f5-logger

Problem

Potentially unwanted applications (PUAs) can be considered a risk by some software users. This threat type typically collects private user data, or in more extreme cases, tampers with system security settings. Most threat prevention solutions detect and block PUAs. Software packages that trigger security solution detections also tend to increase the number of support calls and open tickets from users.

Problem

Software components contain executable code that performs actions implemented during its development. These actions are called behaviors. In the analysis report, behaviors are presented as human-readable descriptions that best match the underlying code intent. Python Package Index (PyPI) repository is often abused by threat actors to publish software packages that exhibit malicious behaviors. Malware authors use numerous tactics to lure developers into including malicious PyPI packages in their software projects. Most malicious packages published on PyPI target developers and their workstations. However, some are designed to activate only when deployed in the end-user environment. Both types of Python malicious packages are detected by proprietary ReversingLabs threat hunting algorithms. This detection method is considered proactive, and it is based on Machine Learning (ML) algorithms that can detect novel malware. The detection is strongly influenced by behaviors that software components exhibit. Behaviors similar to previously discovered malware and software supply chain attacks may cause some otherwise benign software packages to be detected by this policy.

Problem

Software developers use programming and design knowledge to build reusable software components. Software components are the basic building blocks for modern applications. Software consumed by an enterprise consists of hundreds, and sometimes even thousands of open source components. Software developers publish components they have authored to public repositories. While a new software project is a welcome addition to the open source community, it is not always prudent to indiscriminately use the latest components when building a commercial application. Irrespective of the software quality, the danger of being the first to try out a new project lies in the fact that the software component may contain novel, currently undetected malicious code. Therefore, it is prudent to review software component behaviors and even try out software component in a sandbox, an environment meant for testing untrusted code.

Problem

Software developers use programming and design knowledge to build reusable software components. Software components are the basic building blocks for modern applications. Software consumed by an enterprise consists of hundreds, and sometimes even thousands of open source components. Software developers publish components they have authored to public repositories. Developers that use open source components within their applications can specify the exact version of the component their application depends on. However, since components are frequently updated, some developers opt to always use the latest version of the software component. This helps reduce the number of vulnerabilities that open source components can introduce in the application. However, it does expose the developer and the build environment to risks associated with software supply chain attacks. Should a threat actor hijack the ownership of the software component publishing account, or even its publishing token, they could issue a malicious update that can infect the build environment or the application itself. To ensure that the build system updates the software component to a malicious version, threat actors often set the version number to an unusually high value. If a build system is instructed to use the latest component version, it will install the component with the highest version number, and execute its code.

Problem

Software components contain executable code that performs actions implemented during its development. These actions are called behaviors. In the analysis report, behaviors are presented as human-readable descriptions that best match the underlying code intent. While most behaviors are benign, some are commonly abused by malicious software with the intent to cause harm. When a software package shares behavior traits with malicious software, it may become flagged by security solutions. Any detection from security solutions can cause friction for the end-users during software deployment. While the behavior is likely intended by the developer, there is a small chance this detection is true positive, and an early indication of a software supply chain attack.