Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Supply Chain. Show all posts

Ransomware Attack on Blue Yonder Disrupts Global Supply Chains

 

Blue Yonder, a leading supply chain software provider, recently experienced a ransomware attack that disrupted its private cloud services. The incident, which occurred on November 21, 2024, has affected operations for several high-profile clients, including major grocery chains in the UK and Fortune 500 companies. While the company’s Azure public cloud services remained unaffected, the breach significantly impacted its managed services environment. The attack led to immediate operational challenges for key customers. UK supermarket chains Morrisons and Sainsbury’s were among the most affected. 

Morrisons, which operates nearly 500 stores, reported delays in the flow of goods due to the outage. The retailer activated backup systems but acknowledged that its operations were still disrupted. Sainsbury’s similarly implemented contingency plans to address the situation and minimize the impact on its supply chain. In the United States, Blue Yonder serves prominent grocery retailers such as Kroger and Albertsons, though these companies have not confirmed whether their systems were directly affected. 

Other notable clients, including Procter & Gamble and Anheuser-Busch, also declined to comment on any disruptions they might have faced as a result of the attack. In response to the breach, Blue Yonder has enlisted the help of external cybersecurity firms to investigate the incident and implement stronger defenses. The company has initiated forensic protocols to safeguard its systems and prevent further breaches. While recovery efforts are reportedly making steady progress, Blue Yonder has not provided a timeline for full restoration. The company continues to emphasize its commitment to transparency and security as it works to resolve the issue. 

This attack highlights the growing risks faced by supply chain companies in an era of increasing cyber threats. Disruptions like these can have widespread consequences, affecting both businesses and consumers. A recent survey revealed that 62% of organizations experienced ransomware attacks originating from software supply chain vulnerabilities within the past year. Such findings underscore the critical importance of implementing robust cybersecurity measures to protect against similar incidents. 

As Blue Yonder continues its recovery efforts, the incident serves as a reminder of the potential vulnerabilities in supply chain operations. For affected businesses, the focus remains on mitigating disruptions and ensuring continuity, while industry stakeholders are left grappling with the broader implications of this growing threat.

Energy Sector Faces Heightened Supply Chain Risks Amid Growing Dependence on IT and Software Vendors

 

The energy industry is experiencing a sharp increase in supply chain risks, largely driven by its growing reliance on external vendors. According to a recent report, two-thirds of security breaches in this sector now originate from software and IT vendors.

The study, conducted by SecurityScorecard and KPMG, titled "A Quantitative Analysis of Cyber Risks in the U.S. Energy Supply Chain," draws attention to frequent threats, including ransomware attacks targeting traditional IT systems.

Researchers have emphasized that as the transition to cleaner energy picks up pace, and as the grid becomes more interconnected and software-reliant, vulnerabilities in the energy sector are expected to increase.

Ryan Sherstobitoff, senior vice president of threat research and intelligence at SecurityScorecard, stated, “The energy sector's rising dependence on third-party vendors exposes a significant vulnerability—its security is only as robust as its weakest link."

He added that this growing reliance on external vendors introduces considerable risks, urging the industry to strengthen cybersecurity defenses before a breach escalates into a national crisis.

The report highlighted that third-party risks account for nearly half of all breaches in the energy sector—significantly higher than the global average of 29%. Over 90% of organizations that experienced multiple breaches were attacked through third-party vendors.

Additionally, the report found that software and IT vendors were responsible for 67% of third-party breaches, while only a small number were linked to other energy companies. A notable portion of these incidents stemmed from the MOVEit file transfer software vulnerability, which was exploited by the Clop ransomware group last year.

The report also pointed out application security, DNS health, and network security as some of the most significant weaknesses in the sector.

The findings come at a time when the U.S. Department of Energy is convening with energy sector leaders to promote the Supply Chain Cybersecurity Principles, urging companies to focus on reducing risks posed by software and IT vendors, which represent the highest third-party threats.

As part of this effort, energy operators are encouraged to ensure new technology purchases are secure by incorporating initiatives like CISA’s "Secure by Design" and following the Department of Energy’s Supply Chain Cybersecurity Principles. The industry must also bolster security programs to defend against supply chain risks and geopolitical threats, especially from nation-state actors, and analyze ransomware attacks affecting foreign counterparts to improve resilience.

“The energy sector is a complex system undergoing a significant generational shift, heavily reliant on a stable supply chain," said Prasanna Govindankutty, KPMG's principal and cybersecurity leader for the U.S. sector.

He further explained that with rising geopolitical and technology-based threats, the industry is facing a level of risk exposure that could negatively impact both businesses and citizens. Organizations that can quantify these risks and implement mitigation strategies will be better equipped to navigate the energy transition.

Cyberattacks on Critical Infrastructure: A Growing Threat to Global Security

 

During World War II, the U.S. Army Air Forces launched two attacks on ball bearing factories in Schweinfurt, aiming to disrupt Germany’s ability to produce machinery for war. The belief was that halting production would significantly affect Germany’s capacity to manufacture various war machines.

This approach has a modern parallel in the cybersecurity world. A cyberattack on a single industry can ripple across multiple sectors. For instance, the Colonial Pipeline attack affected American Airlines operations at Charlotte Douglas Airport. Similarly, the Russian NotPetya attack against Ukraine spilled onto the internet, impacting supply chains globally.

At the 2023 S4 Conference, Josh Corman discussed the potential for cascading failures due to cyberattacks. The creation of the Cybersecurity and Infrastructure Security Agency’s National Critical Functions was driven by the need to coordinate cybersecurity efforts across various critical sectors. Corman highlighted how the healthcare sector depends on several infrastructure sectors, such as water, energy, and transportation, to provide patient care.

The question arises: what if a cyber incident affected multiple segments of the economy at once? The consequences could be devastating.

What makes this more concerning is that it's not a new issue. The SQL Slammer virus, which appeared over two decades ago, compromised an estimated one in every 1,000 computers globally. Unlike the recent CrowdStrike bug, Slammer was an intentional exploit that remained unpatched for over six months. Despite differences between the events, both show that software vulnerabilities can be exploited, regardless of intent.

