The polyglot supply chain attack: The most frightening prospect, however, is the convergence of these threats in a polyglot supply chain attack. Currently, security teams operate in isolation. AppSec monitors the code, CloudSec monitors the cloud, NetworkSec monitors the perimeter. A polyglot attack is designed to seamlessly break through these silos.This happens as follows: A worm infiltrates a frontend developer’s laptop via a low-level JavaScript dependency. It detects that the developer also has access to the company’s backend Rust repository, steals these credentials, and injects malicious build scripts into the Rust CI pipeline. The Rust pipeline then deploys a compromised binary to a Kubernetes cluster.The attack could begin in NPM but end as a compiled binary backdoor in the production cloud infrastructure. The JavaScript security team won’t detect it because it immediately left their domain. The cloud security team would also miss the threat because it was delivered from a trusted CI pipeline using valid credentials. CISOs need to be aware of this and take appropriate precautions Recommendations for CISOs: The EU Cyber “‹”‹Resilience Act (CRA) provides recommendations for CISOs. It mandates the protection of digital products for manufacturers, importers, and distributors, encouraging them to invest in secure design during development and maintenance. The requirements outlined therein must be implemented gradually by the end of 2027, and include the security of networked hardware and software through the handling of vulnerabilities and their publication or notification to the relevant authorities. Furthermore, the three aforementioned stakeholders must also document the components of the software in software bills of materials (SBOMs).The NIS2 Directive, which has now entered into force, contains similar requirements for operators of critical infrastructure (KRITIS) to those stipulated in the NIS2 Implementation Act (NIS2UmsuCG) and the KRITIS Umbrella Act regarding products and suppliers. OpenKRITIS provides a worthwhile overview.To protect themselves from Shai-Hulud and similar threats, CISOs and their teams should implement the following steps:You must end the “implicit trust” in identities. In the scenarios described earlier involving Shai-Hulud, the problem was that CI/CD systems were too often blindly trusted. Therefore, CISOs should ensure their teams critically examine their pipeline security.CI/CD systems must not automatically assume an activity is legitimate simply because it was signed with a valid developer token. Instead, they must prioritize identity protection. Attackers have already been observed specifically stealing credentials such as NPM tokens and GitHub secrets to automatically publish infected packages. Measures to protect these identities must therefore be given top priority.Security silos should be broken down. Many security aspects still aren’t consolidated under a single, overarching management structure. Tools and departments dedicated to application security, infrastructure security, cloud security, network security, and many others create numerous islands within the vast sea of “‹”‹security strategy. They all need to collaborate more closely and be coordinated by the CISO.A key risk is the previously described polyglot supply chain attack, which seamlessly transcends these silos. Therefore, CISOs must implement cross-departmental and cross-functional monitoring. To further illustrate the danger: An attack could begin with a JavaScript file, propagate through build scripts, and ultimately result in a backdoor in the cloud. Often, there’s no integrated visibility to track this entire process. The JavaScript team might lose sight of the attack once it leaves its sphere, while the cloud team relies on the CI pipeline.CISOs must therefore establish systems that monitor the entire path from software development to build and all the way to runtime. SBOMs, which document all software used, provide a solution.Prepare for active worms and ensure the protection of AI tools. To mitigate AI-driven risks, it’s crucial to prevent the hijacking and manipulation of AI tools. Numerous software developers rely on these tools to write their software. Security researchers are already observing attackers using packets that cause AI tools to hallucinate.Active worms represent the next level of threat. Therefore, security strategies should extend beyond simply protecting against typos. Threats like Shai-Hulud spread exponentially, like a worm. At this speed, manual packet inspection processes are no longer sufficient.This type of supply chain worm also features a “dead man switch” that wipes the victim’s system if an analysis is detected. CISOs should ensure that logs are secured even outside the developer’s machine to preserve traces of the attack for forensic investigations.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4123250/shai-hulud-co-the-supply-chain-as-the-achilles-heel.html
