The trouble with focusing attention on one type of cyberattack is that it encourages more cybercriminals to try their hand at it. In the wake of a series of high-profile breaches, the integrity of software supply chains has in recent months become a major cause for concern. The hope is that adopting DevSecOps best practices will ensure that fewer vulnerabilities find their way into software deployed in production environments.
In fact, the White House has just released a memo that requires federal agencies to comply with software supply chain guidance from the Office of Management and Budget (OMB). That guidance builds on an executive order the Biden administration issued requiring agencies to review the security of their software supply chains.
One of the primary methods for embedding malware in software under development is to compromise a member of the application development team, whether by stealing their credentials or by taking over their workstation. Microsoft, for example, has issued a warning detailing how a cybercriminal gang known as ZINC uses LinkedIn to make initial contact with software developers looking for a new job. It then encourages those developers to move the conversation to the WhatsApp messaging service, through which malicious payloads are delivered to the developer's system.
The Microsoft warning also notes that ZINC is specifically weaponizing trojanized copies of open-source software such as PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and the muPDF/Subliminal Recording software installer for these attacks. Should a developer run one of these trojanized builds, the attackers gain a foothold on the system used to write and build applications, and there is a good chance that malware planted from there will be activated at a later date. ZINC has been identified as a sub-group of the North Korean Lazarus hacking crew, and the danger posed by this attack should not be underestimated.
Of course, no one knows for sure where that malware may wind up, and therein lies the challenge security professionals will increasingly face. The pace at which the processes used to build software are being hardened is exceedingly slow. It takes a long time to change the culture of application developers, who tend to prize speed of delivery over security. Realizing this, more cybercriminals than ever are now targeting software supply chains simply because they know just how vulnerable those supply chains are.
The good news is that the executives who hire developers are starting to prioritize security over speed. A survey of 600 C-suite executives conducted by CloudBees, a provider of a platform for building and deploying applications, finds more than three-quarters of respondents say it is more important to be secure and compliant than fast and compliant. The bad news is that 88% of those executives believe their organization's software supply chain is secure or very secure.
Unfortunately, it's probable that software security will get worse before it eventually starts to get better, so cybersecurity teams should prepare for the worst. As the Log4Shell vulnerability (CVE-2021-44228) in the Log4j library has already clearly demonstrated, finding every instance of a vulnerable software component can take months. A rapid incident response capability has never been more crucial because, as always, any time a vulnerability is discovered it's a race against time before it is exploited.
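The Log4Shell hunt described above is mostly an inventory problem: the vulnerable component hides inside application archives rather than sitting in a package manager's database. The script below is an added example written for this article, not code from the original post or from Barracuda. It walks a directory, opens every JAR, WAR and EAR, recurses into archives nested under paths such as WEB-INF/lib, reads the version from log4j-core's Maven metadata, and applies the CVE-2021-44228 rule (affected from 2.0-beta9 through 2.14.1, fixed in 2.15.0 and in the 2.12.2 and 2.3.1 backports). A JAR whose JndiLookup.class has been removed is reported as mitigated, which was the published workaround, and a shaded JAR that still carries that class but has lost its Maven metadata is conservatively reported as affected. The WAR it scans when run without arguments is constructed inside the code.

```python
"""Find log4j-core JARs (also nested inside WAR/EAR files) and flag builds
affected by CVE-2021-44228 (Log4Shell). Added example for this article, not
code from the original post or from Barracuda; sample archives are constructed."""
import io
import re
import sys
import zipfile
from pathlib import Path
from typing import Iterator, NamedTuple

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Maven metadata shipped inside log4j-core JARs; it carries the version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class that performs JNDI lookups; deleting it was the published mitigation.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


class Finding(NamedTuple):
    location: str           # filesystem path, "!" separates nested archive members
    version: str            # "unknown" for shaded JARs without Maven metadata
    jndi_lookup_present: bool
    affected: bool


def parse_version(version: str):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparsable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    return tuple(int(part or 0) for part in m.groups()) if m else None


def is_affected(version: str) -> bool:
    """CVE-2021-44228 affects 2.0-beta9 through 2.14.1; fixed in 2.15.0 and in
    the 2.12.2 (Java 7) and 2.3.1 (Java 6) backports. Older 2.0 betas are
    conservatively flagged; log4j 1.x is out of scope for this CVE."""
    v = parse_version(version)
    if v is None or v[0] != 2 or v >= (2, 15, 0):
        return False
    if v[:2] == (2, 12) and v >= (2, 12, 2):
        return False
    if v[:2] == (2, 3) and v >= (2, 3, 1):
        return False
    return True


def scan_archive(data: bytes, location: str) -> Iterator[Finding]:
    """Yield findings for this archive and, recursively, archives inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = zf.namelist()
        present = set(names)
        if POM_PROPS in present or JNDI_LOOKUP in present:
            version = "unknown"
            if POM_PROPS in present:
                props = zf.read(POM_PROPS).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.MULTILINE)
                version = m.group(1).strip() if m else "unknown"
            has_jndi = JNDI_LOOKUP in present
            # No JndiLookup.class means the JAR was stripped: mitigated even if old.
            # An unknown version with the class still present is treated as affected.
            affected = has_jndi and (version == "unknown" or is_affected(version))
            yield Finding(location, version, has_jndi, affected)
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                yield from scan_archive(zf.read(name), f"{location}!{name}")


def scan_tree(root: str) -> list:
    """Walk a directory and scan every archive found in it."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(scan_archive(path.read_bytes(), str(path)))
    return findings


def make_fake_log4j_core(version: str, include_jndi: bool = True) -> bytes:
    """Constructed sample: a minimal ZIP mimicking log4j-core's Maven metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def demo() -> list:
    """Constructed WAR holding three log4j-core JARs in three patch states."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", make_fake_log4j_core("2.14.1"))
        war.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", make_fake_log4j_core("2.17.1"))
        war.writestr("WEB-INF/lib/log4j-core-2.14.1-stripped.jar",
                     make_fake_log4j_core("2.14.1", include_jndi=False))
    return list(scan_archive(buf.getvalue(), "app.war"))


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in results:
        print(f"{'AFFECTED' if f.affected else 'ok':8} log4j-core {f.version:8} {f.location}")
```

Run it as `python scan_log4j.py /opt/apps` to sweep a deployment, or with no argument to scan the constructed WAR, which reports the 2.14.1 JAR as affected and the 2.17.1 and stripped JARs as ok. It encodes one CVE only; the follow-on Log4j CVEs fixed in 2.16.0 and 2.17.0 need their own thresholds, and a file-system sweep like this complements a software bill of materials rather than replacing one, since it only sees what is on disk at the moment it runs.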
By Mike Vizard
This article originally appeared on Journey Notes, the Barracuda blog.