Organisations not prepared for software supply-chain attacks
Software supply-chain attacks are not a new development. Security experts have warned for many years that they are among the hardest types of threat to prevent, because they take advantage of trust relationships between vendors and customers and of machine-to-machine communication channels, such as software update mechanisms, that users inherently trust.
Back in 2012, researchers discovered that the attackers behind the Flame cyber espionage malware used a cryptographic attack against the MD5 hash function to make their malware appear as if it had been legitimately signed by Microsoft, and distributed it to targets through the Windows Update mechanism.
Microsoft itself, the software developer, was not compromised in that attack; instead, the attackers exploited a weakness in how Windows Update verified files, demonstrating that software update mechanisms can be exploited to great effect.
In 2017, security researchers from Kaspersky Lab uncovered a software supply-chain attack by an APT group dubbed Winnti that involved breaking into the infrastructure of NetSarang, a company that makes server management software, which allowed them to distribute trojanised versions of the product that were digitally signed with the company's legitimate certificate.
That same group of attackers later broke into the development infrastructure of Avast subsidiary CCleaner and distributed trojanised versions of the program to over 2.2 million users. Last year, attackers hijacked the update infrastructure of computer manufacturer ASUSTeK Computer and distributed malicious versions of the ASUS Live Update Utility to users.
"I don't know of any organisation that incorporates what a supply chain attack would look like in their environment from a threat modelling perspective," David Kennedy, former NSA hacker and founder of security consulting firm TrustedSec, tells CSO.
"When you look at what happened with SolarWinds, it's a prime example of where an attacker could literally select any target that has their product deployed, which is a large number of companies from around the world, and most organisations would have no ability to incorporate that into how they would respond from a detection and prevention perspective. This is not a discussion that's happening in security today."
While software that is deployed in organisations might undergo security reviews to understand if their developers have good security practices in the sense of patching product vulnerabilities that might get exploited, organisations don't think about how that software could impact their infrastructure if its update mechanism is compromised, Kennedy says.
"It's something that we're still very immature on and there's no easy solution for it, because companies need software to run their organisations, they need technology to expand their presence and remain competitive, and the organisations that are providing this software don't think about this as a threat model either."
Kennedy believes it should start with software developers thinking more about how to protect their code integrity at all times, but also about ways to minimise risks to customers when architecting their products.
"A lot of times you know when you're building software, you think of a threat model from outside in, but you don't always think from inside out," he said. "That's an area a lot of people need to be looking at: How do we design our architecture infrastructure to be more resilient to these types of attacks? Would there be ways for us to stop a lot of these attacks by minimising the infrastructure in the [product] architecture?
"For example, keeping SolarWinds Orion in its own island that allows communications for it to function properly, but that's it. It's good security practice in general to create as much complexity as possible for an adversary so that even if they're successful and the code you're running has been compromised, it's much harder for them to get access to the objectives that they need."
Companies, as users of software, should also start thinking about applying zero-trust networking principles and role-based access controls not just to users, but also to applications and servers. Just as not every user or device should be able to access any application or server on the network, not every server or application should be able to talk to other servers and applications on the network.
When deploying any new software or technology into their networks, companies should ask themselves what could happen if that product gets compromised because of a malicious update and try to put controls in place that would minimise the impact as much as possible.
It's likely that the number of software supply-chain attacks will increase in the future, especially as other attackers see how successful and wide-ranging they can be.
The number of ransomware attacks against organisations exploded after the WannaCry and NotPetya attacks of 2017 because they showed attackers that enterprise networks are not as resilient against such attacks as they had thought. Since then many cyber crime groups have adopted sophisticated techniques that often put them on par with nation-state cyber espionage actors.
Ransomware gangs have also understood the value of exploiting the supply chain and have started hacking into managed services providers to exploit their access into their customers' networks. NotPetya itself had a supply chain component because the ransomware worm was initially launched through the back-doored software update servers of an accounting software called M.E.Doc that is popular in Eastern Europe.
Both organised crime and other nation-state groups are looking at this attack right now as "Wow, this is a really successful campaign," Kennedy said. From a ransomware perspective, if they simultaneously hit all the organisations that had SolarWinds Orion installed, they could have encrypted a large percentage of the world's infrastructure and made off with enough money that they wouldn't have ever had to work again.
"They probably know their sophistication level will need to be increased a bit for these types of attacks, but it's not something that is too far of a stretch, given the progression we're seeing from ransomware groups and how much money they're investing in development. So, I definitely think that we can see this with other types of groups [not just nation states] for sure."