One of the issues we talk about frequently is that modern software is made up of component parts, known as "dependencies." Not only is building with open source software dependencies a frequent practice, it often makes up the great majority of software developed today.
Unfortunately, those who build software from dependencies face an increasing burden to ensure component safety. Development teams must validate that any software developed outside their organization has not been tainted with malware, and if a problem is discovered, they must act quickly to address it.
Failing to keep an eye on dependencies means increased exposure to exactly this kind of compromise.
The importance of software supply chain management was again underlined on March 30th when multiple sources suggested 3CX was under attack. The company distributes softphone tools for approximately 600,000 customers for all major operating systems. These native clients (non-web apps) use the open source Electron framework, and both Mac and Windows users were affected.
Specific details about the genesis and results of the attack are still emerging, but we know that:
It was a software supply chain attack, meaning a third-party component that the company builds its product from was compromised. 3CX specifically refers to it as a "complex supply chain attack" (source).
3CX did not immediately recommend upgrading, which is the most common advisory when a compromised part is discovered. Instead, they actively suggested users uninstall the Mac and Windows apps and switch to software based on a different framework (the PWA Web Client App). This is likely because they were not able to immediately find and remove the compromised binaries or code.
These were skilled attackers. The attack is understood to be a competent effort by a state actor, which is part of why the topic gained so much attention. It went undiscovered for almost a month.
A broad compromise was used to enable targeted attacks. Not everyone using 3CX was affected, only some users, likely for information theft, and specifically cryptocurrency companies. Ultimately, the 3CX tools and reputation were leveraged to attack specific groups or users.
The attack has in many quarters been compared to the attack on SolarWinds and other groups in 2019. This includes the sophistication of the attackers and how digital signatures did not catch problems.
As we noted shortly after that attack:
"By attacking the SolarWinds software supply chain and mingling their malicious code with the legitimate, trusted code being delivered to their clients, attackers are able to cast a much wider net downstream." (source)
This is just the latest in an ongoing campaign of attacks on the software supply chain. Bad actors focus on upstream targets, compromising a single component that is then distributed downstream through trusted software workflows and update mechanisms.
This latest attack highlights how software supply chain management is necessary for development teams and organizations. As Sonatype security researcher Ax Sharma explains:
“The 3CX incident demonstrates how sophisticated threat actors, believed on this occasion to be nation-state hackers, are abusing open source ecosystems like GitHub to host seemingly benign files. In this case, icons that in fact contain malware. The name of the repo, "IconStorages", and the format of the files raise no obvious red flags either, and they were initially cleared by most antivirus products.
“Any system that's open to the public (i.e. open source) is also open to adversaries, which is why we need novel solutions to safeguard the open source repos and ecosystem before they can be leveraged by advanced persistent threat actors to conduct supply chain attacks. With software supply chain attacks increasing by 742% over the past three years, there is an immediate need for drastic action to turn the tide against malicious actors such as those responsible for the attack on 3CX.”
To learn more about this topic, see our research in the 8th annual State of the Software Supply Chain report. We look at attack types and trends, as well as emerging standards and regulation. Most importantly, we look at dependency management practices to minimize the risk around software supply chain attacks.