This post is part of an ongoing blog series examining predictions and recommendations for cybersecurity in 2018.
The idea that users might accidentally trust software that has been secretly compromised is over 30 years old, dating back to Ken Thompson’s Reflections on Trusting Trust published in 1984. When we choose to execute programs on computers of all types, we’re choosing to trust that none of the people who played a role in creating, packaging and delivering that software either have malicious intent or have been compromised themselves.
In the past two years, we’ve seen multiple compromises of the “software supply chain,” the chain of developers, build tools and distribution servers that delivers trusted software and updates to our systems for execution, and the impact of those compromises has continued to escalate. Here are a few examples we’ve noted in that time:
- September 2015 – XcodeGhost: An attacker distributed a modified version of Apple’s Xcode (the toolchain used to build iOS and macOS applications) through unofficial download mirrors. The modified toolchain injected additional code into every iOS app built with it, and thousands of compromised apps were eventually identified in Apple’s App Store.
- March 2016 – KeRanger: The installer of the popular open source BitTorrent client Transmission was modified to include macOS ransomware. Attackers compromised the legitimate servers used to distribute Transmission, so users who downloaded the program from its official site installed malware that encrypted their files and held them for ransom.
- June 2017 – NotPetya: Attackers compromised a Ukrainian software company and pushed a destructive payload with network-worm capabilities through the update channel of its “MeDoc” accounting and tax software. After infecting systems running the software, the malware spread laterally to other hosts on the network and caused worldwide disruption affecting many organizations.
In each case, rather than targeting an organization directly through phishing or exploitation of vulnerabilities, the attackers compromised the developers, build tools or distribution servers of trusted software and abused the trust we place in that software to reach other networks. This is effective at evading prevention and detection controls that have been tuned to trust well-known programs. I predict that, in 2018, both the frequency and severity of these attacks will increase.
Software supply-chain attacks remind us how important it is to create a well-defended network with visibility at every point in the attack lifecycle, and the ability to identify and stop activity that has strayed from the norm. I suggest organizations prepare for this new era of attacks by investigating how their people, process and technology would defend them if their trusted software suddenly turned into malware through an automated update.
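As an added illustration of one technology check the closing recommendation asks for, the script below is not code from the original post; it models the KeRanger pattern from the list above. The download server is compromised, so a checksum file served beside the installer is recomputed by the attacker and passes, while a SHA-256 digest pinned from an independent channel (release announcement, signed tag, or a prior known-good build) still catches the swap. The installer bytes, file name, manifest format and digests are all constructed for the example.

```python
"""Added example (not from the original post): why an integrity check must
pin its reference value from a channel independent of the download server.

Scenario modelled on the KeRanger case: the distribution server is
compromised, so the installer and the checksum file served next to it can
be replaced together. All artifacts, digests and the manifest format are
constructed for illustration; they are not real Transmission release bits.
"""
import hashlib
import hmac

# Constructed stand-ins for installer bytes (hypothetical content).
GENUINE_INSTALLER = b"Transmission-2.90.dmg :: genuine build (constructed)"
TROJANED_INSTALLER = b"Transmission-2.90.dmg :: build + ransomware payload (constructed)"
ARTIFACT_NAME = "Transmission-2.90.dmg"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact."""
    return hashlib.sha256(data).hexdigest()


# Reference digest pinned *before* the download, from a source independent of
# the server (release announcement, signed tag, or a previous known-good build).
PINNED_DIGEST = sha256_hex(GENUINE_INSTALLER)


def make_manifest(artifact: bytes, name: str) -> str:
    """Build a sha256sum-style manifest line '<hex>  <name>' for whatever the server hosts."""
    return f"{sha256_hex(artifact)}  {name}\n"


def parse_manifest(text: str) -> dict[str, str]:
    """Parse sha256sum-style text into {filename: hexdigest}; blank lines are ignored."""
    digests: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        digests[name] = digest.lower()
    return digests


def digests_match(expected_hex: str, artifact: bytes) -> bool:
    """Constant-time comparison of a reference digest against the artifact's digest."""
    return hmac.compare_digest(expected_hex.lower(), sha256_hex(artifact))


def verify_with_served_manifest(artifact: bytes, manifest_text: str, name: str) -> bool:
    """Weak check: trusts a checksum file fetched from the same server as the download."""
    return digests_match(parse_manifest(manifest_text)[name], artifact)


def verify_with_pinned_digest(artifact: bytes, pinned_hex: str) -> bool:
    """Strong check: compares against a digest obtained out-of-band and pinned locally."""
    return digests_match(pinned_hex, artifact)


def download_and_check(server_compromised: bool) -> dict[str, bool]:
    """Simulate fetching installer + manifest from the server and running both checks.

    When the server is compromised, the attacker serves a trojaned installer
    *and* a manifest recomputed to match it, so only the pinned check fails.
    """
    served_installer = TROJANED_INSTALLER if server_compromised else GENUINE_INSTALLER
    served_manifest = make_manifest(served_installer, ARTIFACT_NAME)
    return {
        "served_manifest_check": verify_with_served_manifest(
            served_installer, served_manifest, ARTIFACT_NAME
        ),
        "pinned_digest_check": verify_with_pinned_digest(served_installer, PINNED_DIGEST),
    }


if __name__ == "__main__":
    for compromised in (False, True):
        print(f"server_compromised={compromised}: {download_and_check(compromised)}")
```

Running the script shows both checks passing for the genuine download and only the pinned check failing once the server is compromised. The same principle applies to an automated updater: the reference it compares against (a digest or a signing key) must be established through a channel independent of the one delivering the update, because a checksum or key fetched from the compromised server offers no protection.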