Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Supply Chain. Show all posts
Vulnerabilities and Exploits
BMC Flaw Silent Flaw Supply Chain Vulnerabilities and Exploits

The Silent Flaw: How a 6-Year-Old BMC Vulnerability Went Unnoticed


A six-year-old vulnerability has recently come to light, affecting Intel and Lenovo servers. Let’s delve into the details of this silent flaw and its implications. 

About vulnerability

The vulnerability resides within the Lighttpd web server, a lightweight and efficient open-source server commonly used for high-traffic websites. Researchers at the Binary firmware security firm stumbled upon this flaw, which had remained unnoticed for years. The flaw lies in the handling of “folded” HTTP request headers, leading to a heap out-of-bounds (OOB) read vulnerability.

The Culprit: Lighttpd Web Server

The Lighthttpd developers stealthily patched the issue in version 1.4.51 without issuing a tracking ID (CVE), even though it was resolved in August 2018.

Because of this, the AMI MegaRAC BMC developers overlooked the change and neglected to incorporate it into the final version. As a result, system vendors and their clients were affected further down the supply chain by the vulnerability.

The Impact

BMCs are microcontrollers that are integrated into server-grade motherboards, such as those found in cloud and data center systems, and allow for firmware updates, remote management, restarting, and monitoring of the device.

Binary discovered that AMI neglected to implement the Lighttpd patch from 2019 until 2023, which resulted in the deployment of numerous devices that were susceptible to the remotely exploitable flaw throughout this time.

The vulnerability allows attackers to exfiltrate process memory addresses, a critical piece of information. Armed with this data, malicious actors can bypass security mechanisms like Address Space Layout Randomization (ASLR). In essence, the flaw undermines the very protection mechanisms designed to prevent unauthorized access.

Supply Chain Fallout

The story takes an unexpected twist as we trace the flaw’s journey through the supply chain. The maintainers of Lighttpd patched the vulnerability silently in August 2018 (version 1.4.51), without assigning a tracking ID (CVE). Unfortunately, this stealthy fix allowed the flaw to persist in the wild.

The Vendors and Their Devices

Several vendors unwittingly shipped devices with this vulnerability, including Intel, Lenovo, and Supermicro. Let’s explore the impact of each:

Intel

The vulnerability affects the M70KLP series firmware (latest version).

Internal identifier: BRLY-2024-002.

Approximately 2000+ Intel server models remain vulnerable.

Lenovo

Lenovo’s BMC firmware (latest version) harbors the same flaw.

Impacted server models: HX3710, HX3710-F, and HX2710-E.

Internal identifier: BRLY-2024-003.

Supermicro

While not explicitly mentioned, Supermicro devices are likely affected due to their reliance on Lighttpd. The flaw underscores the need for thorough security assessments across the board.

The Hackable Hardware

The oversight in communication between vendors, maintainers, and end-users has resulted in the shipment of hackable hardware. These devices unwittingly expose sensitive information, jeopardizing the security of data centers, cloud services, and critical infrastructure.

The Urgent Call to Action

As the flaw’s existence becomes public knowledge, vendors must act swiftly:

Patch and Update: Vendors should release patches addressing the vulnerability promptly.

Security Audits: Rigorous security audits are essential to identify and rectify hidden flaws.

Transparency: Clear communication channels between maintainers, vendors, and end-users are crucial.

Read more »
Supply Chain
Community breach Cyber Crime Emails Hacking Microsoft Midnight Blizzard Supply Chain

Russian Hackers Breach Microsoft's Security: What You Need to Know

 


In a recent set of events, reports have surfaced of a significant cyberattack on Microsoft, allegedly orchestrated by Russian hackers. This breach, attributed to a group known as Midnight Blizzard or Nobelium, has raised serious concerns among cybersecurity experts and the public alike.

The attack targeted Microsoft's source code repositories, exposing sensitive company information and communications with partners across various sectors, including government, defence, and business. While Microsoft assures that no customer-facing systems were compromised, the breach has far-reaching implications for national and international security.

Cybersecurity experts warn of the potential for increased zero-day vulnerabilities, which are undiscovered security flaws that can be exploited by hackers. Access to source code provides attackers with a "master key" to infiltrate systems, posing a significant threat to organisations and users worldwide.

The severity of the breach has prompted strong reactions from industry professionals. Ariel Parnes, COO of Mitiga, describes the incident as "severe," emphasising the critical importance of source code security in the digital age. Shawn Waldman, CEO of Secure Cyber Defense, condemns the attack as a "worst-case scenario," highlighting the broader implications for national security.

The compromised data includes emails of senior leadership, confidential communications with partners, and cryptographic secrets such as passwords and authentication keys. Larry Whiteside Jr., a cybersecurity expert, warns of potential compliance complications for Microsoft users and partners, as regulators scrutinise the breach's impact on data protection laws.

As the fallout from the breach unfolds, there are growing concerns about the emergence of zero-day vulnerabilities and the need for proactive defence measures. Experts stress the importance of threat hunting and incident response planning to mitigate the risks posed by sophisticated cyber threats.

The incident underscores the ongoing battle in the global cyber warfare landscape, where even tech giants like Microsoft are not immune to attacks. With cybercriminals increasingly targeting supply chains, the need for enhanced security measures has never been more urgent.

The breach of Microsoft's systems serves as a wake-up call for individuals and organisations alike. It highlights the ever-present threat of cyberattacks in an increasingly interconnected world and underscores the need for enhanced cybersecurity measures. By staying vigilant and proactive, establishments can mitigate the risks posed by cyber threats and protect their digital assets from exploitation.

As the field of cybersecurity keeps changing and developing, stakeholders must work together to address the underlying threats and ensure the protection of critical infrastructure and data. This recent breach of Microsoft's security by Russian hackers has raised serious concerns about the vulnerability of digital systems and the need for robust cybersecurity measures.


