The SolarWinds Software Supply Chain Attack: How Developers Can Protect Applications

If you didn’t know what a software supply chain was – let alone a software supply chain attack – you do now. As someone who’s been researching, studying and talking about this attack vector for the past seven years, the malicious attack on SolarWinds’ Orion leading to public and private sector breaches has been fascinating – but not unheard of. Yet industry attention switched swiftly to this attack vector as the latest “what happened” story and “how do we not end up like SolarWinds” curiosity.

What Happened to SolarWinds’ Software

Let’s look first at “what happened”. In this particular case, malicious code was inserted somewhere in SolarWinds’ build process for its Orion product. My colleague Ax Sharma detailed a bit more about this last Monday. Keep in mind, more has unfolded since then – but the general story has remained the same. According to Microsoft:

The addition of a few benign-looking lines of code into a single DLL file spelled a serious threat to organizations using the affected product, a widely used IT administration software used across verticals, including government and the security industry. The discreet malicious codes inserted into the DLL called a backdoor composed of almost 4,000 lines of code that allowed the threat actor behind the attack to operate unfettered in compromised networks.

The fact that the compromised file is digitally signed suggests the attackers were able to access the company’s software development or distribution pipeline. Evidence suggests that as early as October 2019, these attackers have been testing their ability to insert code by adding empty classes. Therefore, insertion of malicious code into the SolarWinds.Orion.Core.BusinessLayer.dll likely occurred at an early stage, before the final stages of the software build, which would include digitally signing the compiled code.
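The point Microsoft makes above is the one developers most often get wrong: a valid code signature tells you who signed the bytes, not what went into them. If the implant lands between source checkout and compilation, the signing step dutifully certifies the tampered build. The following is an added example, not code from the Sonatype post or from Microsoft's analysis, that models that pipeline in miniature and shows the check that does catch it: an independent rebuild of the same sources (a reproducible-build comparison) whose digest is compared against the signed artifact. The "compiler", the source file names and their contents, and the signing key are all constructed stand-ins; an HMAC plays the role of the Authenticode signature, because the only property that matters here is that the signature covers whatever bytes reach the signing step.

```python
"""Miniature build-and-sign pipeline (added example, not real Orion code).

Models the sequence described in the Microsoft analysis: source checkout,
compilation, then signing of the compiled output. An attacker who hooks the
build server before compilation gets a validly signed artifact. The defence
shown is a second, independent build of the trusted sources compared by
digest, which is what a reproducible build gives you.
"""
import hashlib
import hmac

# Hypothetical release-signing key. HMAC-SHA256 stands in for the RSA/Authenticode
# signature of the real pipeline; like it, it covers the bytes it is given, nothing more.
SIGNING_KEY = b"hypothetical-release-signing-key"

# Marker the stand-in compiler emits before each file's section of the artifact.
SECTION_HEADER = b"// file: "

# Constructed stand-in for a source tree. Names and contents are illustrative only.
ORION_SOURCES = {
    "Alerting.cs": "class Alerting { void Raise() { } }",
    "Inventory.cs": "class Inventory { void Refresh() { } }",
}


def compile_sources(sources):
    """Deterministic stand-in for a compiler: each file becomes a delimited section,
    in sorted order, so identical input always yields identical output bytes."""
    out = bytearray()
    for name, body in sorted(sources.items()):
        out += SECTION_HEADER + name.encode() + b"\n" + body.encode() + b"\n"
    return bytes(out)


def sign_artifact(artifact):
    """Signing step: runs last, over whatever the build produced."""
    return hmac.new(SIGNING_KEY, artifact, hashlib.sha256).digest()


def signature_valid(artifact, signature):
    """What a consumer's signature check answers: was this signed with the release key?"""
    return hmac.compare_digest(sign_artifact(artifact), signature)


def build_and_sign(sources, inject_into=None, payload=""):
    """Build server. With inject_into set, an attacker hook appends `payload` to that
    file after checkout and before compilation, which is the position at which a
    signature cannot detect the change."""
    tree = dict(sources)
    if inject_into is not None:
        tree[inject_into] = tree[inject_into] + "\n" + payload
    artifact = compile_sources(tree)
    return artifact, sign_artifact(artifact)


def split_sections(artifact):
    """Parse the stand-in artifact back into {file name: compiled bytes}."""
    sections = {}
    for chunk in artifact.split(SECTION_HEADER)[1:]:
        name, _, body = chunk.partition(b"\n")
        sections[name.decode()] = body
    return sections


def verify_release(artifact, signature, sources):
    """Returns (signature_ok, reproducible_ok, tampered_files).

    signature_ok    -> the artifact was signed with the release key.
    reproducible_ok -> an independent build of the trusted sources produces the
                       same digest, i.e. the artifact is what the source compiles to.
    tampered_files  -> sections that differ between the two builds, if any.
    """
    signature_ok = signature_valid(artifact, signature)
    independent = compile_sources(sources)
    reproducible_ok = hmac.compare_digest(
        hashlib.sha256(artifact).digest(), hashlib.sha256(independent).digest()
    )
    tampered = []
    if not reproducible_ok:
        got, want = split_sections(artifact), split_sections(independent)
        tampered = sorted(n for n in set(got) | set(want) if got.get(n) != want.get(n))
    return signature_ok, reproducible_ok, tampered


if __name__ == "__main__":
    clean, clean_sig = build_and_sign(ORION_SOURCES)
    print("clean build   :", verify_release(clean, clean_sig, ORION_SOURCES))
    # An "empty class" probe of the kind Microsoft describes, injected pre-compilation.
    bad, bad_sig = build_and_sign(ORION_SOURCES, "Inventory.cs", "class Probe { }")
    print("implanted build:", verify_release(bad, bad_sig, ORION_SOURCES))
    # Tampering after signing is the only case the signature alone catches.
    print("post-sign edit :", signature_valid(bad + b"\x00", bad_sig))
```

Running the script shows the implanted build passing the signature check and failing only the reproducible-build comparison, which also names the file whose compiled section changed. In a real pipeline the second build must run on infrastructure the first one cannot influence (a separate builder with its own checkout), otherwise the same hook taints both sides of the comparison.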

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Derek Weeks.