One of the issues we talk about frequently is that modern software is assembled from component parts, known as “dependencies.” Building on open source dependencies is not just common practice; those dependencies often make up the great majority of the code in an application developed today.
Unfortunately, teams that build from dependencies carry a growing burden to ensure the safety of each component. They must validate that software developed outside their organization has not been tampered with or tainted with malware, and when a problem is discovered they must act quickly to address it.
Not keeping an eye on dependencies means increased danger.
The importance of software supply chain management was underlined again on March 30th, when multiple sources reported that 3CX's desktop application had been trojanized. The company distributes softphone tools to approximately 600,000 customers on all major operating systems. Its desktop clients (installed applications rather than web apps) are built on the open source Electron framework, and both Mac and Windows users were affected.
The specifics of how the attack began and what it achieved are still being investigated, but we know that:
The attack has in many quarters been compared to the SolarWinds compromise disclosed in late 2020, which likewise reached many downstream organizations. The comparison covers both the sophistication of the attackers and the fact that valid digital signatures did not catch the problem: the tampered builds were signed with the vendor's own legitimate certificate, so signature verification confirmed who published the software, not that the build pipeline producing it was intact. As we noted shortly after that attack:
“By attacking the SolarWinds software supply chain and mingling their malicious code with the legitimate, trusted code being delivered to their clients, attackers are able to cast a much wider net downstream.” (source)
This is just the latest in an ongoing campaign of attacks on the software supply chain. Attackers focus on upstream targets: compromise a single component once, and the trusted build, release and update mechanisms distribute it to every downstream consumer.
This latest attack highlights why software supply chain management is necessary for development teams and their organizations. As Sonatype security researcher Ax Sharma explains:
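The distinction drawn above, that a valid signature proves who signed an artifact and nothing about whether the build that produced it was clean, is easy to demonstrate. The following is an added example, not code from the original post or from 3CX: the vendor key, the HMAC used as a stand-in for a code-signing certificate, the artifact bytes and the version name are all constructed for illustration. It shows that a trojanized build signed by a compromised pipeline passes signature verification and is only caught by an independent check against a pinned digest.

```python
import hashlib
import hmac

# Hypothetical vendor signing key. HMAC-SHA256 stands in for the vendor's
# code-signing certificate: whoever controls the key (including an attacker
# who controls the build pipeline) can produce a valid signature over anything.
VENDOR_SIGNING_KEY = b"hypothetical-vendor-code-signing-key"

# Constructed artifacts standing in for a clean and a trojanized installer build.
CLEAN_BUILD = b"vendor-app-1.2.3 installer bytes (constructed sample)"
TROJANIZED_BUILD = CLEAN_BUILD + b"<injected loader appended by a compromised pipeline>"


def sign(artifact: bytes, key: bytes = VENDOR_SIGNING_KEY) -> str:
    """Stand-in for the release pipeline signing whatever it produced."""
    return hmac.new(key, artifact, hashlib.sha256).hexdigest()


def signature_is_valid(artifact: bytes, signature: str, key: bytes = VENDOR_SIGNING_KEY) -> bool:
    """Publisher authentication only: does the signature match the vendor key?"""
    return hmac.compare_digest(sign(artifact, key), signature)


def sha256(artifact: bytes) -> str:
    return hashlib.sha256(artifact).hexdigest()


# Lockfile of expected digests, recorded when a reviewed release was adopted.
# The digest must come from somewhere independent of the pipeline being checked
# (a reproducible rebuild, a second distribution channel, a prior review).
PINNED_DIGESTS = {"vendor-app-1.2.3": sha256(CLEAN_BUILD)}


def verify_update(name: str, artifact: bytes, signature: str) -> dict:
    """Run both checks; an update is accepted only if both pass."""
    sig_ok = signature_is_valid(artifact, signature)
    expected = PINNED_DIGESTS.get(name)
    digest_ok = expected is not None and hmac.compare_digest(expected, sha256(artifact))
    return {"signature_ok": sig_ok, "digest_ok": digest_ok, "accept": sig_ok and digest_ok}


if __name__ == "__main__":
    # Legitimate release: signed by the vendor, matches the pinned digest.
    print("clean     :", verify_update("vendor-app-1.2.3", CLEAN_BUILD, sign(CLEAN_BUILD)))
    # Compromised pipeline: the trojanized build is signed with the same key,
    # so the signature is valid, but the content no longer matches the pin.
    print("trojanized:", verify_update("vendor-app-1.2.3", TROJANIZED_BUILD, sign(TROJANIZED_BUILD)))
    # Attacker without the vendor key: signature check alone rejects this one.
    print("forged sig:", verify_update("vendor-app-1.2.3", CLEAN_BUILD, sign(CLEAN_BUILD, b"other-key")))
```

The trojanized case is the one that matters here: `signature_ok` is True and only `digest_ok` fails. A pinned digest cannot be known for a version nobody has reviewed yet, so the practical effect of this check is to turn an automatic update into a deliberate decision, and the pin is only as trustworthy as the independent source it was recorded from.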
“The 3CX incident demonstrates how sophisticated threat actors, believed on this occasion to be nation-state hackers, are abusing open source ecosystems like GitHub to host seemingly benign files. In this case, icons that in fact contain malware. The name of the repo, "IconStorages", and the format of the files raise no obvious red flags either, and were initially cleared by most antivirus products.
“Any system that's open to the public (i.e. open source) is also open to adversaries, which is why we need novel solutions to safeguard the open source repos and ecosystem before they can be leveraged by advanced persistent threat actors to conduct supply chain attacks. With software supply chain attacks increasing by 742% over the past three years, there is an immediate need for drastic action to turn the tide against malicious actors such as those responsible for the attack on 3CX.”
To learn more about this topic, see our research in the 8th Annual State of the Software Supply Chain Report. We look at attack types and trends, as well as emerging standards and regulation. Most importantly, we look at dependency management practices to minimize the risk around software supply chain attacks.