When nights are getting longer – part III

GitHub

In April, GitHub was hit by a type of attack that has gained significant momentum in recent years: theft of various forms of authentication and access tokens.

This could involve information in cookies and short-lived access tokens, or longer-lived keys and session IDs. In the specific case, attackers successfully obtained OAuth access tokens – a form of identifying token used to provide access over a configurable period of time without requiring re-authentication – issued to third-party integrators Heroku and Travis CI. With the stolen OAuth tokens, attackers gained access to organisations using Heroku Dashboard and Travis CI products.

GitHub's investigations revealed that the attackers systematically searched downloaded content for additional keys and tokens that could provide even more access. In this way, the attackers obtained, among other things, an AWS API key. This then granted them access to GitHub's Node Package Manager (npm) production environment. Fortunately, without the ability to modify any npm packages, they could only download code.

There are several points to note here. First, theft of API keys and similar tokens often results from inadequate application security or weak handling of secrets (tokens, keys, etc.) in applications, development, build, and test environments.

Second, the cleanup and removal of old permissions that are no longer in use is another often- overlooked point, both in professional application development and use, as well as when we as individuals authorise third-party services and apps for access to our accounts on social media. It is reasonable to assume that in some organisations where Heroku and Travis CI tools were once authorised for access, the organisations no longer actively used these products.

Finally, the handling and follow-up measures taken have been commendable, from all parties involved.

GitHub, regardless of the incident, developed a service that scans code for secrets before it is uploaded to distribution channels.

From a supply chain perspective, it is worth highlighting notification and action: GitHub was quick to notify all affected users, and both Heroku and Travis CI notified their customers and implemented revocation and reissuance of tokens and keys for their services. The latter is not an easy decision, as it affects their services and customers, but it is the right decision to minimise damage and security risks.

Fishpig

For those who may not have heard of FishPig before, it is software for integration between the extremely popular publishing platform WordPress and the very widely used e-commerce software Magento. FishPig is used in over 200,000 online stores.

Attackers compromised FishPig's distribution servers, i.e. the servers from which customers retrieve software and updates. They uploaded modified versions of the software that, when downloaded and installed, infected customers' systems with the Rekoobe trojan, providing attackers with a backdoor into customers' systems. The damage potential was significant, as these are online stores with payment functions. Magento-based online stores have been a favoured target for financially motivated threat actors for years, leading to significant losses in some cases.

There may be reason to question the security monitoring at FishPig, as attackers had access for about 12 weeks before the then ongoing supply chain attack was uncovered.

From a supply chain perspective, this type of attack is challenging for customers because attackers succeeded in including their code in seemingly authentic software. Mechanisms for automatic updates – generally recommended from a security standpoint

– also limit the possibilities for actions such as test-running the update in security-instrumented test and sandbox environments before installation in production. In any case, measures such as test-running the update would be excessively resource-intensive for many of the affected customers.

While these attacks are challenging, better planning might have helped. Rekoobe is a known malware family, and endpoint detection and response (EDR) tools on Linux servers can be an effective tactic to detect its presence and behaviour. It is also crucial to subscribe to and respond to alerts from suppliers.

After the incident, FishPig provided exemplary guidance to affected customers, such as tools that enable even customers with limited expertise to clean up a compromised online store.

3CX

In March 2023, it was revealed that software from the IP telephony company 3CX had been compromised. The exact duration is unclear, but the first reports of observed anomalies among user organisations – initially assumed to be false positives – emerged March 22.

The legitimate software of 3CX, used by over 600,000 companies and more than 12 million daily end-users, turned out to have been supplemented with malicious code for DLL sideloading. In simple terms, this involves inclusion of instructions in the software installation routine to fetch additional code libraries (DLL) from an external source.

The 3CX attack harkens back to the well-known SolarWinds attack, and really all the way back to the attacks by "APT 1" on managed service providers (MSPs). One thing common to APT1, SolarWinds, and a portfolio of intermediate campaigns is the ability and willingness to use supply chain attacks (which have a very broad, visible impact) to take adversarial action on only a few select targets. This modus operandi, along with the absence of economic gain, points towards intelligence- motivated actors.

From a supply chain perspective, we note that the 3CX attack was actually made possible through another software supply chain attack on a company called Trading Technologies and their software for securities (futures) trading, X_Trader. Several security analysts and media outlets describe this as the first time one software supply chain attack has led to another.

The infected version of XTrader was simply downloaded and installed by an employee at 3CX. There is broad consensus among analysis companies that the XTrader campaign and the subsequent attack through 3CX's software are connected to the North Korean “Lazarus Group”.

The X_Trader campaign targeted several other companies, including at least two power companies in the USA and Europe.

The broad secondary campaign through 3CX, targeting the energy sector, and compromising software for securities trading all raise questions about whether the attacker's motivation was primarily economic or geopolitical. Even with strong attribution, it can be challenging to conclude, as Lazarus Group appears to be motivated by both.

