Secure by Demand: Key takeaways for enterprise software buyers
Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software security headlines from around the world, curated by the team at ReversingLabs.
This week: CISA releases Secure by Demand, the counterpart to its initial software supply chain security initiative, Secure by Design. Also: Chinese threat actor Evasive Panda compromises an ISP to deploy malicious software updates.
This Week’s Top Story
Secure by Demand: Key takeaways for enterprise software buyers
This week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) took another step in defining federal software supply chain security policy with the release of “Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem,” the official counterpart to CISA’s landmark Secure by Design guidance (PDF), released in April 2023.
Secure by Design was one of the first federal initiatives to shift the burden of software supply chain attacks away from end users and onto those who create, ship, and maintain software products. CISA’s Secure by Design Pledge, released just a few months ago, further encouraged software producers to adopt secure software development and maintenance practices.
What Secure by Design left out was a key participant in the software supply chain: the enterprise buyer. Commercial software risk remains one of the most under-addressed cybersecurity risks enterprises face. The 2024 Verizon Data Breach Investigations Report (DBIR) found that breaches involving a third party, including third-party software, played a role in 15% of the more than 10,000 breaches Verizon documented, a 68% increase over the 2023 DBIR. Security and risk leaders therefore have every reason to scrutinize the security measures behind the software products their enterprises consume, and that is exactly what Secure by Demand is built to support.
Secure by Demand aims to empower enterprise buyers with a set of checks that can be demanded of a software producer before, during, and after procurement. These checks are presented as a list of questions that enterprise buyers can ask the software producer they wish to work with, including:
These checks are an important start toward upholding software supply chain security at every link in the chain. By holding software producers accountable to these principles, enterprise buyers can use their purchasing power to push more vendors to prioritize secure software practices, and in doing so they reduce the risk that commercial software poses to their own organizations.
Charlie Jones, director of product management for software supply chain security at ReversingLabs, emphasized that accountability for software supply chain risk will only grow for both software producers and enterprise buyers:
"For enterprise buyers of software, visibility into their supply chain is no longer optional. Emerging regulation demands that organizations demonstrate control over business-critical software, regardless of whether it was built or bought." –Charlie Jones
This Week’s Headlines
China-linked hackers compromise ISP to deploy malicious software updates
China-linked cyber espionage group Evasive Panda (aka Bronze Highland, Daggerfly, and StormBamboo) compromised an unnamed internet service provider (ISP) to push malicious software updates to target companies in mid-2023. According to Volexity, which reported the campaign, the attackers altered DNS responses at the ISP so that applications fetching updates over plain HTTP, without validating a digital signature on what they received, downloaded the group's malware in place of the legitimate update. The campaign shows a level of sophistication not previously seen from this group. As Volexity put it: "StormBamboo is a highly skilled and aggressive threat actor who compromises third-parties (in this case, an ISP) to breach intended targets."
Evasive Panda has been active for over a decade, leveraging backdoors such as MgBot (aka POCOSTICK) and Nightdoor (aka NetMM and Suzafk) to harvest sensitive information, in addition to a recent campaign that utilized a macOS malware strain called MACMA. (The Hacker News)
North Korean hackers exploit VPN update flaw to install malware
South Korea's National Cyber Security Center (NCSC) warns that the North Korean state-backed groups Kimsuky (APT43) and Andariel (APT45), both previously linked to the Lazarus group, abused software update mechanisms to deploy malware and breach networks at South Korean construction companies, public institutions, and local governments. In the first case in the advisory, Kimsuky compromised the website of a South Korean construction trade organization and prompted visitors to download trojanized software. In the second, Andariel exploited a vulnerability in a domestic VPN product's communication protocol to push fake software updates that installed DoraRAT, a lightweight remote access trojan (RAT) whose minimal functionality helps it operate stealthily. (Bleeping Computer)
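The common thread in the StormBamboo and Andariel stories is an update client that trusts whatever arrives on the update channel. The following is an added example, not code from Volexity, the NCSC, or any vendor named above, showing the minimal fix: the installed client pins the publisher's Ed25519 public key and refuses any update whose detached signature does not verify under it, so an attacker who controls DNS, the network path, or the update protocol can swap bytes but cannot get them installed. The key pair, the payloads, the `Update` type and every function name here are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrBadSignature is returned for any update that does not verify under the
// pinned publisher key, whether the payload or the signature was tampered with.
var ErrBadSignature = errors.New("update rejected: signature does not verify under pinned publisher key")

// Update is what the client receives: the installer bytes and the publisher's
// detached Ed25519 signature over exactly those bytes. (Constructed type.)
type Update struct {
	Payload   []byte
	Signature []byte
}

// insecureApply mirrors the pattern abused in the ISP compromise: whatever
// arrives over the update channel is installed, so whoever controls DNS, the
// network path, or the update protocol controls what gets executed.
func insecureApply(u Update) ([]byte, error) {
	return u.Payload, nil
}

// verifiedApply installs the payload only if the signature verifies under the
// key baked into the client. The length check matters: ed25519.Verify panics
// on a malformed public key, and a panic in an updater is its own outage.
func verifiedApply(pinnedPub ed25519.PublicKey, u Update) ([]byte, error) {
	if len(pinnedPub) != ed25519.PublicKeySize || len(u.Signature) != ed25519.SignatureSize {
		return nil, ErrBadSignature
	}
	if !ed25519.Verify(pinnedPub, u.Payload, u.Signature) {
		return nil, ErrBadSignature
	}
	return u.Payload, nil
}

// publisherSign stands in for the vendor's release pipeline, which holds the
// private key; it is here only so the example runs offline.
func publisherSign(priv ed25519.PrivateKey, payload []byte) Update {
	return Update{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// tamper models an on-path attacker who swaps the payload but can only replay
// the signature the real publisher produced for the genuine file.
func tamper(u Update, malicious []byte) Update {
	return Update{Payload: malicious, Signature: u.Signature}
}

// Outcome records what each client did with a genuine and a swapped update.
type Outcome struct {
	InsecureInstalledMalicious bool
	VerifiedInstalledMalicious bool
	VerifiedInstalledGenuine   bool
}

// runScenario generates a fresh publisher key pair (constructed for the demo),
// signs a genuine update, lets the attacker swap in a malicious payload, and
// feeds both updates to both clients.
func runScenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	genuine := []byte("vendor-installer-2.1.0 (constructed sample payload)")
	malicious := []byte("vendor-installer-2.1.0 + backdoor (constructed sample payload)")

	signed := publisherSign(priv, genuine)
	swapped := tamper(signed, malicious)

	var o Outcome
	got, _ := insecureApply(swapped)
	o.InsecureInstalledMalicious = bytes.Equal(got, malicious)

	_, err = verifiedApply(pub, swapped)
	o.VerifiedInstalledMalicious = err == nil

	got, err = verifiedApply(pub, signed)
	o.VerifiedInstalledGenuine = err == nil && bytes.Equal(got, genuine)
	return o, nil
}

func main() {
	o, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("insecure client installed attacker payload: %v\n", o.InsecureInstalledMalicious)
	fmt.Printf("verified client installed attacker payload: %v\n", o.VerifiedInstalledMalicious)
	fmt.Printf("verified client installed genuine update:   %v\n", o.VerifiedInstalledGenuine)
}
```

Serving updates over HTTPS would have defeated the DNS-poisoning path on its own, but a signature checked against a key pinned in the client also covers a compromised mirror, CDN, or update server, which transport security does not. The price is operational: the publisher needs a plan for rotating the signing key and shipping the new public key through an already-trusted update.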
A leaked GitHub access token could have led to a catastrophic supply chain attack
Researchers at JFrog discovered a leaked GitHub access token with administrator access to the centralized PyPI repository and the Python Software Foundation’s GitHub repositories; had it not been rapidly revoked, they believe it could have enabled a range of supply chain attacks with severe consequences. The token was found in a compiled Python file (.pyc) inside a Docker container image, and the researchers believe it was leaked by accident through human error. (ITPro)
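The JFrog finding is a reminder that compiled artifacts carry secrets as faithfully as source does: a string constant in a .py file is still a string constant in the .pyc, and in every container layer built from it. As an added example, not JFrog's scanner or the PSF's tooling, the Go program below scans raw bytes for GitHub token formats and runs over a constructed blob shaped like a marshalled Python string constant. The token, the blob bytes, and all type and function names are made up for this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Finding is one token-shaped match: which pattern hit, where in the blob,
// and a redacted preview so the scanner's own output is not a second leak.
type Finding struct {
	Kind     string
	Offset   int
	Redacted string
}

// tokenPattern pairs a label with a regexp matched over raw bytes. The scan
// is byte-based on purpose: compiled artifacts and container layers are not
// text, and a line-oriented grep gives up at the first NUL or invalid UTF-8.
type tokenPattern struct {
	kind string
	re   *regexp.Regexp
}

// GitHub's documented prefixes: classic tokens (ghp_ personal, gho_ OAuth,
// ghu_/ghs_ app tokens, ghr_ refresh) carry 36 characters after the prefix;
// fine-grained personal access tokens use github_pat_ followed by 82.
var tokenPatterns = []tokenPattern{
	{"github_classic", regexp.MustCompile(`gh[pousr]_[A-Za-z0-9]{36}`)},
	{"github_fine_grained", regexp.MustCompile(`github_pat_[A-Za-z0-9_]{82}`)},
}

// redact keeps enough of the token to identify which one leaked without
// reproducing it.
func redact(tok string) string {
	if len(tok) <= 12 {
		return tok
	}
	return tok[:8] + "..." + tok[len(tok)-4:]
}

// scan returns every token-shaped match in blob, in pattern order and then
// offset order.
func scan(blob []byte) []Finding {
	var out []Finding
	for _, p := range tokenPatterns {
		for _, loc := range p.re.FindAllIndex(blob, -1) {
			out = append(out, Finding{
				Kind:     p.kind,
				Offset:   loc[0],
				Redacted: redact(string(blob[loc[0]:loc[1]])),
			})
		}
	}
	return out
}

// sampleArtifact builds a constructed blob that imitates a compiled Python
// file: a header of non-text bytes, then a marshal-style string constant
// holding a token. The token is a placeholder, not a real credential.
// Deleting the .py source would not remove this constant from the .pyc.
func sampleArtifact() []byte {
	const fakeToken = "ghp_" + "EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE0" // 4 + 36 chars
	blob := []byte{0xa7, 0x0d, 0x0d, 0x0a, 0x00, 0x00, 0x00, 0x00, 0xe3, 0x00, 0x00, 0x00}
	blob = append(blob, 0x7a, byte(len(fakeToken))) // marshal-style type byte and length
	blob = append(blob, fakeToken...)
	blob = append(blob, 0x00, 0xff, 0x5a, 0x0a)
	blob = append(blob, "ghp_tooshort"...) // decoy: right prefix, wrong length
	return blob
}

func main() {
	for _, f := range scan(sampleArtifact()) {
		fmt.Printf("%-20s offset=%d token=%s\n", f.Kind, f.Offset, f.Redacted)
	}
}
```

Run the same scan over every layer of an image before it is pushed, not just over the source tree; the token in the JFrog case had already been compiled out of sight of a source-only check.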
North Korean hackers Moonstone Sleet push malicious JS packages to npm registry
The North Korea-linked threat actor known as Moonstone Sleet has continued to push malicious npm packages to the JavaScript package registry with the aim of infecting Windows systems, underscoring the persistent nature of its campaigns. The packages in question, harthat-api and harthat-hash, were published on July 7, 2024, according to Datadog Security Labs. Neither attracted any downloads, and both were pulled after a brief period. Researchers attributed the packages to Moonstone Sleet based on clear overlap with the group’s prior malicious campaigns. (The Hacker News)
‘Cybercriminals are preying on Windows users’: Software subject of CISA, cybersecurity warnings
CISA added a Windows vulnerability, CVE-2018-0824, to its Known Exploited Vulnerabilities Catalog this past Monday. The listing states that "Microsoft COM for Windows contains a deserialization of untrusted data vulnerability that allows for privilege escalation and remote code execution," and, as with every KEV entry, directs users to apply the vendor's patch or discontinue use of the product if a fix is unavailable. CISA said it did not know whether the vulnerability had been used in a ransomware campaign, but Cisco Talos reports that a Chinese hacking group used it in an attack on a Taiwanese government-affiliated research center, which Talos says was "likely compromised." Despite the headline, the flaw is six years old and was patched by Microsoft in 2018; the exposure is confined to systems that never took that update. (USA Today)
Open source software: Ways for CISOs to quell the fear
There is plenty of love for open source software among developers, CFOs, and IT teams alike. For CISOs, though, open source is more likely to inspire fear than love: open source libraries have been the target of major software supply chain attacks in recent years, and many projects lack the dedicated security oversight that large commercial vendors apply to closed software. Organizations that adopt open source deliberately and responsibly can still take full advantage of its benefits while keeping the security risk manageable. This CIO article offers guidance on getting the best of both worlds when incorporating open source into enterprise software supply chains. (CIO)
Looking for more insights on software supply chain security? Head to the RL Blog.
Resource Round-up
Webinar | Black Hat 2024 Recap
Not everything that happens in Vegas has to stay in Vegas. From Black Hat to DEF CON, there is a lot to unpack from one of the biggest weeks in cybersecurity. We are excited to invite macOS security expert and Black Hat speaker Patrick Wardle to discuss this year’s events, including what’s changed since last year, the latest trends, and top takeaways. [Register Here]
White Paper | Closing the Software Supply Chain Security Gap
Software supply chain security strategies rooted in technologies like SAST, DAST, and SCA focus solely on vulnerabilities, while commercial software risk assessments rely on surface-level pentests, questionnaires, and SBOMs. This white paper dives into the technical nuances of complex binary analysis and how it enables software producers and buyers to flag embedded software supply chain threats of all kinds. [Download Here]
Webinar | Don’t Stop at the SBOM: How to Take Your Software Supply Chain Security to the Next Level
To effectively manage software supply chain risk, security and risk professionals need to go beyond the SBOM and adopt a more comprehensive software risk assessment - one that not only inventories software components, but also provides in-depth analysis and context. Sign up for this session to learn more. [Register Here]
Looking for more great conversations to watch? See RL’s on-demand webinar library.