Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Software Supply Chain. Show all posts

From Vulnerabilities to Vigilance: Addressing Software Supply Chain Attacks

 


Cybersecurity experts have long been concerned about the possibility of supply chain attacks mainly due to the chain reaction that can be triggered by just one attack on one supplier, which can lead to a compromise of the entire supply chain. 

Approximately 62% of the attacks carried out by attackers are done using malware as an attack technique. Cybersecurity professionals are probably better aware of malware than the average person who is not familiar with it. Malware is known worldwide due to the success of the program, which has thus made it a universal and ever-evolving threat to computer systems, networks, and organizations. 

It is estimated that around 150,000 new variants of malware were discovered in 2019 by experts. It is estimated that by 2020, this number will have increased to 270,000. Security teams need to stay up-to-date on the latest ways to prevent malware attacks within their organizations because the threat posed by malware grows every year.  

In the wake of the global pandemic, which disrupted many traditional business methods, the workforce became more dispersed. It relocated far from the traditional secure enterprise environments in which they would normally conduct business. 

As a result of a large and increasingly vulnerable attack surface that hackers have taken advantage of during this period of upheaval, they have launched a record number of software supply chain and ransomware attacks to take advantage of the opportunity. As a result of several recent attacks on supply chain companies (SolarWinds and Kaseya; Colonial Pipeline, NBA, and Kia Motors for ransomware), these companies have suffered significantly. 

It is estimated that the number of supply chain attacks will increase by four in 2021 in comparison to what it was in 2020, according to the European Union Agency for Cybersecurity (ENISA). According to research conducted by ENISA, 66% of attacks target the code of the target to steal information. 

What is a supply chain attack?

Supply chains are all the resources put together in a system that allows a product to be designed, manufactured, and distributed. A cybersecurity supply chain consists of hardware, software, and distribution mechanisms that can store and distribute data on a cloud or local system. 

Attacks targeting supply chains are a method of infiltrating a company's infrastructure, especially through third-party suppliers who can access sensitive data, which is becoming an increasingly common type of cyberattack. 

People mainly target software developers, service providers and technology providers. As a result of the above attacks, malicious actors have gained access to source code, development processes, or update mechanisms, to distribute malware to legitimate programs to spread their malicious code.  

A supply chain attack is one of the most effective methods of introducing malicious software into a target organization, especially if the business is large. A supplier or manufacturer's relationship with a customer is shaky, which is why supply chain attacks often rely on the trust between them and their customers.

 It is difficult to envisage how a cyberattack on a software supply chain would work but in general, it is a cyberattack that targets the software and service providers within the digital supply chain of an organization. 

These attacks are primarily designed to breach the security of target organizations by exploiting vulnerabilities or suppliers' systems to gain access to the data within them. An attack in this manner may damage an organization's reputation, as the attacker may be able to access sensitive data and resources, disrupt operations, or damage an organization's operations. 

Attackers exploit a wide variety of vulnerabilities during supply chain incidents, and exploitation methods that attackers use during these attacks come in a wide variety of forms. Trying to protect your business from supply chain threats is becoming increasingly difficult since supply chains can vary greatly from one industry to the next, and you must understand the most common attack paths you may identify and then deploy a multifaceted defence to combat them. 

Supply chain exploits are a serious problem because they have a variety of causes, including a range of vulnerabilities. In the first place, there does not appear to be any unified governance model that can consolidate all stakeholders in one place: developers, end users, customers, and senior management. 

It is common for software supply chain attacks to be caused by a weakness in one of the pipelines, services, applications, or software components that form the backbone of the software supply chain. Attacks targeting supply chains are unique in the sense that they typically begin with vulnerabilities found in third-party software, as opposed to your company's applications or resources that are vulnerable. 

Cyber threats are constantly evolving, so it is important to keep up to date. A policymaking system that can support policymakers and practitioners in gathering up-to-date and accurate information about the current threat landscape is essential, both for policymakers and practitioners. 

ENISA Threat Landscape is published annually in response to the need to provide a comprehensive overview of the threat landscapes around the world. According to these reports, based on publically available information, threats provide an independent evaluation of threats, threats agents, trends, and attack vectors as over the last nine months. 

To interact with the broad range of stakeholders, ENISA established an Ad-Hoc Working Group on Cyber Threat Landscapes to receive advice on methods for drawing cyber threat landscapes, including ENISA's annual Threat Landscape, and to design, update, and review the approach required to do so.  

Among the range fifth-generation, the agency analyses are artificial intelligence and fifth-generation networks, which are recent threats landscapes that the agency has been investigating. This report is aimed at identifying the nature of supply chain attacks that are taking place and to examine the possible countermeasures which can be taken to counter them. ENISA published this report in 2012 (and updated it in 2015) which looks at the possible countermeasures to these attacks.

The PoweRAT Malware Attacks PyPI Users

 

The software supply chain security company Phylum has discovered a malicious assault using the PoweRAT backdoor and an information thief that targets users of the Python Package Index (PyPI). The campaign was initially discovered on December 22, 2022, when PyroLogin, a malicious Python programme made to retrieve code from a remote server and silently execute it, was discovered.

The EasyTimeStamp, Discorder, Discord-dev, Style.py, and PythonStyles packages all had code that was comparable to PyroLogin, and they were all released to PyPI between December 28 and December 31.

