Newly Discovered Trojan Source Threatens Global Software Security

Etek International Corporation warned today of a new global-scale cyber threat that can affect any organization or user if updates and security improvements are not made in a timely manner. The flaw was discovered by a group of researchers at the University of Cambridge, who named it 'Trojan Source'. Despite the name, it is not a Trojan horse program: it is an attack technique that exploits the gap between what code compilers and interpreters (the programs that turn source code written by humans into something a machine can run) read and what editors and code review tools display to the humans reviewing that code.

The researchers discovered a new technique for injecting potentially malicious source code: human reviewers see a harmless version, while compilers see the hidden malicious one.

According to the researchers, the compilers and interpreters of almost all widely used languages, from C and C++ to Python and Java, share a weakness that, when properly exploited, allows source code to be hijacked for malicious purposes in a way that is invisible to a reviewer. To achieve this, attackers inject bidirectional control characters (also known as BiDi characters) into source code comments and string literals, where the compiler treats them as inert text, without the developers noticing.

In addition, the researchers found that most compilers and code editors have no rules for handling BiDi characters or for signalling their presence in source code comments.

Almost all source code compilers are affected by a new attack that injects malicious code into software in a way the human eye cannot detect.

Recall that Unicode, the standard that defines characters and extends compatibility with existing symbols, covers more than 143,000 characters across 154 scripts, including non-script characters such as emoji.

“A Trojan Source-based attack can compromise all source code, posing an immediate threat to both original software and supply chain compromise across industries,” said Nicholas Boucher of the University of Cambridge.

Mitigation & Remediation

Organizations must take immediate measures to reduce risk and establish robust defenses to secure their digital assets, infrastructure, and business-critical data, including applications and software.

The first recommendation for mitigating this flaw is to watch for security updates from the official compiler vendors and install the appropriate patches. It is also worth checking the University of Cambridge's Trojansource.codes website regularly for details on updates, techniques, and newly discovered variants.

“While we wait for patches to be released for most existing compilers on the market, we can stop the bad practice of copying and pasting source code because it can come injected with malware,” said Luis Alejandro Ruiz, Services Governance Leader, Etek International Corporation. “It's always better to rewrite it yourself, use text editors to display Unicode, or paste the code into a hex editor first to verify it thoroughly.”
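As an added illustration of the technique described above (BiDi characters hidden in comments and string literals that compilers accept without complaint) and of the hex-editor check Luis Alejandro Ruiz recommends, the following Python script scans source text for the twelve Unicode Bidi_Control characters, reports which token each one lands in, and confirms that CPython compiles the sample unchanged. It was written for this page and is not code from the Cambridge researchers, Etek, or any compiler project; the sample source, including its `is_admin` function, is constructed for the demonstration.

```python
import io
import tokenize
import unicodedata

# The twelve code points with the Unicode property Bidi_Control=Yes. These are
# the characters a Trojan Source payload uses to make rendered text differ from
# the logical order the compiler reads.
BIDI_CONTROLS = frozenset(
    "\u061c\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"
)


def find_bidi_controls(source):
    """Return (line, column, 'U+XXXX', name) for every Bidi_Control character.

    Lines are 1-based and columns 0-based, matching the tokenize module.
    """
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line):
            if ch in BIDI_CONTROLS:
                hits.append((line_no, col, f"U+{ord(ch):04X}", unicodedata.name(ch)))
    return hits


def classify_bidi_controls(source):
    """Say which Python token each control character lands in.

    A Trojan Source payload only survives compilation inside a COMMENT or a
    STRING token, where the tokenizer treats the characters as inert data.
    Returns a list of (line, column, token_type_name) in source order.
    """
    positions = sorted((ln, col) for ln, col, _, _ in find_bidi_controls(source))
    results = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        for pos in positions:
            if tok.start <= pos < tok.end:
                results.append((pos[0], pos[1], tokenize.tok_name[tok.type]))
    return results


def compiles_cleanly(source):
    """True if CPython accepts the source as-is: the interpreter raises no
    error about the hidden characters, which is what the attack relies on."""
    try:
        compile(source, "<sample>", "exec")
    except SyntaxError:
        return False
    return True


def hex_view(source, line_no):
    """The hex-editor view of one line, the check a reviewer can fall back on."""
    return source.splitlines()[line_no - 1].encode("utf-8").hex(" ")


# Constructed sample input, not code taken from any real project. Line 2 hides a
# RIGHT-TO-LEFT OVERRIDE (U+202E) in a comment; line 3 hides a LEFT-TO-RIGHT
# ISOLATE (U+2066) and a POP DIRECTIONAL ISOLATE (U+2069) inside a string
# literal, so the visible code reads level == 'admin' while the interpreter
# compares against a different string.
SAMPLE = (
    "def is_admin(level):\n"
    "    # sanity check \u202e follows\n"
    "    return level == 'admin\u2066\u2069'\n"
)


def run_sample():
    """Execute the sample and call its is_admin with the visible value 'admin'.

    Returns False: the literal the interpreter compiled is not the 'admin' a
    reviewer sees on screen.
    """
    namespace = {}
    exec(compile(SAMPLE, "<sample>", "exec"), namespace)
    return namespace["is_admin"]("admin")


if __name__ == "__main__":
    print("compiles without error:", compiles_cleanly(SAMPLE))
    print("is_admin('admin') as compiled:", run_sample())
    for (ln, col, cp, name), (_, _, token) in zip(
        find_bidi_controls(SAMPLE), classify_bidi_controls(SAMPLE)
    ):
        print(f"line {ln} col {col}: {cp} {name} inside {token}")
        print("    hex:", hex_view(SAMPLE, ln))
```

Run as a pre-commit hook or CI step over every text file in a repository, the scanner flags exactly the characters this attack depends on; legitimate right-to-left text in comments will also produce hits, so treat the output as review findings to inspect rather than an automatic reject.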

Containing the attack is not enough; organizations must also establish a clear plan for the steps to be taken, with both financial obligations and regulatory compliance in mind. Finally, it is recommended to develop security policies, contingency plans, user awareness campaigns, and assessments of potential threats.

Etek has more than 25 years of experience in customized and innovative cybersecurity solutions recognized worldwide. In addition, Etek has built a foundation of knowledge and best practices through more than 15 years of experience as an MSS with more than 110 specialists, multiple certifications, and more than 300 customers in different industries. It also supports an infrastructure of more than $88 million / hour in banking transactions, more than 240,000 banking operations/hour, and 75% mobile access for 50 million people. For more information, visit www.etek.com.


Cognitive Business News