Trojan Source hides bugs, FBI Alert on ransomware, and critical Android patches issued
Posted by: GuidePoint Security
Published 11/11/21, 9:30am
Cybersecurity News for the Week of 11/01/21
A new obfuscation technique dubbed Trojan Source featured prominently in last week’s news, with researchers warning of its potential dangers. The FBI has issued another ransomware warning advising businesses that threat actors are targeting corporate financial events. And the November 2021 Android security update has fixed several critical- and high-severity bugs, including one being actively exploited.
- Trojan Source: malicious code hidden from human code review could be used in software supply chain attacks
- FBI ransomware alert: gangs coercing companies engaged in time-sensitive financial activities
- Android November updates: numerous patches released; 5 critical
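The Trojan Source paper shows that Unicode bidirectional control characters (the right-to-left override and the isolate and embedding controls) make the order in which a compiler reads a line differ from the order a reviewer sees it rendered, so a comment can visually swallow a live statement, or vice versa. The defensive check that follows is an added example, not code from the original news roundup or from the researchers' paper: it scans source text for those control characters and reports each one with its position, which is the kind of gate a team can put in a pre-commit hook or CI job. The sample C source is constructed here to mirror the "commenting-out" pattern described in the paper; the set of flagged code points is an assumption based on the Unicode Bidi_Control property.

```python
from __future__ import annotations

import sys
import unicodedata
from pathlib import Path
from typing import Iterable, NamedTuple

# Code points carrying the Unicode Bidi_Control property (assumption: this
# is the set a Trojan Source scanner needs; none of these belong in source
# code outside of string literals, and rarely even there).
BIDI_CONTROLS = frozenset(
    "\u061c"  # ARABIC LETTER MARK
    "\u200e"  # LEFT-TO-RIGHT MARK
    "\u200f"  # RIGHT-TO-LEFT MARK
    "\u202a\u202b\u202c\u202d\u202e"  # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"  # LRI, RLI, FSI, PDI
)


class Finding(NamedTuple):
    line: int        # 1-based line number
    col: int         # 1-based column, counted in code points
    codepoint: str   # e.g. "U+202E"
    name: str        # Unicode character name


def find_bidi_controls(source: str) -> list[Finding]:
    """Return every bidi control character in `source` with its position."""
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append(
                    Finding(lineno, col, f"U+{ord(ch):04X}", unicodedata.name(ch))
                )
    return findings


def render_visible(line: str) -> str:
    """Show a line in its stored (logical) order with each control escaped,
    which is what the compiler sees rather than what the editor renders."""
    return "".join(f"<U+{ord(c):04X}>" if c in BIDI_CONTROLS else c for c in line)


def scan_files(paths: Iterable[str]) -> dict[str, list[Finding]]:
    """Scan each file; return only the files that contain findings."""
    results: dict[str, list[Finding]] = {}
    for p in paths:
        text = Path(p).read_text(encoding="utf-8", errors="replace")
        hits = find_bidi_controls(text)
        if hits:
            results[str(p)] = hits
    return results


# Constructed sample: the comment on line 4 is closed early by the RLO/LRI
# sequence, so `if (isAdmin)` is rendered as comment text but compiled as
# live code, and the printf runs for everyone.
SAMPLE_C = (
    "#include <stdio.h>\n"
    "int main() {\n"
    "    int isAdmin = 0;\n"
    "    /*\u202e } \u2066if (isAdmin)\u2069 \u2066 begin admins only */\n"
    "        printf(\"You are an admin.\\n\");\n"
    "    /* end admins only \u202e { \u2066*/\n"
    "    return 0;\n"
    "}\n"
)


def main(argv: list[str]) -> int:
    """Exit non-zero when any bidi control is found, so CI can fail the build."""
    if argv:
        results = scan_files(argv)
    else:
        results = {"<sample>": find_bidi_controls(SAMPLE_C)}
    lines = SAMPLE_C.splitlines()
    for path, hits in results.items():
        for f in hits:
            print(f"{path}:{f.line}:{f.col}: {f.codepoint} {f.name}")
            if path == "<sample>":
                print("    " + render_visible(lines[f.line - 1]))
    return 1 if any(results.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments to see the constructed sample flagged (six findings on lines 4 and 6), or pass file paths to scan a tree. A scanner like this catches the bidi family only; the same paper's homoglyph variant (visually identical identifiers built from different scripts) needs a separate check, for example rejecting mixed-script identifiers.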
Cybersecurity News Final Thoughts
With the announcement of the new class of vulnerabilities called ‘Trojan Source,’ cybersecurity news pundits hailed the significance of the discovery and warned that the technique could enable powerful supply chain attacks. While many of these pundits spent time slicing and dicing the research to evaluate the attack methods, few noted in their coverage some telling information contained in a single paragraph of the research paper. According to researchers Nicholas Boucher (University of Cambridge) and Ross Anderson (University of Cambridge and University of Edinburgh), they contacted “nineteen independent companies and organizations in a coordinated disclosure effort to build defenses for affected compilers, interpreters, code editors, and code repository front-ends.” The researchers also set a self-imposed 99-day embargo period during which “disclosure recipients could implement defenses before we published our attacks.”
The result? Despite carefully following ethical guidelines and offering a 99-day embargo period to affected suppliers, of the nineteen software suppliers contacted, only nine committed to releasing a patch. The researchers further disclosed that “quick dismissal and references to legal policies” were among the responses they received from the suppliers they contacted.
As we close out a year that will go down in the record books for cyberattack scale and impact, it beggars belief that the response of any software supplier to a bug discovery is “quick dismissal.” In a year in which supply chain disruptions cost an estimated $4 trillion and in which numerous hospitals had to turn away patients because of system shutdowns due to ransomware, the process of mitigating critical code vulnerabilities should be an extremely high priority for any software developer.
Independent threat research plays a critical role in the field of cybersecurity, particularly during a time when the cybersecurity skills gap makes hiring and retaining skilled security professionals a challenge. There is tremendous value to having independent researchers engaged in responsible threat disclosure activities, yet these researchers are increasingly finding themselves ignored, dismissed, and uncredited.
Responding to vulnerabilities and threats requires more than just employee awareness, the latest and greatest cybersecurity tools, and government regulations. It requires a commitment from all parties involved in the software development process to embrace help where they can get it and make the updating and patching process a priority.