First, let’s look at the current state of securing the supply chain processes and software.
It is easy at first glance, if this is not the industry you are involved in, to think of this area of commerce as being of the most concern to manufacturers, moving goods ‘down the line’ as they leave their chief location. But of course, in our world, with consumers wanting goods faster and faster, it is getting more difficult to secure not only goods in transit (depending on sensitivity and scarcity of those products), but also the information, the data, the proprietary secrets and security of credentials, from a software, data, physical and operational standpoint.
Fears of Supply Chain Attack are Growing/What is Going on in 2023?
Almost two years after word of the SolarWinds hack first spread, software supply chain attacks show no sign of abating.
In the commercial sector, attacks that leverage malicious, open-source modules continue to multiply. Enterprises saw an exponential increase in supply chain attacks starting in 2020, and a slower, but still steady rise in 2022. The popular open-source repository nm., for example, saw close to 7,000 malicious package uploads from January to October of 2022 — a nearly 100 times increase over the 75 malicious packages discovered in 2020 and 40% increase over the malicious packages discovered in 2021. (quote: Reversing labs)
The Python Package Index (PyPi) was also flooded with tainted open-source modules designed to mine cryptocurrency and plant malware, among other things. These attacks were consistent with what researchers observed in 2021, when attackers commonly used techniques such as dependency confusion and typosquatting. As in previous years,
high-profile organizations including Samsung and Toyota found themselves embarrassed by secrets exposed through open-source repositories that were maintained internally or by third-party contractors.
In this article, Saturn Partners, Inc. offers recommendations to prevent supply chain compromises. These include increased scrutiny of open-source risks and better coordination between development teams and security operations centers (SOCs) to bridge the gaps in both the monitoring and detection of supply chain threats and attacks.
What Constitutes a Software Supply Chain Attack?
Since we at The Saturn Partners, Inc. consider this area the ‘hot button’ in the supply chain security world, whether examining data or electronic assets at rest or in transit… we cut to the chase here as to some of most recent processes and descriptions of it:
A software supply chain attack is an attempt to exploit a weakness at a given stage in the software supply chain — the sequence of steps leading to the creation of a piece of software (a.k.a “software artifact”). Supply chain attacks try to access and manipulate source code, build processes, or update mechanisms of legitimate applications to an end: planting malware; stealing data; sowing disruption; and so on. Note that software supply chain attacks aren’t the same as attacks on software. For example, attempts to exploit software vulnerabilities for malicious purposes (privilege escalation, installing malware, etc.) are not software supply chain attacks because they target the finished software artifact, not the supply chain.
Much of the recent history of cyber threats, attacks, and compromises centers on the exploitation of software vulnerabilities, such as the notorious “Eternal Blue” exploit of the MS17-010 vulnerability in Microsoft’s Server Message Block that powered the explosive WannaCry and NotPetya malware infections.
Or it hinges on the placement of designed-malicious wares — like ransomware…
— on high-value endpoints and networks, often because of successful phishing and social engineering attacks on privileged users.
But that history of exploits and malicious attachments is ceding ground as malicious actors adapt their methods and strategies to find new avenues into sensitive private- and public-sector environments.
With an increasing reliance on open-source packages, the attacks on open-source repositories have become a matter of hunting where the fish are… so to speak, while also sidestepping many of the security and detection tools that have been deployed to protect more traditional targets.
Malicious open-source packages are the (rare) exception rather than the rule. Unfortunately, it takes just one malicious package to cause a major supply chain disruption. And attackers’ efforts to impersonate popular packages on these platforms means that coming across a malicious module may be easier than you might think.