Have we learned anything from SolarWinds supply chain attacks?

From frameworks to new federal offices, it's time to get busy

The hack of SolarWinds' software more than two years ago pushed the threat of software supply chain attacks to the front of security conversations, but is anything being done?

In a matter of days this week, at least four disparate efforts to shore up supply chain security were declared, an example of how front-of-mind such risks have become and a push from vendors and developers to reduce them.

The threat is growing. Gartner expects that by 2025, 45 percent of organizations globally will have experienced a software supply chain attack, a three-fold jump from 2021. It's not a surprise, according to Neatsun Ziv, CEO of startup Ox Security, which is building an open MITRE ATT&CK-like framework that enterprises can use to check their software supply chains.

"These kinds of attacks become super, super lucrative just because the [hits] that you could get from a single weapon is not proportional to anything else you see in the industry," Ziv told The Register.

As with the SolarWinds attack, a miscreant can inject malicious code into a piece of software before it is shipped to customers, compromising their systems in turn. Organizations seem to be slow in catching up to this.

More recently, attackers have targeted code repositories like GitHub and PyPI and companies like CI/CD platform provider CircleCI, an incident that expanded the definition of a supply chain attack, according to Matt Rose, field CISO for cybersecurity vendor ReversingLabs.

"What the CircleCI incident illustrates is that organizations have to not only be concerned about malware being injected into a compiled object or deliverable, but also of the tooling used to build them," Rose wrote in a blog post. "That's why the CircleCI hack is an eye opener to a lot of organizations out there."

One framework for them all

The OSC&R (Open Software Supply Chain Attack Reference) was launched this week, founded by Ziv – former vice president of cybersecurity at Check Point – and other security pros with background at such places as Google, Microsoft, GitLab, and Fortinet.

The idea is to give enterprises a common framework for evaluating and measuring the risk to their supply chains, something that has traditionally been done with intuition and experience. OSC&R will give organizations a common language and tools for understanding attack tactics and defenses, prioritizing threats, and tracking threat group behavior.

It will be updated as new tactics crop up, will help with red-team penetration exercises, and will take contributions from other vendors. The group took concepts for ransomware and endpoints used in MITRE ATT&CK and applied them to the supply chain.

"The challenge was that there was no framework to get us from a basic understanding to our ability to check our environment if we are susceptible to the supply chain attacks," Ziv said.

The framework touches on nine key areas – such as container and open-source security, secrets hygiene, and CI/CD posture – and outlines the techniques used by attackers in such areas as initial access, persistence, privilege escalation, and defense evasion. It will grow in both features and contributors, he said.

The OpenVEX spec

In the same spirit, supply chain security vendor Chainguard is heading up a group that includes HPE, VMware, and The Linux Foundation to jumpstart the adoption of the Vulnerability Exploitability eXchange (VEX), a tool for addressing vulnerabilities in enterprise software. It's supported by agencies like the US National Telecommunications and Information Administration (NTIA) and the Cybersecurity and Infrastructure Security Agency (CISA).

Enter the OpenVEX specification and reference toolchain

"Up until today, VEX has been a concept the industry has invested time debating and building minimum requirements around," Chainguard founder and CEO Dan Lorenc wrote. "With the release of OpenVEX, organizations can now put VEX into practice."

OpenVEX will work as a companion to software bills of materials (SBOMs), which help with transparency but can create "noise" in the industry, Lorenc wrote. With OpenVEX, suppliers can more precisely describe how exploitable their products are and help end users filter out false positives.

Chainguard has put OpenVEX into some of its products, including its Wolfi container-specific Linux distribution and its Images line of secure-by-default container base images.
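To make the "filter out false positives" idea concrete, here is an added example (not Chainguard's code or the OpenVEX reference toolchain) that triages constructed scanner findings against a constructed OpenVEX document. The JSON layout follows my reading of the OpenVEX spec, and the CVE ids and package URLs are placeholders; it also shows the caveat that a `not_affected` claim with no justification should not silence a finding.

```python
import json
# Constructed sample OpenVEX document, not a real advisory. Field names follow my
# reading of the OpenVEX spec; CVE ids and package URLs are placeholders.
VEX_DOC = json.loads("""{
  "@context": "https://openvex.dev/ns", "version": 1,
  "@id": "https://example.invalid/vex/placeholder-001",
  "author": "Example Supplier (constructed)", "timestamp": "2023-02-03T12:00:00Z",
  "statements": [
    {"vulnerability": {"name": "CVE-0000-0001"}, "status": "not_affected",
     "products": [{"@id": "pkg:apk/example/libfoo@1.2.3"}],
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-0000-0002"}, "status": "fixed",
     "products": [{"@id": "pkg:apk/example/libfoo@1.2.3"}]},
    {"vulnerability": {"name": "CVE-0000-0003"}, "status": "not_affected",
     "products": [{"@id": "pkg:apk/example/libbar@2.0.0"}]}
  ]
}""")
# Constructed scanner output: (package URL, vulnerability id) pairs an
# SBOM-driven scanner would raise before any VEX filtering.
FINDINGS = [
    ("pkg:apk/example/libfoo@1.2.3", "CVE-0000-0001"),
    ("pkg:apk/example/libfoo@1.2.3", "CVE-0000-0002"),
    ("pkg:apk/example/libbar@2.0.0", "CVE-0000-0003"),
    ("pkg:apk/example/libbar@2.0.0", "CVE-0000-0004"),
]
SUPPRESSIBLE = {"not_affected", "fixed"}  # statuses a consumer may filter out

def index_statements(vex_doc):
    """Map (product id, vulnerability name) -> statement; a later one wins."""
    idx = {}
    for st in vex_doc["statements"]:
        for prod in st["products"]:
            idx[(prod["@id"], st["vulnerability"]["name"])] = st
    return idx

def triage(findings, vex_doc):
    """Split findings into (actionable, suppressed); unknown, affected,
    under_investigation and unjustified not_affected all stay actionable."""
    idx = index_statements(vex_doc)
    actionable, suppressed = [], []
    for purl, vuln in findings:
        st = idx.get((purl, vuln))
        if st is None:
            actionable.append((purl, vuln, "no VEX statement"))
        elif st["status"] == "not_affected" and not (
                st.get("justification") or st.get("impact_statement")):
            actionable.append((purl, vuln, "not_affected without justification"))
        elif st["status"] in SUPPRESSIBLE:
            suppressed.append((purl, vuln, st["status"]))
        else:
            actionable.append((purl, vuln, st["status"]))
    return actionable, suppressed
```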

For its part, cybersecurity vendor Checkmarx is building onto the supply chain security offering it released in March 2022 with a threat intelligence tool that focuses on the supply chain. It includes information such as identifying malicious packages by the type of attack – like typosquatting or dependency confusion – analysis of the operators behind the attack, how the packages operate, and the historical data behind them.

"This intel is all about tracking purpose-built, malicious packages that often contain ransomware, cryptomining code, remote code execution, and other common types of malware," wrote Stephen Gates, principal content marketing manager for Checkmarx.

CISA on the move

CISA reportedly is creating an office to address supply chain security and work with the public and private sectors to put federal policies in place. According to a report in the Federal News Network, Shon Lyublanovits is leading the initiative. She heads the project management office for cyber supply chain risk management (C-SCRM), which is part of CISA's cybersecurity division.

The issues the office will address range from counterfeit components to open-source software vulnerabilities.

It's the latest step for CISA, which has had a focus on supply chain security since creating a task force for IT and communications technology supply chain risk in 2018.

Varun Badhwar, co-founder and CEO at supply chain security vendor Endor Labs, applauded CISA's decision to create the office, telling The Register that establishing "a new capability at such a high level stands out as a milestone."

However, it's important to understand the complexities of the problem, Badhwar said. Open-source components run throughout the software lifecycle, and organizations need to first secure the open-source software they use. Enterprises and agencies use an average of more than 40,000 open-source software packages downloaded by developers, and each of those can bring in another 77 dependencies.

"This causes a massive, ungoverned sprawl that increases the supply chain attack surface across multiple dimensions," he said, adding that Endor Labs has found that 95 percent of open source vulnerabilities are found in the transitive dependencies. ®
