Software Supply Chain Attacks – Cyber Defense Magazine

In today’s rapidly evolving business landscape, software supply chain attacks are becoming increasingly common—and more sophisticated. The XZ backdoor attack, though largely contained, served as a stark reminder that the software supply chain remains one of the most vulnerable points in an organization’s cybersecurity defenses.

While much of the focus following XZ has been on the immediate response and patch management, it’s critical to look at a broader, longer-term solution: how organizations can better secure their third-party software integrations and establish robust risk management strategies moving forward. Given the sheer volume of open-source software dependencies, third-party APIs, and integrations that form the backbone of modern infrastructure, it’s no longer enough to react to incidents as they arise. We must shift to proactive and continuous protection models to address the risks posed by third-party software. For example, by building security in from the start, we can identify vulnerabilities early, strengthen vendor relationships, and reduce the likelihood of such supply chain attacks.

What is the “XZ Backdoor Attack”?

The XZ backdoor attack is a malicious supply chain attack that targeted an open-source compression library used in Linux systems. The XZ library, which is widely trusted for compressing and decompressing files, was compromised when threat actors inserted a backdoor into its source code. This backdoor allowed the attackers to secretly gain access to systems using the affected versions of the library (specifically versions 5.6.0 and 5.6.1), and potentially execute remote code, steal data, or maintain persistent access to systems without detection.

This type of attack is particularly insidious because it exploits the inherent trust placed in open-source software. Many organizations rely on these libraries without having the resources to audit the code themselves, which is why the XZ backdoor went unnoticed for so long.

Who was behind it?

While no specific group has claimed responsibility for the XZ attack, it fits within a broader pattern of supply chain attacks frequently attributed to advanced persistent threat (APT) groups, particularly China’s APT41 and Russia’s APT29 (Cozy Bear). These state-sponsored actors are known for their sophisticated tactics, techniques, and procedures (TTPs) aimed at infiltrating widely-used software components.

Their TTPs typically involve:

• Compromising trusted software updates or libraries: Much like the XZ backdoor, these groups infiltrate legitimate software components that are trusted and widely used, embedding malicious code that can spread across multiple systems without detection.
• Exploiting supply chain weaknesses: APT41 and APT29 often target third-party software vendors with less stringent security, using them as entry points into more secure environments.
• Long-term persistence: These actors excel at maintaining stealthy, long-term access to systems, giving them the ability to collect intelligence or launch attacks over an extended period.

The level of sophistication and the strategic targeting of critical software libraries, combined with these TTPs, suggest that the XZ attack was likely the work of a highly-resourced state-sponsored group, making APT41 and APT29 strong suspects.

Victims and Impact:

Who was affected? While the full scope of the XZ backdoor attack remains unclear, several notable Linux distributions were affected by the compromised versions of the XZ Utils library (versions 5.6.0 and 5.6.1). The attack specifically targeted systems running these versions, putting them at risk of remote code execution and data compromise.

Some of the affected distributions include:

• Fedora Rawhide and Fedora Linux 40 Beta: These development versions of Fedora were found to be using the compromised XZ Utils versions.
• openSUSE Tumbleweed and MicroOS: These distributions were also confirmed to have included the backdoored library, leading to a vulnerability window until updates were applied.
• Kali Linux: Users who updated their installations between March 26th and 29th, 2024, were impacted by the attack.
• Arch Linux: Certain versions of Arch Linux were found to have incorporated the affected XZ libraries, making them susceptible as well.

Most of the affected Linux vendors, such as Fedora, openSUSE, and Kali Linux, have taken swift steps to advise users to update their systems, patch the vulnerable versions of the XZ library, and provided guidance to check for potential security breaches. While the stable versions of many major Linux distributions, such as Red Hat Enterprise Linux (RHEL) and Ubuntu, were not affected, the presence of these backdoored packages in widely-used development versions like Fedora and openSUSE underscores the potential for widespread impact if vulnerabilities remain undetected in supply chains.

The Risks of Third-Party Integrations: Lessons from XZ

The XZ backdoor attack highlighted the real-world risks of relying on third-party software vendors and open-source components. Organizations often use dozens, if not hundreds, of third-party libraries and tools, most of which they do not control directly. The attack on XZ exploited a vulnerability that was years in the making, but the implications go far beyond that single incident.

What makes this issue particularly troubling is that many organizations lack visibility into the code that forms the foundation of their business-critical applications. Worse, some companies may not even realize how many third-party integrations are embedded in their systems. The reliance on third-party vendors, open-source projects, and outside APIs means that your software is only as secure as the weakest link in your supply chain.