Read more »
Supply Chain
Cyber Attacks Evasive Panda MgBot State Sponsored Hackers Supply Chain

China State-Sponsored Spies Hack Site and Target User Systems in Asia


Chinese threat actors strike again

Users of a Tibetan language translation app and website visitors to a Buddhist festival were compromised by a focused watering-hole malware connected to a Chinese threat group.

According to recent data from ESET, the so-called Evasive Panda hacking team's cyber-operations campaign started in September 2023 or earlier and impacted systems in Taiwan, Hong Kong, Taiwan, Australia, and the United States.

During the campaign, the attackers gained access to the websites of three different businesses: a development company that provides translations into Tibetan; an organization based in India that promotes Tibetan Buddhism; and the news website Tibetpost, which unintentionally contained dangerous applications. Specific global geographic visitors to the sites were infected with droppers and backdoors, which included Nightdoor, a relatively new backdoor application, and the group's favourite MgBot.

Adversary in the middle attacks

According to ESET researcher Anh Ho, who uncovered the attack, the organization used an astonishing range of attack vectors in the campaign, including phishing emails, watering holes, and adversary-in-the-middle (AitM) attacks via software updates that took advantage of development servers.

"The fact that they orchestrate both a supply chain and watering-hole attack within the same campaign showcases the resources they have," according to him. "Nightdoor is quite complex, which is technically significant, but in my opinion, Evasive Panda's [most significant] attribute is the variety of the attack vectors they have been able to perform."

A relatively small unit called Evasive Panda is usually assigned to surveillance missions in Asia and Africa, mostly targeting individuals and organizations. As reported by SentinelOne, the organization is linked to attacks on telecom companies in 2023 under the code name Operation Tainted Love. According to Microsoft, it is also related to the attribution group Granite Typhoon, née Gallium. Symantec refers to it as Daggerfly as well, and Google Mandiant reports that it shares similarities with a group of cybercriminals and spies known as

Supply chain and watering holes compromises

The group, which has been active since 2012, is well-known for its supply chain attacks and for using stolen code-signing credentials and program upgrades in 2023 to infect users' PCs in China and Africa.

The organization commandeered a website for the Tibetan Buddhist Monlam festival in this most recent campaign, according to ESET's published analysis, to provide a backdoor or downloader tool that downloaded malicious payloads from a compromised Tibetan news site.

The hackers utilized Trojanized programs to infect Mac OS and Windows machines and also compromised a vendor of Tibetan translation software to further target consumers.

Cyber espionage links

Evasive Panda has created MgBot, a proprietary malware framework with a modular architecture that can download other components, run code, and steal data. MgBot modules can download further capabilities and spy on victims who have been hacked, among other things.

Using the MgBot downloader to deliver final payloads, Evasive Panda targeted users in India and Hong Kong in 2020, according to Malwarebytes, which connected the organization to earlier assaults in 2014 and 2018.

The organization released Nightdoor in 2020 as a backdoor that can be used to issue commands, upload data, and build a reverse shell by communicating with a command-and-control server.


Read more »
Supply Chain Attack
Artifcial Intelligence Cyber Hackers Data Breach Hacking Supply Chain Supply Chain Assaults Supply Chain Attack

Hugging Face's AI Supply Chain Escapes Near Breach by Hackers

 

A recent report from VentureBeat reveals that HuggingFace, a prominent AI leader specializing in pre-trained models and datasets, narrowly escaped a potential devastating cyberattack on its supply chain. The incident underscores existing vulnerabilities in the rapidly expanding field of generative AI.

Lasso Security researchers conducted a security audit on GitHub and HuggingFace repositories, uncovering more than 1,600 compromised API tokens. These tokens, if exploited, could have granted threat actors the ability to launch an attack with full access, allowing them to manipulate widely-used AI models utilized by millions of downstream applications.

The seriousness of the situation was emphasized by the Lasso research team, stating, "With control over an organization boasting millions of downloads, we now possess the capability to manipulate existing models, potentially turning them into malicious entities."

HuggingFace, known for its open-source Transformers library hosting over 500,000 models, has become a high-value target due to its widespread use in natural language processing, computer vision, and other AI tasks. The potential impact of compromising HuggingFace's data and models could extend across various industries implementing AI.

The focus of Lasso's audit centered on API tokens, acting as keys for accessing proprietary models and sensitive data. The researchers identified numerous exposed tokens, some providing write access or full admin privileges over private assets. With control over these tokens, attackers could have compromised or stolen AI models and supporting data.

This discovery aligns with three emerging risk areas outlined in OWASP's new Top 10 list for AI security: supply chain attacks, data poisoning, and model theft. As AI continues to integrate into business and government functions, ensuring security throughout the entire supply chain—from data to models to applications—becomes crucial.

Lasso Security recommends that companies like HuggingFace implement automatic scans for exposed API tokens, enforce access controls, and discourage the use of hardcoded tokens in public repositories. Treating individual tokens as identities and securing them through multifactor authentication and zero-trust principles is also advised.

The incident highlights the necessity for continual monitoring to validate security measures for all users of generative AI. Simply being vigilant may not be sufficient to thwart determined efforts by attackers. Robust authentication and implementing least privilege controls, even at the API token level, are essential precautions for maintaining security in the evolving landscape of AI technology.
Read more »
Supply Chain
Australia Christmas Goods Cyber Attacks Shipping Company Supply Chain

Cyberattack Could Lead to a Shortage of Christmas Goods in Australia

 

A cyberattack over the weekend partially closed four major Australian ports, raising concerns about cascading effects. 

Forty percent of the freight that enters the country is handled by DP World Australia, which discovered a security breach on Friday and immediately turned off its internet connection. 

This meant that throughout the weekend, the company's port operations in Sydney, Melbourne, Brisbane, and Fremantle were shut down. 

The company could not estimate how long it would take to recuperate from the cyberattack, but experts believe it could take weeks, prompting price hikes and rising inflationary pressure. 

According to AMP chief economist Shane Oliver, a lengthy disruption in the operations of UAE-owned DP World could have a ripple effect on the overall economy and help trigger another interest rate hike. 