Recursive Dependencies – A Persistent Challenge

We also observe that the organisation of some open-source ecosystems presents security challenges and opportunities for attackers, particularly in the way development handles dependencies. In this case, dependencies refers to code or software modules that another software project relies on and, therefore, is dynamically fetched and included. In some ecosystems, such as npm, these recursive dependency structures can be very deep.

Several attack concepts take advantage of this, as well as other aspects of how open-source development and distributionis organised:

Malicious dependencies – Event-stream incident¹, 2018

In August 2018, a developer with the screen name "Antonio Macias" published the flatMap-stream parser library on npm. He contacted the developer responsible for the widely used parser library event-stream and suggested including the flatMap-stream parser library as a dependency to the event-stream parser library. That September, the next version of event-stream was released, dynamically incorporating flatMap-stream code. In October, the codebase of flatMap-stream was updated with malicious code. From that point on, all new installations of event- stream continued to automatically pull in flatMap-stream, thus also including the malicious code into event-stream.

Event-stream is a popular package and itself a dependency in at least 3,931 other packages. However, the real target of the attack was a single software project: the highly popular bitcoin wallet Copay. The introduced code in flatMap-stream was effective only within Copay, enabling the theft of bitcoins and private keys.

Dependency confusion – Alex Birsan, 2021

In Digital Security 2021, we discussed how security researcher Alex Birsan demonstrated “dependency confusion" attacks¹² early in the year:

"An additional factor contributing to reducing time and cost is the dynamic use of third-party libraries like Node, JQuery, and Chartbeat. Dynamically included libraries are either downloaded when the application is built or when it runs in a browser. On one hand, such libraries often contribute to more secure code, as they frequently help programmers 'do things right,' while on the other hand, they increase the risk of compromise through the supply chain. This was aptly demonstrated in February when a security researcher described how he had exploited this type of dynamic download by publishing packages with conceptual 'malware' to various public frameworks (npm, RubyGems, and PyPI) with the same or nearly the same names as several major technology companies used for their internal modules."

The consequence was that automatic build tools at the affected companies loaded Birsan’s publicly published software components with the same names, instead of components from the company's private internal codebase. This behaviour basically allows for anyone gaining knowledge of internal package names, to replace private code with their arbitrary code.

Npm Manifest Confusion attack¹³, 2022

npm packages have a so-called "manifest file," which contains metadata about the code package and lists dependencies on other packages. Former GitHub employee Darcy Clarke has uncovered that there are no mechanisms comparing the published manifest file with the one included in the tar-compressed downloadable code package.

Many software security tools evaluated software packages only on the basis of the information in the standalone manifest file. Build tools, however, orchestrate the build process based on the version included in the tar-compressed package. This provides an opportunity for a publisher or attacker to include malicious or known vulnerable code in the included manifest file, and thus in the built software, while the standalone published manifest file may not mention it and security tools thus not detect it.

Ensuring authenticity in opensource code – several initiatives on the horizon

Although code signing and publishing checksums that can be verified upon download are far from new, comprehensive and standardised solutions for scalable signing and traceable authenticity for open-source code have been lacking. This has led to much use of open-source components in software projects either relying on trust on insufficient grounds or depending on retrospective control using third-party tools searching for "known bad." Signing and traceable authenticity for open-source components, libraries, images, and more have therefore gained increasing attention. One such framework is Sigstore²², backed by Google, Redhat, Linux Foundation, Chainguard, and Purdue University.

Another approach to stay ahead, rather than searching for and uncovering malicious influence after the fact, is to use third parties who perform security vetting of popular open-source code and republish it in their own distribution channels. One such service that has gained much attention since its launch in 2022 is Google Assured Open Source Software²³. While Sigstore ensures verifiable and traceable origin and authenticity, Google Assured Open Source Software goes considerably further, including:

• Build process and documentation in accordance with SLSA-2

• Comprehensive SBOM for each package, with additional information such as vulnerability information, in SPDX and VEX formats

• Fuzzing²⁴ and vulnerability testing

• Distribution from infrastructure operated and secured by Google

Continuity and Availability Risks in Supply Chains

Several events, to some extent coinciding, have posed significant challenges in supply continuity in recent years, highlighting a different type of supply chain risk: supply continuity and availability disruptions. The societal impact of the Covid-19 pandemic, a ship stuck in the Suez Canal²⁵, increased geopolitical tension with conflicts on various fronts, including trade, and the outbreak of war in Europe have each influenced supply continuity in their own way, and underscored how dependent the world has become on supply continuity, and thus vulnerable to such events.

The Pursuit of Efficiency

Since its origin in Japan in the 1950s and 60s, just-in-time production has spread widely as the preferred method for resource- and capital-efficiency optimised manufacturing. The concept, along with the necessary just-in-time logistics, permeates throughout the entire value chain and has, from the 1970s to the 1990s, gained global prevalence across industries.

