In a recent supply chain attack, malicious actors were able to compromise the software update process of Click Studios, a password management software company. The attackers inserted a modified DLL file into the update, which allowed them to gain access to customers’ password records. The compromise was detected and shut down after approximately 28 hours, but during that time, the attackers were able to harvest the password records of affected customers.
Following the attack, the attackers launched phishing campaigns targeting Click Studios users. These phishing emails contained links to an updated version of the malware, further compromising the security of affected individuals.
One notable aspect of this supply chain attack is the social engineering element. In addition to tampering with the technical aspects of the update process, the attackers also altered the user manuals, help files, and PowerShell build scripts to point to their malicious content distribution network (CDN) server. This social engineering tactic took advantage of the trust that users have in CDNs, as they are commonly used for legitimate purposes such as delivering updates and scripts.
This type of attack, known as a dependency confusion attack, has become increasingly common in 2021. It exploits a weakness in open-source ecosystems where a private dependency with the same name as a public one can be replaced by the attacker’s version with a higher version number. This allows the attacker to inject their own code into software builds, potentially compromising the security of the entire supply chain.
Ethical hacker Alex Birsan demonstrated the effectiveness of dependency confusion attacks by hacking into 35 big tech firms and earning over $130,000 in bug bounty rewards. His research disclosure prompted copycat attacks, with thousands of fake packages flooding popular open-source repositories. Resolving this vulnerability requires measures such as reserving the names of private dependencies on public repositories and implementing automated solutions to prevent conflicting dependency names from entering the supply chain.
Another concerning aspect of supply chain attacks is the theft of SSL and code-signing certificates. Compromised SSL certificates can threaten the security of encrypted connections, while stolen code-signing certificates allow attackers to sign their malware as legitimate software updates. The infamous Stuxnet attack was a prime example of this, where attackers used stolen private keys to sign their malicious code as “trusted.” It is essential for companies to promptly revoke compromised certificates to prevent their misuse by attackers.
Developers’ CI/CD infrastructure has also become a target for supply chain attacks. Attackers have been able to abuse automation tools such as GitHub Actions to mine cryptocurrency and introduce malicious code into legitimate repositories. By filing altered pull requests and exploiting vulnerabilities in automated processes, attackers can successfully compromise the software supply chain. Securing CI/CD pipelines and developer tooling and infrastructure has become crucial in preventing these types of attacks.
Finally, social engineering remains a potent tool for dropping malicious code into the supply chain. Exploitation can come from unexpected sources, as demonstrated by the University of Minnesota researchers who intentionally introduced vulnerable code patches into the Linux kernel source code. Developers may not always have the bandwidth to thoroughly vet every code commit, making it easier for malicious actors to slip through the cracks. It is imperative for organizations to prioritize secure coding practices and educate developers on the risks of social engineering attacks.
In conclusion, supply chain attacks continue to pose a significant threat to software security. Whether through technical exploits, social engineering tactics, or the theft of certificates, attackers are finding increasingly sophisticated ways to compromise the software supply chain. Companies must take proactive measures to secure their supply chains, including implementing secure coding practices, using automated solutions, and securing their CI/CD infrastructure. Only by addressing these vulnerabilities can organizations protect themselves and their customers from the devastating impact of supply chain attacks.