He stated that the attack on DP World, as well as its inability to move goods in or out of its ports, constituted a supply shock, and that a prolonged closure could push up commodity prices, forcing the Reserve Bank to consider another interest rate hike at its December meeting.

“It goes to the nature of the supply shock here, and this could have an impact on the prices, and inflation rate, of goods, which has been coming down. If this stops that, or it pushes up prices, then the Reserve Bank could be looking at it at their December meeting,” Oliver noted. 

However, senior Westpac economist Justin Smirk stated that the Reserve Bank is beginning to consider disruptive incidents such as cyberattacks on supply chain infrastructure. 

The founder of the data breach tracker Have I Been Pwned and cybersecurity researcher Troy Hunt warned that disruptions to Australian consumers could last for weeks and have an impact on Christmas delivery. 

Hunt told this masthead, "If you look back to COVID, look at the sheer number of things that got disrupted just because bits and pieces couldn't get delivered." "It depends on the actions taken here as well; have the internal systems of [DP World] been destroyed?" 

He cited preliminary research from cybersecurity veteran Kevin Beaumont, who discovered that DP World was most likely the victim of a ransomware attack enabled by a vulnerability in Citrix NetScaler software. 

According to Hunt, ransomware groups are now far more professional than they used to be, with websites listing every victim and a countdown timer indicating how much longer they had to pay. 

“There’s … a financial motive for this sort of stuff,” Hunt noted. “Of course, we’ve seen this in Australia recently with the Medibank situation, we’re seeing this more and more. If you have a spin through some of the dark web ransomware websites, it’s just stunning the number of organisations that are listed on there.”
Read more »
Telegram
cryptocurrency Cyberattacks Cybersecurity Data Theft Google python Software Supply Chain Telegram

Data Theft Alert: Malicious Python Packages Exposed – Stay Secure

 


Researchers have observed an increasing complexity in the scope of a malicious campaign, which has exposed hundreds of info-stealing packages to open-source platforms over the past half-year, with approximately 75,000 downloads being recorded. 

Checkmarx's Supply Chain Security team has been monitoring the campaign since it started at the beginning of April. Analysts discovered 272 packages with code intended to steal confidential information from systems that have been targeted by this campaign. 

There has been a significant evolution of the attack since it was first identified. The authors of the packages have started integrating increasingly sophisticated obfuscation layers and detection-evading techniques to attempt to prevent detection. 

The concept of an info stealer has evolved from humble beginnings over time to become a powerful info stealer capable of stealing information associated with everyone. 

Crypto and Data Theft 


As the researchers point out, "the Python ecosystem started showing a pattern of behaviour in early April 2023." For example, the “_init_py” file was found to load only when it was confirmed that it was running on a target system rather than in a virtualized environment. This is the usual sign of a malware analysis host, according to the researchers. 

This malware will check for the presence of an antivirus on the compromised endpoint, search for task lists, Wi-Fi passwords, system information, credentials, browsing history, cookies, and payment information saved in your browser as well as cryptocurrency data from wallet apps, Discord badges, phone numbers, email addresses, Minecraft data, and Roblox data. As you can see, the malware checks for these things as well. Additionally, it will also take screenshots of any data that is considered to be of importance and upload it directly. 

Aside from that, the malware causes the compromised system to take screenshots and steal individual files such as those in the Desktop, Pictures, Documents, Music, Videos, and Downloads directories to spread to other systems. 

In addition, the malware monitors constantly the victim's clipboard for cryptocurrency addresses, and it swaps the addresses with the attacker's address to divert the payment to wallets controlled by the attacker. 

Approximately $100,000 worth of cryptocurrency is estimated to have been directly stolen by this campaign, according to the analysts. 

An Analysis of The Attack's Evolution 


There was no doubt that the malicious codes and files from this campaign were found in April packages, since the malicious code was plain text, as reported by the researchers. The researchers also noticed that a multilayered anti-obfuscation had been added to two of the packages by the authors in May to hinder analysis of the packages. 

However, in August, a researcher noted that many packages now have multi-layer encryption. There are currently at least 70 layers of obfuscation used by two of the most recent packages tested by Checkmarx's researcher Yahuda Gelb, as noted in a separate report. 

There was also an announcement that the malware developers planned to develop a feature that could disable antivirus software, added Telegram to the list of targeted applications, and introduced a fallback mechanism for data exfiltration during August. 

There are still many risk factors associated with supply chain attacks, according to the researchers, and threat actors are uploading malicious packages to widely used repositories and version control systems daily, such as GitHub, or package repositories such as PyPi and NPM, as well as to widely used package repositories such as GitHub. 

To protect their privacy, users should carefully scrutinize their trustworthiness as well as be vigilant against typosquatting package names in projects and packages that they trust.
Read more »
Supply Chain
Cyber Security Data Open Source Safety Supply Chain

Open Source Software has Advantages, but Supply Chain Risks Should not be Overlooked

 

While app development is faster and easier, security remains a concern. In an era of continuous integration and deployment, DevOps, and daily software updates, open-source components are becoming increasingly important in the software development scene.

In a report released last year, silicon design automation firm Synopsys discovered that 97 percent of codebases in 2021 contained open source and that open source software (OSS) was present in 100 percent of audited codebases in four of 17 industries studied - computer hardware and chips, cybersecurity, energy, and clean tech, and the Internet of Things (IoT). The other verticals had at least 93 percent open source. It can contribute to increased efficiency, cost savings, and developer productivity.

"Open source really is everywhere," Fred Bals, senior technical writer at Synopsys, wrote in a blog post about the report.

However, the increasing use of open-source packages in application development opens the door for threat groups to use the software supply chain as a backdoor to a plethora of targets that rely on it.

Due to the widespread use of OSS packaging in development, many enterprises have no idea what is in their software. With so many different hands involved, it's difficult to know what's going on in the software supply chain. According to a VMware report from last year, concerns about OSS included the need to rely on a community to patch vulnerabilities, as well as the security risks that entails.

