If one topic has been on the minds of CISOs and CIOs alike over the last three years of Covid and post-Covid hybrid enterprise work environments, it’s ransomware.
A distributed tech workforce — using distributed software services — proved to be no match for highly automated ransomware bots and malware executing encryption attacks. But this year, like the end of War of the Worlds, the attacking bots may suddenly fall silent.
Is ransomware dead? And if it is out of the way, what will top the list of executive cybersecurity concerns for 2023?
Sorry, ransomware is back with a cybernetic twist
We did see one kind of ransomware profile fade away — as darkweb-sourced encryption attack chains and cryptocurrency ransoms started becoming known quantities to the security community. Further, many of the crypto-exchanges that once would have laundered ransomed Monero and BTC to real currency are going belly-up or getting seized by authorities.
Despite that, ransomware is only picking up steam now. NCC group reported a 41% increase in ransomware attacks in just the month of November 2022, as impending holidays left many companies short-staffed to deal with them.
This attacker is also reappearing in a new, half-human/half-silicon-based cybernetic form. Even unskilled script kiddies can use ChatGPT or other AI-based chatbot routines to write and run sophisticated attack code.
What’s particularly insidious about this approach is the conversational AI power of today’s chatbot, and its willingness to help as an accomplice to its human counterparts. ChatGPT can adapt automated hacks from a universe of existing code and shell scripts.
AI chatbots can also write up a believable business dialogue based on past customer service conversations that can fool employees and effectively social engineer its way into account or network privileges to deliver malware — which it may have helped to write.
Most of these attacks are no longer even trying the old approach of encrypting data and charging a ransom to unlock it, so nobody should believe a hacker will deliver on promises to remove the threat. Cybercriminals are straight up extorting second or third payments to avoid the future destruction of data or infrastructure.
The software supply chain will get its own czars
Software supply chains include both human and automated software delivery processes. Every bit of code and every component that gets created or copied, and every tool that configures and packages a software build on its way to production is a potential supply chain attack vector.
The Log4j exploit in December 2021 turned a very commonly used Java logging utility's shell scripting window into a widespread vulnerability found within thousands of sensitive business and government systems.
Developers are always seeking to maximize productivity, so it’s only natural they will copy code snippets from Stack Overflow and collect popular NPM software component packages into their build constructs, before sharing them on GitHub or other repositories. It’s much easier to use whatever works for others, rather than writing their own configuration code from scratch.
In this politically charged age, nation-state attackers are well aware of the power of zero-day exploits within commonly used software and firmware. These bad actors are particularly dastardly when exploiting software supply chains, because their goals are not transparent grabs for money.
By embedding malware or malicious calls, attackers can sometimes lurk undetected for years, spying for sensitive information or waiting for the right opportunity to deliver a sabotaging payload. Executive leadership has taken notice, with more than 82% of enterprise CIOs reporting that they think their software supply chains are vulnerable, even though they are increasing reliance on third-party software packages.
That’s exactly why we’re going to see the security community rallying around software supply chains this year, and likely we will even see nations getting in on the action with their own technology supply chain czars and Interpol-style information sharing networks, including leading enterprises in the effort to report on, and respond to, this emerging threat.
The weaponization of open source
As a primary substrate of software supply chains, open-source software (or OSS) has become perhaps the greatest value generator of all time. Considering the $22B USD worth of software the Apache foundation says it publishes, its market valuation would easily exceed a trillion dollars by now, if you were to measure open source like any other enterprise.
Even formerly proprietary software vendors are getting in on the OSS game, because their best engineering talent wants to be involved in open-source projects, and companies that demonstrate leadership in the global development community stand to better serve end customers with differentiated services atop OSS, to increase the size of their addressable markets.
Unfortunately, attackers have taken notice of this uber trend and started to look within readily available open-source code repositories to check in malware footholds. The development community has also stepped up to this challenge by contributing white-hat vulnerability hunting experts to get ahead of zero-day exploits before they are exposed to malicious intent.
With so many open-source packages downloaded by distributed teams from repositories (we’re running at a rate of more than a billion git downloads a week, by some estimates), enterprises will need to take responsibility for their own software supply chains with a continuous SBOM (software bill of materials) audit and review cycle that offers a full risk-based accounting of every open source element and version in play.
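As an added illustration of the SBOM audit cycle described above (example code written for this piece, not a tool from Intellyx or any vendor), the script below walks a constructed CycloneDX-style SBOM against a constructed advisory table, flags components running below the fixed version, and treats components that cannot be identified as findings in their own right. Package names, versions and advisory entries are placeholders, and the version comparison is a deliberate simplification (pre-release tags are ignored).

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM (simplified; not from any real build).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
        {"name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0"},
        {"name": "mystery-lib"},  # no purl/version: cannot be accounted for
    ],
})

# Constructed advisory table: purl without version -> (first fixed version, severity).
# Placeholder data standing in for a real vulnerability feed.
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": ("2.17.1", "critical"),
    "pkg:npm/lodash": ("4.17.21", "high"),
}

def parse_version(v: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1). Leading digits of each part only; '1-rc1' counts as 1."""
    parts = []
    for p in v.split("."):
        num = ""
        for ch in p:
            if not ch.isdigit():
                break
            num += ch
        parts.append(int(num) if num else 0)
    return tuple(parts)

def audit_sbom(sbom_json: str, advisories: Dict[str, Tuple[str, str]]) -> List[dict]:
    """One finding per component: 'vulnerable', 'ok', or 'unidentified' (a gap in the accounting)."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        purl, version = comp.get("purl", ""), comp.get("version")
        if not purl or not version:
            findings.append({"name": comp.get("name", "?"), "status": "unidentified", "severity": "unknown"})
            continue
        adv = advisories.get(purl.split("@", 1)[0])  # strip the version suffix from the purl
        if adv and parse_version(version) < parse_version(adv[0]):
            findings.append({"name": comp["name"], "status": "vulnerable", "severity": adv[1], "fixed_in": adv[0]})
        else:
            findings.append({"name": comp["name"], "status": "ok", "severity": "none"})
    # Risk-ordered output: worst first, unidentified ahead of clean components.
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3, "unknown": 4, "none": 5}
    return sorted(findings, key=lambda f: rank.get(f["severity"], 9))
```

Run the audit on every build and diff the findings against the previous run; a newly "unidentified" component is as much a review item as a newly "vulnerable" one.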
The Intellyx take
The human attack surface will always present a greater security risk than innovative automation. That’s one cyber megatrend that will never go away.
Most malware and credential theft will still pass through well-intentioned human employees via phishing emails and convincing social engineering attacks, or developers downloading useful-looking packages recommended by their peers.
If anything, we’ve come full circle to a new reality of humans and intelligent automated systems working hand-in-hand to both attack and defend our critical applications and data.
©2023 Intellyx LLC. Intellyx is editorially responsible for this content. At the time of writing, Tanium is an Intellyx client.