Tag Archive for: supplychain

Zero-day, supply-chain attacks drove data breach high for 2023


“The complexity of modern software supply chains adds to this challenge, as it can hide potential security flaws and make comprehensive vetting difficult,” Neal adds.

Number of data breaches rise, but fewer victims

While the number of data breaches was up, the ITRC found a decline in the number of victims affected by the compromises, to 353,027,892, a 16% decline from 425,212,090 in 2022. That decline is part of a longer trend. “If you go back to 2018, which was the high point for victim count, we’re down 84%,” Lee says. “Identity thieves have changed their tactics. They’re more targeted, both in what they’re attacking and the information that they’re seeking.”

“Attackers today who want personal identifying information are more able to target the right systems,” Bach says. “If you’re more precise about the systems that you target, there’s going to be less collateral damage. That’s how we can see the number of attacks go up while the number of affected individuals goes down.”

“The breaches we’re seeing affect organizations more directly than individuals,” adds Luciano Allegro, co-founder and CMO of BforeAi, a threat intelligence company. “Many companies have stepped up their data privacy efforts due to GDPR and CCPA, but they are so focused on this aspect of data protection that they overlook the rest of their infrastructure.”

Supply-chain and zero-day attacks will continue to rise

The ITRC also reported that nearly 11% of all publicly traded companies were compromised in 2023 and that while most industries saw modest increases, healthcare, financial services, and transportation reported more than double the number of compromises compared to 2022.

For the coming year, Lee expects breach numbers to continue to trend upwards. “I don’t see any reason for it to go down,” he says. “With the increase in supply-chain and zero-day attacks, I believe we’re going to see another year of increases.”

Source…

ChatGPT Hallucinations Open Developers to Supply-Chain Malware Attacks


Attackers can exploit ChatGPT’s penchant for returning false information to spread malicious code packages, researchers have found. This poses a significant risk for the software supply chain, as it can allow malicious code and trojans to slide into legitimate applications and code repositories like npm, PyPI, GitHub and others. 

By leveraging so-called “AI package hallucinations,” threat actors can create ChatGPT-recommended, yet malicious, code packages that a developer could inadvertently download when using the chatbot, building them into software that then is used widely, researchers from Vulcan Cyber’s Voyager18 research team revealed in a blog post published today. 

In artificial intelligence, a hallucination is a plausible response by the AI that’s insufficient, biased, or flat-out not true. They arise because ChatGPT (and other large language models or LLMs that are the basis for generative AI platforms) answer questions posed to them based on the sources, links, blogs, and statistics available to them in the vast expanse of the Internet, which are not always the most solid training data. 

Due to this extensive training and exposure to vast amounts of textual data, LLMs like ChatGPT can generate “plausible but fictional information, extrapolating beyond their training and potentially producing responses that seem plausible but are not necessarily accurate,” lead researcher Bar Lanyado of Voyager18 wrote in the blog post, also telling Dark Reading, “it’s a phenomenon that’s been observed before and seems to be a result of the way large language models work.”

He explained in the post that in the developer world, AIs also will also generate questionable fixes to CVEs and offer links to coding libraries that don’t exist — and the latter presents an opportunity for exploitation. In that attack scenario, attackers might ask ChatGPT for coding help for common tasks; and ChatGPT might offer a recommendation for an unpublished or non-existent package. Attackers can then publish their own malicious version of the suggested package, the researchers said, and wait for ChatGPT to give legitimate developers the same recommendation for it.

How to Exploit an…

Source…

SolarWinds: The Untold Story of the Boldest Supply-Chain Hack


But they had been at it only 24 hours when they found the passage they’d been looking for: a single file that appeared to be responsible for the rogue traffic. Carmakal believes it was December 11 when they found it.

The file was a .dll, or dynamic-link library—code components shared by other programs. This .dll was large, containing about 46,000 lines of code that performed more than 4,000 legitimate actions, and—as they found after analyzing it for an hour—one illegitimate one.

The main job of the .dll was to tell SolarWinds about a customer’s Orion usage. But the hackers had embedded malicious code that made it transmit intelligence about the victim’s network to their command server instead. Ballenthin dubbed the rogue code “Sunburst”—a play on SolarWinds. They were ecstatic about the discovery. But now they had to figure out how the intruders had snuck it into the Orion .dll.

This was far from trivial. The Orion .dll file was signed with a SolarWinds digital certificate, which was supposed to verify that the file was legitimate company code. One possibility was that the attackers had stolen the digital certificate, created a corrupt version of the Orion file, signed the file to make it look authentic, then installed the corrupt .dll on Mandiant’s server. Or, more alarmingly, they might have breached SolarWinds’ network and altered the legitimate Orion .dll source code before SolarWinds compiled it—converting the code into software—and signed it. The second scenario seemed so far-fetched that the Mandiant crew didn’t really consider it—until an investigator downloaded an Orion software update from the SolarWinds website. The backdoor was in it.

The implication was staggering. The Orion software suite had about 33,000 customers, some of whom had started receiving the hacked software update in March. That meant some customers might have been compromised for eight months already. The Mandiant team was facing a textbook example of a software-supply-chain attack—the nefarious alteration of trusted software at its source. In a single stroke, attackers can infect thousands, potentially millions, of machines.

In 2017 hackers had sabotaged a software supply…

Source…

3CX hack highlights risk of cascading software supply-chain compromises


At the end of March, an international VoIP software company called 3CX with over 600,000 business customers suffered a serious software supply-chain compromise that resulted in both its Windows and macOS applications being poisoned with malicious code. New evidence suggests the attackers, believed to be North Korean state-sponsored hackers, gained access to the company’s network and systems as a result of a different software supply-chain attack involving a third-party application for futures trading.

“The identified software supply chain compromise is the first we are aware of which has led to a cascading software supply chain compromise,” incident responders from cybersecurity firm Mandiant, who was contracted to investigate the incident, said in a report Thursday. “It shows the potential reach of this type of compromise, particularly when a threat actor can chain intrusions as demonstrated in this investigation.”

The North Korean connection to the 3CX attack

The 3CX hack involved attackers compromising the company’s internal software build servers for Windows and macOS because of lateral movement activity through the company’s network. As a result, they were able to inject malicious libraries into versions of the 3CX Desktop App for Windows and macOS and have them be signed with the developer’s certificate during the build process. The trojanized versions were then delivered as part of the update process.

Windows versions 18.12.407 and 18.12.416 that were shipped in Update 7 were impacted, as well as macOS versions 18.11.1213 shipped with Update 6, and 18.12.402, 18.12.407 and 18.12.416 included in Update 7.

The trojanized Windows version deployed an intermediate malware downloader that Mandiant named SUDDENICON that reaches out to a GitHub repository to obtain command-and-control (C2) addresses hidden inside icon files. The downloader then contacts the C2 server and deploys an information stealer dubbed ICONICSTEALER that collects application configuration data as well as browser history.

Researchers from Kaspersky Lab reported that in some cases the attackers deployed an additional backdoor program on some 3CX victims. This backdoor is known as…

Source…