Etek International Corporation warned today of a new global-scale cyber threat that can be fatal to all organizations and users if updates and security improvements are not made promptly. The flaw was discovered by a group of researchers at the University of Cambridge, who named it “Trojan Source.” The flaw affects code compilers, the programs that translate source code written by humans into instructions a machine can execute.
The researchers discovered a new technique for injecting potentially malicious source code; while human reviewers see a harmless version, compilers see the invisible malicious one.
Almost all source code compilers are vulnerable to a new hacking attack that injects malicious code into any software undetected by the human eye.
According to the researchers, almost all software compilers – from C++ to Python and Java – have a bug that, when properly exploited, allows them to be hijacked for malicious purposes in a way that is completely invisible to a human reader. To achieve this, attackers use bidirectional control characters (also known as BiDi characters) that are maliciously injected into source code comments without the developers noticing.
In addition, the researchers found that most compilers and code editors have no protocol for handling BiDi characters or for signaling their presence in source code comments.
Remember that Unicode, the standard that defines characters and extends compatibility with existing symbols, defines more than 143,000 characters in 154 different languages, including non-script characters such as emojis.
“A Trojan Source-based attack can compromise all source code, posing an immediate threat to both original software and supply chain compromise across industries,” said Nicholas Boucher of the University of Cambridge.
Mitigation & Remediation
Organizations must take immediate measures to reduce risk and establish robust defenses to secure their digital assets, infrastructure, and business-critical data, including applications and software.
The first recommendation to mitigate this flaw is to keep an eye on security updates from the official compiler projects and install the appropriate patches. It is also worth continually checking the University of Cambridge’s Trojansource.codes website for more details on updates, techniques, and variants discovered.
“While we wait for patches to be released for most existing compilers on the market, we can stop the bad practice of copying and pasting source code because it can come injected with malware,” said Luis Alejandro Ruiz, Services Governance Leader, Etek International Corporation. “It's always better to rewrite it yourself, use text editors to display Unicode, or paste the code into a hex editor first to verify it thoroughly.”
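As an added example (not code from Etek, the University of Cambridge researchers, or any compiler project), the following Python scanner performs the kind of check the mitigation advice above calls for: it flags every Unicode bidirectional control character in a source file with its line and column, and it rewrites each one as a visible <U+XXXX> token so a reviewer sees what the compiler sees. The list of code points, the constructed sample source, and the function names are assumptions of this example, not taken from the article.

```python
import sys
import unicodedata

# Unicode bidirectional control characters (the Bidi_Control property).
# Overrides, embeddings and isolates can change the display order of a line;
# terminators close them; marks are weaker hints but are reported as well.
# (Assumed list for this example; it is not taken from the article.)
BIDI_KIND = {
    "\u202d": "override", "\u202e": "override",
    "\u202a": "embedding", "\u202b": "embedding",
    "\u2066": "isolate", "\u2067": "isolate", "\u2068": "isolate",
    "\u202c": "terminator", "\u2069": "terminator",
    "\u061c": "mark", "\u200e": "mark", "\u200f": "mark",
}


def find_bidi_controls(source):
    """Return one finding per BiDi control character, with 1-based line/column.

    Lines are split on '\\n' only, so line numbers match what a compiler reports.
    """
    findings = []
    for line_no, line in enumerate(source.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_KIND:
                findings.append({
                    "line": line_no,
                    "col": col,
                    "codepoint": f"U+{ord(ch):04X}",
                    "name": unicodedata.name(ch),
                    "kind": BIDI_KIND[ch],
                })
    return findings


def make_visible(source):
    """Replace every BiDi control with a visible <U+XXXX> token for review."""
    return "".join(
        f"<U+{ord(ch):04X}>" if ch in BIDI_KIND else ch for ch in source
    )


def scan_file(path):
    """Scan one file on disk; undecodable bytes are replaced, not skipped."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_bidi_controls(fh.read())


# Constructed sample: ordinary-looking code whose comment carries three
# invisible controls (an override, an isolate and its terminator).
SAMPLE = (
    "def check(user):\n"
    "    # access control \u202e comment with an override \u2066 and isolate \u2069\n"
    "    return True\n"
)


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        # Usage: python bidi_scan.py file1.c file2.py ...
        for path in paths:
            for f in scan_file(path):
                print(f"{path}:{f['line']}:{f['col']}: {f['codepoint']} "
                      f"{f['name']} ({f['kind']})")
    else:
        for f in find_bidi_controls(SAMPLE):
            print(f"sample:{f['line']}:{f['col']}: {f['codepoint']} "
                  f"{f['name']} ({f['kind']})")
        print(make_visible(SAMPLE))
```

Run it with no arguments to see the three findings in the constructed sample and the same source with the controls rendered visibly; pass file paths to scan a checkout. A non-empty result from find_bidi_controls is a reason to inspect the file before it is merged or compiled, which is the practical form of the "display Unicode" advice in the quote above.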
Containing the attack is not enough; organizations must also establish a clear plan for the steps to be taken, with both financial obligations and regulatory compliance in mind. Finally, it is recommended to develop security policies, contingency plans, user awareness campaigns, and assessments of potential threats.