Digital technology now underpins everything from cars to medical devices. However, as technology becomes more integrated into daily life, it brings new risks. Research from Claroty’s Team82 reveals that insecure code and misconfigurations exist in software that controls physical systems, posing potential threats to national security, public safety, and economic stability.

Although the CrowdStrike incident was disruptive, businesses and governments must reflect on the event to prevent larger, more severe cyber incidents in the future.

Cyber-Physical Systems: A Shifting Threat Landscape

Nearly every facility, from water treatment plants to hospitals, relies on digital systems known as cyber-physical systems (CPS) to function. These systems manage critical tasks, but they also introduce vulnerabilities. Today, billions of tiny computers are embedded in systems across all industries, offering great benefits but also exposing the soft underbelly of society to cyber threats.

The Stuxnet malware attack in 2014, which disrupted Iran's nuclear program, was the first major cyber assault on CPS. Since then, there have been several incidents, including the 2016 Russian Industroyer malware attack that disrupted part of Ukraine’s power grid, and the 2020 Iranian attempt to attack Israeli water utilities. Most recently, Chinese hackers have targeted U.S. critical infrastructure.

These incidents highlight how cybercriminals and nation states exploit vulnerabilities in critical infrastructure to understand weaknesses and the potential impact on security. China, for example, has expanded its objectives from espionage to compromising U.S. infrastructure to weaken its defense capabilities in case of a conflict.

The CrowdStrike Bug and Broader Implications

The CrowdStrike bug wasn’t a malicious attack but rather a mistake tied to a gap in quality assurance. Still, the incident serves as a reminder that our dependence on digital systems has grown significantly. Failures in cyber-physical systems—whether in oil pipelines, manufacturing plants, or hospitals—can have dangerous physical consequences.

Although attacks on CPS are relatively rare, many of these systems still rely on outdated technology, including Windows operating systems, which account for over 25% of vulnerabilities in the CISA Known Exploited Vulnerabilities Catalog. Coupled with long periods of technological obsolescence, these vulnerabilities pose significant risks.

What would happen if a nation-state deliberately targeted CPS in critical infrastructure? The potential consequences could be far worse than the CrowdStrike bug.

Addressing the vulnerabilities in CPS will take time, but there are several steps that can be taken immediately:

  • Operationalize compensating controls: Organizations must inventory assets and implement network segmentation and secure access to protect vulnerable systems.
  • Expand secure-by-design principles: CISA has emphasized the need to focus on secure-by-design in CPS, particularly for medical devices and automation systems.
  • Adopt secure-by-demand programs: Organizations should ask the right questions of software vendors during procurement to ensure higher security standards.
Although CPS drive innovation, they also introduce new risks. A failure in one link of the global supply chain could cascade across industries, disrupting critical services. The CrowdStrike bug wasn’t a malicious attack, but it underscores the fragility of modern infrastructure and the need for vigilance to prevent future incidents

Safeguarding Your Digital Future: Navigating Cybersecurity Challenges

 

In the ever-expanding realm of technology, the omnipresence of cybercrime casts an increasingly ominous shadow. What was once relegated to the realms of imagination has become a stark reality for countless individuals and businesses worldwide. Cyber threats, evolving in sophistication and audacity, have permeated every facet of our digital existence. From cunning phishing scams impersonating trusted contacts to the debilitating effects of ransomware attacks paralyzing entire supply chains, the ramifications of cybercrime reverberate far and wide, leaving destruction and chaos in their wake. 

Perhaps one of the most alarming developments in this digital arms race is the nefarious weaponization of artificial intelligence (AI). With the advent of AI-powered attacks, malevolent actors can orchestrate campaigns of unparalleled scale and complexity. Automated processes streamline malicious activities, while the generation of deceptive content presents a formidable challenge even to the most vigilant defenders. As adversaries leverage the formidable capabilities of AI to exploit vulnerabilities and circumvent traditional security measures, the imperative for proactive cybersecurity measures becomes ever more pressing. 

In this rapidly evolving digital landscape, the adoption of robust cybersecurity measures is not merely advisable; it is indispensable. The paradigm has shifted from reactive defense mechanisms to proactive strategies aimed at cultivating a culture of awareness and preparedness. Comprehensive training and continuous education serve as the cornerstones of effective cybersecurity, empowering individuals and organizations to anticipate and counter emerging threats before they manifest. 

For businesses, the implementation of regular security training programs is essential, complemented by a nuanced understanding of AI's role in cybersecurity. By remaining abreast of the latest developments and adopting proactive measures, organizations can erect formidable barriers against malicious incursions, safeguarding their digital assets and preserving business continuity. Similarly, individuals can play a pivotal role in fortifying our collective cybersecurity posture through adherence to basic cybersecurity practices. 

From practicing stringent password hygiene to exercising discretion when sharing sensitive information online, every individual action contributes to the resilience of the digital ecosystem. However, the battle against cyber threats is not a static endeavor but an ongoing journey fraught with challenges and uncertainties. As adversaries evolve their tactics and exploit emerging technologies, so too must our defenses adapt and evolve. The pursuit of cybersecurity excellence demands perpetual vigilance, relentless innovation, and a steadfast commitment to staying one step ahead of the ever-evolving threat landscape. 

The spectrum of cybercrime looms large in our digital age, presenting an existential threat to individuals, businesses, and society at large. By embracing the principles of proactive cybersecurity, fostering a culture of vigilance, and leveraging the latest technological advancements, we can navigate the treacherous waters of the digital domain with confidence and resilience. Together, let us rise to the challenge and secure a safer, more resilient future for all.

The Silent Flaw: How a 6-Year-Old BMC Vulnerability Went Unnoticed


A six-year-old vulnerability has recently come to light, affecting Intel and Lenovo servers. Let’s delve into the details of this silent flaw and its implications. 