The infection chain starts with a setup.py file, which means that the malware is automatically deployed if the malicious packages are installed using Pip. The infection chain involves the execution of numerous scripts and the exploitation of legitimate operating system features.

The execution process was examined by Phylum, who found attempts to avoid static analysis and the usage of obfuscation. While the malicious code is being performed in the background, a message indicating that "dependencies" are being installed is displayed in order to avoid raising the suspicion of the victims.

The infection chain also involves the setup of numerous potentially harmful programs, the placement of malicious code into the Windows starting folder for persistence, and libraries that let the attackers manipulate, monitor, and record mouse and keyboard input.

Once the virus is installed on the victim's computer, it gives the attackers access to sensitive data such as browser cookies and passwords, digital currency wallets, Discord tokens, and Telegram data. A ZIP archive containing the collected data is exfiltrated.

Additionally, the malware tries to download and install Cloudflare. This Cloudflare command-line tunnel client enables attackers to access a Flask app on the victim's machine without changing the firewall, on the victim's computer.

Using the Flask app as a command-and-control (C&C) client, the attackers can run shell commands, download and execute remote files, and even execute arbitrary Python code in addition to extracting information like usernames, IP addresses, and machine specifics.

The malware, which combines the capabilities of an information thief and a remote access trojan (RAT), also has a feature that sends an ongoing stream of screenshots of the victim's screen to the attackers, enabling them to cause mouse clicks and button presses. Phylum named the malware PoweRAT instead of Xrat "because of its early reliance on PowerShell in the attack chain."

Phylum concludes, "This thing is like a RAT on steroids. It has all the basic RAT capabilities built into a nice web GUI with a rudimentary remote desktop capability and a stealer to boot! Even if the attacker fails to establish persistence or fails to get the remote desktop utility working, the stealer portion will still ship off whatever it found.” 

GitLab: Security and Governance Solutions Enhanced to Secure Software Supply Chain

 

GitLab has confirmed new security and compliance features and a number of enhancements in its platform to aid organizations to secure their software supply chain. 

A Global DevSecOps Survey by GitLab in 2022 found that security was amongst the highest priority investment areas for an organization, with 57% of security experts’ surveys indicating that their organizations have already shifted security left or plan to this year. 

GitLab has increased its focus on governance to help teams identify risks by offering visibility into their projects' dependencies, security findings, and user activities with increasing regulatory and compliance needs for the organization. 

The new enhancements on the other hand provide developers with tools that could scan any vulnerability and deploy controls in order to secure applications. Additionally, the developers have access to secure coding guidance involved in the GitLab platform. 

The new capabilities include security policy management, compliance management, events auditing, and vulnerability management. A dependency management capability to help developers track vulnerabilities in dependencies they are using will be available at a later date. Organizations will be able to automatically scan for vulnerabilities in source code, containers, dependencies, and applications in production, says Gitlab. 

These capabilities, along with a broad range of security testing capabilities such as static application security testing (SAST), secret detection, dynamic application security testing (DAST), API security, fuzz testing, dependency scanning, license compliance, and container scanning, aids the organization to acquire security and compliance of their software supply chain constantly, without giving in on speed and agility. 

In regards to the recent enhancement in the security and compliance features, VP of Product at GitLab David DeSanto says, “To stay competitive and propel digital transformation, organizations need to be great at developing, operating, and securing software. Security needs to be embedded in all stages of the software development lifecycle, not treated as an afterthought.” 

“Our enhanced security and governance capabilities make GitLab a comprehensive DevSecOps solution to help secure an organization’s software supply chain”, he continued.

NSA and CISA Share Tips to Secure the Software Supply Chain

Recently, the U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have published a 64 long pages document in which the institutions gave tips on securing the software supply chain. 

The guidelines are framed by the Enduring Security Framework (ESF)—a public-private partnership that works on intelligence-driven, shared cybersecurity challenges and addresses threats to U.S. critical infrastructure and national security systems—to serve as a collection of suggested practices for software developers. 

"Securing the Software Supply Chain for Developers was created to help developers achieve security through industry and government-evaluated recommendations," the Department of Defense's intelligence agency said. 

State-sponsored cyberattacks like the SolarWinds supply-chain attack and FireEye which led to exploitation of several US federal agencies, and took advantage of software vulnerabilities like Log4j brought the Enduring Security Framework into the course. 

Following the cyber threats, US President Biden signed an executive order in May 2021 to advance the country's mechanism against cyberattacks. Additionally, the Biden cabinet released a new Federal strategy against cyber threats in January, pushing its government to adopt a "zero trust" security model. Later, NSA and Microsoft recommended this approach in February 2021 for large enterprises and critical networks. 

“The developer holds a critical responsibility to the security of our software. As ESF examined the events that led up to the SolarWinds attack, it was clear that investment was needed in creating a set of best practices that focused on the needs of the software developer,” reads NSA’s statement. 

Following are some of the mitigation tips that have been recommended in the report: 

• Generate architecture and design documents
• Create threat models of the software product
• Gather a trained, qualified, and trustworthy development team
• Define and implement security test plans
• Establish product support and vulnerability handling policies and procedures
• Define release criteria and evaluate the product against it
• Document and publish the security procedures and processes for each software release
• Assess the developers’ capabilities and understanding of the secure development process and assign training

Furthermore, the report recommends that the supplier and developer management team should set policies and security-focused principles that ensure the growth and protection of the company’s infrastructure against cybercrimes.