Mumbai: In 2017, news of the CCleaner and NetSarang supply chain attacks made global headlines. This prompted cybersecurity twins Noushin Shabab and Negar Shabab to dive deeper and uncover details about compromised software development environments.
Compromising a software development environment is not a new phenomenon. To understand how cyberattackers take advantage of software developers, the twins went back in time to study the history of compromised compilers.
In June 1974, the US Air Force conducted a security evaluation of the MULTICS OS. The report described an infected compiler, used to inject malicious code into OS modules during the compilation process. In 1983, during his Turing Award lecture, American computer science pioneer Ken Thompson described how he deliberately injected a piece of malware into a compiler that was capable of infecting programs during compilation.
Negar, who works as a security consultant specialising in implementing security in the entire life cycle of software, says, “It is essential for software vendors to be trusted by their users. However, despite their skill set, software developers still don’t practise basic cybersecurity hygiene, which impacts their software products. This may result in thousands of innocent victims.”
Fast forward to the present: the younger twin, Noushin, who is a Senior Security Researcher with Kaspersky ANZ, further investigated two well-known supply chain attacks: ShadowPad, targeting server management software, and ShadowHammer, infecting the gaming industry. In both cases, attackers had deployed compromised linker modules inside the software development environments.
The final payloads intended for end-user victims were also hidden on the developers' systems in one of two forms: a separate source code file or a malicious software library. With the help of the trojanised linker, malicious code was instantly linked with the original source code, and this resulted in trojanised software programs impacting a large number of user victims.
“Investigating and protecting against supply chain attacks is of utmost importance to us, security researchers. Failure in trust and integrity towards supply chains will ruin the reputation of well-respected and reputable software development companies,” says Noushin.
Here are 4 things programmers can do to protect their software development environment:
- Patch and update your software development environment in organised cycles
- Regularly check the integrity of the software development environment
- Examine your software modules after compilation and ensure nothing unwanted is added
- Install Kaspersky Endpoint For Business (KESB) to keep your business's sensitive data safe
Noushin and Negar’s research, titled A Poisonous Seed, was presented at the 2019 Security Analysis Summit (SAS) in Singapore.