Varun Badhwar, co-founder and CEO of Endor Labs – a startup working to secure OSS in app development – called it "the backbone of our critical infrastructure." But he added that developers and executives are often surprised by how much of their applications' code comes from OSS.

According to Badhwar, 95 percent of all vulnerabilities are found in "transitive dependencies," which are open source code packages that are pulled into projects rather than being chosen by developers.

"This is a huge arena, yet it's been largely overlooked," he warned.

Growing awareness of the threat

The use of open source software is not a new trend. According to Brian Fox, co-founder and CTO of software supply chain management vendor Sonatype and a member of the OpenSSF (Open Source Security Foundation) governing board, developers have been doing it for a dozen years or more.

According to Fox, developers assemble the source components and add business logic. As a result, open source becomes the software's foundation.

What has changed in recent years is the general awareness of it, not just among well-intentioned developers who are creating software from these disparate parts.

"The attackers have figured this out as well," he said. "A big notable change over the last five or so years has been the rise of intentional malware attacks on the supply chain."

This was highlighted by the SolarWinds breach in 2020, in which miscreants linked to Russia broke into the company's software system and inserted malicious code. Customers who downloaded and installed the code unknowingly during the update process were then compromised. Similar attacks followed, notably against Kaseya and Log4j.

Obtaining the image using Log4j

According to Fox, the Java-based logging tool is an example of the massive risk consolidation that comes with the widespread use of popular software components.

"It's a simple component way down [in the software] and it was so popular you can basically stipulate it exists in every Java application – and you would be right 99.99 percent of the time," he said. "As an attacker … you're going to focus on those types of things. If you can figure out how to exploit it, it makes it possible to 'spray and pray' across the internet – as opposed to in the '90s, when you had to sit down and figure out how to break each bespoke web application because they all had custom code."

Enterprises have "effectively outsourced 90 percent of your development to people you don't know and can't trust. When I put it that way, it sounds scary, but that's what's been happening for ten years. We're just now grappling with the implications of it."

Log4j also brought to light another issue in the software supply chain, awakening many to how reliant they are on OSS. Despite this, an estimated 29 percent of Log4j downloads are still of the vulnerable versions.

According to Sonatype analysis, the majority of the time a company uses a vulnerable version of any component, a fixed version of the component is available - but they don't use it. This indicates a need for more education. according to Fox. "96 percent of the problem is people keep taking the tainted food off the shelf instead of taking a cleaned-up one."

Concentrating on the repositories

Another OSS-related threat is the injection of malware into package repositories such as GitHub, Python Package Index (PyPI), and NPM. Cybercriminals are using dependency confusion and other techniques to create malicious versions of popular code in order to trick developers into including the code in their software.

They may use an underscore instead of a dash in their code to confuse developers into selecting the incorrect component.

"The challenge with this is that the attack happens as soon as the developer downloads that component and these downloads happen by the tools," Fox said. "It's not like they're literally going to a browser and downloading it like the old days, but they're putting it into their tool and it happens behind the scenes and it might execute this malware.

"The sophistication of the attacks is low and these malware components don't even often pretend to be a legitimate components. They don't compile. They're not going to run the test. All they do is deliver the payload. It's like a smash-and-grab."

Defenses are being strengthened.

Despite the security risks associated with OSS, there are benefits to using it. According to Fox, it is more visible and transparent than commercial software. He cited the response to the Log4j vulnerabilities: the Log4j team produced a fix in a matter of days, which commercial organizations were unlikely to be able to do.

Mike Parkin, the senior technical engineer at Vulcan Cyber, agreed that having more eyes on the code through open source can help mitigate cyber threats, but it also makes it easier for potential attackers.

That said, "historically the tradeoff has usually favored the open source developers," Parkin told The Register.

The SolarWinds attack highlighted the importance of software supply chain security. Building on US President Biden's 2021 Cybersecurity Executive Order, the White House ordered [PDF] federal agencies in September 2022 to follow NIST guidelines when using third-party software, including self-attestation and software bills of materials (SBOMs) by software vendors.

Vendors are working on a variety of initiatives to strengthen the security of the software supply chain. These include the rise of multi-vendor frameworks such as the Open Software Supply Chain Attack Reference, tools such as the Vulnerability Exploitability Exchange (VEX), and other cybersecurity vendor products.

Still, Sonatype's Fox would like to see other steps taken, such as requiring software manufacturers to recall defective software components. They are currently designed to create an SBOM. Fox compared it to car manufacturers only having to provide buyers with a list of vehicle parts, which can then be stuffed into a glove box and forgotten about, with no obligation to recall the vehicle if any of those parts are faulty.

"What we really need is something to basically mandate that they can do a recall, because that implies that they know all the parts and where they ship them and which versions of the applications have which open source dependencies, but it also means they're actually managing it and looking out for that," he said. "That drives you towards that proper behavior."

Fox wishes to concentrate on the actual maintenance of the OSS packages. Governments are moving in that direction, he said, noting that the EU's Cyber Resilience Act mentions the need for recalls, albeit without using the exact words. According to Fox, the Biden administration may be warming up to the idea.

He is also considering component-level firewalls, which work similarly to packet-level firewalls in that they can inspect network traffic and block malicious traffic before an attack can begin. Similarly, a component-level firewall could prevent malicious code from infiltrating the software.

"If you don't even know what's in your software to start with, you probably have no visibility into what's going on with the malware, which is almost a worse problem because it's not just the vulnerability that's latent, waiting for somebody to exploit," he said. "It's causing harm the moment you touch it. Not enough people are really getting their head around that part of the problem either."

The Nexus Firewall, which Fox said was inspired by credit card fraud protection, was built into Sonatype's platform. The firewall recognizes normal behavior and can detect abnormal behavior using artificial intelligence and machine learning techniques. More than 108,000 malicious attack attempts were detected by the firewall in 2022.

"So many organizations don't even know that this is a problem," he said. "It's where the game is happening right now and the attackers are kind of having a field day, unfortunately."

It is necessary to have both SBOM and firewall-like capabilities.

