Identifying supply chain attacks: Can you confidently detect them?
Introducing the Software Supply Chain: Old and New Threats
In the early days of computer malware, a common piece of advice was to steer clear of pirated software. While this wisdom seemed sensible, it was not entirely accurate. In those days, any copying could result in a virus infection, affecting both legitimate and pirated software.
For instance, if you made a legal backup of a program from its official distribution medium, you might assume your copy would be safe. However, if your computer was already infected, that backup would often be carrying the virus as well. This was due to the malware modifying the data during the copying process.
The primary vector for malware contamination in those days wasn't limited to illegal copying. Instead, any uncontrolled and unverified copying was dangerous. In terms of jargon, copying outside an officially vetted and trusted supply chain was risky, while buying software from the supply chain was theoretically safe.
However, this doesn't mean the software supply chain was invincible. Over the years, numerous cybersecurity lapses have jeopardized the integrity of official software distribution channels. These included pre-infected diskettes, CDs and USB devices, as well as digital devices such as digital picture frames and Android phones shipped with adware or spyware.
Nowadays, supply chain problems have evolved into complex and deliberate attacks, often delivering brand-new malware through a sequence of carefully planned tricks. We'll examine some fascinating real-world examples in the following sections, reminding us of the challenges of stopping cyber threats that appear to originate from within trusted sources.
Reflections on Trusting Trust: A 1983 Computer Science Luminary's Warning
To fully comprehend the threats to the supply chain, we must go back to 1983 and the Association of Computing Machinery's coveted Turing Award ceremony. Computer scientists Ken Thompson and Dennis Ritchie were honored for their foundational work on the Unix operating system. During his acceptance speech, Thompson presented a particularly troublesome type of attack: creating a booby-trapped C compiler that could inject malware into every program it compiled.
More worryingly, Thompson detailed a method to build this Trojan Horse compiler so that even recompiling it from the original, non-booby-trapped source code would not remove the malicious code. This compromised the supply chain in a subtle way that code review alone couldn't detect.
These ideas were put into practice in a real-world malware sample called Induc, which appeared first in 2009 and targeted the Delphi programming language. While it didn't do any immediate harm to non-developers, when an infected file landed on a computer with Delphi installed, the malware would modify the source code of libraries, embedding the malware and potentially infecting every program built with that tainted code.
Despite its widespread detection and the passage of years, Induc lingered on due to the IT industry's reluctance to learn from Thompson's paper. Many organizations stubbornly denied the possibility that their own software could be infected, even when anti-virus scanners flagged them. This ignorance prolonged the infection, with the supply chain remaining contaminated long after the virus should have been eradicated.
A Modern-Day Supply Chain Attack: SolarWinds (2020)
More recently, the IT world was shaken by a sophisticated supply chain attack on SolarWinds, a popular vendor of network management software. The attackers inserted malicious code into a legitimate SolarWinds software update, ultimately compromising numerous SolarWinds customers, including U.S. government agencies and Fortune 500 companies. This breach led to unauthorized access to sensitive data and prolonged periods of undetected surveillance.
Behind the Curtain: The Double-Barreled Malware Attack on SolarWinds (2020)
The SolarWinds attack was a highly coordinated dual-pronged assault. The first component, Sunburst, was malware SolarWinds inadvertently introduced into its supply chain and sent out automatically as part of a routine update. This malware was digitally signed with SolarWinds' own cryptographic certificate, concealing its true nature from many security tools. After lying dormant for 12 to 14 days upon activation, Sunburst would connect with command-and-control servers operated by the attackers, download and run new malware, extract system details, and manipulate configuration settings.
To make things worse, the Sunburst attackers deployed a special-purpose companion malware known as Sunspot, implanted on SolarWinds' own software build servers. Sunspot used tactics similar to Induc's, hiding its malicious code inside test files that were activated during the build process only if the source code was compiled for certain systems or operating environments. As a result, the compromised library containing the malware would only be included in specified builds, further camouflaging the attack.
XZ Utils Compromise (2024): A Multi-layered Conundrum
In 2024, another supply chain attack came to light. Known as the XZ Utils compromise, it targeted Linux systems based on the Debian distribution due to a non-standard modification in Debian's OpenSSH server. The attack aimed to insert a login backdoor into the OpenSSH software, the most widely-used remote access tool in the world. The attacker, known only by the pseudonym Jia Tan, targeted the non-standard part of Debian's OpenSSH, specifically the XZ Utils library.
Two Levels of Indirection
Debian uses the rsync toolkit, which includes a customized log file format. The library used in Debian's modified OpenSSH server, therefore, had a related supply chain dependency: if an infected version of the library was loaded when running as a system daemon, the backdoor would be activated.
The Height of Deception: Jia Tan's Malicious Code!
Jia Tan carefully concealed the malware, hiding it inside the test files used by developers. The backdoor would only be included in the library if the source code was compiled for systems based on Debian or those using Red Hat-style update packages. When activated, the backdoor would intercept the cryptographic handshake between the client and server, allowing a remote attacker to run any program with root privileges.
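A defender-side check for the hiding place described above (build-time code concealed in test files), as an added example that is not from the original article or from the XZ Utils project: it flags build scripts outside the test directories that name files stored inside them, ranked by how opaque the fixture is. The directory names, file-name patterns and sample tree are constructed assumptions.

```python
import math
import re
from collections import Counter
from pathlib import Path, PurePosixPath

# Assumed naming conventions for build logic and test data; adjust per project.
BUILD_NAME = re.compile(r"(^Makefile|^configure|^CMakeLists\.txt$|\.(m4|ac|am|in|cmake|sh)$)")
TEST_DIRS = {"test", "tests", "testdata"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; compressed or encrypted data nears 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_fixture(path: str) -> bool:
    """True when the file lives under a test directory."""
    return bool(TEST_DIRS & set(PurePosixPath(path).parts[:-1]))

def load_tree(root: str) -> dict[str, bytes]:
    """Read an unpacked release tarball or checkout into the mapping audit() expects."""
    base = Path(root)
    return {p.relative_to(base).as_posix(): p.read_bytes()
            for p in base.rglob("*") if p.is_file()}

def audit(tree: dict[str, bytes]) -> list[tuple[str, str, float]]:
    """Return (build_file, fixture, fixture_entropy) for each build script
    outside the test directories that names a file stored inside them."""
    fixtures = [p for p in tree if is_fixture(p)]
    findings = []
    for path, data in tree.items():
        if is_fixture(path) or not BUILD_NAME.search(PurePosixPath(path).name):
            continue
        text = data.decode("utf-8", "replace")
        for fx in fixtures:
            if PurePosixPath(fx).name in text:
                findings.append((path, fx, round(entropy(tree[fx]), 2)))
    return sorted(findings, key=lambda f: -f[2])  # most opaque fixture first

# Constructed sample tree: only the m4 macro reaches into tests/ from the build.
SAMPLE = {
    "src/lib/encode.c": b"int encode(void) { return 0; }\n",
    "tests/files/good-1.bin": bytes(range(256)) * 4,
    "tests/files/readme.txt": b"fixtures for the decoder tests\n",
    "tests/Makefile.am": b"check: good-1.bin\n",
    "Makefile.am": b"SUBDIRS = src tests\n",
    "m4/host-check.m4": b"AC_DEFUN([HOST_CHECK], [input=$srcdir/tests/files/good-1.bin])\n",
}
```

A hit is a prompt for manual review, not proof of compromise; run `audit(load_tree(path))` on the unpacked release tarball as well as the repository checkout, since the two can differ.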
In Disguise, Ready to Strike: The Danger Lurking in Your Infrastructure
As you might have gathered, detecting and preventing supply chain attacks is extremely challenging. The SolarWinds attack, for instance, eluded the cybersecurity experts and vendors of the world, despite the attackers keeping a low profile and being as surreptitious as possible. A different attack, the XZ Utils compromise, went unnoticed until after it was launched, even though the attacker operated publicly and made a great effort to build trust and authority.
To combat these threats, building a positive cybersecurity culture within your team and organization is essential. This includes staying updated on cybersecurity news, maintaining a clear understanding of your network, and having a well-detailed plan for responding to cybersecurity crises. Seeking help from a dedicated cybersecurity partner can assist you in cultivating this culture and better protect your systems and data against increasingly malicious supply chain attacks.
- With the ever-evolving nature of cybersecurity threats, it is crucial to prioritize endpoint security in the software supply chain, as demonstrated by complex attacks like the SolarWinds and XZ Utils compromises.
- As technology advances, supply chain attacks risk growing more sophisticated, making it essential to embrace advancements in cybersecurity to combat these threats and secure data effectively.