Open-source software supply chain attacks are on the rise – but they’re mainly our own fault

Daphne Frik

11 April 2024

How do we find vulnerabilities in software and prevent cyberattacks? Most of the time, it takes entire teams at big tech companies. Often, we do not even find them before it’s too late. But sometimes, it only takes one person paying attention at the right time.

At the end of last month, a software engineer working for Microsoft noticed a backdoor in XZ Utils, a compression and decompression library available on almost all installations of Linux. While doing routine maintenance and reviewing a log of automated tests, the engineer found a few error messages he did not recognize, the New York Times reported. Later, he noticed that SSH was using more processing power than normal, and he was able to trace the issue to XZ Utils. When going through the source code, the engineer found malicious code in the latest versions of XZ Utils, allowing the creator of this backdoor to hijack a user’s SSH connection.

Described as “one of the best-executed supply chain attacks we’ve seen described in the open,” the backdoor seemed to have been several years in the making, according to researchers looking at the attack.

So far, however, no impacted devices have been found. Although the damage could have been widespread, as ZX Utils is heavily used in embedded systems and firmware deployment, the slow deployment of the device updates seemed to have played a positive role in preventing damage, Spiceworks noted.

Supply chain incidents

The recent incident highlights the issues that are inherent to the nature of open-source software. Yet, when attacks involve an entire supply chain, things can get even worse.

This became clear during the SolarWinds attack. At the end of 2020, hackers gained access to the networks, systems, and customer data of the U.S.-based software company. The hackers were able to do so by gaining unauthorized access to the network, injecting malicious code into the third-party software used by SolarWinds, and sending out software updates with hacked code.

The hack triggered a huge supply chain incident that affected thousands of organizations, such as Microsoft, Cisco, Deloitte – and several U.S. government departments.

Open-source software risks

In software supply chain attacks, attackers are looking for weaknesses in the code to exploit. Usually, these attacks are used as a vehicle to gain access to something. When it comes to open-source software, attackers might have an easier way in.

Open-source software supply chain attacks have tripled since 2019, according to Sonatype’s 2023 State of the Software Supply Chain Report. The software company logged over 245,032 malicious packages in open-source projects available to public download in 2023, which was double the number seen from 2019 to 2022. CPO Magazine highlights from the report that “correctable user behavior continues to be by far the leading cause of software supply chain attacks,” as 96 percent of the projects that pose a risk have a version available that removes the vulnerability. In summary – users should be updating their software in a timely manner.

Protecting against attacks

Other than updating our software on time, a few other strategies can help prevent attackers from gaining access. Firstly, companies need to have a software bill of materials (SBOM): a list of all open-source and third-party components present in a codebase. This SBOM also needs to include all licenses, versions, and patch statuses.

Every software component in the SBOM should then be scanned for publicly disclosed cybersecurity vulnerabilities during the entire CI/CD pipeline, from build to test to deployment to run time. As Infoworld rightly points out, vulnerability scanning should start at the earliest stages of the software development lifecycle, before issues become more difficult to fix.

Lastly, a company should have zero-trust initiatives. As CSO Online explains, “At its core, zero trust is a way to think about and structure a security strategy based on the idea of ‘trust no one and nothing, verify everything’.” By adopting a different mindset that removes implicit trust and replaces this with verification among the different frameworks, security challenges can be more easily spotted and addressed.