"Yes, you need to know where all those parts are, so when the next Log4j happens, you can remediate it immediately and not have to start triaging thousands of applications," Fox argued. "But that's not going to stop these malicious attacks. You also need to be perfect protecting the factory."


Read more »
Supply Chain
CISD Cyber Security Cyberattacks CyberCrime SBOM Software Supply Chain

How Does Modern Software Work?

 


It is encouraging to see a thriving community within the cybersecurity industry clamoring to share experiences as conference season approaches. As a result of the call-for-speakers process, attendees can get a pretty clear idea of what's on the minds of the entire ecosystem of cybersecurity professionals across the globe. 

This year's "RSAC 2023 Call for Submissions Trends Report" examined several noteworthy trends related to open source, one of which was open source's ubiquity and decreasing resemblance to silos, a trend that has been observed in previous research about the RSAC 2023 call for submissions. There are both benefits and risks associated with the changes in modern software. 

Software Writing: Is It Still a Thing? 

There is no doubt that cybersecurity professionals spend much of their time discussing software and how it's assembled, tested, deployed, and patched to protect against malicious attacks. 

A company's software has a profound effect on its success, regardless of its size or sector. As scale and complexity have increased over time, teams and practices have evolved to meet these challenges. In light of this, Jennifer Czaplewski, senior director at Target, where she leads DevSecOps and endpoint security, says this has led to more assembly than the writing of software in the modern day. She is also a member of the program committee for the RSA Conference. This is not just a matter of opinion, it is a fact. According to estimates made by industry experts, 70% to almost 100% of all software across the industry contains open-source components. These are codes that can be directly attacked in small and large attacks. It creates a huge, shifting attack surface that everyone should be keeping an eye on, as well as an area of focus for everyone to work on. 

While you are designing and assembling code, you are bound to discover a lot of dependencies that you will have to deal with - both transitive and widespread. A team integrating the code will also need to better understand the process used to run, test and maintain it. This will enable them to bring these dependencies to the table more effectively. These dependencies extend much deeper than the actual code itself. 

 Are there any Software Developers Left? 

Even though cybersecurity professionals spend a lot of time talking about software, it comes as no surprise that they spend a lot of time discussing how it is assembled, tested, deployed, and patched. Each business, regardless of its size or sector, has been impacted by software to some extent or another. The growth of scale and complexity has led to the evolution of teams and practices as well. Therefore, DevSecOps and endpoint security are constantly being integrated as a result, and Jennifer Czaplewski, a senior director at Target and a member of the program committee for the RSA Conference, says "Modern software is being assembled more than it is being written." This is not an opinion but a fact. As much as 70% to nearly 100% of all software across the industry contains open source components - code that is targeted directly in attacks of all sizes - estimates suggest this is a huge, shifting attack surface that requires all companies' supply chains to be vigilant. This creates an area of focus for every industry.

Code assembly creates a wide range of dependencies that are natural artifacts that arise as a result of the assembly process. The team that is incorporating it also needs to understand the processes used to run, test, and maintain the code. This is because they are deeper than the actual code. 

There is no escaping today's reality - almost every organization today relies unavoidably on open-source software to run its operations, which has led to an increase in the demand for better methods of assessing risks, cataloging usage, tracking impacts, and making informed decisions about the integration of open source components into software stacks before, during, and after they have been integrated. 

Components of Success and Building Trust 

As a technology issue, open source isn't the only issue that concerns open source. Alternatively, there may be a problem with the process. There could also be an issue with the people involved. As you might expect, it touches everything, including top-level executives, heads of information security departments (CISDs), policymakers, and developers. It is vital to establish trust across each of these groups by building transparency, collaboration, and communication between them. It is apparent that the software bill of materials (SBOM) has become one of the primary elements for building trust and has become popular after the May 2021 executive order from President Biden. 

In recent years, people have been able to observe tangible and quantifiable results as a result of the implementation of this solution. These results include how well assets are managed, how quickly vulnerabilities are addressed, and how strongly software life cycle management is improved. DBOM (data) and HBOM (hardware) seem to have gained traction, which has led to the creation of additional BOMs, such as PBOM (pipeline) and CBOM (cybersecurity), with SBOM generating additional BOMs. Many are hopeful that the BOM movement will be able to lead to a uniform and systematic way to think about and approach problem-solving in the future, but only time will tell whether the benefits outweigh the heavy responsibility placed on developers. 

Several policies and collaborations have been put into place to encourage the practices that have led to the success of open-source software, including the Securing Open Source Software Act, the Supply Chain Levels for Software Artifacts (SLSA) framework, as well as the NIST Secure Software Development Framework (SSDF). A common goal, namely to ensure that software supply chains are secure by default, has enabled the entire community to work together. 

There is an overt focus on the downside of open-source code, including potential manipulation, attacks, and exploitation of it. This is leading to increased efforts to mitigate associated risks, both through the development process, analytical reports, and even technology, to mitigate those risks. There is a great deal of effort being put into preventing malicious components from being ingested into the body in the first place. 

As a result of this introspection and personal learning around software development, the software development life cycle (SDLC), and the supply chain generally, there have been a lot of benefits to the community at this moment in time. Indeed, open source can greatly impact the success of ... open source! The continuous integration/continuous delivery pipeline (CI/CD) that developers are accustomed to using relies heavily on open-source tools to integrate critical security controls during development. OpenSSF scorecards and the OpenSSF Secure Supply Chain Framework are both examples of promising initiatives that will help teams in assembling software by providing resources such as automated scoring and consumption-focused frameworks that protect developers against real-world threats related to OSS supply chains. Just two examples of promising activities that will assist teams in assembling software include the Secure Supply Chain (SSC) Framework. 

Bringing our Strengths Together Makes us Stronger 

Even though open-source software continues to change the game of software, it has already changed it. There has been an impact on the way software is developed all over the world due to it. In addition, it has expedited product development time. A reduction in development costs and stimulation of innovation have been two of the benefits. 

