CyberSecurity Magazine Newsletter: January 2023


Dear Reader,


In our first newsletter of 2023, we put a spotlight on one of the security issues many have predicted to remain a major pain point this year: supply chain security. Whether it’s large organizations with complex supplier ecosystems or individual developers, anybody can be affected by supply chain attacks. Read on to find out more about recent attacks and best practices for how to prevent them.


Same name, different contents

The popular PyTorch project did not get off to a good start in 2023, being hit by a dependency confusion attack over the holidays. When the Python package manager looked up one of the project's dependencies on the Python Package Index (PyPI), it found a malicious package that an attacker had already registered under the same name. As a result, people who installed the project's nightly builds were served spyware.
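To illustrate the resolution problem described above, here is an added example (not code from the newsletter or from the PyTorch project): a simplified model of a package resolver that merges a private and a public index, showing how a same-named public package wins the version comparison and how two defensive checks, restricting internal names to the private index and pinning artifact hashes, stop it. All package names, versions and hashes are constructed.

```python
"""Simplified model of dependency confusion and two defences.
Constructed example: index contents, names, versions and hashes are made
up, and the resolver models a package manager merging several indexes."""
import hashlib


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed index contents: name -> list of (version, sha256 of artifact)
PRIVATE_INDEX = {
    "acme-internal-utils": [("1.4.0", _digest(b"acme-internal-utils-1.4.0"))],
}
PUBLIC_INDEX = {
    # Same name registered by an attacker with an absurdly high version
    "acme-internal-utils": [("99.0.0", _digest(b"malicious payload"))],
    "requests": [("2.28.1", _digest(b"requests-2.28.1"))],
}
INDEXES = {"private": PRIVATE_INDEX, "public": PUBLIC_INDEX}


def _vtuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def naive_resolve(name: str, indexes: dict) -> tuple:
    """Merge candidates from every index and pick the highest version.
    This is the behaviour dependency confusion abuses: the public index
    competes on equal terms with the private one."""
    candidates = [
        (_vtuple(version), version, digest, index_name)
        for index_name, index in indexes.items()
        for version, digest in index.get(name, [])
    ]
    if not candidates:
        raise LookupError(f"no candidate for {name}")
    _, version, digest, source = max(candidates)
    return version, digest, source


def safe_resolve(name: str, indexes: dict, internal_names: set,
                 pinned_hashes: dict) -> tuple:
    """Defence 1: internal names are only ever looked up on the private index.
    Defence 2: if the lockfile pins a hash, the artifact must match it."""
    scope = {"private": indexes["private"]} if name in internal_names else indexes
    version, digest, source = naive_resolve(name, scope)
    expected = pinned_hashes.get(name)
    if expected is not None and expected != digest:
        raise ValueError(f"hash mismatch for {name}=={version} from {source}")
    return version, digest, source
```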


Supply chain threats on the rise

The attack on PyTorch may have been the latest, but it is certainly not the only attack of this kind. In fact, Python and its package index have been targeted by similar supply chain attacks before: in much the same fashion, a piece of malware called W4SP Stealer was shipped to PyPI users last year.


Common attack vectors

Cybersecurity Magazine recently featured an article providing an overview of supply chain security risks. It outlines attack vectors commonly abused by malicious actors that are all too often overlooked when dealing with suppliers, including API vulnerabilities, third-party data breaches, and social engineering.


How to do better

To help organizations manage the associated security risks, NSA and CISA recently published recommended practices for securing software supply chains. In it, they provide practical advice on how to vet third-party code, produce secure software, and ensure the organization is ready to handle an attempted attack.


Slightly broader in scope is the supply chain security guidance published by the NCSC. In just a few web pages, the authors provide attack examples, assessment criteria, and best practices that are actionable and easy to understand.


Cybersecurity Magazine Editorial Team
