According to ReversingLabs, software supply chain threats are expected to rise in both severity and frequency in 2023. The study found that attacks based on malicious open-source modules have multiplied across the commercial sector.
Urgent measures are needed to protect the software supply chain
Supply chain attacks have surged significantly since 2020, with a slow but steady increase continuing through 2022, and a further rise in cyberattacks on the software supply chain is expected in 2023.
Organizations will witness a change in how security professionals approach cyber defense. This is backed up by recent ReversingLabs research that evaluated the effects of software supply chain challenges since the SolarWinds incident.
With attackers increasingly searching for and abusing software supply chain weaknesses, security teams have stepped up their efforts while the government works out specific standards for protecting the software supply chain under the Enduring Security Framework (ESF), a public-private collaboration, and through new legislation, the Securing Open Source Software Act of 2022.
Supply Chain Security Trends in the Past 12 Months
Software supply chain attacks have increased in frequency over the past year, which isn’t surprising given that open-source software repositories have become a preferred target for cybercriminals.
Attacks on well-known repositories, notably PyPI and npm, have increased by 289% over the past four years, according to ReversingLabs’ 2022 NVD Analysis. The figure comes from the report on supply chain security that ReversingLabs released on Monday.
“Our analysis of supply chain attacks like IconBurst and Material Tailwind shows that malicious actors are increasingly trying to leverage trust in open-source software to plant malicious code within organizations. Why? Because they don’t want to reinvent the wheel.”
Tomislav Pericin, ReversingLabs’ Co-founder
From January to October 2022, npm saw approximately 7,000 harmful package uploads, almost a 100x spike over the 75 dangerous packages detected in 2020 and a 40% rise over the number detected in 2021.
Malicious npm packages accounted for 66.7% of all harmful packages identified by ReversingLabs.
Another attack reported by ReversingLabs in August used dozens of npm packages containing obfuscated JavaScript. The malicious packages were intended to steal information from users of the programs or sites where they were deployed.
The increasing supply chain attacks call for more security around open-source repositories
PyPI, the Python Package Index, was also swamped with malicious open-source packages intended, among other things, to spread malware and mine cryptocurrency.
The threats were identical to what researchers found in 2021, when attackers frequently used typosquatting and dependency confusion.
Malicious activity had increased by over 18,000% since 2020, when only eight dangerous packages were found, with several peaks during the summer of 2022. The attacks have undoubtedly drawn more attention to software supply chain security.
High-profile organizations, including Toyota Motor Co. and Samsung Electronics Co. Ltd., were embarrassed by sensitive details leaked through open-source repositories that were maintained by third-party contractors or internally.
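Both techniques named above, typosquatting and dependency confusion, can be screened for on the defender's side before a dependency is ever installed. The following Python script is an added example, not code from the ReversingLabs report or this article; the popular-package allow-list, the internal-package list and the public-index snapshot are constructed stand-ins for a real allow-list and a live index query.

```python
"""Pre-install screening for two supply-chain attack patterns: typosquatting
(a dependency name one edit away from a popular package) and dependency
confusion (an internal package name that also resolves from the public index).
Added example; all package lists below are constructed stand-ins."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed allow-list of popular packages the organization trusts.
POPULAR: Set[str] = {"requests", "numpy", "urllib3", "setuptools", "cryptography"}
# Constructed names that should exist only on the organization's private index.
INTERNAL: Set[str] = {"acme-billing", "acme-auth"}
# Constructed snapshot of names present on the public index (a real tool
# would query the index instead of using a static set).
PUBLIC_INDEX: Set[str] = POPULAR | {"requets", "acme-billing"}


@dataclass
class Finding:
    package: str
    kind: str      # "typosquat" or "dependency-confusion"
    detail: str


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-fold and collapse runs of -_. to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(line: str) -> str:
    """Strip version specifiers, extras and markers from a requirements line."""
    return re.split(r"[\s=<>!~;\[@]", line.strip(), maxsplit=1)[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_dependencies(lines: Iterable[str],
                       popular: Set[str] = POPULAR,
                       internal: Set[str] = INTERNAL,
                       public_index: Set[str] = PUBLIC_INDEX) -> List[Finding]:
    """Return one Finding per suspicious dependency, in input order."""
    findings: List[Finding] = []
    for line in lines:
        name = normalize(requirement_name(line))
        if not name or name.startswith("#"):
            continue
        if name in internal:
            # An internal name that also resolves publicly lets a resolver
            # consulting both indexes pick the attacker's copy.
            if name in public_index:
                findings.append(Finding(name, "dependency-confusion",
                    "internal package name is also published on the public index"))
            continue
        if name in popular:
            continue
        # Nearest popular name (sorted for determinism); flag single-edit lookalikes.
        nearest = min(sorted(popular), key=lambda p: edit_distance(name, p))
        distance = edit_distance(name, nearest)
        if distance <= 1:
            findings.append(Finding(name, "typosquat",
                f"{distance} edit away from popular package '{nearest}'"))
    return findings


if __name__ == "__main__":
    # Constructed contents of a requirements file.
    sample = ["requests==2.31.0", "requets", "acme-billing>=1.0", "acme-auth", "numpy"]
    for f in check_dependencies(sample):
        print(f"{f.kind:22} {f.package:15} {f.detail}")
```

Run as a pre-commit or CI step over the lockfile, with the allow-list replaced by the organization's own approved packages and the static public-index set replaced by a lookup against the index; the single-edit threshold keeps false positives low for short names, and the dependency-confusion check is what tells you an internal name needs to be reserved on the public index or the resolver pinned to the private one.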
Security Must Be Enhanced
The study advises software developers to take open-source risk into account, to improve security operations centers (SOCs), and to strengthen communication between development teams in order to close the gaps in monitoring and detecting supply chain attacks and threats.
According to the report, the breaches have brought increased attention to the security of the software supply chain.
New federal instructions for enhancing supply chain security were released over the past year under the May 2021 Executive Order on enhancing the Nation’s Cybersecurity issued by the Biden Administration.
npm and PyPI have seen a multi-fold increase in harmful package uploads over the previous two years.
The report concludes that software developers with federal contracts must meet strict security requirements to adhere to the new standards. Those requirements include attesting to the security of their code and, in some cases, submitting software bills of materials (SBOMs), which provide a roadmap for tracing supply chain risk.
If the evidence of the previous three years is any indicator, breaches in software supply chains will become more frequent and more severe in 2023.
ReversingLabs also stated that this trend, combined with new rules and guidelines to reduce supply chain risk, will increase pressure on development organizations and businesses.