While it can be argued that the updated system has contributed to security in the long run, work needs to be done. To make the world safer, we must work together as a village by sharing ideas and best practices throughout our communities. This will enable us to build a more secure world.   
Read more »
Third Party Vendors
Cyber Security Supply Chain supply chain attacks supply chain security Third Party Vendors

What Choices Ought to Influence the Supply Chain in 2023?

 

Due to the increase in cybercrime, many businesses are infected by viruses and malware that are distributed to them by vendors and business partners. 

There has not been a definite plan of action that addresses this as of yet. However, new third-party risk assessment techniques, products, and services are now available to find security "weak spots" in the supply chain of your business. 

Threats by supply chain vendors 

BlueVoyant, a cybersecurity provider, reported in 2021 that 98% of organizations surveyed had been impacted by a supply chain security breach. In a global survey of 1,000 chief information officers conducted in 2022, 82% of respondents said their organizations were vulnerable to cyberattacks targeting their supply chains. 

There are multiple reasons for these statistics and concerns. The following stand out:

  • The enormous size of corporate supply chains can include up to 100,000 suppliers for a single business 
  • Different cybersecurity standards are required in different countries 
  • Supplier unpreparedness, lack of knowledge, and lack of resources for sound cybersecurity practices 
  • Lack of understanding of supplier security in areas like purchasing, which frequently issue requests for proposals from suppliers without mentioning the security requirements for conducting business with the company. 

Best practices for supply chain security 

While cybersecurity frameworks provide an excellent overview of general supply chain security requirements, they do not provide a detailed plan for implementation. 

What organizations require is a guide for a multifaceted approach to supply chain security — but no single playbook can meet the needs of every organization. Instead, as organizations develop their own security approaches, leaders should follow supply chain security best practices: 

Become familiar with your data 

It may seem obvious, but it cannot be overstated: you must understand your own data, that is, what type of data your organization stores and how sensitive that data is. Use discovery and classification tools to find databases and files in your organization that contain sensitive data, such as customer data, financial information, health records, etc. 

Conduct a risk assessment of supply chain security 

Simply comprehending your data is insufficient. You must also understand your supply chain thoroughly in order to identify potential security risks and take preventative measures. 

Begin by gathering data on your third-party partners. What security safeguards do they have in place? Consider each partner's level of vulnerability, breadth and depth of data access, and the impact on your organization if their security is compromised. 

Next, evaluate the software and hardware products that your company employs. What are their weaknesses? Also, don't overlook compliance. Examine your organization's current security governance and consider where it may need to pivot. 

Create an incident response plan 

Attacks will occur, and your system will be compromised, no matter how thoroughly you prepare your organization's supply chain security. As a result, supply chain security best practices include more than just prevention — they also include preparation. 

An incident response plan should be a key component of your supply chain security app. This plan should outline everyone's responsibilities as well as all procedures to be followed in the event of a security incident. Make specific plans for data breaches, system shutdowns, and other security interruptions. And don't just write these procedures down. Test them, practice them, and make sure they're ready to go. 

Conclusion 

Because the supply chain is so fragile, maintaining solid supply chain security is a dangerous game. While eliminating all threats is impossible, adhering to best practices in supply chain security will position your organization to anticipate and mitigate their effects.
Read more »
Vulnerabilities and Exploits
FCEB OpenSSL Supply Chain VMware Vulnerabilities and Exploits

Concerns About Supply Chain Risks Need Strategies

 


It is common for the security industry to get disturbed when new vulnerabilities are discovered in software. Two new vulnerabilities were reported in OpenSSL in late October and early November 2022, which overwhelmed news feeds. This never-ending vulnerability cycle begins with the discovery and disclosure of vulnerabilities. The impact of a cyber-attack is felt acutely by those who work on the front lines of information technology, as the need for remediation is harsh. 

To filter some of the noise from new vulnerabilities, consider the impact on supply chains and take the necessary steps to secure their assets, security leaders must maintain an effective cybersecurity strategy. 

Supply Chain Attacks Aren't Going Away 

There have been several severe vulnerabilities in Log4j, Spring Framework, and OpenSSL components in the last year which have caused us to lose significant amounts of data. As long as implementations are misconfigured or rely on known vulnerable dependencies, it is also certain those older vulnerabilities will be exploited in the future. It was learned in November 2022 that a state-sponsored Iranian operation had been mounted against the Federal Civilian Executive Branch (FCEB), which was attributed to an attack campaign launched against it by the Iranian regime. In this case, a United States federal entity ran VMware Horizon infrastructure. This infrastructure contained the Log4Shell vulnerability, which was the initial attack vector. This vulnerability allowed an attacker to gain access to the network. There was a series of attacks on FCEB. This attack chain included lateral movements, credential compromises, system compromises, network persistence, endpoint protection bypasses, and crypto-jacking in the course of a single attack. 

After security incidents involving vulnerable packages like OpenSSL or Log4j, organizations are likely to wonder why they are consuming open-source software at all. According to a recent report, supply chain attacks continue to be on the rise because suppliers and partners are reusing components. 

Instead of building systems from scratch, the team of strategic planners for cybersecurity at Sysdig repurposes existing code. As a result, engineering effort will be reduced, operational scalability will be achieved, and delivery will be fast. In general, open-source software (OSS) has a high reputation for reliability due to the public scrutiny it receives due to its open-source nature. Software is, of course, a constantly changing field, and problems can arise as a result of coding errors or dependency problems. Moreover, the improvement of testing and exploitation techniques also enables the discovery of new issues over time. 

Supply Chain Vulnerabilities: How to Address Them

To secure the modern design of an organization, it must have the appropriate tools and processes in place. In this rapidly changing environment, traditional approaches based on vulnerability management or point-in-time assessments cannot be relied upon alone. Even though these approaches may still be permitted by regulations, they perpetuate the division between "secure" and "compliance." Most organizations aim to reach some level of maturity in DevOps. There are several characteristics of DevOps practices that are common to both continuous and automated processes. Processes related to security should not be different from other processes. The security strategist must ensure that they maintain a steady focus on security throughout the phases of development, testing, and deployment, and during runtime. 