About vulnerability

The vulnerability resides within the Lighttpd web server, a lightweight and efficient open-source server commonly used for high-traffic websites. Researchers at the Binary firmware security firm stumbled upon this flaw, which had remained unnoticed for years. The flaw lies in the handling of “folded” HTTP request headers, leading to a heap out-of-bounds (OOB) read vulnerability.

The Culprit: Lighttpd Web Server

The Lighthttpd developers stealthily patched the issue in version 1.4.51 without issuing a tracking ID (CVE), even though it was resolved in August 2018.

Because of this, the AMI MegaRAC BMC developers overlooked the change and neglected to incorporate it into the final version. As a result, system vendors and their clients were affected further down the supply chain by the vulnerability.

The Impact

BMCs are microcontrollers that are integrated into server-grade motherboards, such as those found in cloud and data center systems, and allow for firmware updates, remote management, restarting, and monitoring of the device.

Binary discovered that AMI neglected to implement the Lighttpd patch from 2019 until 2023, which resulted in the deployment of numerous devices that were susceptible to the remotely exploitable flaw throughout this time.

The vulnerability allows attackers to exfiltrate process memory addresses, a critical piece of information. Armed with this data, malicious actors can bypass security mechanisms like Address Space Layout Randomization (ASLR). In essence, the flaw undermines the very protection mechanisms designed to prevent unauthorized access.

Supply Chain Fallout

The story takes an unexpected twist as we trace the flaw’s journey through the supply chain. The maintainers of Lighttpd patched the vulnerability silently in August 2018 (version 1.4.51), without assigning a tracking ID (CVE). Unfortunately, this stealthy fix allowed the flaw to persist in the wild.

The Vendors and Their Devices

Several vendors unwittingly shipped devices with this vulnerability, including Intel, Lenovo, and Supermicro. Let’s explore the impact of each:

Intel

The vulnerability affects the M70KLP series firmware (latest version).

Internal identifier: BRLY-2024-002.

Approximately 2000+ Intel server models remain vulnerable.

Lenovo

Lenovo’s BMC firmware (latest version) harbors the same flaw.

Impacted server models: HX3710, HX3710-F, and HX2710-E.

Internal identifier: BRLY-2024-003.

Supermicro

While not explicitly mentioned, Supermicro devices are likely affected due to their reliance on Lighttpd. The flaw underscores the need for thorough security assessments across the board.

The Hackable Hardware

The oversight in communication between vendors, maintainers, and end-users has resulted in the shipment of hackable hardware. These devices unwittingly expose sensitive information, jeopardizing the security of data centers, cloud services, and critical infrastructure.

The Urgent Call to Action

As the flaw’s existence becomes public knowledge, vendors must act swiftly:

Patch and Update: Vendors should release patches addressing the vulnerability promptly.

Security Audits: Rigorous security audits are essential to identify and rectify hidden flaws.

Transparency: Clear communication channels between maintainers, vendors, and end-users are crucial.

Russian Hackers Breach Microsoft's Security: What You Need to Know

 


In a recent set of events, reports have surfaced of a significant cyberattack on Microsoft, allegedly orchestrated by Russian hackers. This breach, attributed to a group known as Midnight Blizzard or Nobelium, has raised serious concerns among cybersecurity experts and the public alike.

The attack targeted Microsoft's source code repositories, exposing sensitive company information and communications with partners across various sectors, including government, defence, and business. While Microsoft assures that no customer-facing systems were compromised, the breach has far-reaching implications for national and international security.

Cybersecurity experts warn of the potential for increased zero-day vulnerabilities, which are undiscovered security flaws that can be exploited by hackers. Access to source code provides attackers with a "master key" to infiltrate systems, posing a significant threat to organisations and users worldwide.

The severity of the breach has prompted strong reactions from industry professionals. Ariel Parnes, COO of Mitiga, describes the incident as "severe," emphasising the critical importance of source code security in the digital age. Shawn Waldman, CEO of Secure Cyber Defense, condemns the attack as a "worst-case scenario," highlighting the broader implications for national security.

The compromised data includes emails of senior leadership, confidential communications with partners, and cryptographic secrets such as passwords and authentication keys. Larry Whiteside Jr., a cybersecurity expert, warns of potential compliance complications for Microsoft users and partners, as regulators scrutinise the breach's impact on data protection laws.

As the fallout from the breach unfolds, there are growing concerns about the emergence of zero-day vulnerabilities and the need for proactive defence measures. Experts stress the importance of threat hunting and incident response planning to mitigate the risks posed by sophisticated cyber threats.

The incident underscores the ongoing battle in the global cyber warfare landscape, where even tech giants like Microsoft are not immune to attacks. With cybercriminals increasingly targeting supply chains, the need for enhanced security measures has never been more urgent.

The breach of Microsoft's systems serves as a wake-up call for individuals and organisations alike. It highlights the ever-present threat of cyberattacks in an increasingly interconnected world and underscores the need for enhanced cybersecurity measures. By staying vigilant and proactive, establishments can mitigate the risks posed by cyber threats and protect their digital assets from exploitation.

As the field of cybersecurity keeps changing and developing, stakeholders must work together to address the underlying threats and ensure the protection of critical infrastructure and data. This recent breach of Microsoft's security by Russian hackers has raised serious concerns about the vulnerability of digital systems and the need for robust cybersecurity measures.


China State-Sponsored Spies Hack Site and Target User Systems in Asia


Chinese threat actors strike again

Users of a Tibetan language translation app and website visitors to a Buddhist festival were compromised by a focused watering-hole malware connected to a Chinese threat group.

According to recent data from ESET, the so-called Evasive Panda hacking team's cyber-operations campaign started in September 2023 or earlier and impacted systems in Taiwan, Hong Kong, Taiwan, Australia, and the United States.

During the campaign, the attackers gained access to the websites of three different businesses: a development company that provides translations into Tibetan; an organization based in India that promotes Tibetan Buddhism; and the news website Tibetpost, which unintentionally contained dangerous applications. Specific global geographic visitors to the sites were infected with droppers and backdoors, which included Nightdoor, a relatively new backdoor application, and the group's favourite MgBot.

