Attributed by Nathan Wenzler, chief cybersecurity strategist, Tenable
The XZ-Utils backdoor is one of the most well-executed supply chain attacks sharing a podium spot with SolarWinds Orion attack and Log4Shell vulnerability. Carefully hidden in a widely-used open-source library, the sophisticated backdoor could have allowed remote code execution (RCE) on millions of systems if it hadn’t been accidentally discovered sooner. If successfully exploited, it could have caused serious damage to established software build processes as the backdoor would have given attackers the same level of control over affected systems as authorised administrators.
The identification of this vulnerability brings to the fore why organisations must be doubly careful in deploying open-source code. Open-source development is a great way of pooling developer talent to make a piece of software the best it can be, but it often comes at the cost of security.
Shadow IT and backdoors in open source code
According to a recent report, 90% of today’s most popular applications contain open-source code and 74% of the applications scanned for security risk in 2023 contained high-risk vulnerabilities. As any developer can contribute code or code changes to open source projects, there’s a high risk of malicious code being injected into a piece of software. Typically, open-source projects operate on the premise that many developers are reviewing the code and notice and remove any malicious code before the software is publicly available. This isn’t foolproof because malicious actors are getting better at obfuscating the true nature of the code they inject.
In the case of XZ-Utils, the backdoor wasn’t hidden in the code itself but was hidden in separate “test” files, reassembled and inserted into the library during compilation. Open source software can introduce unknown risks into environments, potentially leading to cyberattacks, as malicious code becomes increasingly stealthy and the complexity of the code bases grows and becomes more difficult for individual contributors to review thoroughly. Identifying backdoors within any of the applications or libraries they use, is now increasingly difficult and not entirely foolproof.
Defending against these types of threats for any type of application requires a combination of automated security tools in use to access the code base and/or full application access to validate the code and functionality of the program along with the human expertise and depth of knowledge to review findings and correct them before the code is released into production. However, proprietary, closed-source applications don’t generally allow this level of access, and open source applications may seem risk-free to automated security tools. If backdoors are well-hidden like in the case of XZ-Utils, automated tools can miss it, and organizations are left with the option of manually reviewing the software line by line if they want to perform their due diligence and try to ensure no malicious code is present. And even then, it won’t necessarily guarantee that the malicious code will be found.
This is a challenging problem that forces most organisations to accept the risk to gain the benefits of using open-source code
Securing the software supply chain
It’s impossible to completely monitor the security practices of software vendors as they don’t typically open their source code to the public or allow anyone to test their software in depth. This makes third-party risk very difficult to analyse and it remains a challenge for all organisations.
Securing the software supply chain depends on how strong an organisation’s security practices are. Some organisations choose not to use open source software to minimise the risk arising from it. Others manually vet the third-party risk, where software vendors and partners are solicited to provide reports that validate their security practices.
With preventive security in mind, organisations must conduct proper due diligence including scanning and assessing code and applications as often and as thoroughly as is feasible. If software vendors don’t permit a complete audit, they must review the state of the security program around third-party-built applications or code bases. And, on the more reactive side of dealing with risks, organisations must also have strong incident response teams that can quickly contain and mitigate backdoors once it’s been detected. These processes can help organisations minimise the overall damage from these types of attacks once they’re detected.
Known backdoors are easily detected by security tools that can test the code but the challenge lies in uncovering unknown vulnerabilities and backdoors introduced into code libraries. Often, these are only noticed once they’re activated and other networks and user events are triggered within the IT environment. This makes preventive security a challenging prospect against such attacks. It requires organisations to quickly detect anomalous behaviour and mitigate it to contain the attack before it leads to widespread data and service loss.
The XZ-Utils incident merely serves as a reminder that supply chain attacks are a major security threat and organisations must pay attention to securing their supply chains or risk being at the receiving end of an attack.
