written by Denis Rendler (Information Security Officer), in the May 2023 issue of Today Software Magazine.

Read the article in Romanian here

In the world of cybersecurity, the complexities and potential threats hidden within the software supply chain cannot be ignored. The extensive and interconnected network of libraries used in today's software offer a distinct opportunity for malicious actors to exploit weaknesses, infiltrate systems, and cause widespread disruptions.

As developers and organisations around the globe increasingly rely on open-source components to create, deploy, and maintain their software, ensuring the security and integrity of the software supply chain has become a pressing concern.

While open-source software offers numerous benefits, such as cost-efficiency, flexibility, and adaptability, it also presents unique challenges in protecting the supply chain from cyber threats.

With the prevalence of these types of attacks on the rise, especially targeting open-source projects, it's crucial as cybersecurity professionals, to comprehend the associated risks and develop effective strategies to fortify the ecosystem.

In a 2022 study, Sonatype, a company specializing in software supply chain management, shared their insights on these types of attacks. The report highlights that the researchers detected an astounding 742% rise in attack frequency since 2019, with a remarkable 633% increase taking place in 2022 alone.

In this article, we will dive into a few recent examples of attacks, and provide practical guidance on processes and methods for securing the software supply pipeline while enforcing the idea of collaboration and community involvement.

The aim is to empower ourselves with the knowledge and tools necessary to create a more robust and secure open-source environment, safeguarding the software supply chain of our projects against potential threats.

Understanding the Threat Landscape

In the past, bad actors predominantly targeted well-known, publicly disclosed vulnerabilities that remained unpatched.

However, attackers have recently changed their approach, opting to introduce their own vulnerabilities through open-source libraries to maximize the potential damage they can cause or gain access to systems deep into our networks.

Three of the most notorious supply chain attacks in recent years include the SolarWinds Orion application compromise, which affected over 18,000 organisations worldwide, then there is the December 2021 Log4j framework vulnerability that continues to affect Java projects and organisations to this day and the more recent 3CX, where the telecom company fell victim to a linked supply chain attack from a breach on another company's build system.

Therefore, in the ever-evolving realm of cybersecurity, it is essential for organisations and developers to be aware of the various threats that can compromise a software supply chain.

A key step in bolstering the security of the software we rely on is understanding the different types of attacks that target it.

Three widely spread attack vectors that we will analyse in this article are:

1. code injection;

2. dependency attacks;

3. build tools attacks.

Code Injection Attacks

Using a code injection form of attack, malicious actors insert harmful code into an otherwise legitimate software element, which subsequently becomes part of the finished product or infrastructure supporting a product.

Consequences of such an attack may include data leaks, compromised systems, or even total control of the impacted systems.

In 2020, the SolarWinds Orion attack involved adversaries injecting a malicious backdoor, called SUNBURST, into the SolarWinds Orion software. The code was then signed with the company's code signing certificate, suggesting that the built environment was the initial entry point. Through a software update, the malicious code allowed the attackers to compromise the systems of over 18,000 organisations worldwide, including government agencies and private companies.

In March 2021, the PHP project experienced an attempt to inject malicious code into its source code.

While there are numerous instances of code injection attacks targeting web applications developed using the PHP language, due to its language construct and loose typing architecture, the language interpreter itself suffered an attempt at code injection by malicious actors.

The attackers compromised the git.php.net server and pushed two malicious commits to the PHP source code repository. These commits were disguised as minor typographical corrections, but the threat actor also introduced a backdoor into the PHP source code.

The backdoor code would have allowed an attacker to execute arbitrary code on a web server running the compromised version of the PHP interpreter by sending a specifically crafted request.

However, due to the vigilance of the community, the PHP development team quickly addressed the malicious commits and reverted them before any official release of PHP containing the backdoor could be made.

In dependency attacks, the focus is on a software package that functions as a dependency for a larger application or other libraries. By tampering with a widely utilised library, adversaries can potentially impact numerous applications reliant on that particular library, amplifying the consequences of the attack.

