Securing the Software Supply Chain

Understanding and Mitigating Major Risks

Securing the software supply chain is becoming increasingly critical as more organizations rely on complex software ecosystems that can expose them to vulnerabilities. These vulnerabilities can lead to significant breaches, affecting not only individual companies but their customers and partners as well. In this blog, we’ll explore four key categories of software supply chain risk and provide proactive prevention strategies. Let’s dive in!

Understanding Software Supply Chain Risks

When we discuss the software supply chain, this includes applications hosted internally, software-as-a-service (SaaS), hosted services, open-source libraries, and more. Each component can potentially introduce security weaknesses, particularly with the rise of AI tools that can now quickly identify and exploit vulnerabilities. To protect against software supply chain threats, it's essential to understand the main types of risks involved:

1. Catastrophic flaws
2. Product vulnerabilities
3. Backdoors and malware
4. Vendor security control gaps
   

Let’s look at each category and how you can proactively reduce your organization’s risks.

Catastrophic Flaws: When Updates Go Wrong

Catastrophic flaws occur when unintended software issues arise during an update or release, potentially causing widespread damage. A recent example is the CrowdStrike incident that took place this summer. On July 19th, a flawed software update caused Windows kernel crashes, resulting in the “blue screen of death” on over 8.5 million computers worldwide. Catastrophic flaws like this demonstrate the critical importance of securing your software supply chain. Let’s look at how your organization can prepare for potential catastrophic events.

Risk Reduction Strategies:

• Rigorous Testing Before Updates: Quickly conduct comprehensive testing across multiple environments to catch as many issues as possible before releasing an update into critical production environments.
• Emergency Response Planning: Have a rollback mechanism and a crisis communication plan to mitigate damage and restore systems quickly if an update fails.
• Backup Systems and Rollback Mechanisms: Keep automated backups and rollback capabilities ready to minimize downtime during an unexpected system failure.

Product Vulnerabilities: Exploiting Plugins and Third-Party Components

Product vulnerabilities often arise from widely used software components, such as third-party plugins or libraries. A notable example is the GiveWP WordPress plugin, which had a critical flaw allowing unauthorized users to create files on web servers and gain complete control. We found an exploit for this vulnerability on the dark web, freely available to attackers, which shows how easily product vulnerabilities can be weaponized. For more details and screenshots of how this happened, watch our software supply chain video at minute mark 4:50.

Another critical vulnerability surfaced in JetBrains TeamCity, a popular tool for managing and sharing source code. Attackers exploited an unpatched flaw to gain access to development environments, where they could steal sensitive source code or implant malicious elements. Over 1,700 servers were found vulnerable, demonstrating the risk posed by such product vulnerabilities. These attacks are becoming increasingly common, and the impacts can be extensive (Remember Log4j?).

Mitigation Tips:

• Monitor Third-Party Components: Maintain an asset inventory of third-party components and ensure regular updates to the latest versions.
• Apply Security Patches Promptly: Use vulnerability scanning tools regularly, but keep in mind that they often lag behind newly discovered vulnerabilities.
• Implement Least Privilege: Limit permissions for plugins and third-party components to reduce the potential damage if they are compromised.

Backdoors and Malware: Breaching the Trust

Backdoors and malware are used by attackers to implant malicious code into trusted software products, compromising customers who install updates. One infamous example is the SolarWinds Orion attack, where hackers planted a backdoor in the SolarWinds Orion software, allowing them access to sensitive systems for over a year before detection. Thousands of customers, including major corporations and government entities, were affected, making this one of the most impactful software supply chain breaches in recent history.

More recently, there was an attempt to introduce a backdoor into the XZ Utilities package, a critical compression utility used by most Linux distributions. The attackers built credibility for years, then tried to insert malicious code into the utility’s update. Fortunately, an observant developer noticed the unusual behavior, preventing the attack from becoming successful. Watch minute 33:36 of our software supply chain video for details and screenshots.

