ML Model Repositories: The Next Big Supply Chain Attack Target

The techniques are similar to ones that attackers have successfully used for years to upload malware to open source code repositories, and highlight the need for organizations to implement controls for thoroughly inspecting ML models before use.
Repositories such as Hugging Face are an attractive target because ML models give threat actors access to sensitive information and environments.
They are also relatively new, says Mary Walker, a security engineer at Dropbox and co-author of the Black Hat Asia paper.
Machine Learning Pipelines, An Emerging Target

Hugging Face is a repository for ML tools, data sets, and models that developers can download and integrate into their own projects.
Like many public code repositories, it allows developers to create and upload their own ML models, or look for models that match their requirements.
Hugging Face's security controls include scanning for malware, vulnerabilities, secrets, and sensitive information across the repository.
It also offers a format called Safetensors that allows developers to more securely store and upload large tensors, the core data structures in machine learning models.
The repository, like other ML model repositories, gives attackers openings to upload malicious models with a view to getting developers to download and use them in their projects.
Wood, for instance, found that it was trivial for an attacker to register a namespace within the service that appeared to belong to a brand-name organization.
There is then little to prevent an attacker from using that namespace to trick actual users from that organization into uploading ML models to it, which the attacker could poison at will.
Wood says that when he registered a namespace that appeared to belong to a well-known brand, he did not even have to try to get users from the organization to upload models.
Instead, software engineers and ML engineers from the organizations contacted him directly with requests to join the namespace so they could upload ML models to it, which Wood could then have backdoored at will.
Another example is a model confusion attack, in which a threat actor discovers the names of private dependencies within a project and then creates public malicious dependencies with the exact same names.
In the past, such confusion attacks on open source repositories such as npm and PyPI have resulted in internal projects defaulting to the malicious dependencies with the same name.
Malware on ML Repositories

Threat actors have already begun eyeing ML repositories as a potential supply chain attack vector.
Earlier this year, for instance, researchers at JFrog discovered a malicious ML model on Hugging Face that, upon loading, executed malicious code that gave attackers full control of the victim machine.
Wood's demonstration involves injecting malware into models using the Keras library and Tensorflow as the backend engine.
Wood found that Keras models offer attackers a way to execute arbitrary code in the background while having the model perform in exactly the manner intended.
In 2020, researchers from HiddenLayer used something similar to steganography to embed a ransomware executable into a model, and then loaded it using pickle.
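
One form the pre-use inspection can take for pickle-serialized models, as an added example that is not from the article or the researchers' work: list every global a pickle stream would import, without loading it, and refuse anything outside an allowlist. The allowlist contents and both sample blobs are assumptions constructed for the example, and the check covers pickle only, not Keras model formats.

```python
import pickle
import pickletools
from collections import OrderedDict

# Assumption for this example: the only global a plain weights file may import.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}
STRING_PUSHES = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
                 "STRING", "BINSTRING", "SHORT_BINSTRING"}
UNRESOLVED = ("<unresolved>", "<unresolved>")


def imported_globals(data: bytes) -> list:
    """List (module, name) pairs a pickle stream would import, without loading it."""
    found, prev = [], []  # prev: string pushed by each earlier opcode, else None
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "MEMOIZE":
            continue  # stores the stack top in the memo; the stack is unchanged
        if opcode.name in ("GLOBAL", "INST"):
            # Protocols 0-3 carry "module name" as one space-separated argument.
            found.append(tuple(arg.split(" ", 1)))
        elif opcode.name == "STACK_GLOBAL":
            # Protocol 4+ pops module and name from the stack. Resolve them only
            # when the two preceding opcodes pushed strings; otherwise fail closed.
            pair = tuple(prev[-2:])
            found.append(pair if len(pair) == 2 and None not in pair else UNRESOLVED)
        prev.append(arg if opcode.name in STRING_PUSHES else None)
    return found


def disallowed_globals(data: bytes) -> list:
    """Imports outside the allowlist; a non-empty result means do not load."""
    return [g for g in imported_globals(data) if g not in ALLOWED_GLOBALS]


# Constructed samples: a plain checkpoint, and one that references a callable
# (print stands in for any function a tensor file has no reason to import).
PLAIN = pickle.dumps(OrderedDict(weights=[0.1, 0.2]))
WITH_CALLABLE = pickle.dumps({"weights": [0.1, 0.2], "hook": print})

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("with_callable", WITH_CALLABLE)):
        print(label, disallowed_globals(blob) or "ok")
```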


This Cyber News was published on www.darkreading.com. Publication date: Mon, 18 Mar 2024 22:10:13 +0000