Adversary in the middle attacks

According to ESET researcher Anh Ho, who uncovered the attack, the organization used an astonishing range of attack vectors in the campaign, including phishing emails, watering holes, and adversary-in-the-middle (AitM) attacks via software updates that took advantage of development servers.

"The fact that they orchestrate both a supply chain and watering-hole attack within the same campaign showcases the resources they have," according to him. "Nightdoor is quite complex, which is technically significant, but in my opinion, Evasive Panda's [most significant] attribute is the variety of the attack vectors they have been able to perform."

A relatively small unit called Evasive Panda is usually assigned to surveillance missions in Asia and Africa, mostly targeting individuals and organizations. As reported by SentinelOne, the organization is linked to attacks on telecom companies in 2023 under the code name Operation Tainted Love. According to Microsoft, it is also related to the attribution group Granite Typhoon, née Gallium. Symantec refers to it as Daggerfly as well, and Google Mandiant reports that it shares similarities with a group of cybercriminals and spies known as

Supply chain and watering holes compromises

The group, which has been active since 2012, is well-known for its supply chain attacks and for using stolen code-signing credentials and program upgrades in 2023 to infect users' PCs in China and Africa.

The organization commandeered a website for the Tibetan Buddhist Monlam festival in this most recent campaign, according to ESET's published analysis, to provide a backdoor or downloader tool that downloaded malicious payloads from a compromised Tibetan news site.

The hackers utilized Trojanized programs to infect Mac OS and Windows machines and also compromised a vendor of Tibetan translation software to further target consumers.

Cyber espionage links

Evasive Panda has created MgBot, a proprietary malware framework with a modular architecture that can download other components, run code, and steal data. MgBot modules can download further capabilities and spy on victims who have been hacked, among other things.

Using the MgBot downloader to deliver final payloads, Evasive Panda targeted users in India and Hong Kong in 2020, according to Malwarebytes, which connected the organization to earlier assaults in 2014 and 2018.

The organization released Nightdoor in 2020 as a backdoor that can be used to issue commands, upload data, and build a reverse shell by communicating with a command-and-control server.


Hugging Face's AI Supply Chain Escapes Near Breach by Hackers

 

A recent report from VentureBeat reveals that HuggingFace, a prominent AI leader specializing in pre-trained models and datasets, narrowly escaped a potential devastating cyberattack on its supply chain. The incident underscores existing vulnerabilities in the rapidly expanding field of generative AI.

Lasso Security researchers conducted a security audit on GitHub and HuggingFace repositories, uncovering more than 1,600 compromised API tokens. These tokens, if exploited, could have granted threat actors the ability to launch an attack with full access, allowing them to manipulate widely-used AI models utilized by millions of downstream applications.

The seriousness of the situation was emphasized by the Lasso research team, stating, "With control over an organization boasting millions of downloads, we now possess the capability to manipulate existing models, potentially turning them into malicious entities."

HuggingFace, known for its open-source Transformers library hosting over 500,000 models, has become a high-value target due to its widespread use in natural language processing, computer vision, and other AI tasks. The potential impact of compromising HuggingFace's data and models could extend across various industries implementing AI.

The focus of Lasso's audit centered on API tokens, acting as keys for accessing proprietary models and sensitive data. The researchers identified numerous exposed tokens, some providing write access or full admin privileges over private assets. With control over these tokens, attackers could have compromised or stolen AI models and supporting data.

This discovery aligns with three emerging risk areas outlined in OWASP's new Top 10 list for AI security: supply chain attacks, data poisoning, and model theft. As AI continues to integrate into business and government functions, ensuring security throughout the entire supply chain—from data to models to applications—becomes crucial.

Lasso Security recommends that companies like HuggingFace implement automatic scans for exposed API tokens, enforce access controls, and discourage the use of hardcoded tokens in public repositories. Treating individual tokens as identities and securing them through multifactor authentication and zero-trust principles is also advised.

The incident highlights the necessity for continual monitoring to validate security measures for all users of generative AI. Simply being vigilant may not be sufficient to thwart determined efforts by attackers. Robust authentication and implementing least privilege controls, even at the API token level, are essential precautions for maintaining security in the evolving landscape of AI technology.

Cyberattack Could Lead to a Shortage of Christmas Goods in Australia

 

A cyberattack over the weekend partially closed four major Australian ports, raising concerns about cascading effects. 

Forty percent of the freight that enters the country is handled by DP World Australia, which discovered a security breach on Friday and immediately turned off its internet connection. 

This meant that throughout the weekend, the company's port operations in Sydney, Melbourne, Brisbane, and Fremantle were shut down. 

The company could not estimate how long it would take to recuperate from the cyberattack, but experts believe it could take weeks, prompting price hikes and rising inflationary pressure. 

According to AMP chief economist Shane Oliver, a lengthy disruption in the operations of UAE-owned DP World could have a ripple effect on the overall economy and help trigger another interest rate hike. 

He stated that the attack on DP World, as well as its inability to move goods in or out of its ports, constituted a supply shock, and that a prolonged closure could push up commodity prices, forcing the Reserve Bank to consider another interest rate hike at its December meeting.

“It goes to the nature of the supply shock here, and this could have an impact on the prices, and inflation rate, of goods, which has been coming down. If this stops that, or it pushes up prices, then the Reserve Bank could be looking at it at their December meeting,” Oliver noted. 

However, senior Westpac economist Justin Smirk stated that the Reserve Bank is beginning to consider disruptive incidents such as cyberattacks on supply chain infrastructure. 

The founder of the data breach tracker Have I Been Pwned and cybersecurity researcher Troy Hunt warned that disruptions to Australian consumers could last for weeks and have an impact on Christmas delivery. 

Hunt told this masthead, "If you look back to COVID, look at the sheer number of things that got disrupted just because bits and pieces couldn't get delivered." "It depends on the actions taken here as well; have the internal systems of [DP World] been destroyed?" 

He cited preliminary research from cybersecurity veteran Kevin Beaumont, who discovered that DP World was most likely the victim of a ransomware attack enabled by a vulnerability in Citrix NetScaler software. 

