The Checkmarx Security Research team has recently revealed the top three trends in supply chain attacks that took place in January. These trends highlight the significant shifts in cyberattack strategies, further emphasising the need for security robustness in the IT industry, the cybersecurity firm says.
The primary trend, accounting for 56% of attacks in January, involves information and credential theft. These attacks seek to drain sensitive data such as host details and user credentials, indicating an increased focus by attackers on gaining unauthorised access to confidential data, which can then enable further exploitation and additional malicious activity. Such attacks often breach upstream servers or code repositories and inject malicious payloads that are then dispersed downstream to a multitude of users. An example was the 2021 Codecov supply chain attack, in which credentials stolen through a flawed Docker image creation process were used to modify the Codecov Bash Uploader.
The second trend, making up 28% of attacks, revolves around dependency confusion and typosquatting tactics. The research team found a high number of incidents in which cybercriminals published packages whose names closely mimic legitimate and trusted libraries. Typosquatting is a type of social engineering attack that relies on deliberately misspelled names or domains for a range of malicious purposes. In open-source supply chain attacks, typosquatting tricks developers into downloading and integrating malicious packages into their software without their knowledge. In other scenarios, typosquatting is used for extortion by selling the misspelled domain name back to the trademark owner.
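As an added illustration of how a defender can screen for the two naming abuses described above (this is example code, not part of the Checkmarx report), the following audit flags requirement entries that sit within a short edit distance of a trusted package name, and internal package names that would be resolved from the public index; the trusted, internal and requirement names are all constructed for the example.

```python
"""Audit a Python requirements file for typosquatting and dependency confusion.
Package names and requirement lines are constructed for illustration."""
import re

TRUSTED = {"requests", "numpy", "urllib3", "colorama", "boto3", "cryptography"}
INTERNAL = {"acme-billing", "acme-auth"}  # hypothetical private package names
REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 name normalisation: lower-case, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small non-zero distance to a trusted name
    is the typosquatting signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_requirements(lines, max_distance=2):
    """Return (package, finding) pairs for suspicious entries."""
    findings = []
    private_primary_index = False
    for line in lines:
        if line.startswith(("--index-url", "--extra-index-url")):
            # Only a private index given as the primary index protects internal names;
            # with --extra-index-url, pip still considers the public index as well.
            private_primary_index = line.startswith("--index-url") and "pypi.org" not in line
            continue
        m = REQ_RE.match(line)
        if not m:
            continue  # comment, blank line or unsupported syntax
        pkg = normalize(m.group(1))
        if pkg in INTERNAL:
            if not private_primary_index:
                findings.append((pkg, "dependency confusion: internal name resolved via public index"))
            continue
        if pkg in TRUSTED:
            continue
        for trusted in TRUSTED:
            d = edit_distance(pkg, trusted)
            if 0 < d <= max_distance:
                findings.append((pkg, f"possible typosquat of {trusted} (edit distance {d})"))
                break
    return findings


# Constructed sample: one real name, two look-alikes, one unprotected internal name.
SAMPLE = ["requests==2.31.0", "requets>=2.0", "colourama", "acme-billing", "numpy"]
```

Running `audit_requirements(SAMPLE)` reports the two look-alike names and the unprotected internal package; adding a private `--index-url` line before `acme-billing` clears the dependency confusion finding.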
The third trend, according to the Checkmarx Security Research team, involved malware and backdoor injections, constituting 16% of January's attacks. In these attacks, malware and backdoors are embedded within compromised packages and designed to infiltrate systems by giving attackers covert access, which can further compromise data and disrupt operations within targeted organisations. In 2021, an outdated WordPress plugin, Eval PHP, was used by attackers to inject PHP code that delivered a payload granting remote code execution within the compromised sites. There was also an attack that forwarded all exfiltrated data through a Telegram bot API to the threat actor's Telegram chat; a security researcher subsequently redirected the purloined data from the threat actor's chat to their own personal chat.
Checkmarx Security Research says the findings emphasise the sophistication and ever-evolving nature of cyber attacks. The trends highlight the need for businesses to stay ahead of these challenges by ensuring robust security measures are implemented and continually updated.