The high-profile SolarWinds SUNBURST cyber attack that affected organisations across the globe has shone a spotlight on the importance of defending against supply chain intrusions.
These attacks are perpetrated by criminals looking to gain access to protected information or damage an organisation by targeting less-secure elements within a supply chain. While they are nothing new for SecOps and SOC teams, recent events have served to focus attention on how they might be used in the future.
The SolarWinds attack was very well planned and carefully executed. Attackers gained access to the SolarWinds development servers and inserted malicious source code that concealed itself within legitimate Orion software updates.
The attackers then established a covert communications channel and moved stealthily within the target environments to find the most valuable data. This was then exfiltrated without detection.
While this approach clearly works, there are several easier methods an attacker can use. These include:
1. Open-source software (OSS) vulnerabilities
Many applications used by organisations are built using readily available open-source libraries and packages to save developers time and effort, and most programming languages use package managers to source and update code.
For example, the popular Node.js runtime engine, which runs programs written in JavaScript, utilises node package manager (npm) to provide hundreds of thousands of free and reusable code packages.
The npm platform uses an online database to search for packages suitable for given tasks while the package manager resolves and automatically installs dependencies. Similarly, the Python programming language uses the Python Package Index (PyPI) repository to store and distribute updates to dependent programs.
Unfortunately, package repositories represent a reliable and scalable malware distribution channel for attackers. Expect to see this weakness exploited in future attacks.
2. Dependency confusion
Dependency confusion arises from library dependency declarations, a feature of many modern programming languages that lets programmers pull external code libraries, or packages from internal feeds, into their code.
When those dependency declarations aren't well defined, or the default resolution behaviour is too permissive or not well understood by the programmer, an organisation can be vulnerable to software supply chain attacks.
For example, if a dependency is declared as "use the latest version", an attacker can simply upload a malicious library of the same name but with a newer date stamp to an external repository such as GitHub. The next time the dependency is resolved, the program downloads the attacker-modified version onto the unsuspecting server or application.
3. Typo-squatting
Although more popularly associated with URLs that are created to mimic common typos that send web surfers to fake sites, typo-squatting can also be used to mimic popular OSS package names. When a careless programmer mistypes a particular component's package name, they might be downloading malicious software.
All the attacker has to do is to guess the most popular misspellings and populate the OSS repositories with impostor packages. Alarmingly, industry research shows that in some cases downloads of an illegitimate package comprise almost 30 per cent of the total downloads of the legitimate item.
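The following is an added example (not from the original article or from ExtraHop) of how a defender can check a dependency manifest for the two weaknesses just described: declarations that leave the resolver free to pick "the latest" version, which is what dependency confusion relies on, and package names a typo or two away from a known name. The manifest lines, the allowlist and the internal package name "acme-auth" are all constructed for the example.

```python
import re

# Constructed allowlist of expected packages; INTERNAL_PACKAGES exist only on a private feed.
KNOWN_PACKAGES = {"requests", "numpy", "pyyaml", "cryptography", "acme-auth"}
INTERNAL_PACKAGES = {"acme-auth"}

# Constructed sample manifest in pip requirements.txt syntax; the digest is a placeholder.
SAMPLE_MANIFEST = """\
requests==2.31.0 --hash=sha256:placeholder-digest
numpy>=1.20
acme-auth
reqeusts==2.31.0
pyyaml==6.0.1
"""

def edit_distance(a, b):
    """Levenshtein distance, used to catch names one or two typos away from a known one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lint_manifest(text):
    """Return (package, finding) pairs for every risky requirement line."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#-":  # skip comments and pip options such as -r / --index-url
            continue
        match = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)(.*)", line)
        name, spec = match.group(1).lower(), match.group(2)
        pinned = "==" in spec
        if name in INTERNAL_PACKAGES and not pinned:
            # Classic dependency confusion: a public package of the same name with a higher version wins.
            findings.append((name, "internal package not pinned: public look-alike could win"))
        elif not pinned:
            findings.append((name, "unpinned: resolver may fetch the newest version"))
        if "--hash=" not in spec:
            findings.append((name, "no --hash: installed contents are not verified"))
        if name not in KNOWN_PACKAGES:
            near = sorted(k for k in KNOWN_PACKAGES if edit_distance(name, k) <= 2)
            msg = f"possible typo-squat of {near}" if near else "not on the allowlist"
            findings.append((name, msg))
    return findings

if __name__ == "__main__":
    print(*lint_manifest(SAMPLE_MANIFEST), sep="\n")
```

Only the fully pinned, hash-verified `requests` line passes clean; every other line produces at least one finding.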
Be well prepared
As well as being aware of potential attack methods such as these, organisations need to take further steps to minimise their chance of falling victim to a supply chain attack.
One way of being prepared is to deploy effective network detection and response (NDR) tools throughout the IT infrastructure, including any cloud resources that are being used. NDR tools can help security teams identify suspicious traffic within the infrastructure that could be evidence of an intruder.
Taking such steps early can significantly reduce the chance of falling victim to a supply chain attack. Security teams can be confident they will be notified of any suspicious activity and be able to quickly take the actions required to neutralise the threat.
It’s clear that these types of attacks will remain popular among cyber criminals for some time to come. Make sure your infrastructure is prepared.
Glen Maloney is the ANZ regional sales manager at ExtraHop.