According to Hunt, ransomware groups are now far more professional than they used to be, with websites listing every victim and a countdown timer indicating how much longer they had to pay. 

“There’s … a financial motive for this sort of stuff,” Hunt noted. “Of course, we’ve seen this in Australia recently with the Medibank situation, we’re seeing this more and more. If you have a spin through some of the dark web ransomware websites, it’s just stunning the number of organisations that are listed on there.”

Data Theft Alert: Malicious Python Packages Exposed – Stay Secure

 


Researchers have observed an increasing complexity in the scope of a malicious campaign, which has exposed hundreds of info-stealing packages to open-source platforms over the past half-year, with approximately 75,000 downloads being recorded. 

Checkmarx's Supply Chain Security team has been monitoring the campaign since it started at the beginning of April. Analysts discovered 272 packages with code intended to steal confidential information from systems that have been targeted by this campaign. 

There has been a significant evolution of the attack since it was first identified. The authors of the packages have started integrating increasingly sophisticated obfuscation layers and detection-evading techniques to attempt to prevent detection. 

The concept of an info stealer has evolved from humble beginnings over time to become a powerful info stealer capable of stealing information associated with everyone. 

Crypto and Data Theft 


As the researchers point out, "the Python ecosystem started showing a pattern of behaviour in early April 2023." For example, the “_init_py” file was found to load only when it was confirmed that it was running on a target system rather than in a virtualized environment. This is the usual sign of a malware analysis host, according to the researchers. 

This malware will check for the presence of an antivirus on the compromised endpoint, search for task lists, Wi-Fi passwords, system information, credentials, browsing history, cookies, and payment information saved in your browser as well as cryptocurrency data from wallet apps, Discord badges, phone numbers, email addresses, Minecraft data, and Roblox data. As you can see, the malware checks for these things as well. Additionally, it will also take screenshots of any data that is considered to be of importance and upload it directly. 

Aside from that, the malware causes the compromised system to take screenshots and steal individual files such as those in the Desktop, Pictures, Documents, Music, Videos, and Downloads directories to spread to other systems. 

In addition, the malware monitors constantly the victim's clipboard for cryptocurrency addresses, and it swaps the addresses with the attacker's address to divert the payment to wallets controlled by the attacker. 

Approximately $100,000 worth of cryptocurrency is estimated to have been directly stolen by this campaign, according to the analysts. 

An Analysis of The Attack's Evolution 


There was no doubt that the malicious codes and files from this campaign were found in April packages, since the malicious code was plain text, as reported by the researchers. The researchers also noticed that a multilayered anti-obfuscation had been added to two of the packages by the authors in May to hinder analysis of the packages. 

However, in August, a researcher noted that many packages now have multi-layer encryption. There are currently at least 70 layers of obfuscation used by two of the most recent packages tested by Checkmarx's researcher Yahuda Gelb, as noted in a separate report. 

There was also an announcement that the malware developers planned to develop a feature that could disable antivirus software, added Telegram to the list of targeted applications, and introduced a fallback mechanism for data exfiltration during August. 

There are still many risk factors associated with supply chain attacks, according to the researchers, and threat actors are uploading malicious packages to widely used repositories and version control systems daily, such as GitHub, or package repositories such as PyPi and NPM, as well as to widely used package repositories such as GitHub. 

To protect their privacy, users should carefully scrutinize their trustworthiness as well as be vigilant against typosquatting package names in projects and packages that they trust.

Open Source Software has Advantages, but Supply Chain Risks Should not be Overlooked

 

While app development is faster and easier, security remains a concern. In an era of continuous integration and deployment, DevOps, and daily software updates, open-source components are becoming increasingly important in the software development scene.

In a report released last year, silicon design automation firm Synopsys discovered that 97 percent of codebases in 2021 contained open source and that open source software (OSS) was present in 100 percent of audited codebases in four of 17 industries studied - computer hardware and chips, cybersecurity, energy, and clean tech, and the Internet of Things (IoT). The other verticals had at least 93 percent open source. It can contribute to increased efficiency, cost savings, and developer productivity.

"Open source really is everywhere," Fred Bals, senior technical writer at Synopsys, wrote in a blog post about the report.

However, the increasing use of open-source packages in application development opens the door for threat groups to use the software supply chain as a backdoor to a plethora of targets that rely on it.

Due to the widespread use of OSS packaging in development, many enterprises have no idea what is in their software. With so many different hands involved, it's difficult to know what's going on in the software supply chain. According to a VMware report from last year, concerns about OSS included the need to rely on a community to patch vulnerabilities, as well as the security risks that entails.

Varun Badhwar, co-founder and CEO of Endor Labs – a startup working to secure OSS in app development – called it "the backbone of our critical infrastructure." But he added that developers and executives are often surprised by how much of their applications' code comes from OSS.

According to Badhwar, 95 percent of all vulnerabilities are found in "transitive dependencies," which are open source code packages that are pulled into projects rather than being chosen by developers.

"This is a huge arena, yet it's been largely overlooked," he warned.

Growing awareness of the threat

The use of open source software is not a new trend. According to Brian Fox, co-founder and CTO of software supply chain management vendor Sonatype and a member of the OpenSSF (Open Source Security Foundation) governing board, developers have been doing it for a dozen years or more.

According to Fox, developers assemble the source components and add business logic. As a result, open source becomes the software's foundation.

What has changed in recent years is the general awareness of it, not just among well-intentioned developers who are creating software from these disparate parts.

"The attackers have figured this out as well," he said. "A big notable change over the last five or so years has been the rise of intentional malware attacks on the supply chain."

This was highlighted by the SolarWinds breach in 2020, in which miscreants linked to Russia broke into the company's software system and inserted malicious code. Customers who downloaded and installed the code unknowingly during the update process were then compromised. Similar attacks followed, notably against Kaseya and Log4j.

Obtaining the image using Log4j

According to Fox, the Java-based logging tool is an example of the massive risk consolidation that comes with the widespread use of popular software components.