Three frequently observed methods for executing this type of attack include: typosquatting, brandjacking and upstream library compromise.

In 2020, during a study on typosquatting attacks, ReversingLabs discovered more than 700 malicious Ruby gems - packages created with the Ruby programming language - being uploaded within just a few days.

As Large Language Model (LLM) engines, particularly ChatGPT, have recently surged in popularity, bad actors employed a brandjacking attack to target ChatGPT users introducing a Chrome extension that simulates the original extension's functionality while simultaneously seizing control of a victim's social media accounts.

In December 2021, a critical vulnerability (CVE-2021-44228) was discovered in the Log4j library, widely used open-source Java logging library, specifically affecting versions Log4j 2.0 to 2.14.1. This vulnerability is commonly referred to as "Log4Shell."

The Log4j vulnerability, an upstream library with a widespread use in Java applications, had a massive impact making it a potential threat to countless systems.

Exploiting the vulnerability was relatively simple for attackers, resulting in severe consequences such as full system control.

The best practice of version pinning in software projects, while intended to maintain stability, hindered swift updates to patched Log4j versions. Furthermore, the patching process often required compatibility checks with other libraries and components, adding complexity and prolonging the vulnerability's impact.

Build Tools Attacks

The third category of attacks covered in this article targets automated build systems, which are responsible for independently overseeing an application's build process.

Tools such as Jenkins, GitlabCI/CD, TeamCity and others are highly appealing to malicious actors, as these systems can grant access to secret keys, additional infrastructure components, proprietary code, and more.

In build tools attacks, adversaries exploit vulnerabilities within these tools, manipulating the build process to produce malicious software artefacts. These tainted artefacts can then be distributed to users, who remain unaware of the compromise.

As build tools are often taken for granted, they can present an attractive target for attackers seeking to undermine the integrity of a software project.

At the end of March 2023, it was discovered that 3CX, a telecom company offering VoIP communications, was the target of a supply chain attack using its internal build system.

A tampered version of the 3CX Voice Over Internet Protocol (VOIP) desktop client, containing a hidden Trojan and bearing the digital signature of the company, was reportedly being employed to target the company's customers in a supply chain attack.

"The issue appears to be one of the bundled libraries that we compiled into the Windows Electron App via GIT," explained 3CX CISO Pierre Jourdan in a blog post.

Strengthening the Software Supply Chain

The Zero-Trust concept is a cybersecurity strategy based on the "never trust, always verify" principle. It assumes that every user, device, and network is a potential threat, whether they are inside or outside an organisation's perimeter. This approach requires that all access requests to resources be authenticated, authorised, and encrypted before they are granted, thus limiting the potential attack surface.

A layered approach to security, also known as defence-in-depth, involves implementing multiple security measures at different levels within an organisation's infrastructure. This ensures that if one layer is compromised, the others can still provide protection.

In the context of software supply chain security, a zero-trust approach combined with a layered security strategy can create a robust, highly secure environment for our projects.

Achieving this robust security can be accomplished by implementing and integrating the following layers:

Secure Development Practices

The first step is implementing secure development practices, such as utilising signed commits and releases, maintaining secure communication channels, and using strong authentication mechanisms, we can reduce the risk of supply chain attacks.

These practices make it more difficult for attackers to impersonate trusted contributors, compromise project infrastructure, or manipulate the development process.

As developers, we should also consider adopting the principle of least privilege, which entails granting the minimum necessary access and permissions to users, processes, and systems.

This approach can help us to limit the potential damage caused by a compromised component or account, thereby reducing the overall attack surface.

Additionally, incorporating security practices like threat modelling, secure coding standards, and regular security trainings can further enhance the resilience of our projects against supply chain attacks.

These practices enable developers to anticipate potential threats, implement secure coding techniques easier, and stay informed about the latest attack vectors and security trends.

Code Review and Auditing

One of the most effective ways for us to guard against supply chain attacks is to review and audit code changes rigorously. This process should involve multiple trusted reviewers in-depth knowledge of the codebase and its dependencies. By carefully scrutinising changes and validating their authenticity, we can significantly reduce the likelihood of malicious code entering the software supply chain.