Mitigation Tips:

• Software Bill of Materials (SBOM): Request SBOMs from vendors to understand all components in the software you use which list all software libraries used in the solution. This helps you identify exposure when a backdoor vulnerability is discovered.
• Threat Intelligence Monitoring: Implement tools that flag suspicious updates before deployment and monitor threat intelligence feeds for vulnerabilities.
• Regular Source Code Audits: Conduct frequent audits of open-source and internally developed software to detect unauthorized changes. Use code signing to verify the integrity of software updates.

Vendor Security Control Gaps: Risks of Third-Party Access

Vendor security control gaps occur when vendors fail to implement robust security practices, leading to potential compromises. The Sisense breach is an example where attackers accessed Sisense's GitLab portal and stole credentials, including access keys for Amazon S3 storage (Watch minute mark 43:55 of our software supply chain video for details and screenshots). Weak monitoring mechanisms allowed attackers to access and exfiltrate sensitive customer information, as well as administrative control tokens.

Similarly, the Okta breach (Watch minute mark 47:40 of our software supply chain video for details and screenshots) involved attackers gaining access to sensitive files containing session tokens. These tokens allowed attackers to bypass authentication and impersonate legitimate software services, affecting many companies. For example, Cloudflare was compromised, resulting in the theft of its source code, creating further vulnerabilities.

Mitigation Tips:

• Vendor Vetting Policies: Implement vendor vetting controls and use a third-party risk management solution. Read our third-party risk management blog for advice and best practices.
• Third-Party Penetration Testing: Ensure vendors undergo regular penetration testing and provide documentation as part of your vendor selection process.
• Limit Data Sharing: Restrict data sharing with vendors and establish policies for data deletion after it is no longer required. Limit access rights to sensitive data for vendors.
• Secure Integration Points: Use secure API gateways and strong encryption for data shared between your systems and third-party services.

Evil AI Will Increase Software Supply Chain Attacks

Artificial intelligence tools like WormGPT are being used to quickly identify and exploit vulnerabilities. For example, after feeding stolen source code into WormGPT, we discovered multiple vulnerabilities in seconds, complete with exploit instructions. As attackers leverage AI, defenders must also use AI-driven tools to strengthen software supply chain security. AI can assist in proactive code analysis, helping identify potential vulnerabilities before the software reaches production and more.

A Comprehensive Approach to Securing Your Software Supply Chain

Securing the software supply chain requires a multifaceted approach:

1. Understand Your Software Components: Require SBOMs to catalog dependencies and assess potential vulnerabilities in your software. This helps in identifying weak spots that can be exploited.
2.  Establish Vendor Risk Management Policies: Implement third-party risk management measures, including security testing, contractual agreements for emergency patching, and regular security attestations from vendors.
3. Monitor and Respond: Monitor threat intelligence feeds for emerging vulnerabilities and apply patches immediately. Implement 24/7 monitoring to detect threats in real-time and ensure a swift response.
4. Conduct Regular Penetration Testing: Include third-party software in your penetration testing to identify any weaknesses before they can be exploited.
5. Enhance Incident Response Planning: Your incident response plan must consider both your software supply chain and those of your critical vendors. Ensure a rapid rollback mechanism is in place, like companies who were able to recover quickly from the CrowdStrike incident.
   Securing your software supply chain must be a priority to protect against evolving cyber threats. By understanding and mitigating four major types of risks—catastrophic flaws, product vulnerabilities, backdoors/malware, and vendor security control gaps—you can strengthen your organization's resilience against potential attacks.

Please contact LMG Security if you need help with penetration testing, policy development consulting, cybersecurity solutions, or training. Their expert team is ready to help!

This blog is distributed with the permission of LMG Security.

ABOUT LMG SECURITY 
LMG Security is a full-service cybersecurity firm, providing one stop shopping for a wide array of cybersecurity services. Whether you need virtual CISO or regulatory compliance consulting services, testing, solution integration, training, or one of our many other services – our expert team has you covered. Our team of recognized cybersecurity experts have been covered on the Today Show and NBC News, as well as quoted in the New York Times, Wall Street Journal, and many other publications. In addition to online cybersecurity training, LMG Security provides world-class cybersecurity services to a diverse client base located around the United States and internationally.