April 2023 Security Update: Help Stop Supply Chain Attacks with SBOMs

Keep your clients informed of the open-source components in the solutions you provide, help them tighten up security to prevent fraud, and educate yourself about new malware and ransomware.

Study Finds Comprehensive SBOM Is Best Defense Against Supply Chain Attacks

The eighth edition of Synopsys, Inc.’s Open Source Security and Risk Analysis (OSSRA) report concludes that organizations can build an effective strategy for risks such as Log4Shell only when they have a complete software bill of materials (SBOM), because you cannot patch or mitigate a component you do not know you are shipping.

The report found that the average number of open-source components per codebase has risen 13 percent in the past year (from 528 to 595). Within the tech sector, open-source use has spiked specifically in EdTech, aerospace, aviation, and automotive. Notably, open-source components grew by 95 percent in transportation and logistics solutions and by 74 percent in manufacturing and robotics. At the same time, high-risk vulnerabilities have grown significantly in the past five years.

The report also found that 31 percent of codebases use open-source components with no license or with customized licenses. This can lead to unknown vulnerabilities or create IP issues or other legal implications.

Action Items:

      • Synopsys identified three operational factors in open-source components that can affect overall code quality:
        • Age of the component
        • Versioning: whether the component is on its most recent version
        • Support from an active community

Evaluate any open-source components you use against these factors, and create SBOMs for your clients to keep them informed of the components and potential vulnerabilities that may be present in the solutions they use.

      • SBOMs should include both a human-readable and a machine-readable inventory of components, in SPDX or CycloneDX format, to comply with U.S. government guidelines.
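The machine-readable format is what makes the SBOM actionable: a client can run a script over it instead of reading it. The following is an added example, not code from the OSSRA report or from Synopsys, that reads a CycloneDX JSON SBOM and flags the two risks discussed above: a component below a minimum safe version (Log4Shell is the canonical case) and a component with no declared license. The SBOM content, the left-pad entry, and the MIN_VERSIONS policy table are constructed for the example; the 2.16.0 floor reflects the Log4j release that disabled JNDI lookups by default in response to CVE-2021-44228, but a real policy should take its floor from the current Apache advisory.

```python
"""Audit a CycloneDX JSON SBOM for components below a minimum version
and components with no declared license."""
import json

# Constructed sample SBOM in CycloneDX 1.4 JSON; this is not any real
# project's inventory, just enough structure to exercise the checks.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        # No "licenses" key at all: the "no license" case from the report.
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
    ],
})

# Example policy (an assumption of this example): minimum acceptable version,
# keyed by package URL without its version. 2.16.0 is the Log4j release that
# disabled JNDI lookups by default in response to CVE-2021-44228 (Log4Shell);
# take the current floor from Apache's advisory, not from this table.
MIN_VERSIONS = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": "2.16.0",
}


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a tuple that sorts correctly.

    A pre-release such as 2.0-beta9 must sort before its release 2.0, so
    the trailing pair is (0, tag) for pre-releases and (1, "") for releases.
    Assumes dotted numeric versions of up to three parts.
    """
    release, _, pre = text.partition("-")
    parts = tuple(int(p) for p in release.split("."))
    parts += (0,) * (3 - len(parts))        # 2.16 compares equal to 2.16.0
    return parts + ((0, pre) if pre else (1, ""))


def split_purl(purl):
    """Return (purl without version, version); drops qualifiers and subpath."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    name, _, version = base.rpartition("@")
    return name, version


def audit_sbom(sbom_json):
    """Return a list of findings, each {'component': ..., 'issue': ...}."""
    bom = json.loads(sbom_json)
    findings = []
    for comp in bom.get("components", []):
        label = f"{comp.get('name')}@{comp.get('version')}"
        # License check: a missing or empty list is what the report flags.
        if not comp.get("licenses"):
            findings.append({"component": label,
                             "issue": "no license declared"})
        # Version check: only for components identifiable by package URL.
        purl = comp.get("purl")
        if purl:
            name, version = split_purl(purl)
            floor = MIN_VERSIONS.get(name)
            if floor and parse_version(version) < parse_version(floor):
                findings.append({"component": label,
                                 "issue": f"below minimum version {floor}"})
    return findings


if __name__ == "__main__":
    for finding in audit_sbom(SAMPLE_SBOM):
        print(f"{finding['component']}: {finding['issue']}")
```

Run against the sample, the script reports log4j-core@2.14.1 as below the 2.16.0 floor and left-pad@1.3.0 as having no declared license, while log4j-core@2.17.1 passes. The version check is keyed on the package URL rather than the display name so that two components with the same name from different ecosystems are not confused.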

Synthetic Fraud Is On the Rise

According to AuthenticID’s 2023 State of Identity Fraud Report, synthetic fraud is the fastest-growing type of identity fraud and is predicted to cause $48 billion in losses. Synthetic identity fraud involves combining real and fabricated personally identifiable information (PII) to create a false (or synthetic) digital identity that does not correspond to any one actual person.

It can impact your clients in telecom or utilities, retail and point of sale (POS), and banking and finance.

Action Items:

      • Educate yourself and your clients about the tactics that fraudsters use.
      • Encourage your clients to use best practices to prevent fraud, including employee training, conducting audits and risk assessments, and complying with strict data and privacy policies.
      • Build security measures into the solutions you provide, including multifactor authentication, biometric authentication, machine learning and artificial intelligence, and zero-trust infrastructure.

Cinoshi MaaS Makes Its Debut

Symantec reports a new malware variant, Cinoshi, distributed as Malware as a Service (MaaS). Cinoshi includes several modules, such as infostealer, data clipper, and cryptocurrency miner. It is used to steal passwords and banking information and add computers to a botnet.

Action Items:

PCrisk offers advice if your computers are infected with Cinoshi:

      • Stay alert to diminished system performance.
      • Scan computers with effective antivirus software to eliminate the malware.

New Ransomware Has NAS Devices in Its Crosshairs

Hacker News reports a new ransomware family targeting Linux-based network attached storage (NAS) devices made by QNAP Systems. The ransomware, named QNAPCrypt by Intezer and eCh0raix by Anomali, is written in the Go programming language and gains access to NAS servers by brute-forcing credentials or exploiting known vulnerabilities.

Action Items:

      • Don’t connect NAS devices directly to the internet.
      • Enable automatic updates to keep NAS device firmware updated.
      • Always use strong passwords for NAS devices.
      • Back up data regularly, keeping an immutable copy of the data in a different location.

Progress on Pre-Ransomware Notification

The Joint Cyber Defense Collaborative (JCDC) announced success with pre-ransomware notification, which provides early warning and can give victims an opportunity to stop threat actors before they encrypt data and hold it for ransom.

Action Items:

Read the post Getting Ahead of the Ransomware Epidemic.

Visit #StopRansomware to learn more.

CISA Issues 6 Industrial Control System Advisories

The Cybersecurity & Infrastructure Security Agency (CISA) released six advisories about vulnerabilities and exploits affecting industrial control systems (ICSs).

Action Items:

Review these advisories for technical details and mitigations:

For more security updates and insights, visit DevPro Journal’s Security resources page.