Nurit Bielorai
Nov 10 · 7 min read
The software supply chain has quickly become one of the largest security problems companies have to tackle. The reason is clear: the modern software development process is composed of an ever-growing number of interconnected parts. We're talking about multiple tools, steps, plugins and packages, as well as different languages, frameworks, and connectivity methods. This is exactly what lets companies develop software quickly and flexibly, but it has also produced one of the most dangerous attack vectors of the past decade: software supply chain attacks.
One of the major dangers of this vector is that there is no single point to protect; instead, there is a collection of many small entry points. An attacker only has to identify the weakest of them, breach it, and use it to cause long-lasting damage throughout the software's supply chain. This goes beyond lateral movement inside one network: the victim is no longer just the breached company, but every user of its software.
So let’s dive deeper into some of these entry points…
Modern software development pipelines consist of many steps within the continuous integration and continuous delivery (CI/CD) process. Typically, several tools and services are used at each of these steps, and each of them adds another layer of risk.
There are many ways to divide the (sub-)attack vectors; for the purpose of this blog I'll divide them into internal and external risks.
Open-source packages are a gold mine for attackers: they are open by design and highly popular, which makes them comparatively easy to tamper with and a way to reach a massive number of users at once.
This is how it usually works. Attackers gain access to, or ownership of, an open-source package or library. They tamper with it, usually by injecting malicious code. The tampered version is then published, picked up by automatic updates, and downloaded by thousands if not millions of users who simply want the benefits of the original package. The attackers have essentially poisoned the well: by poisoning the package they get developers to unintentionally contaminate the software they are building, usually with a backdoor the attackers can later use to gain access or exfiltrate sensitive data.
The challenge is not hard to understand: there are hundreds of thousands of open-source packages and an even larger number of contributors. It is easy to lose track of and visibility into the packages you are using and the security level of each one. As a result, development teams unknowingly pull malicious versions of the open-source package they wanted into their builds. To add to this risk, new vulnerabilities and misconfigurations are discovered in these packages every week, and attackers can take advantage of them even if the version originally pulled in was "secure".
We don't need to look far; within the span of about two weeks, three major supply-chain attacks were carried out through this vector.
The case of coa: coa stands for command-option-argument, and it is an open-source library that averages ~9M downloads a week on npm. It is estimated to be used by roughly 5M open-source repositories on GitHub, and it is used in React projects all over the world. Before this week, the last version (2.0.2) had been released three years earlier. Suddenly, this week, several new versions appeared on npm. That was the first warning sign.
Ten minutes later, a thread was opened by Roberto Overdijk reporting that the new versions had broken his build. Soon after, many developers joined the discussion and confirmed the issue.
Following the community investigation, it was discovered that the new versions contained a suspicious preinstall script, which we now know launched a malicious JavaScript file. The malware in question appears to be DanaBot, a password-stealing Trojan for Windows. Once installed, it can steal passwords from web browsers and applications, steal stored credit card details, and take screenshots of the active screen.
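The "warning sign" above (a package that has been silent for years suddenly shipping several versions in one day) can be turned into an automated check. The example below is added here and is not code from the original post or from coa; it works on the `time` object of an npm registry packument (what `npm view <pkg> time --json` returns), and the dates in the sample are constructed to resemble the coa timeline, not copied from the registry.

```javascript
// Added example: flag npm versions published after a long dormancy, and the
// burst of versions that follows them. Input is the `time` object from the
// registry packument (GET https://registry.npmjs.org/<name>), which maps each
// version to its publish date plus "created"/"modified" bookkeeping keys.
// The sample below is constructed; it only imitates the coa release pattern.
const sampleTime = {
  created: "2013-05-15T10:00:00.000Z",
  modified: "2021-11-04T11:30:00.000Z",
  "1.0.0": "2013-05-15T10:00:00.000Z",
  "2.0.1": "2018-10-01T10:00:00.000Z",
  "2.0.2": "2018-12-20T10:00:00.000Z",
  "2.0.3": "2021-11-04T10:12:00.000Z",
  "2.0.4": "2021-11-04T11:30:00.000Z",
};

const DAY_MS = 24 * 60 * 60 * 1000;

// Release history as [{version, date}] sorted by publish date, with the
// registry's non-version keys removed.
function releaseHistory(time) {
  return Object.entries(time)
    .filter(([key]) => key !== "created" && key !== "modified")
    .map(([version, iso]) => ({ version, date: new Date(iso) }))
    .sort((a, b) => a.date - b.date);
}

// Report every version that follows a gap of more than `minGapDays` since the
// previous release, together with any versions published within `burstHours`
// after it. A years-long silence followed by several releases in a day is a
// triage signal, not proof of compromise: revived projects also look like this.
function dormancyAlerts(time, { minGapDays = 365, burstHours = 24 } = {}) {
  const history = releaseHistory(time);
  const alerts = [];
  for (let i = 1; i < history.length; i++) {
    const gapDays = (history[i].date - history[i - 1].date) / DAY_MS;
    if (gapDays <= minGapDays) continue;
    const burst = [history[i].version];
    for (let j = i + 1; j < history.length; j++) {
      if (history[j].date - history[i].date > burstHours * 3600 * 1000) break;
      burst.push(history[j].version);
    }
    alerts.push({ version: history[i].version, gapDays: Math.round(gapDays), burst });
  }
  return alerts;
}

// Human-readable summary for a CI log or alert channel.
function describeAlerts(name, alerts) {
  return alerts.map(
    (a) => `${name}@${a.version} published after ${a.gapDays} days of silence; ` +
           `burst: ${a.burst.join(", ")}`
  );
}

for (const line of describeAlerts("sample-pkg", dormancyAlerts(sampleTime))) {
  console.log(line);
}
```

In a pipeline this would run against the lock file's resolved versions before `npm ci`, with the alert gating the build for a human look rather than failing it outright, since the same pattern appears when a maintainer legitimately returns to an abandoned project.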
"preinstall": "start /B node compile.js & node compile.js"
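Install-time hooks like the one above run arbitrary commands on every developer machine and CI runner that installs the package, so they are worth auditing before they execute. The example below is added here and is not code from the original post; it scans package.json manifests for npm lifecycle hooks and flags commands that resemble the coa payload. The manifests are constructed sample input, with only the preinstall string itself taken from the incident as quoted above, and the pattern list is an assumption about what rarely belongs in an install hook of a pure-JavaScript library.

```javascript
// Added example: audit package.json manifests for npm lifecycle hooks and
// flag commands that look like the coa preinstall payload. Sample manifests
// are constructed; the "preinstall" string is the one quoted in the post.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare", "prepublish"];

// Heuristic patterns (an assumption, tune for your own dependency set).
const SUSPICIOUS_PATTERNS = [
  { name: "windows-background-start", re: /\bstart\s+\/B\b/i },
  { name: "network-download",         re: /\b(curl|wget|Invoke-WebRequest|iwr)\b/i },
  { name: "powershell",               re: /\bpowershell\b/i },
  { name: "base64",                    re: /\b(base64|FromBase64String)\b/i },
  { name: "eval-or-child-process",    re: /\b(eval|child_process)\b/ },
];

// Return one finding per lifecycle hook present in the manifest. Any hook at
// all is worth a review; a hook matching a pattern is rated "high".
function auditLifecycleScripts(manifest) {
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (!Object.prototype.hasOwnProperty.call(scripts, hook)) continue;
    const command = String(scripts[hook]);
    const patterns = SUSPICIOUS_PATTERNS.filter((p) => p.re.test(command)).map((p) => p.name);
    findings.push({
      package: `${manifest.name}@${manifest.version}`,
      hook,
      command,
      patterns,
      severity: patterns.length > 0 ? "high" : "review",
    });
  }
  return findings;
}

function auditAll(manifests) {
  return manifests.flatMap(auditLifecycleScripts);
}

// Constructed sample input: one manifest modeled on the malicious coa release,
// one legitimate native add-on that needs an install hook, one plain library.
const sampleManifests = [
  { name: "revived-pkg", version: "2.0.3",
    scripts: { preinstall: "start /B node compile.js & node compile.js" } },
  { name: "native-addon", version: "1.4.0",
    scripts: { install: "node-gyp rebuild" } },
  { name: "plain-lib", version: "3.2.1",
    scripts: { test: "mocha" } },
];

for (const f of auditAll(sampleManifests)) {
  console.log(`[${f.severity}] ${f.package} ${f.hook}: ${f.command}` +
              (f.patterns.length ? ` (${f.patterns.join(", ")})` : ""));
}
```

To run this over a real tree, read every `node_modules/*/package.json` (and scoped `node_modules/@*/*/package.json`) with `fs.readFileSync` and feed the parsed objects to `auditAll`. The blunt mitigation is `npm ci --ignore-scripts` or `ignore-scripts=true` in `.npmrc`, which stops hooks like this one from running at all; the caveat is that packages with native builds (the `node-gyp rebuild` case above) then need an explicit `npm rebuild` for the packages you have reviewed.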
Soon after the breach was discovered, developers spotted that another popular open-source component, rc, had also been affected. This is an even more widely used library than coa, with ~14M downloads a week.
Unsurprisingly, both of these attacks have been linked to the large-scale supply chain attack on ua-parser-js discovered roughly two weeks earlier. The malware found in the three attacks is virtually identical, which points to the same threat actor behind the separate incidents.
As mentioned at the beginning of the article, this is just one of the attack vectors within the software supply chain that security and DevOps leaders need to worry about. We know the security risks can be overwhelming, and it is not always easy to allocate the resources and budget needed to deal with this complexity.
Argon can provide you with an effective security solution that fits your dev pipeline and helps you prevent these attacks.
To learn how Argon can help you close this and the rest of the attack vectors within the software supply chain, reach out to info@argon.io