Threat actors are increasingly targeting mission-critical organizations in both ransomware attacks and novel software supply chain attacks. Whether by exploiting known vulnerabilities or taking advantage of other weaknesses in the ecosystem, the UK government is following the lead of the US presidential executive order on improving the nation's cybersecurity and stepping up their involvement to safeguard the digital economy.
Evolving cyber threats across the technology landscape
Security issues driving the new policies across the US and UK:
- Last year's SolarWinds supply-chain attack allowed threat actors to push a trojanized Orion update downstream to over 18,000 company customers, where they targeted high-profile government and private organizations for further attacks.
- The recent ransomware cyber attack on the Colonial Pipeline left 17 U.S. states and the District of Columbia (DC) with fuel shortages, leading to a national emergency.
- Attacks on massively popular software ecosystems like GitHub, where open-source projects are manufactured and distributed, has been abused for mining cryptocurrency and distributing malware.
- Targeting of essential organizations like Ireland's Health Services (HSE) and the Irish Department of Health were slapped with a $20 million ransom demand this week. HSE had to shut down all of their IT systems, causing disruptions for patients.
- The Codecov supply-chain attack:
- Reportedly impacted hundreds of client networks that were breached by Codecov attackers. In an IPO-related filing this week with the SEC, Monday.com disclosed that Codecov attackers had gained access to some of its source code.
- Last week, US cybersecurity firm Rapid7 had also revealed that some of their source code repositories and credentials were accessed by Codecov attackers.
In light of these ongoing successful exploits in the wild by threat actors who now attack critical assets, governments around the world are stepping up their involvement when it comes to ensuring the security of digital supply chains.
U.S. executive order passed after too many breaches occurred too fast
Over the last year, more and more businesses have started relying entirely on cyber systems to support a remote workforce, increase automation, and move their operations almost entirely online. This means that any attacks on digital goods and services are effectively becoming disruptions to the global economy.
As such, this week, The Homeland Security Committee introduced seven bipartisan bills in the House, five of which are focused strictly on strengthening cybersecurity, including a "Pipeline Security Act," and "Cybersecurity Vulnerability Remediation Act."
President Biden also signed an executive order into law last week. Specifically, one of the requirements of the Executive Order is that it focuses on developing guidelines to help organizations audit and rate critical software to prevent tampering in supply-chain attacks.
By targeting a software vendor, or a Managed Services Provider (MSP), attackers can cascade their malicious attacks downstream to hundreds of clients of the vendor. This happened when the GandCrab cybercrime gang hacked an MSP by exploiting a years-old vulnerability that may have locked thousands of their customers out with a ransomware attack.
More than ever, the need to vet software and secure services prior to their consumption on a wider scale is now being pushed by legislative action. This is expected to have tangible consequences for software vendors beyond government contractors.
"In today's world, too many organizations don't have a full picture of what's inside their software. Most aren't even looking," explains Sonatype's CMO Matt Howard.
"The fact is that fewer than 50% of companies today produce a full picture of what's inside their application, or a software bill of materials (SBOM) as a standard practice in software development. At the same time, breaches tied to open source software components used in applications impact 1 in 5 organizations annually."
U.K. government now hearing experts on protecting against supply-chain attacks
Following efforts by the Whitehouse, the U.K. government has now announced that it seeks advice on defending against digital supply-chain attacks from organizations that either consume IT services, or MSPs that provide software and services.
Yesterday, the Department for Digital, Culture, Media, and Sport (DCMS) opened up a survey that will run for almost two months to invite thoughts from industry experts and tech organizations on stepping up supply-chain security across the UK.
The initiative is a part of the nationwide "cyber resilience" efforts set forth by the UK's National Cyber Security Strategy to safeguard businesses and organizations that increasingly rely on technology from cyber-attacks, and to strengthen digital supply-chain security.
"There is a long history of outsourcing of critical services. We have seen attacks such as 'CloudHopper' where organisations were compromised through their managed service provider," says Matt Warman, UK's Minister of Digital Infrastructure.
"It's essential that organisations take steps to secure their mission-critical supply chains – and remember they cannot outsource risk."
Depending on the feedback received over time, the UK government will evaluate supply-chain risks, review policies, and implement new guidelines and frameworks to strengthen specific areas of digital supply-chain security. It could also mean the introduction of new, country-wide legislation for software firms and IT service providers. These groups would have to adhere to specific instructions when delivering digital products and services.
How can Sonatype help?
As pioneers of open source security, Sonatype has time and time again remained on top of novel supply-chain attacks. This includes being aware of dependency confusion early on and detecting malware polluting various open source software (OSS) repositories, as we provide tangible solutions to the software supply chain security problem.
As such, we don't have one but multiple solutions - many of them offered at no cost, to help developers and organizations globally safeguard their digital supply-chains.
-
Sonatype adds vulnerability scanning to Maven Central to protect the Java OSS community
Just last week, we introduced new capabilities in Maven Central that Java, Scala, and Android software developers benefit from additional open source security scanning at no cost.
Any developer or organization publishing their project to the Maven Central repository for wider distribution can now rest easy knowing they are not distributing code that contains known vulnerabilities.
Maven Central is home to over 6.7 million unique software packages making it one of the largest Java ecosystems, especially after the demise of Bintray and JCenter. This inertia means that newly implemented security checks in place before distribution can help safeguard the wider software supply-chain from known bugs and vulnerable dependencies.
"Starting this week, we will be scanning all staged repositories on Open Source Software Repository Hosting (OSSRH) automatically as you're publishing things to Central," says Sonatype CTO and co-founder Brian Fox.
"You should start seeing reports via email providing details on security issues in your dependencies for things released through OSSRH," explains Fox in last week's announcement. -
Free Sonatype Vulnerability Scanner spots out security violations and licensing issues
Those interested in generating an SBOM for their applications can take advantage of the free Sonatype Vulnerability Scanner, which will highlight any known security vulnerabilities lurking in your applications. It will also help with software asset management and compliance.
The scanner will also call out any licensing issues in your application, such as a mislabeled or untracked component within application components. -
Open source malware and malicious dependency confusion packages
Finally, for those looking for enterprise solutions, the Sonatype Intelligence that powers Release Integrity, our automated malware detection system has been the force behind discovering novel malware packages targeting the OSS community over the last year.
This includes the fake "Browserify" package, which was an evasive malware targeting macOS/Linux developers and Discord brandjacking malware. It also covers thousands of dependency confusion copycats flooding OSS repositories, some of which were in fact malicious and targeting major tech firms.
With policies that developers can take advantage of to block a wide variety of issues, Sonatype Repository Firewall prevents suspicious components and dependency confusion candidates from entering their development builds.
Sonatype wants your organization to be fast, smart, and safe while using the software supply chain to grow and innovate. As these regulatory requirements continue to evolve, we will maintain our services and products.
Sonatype will continue to try and keep companies and organizations safe from these and future attacks through developer-centric tools and services.
The above examples merely demonstrate the real-world solutions we have been delivering for years to keep developers and the OSS community protected from supply-chain threats.
Written by Ax Sharma
Ax is a Staff Security Researcher & Malware Analyst at Sonatype with a penchant for open source software. His works and expert analyses have frequently been featured by leading media outlets including the BBC. Ax's expertise lies in security vulnerability research, reverse engineering, and cybercrime investigations. He has a passion for educating a wide range of audiences through writing and vlogs.
Explore All Posts by Ax Sharma