Open-source tools fire up software supply chain attacks

Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software supply chain security headlines from around the world, curated by the team at ReversingLabs.

This week: RL released its annual report on the State of Software Supply Chain Security, and Axios had the exclusive. Also: Chris H. shares more on the new OWASP AI Exchange. 

This Week’s Top Story

Exclusive: Open-source tools fire up supply chain attacks

This week, Axios reports on the increase in software supply chain attacks based in open source code repositories, and on how the barrier to performing these attacks has lowered and will continue to do so. A kind of cyber attack once thought possible only for skilled threat actors, such as nation-state cyber crime groups, can now be executed by cybercriminals with basic knowledge of developing code and public platforms, such as PyPI and npm.

These findings come from ReversingLabs’s newest report: The State of Software Supply Chain Security 2024, which gives an overview of the 2023 threat landscape, analyzes what has changed since 2022, and looks ahead to what security teams can expect in 2024. In looking at what has changed, RL researchers detected a 28% increase in the number of malicious packages uploaded across several major open source repositories between 2022 and 2023, potentially causing thousands of individual supply chain attacks. Researchers also assert that this increase is thanks to cybercriminals who have been creating hacking tools and techniques to be shared among fellow malicious actors, making it easier than ever to carry out supply chain attacks on these platforms. 

In 2023 alone, RL researchers discovered five never-before-seen techniques by malicious actors, showcasing cybercriminals’ increased malicious activity on these platforms as well as their improved skillset. ReversingLabs chief software architect and co-founder Tomislav Peričin shared his thoughts on these changes with Axios:

“It's a cat-and-mouse game, and every single time you develop the technology that can detect that type of attack, they just pivot somewhere else. To me, 2023 was the year of many, many different pivots that we saw.” - Tomislav Peričin

In 2023, cybercriminals pivoted to tactics such as obfuscating or encrypting their malicious activity to evade detection, as well as delivering malicious packages that can create backdoors into an organization’s network, giving threat actors continued access that could allow them to do more harm.

To stay ahead of malicious actors, it’s recommended that security teams “continually audit the technologies they use,” writes Axios. Peričin also stresses that the federal government should continue to release guidance and mandates with regard to shoring up software supply chain security programs. (Axios)

This Week’s Headlines

The OWASP AI Exchange: An open-source cybersecurity guide to AI components

In this CSO article, Chris Hughes continues his analysis of the Open Worldwide Application Security Project’s (OWASP) AI Exchange, which is meant to be an open-source, collaborative effort that shares global AI security standards, regulations, and knowledge. The hope is that this initiative will allow practitioners to better mitigate the risk AI technology poses and boost AI cybersecurity in general. (CSO)

Software supply chain security programs: Challenges, evaluating tools, and more

Organizations implementing a software supply chain security program in 2024 should be aware of the challenges listed in this article that their teams may face, along with some questions to ask when evaluating new tools and technologies to help build this program. (Fast Company)

NIST offers guidance on measuring and improving your company’s cybersecurity program

The National Institute of Standards and Technology (NIST) is offering new guidance in response to organizations looking to create cybersecurity measurement programs that can help them make data-driven, risk-based decisions to achieve their security goals. This guidance provided by NIST measures the effectiveness of organizations’ information security programs. The guidance is still in draft form, and NIST is accepting comments from the community regarding the draft until March 18, 2024. (NIST)

Opera MyFlaw bug could let hackers run any file on your Mac or Windows

Cybersecurity researchers have disclosed a now-patched security flaw in the Opera web browser for Microsoft Windows and Apple macOS that could be exploited to execute any file on the underlying operating system. The remote code execution vulnerability has been codenamed MyFlaw – owing to the fact that it takes advantage of a feature called My Flow that makes it possible to sync messages and files between mobile and desktop devices. (The Hacker News)

Is the Cyber Safety Review Board working? Lawmakers consider tweaks to CSRB

Congress is considering updates to the Cyber Safety Review Board, as some experts say the CSRB needs more independence and transparency, while lawmakers also eye giving subpoena powers to the investigative panel. The review board was established under the Department of Homeland Security as part of the May 2021 executive order on securing the nation’s cybersecurity, and was created to investigate major cyber incidents. (Federal News Network)

Resource Roundup

New Report | The State of Software Supply Chain Security 2024

ReversingLabs has released its annual report on the state of software supply chain security. Learn top trends and get key takeaways to equip your development and AppSec teams. [Read Now]

Webinar | The State of Software Supply Chain Security 2024

Derek Fisher, Author and Executive Director of Product Security at JP Morgan Chase, and Matt Rose, Field CISO at ReversingLabs, will discuss key insights from ReversingLabs’s recent report to help organizations prepare their software supply chain security programs for the coming year and beyond. [Register Now]

Blog | A (partial) history of software supply chain attacks

The SunBurst hack of SolarWinds put supply chain attacks on everyone’s radar. But these attacks aren’t new. Here’s an abbreviated history of key supply chain attacks and compromises. [Read Now]