Continuously scan code in CI/CD: In addition to following the best security practices (e.g., shift left), you need to recognize that you will not be able to scan all the code and nested code. Several factors can limit the success of shift-left approaches scanner effectiveness, correlation of scanner output, automation of release decisions, and scanner completion within the release timeframes. Using the right tool can help you prioritize the risks associated with your findings. Your architecture may not be able to exploit all found vulnerabilities, and some vulnerabilities may not be exploitable in the first place. 

Continuous scanning during delivery: it is essential to prevent component compromises and environment drifts from happening. The digital supply chain, which is the process by which applications, infrastructure, and workloads are sourced from registries, and repositories, and booted up from them, need to be scanned in case something has been compromised along the way. 

Continually scan at runtime: To protect against cyber threats, most organizations are looking to continually scan at runtime, and security monitoring is the backbone of their efforts. As part of your system architecture, you need mechanisms to collect, correlate, and interpret telemetric data from all types of systems, including cloud environments, containers, and Kubernetes deployments. Insights collected during the runtime should feed back into the earlier stages of the build and delivery process. In the context of identity and services, there is an interaction between them.

Secure strategy and cybersecurity preparedness are essential in the wake of the latest OpenSSL vulnerability and Log4Shell. CVE-IDs are merely identifiers of vulnerability issues that are known to exist in publicly available software or hardware. Many vulnerabilities remain unreported, particularly those rooted in undocumented code or those resulting from environmental misconfiguration or homegrown code. Modern designs are based on distributed and diverse technologies, and cybersecurity strategies must take this into consideration. The technology you need to manage vulnerabilities requires a modern tool that uses runtime insights so that engineering teams can prioritize remediation tasks based on the information they have. Additionally, for you to avoid sudden attacks, you need to have the ability to detect and respond to threats across a wide range of environments.
Read more »
Supply Chain Platform
Cyber Data Cyber Security Data Safety data security Microsoft Supply Chain Supply Chain Platform

Microsoft Announces the Microsoft Supply Chain Platform

 

Software as a Service (SaaS) applications from Microsoft that combine artificial intelligence, collaboration, low-code, security, and supply chain management have been launched as the Microsoft Supply Chain Platform.

Dynamics 365, Microsoft Teams, Power BI, Power Automate, Power Apps, Azure Machine Learning,
Azure Synapse Analytics, Azure IoT, the Microsoft Intelligent Data Platform, Azure Active Directory,
Defender for IoT and Microsoft Security Services for Enterprise are among the Microsoft
applications and platforms in this group.
 
Microsoft's PowerApps low-code development platform is intended to let users create a connected supply chain. It enables supply chain information, supply and demand insights, performance tracking, supplier management, real-time collaboration, and demand management to lessen risk.

Additionally, it addresses order tracking and traceability, pricing management, warehouse
management, and inventory optimization. According to Microsoft, businesses are suffering from an overabundance of petabytes of data that are dispersed among legacy systems, enterprise resource planning (ERP) software, and custom solutions, giving them a fragmented view of their supply chain.

The Microsoft Supply Chain Center preview has also been released by Microsoft. It promises to track global events that may impact a customer's supply chain, coordinate actions across a supply chain, and use AI to lessen supply and demand mismatches. According to Microsoft, this constitutes the foundation of the supply chain platform.

"Although supply chain disruption is not new, its complexity and the rate of change are outpacing organizations' ability to address issues at a global scale. Many solutions today are narrowly focused on supply chain execution and management and are not ready to support this new reality," said Charles Lamanna, corporate vice president, of Microsoft Business Applications and Platform, in a press release.

"Businesses are dealing with petabytes of data spread across legacy systems, ERP, supply chain management and point solutions, resulting in a fragmented view of the supply chain," Lamanna stated. 

"Supply chain agility and resilience are directly tied to how well organizations connect and orchestrate their data across all relevant systems. The Microsoft Supply Chain Platform and Supply Chain Center enable organizations to make the most of their existing investments to gain insights and act quickly." 

Even though it wants to serve as a platform for the entire supply chain, it will continue to collaborate with businesses like Accenture, Avanade, EY, KPMG, PwC, and TCS. Data from standalone supply chain systems, SAP and Oracle ERP systems, Dynamics 365, and other systems will be fed into the Microsoft Supply Chain Center.

Data ingestion for supply chain visibility is made possible via the Supply Chain Center's Data Manager capability. FedEx, FourKites, Overhaul, and C.H. Robinson are some of the partners in the preview launch. The supply and demand insights module, the order management module, the built-in Teams connection, and partner modules within the center are just a few of the prebuilt modules that the Supply Chain Center provides to solve supply chain disruptions.

According to Microsoft, the data remains consistent regardless of the module used because the center runs on a Dataverse common data service environment, eliminating the need to check which reports have the most recent data.

Read more »
Vulnerabilities and Exploits
Bugs Code Data data security Flaws GitHub Safety Security Supply Chain Vulnerabilities and Exploits

GitHub Introduces Private Flaw Reporting to Secure Software Supply Chain

 

GitHub, a Microsoft-owned code hosting platform, has announced the launch of a direct channel for security researchers to report vulnerabilities in public repositories that allow it. The new private vulnerability reporting capability allows repository administrators to enable security researchers to report any vulnerabilities found in their code to them. 

Some repositories may include instructions on how to contact the maintainers for vulnerability reporting, but for those that do not, researchers frequently report issues publicly. Whether the researcher reports the vulnerability through social media or by creating a public issue, this method may make vulnerability details insufficiently public. 

To avoid such situations, GitHub has implemented private reporting, which allows researchers to contact repository maintainers who are willing to enroll directly. If the functionality is enabled, the reporting security researchers are given a simple form to fill out with information about the identified problem.

According to GitHub, "anyone with admin access to a public repository can enable and disable private vulnerability reporting for the repository." When a vulnerability is reported, the repository maintainer is notified and can either accept or reject the report or ask additional questions about the issue.

