{"id":17978,"date":"2020-03-18T01:01:54","date_gmt":"2020-03-18T09:01:54","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2020\/03\/18\/news-11711\/"},"modified":"2020-03-18T01:01:54","modified_gmt":"2020-03-18T09:01:54","slug":"news-11711","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2020\/03\/18\/news-11711\/","title":{"rendered":"Guarding against supply chain attacks\u2014Part 3: How software becomes compromised"},"content":{"rendered":"<p><strong>Credit to Author: Todd VanderArk| Date: Wed, 11 Mar 2020 16:00:32 +0000<\/strong><\/p>\n<p>Do you know all the software your company uses? The software supply chain can be complex and opaque. It\u2019s comprised of software that businesses use to run operations, such as customer relationship management (CRM), enterprise resource planning (ERP), and project management. It also includes the third-party components, libraries, and frameworks that software engineers use to build applications and products. All this software can be difficult to track and can be vulnerable to attack if not known and\/or not managed properly.<\/p>\n<p>In the U.S. Department of Defense\u2019s Defense Federal Acquisition Regulation Supplement, a supply chain risk is defined as \u201cthe risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.\u201d<\/p>\n<p>If you rely on a web of software providers, it\u2019s important that you understand and mitigate your risk. 
Part 3 of our five-part blog series, \u201cGuarding against supply chain attacks,\u201d illustrates how software supply chain attacks are executed and offers best practices for improving the quality of the software that undergirds your applications and business.<\/p>\n<h3>Examples of software supply chain attacks with global reach<\/h3>\n<p>Starting in 2012, the industry began to see a marked increase in the number of attacks targeted at software supply chains each year. Like other hacking incidents, a well-executed software supply chain attack can spread rapidly. The following examples weaponized automatic software updates to infect computers in large and small companies in countries all over the world and highlight how they have evolved over time.<\/p>\n<ul>\n<li><a href=\"https:\/\/msrc-blog.microsoft.com\/2012\/06\/06\/flame-malware-collision-attack-explained\/\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>The Flame malware of 2012<\/strong><\/a> was a nation-state attack that tricked a small number of machines in the Middle East into thinking that a signed update had come from Microsoft\u2019s trusted Windows Update mechanism, when in fact it had not. Flame had <a href=\"https:\/\/www.npr.org\/2012\/06\/08\/154587988\/how-flame-malware-hijacks-a-computer\" target=\"_blank\" rel=\"noopener noreferrer\">20 modules<\/a> that could perform a variety of functions. It could turn on your computer\u2019s internal microphone and webcam to record conversations or take screenshots of instant messaging and email. It could also serve as a Bluetooth beacon and tap into other devices in the area to steal information. Believed to come from a nation state, Flame sparked years of copycats. 
While Flame was a supply chain \u201cemulation\u201d (it only pretended to be trusted), the tactic was studied and adopted by both nation states and criminals, and included noted update attacks like <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2017\/06\/27\/new-ransomware-old-techniques-petya-adds-worm-capabilities\/\" target=\"_blank\" rel=\"noopener noreferrer\">Petya\/NotPetya<\/a> (2017), another nation-state attack, which hit enterprises in over 20 countries. It included the ability to self-propagate (like worms) by building a list of IP addresses to spread to local area networks (LANs) and remote IPs.<\/li>\n<li><a href=\"https:\/\/thehackernews.com\/2018\/04\/ccleaner-malware-attack.html\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>CCleaner<\/strong><\/a> affected 2.3 million computers in 2018, some for more than a month. Nation-state actors replaced original software versions with malware that had been used to modify the CCleaner installation file used by customers worldwide. Access was gained through the Piriform network, a company that was acquired by Avast before the attack was launched on CCleaner users. As Avast says in a <a href=\"https:\/\/blog.avast.com\/update-ccleaner-attackers-entered-via-teamviewer\" target=\"_blank\" rel=\"noopener noreferrer\">blog<\/a> on the subject, \u201cAttackers will always try to find the weakest link, and if a product is downloaded by millions of users it is an attractive target for them. Companies need to increase their attention and investment in keeping the supply chain secure.\u201d<\/li>\n<li>In May 2017, <strong><a href=\"https:\/\/www.microsoft.com\/security\/blog\/2017\/05\/04\/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack\/\" target=\"_blank\" rel=\"noopener noreferrer\">Operation WilySupply<\/a><\/strong> compromised a text editor\u2019s software updater to install a backdoor on target organizations in the financial and IT sectors. 
Microsoft Defender Advanced Threat Protection (ATP) discovered the attack early, and Microsoft worked with the vendor to contain the attack and mitigate the risk.<\/li>\n<\/ul>\n<h3>Implanting malware<\/h3>\n<p>There are three primary ways that malicious actors infect the software supply chain:<\/p>\n<ul>\n<li><strong>Compromise internet-accessible software update servers<\/strong>. Cybercrooks hack into the servers that companies use to distribute their software updates. Once they gain access, they replace legitimate files with malware. If an application auto-updates, the number of infections can proliferate quickly.<\/li>\n<li><strong>Gain access to the software infrastructure<\/strong>. Hackers use social engineering techniques to infiltrate the development infrastructure. After they\u2019ve tricked users into sharing sign-in credentials, the attackers move laterally within the company until they are able to target the build environment and servers. This gives them the access needed to inject malicious code into software before it has been compiled and shipped to customers. Once the software has been digitally signed, it\u2019s extremely difficult to detect that something is wrong.<\/li>\n<li><strong>Attack third-party code libraries<\/strong>. Malware is also delivered through third-party code, such as libraries, software development kits, and frameworks that developers use in their applications.<\/li>\n<\/ul>\n<h3>Safeguarding your software supply chain<\/h3>\n<p>There are several steps you can take to reduce the vulnerabilities in your software. (We\u2019ll address the vulnerabilities and mitigation strategies related to <em>people<\/em> and <em>processes<\/em> in our next post):<\/p>\n<ul>\n<li>Much like the hardware supply chain, it\u2019s important to inventory your software suppliers. Do your due diligence to confirm there are no red flags. 
