Fortifying Your Software Supply Chain: Safeguarding Against Next-Generation Attacks
Reading Time : 8 minutes
In recent years, the software industry has witnessed a surge in code signing attacks. Hackers have been exploiting vulnerabilities in code signing certificates to launch sophisticated attacks on software supply chains, leaving organizations with significant financial and reputational damages. Recent cyberattacks, such as the SolarWinds and Codecov breaches, have highlighted the devastating effects of code signing attacks, causing governments and industry experts to take notice.
The US government, for instance, has issued alerts and advisories warning against the risks of code signing attacks, urging software developers to secure their software supply chains with robust security measures. The need for code signing tools has never been more critical, as they can provide a reliable defence against the potential harm of these attacks.
According to early data from Sonatype’s 8th annual State of the Software Supply Chain Report, released on October 18, 2022, Sonatype has recorded an average 700% jump in repository attacks over the last three years. These figures are massive and what’s more concerning is the threat it poses to customers.
In this blog, we’ll delve deeper into the rise of code signing attacks, explore recent attacks and their consequences, examine reports from government organizations, and discuss the importance of code signing tools in safeguarding software supply chains. By the end of this blog, you’ll have a better understanding of the current threat landscape and what measures you can take to secure your software supply chain against code signing attacks.
Modern Attacks used by APTs
Through time not only our defenses are fortified with cutting-edge technology, but the attacks used by APTs are also getting smart. Hackers are getting swifter in their movements.
Some types of code signing attacks that modern APTs use are listed here:-
Code Signature Spoofing
Attackers can steal legitimate code-signing certificates and use them to sign their malware, bypassing antivirus and other security measures.
Attackers can plant backdoors in compilers, which are then used to inject malicious code into legitimate software programs during the compilation process.
Attackers can intercept and modify software packages as they are being downloaded, injecting malicious code, or manipulating the code’s behaviour to cause harm.
Dependency Confusion Attacks
In this type of attack, attackers take advantage of vulnerabilities in the software development process to inject malicious code into the software supply chain by exploiting dependencies that have the same name as legitimate ones.
But who shoulders the security factor?
Any successful cybersecurity program requires a comprehensive strategy that involves both humans and machines. However, in recent years, APT groups have exploited vulnerabilities in the human factor by leveraging social engineering tactics to penetrate the system undetected. Such attackers exploit security teams’ assumptions about adware and other seemingly harmless applications to move laterally within the network and avoid detection by security solutions.
They can even use legitimate tools already present in the system to their advantage. To mitigate these risks, it is crucial to not only invest in cutting-edge technology but also to educate employees on best practices. A comprehensive approach that combines advanced technology with employee training is necessary to ensure that the human factor is not a weak link in the security chain. By doing so, organizations can better protect themselves from APT groups and other sophisticated threats that target the human psyche.
What leads to certificate compromise?
Code-signing certificates are critical to ensuring software security. However, they are also susceptible to compromise by hackers. Attackers can obtain these certificates in various ways, such as by exploiting three key vulnerabilities.
- The first is key theft, where code-signing certificates and their private keys are often stored in unprotected locations, such as signing servers or developer workstations. A breach in these systems can provide easy access for hackers.
- The second vulnerability is internal misuse, where developers inadvertently make it easy for attackers to obtain code-signing certificates. An example of this is when D-Link accidentally published four code-signing keys in open-source firmware back in 2015.
- The third and most concerning is a signing compromise, where attackers target the signing infrastructure itself. By compromising the infrastructure, attackers can sign malware and distribute it as legitimate software, without detection. In 2019, for instance, hackers compromised ASUS’ Live Update Utility, enabling them to distribute malware to thousands of users undetected.
Here we come into the picture, CodeSign secure is our technology that helps reduce the risk of compromise to a large extent. We directly address the issues related to the factors which ultimately lead to compromise.
Compromise not only cost extravagant money but also user distrust. Breaches are synonymous with chaos for any organization. Patching the vulnerability as soon as possible is the top priority but nobody knows how much time it may take to fix it.
CodeSign Secure is the shield that safeguards you from this chaos.
CodeSign Secure addresses the problems with:
CodeSign Secure starts with virus scanning before commencing any type of signing process. It searches for any viruses or malware that may have been injected into the file before sending it away for the signing process.
CodeSign secure uses client-side hashing, providing you with that extra layer of security for customers. Hashing a file at its origin helps maintain its integrity at its peak and gives the customer a clear view of the file and what comes after signing.
CodeSign Secure never exposing the key while signing the file/code. The file is signed inside the HSM, and the keys are never exposed to the outside world.
Role-based access control
Our organization provides Role-based access control for code/file signing providing correct access and privileges to the user. Ensuring only those with proper roles can access certificates, and keys within the tool.
Revoking compromised certificates
When a certificate expires, it will automatically be renewed, but in the case that a certificate or key is found to have been compromised, the key can be revoked and thus the signing process cannot occur with that key and certificate.
Timestamp your signed code
Avoid the risks of software expiring unexpectedly when the code signing certificate expires. When a code signing certificate expires, the validity of the software that was signed will also expire unless the software was timestamped when it was signed.
Monitor and audit key signing workflows
Certificates and keys are associated with specific applications, and whoever is signing anything gets recorded in the logs of our tool, so we have the IP and the username of anyone attempting to sign. They will be blocked if they do not have valid credentials, or if the key or certificate has expired.
The Internet is going to be more chaotic in the upcoming time. These cyber-attacks are not halting anywhere soon, on the contrary they are going exponentially increase. Protecting our data must be done by us and proper precautions and measures are required to do so.
Not only do we need to use cutting-edge technology but general awareness among the masses. Regular audit policies and proper role-based authentication and access control system are needed to be in place.
Bearing all the responsibility of protecting your product is very heavy and you can always find a shoulder to rely on. We would be more than happy to be that shoulder and help to protect what truly matters to you.