Software technology evolved, and hackers evolved with it. The arms-race with bad actors was mostly restricted to vulnerabilities and attacks directed at the deployed software. Attacking the software supply chain, albeit not unseen, was not the primary target for the bad guys…
The attack many addressed as the start of a shift in the Advanced Persistent Threats (APTs) modus operandi was the SolarWinds attack. Not the first, but with such impact that made headlines and took ITsec by storm.
Examples: SolarWinds, Codecov, Kaseya
SolarWinds is a major software vendor which provides tools for network and infrastructure monitoring. One of the company’s products is Orion, an infrastructure monitoring and management platform. It is used by more than 30,000 public and private organizations to manage their IT resources. Orion accesses IT systems to obtain log and system performance data.
In December 2019 hackers accessed the networks, systems and data of thousands of SolarWinds customers. They attacked its software supply chain inserting malicious code into the platform. Subsequently, SolarWinds delivered the backdoor malware as an update to the Orion software, which hackers could access and impersonate users and accounts of victim organizations. The SolarWinds breach supposed a cybersecurity awakening for all organizations operating in the cloud-native world.
This supply chain attack was followed by others such as Codecov, a software code coverage tool. In January 2021, an attacker extracted a credential stored by mistake in Codecov’s Docker image, which the actor used to modify a uploader script in the tool. The actor just inserted a single line of code that sent all the CI’s environment variables to the attacker’s controlled server when the script was executed. For months, the bad actors gained potential access to systems that used the modified Codecov script.
Later, on July 2, 2021, the attack on Kaseya occurred. Its VSA platform is used by many MSPs that provide IT services to other companies to perform patch management and customer monitoring. Hackers attacked Kaseya VSA’s supply chain, compromising its infrastructure and subsequently releasing malicious updates on VSA’s local servers to infect the managed companies’ systems, encrypting their data and demanding a ransom. Ransomware via a trojanized tool used by MSPs on their managed companies, which are the end targets. How clever!
Since the SolarWinds incident, there have been more and more attacks against the software supply chain, impacting the image and economics of companies such as Samsung, Uber, Nissan, Nvidia, among many others. According to Gartner, “by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a threefold increase since 2021.”
A New Generation of Attacks
Attacking a company’s proprietary applications or production environments only generates a single victim. This, coupled with the fact that the vast majority of companies have already implemented AppSec protections like AST, SCA or WAF tools, has led to the emergence of a new generation of attackers aiming the software development pipeline. Supply chain attacks can affect thousands of companies with just one simple attack: the ideal amplifier.
The development infrastructure is an easy target for attackers. Its large attack surface provides access to the production environment and its data. The entire infrastructure of DevOps tools: repositories, source control management systems, build tools, deployment tools, Infrastructure as Code templates, containers, scripts files, etc. is fairly large and vulnerable. Moreover, all these tools are far from the control of the security area and are managed by the development and production teams. Hackers know this and take advantage of these weaknesses.
The New Target
Often developers write secrets in the source code such as credentials and keys for testing during development. These are stored in files often under version control, and can be found by attackers in the future, even if the files or secrets are removed. This will allow attackers to install backdoors, read the source code, insert malicious code, extract sensitive data, etc… Once malicious actors have valid login credentials they can move laterally through the SDLC. These credentials allow them to move to other tools and gain advanced user privileges to search for higher value information.
Hackers can use credentials to breach the SDLC, but they also can break into repositories or tools inaccurately configured or left insecure, that put systems and data at risk.
Attacks also target open-source packages. We all know horror stories about attacks that exploit known vulnerabilities, such as Log4j. On the other hand, supply chain attacks are different: attackers injects malicious code into popular open source packages for later use in the build process by many organizations in the world.
In short: hackers can exploit privileged access, misconfigurations and vulnerabilities in the CI/CD pipeline infrastructure as a vector to insert malware in a software that could be used by many.
How to protect our SDLC
The number of supply chain attacks is growing steadily, and the market is reacting to this scenario. Some organizations have established frameworks to address software supply chain security, like the NIST Secure Software Development Framework (SSDF) and Google’s Supply Chain Levels for Software Artifacts (SLSA). However, there are not many companies that make it a priority to protect DevOps tools and infrastructure to avoid attacks on their supply chain. In fact, 82% of CIOs think they will be vulnerable to them.
Companies must not only worry about protecting their applications but also the software infrastructure and artifacts that are part of their SDLC as bad actors are targeting the supply chain. The breadth of the attack surface, the lack of awareness on the part of development teams of this type of attack and the lack of specialized security tools is allowing attackers to focus on the software supply chain.
Protecting our pipeline is becoming more urgent every day, and a priority for CISOs, who must ensure that security teams pay attention to the supply chain and work together with Devops teams to protect SDLC from this type of attack.
Using tools that help us secure our SDLC, identify backdoors, suspicious behavior, and stop supply chain attacks is necessary to keep our DevOps environment private and secure. The first tools to protect software supply chain security are beginning to emerge. Some are more focused on the Dev side and others on the Ops side. And some, such as Xygeni, have the mission of protecting the integrity and security of the software ecosystem throughout the entire DevOps.
To read more