The recently disclosed hack of the voice over IP (VoIP) software vendor 3CX led to malicious code linked to a North Korean state actor being pushed to thousands of the company’s customers in the form of a signed software update for the company’s desktop client application.

It is the most prominent example of a software supply chain attack since SolarStorm, the 2020 compromise of the SolarWinds Orion software — and it won’t be the last such incident. In fact, security experts believe that sophisticated cyber campaigns targeting software supply chains will become even more prominent in the months and years ahead — and there’s a good reason why.

Diamond-Quality Cyber Offense

Strategically, the growing interest in software supply chain attacks is a variation of the old baseball adage to “hit ‘em where they ain’t.” Attributed to early 20th century player Wee Willie Keller, the adage was a charge to Keller’s teammates to hit the baseball to parts of the playing field where opposing players weren’t standing, ready to field it.

That’s a simple idea, but it’s difficult to pull off in both baseball and cyber offense. For baseball players, the challenge is to hit a spherical ball traveling at upwards of 100 mph with a cylindrical bat — and then direct where the ball goes. For cyber adversaries, “hit ‘em where they ain’t” requires steering attacks around a forest of security tools including Endpoint Detection and Response (EDR) software that can detect novel threats, as well as Security Information and Event Management (SIEM) technology, which aggregates security feeds to spot emerging threats and attacks. A successful threat actor today, less confident of avoiding detection, needs to have a firm foothold in target environments before the opportunity for detection arises.

Software supply chain attacks are the inevitable result. They allow attackers to take advantage of weaknesses in the security of development organizations to place malicious code within signed software updates. They then exploit the trust relationship between the software publisher and its downstream customers to plant that code in protected environments.

Such attacks are paying off for cyber adversaries because the current moment finds software publishers and their customers particularly vulnerable to exploitation. For publishers, the embrace of agile DevOps methodologies makes development teams reliant on long and complex supply chains of open source and third-party libraries and microservices to quickly assemble applications.

However, security measures to address the increased cyber risks have lagged. Sure, there are plenty of “uniforms in the field” to catch threats like software vulnerabilities or out of date open source or third party libraries using technologies like Static- and Dynamic Application Security Testing (SAST and DAST) as well as Software Composition Analysis (SCA). But there are big gaps in detection for things like malicious open source libraries that use “typosquatting” to fool developers into including them in builds, or tampering that adds features such as back doors to legitimate internal or third-party code.

On customer networks, traditional security tooling isn’t configured to tilt against signed software updates from legitimate publishers. And most existing security tools can’t interrogate binaries for undocumented behaviors and functions that may be hiding malicious code. Attackers who are able to sneak code into otherwise legitimate applications stand a good chance at seeing it slip by existing cyber defenses.

3CX incident highlights software supply chain risks

We can see that in the 3CX incident, where attackers believed to be the North Korean APT group LABYRINTH CHOLLIMA appear to have infiltrated the company’s development environment and tampered with 3CX’s versions of two open source libraries used to build its 3CXDesktopApp clients. The modifications appended malicious shellcode to one of the libraries that, when executed, downloaded and installed an information stealer application and a malicious backdoor in victims’ environments.

The security lapses extended to 3CX’s customers, which trusted and deployed the signed update received from the company. The objective may have been to target 3CX customers in the cryptocurrency industry, say reports. It was only after some flavors of EDR software, tipped off by the presence of shellcode in the update files, began blocking the update that customers became aware of any discrepancy. For many 3CX customers, however, the detection came too late: malicious software was already installed and running within their environments and sensitive data potentially exfiltrated.

Analysis by researchers at ReversingLabs showed that it didn’t need to play out that way. There were clear signs that the 3CXDesktopApp update had been tampered with that should have prevented shipping the compromised client update — had the developers been looking for them. Those included evidence that a binary that was digitally signed by Microsoft has been modified post-signing so as not to break the signature integrity — a technique used by some APT groups to shuttle malicious code into victim environments.

We need to shift on software supply chain risk

On the baseball diamond, the answer to “hit ‘em where they ain’t” was “the shift.” Baseball teams began collecting detailed statistical analyses of batters, then used that data to “shift” fielders to the areas of the field where a batter was most likely to hit the ball. The result: much better defense, and much less offense.

Something similar needs to happen within development environments. Existing tools like SAST, DAST and SCA need to be supplemented with new capabilities that address weaknesses in the software development lifecycle that malicious actors are exploiting. The ability to spot malicious code lurking in open source or third-party libraries and interrogate binaries post-compilation and detect evidence of tampering or unexplained features and functionality is critical.

Attacks like those on 3CX and SolarWinds aren’t going away, but they can be managed. As development organizations embrace new security capabilities designed to detect threats in development pipelines, we can make sure that malicious actors have a harder time knocking one out of the park.