Software suppliers offer rich pickings for criminals


Software suppliers beware – chances are, online criminals quite literally know your secrets. That’s the outlook for 2024, courtesy of ReversingLabs, which warns that thousands of digital authentication credentials, aka ‘secrets’, have already been exposed.

The cybersecurity analyst conducted a scan of frequently used online software platforms NuGet, PyPI, npm, and RubyGems, leading it to conclude that login credentials, API tokens, and encryption keys were a “major target” for cybercriminals last year.

That period saw a staggering 40,000 secrets detected across the four platforms, with the bulk, more than three-quarters, detected on npm. Of those, more than half were used to illegally access Google services, with roughly one in ten being deployed in a similar way against Amazon’s cloud service AWS.

What’s more, lower-skilled cybercriminals, known somewhat derisively in the industry as “script kiddies,” are increasingly targeting third-party software suppliers, as the barrier for entry to such a life of crime reduces thanks to the wider availability of ‘off-the-shelf’ high-tech equipment.

“No longer just the domain of nation-state actors, software supply chain attacks are increasingly being perpetrated by low-skilled cybercriminals,” said ReversingLabs, pointing to the increased uptake of open-source automated phishing packages to be used as tools in such campaigns.

“Threat actors have recognized how to abuse weak links in the software supply chain to support both targeted and indiscriminate campaigns,” it added.

ReversingLabs claims this situation is being exacerbated by complacency among third-party suppliers, despite last year’s high-profile MOVEit hack by Cl0p, whose ripple effect saw thousands of targets impacted.

“Lacking sufficient visibility, software producers and their customers are failing to spot signs of code tampering and abuse within development pipelines or threats hiding in compiled software artifacts,” it said.

Warning that software supply chain attacks will “escalate if organizations don’t address the threat,” ReversingLabs urges businesses to “shift from blind trust” in software integrity and instead use “proven tools and processes that can verify software and ensure it is free of material risks.”

It added: “This includes the ability to scan raw code and compiled binaries in any software they build or buy for behaviors and unexplained changes that may indicate instances of malware and tampering.”
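The kind of raw-code scan for leaked credentials that ReversingLabs recommends, as an added illustration rather than ReversingLabs’ own tooling: it unpacks an npm-style .tgz in memory and pattern-matches text files for the two credential types the report singles out (AWS access key IDs, Google API keys) plus PEM private keys. The regexes follow the publicly documented key formats but are assumptions here, the package contents are constructed, and the credentials in them are deliberately fake.

```python
import io
import re
import tarfile

# Assumed detection rules, modelled on the public formats of each credential type
# (not ReversingLabs' rules): AWS access key IDs, Google API keys, PEM private keys.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
TEXT_SUFFIXES = (".js", ".json", ".ts", ".env", ".pem", ".md", ".yml", ".yaml", ".txt")


def scan_text(path, text):
    """Return (path, kind, line_no, redacted_token) for every pattern hit in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                token = match.group(0)
                # Never log the full secret: keep just enough to locate it in the source.
                redacted = token[:6] + "..." + token[-2:] if len(token) > 12 else token
                findings.append((path, kind, line_no, redacted))
    return findings


def scan_npm_tarball(tgz_bytes):
    """Scan every text file inside an npm-style .tgz (files under package/)."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith(TEXT_SUFFIXES):
                continue
            data = tar.extractfile(member).read().decode("utf-8", errors="replace")
            findings.extend(scan_text(member.name, data))
    return findings


def build_sample_tarball():
    """Constructed demo package; the AWS key is AWS's documented example, the Google key is fake."""
    files = {
        "package/package.json": '{"name": "demo-pkg", "version": "1.0.0"}\n',
        "package/lib/config.js": "module.exports = {\n  awsKey: 'AKIAIOSFODNN7EXAMPLE',\n"
                                 "  gcpKey: 'AIzaSyA-FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAK'\n};\n",
        "package/README.md": "Install with npm install demo-pkg\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content.encode())
            tar.addfile(info, io.BytesIO(content.encode()))
    return buf.getvalue()
```

Running `scan_npm_tarball(build_sample_tarball())` reports both keys in `package/lib/config.js` with redacted values, which is the shape of finding a publisher would want to block before the tarball leaves the build pipeline.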

In the meantime, ReversingLabs expects both profit and politically motivated cyber gangs to continue targeting weak links in the software supplier industry.

“Threats and attacks targeting open source and commercial, third-party code will continue to grow, even as the methods and preferences of malicious supply chain actors evolve,” it said. “Both cybercriminal and nation-state hackers can be expected to gravitate to platforms and techniques that are the most likely to succeed.”