"It's a simple component way down [in the software] and it was so popular you can basically stipulate it exists in every Java application – and you would be right 99.99 percent of the time," he said. "As an attacker … you're going to focus on those types of things. If you can figure out how to exploit it, it makes it possible to 'spray and pray' across the internet – as opposed to in the '90s, when you had to sit down and figure out how to break each bespoke web application because they all had custom code."

Enterprises have "effectively outsourced 90 percent of your development to people you don't know and can't trust. When I put it that way, it sounds scary, but that's what's been happening for ten years. We're just now grappling with the implications of it."

Log4j also brought to light another issue in the software supply chain, awakening many to how reliant they are on OSS. Despite this, an estimated 29 percent of Log4j downloads are still of the vulnerable versions.

According to Sonatype analysis, the majority of the time a company uses a vulnerable version of any component, a fixed version of the component is available - but they don't use it. This indicates a need for more education. according to Fox. "96 percent of the problem is people keep taking the tainted food off the shelf instead of taking a cleaned-up one."

Concentrating on the repositories

Another OSS-related threat is the injection of malware into package repositories such as GitHub, Python Package Index (PyPI), and NPM. Cybercriminals are using dependency confusion and other techniques to create malicious versions of popular code in order to trick developers into including the code in their software.

They may use an underscore instead of a dash in their code to confuse developers into selecting the incorrect component.

"The challenge with this is that the attack happens as soon as the developer downloads that component and these downloads happen by the tools," Fox said. "It's not like they're literally going to a browser and downloading it like the old days, but they're putting it into their tool and it happens behind the scenes and it might execute this malware.

"The sophistication of the attacks is low and these malware components don't even often pretend to be a legitimate components. They don't compile. They're not going to run the test. All they do is deliver the payload. It's like a smash-and-grab."

Defenses are being strengthened.

Despite the security risks associated with OSS, there are benefits to using it. According to Fox, it is more visible and transparent than commercial software. He cited the response to the Log4j vulnerabilities: the Log4j team produced a fix in a matter of days, which commercial organizations were unlikely to be able to do.

Mike Parkin, the senior technical engineer at Vulcan Cyber, agreed that having more eyes on the code through open source can help mitigate cyber threats, but it also makes it easier for potential attackers.

That said, "historically the tradeoff has usually favored the open source developers," Parkin told The Register.

The SolarWinds attack highlighted the importance of software supply chain security. Building on US President Biden's 2021 Cybersecurity Executive Order, the White House ordered [PDF] federal agencies in September 2022 to follow NIST guidelines when using third-party software, including self-attestation and software bills of materials (SBOMs) by software vendors.

Vendors are working on a variety of initiatives to strengthen the security of the software supply chain. These include the rise of multi-vendor frameworks such as the Open Software Supply Chain Attack Reference, tools such as the Vulnerability Exploitability Exchange (VEX), and other cybersecurity vendor products.

Still, Sonatype's Fox would like to see other steps taken, such as requiring software manufacturers to recall defective software components. They are currently designed to create an SBOM. Fox compared it to car manufacturers only having to provide buyers with a list of vehicle parts, which can then be stuffed into a glove box and forgotten about, with no obligation to recall the vehicle if any of those parts are faulty.

"What we really need is something to basically mandate that they can do a recall, because that implies that they know all the parts and where they ship them and which versions of the applications have which open source dependencies, but it also means they're actually managing it and looking out for that," he said. "That drives you towards that proper behavior."

Fox wishes to concentrate on the actual maintenance of the OSS packages. Governments are moving in that direction, he said, noting that the EU's Cyber Resilience Act mentions the need for recalls, albeit without using the exact words. According to Fox, the Biden administration may be warming up to the idea.

He is also considering component-level firewalls, which work similarly to packet-level firewalls in that they can inspect network traffic and block malicious traffic before an attack can begin. Similarly, a component-level firewall could prevent malicious code from infiltrating the software.

"If you don't even know what's in your software to start with, you probably have no visibility into what's going on with the malware, which is almost a worse problem because it's not just the vulnerability that's latent, waiting for somebody to exploit," he said. "It's causing harm the moment you touch it. Not enough people are really getting their head around that part of the problem either."

The Nexus Firewall, which Fox said was inspired by credit card fraud protection, was built into Sonatype's platform. The firewall recognizes normal behavior and can detect abnormal behavior using artificial intelligence and machine learning techniques. More than 108,000 malicious attack attempts were detected by the firewall in 2022.

"So many organizations don't even know that this is a problem," he said. "It's where the game is happening right now and the attackers are kind of having a field day, unfortunately."

It is necessary to have both SBOM and firewall-like capabilities.

"Yes, you need to know where all those parts are, so when the next Log4j happens, you can remediate it immediately and not have to start triaging thousands of applications," Fox argued. "But that's not going to stop these malicious attacks. You also need to be perfect protecting the factory."


How Does Modern Software Work?

 


It is encouraging to see a thriving community within the cybersecurity industry clamoring to share experiences as conference season approaches. As a result of the call-for-speakers process, attendees can get a pretty clear idea of what's on the minds of the entire ecosystem of cybersecurity professionals across the globe. 

This year's "RSAC 2023 Call for Submissions Trends Report" examined several noteworthy trends related to open source, one of which was open source's ubiquity and decreasing resemblance to silos, a trend that has been observed in previous research about the RSAC 2023 call for submissions. There are both benefits and risks associated with the changes in modern software. 

Software Writing: Is It Still a Thing? 

There is no doubt that cybersecurity professionals spend much of their time discussing software and how it's assembled, tested, deployed, and patched to protect against malicious attacks. 

A company's software has a profound effect on its success, regardless of its size or sector. As scale and complexity have increased over time, teams and practices have evolved to meet these challenges. In light of this, Jennifer Czaplewski, senior director at Target, where she leads DevSecOps and endpoint security, says this has led to more assembly than the writing of software in the modern day. She is also a member of the program committee for the RSA Conference. This is not just a matter of opinion, it is a fact. According to estimates made by industry experts, 70% to almost 100% of all software across the industry contains open-source components. These are codes that can be directly attacked in small and large attacks. It creates a huge, shifting attack surface that everyone should be keeping an eye on, as well as an area of focus for everyone to work on. 

