Attacks on Software Supply Chains To Increase in Severity in 2023: Report

Software supply chain attacks are expected to increase in both frequency and severity in 2023, ReversingLabs said.

December 7, 2022

Cyberattacks on the software supply chain will continue to rise in 2023. Correspondingly, organizations will see a shift in how security teams approach cyber defense. This is according to a recent report from ReversingLabs, which assessed the impact of software supply chain incidents since the SolarWinds incident.

The impact of the 2020 SUNBURST attack (through SolarWinds Orion) was widespread and profound. Suddenly, software supply chains became cybercriminal playgrounds to carry out lucrative cyberattacks, cyberespionage, or simply make a statement.

In response to this emerging trend of seeking out and exploiting software supply chain weaknesses, security teams have also upped their game, while the government irons out specific guidelines for securing the software supply chain under the Enduring Security Framework (ESF), a public-private undertaking, and through new legislation, the Securing Open Source Software Act of 2022.

“These [software supply chain] attacks feed on practices and behaviors that are ubiquitous,” ReversingLabs noted in The State of Software Supply Chain Security 2022-23 report.

“Among them: a heavy reliance on centralized, cloud-based infrastructure; fast-moving DevOps practices that have greatly increased the cadence of software releases, in part through heavy use of third-party commercial off-the-shelf and open source modules to speed development; and an increased reliance on centralized auto-update mechanisms to facilitate the rapid release cycles of modern, cloud-based applications and services.”

Key software supply chain security trends observed in the past 12 months:

Misplaced trust in open-source software implanted with malicious code is proving to be a drawback for organizational security. For instance, attacks on the npm and PyPI repositories have surged by 289% in the last four years.

Malicious packages have become a malignant presence in open-source repositories, especially npm, which was found with as many as 7,000 malicious packages between January and October 2022. This is 100x more than the number in 2020 and 40% higher than in 2021.

Figure: Malicious Packages in NPM and PyPI | Source: ReversingLabs

The npm registry is the cybercriminals' choice for propagating malicious code and infecting downstream organizations. ReversingLabs said this is because npm hosts more than 3.1 million projects, against 407,000 on PyPI and 173,000 on RubyGems.

Specifically, typosquatting scams, a technique in which malicious actors publish a package whose name resembles that of a popular library, have increased.
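A defender-side check for the typosquatting pattern described above, written for this article as an added example (it is not ReversingLabs' tooling): it flags requested package names that closely resemble a popular package, including the separator swaps and `python-`/`-js` affixes that look-alike names rely on. The `POPULAR` list and the 0.8 similarity threshold are constructed assumptions.

```python
import difflib
import re

# Constructed sample of popular names (assumption: in practice this list
# would come from the registry's own download statistics).
POPULAR = ["lodash", "express", "requests", "colors", "faker", "numpy"]

# Prefixes/suffixes commonly bolted onto a real name to make a look-alike.
AFFIXES = ("python", "node", "js", "py")


def normalize(name: str) -> str:
    """Lower-case the name and drop the separators that get swapped around."""
    return re.sub(r"[-_.]", "", name.lower())


def variants(name: str) -> set:
    """The normalized name plus copies with one known affix stripped."""
    base = normalize(name)
    out = {base}
    for affix in AFFIXES:
        if base.startswith(affix) and len(base) > len(affix):
            out.add(base[len(affix):])
        if base.endswith(affix) and len(base) > len(affix):
            out.add(base[:-len(affix)])
    return out


def typosquat_candidates(name: str, popular=POPULAR, threshold: float = 0.8):
    """Return (popular_name, similarity) pairs that `name` looks like.

    An exact (case-insensitive) match with a popular name returns [] because
    the request is for the genuine package, not a look-alike.
    """
    if name.lower() in (p.lower() for p in popular):
        return []
    hits = []
    for p in popular:
        pn = normalize(p)
        ratio = max(
            difflib.SequenceMatcher(None, v, pn).ratio() for v in variants(name)
        )
        if ratio >= threshold:
            hits.append((p, round(ratio, 2)))
    return sorted(hits, key=lambda h: -h[1])
```

A hit is a signal to hold the install for review, not proof of malice; legitimate forks and wrappers also produce near-duplicate names.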

Protestware poses yet another risk to the software supply chain. Protestware emerged in 2022, wherein “maintainers of legitimate applications decide to weaponize their software in service of some larger cause (be it personal or political).”

Manipulation of the npm libraries colors.js and faker.js (which printed ‘LIBERTY LIBERTY LIBERTY’ followed by a sequence of gibberish non-ASCII characters instead of the expected output) and the open-source library node-ipc are some examples of protestware.


Meanwhile, organizations can unintentionally leave sensitive information in repositories. “It is only recently that we have seen malicious attackers turning their attention to the software supply chain as they began to recognize source code as an abundant source of unintentionally embedded secrets which can be used to further attacks,” ReversingLabs security analyst Charlie Jones noted.

Some of the organizations “embarrassed” by the presence of sensitive information such as source code, credentials, access tokens, etc., embedded in repositories maintained either by themselves or by third parties on open-source platforms include the U.S. Department of Veterans Affairs, Toyota, CarbonTV, and more.

Figure: Number of Leaked Credentials for Projects Hosted on PyPI | Source: ReversingLabs

Additionally, organizations are found to be relying on vulnerable software dependencies, and the steady discovery of open-source vulnerabilities such as Log4Shell, Text4Shell and Spring4Shell, along with flaws in Python and OpenSSL, indicates that threat actors are consistently trying to find new avenues for exploitation.

The good news is that organizations are alert to the issue at hand. A survey ReversingLabs conducted revealed the following:

  • 98% of respondents said third-party software, open source software, and software tampering are risks to organizations
  • 66% of respondents said exploitable software vulnerabilities pose a risk
  • 63% of respondents said that threats and malware hidden in open source repositories that can lead to SUNBURST- and Codecov-esque incidents are a risk
  • 51% of respondents said the inability to detect software tampering is a security risk
  • 40% of respondents also highlighted vulnerabilities in CI/CD toolchains as a concern

As such, security teams are expected to counter supply chain attacks with:

  • The introduction of new features to identify malicious packages
  • More integration with package scanning platforms
  • IP range locks
  • Supply chain security automation
  • Open-source program offices
  • Adherence to open-source security under the Securing Open Source Software Act of 2022

“If data from the past three years is any indication, attacks on software supply chains will increase in both frequency and severity in 2023, as they have in each of the last three years. That, along with new regulations and guidance intended to address supply chain risk, will put new pressure on development organizations and enterprises,” ReversingLabs concluded.

“Going forward, ReversingLabs researchers anticipate a shift in both security thinking and investment. Expect to see increased scrutiny of both internal and shared code for evidence of secrets such as access credentials for cloud-based services like AWS and Azure; SSH, SSL and PGP keys, and assorted other access tokens and API keys.”
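An added example (not from the article or ReversingLabs) of the kind of secrets scan the report anticipates, also covering the embedded-credential problem described earlier: simple rules for the AWS access key ID format, PEM private-key headers, Azure storage connection strings and generic credential assignments, run over a constructed sample file with each match masked before it is reported. The sample values and the heuristic rules are assumptions.

```python
import re

# Detection rules for the secret types named in the report. The AWS access
# key ID format and PEM private-key headers are published formats; the Azure
# and generic-assignment rules are heuristics and will need tuning.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----"
    ),
    "azure_storage_conn": re.compile(r"AccountKey=[A-Za-z0-9+/=]{20,}"),
    "generic_assignment": re.compile(
        r"""[A-Za-z_]*(?:key|secret|token|password)\s*[:=]\s*['"][^'"]{8,}['"]""",
        re.I,
    ),
}

# Constructed sample source file. The AWS key is the placeholder key from
# AWS's own documentation; every other value is made up for this example.
SAMPLE_SOURCE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
conn = "DefaultEndpointsProtocol=https;AccountName=demo;AccountKey=AbCdEfGhIjKlMnOpQrStUvWxYz0123456789+/=="
-----BEGIN PGP PRIVATE KEY BLOCK-----
github_token = "ghp_constructedplaceholdervalue0"
aws_region = "us-east-1"
password = os.environ["DB_PASSWORD"]
"""


def mask(secret: str) -> str:
    """Keep a short prefix for triage; never log the full value."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_lines(lines):
    """Return (line_number, rule_name, masked_match) for every hit."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                findings.append((lineno, rule, mask(m.group(0))))
    return findings


if __name__ == "__main__":
    for lineno, rule, masked in scan_lines(SAMPLE_SOURCE.splitlines()):
        print(f"line {lineno}: {rule}: {masked}")
```

The last two sample lines show what the rules deliberately ignore: an ordinary string assignment and a credential read from the environment rather than hard-coded.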

Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis