New forms of software supply chain attacks

        Software supply chain attack is a new attack method , It is different from traditional attacks , A software supply chain attack can affect hundreds or even thousands of different goals .

        In a nutshell , Suppose I am a cyber criminal , Want to inject malicious code N A different goal . In a traditional cyber attack , I need to figure out about N Three independent vulnerabilities affect each system . Although I can reuse the same attack mechanism for multiple targets , But I can't guarantee that my attack will work in all cases . What's worse is , Here N Any one of the goals may have relatively strict security measures , And it's hard to break . This is the traditional attack method .

          Now? , I only need to consider launching a campaign against the same N A systematic supply chain attack is enough , I just need to hack here N A shared dependency in one target can complete the attack on all enterprises in the supply chain . What's more dangerous is , I can try to find the simplest attack surface from countless other sources .

        This is why software supply chain attacks are so dangerous ： A successful attack can affect a large number of targets .

        that , What strategies can the security team adopt to improve the security of the software supply chain ？ What tools can provide the most powerful protection ？ First , I want to introduce three typical software supply chain attacks .

One 、 Examples of software supply chain attacks

01 Event-stream

        Event-stream It's a npm package , Its maintainer is unwilling to carry out subsequent maintenance , So they transferred its publishing permission . The new maintainer added a new one named latMap stream The dependencies of , This dependence is initially benign , And it works .

          however , They later updated latMap stream, Make it carry malicious code , Can sniff installed 100 Bitcoin wallets with multiple bitcoins , And send the key to the remote server . If you update your event-stream Or any dependencies , And for latMap stream Defines a version range , Then it will not hesitate to introduce malicious code .

      There is only one shared resource （npm The registry ）. The target of the attacker is BitPay, But the vulnerability affected other companies , Including Microsoft and most others who don't know event-stream user .

02 SolarWinds Orion

        SolarWinds The incident is probably the most famous example of software supply chain attack . The reason why this happens , It's because hackers get security credentials . After all, if your company is SolarWinds,SolarWinds123 Will not be a good password .

          Once the attacker destroys these credentials and enters SolarWind The Internet , They started in the whole SolarWind Add malicious code to your system . say concretely , The ultimate goal of hackers is Orion platform , The platform is used for infrastructure monitoring and some security features of large organizations .Orion Considered a single 、 Reliable resources . If the user from SolarWinds download , They hope payload come from SolarWinds.

        however , once payload Malicious update , Something like event-stream The attack of .SolarWinds Orion Attacked , Then it affected the Federal Reserve 、 Microsoft 、 Hundreds of organizations including the U.S. Department of energy . This vulnerability has lasted for more than a year , It still plagues many companies and the U.S. government .

03 Codecov Bash

          lately , We met Codecov bash uploader problem . because Codecov Of docker An error occurred during image creation , Malicious participants gain access to credentials , Then the attacker can modify Codecov Document and modify it for use in CI Secure the script of the tool in the environment .

        For the context ,Codecov Is integrated into CI Code coverage tools in the environment . You download a script and upload your code coverage results to Codecov Server for , also , Attackers can change specific scripts .

        Modifying the script allows attackers to extract secret environment variables , If you run the damaged script from the same CI Deploy production services , This situation will become particularly bad . This means that all your production secrets should be considered to have been leaked . What's worse is ,Twilio、GoDaddy And most of the others Codecov Users don't even know about the attack , Know someone checked payload Of hash, Find out that it has something to do with Github Upload script on hash Mismatch .

Two 、 Defend against software supply chain attacks

        Now that we have discussed specific cases in supply chain attacks , The next focus is undoubtedly how to defend them . Broadly , We divide these defense mechanisms into two categories ： Strategies and tools .

Defense strategies against supply chain attacks

1. Use lockfiles：

In the dependency graph ,lockfiles The version of each package will be fixed in a specific registry . This means that even if a new version is released , And your semantic version range specification allows your code to use it ,lockfiles Will not be changed , Unless you explicitly operate it to complete the update . Besides , majority lockfiles Include hash, You can detect packages payload What happened , To prevent man in the middle attacks .

2. Put dependencies into source control ：

Don't install dependencies from the repository every time you install them . You should manage dependencies effectively , For example, sort out a complete SBOM detailed list .

3. Check all codes ：

This is obviously a time-consuming and laborious work , But this is very necessary . Some necessary automation tools can significantly improve your detection efficiency .

Defense tools for supply chain attacks

1.SCA： It can identify and provide repair suggestions for known vulnerabilities in open source code . In view of the popularity of open source code in modern software development , This is an important part of the security technology stack . Common ones SCA Tools include Mend SCA、CodeAnt、Checkmarx SCA wait .

2.SLSA frame ： This is a Google Released a framework for software component supply chain level , It aims to SDLC Expose metadata in software components at different stages , So as to ensure the integrity of software components in the whole software supply chain .

          These strategies and tools have one thing in common ： visibility . trace back to event-stream event , The attack was initially discovered because the security tool issued a warning during installation , It is said that there is a network call that is about to be abandoned on a software package that should not be linked to the Internet . This prompted the security team to realize that this could be the source of a malicious attack .

        Software supply chain attack is very dangerous , It is also difficult to be detected in time , But use the right SCA Tools 、 Build complete SBOM Lists can be effectively resisted .