11/5/2021

The Software Supply Chain - A History of Security Failure

Author: Cole Kennedy

Securing the supply chain

Beginning in 2020, the cybersecurity marketplace and the IT industry segments it serves became painfully aware of an emerging threat - Supply Chain insecurity. For the previous decade, cybersecurity vendors, industry experts and national governments had been focusing on a handful of threats to corporate networks and the growing threat to freestanding devices that comprise the emerging Internet of Things (IoT/IIoT), fostering the evolution of a range of AI and ML-based technologies to protect network entry points, especially end-point security and stopping email-based insecurities.

But suddenly, IT and dev managers realized that they couldn’t even trust their sources of key elements of the enterprise software stack, the software supply chain.

Following are descriptions of the most egregious supply chain attacks of 2020 and 2021:

Build System Attack:

Solar Winds

The most infamous of these supply chain attacks is SolarBurst. The Solarwinds Orion Platform simplifies monitoring, analysis, and management of the complete IT stack in one place. The Sunspot malware attacks Orion by monitoring processes on infected hosts and detects when the build tool MSBuild.exe runs. Sunspot determines whether MSBuild is building the Orion software and injects the SunBurst/Solarigate backdoor into the resulting Orion software.

The malware takes pains to cover its tracks, including restoring the original source file at the end of a build and using file checksums to prevent the backdoor source file from being copied when the file in the source code that it replaces is updated.

Impact: The host system used to build Orion became infected with the Sunspot malware, which propagates to the rest of the Orion supply chain.

TestifySec's SoloarSploit is a red team tool that emulates the SolarWinds CI compromise attack vector. We created this tool to help enterprise understand and defend against this complex attack vector. Visit our GitHub repository for the source code

Malicious Maintainer Exploit:

The Great Suspender

The Great Suspender is a lightweight Chrome extension to reduce memory footprint by suspending quiescent browser tabs after a configurable length of time. The original developer stopped maintaining the code in June 2020 and “sold” the project to an unknown entity. The new maintainer altered the extension to collect ALL browsing information and forward it to the project owner’s server, effectively tracking all user web activity.

Impact: after two million downloads of the extension, Google eventually removed it from the store but an unknown, substantial number of deployments likely remain on user systems in the wild.

Vulnerable Default Configurations:

SonarQube

SonarQube is an open-source platform for continuous inspection of code quality. SonarQube performs automatic reviews with static code analysis to detect bugs and security vulnerabilities. SonarQube installs on web servers and source code hosting systems like BitBucket, GitHub, GitLab, Azure DevOps systems, etc. Many of these systems (according to the FBI) are employed with default, unprotected configurations with default admin credentials.

Impact: Misconfigured SonarQube installations can allow bad actors to access code repositories and steal source code from US government agencies and private businesses.

Misconfigured Cloud Storage:

Twilio SDK

Twilio offers a family of server and client-side API libraries including the Task Router SDK library for Communications Platform as a Service (CPaaS).

Impact: through misconfiguration, attackers were (theoretically) able to inject malicious code to steal data from cloud-hosted storage buckets. Twilio quickly remediated the exploit and no customer data theft was reported.

Dev Team Impersonation:

PHP Language Project

The popular PHP language supports the development of many server-side web applications and is deployed on 78.4% of all websites with server-side programming (w3rtechs.com). PHP is built and maintained as an open-source project, with its own self-hosted GIT server. That GIT server was compromised, and two malicious commits (with forged developer signatures) enabled inclusion of backdoor capabilities.

Impact: Code changes introduced a remote code execution backdoor to any PHP server built from the source-code that included these commits.

Remediation was non-trivial and involved both technical and practices-based steps:

  • Membership in the PHP GitHub organization now required 2FA-enabled accounts
  • Write access to the repository migrated from a self-built karma system to a restricted one open only to members of the PHP project GitHub organization.
  • The PHP team stop maintaining their own infrastructure and declared their GitHub PHP project repository as the primary source.

Source Compromise:

Codecov Bash Uploader

Codecov is a code coverage tool for developers that integrates with GitHub, BitBucket, and GitLab. An attacker gained access to the CodeCov bash uploader script using an error in the Codecov Docker image creation process. This error allowed an attacker to extract the credentials needed to modify the Bash script.

Impact: unauthorized alterations of this script that could affect

  • credentials, tokens, keys that passed through the Codecov CI runner
  • services that these credentials allowed access to
  • information about the git remote, i.e., the origin repository using the uploader script.

Compromising Codecov credentials enabled modification of their source by the attacker, in turn leading to a potential Dev Tooling compromise for Codecov users.

Code Injection:

Homebrew Dev Tooling Compromise

Homebrew is a package manager for macOS and also for Linux. Homebrew-Cask extends Homebrew to support installing large binary files via the command-line, for example, applications like Google Chrome, Dropbox, VLC and Spectacle (vs. downloading .dmg files and dragging them to the Applications folder).

Impact: A vulnerability in the review-cask-pr GitHub Action used on homebrew-cask and all homebrew-cask-* taps (non-default repositories) in the Homebrew organization allow an attacker to inject arbitrary code into a cask and having it merged automatically, is due to a flaw in the git_diff dependency of the review-cask-pr GitHub Action.. This flaw allows the parser to be spoofed into ignoring the offending lines, resulting in successfully approving a malicious pull request.

Platform Misconfiguration:

Visual Studio Code Dev and QA tool compromise

Microsoft Visual Studio Code is a source-code editor for Windows, Linux and macOS with support for debugging, syntax highlighting, intelligent code completion, snippets, code refactoring, and embedded Git.

Impact: A vulnerability in Visual Studio Code issue management and a lack of authentication checks cloud enabled the could allow bad actors to obtain push access, and write to the repository.

Conclusion

The above are examples of KNOWN issues in the enterprise software supply chain. Some were discovered by cybersecurity researchers while others were detected fortuitously in the wild, by project and site owners or by end-user organizations

Follow up

This is the first of three blogs about IT Supply Chain Security:

  1. The Software Supply Chain - A History of Security Failure
  2. Supply Chain Attack Typology - How Bad Actors Corrupt and Exploit
  3. How to Secure the Software Supply Chain - Best Practices

You can also view my presentation on these topics from CMS CISO Cybersecurity Forum 2021