Software Supply Chain Security

Recent cyberattacks have highlighted the risk posed by a lack of supply chain security and its implications for enterprise-wide risk. Third-party software used by organizations to power critical operations is increasingly becoming an avenue for malicious actors looking to gain access, making it essential that organizations implement robust supply chain security measures. With the rise of more sophisticated attacks such as SolarWinds, Stuxnet, and NPM, risk management can no longer be based on reactive approaches.

A comprehensive risk management strategy should incorporate steps to harden networks and reduce the risk of falling prey to complex supply chain attacks. By proactively addressing risk through enterprise-wide supply chain security measures, organizations can begin to protect themselves from potential threats and maintain organizational integrity.

Overview

Software supply chain security is an increasingly important issue for organizations. The software supply chain is an essential component of enterprise IT infrastructure, and its security is paramount. Without proper security measures, organizations are vulnerable to malicious actors looking to gain access or disrupt operations. To protect themselves, organizations must secure their software supply chain and take steps to reduce the risk of a successful attack.

This article will discuss the types of software supply chain attacks, the associated risks, and how organizations can protect themselves from them. It will also provide a deeper dive into supply chain security, focusing on the recent NPM package attack and the implications for software supply chain security. Finally, it will provide an overview of the steps organizations can take to secure their software supply chain.

Background

Software supply chain security is the set of measures taken to ensure the integrity and security of the software supply chain. This includes the secure acquisition of software components, the secure coding and design of applications, and the secure deployment of applications in production environments. The goal is to ensure that software is free from malicious code and is securely maintained and supported over its life cycle.

There are several steps organizations can take to secure their software supply chain, including verifying the integrity of the software supply chain, using secure code signing and scanning for vulnerabilities, and deploying applications in secure environments. Additionally, organizations should use security tools to monitor their software supply chain for malicious activity. By taking these steps, organizations can secure their software supply chain and reduce the risk of a successful attack.

Introduction

The software supply chain is an essential component of enterprise IT infrastructure, and its security is paramount. Software supply chain attacks are increasingly becoming an avenue for malicious actors looking to gain access, making it essential that organizations implement robust supply chain security measures. In this article, we will discuss the various types of software supply chain attacks, the risks associated with them, and how organizations can protect themselves from them.

Historical Perspective

I will talk about three different cyber-attacks that will give industry experts, as well as non-technical audiences, a trajectory of historical events: SolarWinds, Stuxnet, and NotPetya.

Stuxnet

In 2010, the Stuxnet worm became one of the first publicly known software supply chain attacks. Stuxnet was designed to sabotage the Iranian nuclear program by damaging centrifuges and nuclear fuel processing plants. It was delivered through a USB stick left at an Iranian nuclear facility and targeted industrial control systems used in the facility. Once the worm was installed on a system, it propagated through the network and spread to other industrial control systems.

Stuxnet demonstrated the potential of software supply chain attacks and the need for organizations to secure their software supply chain. The attack highlighted the need for organizations to secure their supply chain by conducting thorough code reviews, using secure code signing, and deploying applications in secure environments. In addition, organizations should use security tools to monitor their software supply chain for malicious activity.

  • Organizations must ensure they know which software they are using and that it is properly secured.
  • Organizations should use security tools to monitor their software supply chain for malicious activity.
  • Organizations should use secure code signing and scan for vulnerabilities.
  • Organizations should deploy applications in secure environments.

Read about my experience with Stuxnet in Fallujah, Iraq, with the 2nd Reconnaissance Battalion.

SolarWinds

SolarWinds is a software supply chain attack that was discovered in December 2020. It is believed to have been perpetrated by a nation-state actor and targeted U.S. government agencies and private companies. The attack was carried out by exploiting a vulnerability in the SolarWinds Orion software, a widely used IT management platform. The exploit allowed attackers to gain access to the systems of the organizations that were running the software.

SolarWinds demonstrated the potential for software supply chain attacks to cause major damage. The attack highlighted the need for organizations to secure their software supply chain. This includes implementing secure code signing, scanning for vulnerabilities, and monitoring the software supply chain for malicious activity. Organizations should also deploy applications in secure environments and ensure that software is updated.

  • Organizations must ensure they know which software they are using and that it is properly secured.
  • Organizations should use security tools to monitor their software supply chain for malicious activity.
  • Organizations should use secure code signing and scan for vulnerabilities.
  • Organizations should deploy applications in secure environments.
  • Organizations should ensure that software is kept up to date.

NPM Event Stream Attack

Software supply chain attacks such as the NPM attack are more recent. While the attack vector is ever-evolving, the goal remains the same: to gain access to sensitive information or disrupt operations. The NPM Event Stream supply chain attack that occurred in 2018 was a prime example of this. The attack occurred when the maintainer of the Event Stream package released version 3.6, which included malicious code, without realizing it. The malicious code was then spread to millions of unsuspecting users through popular packages like Azure CLI and VS Code.

Organizations must ensure that their software supply chain is secure and updated. This includes verifying the integrity of the software supply chain, using secure code signing and scanning for vulnerabilities, and deploying applications in secure environments. Additionally, organizations should use security tools to monitor their software supply chain for malicious activity. Organizations should also ensure that software is updated and that any packages used are from trusted sources. By taking these steps, organizations can reduce the risk of a successful attack.

Deeper Dive

The recent malicious attack on the Bitcoin wallet application Co-Pay exposed a terrifying vulnerability within the npm package manager and the Event Stream package. Cyber attackers managed to gain access to private keys of users’ information, such as passwords and credit card data, after convincing the maintainer of the package to hand it over. Unsuspecting users were sending their information off to an API server through popular packages like Azure CLI and VS Code due to the hidden code they were unknowingly installing. Unfortunately, this issue went undetected for over a month, with 8 million users affected in that period. Thankfully, swift action by community members reduced the damage with notifications sent out and mitigation tools created to detect and attempt to fix any compromised accounts.

  • In September 2018, the maintainer of Event Stream gave the package away to a random person. The person added a new dependency, Flatmap Stream, and released version 3.6 of Event Stream. This version included a tilde or caret, which meant that any project which depended on Event Stream would automatically update to the new version.
  • This new version of Flatmap Stream included malicious code discovered after it had been in the wild for over a month. The malicious code used a deprecated method in the crypto library, which caused warnings to be triggered in unrelated projects. This alerted people to the malicious code.
  • Payload A was the first malicious code and was a bootstrapper that imported a file of hexadecimal strings. This payload used the hexadecimal strings as a key to decrypt the second element in the test data, which was the rest of the malicious code.
  • Without the warnings triggered by the deprecated method, the malicious code would have likely gone unnoticed. Payload B was the second malicious code and looked for a specific script name in a package.json file. It then used the description of the package.json file to decrypt the third element, which was the final payload, Payload C. Payload C was the code that harvested Bitcoin wallets with at least a hundred or a thousand Bitcoin.
  • Payload C was deployed by targeting a dependency of the Co-pay Dash wallet application. It was injected into the application during the build stage and executed in the mobile application context.
  • The community immediately rallied around the malicious code, and tools were written to detect and mitigate the problem. However, this type of attack will likely happen again due to the difficulty of conversations and the lack of buy-in.
  • To prevent this attack, developers should rethink dependencies, audit dependencies, lock dependencies, check in dependencies, and think twice before adding any new dependencies.
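
The "audit dependencies" and "lock dependencies" advice above can be checked mechanically. The following is an added example, not code from the incident or from npm: it flags floating version ranges in a package.json, shows which ranges admit a newer release, and diffs two lockfiles to surface a newly introduced transitive dependency. The helper names, the wallet-app and example-lib names, and all version numbers and integrity strings are constructed for illustration.

```javascript
// Added example. Helper names and all version numbers below are constructed.

// Does a caret (^), tilde (~) or exact range admit `version`? Handles x.y.z, major >= 1.
function admits(range, version) {
  const [maj, min, pat] = range.replace(/^[\^~]/, "").split(".").map(Number);
  const [vMaj, vMin, vPat] = version.split(".").map(Number);
  if (vMaj !== maj) return false;
  if (range[0] === "^") return vMin > min || (vMin === min && vPat >= pat);
  if (range[0] === "~") return vMin === min && vPat >= pat;
  return vMin === min && vPat === pat; // exact pin
}

// Dependencies in package.json whose range is anything but an exact x.y.z pin.
function floatingDeps(pkg) {
  return Object.entries(pkg.dependencies || {})
    .filter(([, range]) => !/^\d+\.\d+\.\d+$/.test(range))
    .map(([name]) => name);
}

// Compare two lockfiles ("packages" map of lockfileVersion 2/3) and report entries
// that are new, changed version, or carry no integrity hash.
function lockDiff(oldLock, newLock) {
  const findings = [];
  for (const [path, entry] of Object.entries(newLock.packages)) {
    if (path === "") continue; // root project entry
    const name = path.replace(/^.*node_modules\//, "");
    const before = oldLock.packages[path];
    if (!before) findings.push(`new: ${name}@${entry.version}`);
    else if (before.version !== entry.version)
      findings.push(`changed: ${name} ${before.version} -> ${entry.version}`);
    if (!entry.integrity) findings.push(`no-integrity: ${name}`);
  }
  return findings;
}

// Constructed sample data (not the real manifests from the incident).
const pkg = { dependencies: { "event-stream": "^3.5.0", "example-lib": "1.3.0" } };
const lockBefore = { packages: {
  "": { name: "wallet-app" },
  "node_modules/event-stream": { version: "3.5.0", integrity: "sha512-CONSTRUCTED-A" },
} };
const lockAfter = { packages: {
  "": { name: "wallet-app" },
  "node_modules/event-stream": { version: "3.6.0", integrity: "sha512-CONSTRUCTED-B" },
  "node_modules/flatmap-stream": { version: "1.0.0" },
} };

console.log(floatingDeps(pkg), admits("^3.5.0", "3.6.0"), admits("3.5.0", "3.6.0"));
console.log(lockDiff(lockBefore, lockAfter));
```

Running a diff like this in code review makes an unexpected new package in the lockfile a visible event rather than a silent side effect of an install. In CI, `npm ci` installs exactly what the committed lockfile records.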

From USBs to NPM Packages

The importance of software supply chain security cannot be overstated. In an increasingly interconnected world, the software supply chain is vulnerable to malicious actors. By exploiting vulnerabilities in the software supply chain, hackers can gain access to sensitive data or disrupt operations. Additionally, organizations can face legal and reputational damage from a software supply chain attack. For these reasons, it is critical for organizations to take steps to secure their software supply chain.

Organizations must be aware of the risks associated with software supply chain security and take steps to secure their supply chain. This includes verifying the integrity of the software supply chain, using secure code signing and scanning for vulnerabilities, and deploying applications in secure environments. Additionally, organizations should use security tools to monitor their software supply chain for malicious activity. Finally, organizations should ensure that software is kept up to date.

Not All Systems Are The Same

It is important to remember that not all software systems are the same, and different approaches to software supply chain security may be necessary. For example, while the security of a web application or mobile application may be managed with secure code signing and vulnerability scanning, the security of an embedded system or Internet of Things (IoT) device may require additional measures. For example, embedded systems may require using secure boot technologies to ensure that the software on the device is genuine and has not been tampered with. Additionally, organizations should consider using hardware security modules or trusted computing modules to protect critical data.

Organizations must also consider the implications of their software supply chain on their operations. For example, organizations may need to consider how their software supply chain affects their ability to comply with data privacy and security regulations. Additionally, organizations may need to consider how their software supply chain affects their ability to respond to changing customer needs and demands. Finally, organizations should consider how their software supply chain affects their ability to respond to cyberattacks, such as distributed denial of service (DDoS) attacks.

Conclusion and Key Takeaways

In conclusion, software supply chain security is an increasingly important issue for organizations. Organizations must take steps to secure their software supply chain, including verifying the integrity of the supply chain, using secure code signing and scanning for vulnerabilities, deploying applications in secure environments, and using security tools to monitor the supply chain for malicious activity. Additionally, organizations should consider the implications of their software supply chain on their operations and their ability to respond to cyberattacks. By taking these steps, organizations can ensure that their software supply chain is secure and can reduce the risk of a successful attack.

  • Organizations must ensure they know which software they are using and that it is properly secured.
  • Organizations should use security tools to monitor their software supply chain for malicious activity.
  • Organizations should use secure code signing and scan for vulnerabilities.
  • Organizations should deploy applications in secure environments, ensuring that software is kept up to date at all times.
  • Software supply chain attacks such as SolarWinds and Stuxnet have highlighted the need for organizations to take proactive steps
  • The NPM Event Stream attack exposed a vulnerability within npm package