Software Supply Chain Attacks Are A Growing Threat
October 3, 2022 Alex Woodie
There’s a lot going on in the world right now, so you probably don’t need something more to worry about. But the cat-and-mouse world of cybersecurity never sleeps, and one of the threats keeping the good guys up at night right now is the growing risk of software supply chain attacks. Unfortunately, security through obscurity won’t provide as much protection for the IBM i server this time around.
Just what is a software supply chain attack? According to the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA), a software supply chain attack occurs when “a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers.”
Software supply chain attacks can involve proprietary software as well as software that’s distributed via open source. It can take the form of malicious files surreptitiously added to vendor software update websites or open source repositories, or it can even involve the actual insertion of malicious code directly into otherwise innocent software products.
Long anticipated by cybersecurity professionals as other avenues of attack were squeezed out, the first documented supply chain security attack occurred in 2014. That’s when Russian cybercriminals exploited vulnerabilities in the Web servers used by industrial control and SCADA system vendors to update customers systems.
According to a 2014 Security Week story, the hackers used the vulnerabilities to install a remote access Trojan (RAT) named Havex in the updates for at least three ICS and SCADA vendors’ products. (SCADA systems, including those running on IBM i servers, apparently are prime targets for malevolent souls.)
Cybercriminals began using this novel method of corrupting victims’ systems because they “are an efficient way to bypass traditional defenses and compromise a large number of computers,” the NIST says in its paper. When they target well-known brands in enterprise software, like SolarWinds, which was the victim of a supply chain software attack in early 2021, they can use the trust that customers have in these vendors and their products against them.
That’s a powerful force, the NIST says in its paper.
“Software supply chain attacks are particularly bothersome and insidious because they violate the basic and assumed trust between software provider and consumer,” NIST says. “Customers have been correctly conditioned to buy and install software only from trusted sources and to download and use patches or updates only from authorized vendor sites. Now, customers must be wary of performing those basic, proper and prudent cybersecurity tasks when purchasing software and maintaining systems, since even authorized resources may be compromised.”
The Log4j vulnerability that surfaced at the end of 2021 adds another twist to the software supply chain security saga. By itself, the Log4j flaw was bad enough–it landed a perfect 10 on the 10-point CVSS v3 rating scale. Exploiting the zero-day flaw in Log4j versions 2.0 and 2.14.1 is relatively easy for the moderately skilled cybercriminal.
But because the open source logging framework is used so widely by other Java-based software, the flaw created a domino effect of security vulnerabilities in other products. Prominent IBM i products, like the heritage version of IBM i Navigator, contained the vulnerable version of Log4j and would not be updated, according to IBM.
The damage didn’t stop there, as various other of IBM’s Java-based products for IBM i contained the vulnerable version of Log4j, including WebSphere Application Server, Integrated Web Services Server (IWS), Integrated Application Server (IAS). IBM i ACS, and OmniFind Text Search Server.
The Log4j vulnerability is so pervasive that IBM maintains a list of products not impacted by it. That list contains more than 500 products not impacted by Log4j, and more than 230 that are impacted by it. Java is also widely used in the IBM i, including by many software vendors. However, it’s unknown how many of these vendor products were impacted by Log4.
The fact that security vulnerabilities are emerging in otherwise trustworthy products is a cause for concern. But flaws in open source software may have a chilling effect in some emerging markets.
In its April 2021 paper Defending Against Software Supply Chain Attacks, CISA described an attack that took place with PyPI, the popular Python Package Index. Researchers discovered 12 malicious libraries loaded into the PyPI distribution that used so-called “typosquatting” tactics. The attack led users who were thinking they were installing a popular Python library called django to instead download malicious clones with names like “djago” and “dajngo.”
“The malicious libraries contained the same code and functionality of those they impersonated,” CISA wrote. “But they also contained additional functionality, including the ability to obtain boot persistence and open a reverse shell on remote workstations.”
Not surprisingly, this has had a chilling effect on Python users. According to Python data science tool provider Anaconda, 40 percent of organizations it recently surveyed say they’re pulling back on their use of open source data science software due to security concerns.
Python-based data science programs aren’t a huge driver of workloads on the IBM i, at least not yet. However, open source software is a growing driver of workloads on IBM i. The anything-goes nature of supply chain security attacks shows that nobody is safe, not even back-office systems like IBM i with a growing appetite for open source.