In July of 2020, we discussed seeding open-source projects with compromised components.  In the past six months, commercial and enterprise software developers became more disciplined in keeping developed open-source software libraries updated to reduce the risk of software-based supply chain attacks, the cybercriminals are upping their game: in recent months researchers have issued warnings both cybercrime and cyber espionage entities are over-running open-source projects to turn them into malware distribution channels.

In the past, attackers simply utilized existing vulnerabilities within well-used open-source components, with the understanding they could victimize the several organizations at once who rely on outdated code dependencies. Crime and espionage groups are now more frequently getting proactive by infiltrating open-source projects to seed them with compromised components that can modify once they are downloaded and used by unsuspecting organizations.

According to the latest 2020 State of the Software Supply Chain Report just released by Sonatype, the new paths in, referred to as “next-generation” supply chain attacks have surpassed the increase in zero-day exploits and are up 430% in the past year.  This equates to a 40% rise in supply chain-based breaches.

Just like a normal business, their activities ‘upstream,’ where they can infect a single open-source component that has the potential to be distributed ‘downstream,’ where it can be strategically and covertly exploited,” explains Wayne Jackson, CEO of Sonatype.

which creates a fertile environment whereby bad actors can prey upon good people with surprising ease

As the report explains, attackers are leveraging the very nature of open-source software development against itself with these next-gen supply chain attacks. Open-source projects rely on contributions from volunteers, and these projects themselves frequently incorporate hundreds or even thousands of dependencies from other projects. The foundation of open-source projects is one that relies on shared trust, all of “which creates a fertile environment whereby bad actors can prey upon good people with surprising ease”.

“Next-generation” 3rd Party Attacks

Attackers are now starting to seek out ways to scale up their efforts to plant malicious code through automated malware that goes directly after development pipelines. The most recent sophisticated example of a next-gen software supply chain attack was discovered lurking on GitHub in May. Researchers found a piece of malware called Octopus Scanner that targeted GitHub users involved in developing NetBeans (an integrated development environment) for Java projects. The Octopus Scanner was designed to serve up backdoored code into NetBeans components within GitHub repositories without the legitimate repository owners even realizing it. Meaning that every time developers of these components release code to the public, it has already been modified by the attacker.

Software supply chain attacks follows a well-worn story in the security world

In the context of Open-Source Services, it gives the malware an effective means of transmission since the affected projects will presumably get cloned, forked, and used on potentially many different systems. This was explained in detail by GitHub security researcher Alvaro Muñoz, in a blog about Octopus Scanner. “The actual artefacts of these builds may spread even further in a way that is disconnected from the original build process and harder to track down after the fact.”

The rise in these next-generation software supply chain attacks follows a well-worn story in the security world. Anyone who has been in the business long enough recognizes that no good deed goes unpunished. According to the report’s research, 49% of organizations are now able to remediate open-source vulnerabilities within a week of detection.

Sparity can help your organization by performing environmental assessments to and develop a security code review process before code is pushed to production.  We maintain awareness of these types of threats through having spent years in code, application, and database development.  In addition, we maintain awareness of threats to various business models both within the US and Asia Pacific.

Related Posts

Top 10 Application Security Best Practices

The unprecedented growth experienced by the application development industry has put forth millions of mobile .....

Log 4j’ Fatal Security loophole…Most Internet Servers are at Risk

A critical security vulnerability found in software widely used in most Internet server has raise...

Digital Revolution Contributing to A Rise in Cybersecurity Threats

Cybersecurity is umbrella term, that encompass methods and practices, used to protect a critical .….

Is fiscal planning for 2021 already disrupted?

Take a brief look at general examples of how you or your third-party relationship …

Cybersecurity and Internet of Things (IoT) – Is it 1984 Yet?

Always connected devices are everywhere & large component of lives, commonly people think digital ….

“Next-generation” 3rd Party Attacks

In the past attacker simply utilize existing vulnerability with well- used open- source components …

Business Email Compromise (BEC): Old wine in new bottle

Despite a 25-year history, Business Email Compromise (BEC), remains a highly utilized and attack. ….

Charity Phishing

Cybercriminals love the holidays from social media platforms phishing has turned to digital social …

Explaining Cybersecurity to the C Level

Defining a new requirement placed on organization by the pandemic response may leave a completely ..