The <a href=\"https:\/\/csrc.nist.gov\/CSRC\/media\/Projects\/Supply-Chain-Risk-Management\/documents\/briefings\/Workshop-Brief-on-Cyber-Supply-Chain-Best-Practices.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">NIST Cyber Supply Chain Best Practices<\/a> provide sample questions that you can use to screen your software suppliers, such as what malware protection and detection are performed and what access controls\u2014both cyber and physical\u2014are in place.<\/li>\n<li>Set a high standard of software assurance with partners and suppliers. Governmental organizations such as the <a href=\"https:\/\/www.us-cert.gov\/sites\/default\/files\/publications\/infosheet_SoftwareAssurance.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">Department of Homeland Security<\/a>, <a href=\"https:\/\/safecode.org\/\" target=\"_blank\" rel=\"noopener noreferrer\">SafeCODE<\/a>, the <a href=\"https:\/\/www.owasp.org\/index.php\/OWASP_SAMM_Project\" target=\"_blank\" rel=\"noopener noreferrer\">OWASP SAMM<\/a>, and the <a href=\"https:\/\/www.ncsc.gov.uk\/information\/commercial-product-assurance-cpa\" target=\"_blank\" rel=\"noopener noreferrer\">U.K. National Cyber Security Centre\u2019s Commercial Product Assurance<\/a> (CPA) provide a model. You can also refer to Microsoft\u2019s <a href=\"https:\/\/www.microsoft.com\/en-us\/securityengineering\/sdl\/practices#practice7\" target=\"_blank\" rel=\"noopener noreferrer\">secure development lifecycle (SDL)<\/a>. The SDL defines 12 best practices that Microsoft developers and partners utilize to reduce vulnerabilities. Use the SDL to guide a software assurance program for your engineers, partners, and suppliers.<\/li>\n<li>Manage security risks in third-party components. Commercial and open-source libraries and frameworks are invaluable for improving efficiency. Engineers shouldn\u2019t create a component from scratch if a good one exists already; however, third-party libraries are often targeted by bad actors. 
Microsoft\u2019s <a href=\"https:\/\/www.microsoft.com\/en-us\/securityengineering\/opensource\/?activetab=security+analysis%3aprimaryr3\" target=\"_blank\" rel=\"noopener noreferrer\">open source best practices<\/a> can help you manage this risk with four steps:\n<ol>\n<li>Understand what components are in use and where.<\/li>\n<li>Perform security analysis to confirm that none of your components contain vulnerabilities.<\/li>\n<li>Keep components up to date. Security issues are often fixed without explicit notification.<\/li>\n<li>Establish an incident response plan, so you have a strategy when a vulnerability is reported.<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n<h3>Learn more<\/h3>\n<p>\u201cGuarding against supply chain attacks\u201d is a five-part blog series that decodes supply chain threats and provides concrete actions you can take to better safeguard your organization. Previous posts include an <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/10\/16\/guarding-against-supply-chain-attacks-part-1-big-picture\/\" target=\"_blank\" rel=\"noopener noreferrer\">overview of supply chain risks<\/a> and an <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/02\/03\/guarding-against-supply-chain-attacks-part-2-hardware-risks\/\" target=\"_blank\" rel=\"noopener noreferrer\">examination of vulnerabilities in the hardware supply chain<\/a>.<\/p>\n<p>We also recommend you explore NIST <a href=\"https:\/\/csrc.nist.gov\/Projects\/Supply-Chain-Risk-Management\" target=\"_blank\" rel=\"noopener noreferrer\">Cybersecurity Supply Chain Risk Management<\/a>.<\/p>\n<p>Stay tuned for these upcoming posts as we wrap up our five-part series:<\/p>\n<ul>\n<li>Part 4\u2014Looks at how people and processes can expose companies to risk.<\/li>\n<li>Part 5\u2014Summarizes our advice with a look to the future.<\/li>\n<\/ul>\n<p>In the meantime, bookmark the\u00a0<a href=\"https:\/\/www.microsoft.com\/security\/blog\/\" target=\"_blank\" rel=\"noopener noreferrer\">Security 
blog<\/a> to keep up with our expert coverage on security matters. For more information about Microsoft Security solutions, visit our website: <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/www.microsoft.com\/en-us\/security\/business<\/a>. Also, follow us at\u00a0<a href=\"https:\/\/twitter.com\/@MSFTSecurity\" target=\"_blank\" rel=\"noopener noreferrer\">@MSFTSecurity<\/a>\u00a0for the latest news and updates on cybersecurity.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/03\/11\/guarding-against-supply-chain-attacks-part-3-how-software-becomes-compromised\/\">Guarding against supply chain attacks\u2014Part 3: How software becomes compromised<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/\">Microsoft Security<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Todd VanderArk| Date: Wed, 11 Mar 2020 16:00:32 +0000<\/strong><\/p>\n<p>Set a high standard of software assurance with internal teams, partners, and suppliers to reduce your risk of a software supply chain attack.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/03\/11\/guarding-against-supply-chain-attacks-part-3-how-software-becomes-compromised\/\">Guarding against supply chain attacks\u2014Part 3: How software becomes compromised<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/\">Microsoft 
Security<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[22452,17187,21496],"class_list":["post-17978","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-microsoft-defender-advanced-threat-protection","tag-security-intelligence","tag-windows-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17978","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17978"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17978\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17978"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17978"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17978"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}