The State of Software Supply Chain Security in 2024: A Sneak Peek

As 2023 comes to a close, the cybersecurity landscape is awash with reports and analyses; among them, the NSA 2023 Cybersecurity Year in Review has drawn particular attention. Xygeni aims to contribute to the understanding and mitigation of threats to the software supply chain in what has been a tumultuous year. Software complexity keeps growing, reliance on open-source components is at an all-time high, and DevSecOps and cloud-native practices continue to reshape how software is built and delivered. This sneak peek into Xygeni’s report summarises the key challenges software supply chain security faced in 2023 and outlines strategies for addressing them in 2024.


The Complex Web of Software Supply Chain Security

In the current state of software supply chain security (SSCS), cyber threats loom large, posing significant concerns for companies and individuals alike. The surge in remote work and increased dependence on cloud-based services have expanded the attack surface, making the safeguarding of the software supply chain an even more formidable challenge. The software industry is only slowly realising that the supply chain has become a deliberate attack vector. Questions arise: How do we secure this intricate web? Can we trust software from both open-source communities and commercial providers? How can organizations give their software consumers confidence that what they ship is free of vulnerabilities and malware?

What Xygeni’s Report Will Uncover

Xygeni’s report aims to shed light on the events and trends that defined software supply chain security in 2023 and offers an initial glimpse into what 2024 might bring. The report will cover:

Highlights: “By the Numbers”

Termed the year of ‘digital forest fires,’ 2023 witnessed headline-grabbing incidents, including those affecting PyTorch, 3CX, and MOVEit Transfer. The grim reality is that 82% of organizations are currently vulnerable to software supply chain attacks, with the average number of vulnerable components in a supply chain increasing by more than 50% annually. NTT Ltd reports that the technology sector is the most targeted industry, accounting for 28% of all supply chain attacks.

Open source software, comprising 70% to 90% of contemporary application stacks, faces a surge in malicious packages on public registries – a staggering 245,032 instances, doubling the figures from previous years.

The Attack Landscape

In 2023, cyber attacks were on the rise, with the EU Agency for Cybersecurity (ENISA) recording 2,580 security incidents, 220 of which targeted two or more member states. Ransomware and denial-of-service attacks dominated, but targeted attacks on the software supply chain were also observed. Notably, AI chatbots entered the cybersecurity threat landscape, introducing concerns about ‘cheap fakes’ and AI-enabled manipulation of information.

Attack Techniques in 2023

Attackers continued to leverage familiar techniques such as spear phishing and social engineering, stolen credentials, and dependency attacks like typosquat packages, where a malicious package is published under a name that differs from a popular one by a single typo, transposition or separator change. However, 2023 also saw a rise in more sophisticated methods, including vishing (voice phishing) using AI-generated voice-mimicking messages. The 245,032 malicious packages found in public registries during the year underline the need for robust preventive measures.

Advanced Threat Actors

Geopolitics influenced cyber operations, with state-backed APTs engaging in disinformation, espionage, and sabotage. The war in Ukraine remained a focal point, with cyber operations by Russian, Iranian, and North Korean actors. China solidified its position as a global cyber power, and state-aligned espionage continued to evolve, as exemplified by the China-aligned Evasive Panda group targeting an international NGO.

Turning to more recent conflicts, the cyber confrontation between Hamas and Israel involved reciprocal DDoS attacks, and some analysts connect Hamas to Iranian threat activity. The Iranian-linked APT Agrius, also tracked as “Agonizing Serpens” and notorious for its destructive wipers, has predominantly targeted Israeli organizations across a range of sectors. In 2023, Agrius concentrated its efforts on the education and technology sectors in Israel.

Impact of Attacks

The digital impact of cyber attacks, such as damaged systems, data corruption, and intrusions, outweighed financial and social impacts. Splunk’s survey highlighted the significant time and resources expended on cleanup, with only 4% of respondents reporting no significant consequences.

Summary of Relevant Attacks in 2023

The year saw a series of landmark attacks, including the PyTorch nightly infostealer, the CircleCI incident, the multi-stage 3CX attack, the MOVEit Transfer data breach, PyPI’s temporary suspension of new user and project registration, npm manifest confusion, the JumpCloud attack, and the VMConnect campaign. Each incident underscored the diverse and evolving nature of SSC attacks.

Evolution of Standards and Regulations

The regulatory framework for the SSC is still under construction, with very different intensities across regions: the US appears to have the most mature framework, with the European Union lagging behind. In the US, the publication of the National Cybersecurity Strategy and the Open Source Software Security Roadmap were the major events. In the EU, the Cyber Resilience Act reached political agreement, but most organizations spent the year working on the NIS2 directive and the Digital Operational Resilience Act (DORA).

Perhaps the single most significant worldwide event was the joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software, led by CISA and co-signed by many cybersecurity authorities across the globe.

Glimpse into 2024

The report offers some predictions. By 2025, 45% of organizations worldwide will have experienced at least one SSC attack. Organized criminal groups will increasingly engage in cybercrime, leveraging more mature Cybercrime-as-a-Service offerings. Regulations entering into force during the year will improve transparency on security incidents, with more attack details and lessons learned disclosed. Cyber risk insurance will show its limits, with tighter coverage and higher excesses. And technological advancements will align with the secure-by-design trend, shifting more of the burden onto software manufacturers.

The AI wave attracted many security vendors during 2023 to add some “AI touch” to their products. Nonetheless, AI is set to play a critical role in the future of software supply chain security. AI will play an increased role in areas like threat intelligence and risk assessment, anomaly detection in code repositories, vulnerability assessment and prioritization, and phishing attack detection, but mainly in intelligent remediation and code review automation.

But bad actors have started to weaponize AI, and we will see new techniques such as AI-powered reconnaissance, highly convincing spear phishing, jailbreaking of AI tools, and CAPTCHA-solving services.

Conclusion

As Xygeni prepares to unveil its comprehensive report on the state of software supply chain security in 2023, the challenges and threats facing the industry are apparent. The software supply chain, once considered a behind-the-scenes process, has emerged as a prime target for cyber adversaries. The industry’s response to these challenges will shape the trajectory of software security in the years to come. Stay tuned for the full report, where we delve into the details and provide insights that can help navigate the complex landscape of software supply chain security.
