“Next-generation” 3rd Party Attacks

In July of 2020, we discussed seeding open-source projects with compromised components. In the past six months, commercial and enterprise software developers became more disciplined in keeping developed open-source software libraries updated to reduce the risk of software-based supply chain attacks, the cybercriminals are upping their game: in recent months researchers have issued warnings both cybercrime and cyber espionage entities are over-running open-source projects to turn them into malware distribution channels.

In the past, attackers simply utilized existing vulnerabilities within well-used open-source components, with the understanding they could victimize the several organizations at once who rely on outdated code dependencies. Crime and espionage groups are now more frequently getting proactive by infiltrating open-source projects to seed them with compromised components that can modify once they are downloaded and used by unsuspecting organizations.

According to the latest 2020 State of the Software Supply Chain Report just released by Sonatype, the new paths in, referred to as “next-generation” supply chain attacks have surpassed the increase in zero-day exploits and are up 430% in the past year. This equates to a 40% rise in supply chain-based breaches.

Just like a normal business, their activities ‘upstream,’ where they can infect a single open-source component that has the potential to be distributed ‘downstream,’ where it can be strategically and covertly exploited,” explains Wayne Jackson, CEO of Sonatype.

As the report explains, attackers are leveraging the very nature of open-source software development against itself with these next-gen supply chain attacks. Open-source projects rely on contributions from volunteers, and these projects themselves frequently incorporate hundreds or even thousands of dependencies from other projects. The foundation of open-source projects is one that relies on shared trust, all of “which creates a fertile environment whereby bad actors can prey upon good people with surprising ease”.

Attackers are now starting to seek out ways to scale up their efforts to plant malicious code through automated malware that goes directly after development pipelines. The most recent sophisticated example of a next-gen software supply chain attack was discovered lurking on GitHub in May. Researchers found a piece of malware called Octopus Scanner that targeted GitHub users involved in developing NetBeans (an integrated development environment) for Java projects. The Octopus Scanner was designed to serve up backdoored code into NetBeans components within GitHub repositories without the legitimate repository owners even realizing it. Meaning that every time developers of these components release code to the public, it has already been modified by the attacker.

In the context of Open-Source Services, it gives the malware an effective means of transmission since the affected projects will presumably get cloned, forked, and used on potentially many different systems. This was explained in detail by GitHub security researcher Alvaro Muñoz, in a blog about Octopus Scanner. “The actual artefacts of these builds may spread even further in a way that is disconnected from the original build process and harder to track down after the fact.”

The rise in these next-generation software supply chain attacks follows a well-worn story in the security world. Anyone who has been in the business long enough recognizes that no good deed goes unpunished. According to the report’s research, 49% of organizations are now able to remediate open-source vulnerabilities within a week of detection.

Sparity can help your organization by performing environmental assessments to and develop a security code review process before code is pushed to production. We maintain awareness of these types of threats through having spent years in code, application, and database development. In addition, we maintain awareness of threats to various business models both within the US and Asia Pacific.