While you are designing and assembling code, you are bound to discover a lot of dependencies that you will have to deal with - both transitive and widespread. A team integrating the code will also need to better understand the process used to run, test and maintain it. This will enable them to bring these dependencies to the table more effectively. These dependencies extend much deeper than the actual code itself. 

 Are there any Software Developers Left? 

Even though cybersecurity professionals spend a lot of time talking about software, it comes as no surprise that they spend a lot of time discussing how it is assembled, tested, deployed, and patched. Each business, regardless of its size or sector, has been impacted by software to some extent or another. The growth of scale and complexity has led to the evolution of teams and practices as well. Therefore, DevSecOps and endpoint security are constantly being integrated as a result, and Jennifer Czaplewski, a senior director at Target and a member of the program committee for the RSA Conference, says "Modern software is being assembled more than it is being written." This is not an opinion but a fact. As much as 70% to nearly 100% of all software across the industry contains open source components - code that is targeted directly in attacks of all sizes - estimates suggest this is a huge, shifting attack surface that requires all companies' supply chains to be vigilant. This creates an area of focus for every industry.

Code assembly creates a wide range of dependencies that are natural artifacts that arise as a result of the assembly process. The team that is incorporating it also needs to understand the processes used to run, test, and maintain the code. This is because they are deeper than the actual code. 

There is no escaping today's reality - almost every organization today relies unavoidably on open-source software to run its operations, which has led to an increase in the demand for better methods of assessing risks, cataloging usage, tracking impacts, and making informed decisions about the integration of open source components into software stacks before, during, and after they have been integrated. 

Components of Success and Building Trust 

As a technology issue, open source isn't the only issue that concerns open source. Alternatively, there may be a problem with the process. There could also be an issue with the people involved. As you might expect, it touches everything, including top-level executives, heads of information security departments (CISDs), policymakers, and developers. It is vital to establish trust across each of these groups by building transparency, collaboration, and communication between them. It is apparent that the software bill of materials (SBOM) has become one of the primary elements for building trust and has become popular after the May 2021 executive order from President Biden. 

In recent years, people have been able to observe tangible and quantifiable results as a result of the implementation of this solution. These results include how well assets are managed, how quickly vulnerabilities are addressed, and how strongly software life cycle management is improved. DBOM (data) and HBOM (hardware) seem to have gained traction, which has led to the creation of additional BOMs, such as PBOM (pipeline) and CBOM (cybersecurity), with SBOM generating additional BOMs. Many are hopeful that the BOM movement will be able to lead to a uniform and systematic way to think about and approach problem-solving in the future, but only time will tell whether the benefits outweigh the heavy responsibility placed on developers. 

Several policies and collaborations have been put into place to encourage the practices that have led to the success of open-source software, including the Securing Open Source Software Act, the Supply Chain Levels for Software Artifacts (SLSA) framework, as well as the NIST Secure Software Development Framework (SSDF). A common goal, namely to ensure that software supply chains are secure by default, has enabled the entire community to work together. 

There is an overt focus on the downside of open-source code, including potential manipulation, attacks, and exploitation of it. This is leading to increased efforts to mitigate associated risks, both through the development process, analytical reports, and even technology, to mitigate those risks. There is a great deal of effort being put into preventing malicious components from being ingested into the body in the first place. 

As a result of this introspection and personal learning around software development, the software development life cycle (SDLC), and the supply chain generally, there have been a lot of benefits to the community at this moment in time. Indeed, open source can greatly impact the success of ... open source! The continuous integration/continuous delivery pipeline (CI/CD) that developers are accustomed to using relies heavily on open-source tools to integrate critical security controls during development. OpenSSF scorecards and the OpenSSF Secure Supply Chain Framework are both examples of promising initiatives that will help teams in assembling software by providing resources such as automated scoring and consumption-focused frameworks that protect developers against real-world threats related to OSS supply chains. Just two examples of promising activities that will assist teams in assembling software include the Secure Supply Chain (SSC) Framework. 

Bringing our Strengths Together Makes us Stronger 

Even though open-source software continues to change the game of software, it has already changed it. There has been an impact on the way software is developed all over the world due to it. In addition, it has expedited product development time. A reduction in development costs and stimulation of innovation have been two of the benefits. 

While it can be argued that the updated system has contributed to security in the long run, work needs to be done. To make the world safer, we must work together as a village by sharing ideas and best practices throughout our communities. This will enable us to build a more secure world.   

What Choices Ought to Influence the Supply Chain in 2023?

 

Due to the increase in cybercrime, many businesses are infected by viruses and malware that are distributed to them by vendors and business partners. 

There has not been a definite plan of action that addresses this as of yet. However, new third-party risk assessment techniques, products, and services are now available to find security "weak spots" in the supply chain of your business. 

Threats by supply chain vendors 

BlueVoyant, a cybersecurity provider, reported in 2021 that 98% of organizations surveyed had been impacted by a supply chain security breach. In a global survey of 1,000 chief information officers conducted in 2022, 82% of respondents said their organizations were vulnerable to cyberattacks targeting their supply chains. 

There are multiple reasons for these statistics and concerns. The following stand out:

  • The enormous size of corporate supply chains can include up to 100,000 suppliers for a single business 
  • Different cybersecurity standards are required in different countries 
  • Supplier unpreparedness, lack of knowledge, and lack of resources for sound cybersecurity practices 
  • Lack of understanding of supplier security in areas like purchasing, which frequently issue requests for proposals from suppliers without mentioning the security requirements for conducting business with the company. 

Best practices for supply chain security 

While cybersecurity frameworks provide an excellent overview of general supply chain security requirements, they do not provide a detailed plan for implementation. 

