
Lessons Ignored in Software Supply Chain Attacks


Software supply chain attacks continue to plague the industry, with recent incidents at GitHub and Micro-Star International (MSI) highlighting the ongoing vulnerabilities. Despite these attacks, it appears that lessons from previous breaches have not been fully learned or implemented. These incidents underline the need for organizations to prioritize security measures and take proactive steps to protect their software supply chain.

In December, an unauthorized user gained access to GitHub’s systems and stole three encrypted code-signing certificates. These certificates included one Apple-issued Developer ID certificate and two DigiCert-issued code-signing certificates for its desktop and Atom applications. While the attacker did not decrypt or use the certificates, GitHub opted to revoke them as a precautionary measure. However, this breach had significant disruptive consequences for its user base.

Similarly, MSI fell victim to a software supply chain attack where hackers gained access to private signing keys for both MSI’s firmware and Intel’s UEFI. This type of attack poses a serious threat, as malware can be hidden within firmware and UEFI, potentially allowing hackers to compromise systems and exfiltrate sensitive information. The increasing usage of open source software has contributed to this trend, as compromises in build platforms, poor code-signing hygiene, and exploitation of third-party software create entry points for attackers.

Code-signing certificates, which are used by software developers to digitally sign applications and other artifacts, have become highly sought after by criminals. These certificates provide a level of trust and assurance to end users that the software has not been tampered with. However, criminals have started targeting code-signing certificates as an attack vector. In a recent attack on Nvidia, the Lapsus$ extortion group stole employee credentials and proprietary data. To further their malicious activities, they utilized stolen Nvidia code-signing certificates and private keys to sign malware in Nvidia’s name. This allowed the malware to appear legitimate to unsuspecting victims and facilitated its spread onto their systems.

The consequences of a stolen code-signing certificate with a private key can be detrimental to a company’s reputation and financial well-being. Malicious software signed with a stolen private key can quickly propagate, as users are more likely to trust software signed with a reputable certificate. Browsers and operating systems often display messages confirming the trustworthiness of software during installation, inadvertently aiding the spread of malware.

To mitigate code-signing certificate attacks, organizations must adopt a comprehensive approach that includes policy, process, and technology. Establishing a robust certificate policy aligned with industry standards and regulations is essential. Starting from June 1, 2023, the CA/Browser Forum code-signing requirements will enforce the use of strong key protection for new code-signing certificates. This necessitates the use of FIPS and/or Common Criteria-certified solutions and hardware for key generation and protection.

Implementing a key rotation strategy is another critical policy to enhance software supply chain security. Relying on a single key and certificate for all code signing can be highly disruptive if the key is compromised. Utilizing unique keys and certificates whenever possible helps mitigate the impact of a security breach. Additionally, controlling user access to critical signing keys through approval workflows or scheduled release windows adds an extra layer of protection.

Process controls are equally vital in securing code-signing certificates and regulating access to them. Organizations should assess signing processes, determine who has control over key and certificate access, and define approval and signing workflows. It is essential to evaluate how software engineers store certificates with private keys, as keeping them in code repositories can introduce vulnerabilities during the CI/CD process.

Furthermore, organizations should ensure that open source libraries used in software development are free of vulnerabilities. Conducting thorough scans for threats such as malware insertion, private key leakage, and other vulnerabilities in the final software image can help identify and mitigate risks. Generating a complete software bill of materials (SBOM) at the time of signing is also crucial. SBOMs provide a record of everything included in the binary, help monitor changes over time, and are a requirement in many industries.

While building in-house solutions backed by hardware security modules (HSMs) may not be feasible for most organizations, partnering with solution experts can help secure different stages of the software supply chain. Employing a software supply chain solution equipped with managed signing practices can automate the signing process securely, without exposing private keys and certificates in the source code repository or build server. This approach reduces risk, centralizes controls, and enforces policy.
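The key-rotation and access-control policies described earlier (unique keys per product, approval workflows, scheduled release windows) and the managed-signing model in this paragraph (the build server submits what to sign but never holds the key) fit together in one small service. The Go program below is an added example written for this article, not code from any vendor or from the companies discussed. It keeps one Ed25519 key per product, issues a signature only when an approval ticket exists, the request falls inside a daily UTC release window, and the key is younger than a rotation limit, and it hands out only the public half. The product names, approval IDs, window hours and 90-day rotation age are constructed values; a production deployment would keep the private keys in an HSM rather than in process memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// SignRequest is all the build server sends: the product whose key to use,
// a SHA-256 digest of the artifact, and an approval reference. The artifact
// itself and the private key never cross the boundary.
type SignRequest struct {
	Product    string
	Digest     [32]byte
	ApprovalID string
	Now        time.Time
}

type productKey struct {
	priv      ed25519.PrivateKey
	pub       ed25519.PublicKey
	createdAt time.Time
}

// SigningService holds one key per product, so that compromising one product's
// key does not force revoking every release, plus the policy state.
type SigningService struct {
	keys        map[string]*productKey
	approvals   map[string]bool // one-shot approval tickets
	windowStart int             // release window, hours of day in UTC
	windowEnd   int
	maxKeyAge   time.Duration // rotation limit
}

var (
	ErrUnknownProduct = errors.New("no signing key registered for product")
	ErrNotApproved    = errors.New("release not approved")
	ErrOutsideWindow  = errors.New("outside release window")
	ErrKeyExpired     = errors.New("signing key past rotation age; rotate before signing")
)

func NewSigningService(windowStart, windowEnd int, maxKeyAge time.Duration) *SigningService {
	return &SigningService{
		keys: map[string]*productKey{}, approvals: map[string]bool{},
		windowStart: windowStart, windowEnd: windowEnd, maxKeyAge: maxKeyAge,
	}
}

// RegisterProduct generates a fresh key pair for a product and returns only
// the public half, which is what installers and release notes get.
func (s *SigningService) RegisterProduct(name string, now time.Time) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.keys[name] = &productKey{priv: priv, pub: pub, createdAt: now}
	return pub, nil
}

// Approve records a release approval ticket (e.g. issued by a release manager).
func (s *SigningService) Approve(id string) { s.approvals[id] = true }

// Sign enforces the policy, consumes the approval and returns a detached
// signature over the digest. Ed25519 treats the digest as the message.
func (s *SigningService) Sign(req SignRequest) ([]byte, error) {
	k, ok := s.keys[req.Product]
	if !ok {
		return nil, ErrUnknownProduct
	}
	if !s.approvals[req.ApprovalID] {
		return nil, ErrNotApproved
	}
	if h := req.Now.UTC().Hour(); h < s.windowStart || h >= s.windowEnd {
		return nil, ErrOutsideWindow
	}
	if req.Now.Sub(k.createdAt) > s.maxKeyAge {
		return nil, ErrKeyExpired
	}
	delete(s.approvals, req.ApprovalID) // one approval, one signature
	return ed25519.Sign(k.priv, req.Digest[:]), nil
}

// Verify is what an installer or a CI gate runs; it needs only the public key.
func Verify(pub ed25519.PublicKey, artifact, sig []byte) bool {
	d := sha256.Sum256(artifact)
	return ed25519.Verify(pub, d[:], sig)
}

func main() {
	now := time.Date(2023, 6, 1, 10, 0, 0, 0, time.UTC) // constructed timestamp
	svc := NewSigningService(9, 17, 90*24*time.Hour)
	pub, _ := svc.RegisterProduct("desktop", now)
	artifact := []byte("constructed artifact bytes")
	svc.Approve("REL-1")
	sig, err := svc.Sign(SignRequest{Product: "desktop", Digest: sha256.Sum256(artifact), ApprovalID: "REL-1", Now: now})
	fmt.Printf("sign err=%v sig=%x\n", err, sig)
	fmt.Println("verifies:", Verify(pub, artifact, sig))
}
```

Because every signature is tied to a single approval and a single product key, revoking after an incident means revoking one product's certificate rather than, as in the GitHub case above, every certificate the organization uses, and the audit trail of approvals shows exactly which releases were signed and when.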

In conclusion, businesses that develop critical software must prioritize security measures to protect their software supply chain. Learning from past software supply chain attacks and implementing a multifaceted approach that includes policy, process, and technology is essential for safeguarding software and maintaining customer trust and confidence. By adopting proactive security measures, organizations can mitigate the risk posed by software supply chain attacks and protect their reputation and financial well-being.
