How can organizations tackle the growing menace of attacks that shake trust in software?
Cybersecurity is only as good as the weakest link, and in a supply chain this could be virtually anywhere. The big questions may be, “what and where is the weakest link?” and “is it something that you have control over and can actually address”?
A supply chain consists of everything between the raw materials and the end product, encompassing the supplier of raw materials, the manufacturing processes, the distribution and finally the consumer. If you consider a bottle of mineral water, any malicious contamination introduced through its path to the consumer compromises the entire supply chain.
The well poisoned
Cybersecurity is no different – a contaminated chipset placed into a device such as a router potentially contaminates the end product, creating an issue for the consumer. In software, you can also get a “contaminated component scenario”, one that security vendor FireEye found themselves in when they were hacked recently. When the company discovered that it been the victim of a cyberattack, a deeper investigation found that the attacker had slipped a malware-laced update into a network management product called Orion, made by one of the company’s software providers, SolarWinds.
The backdoor – which FireEye named SUNBURST and that is detected by ESET as MSIL/SunBurst.A – was implanted into Orion prior to the code being provided to FireEye, thus creating a contaminated end product for the consumer. In this case “the consumer” meant some 18,000 commercial and government organizations that installed the tainted update through the Orion update mechanism, thereby becoming the ultimate victims of the attack. At least 100 of them were targeted for follow-on hacks, with the bad actors inserting additional payloads and burrowing deeper into the companies’ networks.
And therein actually lies the sprawling damage potential of supply-chain attacks – by breaching just one vendor, bad actors may eventually be able to gain unfettered and hard-to-detect access to large swaths of its customer base.
The writing is on the wall
A bit of a watershed moment for cybersecurity, the SolarWinds incident brought echoes of earlier attacks of similar ilk, including the compromises of CCleaner in 2017 and 2018 and the attacks involving the NotPetya (aka Diskcoder.C) wiper disguised as ransomware, which spread through an update to a legitimate tax accounting package called M.E.Doc. And back in 2013 Target fell victim to a breach that was traced back to the theft of login credentials from a third-party HVAC supplier; indeed, it was this attack that began to bring supply-chain attacks into focus.
Fast forward to the recent past, and ESET researchers have uncovered several examples of these kinds of attacks over the past couple of months alone – from the Lazarus group using hacked security add-ons, to Operation Stealthy Trident attacking highly regionalized chat software for businesses, to Operation SignSight, used to compromise a certificate authority, to Operation NightScout, a hacked Android emulator.
While the assaults varied in methodology and attack patterns, they were very specific in their targeted demographic. From South Korean to Mongolian or Vietnamese intended audiences, the attacks were custom-tailored. It makes a certain kind of sense, in a kind of a riff on targeted marketing efforts, which tend to be more effective than broad, but very expensive “spray and pray” approaches. Targeted attacks depend on the motivations that drive any given campaign.
Supply-chain problems can wreck your life
Supply chains are the digital “duct tape” that binds our e-life together. They contain the robots that assemble and program the billions of devices we now rely upon. Left home without your phone and drove miles back to get it? Yeah, that dependent. Medical device dependent. How would you know if they got hacked? You probably wouldn’t, and you’re not alone.
Automation makes sense: The robots are better at it than you or me. But what happens when the robots go rogue? Stomping through Tokyo streets is an obvious, if overdone, popular culture manifestation, but so might placing quiet backdoors in building control software. Less likely to get caught, too.
There used to be hard lines between hardware and software; now it’s a blur. From microchips and system on a chip (SoC) cores to Xylinx FPGA code, manufacturers and integrators sort of “mash up” a bunch of core logic and stuff it into a chip that gets soldered onto a board. Much of the heavy lifting in the off-the-shelf code has already been done and is open source, or at least widely available. Engineers just download it and write the glue code that ties it all together and ship a finished product. It works great. Unless the code is corrupted somewhere along the way. With rudimentary toolchains that still use variants of ancient serial protocols for access (really) and other totally undefended protocols, digital shenanigans are ripe for the picking.
And lately, someone has been picking them with increasing frequency – and ferocity.
It’s difficult to be confident that every link in any supply chain is tamper free. From fake chips placed in-line for snooping network traffic to corrupt SoC code, this stuff is far less likely to make itself known than rampaging robots. Implanting internet-accessible backdoors for future use is high on the list for would-be attackers, and they’re willing to go to great lengths to pull it off.
It has become a global race, with the accompanying marketplace spooling up. Turn in a serious software bug and you get a T-shirt and bounty; sell it to a nation-state threat actor and you can put a down payment on your own island. In this environment it’s hard to imagine the supply chain being above suspicion. In fact, we’re finding quite the opposite.
Keeping the well clean
The feasibility for any company to be in full control of its supply chain and to guarantee that no raw components that are incorporated into its own products or services has not been contaminated or exploited en route to the eventual consumer is probably near zero. Minimizing the risk of a supply-chain attack involves a never-ending loop of risk and compliance management; in the SolarWinds hack, the post-attack in-depth inspection of the third-party vendor’s product identified the exploit buried deep in the code.
Here are 10 high-level recommendations for reducing risks that stem from vulnerable software supply chains:
- Know your software – keep an inventory of all open-source and proprietary off-the-shelf tools used by your organization
- Keep an eye out for known vulnerabilities and apply the patches; indeed, attacks involving tainted updates should by no means discourage anybody from updating their software
- Stay alert for breaches impacting third-party software vendors
- Drop redundant or outdated systems, services and protocols
- Assess your suppliers’ risk by developing an understanding of their own security processes
- Set security requirements for your software suppliers
- Request regular code audits and inquire about security checks and change control procedures for code components
- Inquire about penetration tests to identify potential hazards
- Request access controls and two-factor authentication (2FA) to safeguard software development processes and build pipelines
- Run security software with multiple layers of protection
An organization needs to have visibility into all of its suppliers and the components they deliver, which includes the policies and procedures that the company has in place. It is not enough to have legal contracts that apportion blame or make the supplier responsible when the reputation of your own company is at stake; at the end of the day, the responsibility lies firmly with the company that the consumer purchased the product or service from.
written by Cameron Camp, Tony Anscombe, ESET We Live Security