The Increasingly Complex and Varied Vectors to Attack Software Supply Chain

The Increasingly Complex and Varied Vectors to Attack Software Supply Chain

November 23, 2022 | Adeline Zhang

Unlike vulnerability exploitation in products, attack vectors and implementation channels targeting the supply chain in the real environment are more diverse.

Due to the advantages of low development cost, the widespread use of open-source components in projects has become the mainstream development method. The conflict between a rule-relaxed open community and limited maintenance resources provides an opportunity for attackers. Inserting malicious code into open-source code is the most direct way, but this conventional vector can be restrained by methods like manual code auditing. Consequently, attackers are starting to find alternative ways to find weaknesses in manual code inspection. Researchers at the University of Cambridge mentioned a new attack technique called Trojan Source [1], which uses invisible characters in Unicode to construct malicious hidden codes that are hard to recognize by the naked eye to escape manual review. In addition, researchers at the University of Minnesota have proposed ways to submit hidden vulnerabilities to open-source projects and have practiced the Linux Kernel Project [2]. Although this practice has been called off because of strong condemnation from the open-source community, it still unveiled the concealment and potential destructiveness of this attack vector.

Public Code Storage Warehouse is the carrier of open-source software code, from which organizations draw third-party dependency in the process of product development and construction. However, the absence of effective security control and automated countermeasure will make the public code repository a potential platform for the spread of malicious code. In early 2021, security researcher Alex Birsan proposed a new supply chain attack method called Dependency Confusion[3]. An attacker creates a higher version of an item of the same name for a private dependency in a public repository, causing malicious code to be pulled during the construction process. This technique cleverly takes advantage of design flaws in mainstream package managers and uses the ambiguity of package names to implement remote code execution in many products. It is listed as the top Web attack technique by PortSwigger in 2021[4].

As DevOps concept is deeply rooted in people’s hearts and IT cloud services are widely used, automated tools have become popular in modern software development workflow, from construction, testing to deployment.  As a landing practice of DevOps concept, CI/CD platform plays a key role in ensuring continuous integration and deployment. Attacks targeting such platforms are also emerging. In the SolarWinds supply chain attack in late 2020, attackers inserted malicious code into the code repository of IT management software, compiled and deployed to global governments and multinational organizations, which had a significant impact. In April 2021, the Bash Uploader script in products of a software testing firm Codecov was modified due to an error in its Docker image creation process that enabled attackers to obtain sensitive information such as software source code, credentials, etc. [5].

Previous posts on software supply chain security:

References:

[1] Boucher, N. and R. Anderson, Trojan Source: Invisible Vulnerabilities. arXiv preprint arXiv:2111.00169, 2021.
[2] Open Source Insecurity: The Silent Introduction of Weaknesses through the Hypocrite Commit
[3] https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
[4] https://portswigger.net/research/top-10-web-hacking-techniques-of-2021
[5] https://blog.sonatype.com/what-you-need-to-know-about-the-codecov-incident-a-supply-chain-attack-gone-undetected-for-2-months