In the last 3 years, at least 6 relevant security incidents involving software manipulation have been made public, such as the NotPetya incident of 2017.
These incidents (which seem to be linked to a Chinese group that, depending on which research firm you ask, is known as Barium, ShadowHammer, ShadowPad or Wicked Panda) have made us realize that we should not only evaluate the security of the companies that connect to our systems and of those that manage our information, but we must also know the security level of the internal systems of the companies that develop the software we use.
Yes, yes, we have not gone mad. These attacks, which we can call attacks on the software supply chain, cannot be easily detected by any other route, since the attackers are capable of compromising the developers' systems to the point that the manipulated versions ship signed with the developer's own certificate. That is, they are undetectable by any antivirus, firewall or other common protection measure, because the patching process itself is used as the attack vector. In other words, those who apply good practices are punished.
This type of attack takes the concept of supply chain security to the extreme, since in the end it still exploits a relationship of trust that we have with a third party; rather than an external service provider, it is an external developer. In fact, it maximizes the "profitability" of the attack, since infecting a single developer can reach hundreds of thousands, or even millions, of users. It is worth remembering the cases of the Asus update software and the well-known CCleaner. Both suffered attacks that affected software signed with the official certificate of the respective company, which prevented detection systems from triggering any alarm.
There are even incidents involving a fourth party, that is, attackers compromise software used by a developer, so that they can infect every product built with that software (e.g. corrupting a Visual Studio compiler or a tool like Xcode).
Well, the best way to deal with attacks on the software supply chain, as Andy Greenberg explains at WIRED, is to "try to discover the internal security practices of the companies whose software you are using". We are not talking about evaluating development processes to analyze whether they are OK, or assessing their level of maturity as CMMI would do, but rather about software companies also rating the level of internal cybersecurity implemented in their working environment, so as to convey trust to the users of their software.
You can follow us on twitter.com/leet_security