According to GitHub, the benefits of the new capability include the ability to discuss vulnerability details privately, receiving reports directly on the same platform where the issue is discussed and addressed, initiating the advisory report, and a lower risk of being contacted publicly.

Private vulnerability reporting can be enabled from the repository's main page's 'Settings' section, in the 'Security' section of the sidebar, under 'Code security and analysis.' Once the functionality is enabled, security researchers can submit reports by clicking on a new 'Report a vulnerability' button on the repository's 'Advisories' page.

The private vulnerability reporting was announced at the GitHub Universe 2022 global developer event, along with the general availability of CodeQL support for Ruby, a new security risk and coverage view for GitHub Enterprise users, and funding for open-source developers.

The platform will provide a $20,000 incentive to 20 developers who maintain open-source repositories through the new GitHub Accelerator initiative. While, the new $10 million M12 GitHub Fund will support future open-source companies.
Read more »
Supply Chain
Application attackers Cyber Attacks Data Safety Security Software Supply Chain

Feds, npm Issue Supply Chain Security Alert to Avoid Another SolarWinds

 

The lessons learned from the SolarWinds software supply chain attack were turned into tangible guidance this week when the United States Cybersecurity and Infrastructure Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) released a joint best practises framework for developers to prevent future supply chain attacks.

In addition to the recommendations from the US government, developers received npm Best Practices from the Open Source Security Foundation in order to establish supply chain security open-source best practices.

"The developer holds a critical responsibility to the security of our software," the agencies said about the publication, titled Securing the Software Supply Chain for Developers. "As ESF examined the events that led up to the SolarWinds attack, it was clear that investment was needed in creating a set of best practices that focused on the needs of the software developer."

Meanwhile, OpenSSF announced that the npm code repository has grown to encompass 2.1 million packages.

Developers like Michael Burch, director of application security for Security Journey, praise the industry's proactive framework, but Burch adds that it is now up to the cybersecurity sector to put these guidelines into action, particularly a recommendation to implement software bills of materials (SBOMs).

Burch  concluded, "What we need now is the AppSec community to come together on the back of this guidance, and create a standard format and implementation for SBOMs to boost software supply chain security." 
Read more »
Vulnerabilities and Exploits
Bug Bounty Google Supply Chain Vulnerabilities and Exploits

Google Aims to Expand Bug Bounties to its Open Source Projects



What is OSS VRP Initiative

Google is planning to give out cash rewards for information on vulnerabilities found in any of its open source projects as a part of an undergoing attempt to strengthen the security of its open source code. The latest Open Source Software Vulnerability Rewards Program (OSS VRP), which adds to Google's Vulnerability Rewards Program, was declared in a blog post recently. 

According to DarkReading "Google has already offered bounties for bugs in its Chrome browser and the Android mobile operating system, both of whose base code are managed as open source projects. The company paid out $2.9 million to 119 researchers for their reports of vulnerabilities in Android, with the highest reward hitting $157,000. Similarly, the company paid $3.3 million to 115 researchers for finding bugs in Chrome in 2021."

Google pays if you find the bug

Google is willing to pay experts up to $31,337 for giving details on vulnerabilities in open source software programs-specifically those administered by Google- that affect the firm's services and software. 

Google's aim is to protect its own software supply chain, but since many non-Google developers use the company's open source software- like Go programming language and Angular Web framework- the initiative assures to promote securing the wider open source ecosystem too. 

Initially, Google will emphasize critical and most widely used projects, Francis Perron says, who's an open source technical program manager at Google. He wants to provide a high-quality bug-hunting experience, so Google picked projects with enough maturity in their response and processes to test this program. 

The project aims to secure the software supply chain

Widening the scope will happen after Google compiles enough internal data and assures that it can scale up without ruining the projects and experts. Protecting the software supply chain is now a crucial thing for technology firms and policymakers. 

Earlier this year, the Biden administration met with open source organizations and technology firms to explore new ways to promote secure coding, finding more bugs, and speed patching of open source projects. 

In 2021, Google pledged to invest $10 Billion over five years, the favorite effort by the OpenSSF, bringing a cybersecurity advisory group and supporting its Invisible Security zero trust initiative. 

Google is proud to both support and is a part of the open-source software community. Through our existing bug bounty programs, we’ve rewarded bug hunters from over 84 countries and look forward to increasing that number through this new VRP, said Google. 

Read more »
Threat actors
attacks Cyber Attacks Cyber Criminals Extortion Safety Supply Chain threat Threat actors

Cyber-attacks on Port of Los Angeles Doubled Since Pandemic

 

According to recent research, one of the world's biggest ports has witnessed an unusual spike in cyber-attacks since the outbreak began. The Port of Los Angeles' executive director, Gene Seroka, told the BBC World Service over the weekend that the facility receives roughly 40 million attacks every month. 

"Our intelligence shows the threats are coming from Russia and parts of Europe. We have to stay steps ahead of those who want to hurt international commerce. We must take every precaution against potential cyber-incidents, particularly those that could threaten or disrupt the flow of cargo,” he further added. 

Ransomware, malware, spear phishing, and credential harvesting attacks appear to be among the threats aimed against the facility, which is the busiest in the Western Hemisphere. The goal seems to harm the US economy in many situations, however, profits through extortion and data theft will also be a factor. 

Such dangers, if not adequately managed, can potentially exacerbate COVID-era supply chain snarls. Seroka said that port blockages will not be cleared completely until next year, even though the number of container ships waiting more than two days to offload has reportedly reduced from 109 in January to 20 today. 

"The past two years have proven the vital role that ports hold to our nation's critical infrastructure, supply chains and economy. It's paramount we keep the systems as secure as possible," Seroka expressed. 

The challenge is so acute that the port established one of the world's first Cyber Resilience Centers in collaboration with the FBI. It provides a single site for port stakeholders such as shipping corporations to receive, evaluate, and exchange threat intelligence. 

Ports have become such a popular target for cyber-criminals, particularly those aiming to undermine operations and extort businesses, due to their strategic significance to global trade.
Read more »
Subscribe to: Posts (Atom)