123ArticleOnline Logo
Welcome to 123ArticleOnline.com!
ALL >> Technology,-Gadget-and-Science >> View Article

Next-generation” 3rd Party Attacks

Profile Picture
By Author: sparity
Total Articles: 73
Comment this article
Facebook ShareTwitter ShareGoogle+ ShareTwitter Share

Next-generation” 3rd Party Attacks

Introduction

In July of 2020, we discussed seeding open-source projects with compromised components. In the past six months, commercial and enterprise software developers became more disciplined in keeping developed open-source software libraries updated to reduce the risk of software-based supply chain attacks, the cybercriminals are upping their game: in recent months researchers have issued warnings both cybercrime and cyber espionage entities are over-running open-source projects to turn them into malware distribution channels.

In the past, attackers simply utilized existing vulnerabilities within well-used open-source components, with the understanding they could victimize the several organizations at once who rely on outdated code dependencies. Crime and espionage groups are now more frequently getting proactive by infiltrating open-source projects to seed them with compromised components that can modify once they are downloaded and used by unsuspecting organizations.

According to the latest 2020 State of the Software Supply Chain Report just released ...
... by Sonatype, the new paths in, referred to as “next-generation” supply chain attacks have surpassed the increase in zero-day exploits and are up 430% in the past year. This equates to a 40% rise in supply chain-based breaches.

Just like a normal business, their activities ‘upstream,’ where they can infect a single open-source component that has the potential to be distributed ‘downstream,’ where it can be strategically and covertly exploited,” explains Wayne Jackson, CEO of Sonatype.

which creates a fertile environment whereby bad actors can prey upon good people with surprising ease

As the report explains, attackers are leveraging the very nature of open-source software development against itself with these next-gen supply chain attacks. Open-source projects rely on contributions from volunteers, and these projects themselves frequently incorporate hundreds or even thousands of dependencies from other projects. The foundation of open-source projects is one that relies on shared trust, all of “which creates a fertile environment whereby bad actors can prey upon good people with surprising ease”.

Attackers are now starting to seek out ways to scale up their efforts to plant malicious code through automated malware that goes directly after development pipelines. The most recent sophisticated example of a next-gen software supply chain attack was discovered lurking on GitHub in May. Researchers found a piece of malware called Octopus Scanner that targeted GitHub users involved in developing NetBeans (an integrated development environment) for Java projects. The Octopus Scanner was designed to serve up backdoored code into NetBeans components within GitHub repositories without the legitimate repository owners even realizing it. Meaning that every time developers of these components release code to the public, it has already been modified by the attacker.

Software supply chain attacks follows a well-worn story in the security world

In the context of Open-Source Services, it gives the malware an effective means of transmission since the affected projects will presumably get cloned, forked, and used on potentially many different systems. This was explained in detail by GitHub security researcher Alvaro Muñoz, in a blog about Octopus Scanner. “The actual artefacts of these builds may spread even further in a way that is disconnected from the original build process and harder to track down after the fact.”

The rise in these next-generation software supply chain attacks follows a well-worn story in the security world. Anyone who has been in the business long enough recognizes that no good deed goes unpunished. According to the report’s research, 49% of organizations are now able to remediate open-source vulnerabilities within a week of detection.

Sparity can help your organization by performing environmental assessments to and develop a security code review process before code is pushed to production. We maintain awareness of these types of threats through having spent years in code, application, and database development. In addition, we maintain awareness of threats to various business models both within the US and Asia Pacific.

More About the Author

Sparity is globally recognized software development company & IT service provider, offering next-gen technology consulting & digital services

Total Views: 173Word Count: 637See All articles From Author

Add Comment

Technology, Gadget and Science Articles

1. Comprehensive Fire Safety Solutions In Uae: Trusted Expertise By Global Alarms
Author: Global Alarms Safety & Security Equipment LLC

2. The Future Of Customer Browsing: A Guide To Co-browsing Solutions
Author: Jesvira

3. The Role Of Virtual Reality Consulting In Accelerating Digital Transformation
Author: omie84

4. Netflix Clone Script For Custom Video Streaming Platforms By Netflix Clone Script:
Author: Zybertron

5. Create A Capable Food Delivery App With The Top Development Organization
Author: Elite_m_commerce

6. How To Buy Textnow Accounts Safely And Securely: A Comprehensive Guide
Author: Bulk Account Buy

7. Improve Customer Communication Through A Dedicated Virtual Call Answering Service!
Author: Eliza Garran

8. Turning Raw Data Into Actionable Insights With The Art Of Visualization
Author: Digiprima

9. Mastering Sharepoint Migration
Author: Xanthe Clay

10. An Rise Digital Engagement By Developing Progressive Web Apps
Author: Elite_m_commerce

11. How To Build An Astrology App Like Astrotalk
Author: Deorwine Infotech

12. Maximise Your Online Presence With Odoo Website Builder
Author: Alex Forsyth

13. Track Market Trends With Zapkey Real Estate Data Scraping
Author: Devil Brown

14. Native Vs Hybrid Apps: Making The Right Choice For Your Mobile App Development
Author: calistabennet

15. Only 41 Percent Of Businesses Have Programs In Place To Hire More Women In Tech, According To Isaca Research
Author: Madhulina

Login To Account
Login Email:
Password:
Forgot Password?
New User?
Sign Up Newsletter
Email Address: