The SolarWinds attackers were able to insert malicious code into Orion software by subverting the build environment, the process which a program is compiled and deployed. Sunspot Malware watched build servers for any commands and replaced source code with its own malicious instructions. The problem this posed to security teams was the fact that the Orion software was digitally signed with a valid certificate from SolarWinds, which made it seem trustworthy. There was no way for organizations that used the Orion software to know that SolarWinds itself had been compromised.
Enter the Reproducible Builds concept, a program working to find a solution to supply chain style attacks such as the recent SolarWinds events. “This ability to notice if a developer has been compromised then deters such threats or attacks occurring in the first place as any compromise would be quickly detected. This offers comfort to front-liners that they not only can be threatened, but they would not be coerced into exploiting or exposing their colleagues or end-users.” Current methods of signing software prove to be either overly complicated slowing production or plain insecure as some of these public key digests exist as a Readme file or on websites with actively exploited vulnerabilities. So with that, the Linux Foundation partnered with Red Hat and Google have released the Sigstore Project. Users can generate ephemeral short-lived cryptographic key pairs while the Sigstore PKI service provides a signing certificate upon an immutable transparency log using an OpenID connection grant.
Analyst Notes
Software supply chain security is paramount to a more general cybersecurity program. As with the SolarWinds attacks the public was made aware at the inherent vulnerabilities and ease of attack that can be employed when a build environment is compromised, especially when it’s a closed source project. While the best practices of limiting operating systems to only run signed software is one of the must check boxes, at this time it does not guarantee running a completely secure product. Projects like the Linux Foundation’s Sigstore are a leap forward in protecting the software supply chain. However, these programs are in their infancy and will not negate the need for active risk mitigation programs. Binary Defense offers a team of seasoned Threat Hunters to seek out threats in a development environment. With active hunting, vulnerabilities and compromise may be discovered before any damage is done and greatly reduces costs involved in full breaches and ransomware attacks.
https://www.linuxfoundation.org/
https://sigstore.dev/
https://reproducible-builds.org/