Automated tools, such as static code analysis (SAST) and dynamic analysis (DAST), can be utilised to assist with the code review process. These tools can help identify potential vulnerabilities by providing valuable insights into the application's behaviour, coding errors or suspicious code patterns that may have been overlooked during the manual review.

Furthermore, integrating security testing into the continuous integration and continuous delivery (CI/CD) pipeline can help to catch potential issues earlier in the development process.

Vulnerability Management

Proactive vulnerability management is essential for detecting and remedying weaknesses in our software projects.

By regularly scanning for vulnerabilities in code and dependencies, we can identify and address issues before they can be exploited.

Additionally, participating in open-source communities and sharing information about vulnerabilities can help to strengthen the overall security of the ecosystem. This collaboration not only fosters a sense of shared responsibility, but also ensures that knowledge and best practices are disseminated widely.

We must establish processes for tracking and applying security updates and patches to their software stack.

Keeping software up to date is a critical aspect of vulnerability management, as it helps to minimize the window of opportunity for attackers to exploit known vulnerabilities.

To further strengthen their defenses, we should consider implementing tools and platforms that offer automated vulnerability detection and remediation capabilities, an overview of open-source license limitations and obligations found through solutions such as software composition analysis (SCA).

Supply Chain Risk Management

Incorporating supply chain risk management strategies into an organisation's security plan can help to identify and mitigate potential threats.

This may include evaluating the trustworthiness of third-party vendors, monitoring the security posture of dependencies, and establishing contingency plans in the event of a compromise.

We should also consider implementing software bill of materials (SBoMs) to document and track the components included in our software stack. SBoMs provide a comprehensive view of an application's dependencies, enabling organisations to assess the potential risks associated with each component and ensure the timely application of security updates.

Another crucial aspect of supply chain risk management is conducting regular risk assessments, which can help organisations identify potential vulnerabilities and develop appropriate mitigation strategies. These assessments should consider factors such as the criticality of each component, the complexity of the software stack, and the potential impact of a compromise on the organisation's operations and reputation.

Education and Training

Educating developers and other stakeholders about the risks associated with open-source software supply chain attacks and the best practices for mitigating these risks is crucial. By raising awareness of the potential dangers and encouraging the adoption of secure development practices, organisations can foster a culture of security that helps to protect their software ecosystem from supply chain attacks.

Regular training sessions, workshops, and online resources can be employed to ensure that all team members are familiar with the latest security practices, tools, and techniques.

By instilling a security-focused mindset across the organisation, it becomes easier to identify and address potential risks before they escalate into full-blown incidents.

Conclusions

A software project's supply chain presents a unique set of challenges and risks, but with a thorough understanding of attack vectors and the implementation of robust security measures, we can work together to defend against potential threats.

By prioritising code review, vulnerability management, secure development practices, supply chain risk management, and education and training, we can foster a more secure and resilient ecosystem.

In the face of ever-evolving cybersecurity threats, it is crucial for organisations and individuals to remain vigilant, adaptive, and proactive in their efforts to safeguard the integrity and security also of the open-source software used in their supply chain.

By working together as a community, we can pool our expertise, resources, and knowledge to create a safer and more secure open-source ecosystem for all.

As the open-source movement continues to gain momentum and more organisations embrace the benefits of open collaboration and innovation, it is imperative that we remain committed to ensuring the security and integrity of the open-source software supply chain.

With new attack vectors emerging and the stakes being raised higher than ever, our collective vigilance and dedication to good practices are crucial. By staying informed, engaged, and proactive in our approach to security, we can help to shape a brighter future for the open-source community and the countless organisations and individuals who depend on it.

In conclusion, the challenges presented by open-source software supply chain attacks are complex and multifaceted, but they are not insurmountable. By understanding the nature of these attacks and adopting a proactive approach to security, we can mitigate the risks and protect the valuable contributions of the open-source community.

Join our community of problem-solvers