Software Supply Chain Attacks

As software supply chain attacks emerge as a point of concern in the wake of the SolarWinds and Codecov security incidents, Google is proposing a solution to ensure the integrity of software packages and prevent unauthorized modifications.

Called “Supply chain Levels for Software Artifacts” (SLSA, and pronounced “salsa”), the end-to-end framework aims to secure the software development and deployment pipeline — i.e., the source ➞ build ➞ publish workflow — and mitigate threats that arise out of tampering with the source code, the build platform, and the artifact repository at every link in the chain.


Google said SLSA is inspired by the company’s own internal enforcement mechanism called Binary Authorization for Borg, a set of auditing tools that verifies code provenance and implements code identity to ascertain that the deployed production software is properly reviewed and authorized.

“In its current state, SLSA is a set of incrementally adoptable security guidelines being established by industry consensus,” said Kim Lewandowski of Google Open Source Security Team and Mark Lodato of the Binary Authorization for Borg Team.


“In its final form, SLSA will differ from a list of best practices in its enforceability: it will support the automatic creation of auditable metadata that can be fed into policy engines to give ‘SLSA certification’ to a particular package or build platform.”

The SLSA framework promises end-to-end software supply chain integrity and is designed to be both incremental and actionable. It comprises four levels of progressively stronger software security, with SLSA 4 offering a high degree of confidence that the software has not been improperly tampered with.

  • SLSA 1 — Requires that the build process be fully scripted/automated and generate provenance
  • SLSA 2 — Requires using version control and a hosted build service that generates authenticated provenance
  • SLSA 3 — Requires that the source and build platforms meet specific standards to guarantee the auditability of the source and the integrity of the provenance
  • SLSA 4 — Requires a two-person review of all changes and a hermetic, reproducible build process
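The announcement says SLSA provenance is meant to be fed into policy engines. The following added example (not Google's SLSA code, and not the real SLSA/in-toto provenance format) evaluates a constructed provenance record against the four level requirements listed above; the record schema, the `example-ci` service name and the `example.invalid` repository are assumptions for illustration.

```python
import hashlib
import json

# Constructed provenance record in a simplified, assumed schema (not the
# real SLSA/in-toto format); a policy engine would receive something like it.
SAMPLE_PROVENANCE = json.dumps({
    "artifact": {"name": "app-1.4.2.tar.gz",
                 "sha256": hashlib.sha256(b"constructed artifact bytes").hexdigest()},
    "source": {"vcs": "git", "uri": "https://example.invalid/org/app",
               "revision": "0123abcd", "approvals": 2},
    "build": {"scripted": True, "hosted_service": "example-ci",
              "hermetic": True, "reproducible": True},
    "provenance": {"generated_by": "example-ci", "signature_valid": True,
                   "non_falsifiable": True},
})


def _requirements(rec):
    """Map each SLSA level to (description, satisfied) checks, following the
    four level definitions in the announcement."""
    src, bld, prov = rec["source"], rec["build"], rec["provenance"]
    return {
        1: [("build is scripted/automated", bld.get("scripted") is True),
            ("provenance is generated", bool(prov))],
        2: [("source is under version control", src.get("vcs") in ("git", "hg")),
            ("build ran on a hosted build service", bool(bld.get("hosted_service"))),
            ("provenance is authenticated (signature verified)",
             prov.get("signature_valid") is True)],
        3: [("provenance was generated by the build service itself",
             prov.get("generated_by") == bld.get("hosted_service")),
            ("provenance is non-falsifiable", prov.get("non_falsifiable") is True)],
        4: [("two-person review of all changes", src.get("approvals", 0) >= 2),
            ("hermetic build", bld.get("hermetic") is True),
            ("reproducible build", bld.get("reproducible") is True)],
    }


def slsa_level(provenance_json, artifact_bytes=None):
    """Return (highest level satisfied, unmet requirements of the next level).

    Levels are cumulative, so evaluation stops at the first level that fails.
    If the artifact bytes are supplied, their digest must match the provenance
    first: provenance for a different artifact proves nothing about this one."""
    rec = json.loads(provenance_json)
    if artifact_bytes is not None:
        if hashlib.sha256(artifact_bytes).hexdigest() != rec["artifact"]["sha256"]:
            return 0, ["artifact digest does not match provenance"]
    level, unmet = 0, []
    for lvl, checks in sorted(_requirements(rec).items()):
        missing = [desc for desc, ok in checks if not ok]
        if missing:
            unmet = [f"SLSA {lvl}: {m}" for m in missing]
            break
        level = lvl
    return level, unmet


def with_field(provenance_json, section, key, value):
    """Return a copy of the record with one field changed (for what-if checks)."""
    rec = json.loads(provenance_json)
    rec[section][key] = value
    return json.dumps(rec)


if __name__ == "__main__":
    print(slsa_level(SAMPLE_PROVENANCE, b"constructed artifact bytes"))
    # A build without two-person review tops out at SLSA 3.
    print(slsa_level(with_field(SAMPLE_PROVENANCE, "source", "approvals", 1)))
    # Provenance whose signature did not verify cannot claim SLSA 2 or above.
    print(slsa_level(with_field(SAMPLE_PROVENANCE, "provenance", "signature_valid", False)))
```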

“Higher SLSA levels require stronger security controls for the build platform, making it more difficult to compromise and gain persistence,” Lewandowski and Lodato noted.

While SLSA 4 represents the ideal end state, the lower levels provide incremental integrity guarantees while making it harder for malicious actors to stay concealed in a breached developer environment for extended periods of time.


Along with the announcement, Google has shared additional details about the Source and Build requirements that need to be satisfied, and is also calling on the industry to standardize the system and define a threat model that details specific threats SLSA hopes to address in the long term.

“Achieving the highest level of SLSA for most projects may be difficult, but incremental improvements recognized by lower SLSA levels will already go a long way toward improving the security of the open source ecosystem,” the company said.

It’s natural to get complacent with the status quo when things seem to be working. The familiar is comfortable, and even if something better comes along, it brings with it many unknowns.

In cybersecurity, this tendency is countered by the fast pace of innovation and how quickly technology becomes obsolete, often overnight.

This combination usually results in one of two things – organizations make less than ideal choices about the software and tools they’re adding, or security leaders simply cannot stay abreast of new developments and opt to stay put with their existing stack.

The problem is that once you let one update pass you by, you’re suddenly miles behind. A new eBook from XDR provider Cynet (download here) offers insights into factors that are clear signs organizations need to upgrade their detection and response tools to stay with the times.

The eBook highlights several factors and questions that companies can ask themselves to determine whether they are okay with the level of security they have, or if they should upgrade their detection and response capabilities.

Looking for signs

There’s a variety of reasons why an organization’s detection and response tools might need a refresh, ranging from the critical to the less obvious.

One of the first signs, however, is clear for most organizations – the number of alerts they must sift through daily.

Today’s security stacks produce thousands of alerts daily, forcing many teams to pick and choose which they can investigate and for how long. As a result, critical alerts are prioritized, but they only make up a small percentage of the total amount.

Ideally, an organization should explore every alert – even the false positives. The inability to cope with alerts, or simply reduce the number of alerts, is a clear indicator that organizations should upgrade their security stack.

The eBook also takes aim at security stacks and tools that require dozens of add-ons and extensions to operate adequately.

For many organizations, installing and setting up a new EDR includes the process of finding the extensions that offer the tools necessary. Even worse, in some cases, add-ons are required simply to provide baseline services. On the other hand, the eBook argues, XDRs come set up out of the box to provide all the tools and features necessary to offer full functionality.

Some of the other signs you might need a new detection and response tool include:

  • If only one person knows how to operate and manage an organization’s EDR. Large security stacks have steep learning curves, and most organizations don’t have the skills or resources to devote to training a whole team. So, a single person gets appointed to manage and orchestrate the security strategy. This is problematic for several reasons and is a key indicator a simplified tool such as an XDR can help.
  • If your existing EDR suddenly claims to have upgraded to XDR, without any notable changes. A side effect of a rapidly evolving industry is that every vendor wants to hop on the next big thing – in this case, XDR. Therefore, many vendors will claim to offer XDR or “XDR-like” capabilities without actually offering a noticeable improvement or even added functionality.
  • If you look longingly at deception technology, but can’t afford it. Some tools are still not quite necessities, but they’re valuable assets to have. The problem, as is the case with deception technology, is that it’s costly and complicated to set up. On the other hand, a solution that has it included natively offers significant benefits.

You can learn more about indicators of whether you need a new detection and response tool here.

Six previously “under-attacked” vertical industries saw a surge in data breaches last year due to COVID-19 related disruptions and other factors, new data shows.

Though no industry is immune from cyberattacks, a few have traditionally been less affected by them than others. A new study shows that may no longer be the case.

An analysis that Kroll conducted of data breach notifications in 2020 showed a sharp increase in attacks against organizations in what it identified as six traditionally “under-attacked” industries: food and beverage, utilities, construction, entertainment, agriculture, and recreation.

Attacks against organizations across these industries jumped by an average of 545% compared to 2019. When Kroll broke the data down by industry, it found some sectors experienced significantly higher breach increases than others. For example, data-breach notifications in the food and beverage industry shot up 1,300% in 2020 while that within the construction sector increased 800%.

Kroll also observed a 400% jump in breach notifications within the utility sector, including electric utility companies, water companies, and utilities infrastructure. Already, as of April 2021, the number of breaches in this sector has surpassed all of 2020 by 25%. Because Kroll’s report only considered incidents that led to breach notifications, it does not include incidents involving operational technology (OT) and industrial control system (ICS) environments.

At the other end of the spectrum, breach notifications in the entertainment industry showed a 33% increase over the previous year.

The increased number of breaches within the six industries—a pattern that has continued in the first quarter of 2021—came against the backdrop of an overall surge in the volume of data-breach notifications last year due to shifts in work environments caused by the global COVID-19 pandemic.

Kroll’s data showed a 140% increase in data breach notifications from 2019 to 2020 across all verticals. That number represented one of the highest year-over-year jumps in breach notifications that Kroll has observed, says Brian Lapidus, global practice leader for Kroll’s identity theft and breach notification practice.

Cybercriminals continued to hammer away at organizations in usually heavily targeted industries such as financial services, healthcare, and education. In volume, the raw number of breaches within each of these sectors continued to heavily outnumber breach disclosures in the six traditionally under-attacked sectors. For example, the average number of breaches within the most heavily attacked sectors in 2020 was 104, compared to an average of 12 breaches in the historically less-targeted sectors.

Even so, the increase in breaches within the food and beverage, utilities, construction, entertainment, agriculture, and recreation sectors showed that data breaches have become broader and deeper, Kroll said in its breach report this week. It’s a trend that organizations can expect will continue at least through the post-COVID-19 recovery period, Lapidus says.

“Based on the data in our findings, we expect the trend to continue for the rest of the year,” he says. “[But] as employees return to offices later in the year and in 2022, with more security systems and monitoring in place, the trend should reverse and with additional security spends, it should go down further.”

Multiple Driving Factors

Kroll’s study showed that the increased breach-notification volumes in sectors that were less prone to such incidents in the past was tied to four trends: the shift to remote work triggered by the pandemic; the growth of the ransomware industry; an increase in supply chain vulnerabilities; and stricter data privacy regulations.

Kroll, like numerous other vendors, found an increase in COVID-19 themed spear-phishing attacks targeting remote employees as well as more malicious activity targeting VPNs, Microsoft 365, and other platforms supporting remote workers. In sectors like food and beverage, many businesses increased direct-to-consumer digital transactions because of the pandemic, resulting in greater exposure to attacks targeting credit and debit card data.

Supply chain issues, such as leaky file transfer repositories, email platforms, and attacks on fundraising platforms were another factor. Lapidus says Kroll is unable to share specific examples of supply chain-related incidents that the company has handled. “We have seen a rise in the impact of all types of supply chain attacks,” he says. “Exploit against security vulnerabilities for these six industries have grown rapidly via cybercrime groups.”

Similarly, ransomware attacks have impacted organizations in the six sectors just like they have impacted entities in almost every other sector. A greater awareness of breach notification obligations under privacy regulations such as the California Consumer Privacy Act was the fourth factor that contributed to a higher number of breaches being disclosed in the six industries last year.

Lapidus says these latest vertical industry breach victims spent less on cybersecurity and had less mature security processes compared to more heavily targeted sectors such as financial services and healthcare. But the disruptions caused by the pandemic are driving change.

“We are seeing increased attention toward cybersecurity in these less traditionally targeted industries, which is a very positive trend,” he says.

The initial focus has been on employee awareness and security culture training, as well as on gaining better visibility across endpoints using EDR and MDR. There is also more attention being paid to tightening remote work infrastructures such as VPN and RDP.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …


For countries that wished to move goods and treasure back in the 16th and 17th centuries, wind-powered sailing ships and ocean transit were the only option. And pirates were a major, major problem. Pirate gangs like those headed by Edward Teach (better known as Blackbeard), the Barbarossa brothers and Captain William Kidd plied the Caribbean Sea, the Gulf of Mexico and the coast of Central and South America (aka “The Spanish Main”), the Mediterranean, the Indian Ocean and elsewhere, seizing cargo including gold, jewelry and raw materials that fueled the home economies of colonizing nations like England, Spain and Portugal.


Andy Jaquith
Andy Jaquith is the CSO at QOMPLX.

Modern Problem, Ancient Roots

The groups were a persistent menace, but they weren’t merely crooks. Many operated as “privateers,” helping to further the interests and ambitions of sponsor nations, like England and Spain. Sir Francis Drake is best known for circumnavigating the globe, but he was also a pirate of the first order: raiding Spanish colonial settlements in what is now Mexico and the West Coast of the United States on his way around the world. And he operated with the support of England’s Queen Elizabeth, who was interested in weakening the strength of the Spanish Navy on the high seas.


All that complexity bears a striking resemblance to a modern scourge on commerce: ransomware. Today, ransomware gangs – like pirates of yore – swoop in on businesses, critical infrastructure owners and public sector agencies with no notice, holding them hostage for ransoms and stealing sensitive data. Behind these groups lurk sponsor nations, first and foremost Russia, which give them safe harbor to operate and benefit, indirectly, from the chaos they sow in rival economies.

Joey, Talk to Russia (about Ransomware)

That’s why ransomware was very much on the agenda when Russian Prime Minister Vlad Putin and President Joe Biden met in Geneva this week. Among other things, Biden was expected to push Putin on that country’s practice of allowing ransomware gangs to operate from within its borders. And, while there were no clear agreements reached about cyber security cooperation at the summit, there is evidence that industrialized nations are waking up to the threat posed by these groups.


To discuss what lessons history might hold for them as they confront this 21st century form of pirating, we invited Andy Jaquith back into the SL studios. Andy is the CSO at the firm QOMPLX and an expert on cyber security with a background in political science and economics. In this conversation we talk about the deep similarities between the ransomware scourge of the early 21st century and the problems posed by pirates to seafaring nations back in the 16th, 17th and 18th centuries. We also discuss what lessons the rise – and fall – of piracy might have for countries interested in putting a check on ransomware groups.

As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.

People always ask me if law enforcement is having any luck in combatting cyber criminals. Let me be clear: it is a very tough job to take down cyber criminals located in other countries or sponsored by foreign nations. Our government is focusing on cyber criminals more than I have ever seen before, and the effort is promising.

Not only did the Department of Justice (DOJ) lead an effort to recoup the ransom paid by Colonial Pipeline, but it also just took down (I love that term), with the help of international law enforcement, an online marketplace, Slilpp, that was selling stolen login credentials for banking and online payment platforms.

An unsealed affidavit for a warrant requested by the DOJ states that victims have reported over $200 million in losses in the U.S. The Slilpp marketplace sold login credentials for more than 1,400 account providers before law enforcement took them down.

According to the DOJ: “[W]ith today’s coordinated disruption of the Slilpp marketplace, the FBI and our international partners sent a clear message to those who, as alleged, would steal and traffic in stolen identities: we will not allow cyber threats to go unchecked…. We applaud the efforts of the FBI and our international partners who contributed to the effort to mitigate this global threat.”

The FBI and DOJ are tirelessly chasing cyber criminals and their efforts are paying off for all of us. They deserve huge credit for their persistence and efforts.

On June 3, 2021, the U.S. Supreme Court issued its first-ever interpretation of the Computer Fraud and Abuse Act (CFAA), the federal criminal and civil statute intended to deter and punish unauthorized access to computer systems. The decision in Van Buren v. United States adopts a narrow construction of a key provision of the CFAA addressing whether a computer user “exceeds authorized access.” In doing so, the Court echoed the concerns of many commentators who have warned against a broad reading of the statute that might over-criminalize computer activity.

The Court’s decision removed the CFAA as a tool to address certain circumstances when someone accesses a computer in violation of an authorized purpose, such as violations of workplace technology policies or a website’s terms of service. In Van Buren, the Court rejected the argument that violation of a purpose-based restriction can be the basis for a violation of this portion of the CFAA. Because this type of conduct is not actionable under the CFAA, companies may turn to technological access controls to control sensitive data rather than relying on internal policies.

The Court’s limits on the scope of the CFAA may be favorable to cybersecurity researchers, who often access computer systems in violation of terms-of-use to detect security vulnerabilities or other threats. Until Van Buren, white-hat cybersecurity researchers were deterred from carrying out such tests due to the threat of criminal prosecution under the CFAA for exceeding authorized access. Click here to read the full article on this and get more details.


A Middle Eastern advanced persistent threat (APT) group has resurfaced after a two-month hiatus to target government institutions in the Middle East and global government entities associated with geopolitics in the region in a rash of new campaigns observed earlier this month.

Sunnyvale-based enterprise security firm Proofpoint attributed the activity to a politically motivated threat actor it tracks as TA402, and known by other monikers such as Molerats and GazaHackerTeam.

The threat actor is believed to have been active for a decade, with a history of striking organizations primarily located in Israel and Palestine, spanning multiple verticals such as technology, telecommunications, finance, academia, military, media, and government.


The latest wave of attacks commenced with spear-phishing emails written in Arabic and containing PDF attachments that come embedded with a malicious geofenced URL to selectively direct victims to a password-protected archive only if the source IP address belongs to the targeted countries in the Middle East.

Recipients who fall outside of the target group are diverted to a benign decoy website, typically Arabic language news websites like Al Akhbar (www.al-akhbar.com) and Al Jazeera (www.aljazeera.net).


“The password protection of the malicious archive and the geofenced delivery method are two easy anti-detection mechanisms threat actors can use to bypass automatic analysis products,” the researchers said.

The last step in the infection chain involved extracting the archive to drop a custom implant called LastConn, which Proofpoint said is an upgraded or new version of a backdoor called SharpStage that was disclosed by Cybereason researchers in December 2020 as part of a Molerats espionage campaign targeting the Middle East.


Besides displaying a decoy document when LastConn is run for the first time, the malware relies heavily on the Dropbox API to download and execute files hosted on the cloud service, in addition to running arbitrary commands and capturing screenshots, the results of which are subsequently exfiltrated back to Dropbox.

If anything, the ever-evolving toolset of TA402 underscores the group’s continued focus on developing and modifying customized malware implants in an attempt to sneak past defenses and thwart detection.

“TA402 is a highly effective and capable threat actor that remains a serious threat, especially to entities operating in and working with government or other geopolitical entities in the Middle East,” the researchers concluded. “It is likely TA402 continues its targeting largely focused on the Middle East region.”

Threat actors with suspected ties to Iran have been found to leverage instant messaging and VPN apps like Telegram and Psiphon to install a Windows remote access trojan (RAT) capable of stealing sensitive information from targets’ devices since at least 2015.

Russian cybersecurity firm Kaspersky, which pieced together the activity, attributed the campaign to an advanced persistent threat (APT) group it tracks as Ferocious Kitten, a group that has singled out Persian-speaking individuals allegedly based in the country while successfully operating under the radar.

“The targeting of Psiphon and Telegram, both of which are quite popular services in Iran, underlines the fact that the payloads were developed with the purpose of targeting Iranian users in mind,” Kaspersky’s Global Research and Analysis Team (GReAT) said.


“Moreover, the decoy content displayed by the malicious files often made use of political themes and involved images or videos of resistance bases or strikes against the Iranian regime, suggesting the attack is aimed at potential supporters of such movements within the country.”

Kaspersky’s findings emerge from two weaponized documents that were uploaded to VirusTotal in July 2020 and March 2021 that come embedded with macros, which, when enabled, drop next-stage payloads to deploy a new implant called MarkiRat.

The backdoor allows adversaries broad access to a victim’s personal data, comprising features to record keystrokes, capture clipboard content, download and upload files, as well as the ability to execute arbitrary commands on the victim machine.

In what appears to be an attempt to expand their arsenal, the attackers also experimented with different variants of MarkiRat that were found to intercept the execution of apps like Google Chrome and Telegram in order to launch the malware and keep it persistent on the computer, which also makes it much harder to detect or remove. One of the discovered artifacts is a backdoored version of Psiphon, an open-source VPN tool often used to evade internet censorship.

Another recent variant involves a plain downloader that retrieves an executable from a hardcoded domain, with the researchers noting that the “use of this sample diverges from those used by the group in the past, where the payload was dropped by the malware itself, suggesting that the group might be in the process of changing some of its TTPs.”


What’s more, the command-and-control infrastructure is also said to have hosted Android applications in the form of DEX and APK files, raising the possibility that the threat actor is also simultaneously developing malware aimed at mobile users.

Interestingly, the tactics adopted by the adversary overlap with other groups that operate against similar targets, such as Domestic Kitten and Rampant Kitten, with Kaspersky finding parallels in the way the actor used the same set of C2 servers over extended periods of time and attempted to gather information from KeePass password manager.

“Ferocious Kitten is an example of an actor that operates in a wider ecosystem intended to track individuals in Iran,” the researchers concluded. “Such threat groups do not appear to be covered that often and can therefore get away with casually reusing infrastructure and toolsets without worrying about them being taken down or flagged by security solutions.”


A solid password policy is the first line of defense for your corporate network. Protecting your systems from unauthorized users may sound easy on the surface, but it can actually be quite complicated. You have to balance password security with usability, while also following various regulatory requirements.

Companies in the EU must have password policies that are compliant with the General Data Protection Regulation (GDPR). Even if your company isn’t based in the EU, these requirements apply if you have employees or customers residing in the EU or customers purchasing there.

In this post, we will look at GDPR requirements for passwords and provide practical tips on how to design your password policy. Remember, even if GDPR isn’t required for you now, the fundamentals of a data protection regulation plan can help strengthen your organization’s security.

Password requirements for GDPR compliance

You may be surprised to discover that the GDPR laws do not actually mention password policies at all. If you simply read the text, you may initially believe that a company can implement any password policy, without having any concerns over GDPR compliance.

However, the GDPR laws will impact password policy under the umbrella of prevention.

Preventing unauthorized access to information

Any information that a company gathers from customers or other sources needs to be properly protected under GDPR compliance. This means having strong security measures to prevent hackers, and other unauthorized individuals, from gaining access to this data.

As we all know, one of the most important digital security steps in protecting any data is passwords.

Tips for creating a GDPR compliant password policy

The following are some best practices to consider when creating a strong password policy that will keep your systems safe, and get you closer to compliance.

Use a password list to block compromised passwords

A good password needs to be difficult to hack, or guess. Today, stolen and brute-forced credentials are the leading cause of data breaches. To protect your data against these attacks, a password policy should ban common and breached passwords.

Because of password reuse, many credential-based attacks use breached password lists from one system to target another. Government agencies such as NIST and the NCSC recommend blocking compromised and easily guessable passwords from being used altogether. This is one of the few ways to protect accounts even when stricter password settings are already enforced.
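An added example (not Specops’ product code) of the change-time check described in this section: it rejects a candidate password that appears in a breach list or is easily guessable, including breached passwords dressed up with character substitutions or a trailing suffix. The breach list is a constructed sample stored only as SHA-1 digests, and the company terms and the `jdoe` username are assumptions for illustration.

```python
import hashlib
import re

# Constructed sample breach list, stored only as uppercase SHA-1 digests so the
# plaintext passwords never sit on the server doing the check.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "Summer2021!")
}

# Assumed organisation-specific words that should never appear in a password.
COMPANY_TERMS = ("acme", "acmecorp")

# Common character substitutions undone before re-checking: P@ssw0rd -> password
_LEET = str.maketrans("@$0", "aso")
_SEQUENCES = re.compile(r"0123|1234|2345|3456|4567|5678|6789|abcd|qwer")


def is_breached(password):
    """True if the password's SHA-1 digest appears in the breach list."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1


def guessability_problems(password, username=""):
    """Return reasons the password is easily guessable even if not breached."""
    problems = []
    lowered = password.lower()
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if any(term in lowered for term in COMPANY_TERMS):
        problems.append("contains a company name")
    if _SEQUENCES.search(lowered):
        problems.append("contains a keyboard or numeric sequence")
    # Undo substitutions and drop a trailing digit/symbol suffix, then recheck:
    # "P@ssw0rd1!" is just "password" dressed up.
    base = re.sub(r"[^a-z]+$", "", lowered.translate(_LEET))
    if base != password and is_breached(base):
        problems.append("is a breached password with substitutions or a suffix")
    return problems


def evaluate_password(password, username=""):
    """Return (accepted, reasons), as a change-time policy check would report."""
    reasons = []
    if is_breached(password):
        reasons.append("appears in a breach list")
    reasons.extend(guessability_problems(password, username))
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "Summer2021!", "correct-horse-battery-staple"):
        accepted, reasons = evaluate_password(candidate, username="jdoe")
        print(f"{candidate!r}: {'accepted' if accepted else 'rejected'} {reasons}")
```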

Don’t use secret questions

It is a common practice to set up ‘secret questions’ that can be answered in order to unlock or reset the password on an account.

Secret questions would be things like ‘what is your mother’s maiden name,’ or ‘what was your school mascot.’ Since these types of questions can be vulnerable to social engineering attacks, it is best to avoid them completely.

Consider MFA

One of the best ways you can improve your password security is to implement multi-factor authentication. This is where, in addition to a username and password, other factors are used to verify a user.

For example, this can be a one-time password that is generated specifically for the user on their mobile device during authentication.

Making GDPR compliance simple

Implementing GDPR for your non-EU business may seem like a headache, but the compliance and additional security protections will cover your bases from a legal and cyberattack prevention standpoint. This article sums up the how, why, and when of GDPR compliance if you’re looking for additional intel.

When you’re implementing a password policy for your AD with GDPR compliance in mind, it’s a good idea to use a third-party tool to help your password policy reach your entire end-user directory.

My favorite is Specops Password Policy which can help you block breached and other compromised passwords from Active Directory. During a password change in Active Directory, this service will block and notify users if the password they have chosen is found in a list of leaked passwords and provides dynamic feedback for password compliance. Specops Password Policy makes it easy to keep out vulnerable passwords and comply with the latest password guidelines.

Specops Password Policy keeps your policies organized and easily configurable

Using a password policy tool not only helps with GDPR compliance in preventing unauthorized access to information, it keeps your internal AD infrastructures organized and safe. Specops Password Policy extends the functionality of Group Policy and simplifies the management of fine-grained password policies for a simpler approach to password security and compliance.

Whether you’re using a password policy tool or educating end-users manually, GDPR compliance can be an asset to any security infrastructure regardless of location, and don’t forget it’s mandatory if you’re storing any EU citizen data.