Exclusive: Open-source tools fire up supply chain attacks
Open-source code and legitimate hacking tools have contributed to the rising popularity of a once-rare and complicated type of cyberattack, according to new research shared exclusively with Axios.
Why it matters: Malicious hackers of all levels — from nation-state groups to lower-level cybercriminals — have gotten better at executing what experts call a software supply chain attack.
- In these schemes, hackers compromise a single third-party piece of software in order to access information from that software vendor's customers or to gain access to a target's network.
The big picture: Thousands of top consumer brands were vulnerable to widespread supply chain attacks last year — and many are being targeted this year through recently discovered flaws in Citrix's and Ivanti's products.
- Typically, nation-state hacking groups turn to these types of attacks because they're more difficult for victim organizations to detect.
Driving the news: But last year, more cybercriminal groups started building tools and sharing their tips with one another — effectively lowering the barrier to entry for software supply chain attacks, according to a new report from cybersecurity company ReversingLabs.
- That's in part because attackers are sharing more open-source tools and resources with one another to launch such attacks, per the report.
What they're saying: "It's a cat-and-mouse game, and every single time you develop the technology that can detect that type of attack, they just pivot somewhere else," Tomislav Peričin, chief software architect and co-founder of ReversingLabs, told Axios.
- "To me, 2023 was the year of many, many different pivots that we saw."
By the numbers: ReversingLabs' researchers found a 28% increase in the number of malicious packages available across three major open-source repositories in the first nine months of 2023 compared to the same period in 2022.
- Researchers also uncovered at least five new techniques hackers used last year to evade detection by basic network monitoring tools.
Details: Many of the malicious packages contained code that helps hackers hide their activity from traditional security-monitoring tools by obfuscating or encrypting it.
- The malicious packages could help hackers create backdoors into company networks, spread so-called infostealer malware, facilitate trojan horse attacks and more, according to the report.
Zoom in: In July, ReversingLabs released details about a campaign it called "Operation Brainleeches."
- ReversingLabs found that hackers built phishing schemes around packages hosted on npm, the popular open-source package registry.
- The files included all of the raw components needed to launch an email phishing campaign, researchers found, as well as the tools needed to host any files hackers might want to attach to their emails.
Between the lines: Cracking down on supply chain attacks requires that companies continuously audit the technologies they use.
- Programmers must scan code for security flaws as they're building new products, and government officials must continue to develop new software supply chain guidance, Peričin said.
What we're watching: Some of the new tactics ReversingLabs uncovered will likely stick around in 2024 as malicious actors continue to lower the barrier to entry.