In short, nothing is produced or delivered to the next link in the supply chain until there is a concrete need, order, or forecasted need for it. There are few or no buffers; all processes are optimised, and inventory is considered "waste" (cf. Lean/Kaizen).

This approach creates a significant need for coordination and vulnerability to consequences in case of disruptions in one part of the supply chain. Both of which only worsens as each link in the supply chain becomes ever more specialised, leading to more suppliers, and supply chains become deeper and broader. This has driven a different dimension of risk in supply chains: supply continuity risk. Including this as a “security risk” might inspire many interesting discussions over semantics and professional terminology, but it is undoubtedly a risk dimension that, since the last time we addressed suppliers and supply chains in Digital Security, has repeatedly manifested itself and gained increased attention. In the context of an increasingly tense geopolitical situation, control over the supply of critical goods and materials has been weaponised.

The Supply Chain – Part of Continuity and Resilience

In Digital Security 2022²⁶, largely based on the experiences of disruptions in supply chains and acute needs that arose in Ukraine in the weeks and months following the invasion, we argued that Norway should consider establishing buffer stocks of standard information and communication technologies (ICT) components. However, this is only one proposal within – broadly speaking – one industry. It is in part addressed to Norwegian authorities, based on our reflection that this is a form of essential national resource.

For businesses in general, including actors in critical sectors with fundamental national functions, an assessment of supply continuity risk and measures to address it must be part of each organisation's plans for continuity and resilience.

This opens a Pandora's box of information needs:

• Do we have an overview of our critical resources, and do we know who the critical suppliers are?

• Have we taken into account that the loss of some resources that may seem less critical in their nature can still cause continuity disruptions to the organisation?

• Do we know who the critical sub-suppliers to the suppliers are, and how far down the chain can we gain and maintain visibility?

It also motivates innovative thinking regarding potential risk-reducing measures:

• Given foreseeable scenarios in an ever more unpredictable world with heightened geopolitical tensions, could it make sense to actually tie up more capital in stockpiling critical resources?

  • Can we collaborate with someone on this? Perhaps even competitors? Can industry associations play a role in coordinating joint efforts?

  • Can we achieve such collaboration among competitors without breaching competition and anti-cartel laws and regulations?

• Should we diversify the supply chain and spread supply continuity risk by establishing multiple alternative suppliers for the same critical resources?

  • Do we then know that the suppliers do not ultimately rely on the same critical input factors/sub-suppliers? (Thus nullifying most of the risk mitigation effect.)

  • Could the increase in security risk associated with broadening the supply chain, in which more suppliers and sub-suppliers become vectors for supply chain attacks against us, actually be greater than the reduction in supply continuity risk?

Highlighted by the commissions

Both the Defence Commission and the Total Preparedness Commission emphasise in their assessments, both generally and within specific sectors, the importance of preparedness and resilience. The vulnerability created by long and complex supply chains is thoroughly discussed, with clear conclusions about the need for strengthening and measures — primarily initiated by, but certainly not exclusively in the context of — government agencies.

It is also noted that many critical components are produced by very few geographically concentrated actors or are dependent on input factors (minerals, etc.) where active sources are geographically concentrated. The vulnerability resulting from super-efficient just-in-time supply chains is also highlighted. Among the commissions' measures, we find: strengthened self-sufficiency, buffers, and emergency stockpiles, supplier diversity for having multiple options, and strict guidelines regarding which countries of origin we should dare to expose ourselves to or become dependent on for supplies.

From the report of the Total Preparedness Commission (NOU 2023:17), we would like to highlight, among other things:

«There is a need for greater resilience regarding the storage of critical input factors and increased self-preparedness. We have experienced a long period of globalisation and increasingly efficient but complex international supply chains. This has provided us with inexpensive trade goods. At the same time, our own stockpiles have been reduced, and in certain areas, we have become dependent on countries and regions with which we do not share common interests.»

«China continues to challenge the Western community in several ways. The country seeks to control strategic infrastructure, resources, and value chains.»

«The pandemic and the war in Ukraine have exposed vulnerabilities related to access to expertise and materials. It is not guaranteed that specialised expertise and spare parts are always available from abroad.»

«Societal functions are becoming increasingly dependent on long and complex digital value chains, making it more challenging to control all involved actors and subcontractors. Dependencies in multiple links increase the risk of vulnerabilities being exploited, digital services becoming unavailable, unauthorised access to sensitive content, and content being altered in a way that makes it uncertain what is genuine or false.»

«The close connection between digital systems and long digital value chains with often unknown dependencies on a large number of actors further complicates the work of digital security.»

«The Commission believes that digital services have become so crucial for maintaining critical societal functions that authorities must take greater responsibility for security across value chains and across all sectors of society.»

«To reduce digital vulnerabilities nationally in critical infrastructure, it has become increasingly important to determine which countries one does not want materials from or other forms of dependence. The Commission believes that going forward, Norwegian authorities must, to an even greater extent, set conditions and provide advice regarding which countries, technologies, and services are considered a risk to national security.»