Bad actors will attack vulnerabilities in open-source vendors to compromise the global supply chains that rely on third-party code.
By Kevin Kirkwood, Deputy CISO at LogRhythm
A supply chain is only as good as its weakest link. Break a link and you have broken the pipeline, and companies will fall or be heavily damaged by that break. There was a time when that damage had to be done physically, but that is no longer true, as the Maersk shipping line learned after the NotPetya attack in 2017. Ships were held outside harbors and trucks backed up at terminals for days while the company rebuilt its systems from the ground up.
Every organization’s attack surface extends far beyond its own facilities, and even though it may not be directly visible to security teams, it still needs the same level of cybersecurity attention. The expanding global market exposes supply chains, and the businesses that depend on them, to higher financial and reputational risk. Organizations cannot operate without these connections, but the risk they bring must be controlled.
The pipeline for any product has many potential points of weakness, and every aspect of it must be protected. The pipeline is a network: it includes third-party companies’ hardware, software, managed services and systems that together serve one business objective. At the same time, supply chain networks have become more adaptable, digital and interconnected in response to the demand for resilience, transparency and speed.
Bad actors have taken advantage of the reach a software supply chain offers by finding ways to insert malicious code into core systems. The SolarWinds attack that shook the industry two years ago showed how a single software supply chain breach can reach more than 18,000 organizations. After gaining access to the SolarWinds build system, the attackers injected a malicious DLL into a signed Orion update, which SolarWinds then distributed to its customers through its normal update channel. The trojanized file opened a backdoor for remote access and went unnoticed for more than six months.
There is one supply chain that many companies did not consider until recently: the software supply chain. Like most products, software is built from pieces: snippets of code, libraries and even complete systems. Software companies draw on this pipeline to get a head start when developing their products, and the source is readily available on open-source hosting sites and package registries (e.g. GitHub or Maven Central).
Open-source software may be the chain’s weakest security link, which is particularly concerning given that 85% of applications are made up of open-source components. According to one report, “next-generation” software supply chain attacks increased by 650% over the previous year as threat actors move upstream in the chain to penetrate open-source software. Because these attacks scale so easily, cybercriminals can spread malware across the supply chain and cause the greatest amount of damage. Browser plug-ins distributed through extension stores (such as those for Chromium-based browsers) and open-source content management systems create further opportunities for supply chain attacks. In one such attack, backdoors were discovered in dozens of legitimate WordPress plug-ins.
That said, open-source software is both a gold mine and a Pandora’s box. Software developers will not shy away from open-source, so this vector must be part of the strategy for securing your organization, and you must make sure that your third-party suppliers are doing their own security due diligence.
If vulnerabilities are found in unmaintained open-source components, the company and its end users can be put in danger. Many of these disasters, while hard to prevent entirely, can be averted by implementing a vulnerability scanning practice that uses software composition analysis (SCA), static application security testing (SAST) and dynamic application security testing (DAST) tools. SCA identifies the open-source components and versions an application actually ships with and matches them against known advisories; SAST and DAST look for flaws in the code and the running application. Finding and fixing known vulnerabilities will not guarantee that your company is completely safe, but it is a start.
Organizations that use open-source software need to be on high alert for supply chain attacks. In recent years attackers have become more strategic in exploiting open-source software and code, and 2023 will be no different. Bad actors will examine the code and its components to gain a thorough understanding of its flaws and the most effective ways to exploit them.
In 2023, we will see bad actors attack vulnerabilities in low-hanging open-source projects and vendors with the intention of compromising the global supply chain that relies on third-party code. Attackers will seed open-source repositories and browser extension stores with malicious code and wait for developers and other end users to come along and pick up the new packages and plug-ins. Without a robust scanning program and a ‘curated zone’ for source code and plug-ins (an internal mirror that only serves packages that have been reviewed, pinned to an exact version and verified by hash), companies will continue to be at risk.
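The following Python script is an added example, not code from the article or from LogRhythm, showing in miniature what the two practices recommended above look like together: the SCA-style advisory matching from the scanning paragraph, and the ‘curated zone’ gate that only admits exactly pinned, hash-verified packages. Every package name, version, artifact, hash and advisory identifier (widgetlib, yamlparse, netclient, fastpad, ADV-EXAMPLE-0001/0002) is constructed for the example; the manifest format mimics a requirements.txt with `--hash` entries, and the version comparison is a deliberate simplification of what real tools do.

```python
"""Minimal dependency gate: advisory matching (SCA) plus a curated allowlist.

Constructed example. The manifest, the artifacts, the allowlist and the
advisories are all made up; nothing here is fetched from a real registry.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Dep:
    name: str
    version: Optional[str]   # None when the line is not pinned with "=="
    sha256: Optional[str]    # None when no --hash=sha256:... was given


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the package artifacts the curated mirror serves.
ARTIFACTS: Dict[Tuple[str, str], bytes] = {
    ("widgetlib", "2.4.1"): b"widgetlib-2.4.1 wheel bytes (constructed)",
    ("yamlparse", "1.1.0"): b"yamlparse-1.1.0 wheel bytes (constructed)",
    ("netclient", "3.0.0"): b"netclient-3.0.0 wheel bytes (constructed)",
}

# The curated zone: (name, version) -> sha256 of the reviewed artifact.
CURATED: Dict[Tuple[str, str], str] = {k: sha256_hex(v) for k, v in ARTIFACTS.items()}

# Constructed advisories in the "introduced / fixed" style: a version is affected
# when introduced <= version < fixed. Identifiers are hypothetical.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "yamlparse", "introduced": "1.0.0",
     "fixed": "1.2.0", "summary": "constructed: unsafe deserialization"},
    {"id": "ADV-EXAMPLE-0002", "package": "widgetlib", "introduced": "0",
     "fixed": "2.0.0", "summary": "constructed: path traversal (fixed in 2.x)"},
]

# Constructed manifest: one clean pin, one pin covered by an advisory, one pin
# whose hash does not match the curated artifact, and one unpinned dependency.
MANIFEST = (
    f"widgetlib==2.4.1 --hash=sha256:{CURATED[('widgetlib', '2.4.1')]}\n"
    f"yamlparse==1.1.0 --hash=sha256:{CURATED[('yamlparse', '1.1.0')]}\n"
    f"netclient==3.0.0 --hash=sha256:{'0' * 64}\n"   # wrong hash
    "fastpad>=0.9\n"                                  # whatever the index serves today
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted versions only (simplification; real tools use PEP 440)."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_manifest(text: str) -> List[Dep]:
    deps: List[Dep] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        sha = None
        for tok in tokens[1:]:
            if tok.startswith("--hash=sha256:"):
                sha = tok[len("--hash=sha256:"):].lower()
        pinned = re.match(r"^([A-Za-z0-9_.-]+)==([0-9A-Za-z.]+)$", tokens[0])
        if pinned:
            deps.append(Dep(pinned.group(1).lower(), pinned.group(2), sha))
        else:
            name = re.match(r"^[A-Za-z0-9_.-]+", tokens[0]).group(0).lower()
            deps.append(Dep(name, None, sha))
    return deps


def check_advisories(deps: List[Dep], advisories=ADVISORIES) -> List[str]:
    """SCA step: match each pinned component against the advisory list."""
    findings = []
    for dep in deps:
        if dep.version is None:
            continue  # unpinned lines are rejected by the allowlist check instead
        v = parse_version(dep.version)
        for adv in advisories:
            if adv["package"] != dep.name:
                continue
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                findings.append(f"{dep.name}=={dep.version}: {adv['id']} "
                                f"({adv['summary']}), fixed in {adv['fixed']}")
    return findings


def check_allowlist(deps: List[Dep], curated=CURATED) -> List[str]:
    """Curated-zone step: exact pin, known (name, version), matching hash."""
    findings = []
    for dep in deps:
        if dep.version is None:
            findings.append(f"{dep.name}: not pinned; the curated zone only admits exact versions")
            continue
        expected = curated.get((dep.name, dep.version))
        if expected is None:
            findings.append(f"{dep.name}=={dep.version}: not in the curated allowlist")
        elif dep.sha256 != expected:
            findings.append(f"{dep.name}=={dep.version}: hash missing or does not match the curated artifact")
    return findings


def gate(manifest_text: str, advisories=ADVISORIES, curated=CURATED) -> dict:
    deps = parse_manifest(manifest_text)
    findings = check_advisories(deps, advisories) + check_allowlist(deps, curated)
    return {"allowed": not findings, "findings": findings}


if __name__ == "__main__":
    result = gate(MANIFEST)
    print("ALLOWED" if result["allowed"] else "BLOCKED")
    for finding in result["findings"]:
        print(" -", finding)
```

Run as-is, the gate blocks the constructed manifest with three findings (the yamlparse advisory, the netclient hash mismatch and the unpinned fastpad line) and admits a manifest that contains only the clean widgetlib pin. The two checks fail for different reasons and catch different things: the advisory match only knows about flaws someone has already published, while the allowlist rejects anything the organization has not reviewed, including a freshly poisoned upload that no scanner has a signature for yet.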
Kevin Kirkwood leads the internal security practice at LogRhythm. His teams cover governance, risk and compliance (GRC), application security (AppSec), the security operations center (SOC) and physical security. This concentration of security practice, tools and operations enables him and his team to provide a safe foundation on which to build the security platforms of the future while protecting employees, systems and, ultimately, the clients who use their products.