As the economic importance of digital innovation accelerated during the global pandemic, so too did the number of cyberattacks aimed at exploiting software supply chains. According to Sonatype’s 2021 State of the Software Supply Chain Report, these attacks are now increasing exponentially.
In 2021, for example, Sonatype tracked a 650% increase in software supply chain attacks aimed at exploiting weaknesses in upstream open source ecosystems. This compares to 2020, when it reported a 430% increase in such attacks.
What is Upstream Open Source Software?
Open source software is based on code that anyone can see, modify and distribute as they see fit, while the term “upstream” refers to the actual flow of data. According to Red Hat, the upstream in open source is the “source repository and project where contributions happen and releases are made.” The contributions then flow from upstream to downstream.
“Open source software is developed in a decentralized and collaborative way, relying on peer review and community production,” Red Hat states. “Open source software is often cheaper, more flexible, and has more longevity than its proprietary peers because it is developed by communities rather than a single author or company.”
According to Sonatype, the most common types of attacks on the software supply chain over the last year included:
- Dependency confusion: This novel, highly targeted attack vector allows unwanted or malicious code to be introduced downstream automatically, without relying on typosquatting or brandjacking techniques. A bad actor determines the names of proprietary (inner source) packages used by a company’s production application. Equipped with this information, the bad actor then publishes a malicious package with the exact same name and a newer semantic version to a public repository that does not regulate namespace identity.
- Typosquatting: This attack preys on developers making otherwise innocent typos when searching for popular components. For example, if a developer accidentally types “electorn” when their intention is to source “electron,” they might install a malicious component with a similar name.
- Malicious source code injections: Such attacks involve injecting malicious source code directly into an open source project’s repository, and have been conducted in various ways. With code injections, it is likely that no one knows the malware is there except for the person who planted it. This approach allows adversaries to surreptitiously “set traps” upstream, and then carry out attacks downstream once the vulnerability has moved through the supply chain and into the code bases of thousands of companies.
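The two package-level patterns above, dependency confusion and typosquatting, can both be caught by auditing what a lockfile actually resolved. The following is an added example, not code from Sonatype’s report; the internal registry URL, the `acme-` inner-source prefix, the popular-name shortlist and the lockfile-style entries are all constructed for the demonstration.

```python
"""Audit resolved dependencies for dependency confusion (an inner-source name
served by a public registry) and typosquatting (a one-keystroke near-miss of a
popular name). Added example; registry, prefix and sample entries are constructed."""

INTERNAL_REGISTRY = "https://npm.internal.example/"   # assumed private mirror
INTERNAL_PREFIX = "acme-"                              # assumed inner-source prefix
POPULAR = ("electron", "express", "lodash", "react")   # constructed shortlist


def osa_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance, so that a
    transposition such as 'electorn' vs 'electron' counts as a single edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def audit(resolved: list) -> list:
    """Return one finding per suspicious entry. Each entry carries 'name',
    'version' and 'resolved' (the URL it was fetched from), as a lockfile does."""
    findings = []
    for dep in resolved:
        name, url = dep["name"], dep["resolved"]
        # Dependency confusion: our private name, but a public registry served it.
        if name.startswith(INTERNAL_PREFIX) and not url.startswith(INTERNAL_REGISTRY):
            findings.append(f"confusion: {name}@{dep['version']} from {url}")
        # Typosquatting: within one edit of a well-known package, but not that package.
        for known in POPULAR:
            if name != known and osa_distance(name, known) <= 1:
                findings.append(f"typosquat: {name} resembles {known}")
    return findings


# Constructed lockfile-style entries: clean internal, confused internal, typosquat, clean public.
SAMPLE = [
    {"name": "acme-billing", "version": "1.4.0", "resolved": "https://npm.internal.example/acme-billing-1.4.0.tgz"},
    {"name": "acme-auth", "version": "99.0.0", "resolved": "https://registry.npmjs.org/acme-auth/-/acme-auth-99.0.0.tgz"},
    {"name": "electorn", "version": "1.0.0", "resolved": "https://registry.npmjs.org/electorn/-/electorn-1.0.0.tgz"},
    {"name": "express", "version": "4.18.2", "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz"},
]

for finding in audit(SAMPLE):
    print(finding)
```

Running the audit on the constructed entries flags `acme-auth` (an internal name that resolved from the public registry with an implausibly high version) and `electorn`, while the legitimately resolved packages pass.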
High-Profile Attacks
Several high-profile supply chain attacks have put a bright spotlight on the vulnerabilities of these networks, with the SolarWinds Orion attack in December 2020 among the most notable. It started with threat actors gaining access to SolarWinds’ internal development tools to inject malicious code into SolarWinds’ Orion update binaries. These trojanized updates delivered a backdoor, known as SUNBURST and Solorigate, to systems running the Orion platform.
About 18,000 customers automatically pulled these malicious updates, exposing the networks of large companies and government entities like the National Nuclear Security Administration and enabling the bad actors to explore and exploit their networks at will over the course of many months.
“By attacking the SolarWinds software supply chain and mingling their malicious code with the legitimate, trusted code that was delivered to their clients,” Sonatype points out in its report, “attackers were able to plant backdoors on the systems of tens of thousands of SolarWinds’ customers.”
What’s Ahead?
Right now, Sonatype says members of the world’s open source community are facing a “novel and rapidly expanding threat” that is being driven by aggressive attackers implanting malware directly into open source projects with the intent of disrupting the commercial supply chain.
“Although there are many tools designed to protect the perimeter of downstream technology assets, the truth of the matter is this: software itself is increasingly the soft underbelly of digital risk,” Sonatype concludes. “If the past year is any indication, we expect that attackers will continue to target upstream software supply chain assets as a preferred path to exploiting downstream victims at scale.”