China's rift with the West extends to software
ReversingLabs
Welcome to the latest edition of Chainmail: Software Supply Chain Security News. Each week, Chainmail brings you the latest software supply chain security headlines, curated by the team at ReversingLabs. This week: how the brewing Cold War 2.0 between China and the U.S. is reaching into the software supply chain. Also: ESET warns of the Tick APT group's supply chain compromise of a data loss prevention firm.
This Week’s Top Story
Increasingly, China’s supply chain risk extends to code
As tensions between the U.S. and China rise, software has become another front in a Cold War reboot between West and East, Masaharu Ban reports over at Nikkei Asia. Concerns over cyberattacks and industrial espionage are fueling reluctance among developers in the U.S., Japan and elsewhere to incorporate and rely on software components created in China.
Ban profiles the Tokyo-based secondhand online marketplace Mercari, where “several staffers are tasked with keeping its app clear of unsanctioned software components, responding to alerts by an automated tracking system whenever potential issues are detected.”
"We are seeing more software with ties to China, leading to a decoupling in software development," Hidekazu Kamino, a member of Mercari's intellectual property team, is quoted as saying. Mercari's app relies on 15,000 software components, but the company increasingly sees its ability to provide a stable service hinging on avoiding software from China, which is considered "problematic" by the Japanese government.
Chinese users made up 10% of the more than 100 million developers on GitHub, the world's largest code hosting platform, in 2021, the largest contributors after those in the U.S., which accounted for 19%.
The U.S. is leading the charge. It has taken steps to limit China's access to advanced processors and to ban the use of Chinese-based hardware and software, such as telecommunications equipment manufactured by Huawei, ZTE and other Chinese manufacturers. The federal government is weighing whether to ban the TikTok video sharing application.
China, meanwhile, is moving to free itself from reliance on Western firms and technology. The country adopted a five-year "national informatization" plan released in 2021, Ban writes. That plan calls for encouraging the establishment of "open-source communities" and alternatives to Western platforms. One example: Gitee, a GitHub-like code hosting platform backed by the Chinese government. It doubled its developer base in two years, to 8 million in 2021.
News Roundup
Here are the stories we’re paying attention to…
The security firm ESET wrote about the discovery of a sophisticated software supply chain compromise in which an advanced threat group known as Tick gained access to the network of an East Asian software development company that makes data loss prevention (DLP) software. The attackers deployed persistent malware and replaced installers of a legitimate application known as Q-Dir with trojanized copies that, when executed, dropped an open-source VBScript backdoor named ReVBShell alongside the legitimate Q-Dir application. This led to the execution of malicious code in the networks of two of the compromised company's customers. The attackers also compromised update servers, which delivered malicious updates on two occasions to machines inside the network of the DLP company. The company's customers include government and military entities, ESET noted. (ESET)
Checkpoint reported this week that the company's CloudGuard Spectralops team detected a malicious phishing account on PyPI, the official repository of software packages for the Python programming language. The malicious packages disguised themselves as async-io related helpers, but were actually downloading and executing obfuscated code as part of their installation process, and were probably stealing PII. The attacker published several versions of the package with slight modifications to evade detection. The malicious packages have since been removed by PyPI. (Checkpoint Systems)
For years, industry leaders promoted the notion of "shifting left" as a call to marry application security with application development: embedding secure development tools and practices into the continuous integration/continuous delivery (CI/CD) process. But times are changing, and the industry is beginning to understand that while shifting left is necessary, it is not sufficient to secure software supply chains, writes ReversingLabs Chief Software Architect Tomislav Peričin on DevOps.com.
As Tanya Janca, founder and CEO of WeHackPurple, said recently, "Don't shift left; shift everywhere!" Threats to the software supply chain not only happen during development but also throughout the entire software release process, requiring a more holistic approach to securing software supply chains, Peričin argues. (DevOps.com)
GitHub recently upgraded the internal version of Git it uses to produce repository archives. Unfortunately, that change broke a large number of projects built with Bazel, a widely used, free, open source tool for building and testing software. The incident, just the latest in which Bazel builds have broken, underscores dependency availability risks: the Git upgrade changed the SHA-256 sums of the archives, even though the extracted contents are the same. It highlights the need for GitHub to clarify in its documentation whether users should or should not depend on stable archive SHA-256 sums. (DevOps.com)
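The Bazel breakage comes down to pinning the digest of the archive bytes rather than of what the archive contains. The added example below (not code from the DevOps.com article, Bazel or GitHub) builds two in-memory tar archives of the same constructed file set that differ only in entry metadata, a stand-in for the kind of byte-level change a Git upgrade can introduce, and shows that the archive digest changes while a digest computed over the extracted paths and contents stays stable.

```python
import hashlib
import io
import tarfile

# Constructed sample "repository" contents; not taken from any real project.
FILES = {
    "WORKSPACE": b"",
    "BUILD": b'cc_library(name = "lib", srcs = ["src/lib.cc"])\n',
    "src/lib.cc": b"int f() { return 1; }\n",
}


def build_archive(files, mtime):
    """Build an uncompressed tar in memory. Only the entry mtime varies;
    it stands in for any metadata change that alters archive bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def archive_sha256(archive_bytes):
    """The fragile check: a digest over the raw archive bytes."""
    return hashlib.sha256(archive_bytes).hexdigest()


def content_sha256(archive_bytes):
    """The robust check: a digest over (path, size, content) of every regular
    file, in sorted path order, so metadata and compression do not matter."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in sorted(tar.getmembers(), key=lambda m: m.name):
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            h.update(member.name.encode("utf-8") + b"\0")
            h.update(len(data).to_bytes(8, "big"))
            h.update(data)
    return h.hexdigest()


def compare(files=FILES):
    """Return (archive_digests_match, content_digests_match) for two archives
    of the same files produced with different metadata."""
    old, new = build_archive(files, mtime=0), build_archive(files, mtime=1700000000)
    return (archive_sha256(old) == archive_sha256(new),
            content_sha256(old) == content_sha256(new))
```

Running `compare()` returns `(False, True)`: a build that pins the archive digest fails on the regenerated archive, while one that pins the content digest keeps passing.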
In this article, we examine the rising trend of cyber attacks directed at the software supply chain, as well as recent regulatory advancements and best practice frameworks that have arisen in response to this growing danger. We will also shed light on the need for a fresh strategy to secure your software supply chain, one that surpasses current application security measures. We will illustrate why current investments in application security offer some protection, but do not completely mitigate your cyber security risks in this area. Finally, we will outline what is necessary to complement them for full protection. (Scribe - E2E Software Supply Chain Security)
Organizations need to understand that not all SBOM offerings from vendors are alike. The ideal SBOM solution delivers critical, real-time visibility into an organization's software environments to manage risk. Key capabilities include understanding every software component at runtime, addressing any vulnerabilities or misconfigurations found, taking quick action to mitigate supply chain risk, and optimizing investments in third-party tools. (CIO Online)
The Biden administration proposed federal IT spending totaling $74.4 billion in fiscal 2024, which is an almost $9 billion increase over the requested funding for fiscal 2023, in a bid to strengthen federal cybersecurity and digital service delivery, FedScoop reports. Cybersecurity-related efforts, particularly zero-trust security implementation, post-quantum cryptography, and software supply chain security, will account for $12.7 billion of the requested funding, most of which will be allocated to the DHS and the Cybersecurity and Infrastructure Security Agency. (SC Magazine)
Resource Round Up
Download this new eBook to learn why traditional application security testing tools alone leave your organization exposed to supply chain attacks — and how software supply chain security tools represent an evolution of traditional application security tools, ensuring end-to-end software security.
Secrets hardcoded or exposed in software release packages or containers are a challenge all development teams face – and a boon for cybercriminals with automated means to find them and gain access for supply chain attacks. Learn which secure software development best practices to put in place today to stop attacks from happening tomorrow.