What organizations require is a guide for a multifaceted approach to supply chain security — but no single playbook can meet the needs of every organization. Instead, as organizations develop their own security approaches, leaders should follow supply chain security best practices: 

Become familiar with your data 

It may seem obvious, but it cannot be overstated: you must understand your own data, that is, what type of data your organization stores and how sensitive that data is. Use discovery and classification tools to find databases and files in your organization that contain sensitive data, such as customer data, financial information, health records, etc. 

Conduct a risk assessment of supply chain security 

Simply comprehending your data is insufficient. You must also understand your supply chain thoroughly in order to identify potential security risks and take preventative measures. 

Begin by gathering data on your third-party partners. What security safeguards do they have in place? Consider each partner's level of vulnerability, breadth and depth of data access, and the impact on your organization if their security is compromised. 

Next, evaluate the software and hardware products that your company employs. What are their weaknesses? Also, don't overlook compliance. Examine your organization's current security governance and consider where it may need to pivot. 

Create an incident response plan 

Attacks will occur, and your system will be compromised, no matter how thoroughly you prepare your organization's supply chain security. As a result, supply chain security best practices include more than just prevention — they also include preparation. 

An incident response plan should be a key component of your supply chain security app. This plan should outline everyone's responsibilities as well as all procedures to be followed in the event of a security incident. Make specific plans for data breaches, system shutdowns, and other security interruptions. And don't just write these procedures down. Test them, practice them, and make sure they're ready to go. 

Conclusion 

Because the supply chain is so fragile, maintaining solid supply chain security is a dangerous game. While eliminating all threats is impossible, adhering to best practices in supply chain security will position your organization to anticipate and mitigate their effects.

Concerns About Supply Chain Risks Need Strategies

 


It is common for the security industry to get disturbed when new vulnerabilities are discovered in software. Two new vulnerabilities were reported in OpenSSL in late October and early November 2022, which overwhelmed news feeds. This never-ending vulnerability cycle begins with the discovery and disclosure of vulnerabilities. The impact of a cyber-attack is felt acutely by those who work on the front lines of information technology, as the need for remediation is harsh. 

To filter some of the noise from new vulnerabilities, consider the impact on supply chains and take the necessary steps to secure their assets, security leaders must maintain an effective cybersecurity strategy. 

Supply Chain Attacks Aren't Going Away 

There have been several severe vulnerabilities in Log4j, Spring Framework, and OpenSSL components in the last year which have caused us to lose significant amounts of data. As long as implementations are misconfigured or rely on known vulnerable dependencies, it is also certain those older vulnerabilities will be exploited in the future. It was learned in November 2022 that a state-sponsored Iranian operation had been mounted against the Federal Civilian Executive Branch (FCEB), which was attributed to an attack campaign launched against it by the Iranian regime. In this case, a United States federal entity ran VMware Horizon infrastructure. This infrastructure contained the Log4Shell vulnerability, which was the initial attack vector. This vulnerability allowed an attacker to gain access to the network. There was a series of attacks on FCEB. This attack chain included lateral movements, credential compromises, system compromises, network persistence, endpoint protection bypasses, and crypto-jacking in the course of a single attack. 

After security incidents involving vulnerable packages like OpenSSL or Log4j, organizations are likely to wonder why they are consuming open-source software at all. According to a recent report, supply chain attacks continue to be on the rise because suppliers and partners are reusing components. 

Instead of building systems from scratch, the team of strategic planners for cybersecurity at Sysdig repurposes existing code. As a result, engineering effort will be reduced, operational scalability will be achieved, and delivery will be fast. In general, open-source software (OSS) has a high reputation for reliability due to the public scrutiny it receives due to its open-source nature. Software is, of course, a constantly changing field, and problems can arise as a result of coding errors or dependency problems. Moreover, the improvement of testing and exploitation techniques also enables the discovery of new issues over time. 

Supply Chain Vulnerabilities: How to Address Them

To secure the modern design of an organization, it must have the appropriate tools and processes in place. In this rapidly changing environment, traditional approaches based on vulnerability management or point-in-time assessments cannot be relied upon alone. Even though these approaches may still be permitted by regulations, they perpetuate the division between "secure" and "compliance." Most organizations aim to reach some level of maturity in DevOps. There are several characteristics of DevOps practices that are common to both continuous and automated processes. Processes related to security should not be different from other processes. The security strategist must ensure that they maintain a steady focus on security throughout the phases of development, testing, and deployment, and during runtime. 

Continuously scan code in CI/CD: In addition to following the best security practices (e.g., shift left), you need to recognize that you will not be able to scan all the code and nested code. Several factors can limit the success of shift-left approaches scanner effectiveness, correlation of scanner output, automation of release decisions, and scanner completion within the release timeframes. Using the right tool can help you prioritize the risks associated with your findings. Your architecture may not be able to exploit all found vulnerabilities, and some vulnerabilities may not be exploitable in the first place. 

Continuous scanning during delivery: it is essential to prevent component compromises and environment drifts from happening. The digital supply chain, which is the process by which applications, infrastructure, and workloads are sourced from registries, and repositories, and booted up from them, need to be scanned in case something has been compromised along the way. 

Continually scan at runtime: To protect against cyber threats, most organizations are looking to continually scan at runtime, and security monitoring is the backbone of their efforts. As part of your system architecture, you need mechanisms to collect, correlate, and interpret telemetric data from all types of systems, including cloud environments, containers, and Kubernetes deployments. Insights collected during the runtime should feed back into the earlier stages of the build and delivery process. In the context of identity and services, there is an interaction between them.

Secure strategy and cybersecurity preparedness are essential in the wake of the latest OpenSSL vulnerability and Log4Shell. CVE-IDs are merely identifiers of vulnerability issues that are known to exist in publicly available software or hardware. Many vulnerabilities remain unreported, particularly those rooted in undocumented code or those resulting from environmental misconfiguration or homegrown code. Modern designs are based on distributed and diverse technologies, and cybersecurity strategies must take this into consideration. The technology you need to manage vulnerabilities requires a modern tool that uses runtime insights so that engineering teams can prioritize remediation tasks based on the information they have. Additionally, for you to avoid sudden attacks, you need to have the ability to detect and respond to threats across a wide range of environments.