many automated CI/CD pipelines rely entirely on version labels without verifying that the code hasn’t changed since they first started using it, they continued running as usual without detecting the tampering, Aqua said.
In a March 23 update, Aqua disclosed that the threat actor had exploited the compromised automated service account (aqua-bot) to also publish two compromised Docker images, v0.69.5 and v0.69.6, effectively spreading malware through Trivy’s trusted release pipeline.
Credential Stealing Payload
The Trivy security team and Aqua described the payload itself as a credential-harvesting infostealer that scans more than 50 filesystem locations for SSH keys, cloud provider credentials for AWS, Google Cloud, and Azure, Kubernetes authentication tokens, Docker configuration files, environment variable files, database credentials, and cryptocurrency wallets.
Their analysis showed the malware using AES-256-CBC with RSA-4096 hybrid encryption to encrypt and transmit stolen data to attacker-controlled infrastructure. In instances where such exfiltration is not possible, the malware creates a public GitHub repository on the victim’s account (named public tpcp-docs) and uploads the data from there, Trivy and Aqua said.
“This combination of credential compromise, abuse of trusted release channels, and silent execution within CI/CD pipelines is a clear example of a modern software supply chain attack,” Aqua said. “Rather than targeting a single organization, the attackers leveraged widely trusted tooling to reach downstream users at scale.”
What makes the attack particular troubling is that it affects a security tool that many organizations rely on and implicitly trust to detect vulnerabilities and to protect them against attacks. This is the second recent incident involving either a security tool or a vendor. Earlier this month, Outpost24 reported an incident where someone attempted to steal credentials from a C-level executive at the company using a sophisticated seven-stage phishing chain.
Though that particular attack failed, the incident and now the one involving Trivy are evidence of growing attacker interest in targeting vendors and products that most companies implicitly trust and to which they provide near unfettered access to their environments.
Aqua and Trivy urged organizations that used any affected version of Trivy, trivy-action, or setup-trivy during the exposure windows to treat all secrets accessible to those pipelines as compromised and to rotate them immediately. Aqua recommended that affected organizations audit Trivy versions to see if they might have pulled or executed the weaponized Trivy v0.69.4 version from any source and to remove them immediately.
The company also urged a review of all workflows using aquasecurity/trivy-action or aquasecurity/setup-trivy for signs of compromise. Aqua’s blog post specified other actions that organizations need to take to mitigate risk from the supply chain attack.
