Supply Chain Attacks – Week 6

Canonical, the company behind Ubuntu, has announced that it is temporarily suspending automatic registrations in the Snap Store. I often come across Linux-focused blog posts on the Internet, about deploying PiHole, hardening PiHole with Cloudflare’s DNS-over-HTTPS resolver or an unbound instance, and so on, and I keep seeing the term “snaps.” I’ve seen Docker container images built with snaps installed, and I don’t understand why. As best I can tell, snaps are sandboxed application packages distributed through an app store (the Snap Store), and snapd (the snap daemon/service) refreshes them automatically when a new revision is published upstream.

Now, many of us have heard of supply chain attacks in which Google (in the Play Store), Apple (in the App Store), or Canonical (in the Snap Store) had to remove a malicious package or app. Even Python’s package index, PyPI, has been hit by malicious actors uploading packages.

Supply Chain Attacks

CrowdStrike does a good job explaining:

A supply chain attack is a type of cyberattack that targets a trusted third-party vendor who offers services or software vital to the supply chain.

Software supply chain attacks inject malicious code into an application in order to infect all users of an app, while hardware supply chain attacks compromise physical components for the same purpose.

CrowdStrike: What Is a Supply Chain Attack?

The examples above, in my links, are software supply chain attacks, targeting PyPI, the Play Store, the App Store, and so on. Although the example CrowdStrike gives is the SolarWinds supply chain attack, the category is not exclusively software. There are reported instances of hardware supply chain attacks, namely the Bloomberg report alleging that Supermicro server boards had been implanted by Chinese intelligence (a report that Supermicro, Apple and Amazon publicly denied).

Conclusion

Aside from awareness, and keeping up with disclosures from app stores and other dependency sources, users are generally the least able to mitigate these attacks; often it is users who report a product’s malicious behaviour to the app store in the first place. If you are a developer (a maker of software products), you will have dependencies, and it pays to stay vigilant about what you are pulling into your software: pin exact versions, verify checksums or signatures where the ecosystem offers them, and review a new dependency before adding it.
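As a concrete illustration of that vigilance for the PyPI case mentioned above, here is an added example (my own code, not something from the original post or from pip) that lints a requirements file for entries that are not pinned to an exact version and a SHA-256 hash, and then checks a downloaded artifact against its pinned hash, which is the comparison pip makes in `--require-hashes` mode. The requirements text and the artifact bytes are constructed for the example; the hash is computed from those constructed bytes rather than taken from any real package.

```python
"""Added example, not part of the original post: dependency-pinning lint and
artifact verification for a pip requirements file.  All inputs below are
constructed for the example."""
import hashlib
import re

# Constructed stand-in for a downloaded wheel; not a real package.
SAMPLE_ARTIFACT = b"PK\x03\x04 constructed example-1.0.0-py3-none-any.whl contents"
SAMPLE_ARTIFACT_SHA256 = hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()

# Constructed requirements file in the shape pip's hash-checking mode
# (`pip install --require-hashes -r requirements.txt`) expects.
SAMPLE_REQUIREMENTS = f"""\
# good: exact version plus a hash the installer must match
example==1.0.0 --hash=sha256:{SAMPLE_ARTIFACT_SHA256}
# bad: any future release, including a hijacked one, would be installed
pyyaml
# bad: pinned, but a replaced artifact with the same version would pass
urllib3==2.0.7
"""

# Project name, optional version specifier (PEP 440 operators), rest ignored.
REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"(?:\s*(?P<op>===|==|~=|>=|<=|!=|>|<)\s*(?P<version>[^\s;]+))?"
)
HASH_RE = re.compile(r"--hash=sha256:(?P<hex>[0-9a-fA-F]{64})")


def parse_requirement(line: str):
    """Return (name, operator, version, sha256 hashes) for one line,
    or None for blank lines and comments."""
    stripped = line.split("#", 1)[0].strip()
    if not stripped:
        return None
    m = REQ_RE.match(stripped)
    if not m:
        raise ValueError(f"unparseable requirement: {line!r}")
    hashes = {h.lower() for h in HASH_RE.findall(stripped)}
    return m.group("name").lower(), m.group("op"), m.group("version"), hashes


def lint_requirements(text: str):
    """Return (name, problem) pairs for entries a supply-chain-conscious
    reviewer would send back before merging."""
    problems = []
    for line in text.splitlines():
        parsed = parse_requirement(line)
        if parsed is None:
            continue
        name, op, version, hashes = parsed
        if op != "==" or version is None:
            problems.append((name, "not pinned to an exact version"))
        if not hashes:
            problems.append((name, "no --hash=sha256 pin"))
    return problems


def verify_artifact(data: bytes, allowed_sha256: set) -> bool:
    """True only if the artifact's SHA-256 is one of the pinned hashes."""
    return hashlib.sha256(data).hexdigest() in allowed_sha256


if __name__ == "__main__":
    for name, problem in lint_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name}: {problem}")
    pinned = {SAMPLE_ARTIFACT_SHA256}
    print("artifact ok:", verify_artifact(SAMPLE_ARTIFACT, pinned))
    tampered = SAMPLE_ARTIFACT + b"\n# injected payload"
    print("tampered ok:", verify_artifact(tampered, pinned))
```

The lint is deliberately strict: a version range, or an exact pin without a hash, both mean the installer will accept whatever the index serves under that name, which is exactly the window a hijacked or typosquatted package exploits. Hash pins close it for the artifact, though they do nothing about the pinned version itself having been malicious when it was published, so review still matters.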

I hope this blog post helped raise awareness of this attack vector. The real tragedy is that malicious actors seem to be getting better, and certainly more prolific, in their attempts. So, uh, yeah – keep an ear out for security news, try to sanitize your environments (when you can), and pass along news of this attack type when you can.