New Solutions for Addressing Software Supply Chain Attacks - Cyber Threat Intelligence Roundup
A pro-China disinformation campaign targeting US elections, Google’s new GUAC open-source project, and the ongoing debate about password expiration
Up first is a breakdown of the most recent campaign attributed to Dragonbridge, a suspected China-backed advanced persistent threat (APT) actor currently engaged in intensive influence campaigns targeting the U.S. ahead of midterm elections and pushing outlandish and ugly narratives. Next up is an overview of Google’s new open-source security project focused on software supply chain management. Plus, industry leaders and policymakers weigh in on whether mandatory password expiration is helping or hurting password security.
1. Pro-China disinformation campaign targets US elections
Leading cybersecurity and threat intelligence firm Mandiant released a report last week detailing a pro-People’s Republic of China (PRC) influence campaign during which the company’s researchers observed the attackers leveraging new tactics, techniques, and procedures (TTPs) in support of aggressive operations targeting U.S. interests including midterm elections.
The campaign has been attributed by Mandiant to a group it tracks as Dragonbridge. Mandiant’s researchers have reportedly observed the group promoting China’s state interests for years, primarily via fake grassroots social media campaigns focused on influencing politics in Taiwan and Hong Kong.
This time around, Dragonbridge is attributed with a slew of intensive influence campaigns featuring a significant range of far-fetched false narratives, all targeting U.S. entities.
What is Dragonbridge?
Cyware claims that Dragonbridge has been active since at least 2019. In a recent post, Cyware characterized the group as a state-backed hacker collective devoted to targeting entities of strategic interest to the PRC.
Dragonbridge’s influence operations feature social media campaigns which spread misinformation designed to aid in securing China a dominant global position in the future (due to the structure of the PRC government – in which there are virtually no term limits on high-ranking positions – long-term operations designed to secure the state a successful future are common). China’s legions of state-sponsored hackers will deploy whatever tactics necessary to achieve this goal, including propagating outlandish narratives among Americans.
Like many APTs with a China-nexus, Dragonbridge’s operations are long-running (little surprise there, given what we stated above). That said, unlike many APTs with a China-nexus, Dragonbridge’s latest election-meddling activity has been described by WIRED magazine as being “remarkably ham-fisted,” despite the group’s likely access to the PRC’s considerable resources and shared toolsets.
For some insight, here are some of the more outlandish narratives and disinformation that Dragonbridge has been peddling as of late, courtesy of Mandiant:
- Claims that the China-nexus threat group APT41 is instead a U.S. government-backed actor.
- Aggressive attempts to discredit the U.S. democratic process, including attempts to discourage Americans from voting in the 2022 U.S. midterm elections.
- Allegations that the U.S. was responsible for the Nord Stream gas pipeline explosions.
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“There are a few important conclusions that can be drawn from this story. First and foremost, Dragonbridge’s apparent lack of technical sophistication and limited success should not be equated with the idea that the U.S. is impervious to disinformation and foreign influence campaigns.”
“In addition, Mandiant’s VP of Intelligence Analysis, John Hultquist, along with Thomas Rid, a professor of strategic studies at Johns Hopkins and author of a history of disinformation, both argue that the current divisive atmosphere permeating American society may make the country a prime target for foreign influence operations. Dragonbridge has been working hard – not only to capitalize upon Americans’ perceived divisiveness to push its narratives, but also to increase Americans’ perception of their country as a nation irrevocably split into venomous factions. In an example of its own (occasionally) acute perception, Dragonbridge has gone to great lengths to paint the U.S. as a virtual caricature of itself, seizing upon anxieties and fears which reside, to some degree, within all Americans concerned with the current state of their country.”
2. Google announces GUAC open-source project on software supply chains
An announcement from Google last week unveiled a new open-source security project centered around software supply chain management.
The project is called Graph for Understanding Artifact Composition (GUAC), and its primary focus is on assembling data about how software is built, how secure it is, and what it depends on. To put it simply, GUAC aggregates and synthesizes software security metadata at scale, making it both meaningful and actionable.
GUAC overview
GUAC is a free open-source tool that was designed to bring together many different sources of software security metadata and was created to help address the increase in software supply chain attacks. Google worked with Purdue University, Citibank, and Kusari to create GUAC and assembled a group of technical advisory members to help with the project.
GUAC is still in its infancy and only exists thus far as a proof-of-concept (PoC), but Google believes the project will change how the industry understands software supply chains. Aligning with Google’s mission to organize the world’s information and make it universally accessible and useful, GUAC’s purpose is to democratize the availability of security information by making it accessible to all organizations, not just those with dedicated security and IT funding.
What does GUAC solve?
GUAC essentially aggregates and synthesizes software security metadata to generate a more comprehensive view. Further, GUAC will allow an organization to identify the most critical components in its software supply chain ecosystem, along with the security weaknesses and risky dependencies within that ecosystem.
Google notes that GUAC will be able to help answer questions in three important areas of software supply chain security: the proactive, operational, and reactive stages.
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“The supply chain remains a lucrative attack vector for threat actors, as evidenced by cyberattacks in the vein of SolarWinds and Log4Shell. Considering how many software supply chain attacks we’ve seen in the news recently (not to mention the industry fervor which surrounds the discovery of zero-day vulnerabilities in open-source platforms), it’s about time that something like GUAC was created.”
“According to Tanium Director of Endpoint Security Research Melissa Bischoping, the prevalence of open-source software as shared libraries, dependencies and integrations across enterprise tooling and custom-built projects can lead to repo jacking attacks which could scale rapidly if successful. Bischoping recommends that consumers of third-party products maintain an accurate inventory via SBOM solutions to have insight into dependencies and risks. These recommendations, coupled with the GUAC effort underway by Google, may better position and empower teams everywhere.”
“The timing of this story coincides with the announcement of what was originally described as a “Critical” vulnerability in the open-source OpenSSL library, which gathered a significant amount of industry buzz as researchers scrambled to determine the degree of risk and the scale of the potential attack surface (OpenSSL disclosed the technical details of the security issue a week or so later; the Critical flaw turned out to be a pair of vulnerabilities, CVE-2022-3786 and CVE-2022-3602, buffer overflow bugs that were subsequently downgraded in severity to “High”).”
“The obvious concern among industry professionals was that the OpenSSL library is incredibly ubiquitous; it’s included in many OSs, client-side software, web/email software, network appliances, ICS, and so on. Given the number of services and resources leveraging the library, dependency issues and supply chain worries were raised and, as such, Tanium took a proactive approach to providing its customers with the appropriate guidance for identifying impacted systems and mitigating them as soon as possible in the short time between OpenSSL’s announcement of the vulnerability’s existence and its disclosure of its technical details and CVE numbers a week and a half later.”
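The questions GUAC is meant to answer (which components are most critical, and which components are exposed when a dependency such as OpenSSL turns out to be vulnerable) reduce to queries over a graph of SBOM records and vulnerability records. The following is an added illustration written for this roundup; it is not GUAC's own code and does not use GUAC's data model. The SBOM (component names, versions, package URLs and edges) is constructed for the example, and the two vulnerability records reuse the CVE identifiers named in the analyst comments above with OpenSSL's published affected range (3.0.0 up to the fixing release 3.0.7).

```python
"""Toy artifact graph in the spirit of GUAC (added illustration, not GUAC's own code).
Ingests SBOM-style component and dependency records plus vulnerability records, then
answers a proactive question (what is most depended on?) and a reactive one
(what is exposed through a vulnerable component?)."""
from collections import defaultdict, deque

# Constructed sample SBOM in a simplified CycloneDX-like shape; versions are illustrative.
SAMPLE_SBOM = {
    "components": [
        {"name": "payments-api", "version": "2.4.0", "purl": "pkg:generic/payments-api@2.4.0"},
        {"name": "requests", "version": "2.28.1", "purl": "pkg:pypi/requests@2.28.1"},
        {"name": "urllib3", "version": "1.26.12", "purl": "pkg:pypi/urllib3@1.26.12"},
        {"name": "cryptography", "version": "38.0.1", "purl": "pkg:pypi/cryptography@38.0.1"},
        {"name": "openssl", "version": "3.0.5", "purl": "pkg:generic/openssl@3.0.5"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/payments-api@2.4.0",
         "dependsOn": ["pkg:pypi/requests@2.28.1", "pkg:pypi/cryptography@38.0.1"]},
        {"ref": "pkg:pypi/requests@2.28.1", "dependsOn": ["pkg:pypi/urllib3@1.26.12"]},
        {"ref": "pkg:pypi/cryptography@38.0.1", "dependsOn": ["pkg:generic/openssl@3.0.5"]},
    ],
}

# Constructed vulnerability records using the CVE ids named in the text. The affected
# range (3.0.0 up to, not including, the fixing release 3.0.7) is OpenSSL's published fix data.
SAMPLE_VULNS = [
    {"id": "CVE-2022-3602", "package": "openssl", "introduced": "3.0.0", "fixed": "3.0.7"},
    {"id": "CVE-2022-3786", "package": "openssl", "introduced": "3.0.0", "fixed": "3.0.7"},
]


def parse_version(version):
    """Split a dotted numeric version into a tuple of ints so versions compare correctly."""
    return tuple(int(part) for part in version.split("."))


def build_graph(sbom):
    """Return (components keyed by purl, forward edges, reverse edges)."""
    components = {c["purl"]: c for c in sbom["components"]}
    deps, rdeps = defaultdict(set), defaultdict(set)
    for entry in sbom["dependencies"]:
        for target in entry["dependsOn"]:
            deps[entry["ref"]].add(target)
            rdeps[target].add(entry["ref"])
    return components, deps, rdeps


def transitive_dependents(rdeps, purl):
    """Every component that directly or indirectly depends on purl, mapped to its path down to purl."""
    paths = {}
    queue = deque([(purl, [purl])])
    while queue:
        node, path = queue.popleft()
        for parent in rdeps.get(node, ()):
            if parent not in paths:          # visited check also guards against cycles
                paths[parent] = [parent] + path
                queue.append((parent, paths[parent]))
    return paths


def vulnerable_components(components, vulns):
    """Map each component purl to the ids of vulnerabilities whose affected range contains its version."""
    hits = defaultdict(list)
    for vuln in vulns:
        low, high = parse_version(vuln["introduced"]), parse_version(vuln["fixed"])
        for purl, comp in components.items():
            if comp["name"] == vuln["package"] and low <= parse_version(comp["version"]) < high:
                hits[purl].append(vuln["id"])
    return {purl: sorted(ids) for purl, ids in hits.items()}


def criticality(components, rdeps):
    """Proactive view: rank components by how many others transitively depend on them."""
    ranked = ((purl, len(transitive_dependents(rdeps, purl))) for purl in components)
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def impact_report(sbom, vulns):
    """Reactive view: for each vulnerable component, list everything exposed through it."""
    components, _, rdeps = build_graph(sbom)
    report = {}
    for purl, ids in vulnerable_components(components, vulns).items():
        report[purl] = {"vulns": ids, "exposed": sorted(transitive_dependents(rdeps, purl))}
    return report


if __name__ == "__main__":
    comps, _, reverse = build_graph(SAMPLE_SBOM)
    print("most depended on:", criticality(comps, reverse)[:2])
    print("impact:", impact_report(SAMPLE_SBOM, SAMPLE_VULNS))
```

The graph is keyed on package URLs so that the same library at two versions stays two distinct nodes; the reverse-edge walk is what turns a single vulnerable node into the list of applications that need patching, which is the question an SBOM inventory on its own cannot answer quickly.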
3. Industry experts ask: Is mandatory password expiration helping or hurting your password security?
In a development sure to stir up controversy, trusted cybersecurity organizations like the National Institute of Standards and Technology (NIST) and Microsoft are actively arguing against mandatory password expiration as a security best practice.
According to Microsoft’s password policy recommendations, there are at least two main reasons why organizations should abandon regularly scheduled password expirations.
- Microsoft claims that such requirements do little to prevent dedicated cyberthreat actors from gaining access to victims’ networks. This is due in large part to the increasingly common practice among cybercriminals of making immediate use of compromised passwords, of which there is no shortage. The Account Takeover in 2022 report found more than 24 billion username and password combinations for sale on the dark web, up from 15 billion in 2020.
- Microsoft also argues that forcing users to periodically change their passwords often leads to creating credentials that are more predictable and less secure. For example, users may simply add a new number or special character to a previous password when prompted to renew their credentials.
What the research says about mandatory password expiration
In a 2009 study, researchers from UNC Chapel Hill obtained the passwords to over 10,000 defunct accounts belonging to former university students, faculty, and staff. Users were required to change the password for these accounts every three months. Using password cracking tools in an offline attack, UNC’s researchers eventually cracked about 60% of the passwords. For 7,752 accounts, the researchers were able to crack at least one password that was not the last password the user created for that account. The researchers used the passwords for this set of accounts to conduct the rest of their study, which consisted of developing a cracking approach that formulated guesses based on previous passwords selected by users.
More recently, researchers at Carleton University wrote a paper in which they developed a quantitative measure of the impact of password expiration policies. In this study, Carleton’s researchers assume that attackers will systematically attempt to guess every possible password until they hit paydirt.
Ultimately, Carleton’s researchers were able to draw several conclusions that mirrored those reached by the UNC study. In short, frequent password changes only hamper such attackers a little bit, probably not enough to offset the inconvenience to users. In addition, an attacker who already knows a user’s password is unlikely to be thwarted by a password change.
Not everybody is convinced
Despite an apparent abundance of valid arguments against enforcing mandatory password expirations, there are still organizations and industry verticals that remain unconvinced.
The payment card industry is one such entity, requiring any organization that accepts credit card payments to comply with the Payment Card Industry Data Security Standard (PCI DSS), a widely accepted set of policies and procedures intended to optimize the security of credit, debit, and cash card transactions and protect cardholders against misuse of their personal information. PCI DSS 4.0 goes into effect when PCI DSS version 3.2.1 is retired in 2024 and will require scheduled password changes. Version 4.0 of the PCI DSS standard requires organizations to use passwords that are at least 12 characters in length (with some exceptions) and to expire passwords every 90 days.
What’s the best path forward?
A consensus has yet to be reached by the cybersecurity industry about enforcing mandatory password expirations.
Of note, cybersecurity firm Specops’ Password Policy solution for enterprises supports an interesting concept called “length-based password aging.” With this strategy, organizations can configure access management in such a way that users who create strong passwords are essentially rewarded with less frequent mandatory password changes.
At first glance, this may seem a bit of a band-aid solution for a problem which requires stitches. After all, users who create strong passwords are still required to change them at certain points, a situation which could potentially influence those users to eventually resort to password transformations as opposed to creating entirely new, strong passwords.
While solutions like this may not be enough to solve this dilemma on their own, when used in conjunction with other password security features, certain combinations may prove to be effective.
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“Microsoft is right on the money when it asserts that users who are required to reset passwords more often are more likely to use weak passwords and reuse those weak passwords across multiple accounts.”
“Multifactor authentication — while not a cure-all and subject to its own limitations and security gaps — can help protect user accounts from attackers, even if they have managed to obtain a password. Password screening can also help users create strong, difficult-to-guess passwords. NIST recommends all the above, plus implementing a limit on failed password attempts and salting/hashing passwords. The complete list of recommendations, NIST SP 800-63B, can be viewed here.”
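The controls discussed in the two sections above (length-based aging from “What’s the best path forward?”, and the NIST recommendations in the analyst comments: screening, a limit on failed attempts, salted hashing) combine naturally into one password-change and login check. The following is an added example written for this roundup; it is not code from Specops, Microsoft, NIST or Tanium. The policy profiles take their minimum lengths and expiry periods from the text (PCI DSS 4.0: 12 characters, 90 days; NIST 800-63B: no scheduled expiry), while the length-based aging tiers, the breached-password list, the lockout threshold and the PBKDF2 iteration count are constructed assumptions. The transformation check is a defensive counterpart to the behaviour Microsoft warns about: it refuses a new password that is the previous one with a digit or symbol tacked on.

```python
"""Password-policy checks combining length-based aging with NIST 800-63B style controls.
Added example; profiles, tiers, breach list and thresholds are constructed for illustration."""
import hashlib
import hmac
import os
import re

# Constructed policy profiles. "aging" lists (minimum_length, days_until_forced_change) tiers;
# the highest tier the password qualifies for wins, and days=None means no scheduled expiry.
PROFILES = {
    "pci_dss_4": {"min_length": 12, "aging": [(0, 90)]},              # 12 chars, 90 days (from the text)
    "nist_800_63b": {"min_length": 8, "aging": []},                    # screening instead of expiry
    "length_based": {"min_length": 8, "aging": [(0, 90), (12, 180), (16, 365), (20, None)]},  # assumed tiers
}
# Constructed stand-in for a real compromised-password corpus (store lowercase for matching).
BREACHED = {"password1", "summer2022!", "welcome123", "qwerty123456"}
MAX_FAILED_ATTEMPTS = 5        # assumed lockout threshold
PBKDF2_ITERATIONS = 600_000    # assumed; tune to your hardware


def expiry_days(password, profile):
    """Days until a mandatory change under the profile, or None when it never forces one."""
    days = None
    for min_len, tier_days in PROFILES[profile]["aging"]:
        if len(password) >= min_len:
            days = tier_days
    return days


def levenshtein(a, b):
    """Edit distance between two strings (classic two-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_transformation(old, new):
    """True when the new password is the old one with digits/symbols swapped or a couple of edits."""
    def core(s):
        return re.sub(r"[^a-z]", "", s.lower())   # strip everything but letters
    return core(old) == core(new) or levenshtein(old.lower(), new.lower()) <= 2


def screen_password(password, profile, previous=None):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < PROFILES[profile]["min_length"]:
        problems.append("too_short")
    if password.lower() in BREACHED:
        problems.append("breached")
    if previous is not None and is_trivial_transformation(previous, password):
        problems.append("transformation_of_previous")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns 'hex(salt)$hex(digest)' for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$")
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


class LoginThrottle:
    """Counts consecutive failures per account and locks it after MAX_FAILED_ATTEMPTS."""
    def __init__(self):
        self.failures = {}

    def attempt(self, user, password, stored):
        if self.failures.get(user, 0) >= MAX_FAILED_ATTEMPTS:
            return "locked"
        if verify_password(password, stored):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "locked" if self.failures[user] >= MAX_FAILED_ATTEMPTS else "denied"


if __name__ == "__main__":
    new = "correct horse battery staple"
    print(screen_password("Summer2023!", "pci_dss_4", previous="Summer2022!"))
    print(screen_password(new, "length_based"), expiry_days(new, "length_based"))
```

Screening happens at change time, when the old password is available in cleartext for re-authentication, so the comparison never requires storing anything beyond the salted hash. Under the length-based profile, a 28-character passphrase lands in the top tier and is never forced to rotate, which is the incentive the Specops approach aims for.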
Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.
For further reading, catch up on our recent cyber threat intelligence roundups.