Proactive Strategies for Securing Third-Party Software

“’Building Security In’ applies to both software development and to third-party or open-source software selection” said John Pescatore, former SANS Director or Emerging Security Trends. “Having vendor risk assessment be a highly weighted evaluation criteria in all software procurements or open-source selections and maintain an accurate software inventory are foundation elements to reducing the risk of supply chain attacks succeeding.”

In the aftermath of XZ, organizations are paying more attention to software supply chain security, but awareness alone isn’t enough. To effectively protect against future attacks, businesses must adopt proactive strategies that ensure third-party integrations are secure from the outset and remain secure over time. Here are some actionable steps organizations can take:

1. Perform Rigorous Vendor Risk Assessments

Before integrating third-party software, it’s essential to thoroughly vet your vendors. This includes reviewing their security policies, incident response plans, and historical vulnerability disclosures. Organizations should ask tough questions about the security practices in place to ensure that their vendors are managing their own supply chains responsibly. One important aspect of that is to make vendor security a highly rated evaluation criteria for all software procurements or selection of open-source software.

2. Enforce Strong Security Contracts and SLAs

Security should be baked into every contract and Service Level Agreement (SLA) with a third-party vendor. Organizations must define clear expectations for security standards, patch management timelines, and incident reporting requirements. This ensures that both parties are aligned on the importance of supply chain security.

3. Maintain an Accurate Software Inventory

Securing your software supply chain begins with knowing exactly what software you are using. An up-to-date, accurate inventory allows organizations to track and manage all software assets, including third-party and open source components. This visibility is essential for identifying potential vulnerabilities, ensuring timely updates, and proactively addressing security risks throughout the software lifecycle.

4. Implement Real-Time Monitoring and Threat Intelligence

It’s no longer enough to perform periodic checks on third-party components. Organizations must employ real-time monitoring and threat intelligence solutions that provide continuous visibility into their software supply chains. By keeping tabs on third-party software at all times, companies can identify emerging vulnerabilities and act swiftly to mitigate risks.

5. Adopt a Zero-Trust Approach to Third-Party Access

Third-party software should never be blindly trusted. Organizations should implement Zero-Trust principles to minimize the risk of an attack spreading across their infrastructure. This means enforcing least-privilege access for all third-party applications and continuously verifying every action taken by these systems.

6. Strengthen API Security

As mobile apps and SaaS tools become more integral to business operations, securing APIs is critical to protecting sensitive data and preventing supply chain attacks. Best practices include encrypting API traffic, limiting API key access, and continuously monitoring API usage to detect suspicious behavior.

Learning from XZ: Moving from Reactive to Proactive

In the post-XZ era, it’s clear that waiting for an attack to happen is no longer an option. While the XZ backdoor attack was a wake-up call, it also underscored the importance of moving from a reactive security posture to a proactive one. Organizations must take control of their supply chains and apply continuous security measures, ensuring that third-party software is secure from the moment it’s integrated.

A key takeaway from XZ is that simply relying on third-party vendors to secure their own products is not enough. Organizations must take ownership of their entire software stack, regardless of whether it was developed in-house or by an external partner. By implementing strong third-party risk management practices and adopting real-time monitoring solutions, companies can reduce the likelihood of future incidents and ensure that their business operations remain resilient in the face of evolving cyber threats.

The Path Forward: Strengthening Supply Chain Security

As software supply chains grow in complexity, the risks of third-party integrations will only increase. However, by applying the right tools and strategies, organizations can protect themselves against the next XZ. Strengthening the security of third-party software requires a holistic approach that includes thorough risk assessments, continuous monitoring, and proactive vendor management.

By learning from the XZ backdoor attack and focusing on securing their third-party integrations, organizations can reduce their attack surface and ensure that their software remains resilient against future threats.

About the Author

Michelle Buckner is an Information Security Professional specializing in Web Application and Network Security Risk Management with a strong focus on data privacy and compliance. A CISSP and CISM, she has worked at companies like Cisco, Symantec, and several startups. Michelle’s passion for Open Source and privacy began with her work on early Linux integration projects at Sendmail and continues today as a regular writer for Open Source publications like opensource.net. She writes about cybersecurity best practices, privacy concerns, and the evolving landscape of technology and security.

Michelle can be reached on LinkedIn https://www.linkedin.com/in/michellebuckner/.