"IBM Makes Open-Source Tookit Available to Fight Software Supply Chain Attacks"

In most cases, IBM's X-Force Red ethical hacking team has been able to gain access to Source Code Management (SCM) systems in an adversary simulation engagement. Access to SCM systems provides attackers with opportunities for software supply chain attacks as well as lateral movement and privilege escalation throughout an organization. Therefore, X-Force Red is making an open-source toolkit called SCMKit available to raise awareness about the abuse of SCM systems and to encourage the detection of attack techniques against SCM systems. The user can specify the attack module to use, the SCM system, and valid credentials (username/password or Application Programming Interface (API) key) for the appropriate SCM system. To perform reconnaissance of repositories, files, code, and other resources specific to different SCM systems such as GitLab Runners, SCMKit has a number of modules. The kit also enables security teams to investigate privilege escalation, the use of SSH keys to achieve persistence, and more. This article continues to discuss the purpose and availability of X-Force Red's SCMKit.

BetaNews reports "IBM Makes Open-Source Tookit Available to Fight Software Supply Chain Attacks"