Supply chain attacks are an interesting method of compromising a computer system, but how do they work? Tom Explains.
Featuring Tom Merritt.
Please SUBSCRIBE HERE.
A special thanks to all our supporters–without you, none of this would be possible.
Thanks to Kevin MacLeod of Incompetech.com for the theme music.
Thanks to Garrett Weinzierl for the logo!
Thanks to our mods, Kylde, Jack_Shid, KAPT_Kipper, and scottierowland on the subreddit
Send us email to [email protected]
Episode transcript:
I heard some software got compromised because of a supply chain attack.
That sounds like malware was delivered by boat or something.
But my SysAdmin friend tells me it’s no joke. What the heck is it?
Confused? Don’t be. Let’s help you know a little more about Supply Chain Attacks.
A supply chain attack can mean a lot of things including people drilling a whole in a warehouse or something. But in the technology world we use the term supply chain attack to mean adding malicious code to software or hardware before it is supplied to its destination. This lets the attacker use it as a Trojan horse. Wait for the compromised admin software or network card to be installed within a company’s network, then attack from within.
Supply chains in tech usually involve multiple vendors. In hardware there is software embedded on parts that may be sent to multiple packagers and assemblers before finally being shipped out for warehousing and distribution. In software, multiple vendors may make components used in the software, some open source and some proprietary. It could be components or dependencies. Little bits of code that do one specific thing and save a lot of time and money so that developers don’t have to rewrite every piece from scratch. Like maybe a clock or a machine learning model. Even when the software is finally done, the software-maker may use intermediaries to distribute the software and to handle pushing out updates.
Any one of those links in the chain can be an opportunity for an attack. Supply chain attacks are conducted by sophisticated actors, often called Advanced Persistent Threats or APT. The attackers will usually conduct surveillance on a supply chain to identify which part of it has the weakest security. You can successfully attack a large well-secured company by compromising a piece of its software made by a smaller less well-secured business.
So the attackers look for an insecure network, unprotected server infrastructure or bad coding practice and exploit it to hide malware in the build or update process in a way that is difficult to detect. The software is released by a trusted vendor, signed and certified without anyone realizing it contains a backdoor or some other malware.
Supply chain attacks come in multiple flavors. Upstream attacks are the most common. That’s where the attackers infect an update, so every installation that updates, gets infected.
Other type of supply chain attacks can include:
Targeting development tools so the developers working on code unknowingly insert malware
Target dependencies – components of software that are frequently included in all kinds of software.
Compromise elements of automation like cloning repositories.
However it’s used, supply chain attacks are efficient because the attacker can just compromise one element, wait for it to appear in multiple places and then choose who to attack. Let’s say a company makes a component that is used in lots of software. Maybe it’s a network management component that goes into all kinds of applications from sales to HR and beyond. The attacker just compromises that one component, which then gets into hundreds of thousands of installs across multiple parts of multiple companies.
And once you’re into a network you can then install more malicious software elsewhere, so that even if the original piece of software is patched, the malicious attacker is still inside.
There are no end of examples of supply chain attacks.
The first supply chain attack was demonstrated in 1984 by one of the creators of Unix, Ken Thompson. For science. He was probing for vulnerabilities and wanted to see if he could hide a backdoor. So he built a compiler that put a backdoor in the login function. He also compromised the compiler that was used to compile that compiler so there wouldn’t be signs of tampering.
One common example is to inject spyware into a firmware installation for a consumer device. This kind of attack has been carried out against multiple computer makers like Lenovo and Asus.
Another example is to infect the software update process. That happened to hard drive utility CCleaner.
Of course the one you most likely have heard of happened to a company called Solar Winds. It offers a network monitoring tool called Orion. Attackers breached SolarWinds and managed to place malicious code in a software update for Orion. Yes the tool you used to monitor your network was compromised to let people into your network. Any company that applied the software update between March and June 2019 unknowingly installed a backdoor to their network. That ended up being around 18,000 networks.
The attackers did not use all these backdoors, but they did exploit many of them including ones at NASA, the US Department of Defense and multiple large companies including Microsoft, Intel, Cisco and security firm FireEye.
Another famous one that you may not realize was a supply chain attack, happened in 2017 when updates for accounting software MEDoc pushed out the destructive NotPetya code.
There are many more and you haven’t heard of most of them because a successful supply chain attack won’t attract attention. Most supply chain attackers want to run quiet, keeping activities at a minimum so as not to be detected. Some even rent out their access to other malicious actors.
Ok so how do we stop them?
Supply chain attacks are hard to defend against. The company affected is not the company that made the software. If you work in any kind of company, you know how hard it is to get people within the same company to cooperate to identify security issues. Now multiply that by one or more vendors in a supply chain to stop supply chain attacks.
So let’s run through the option.
A company could try to screen all its software– and it should– but it won’t always have access to source code and even if it did, will not always catch every cleverly hidden compromise. An update changes the behavior of software by design so it’s hard to tell which changes are intended and which aren’t. FireEye and Microsoft both missed the malware in SolarWinds’ Orion. Not because they are incompetent but because it was that cleverly hidden.
A company could try to write all its software in house, choosing not to trust any vendor. But that would likely end up having more security vulnerabilities of more kinds rather than less. It would also be much more costly than following best practices to prevent supply chain attacks. One of the benefits of using vendors is gaining their expertise and their security efforts at scale.
The common advice these days is to use fewer suppliers and hold them to higher standards of security and quality, while tightening up your own internal network security to make it harder for malicious actors if they do get into your network.
The US issued an executive order in May 2001 charging NIST with setting minimum security standards for a company that wants to sell software to federal agencies. This will cause many companies to raise their standards because they want to sell to the government. But companies who buy software and aren’t the government, can and probably should tailor their own standards as well.
Still, the NIST recommendations are a good template. There are two main areas of defense. Hold your vendors to a high standard to reduce the chance that you are buying software from a compromised entity. And develop robust internal protections that can detect and shutdown compromises if and when they do get in.
Among the security measures recommended for companies to protect themselves are the use of multi factor authentication for all users and admins. Uniquely identify and authenticate each service attempting to access critical software. Don’t trust something just because it’s inside the network. Maintain a software inventory so you know what’s actually running in your system. Encrypt data at rest and in transit. And there’s lots more about training, patching and monitoring. All meant to make it harder for an attacker to move even if they do get inside.
But you also want to make it less likely they get inside your software at all.
To reduce the chance that you are using a compromised vendor there are NIST standards for vendors as well. Vendors must engage in threat modeling, automated testing, code-based analysis, running programs in test cases to look for bugs, check all included libraries and other software and you know, fix bugs when you discover them. Basically make them prove they’ve done everything to help stop malicious actors from infecting their software.
You may be asking why these sorts of things aren’t already common practice. The answer is cost. Companies have been writing software or buying software on the cheap for decades, essentially relying on security through obscurity. Those days are gone. Auditing and certification are expensive but as more companies demand it, the prices will fall. And it’s worth the cost. Ask the victims of the NotPetya and Solar Winds attacks.
There are other movements besides NIST too.
The Consortium for Information and Software Quality for instance developed ISO standards that are the software equivalent of a bill of materials. It lets you know all the components that are in the software you’re buying, when they were last patched and if there are any known outstanding vulnerabilities.
This is a VERY high level overview of this topic. If you’re in an enterprise you should read the full NIST guidelines as well as some very good recommendations from security companies like FireEye and infrastructure providers like Cloudflare and Microsoft.
But I hope it helps you know a little more about supply chain attacks.