/ Daily News/August 09, 2022 Guangzhou -- With the rapid development of digitization, various key information infrastructure and important applications are increasingly dependent on upstream supplies. Cyber criminals and hackers have also found that the supply chain is full of loopholes that can be exploited. Supply chain attack is one of the commonly used technical means in APT attacks. It is often easier to miss, harder to detect, and lasts longer.
What is a supply chain attack?
Supply chain attacks are an emerging threat to software developers and vendors. The attack objects are third-party software vendors, development or testing platforms, open source software, etc. The goal is to infect legitimate applications, exploit the interconnections between supply chains and vulnerabilities contained in open source libraries, reach all customers in the application chain, and attack customer hosts. Its attacks are hidden and persistent, rippling and devastating.
Software supply chain
This section uses the NPM package management and distribution tool (NodeJS) supply chain attack event as an example to describe typical supply chain attack events.
In December 2021, foreign security researchers discovered a malicious NPM module of Java code. NPM is the default package manager for the JavaScript runtime Node.js, and most web applications use NPM components. By the time the NPM security incident was exposed, this malicious code had been downloaded in large numbers, and the malicious code bundled into the NPM module was running in an unknown number of applications and web pages, collecting countless amounts of user data. As of July 1, 2022, a ReversingLabs report tracking NPM indicates that while some malicious code packages have been removed from the NPM module, malicious code still remains in some NPM modules, which have been downloaded more than 270,000 times in recent months, damaging tens of thousands of downstream desktop applications and websites.
Why are supply chain attacks so hard to prevent?
Once a third-party component has a vulnerability or is implanted with a Trojan horse, the program that depends on or is associated with the component will also have the same vulnerability or be infected with a virus. After the third-party component vulnerability outbreak, the customer does not know whether the component containing the vulnerability has been installed.
As shown in the log4j diagram, Apache software, jackcore, and Log4j-core are all dependent on and associated with log4j. Customers only know that Apache and other components are used, but do not know whether log4j is installed.
2. Supply chain vulnerabilities are secretive.
< P > Supply chain vulnerabilities have the most direct, secret and long-term impact on software, and their secrecy makes it difficult for customers to timely discover these vulnerabilities that have established trust relationships. It faces potential security risks from third-party supply chains such as illegal login, data leakage and ransomware.
Log4j2 event. Log4j2 vulnerability is a software supply chain threat from open source components. The targets of vulnerability related attack events are widely distributed and the attack chain is extremely short.
3. The influence of supply chain threats is diffuse.
Vulnerability of upstream products will affect all downstream roles, causing the chain transmission of security risks and increasing the attacked area.
SolarWinds, hackers infiltrated the SolarWinds Intranet and inserted a backdoor into the Orion source code. SolarWinds customers used Orion update servers to upgrade Orion to a new version with a backdoor. Hackers stole customer data through Orion with a backdoor. Lead to a large number of customer core data leakage.
How to defend against supply chain attacks?In view of the above attack characteristics, Youxuan software provides safe, efficient and professional solutions to supply chain attacks, using technology and practices to prevent data, applications and critical business systems from being attacked.
Youhyun Operating system Security Enhancement system (RS-CDPS) for supply chain attacks can be divided into the following steps.
Step 1: Organize security assets
Collect and organize fine-grained security assets and third-party components in hosts and classify them by application and framework so that security management personnel can clearly understand third-party components contained in service applications. Supports one-click keyword search for risk components, helping customers quickly locate risk components and hosts.
Step 2: Open source Vulnerability software Continuous monitoring
Periodically scans used packages and their dependencies and compares them to a wide range of data on vulnerable packages and versions to see if there are any known vulnerabilities in business applications. If a dependency has known vulnerabilities, especially those classified as critical vulnerabilities, alarms are generated and handling suggestions are provided for the security administrator to handle.
Step 3: Protect key files (data)
You can set key files or file paths and dynamically authorize processes or users to read and write files and directories, effectively protecting applications and core data. Even if the supply chain vulnerability appears in the short term, it can effectively reduce or even eliminate the harm caused by the vulnerability.
Step 4: Dynamic process authorization
Based on the principle of "zero trust", RS-CDPS dynamically authorizes process running, allows necessary processes to run at least, prevents malicious termination, modifies process behavior, and effectively defends against unknown virus threats.
Step 5: East-west isolation
< p>< P >< P >< P >< P > Based on service tagging, the application system is taken as the core, and the access relationship between Intranet hosts is collected and displayed through visualization technology. The minimum permission principle is adopted to formulate policies to effectively reduce the horizontal movement of internal attacks.
