The Sysdig Threat Research Team (TRT) disclosed this week that attackers are compromising self-managed (on-premises) instances of the GitLab continuous integration/continuous delivery (CI/CD) platform using binaries written in Go and .NET.
Michael Clark, director of threat research for Sysdig, said most attacks against software supply chains employ scripts. The attackers, who appear to be based in Russia, are instead using compiled binaries to run proxyjacking and cryptomining campaigns on the infrastructure that hosts the compromised GitLab instances.
Cryptomining, in this context, means running cryptocurrency-mining software on the victim's compute, which is what earns the attacker money for validating transactions. Proxyjacking means enrolling the victim's host in a proxyware service and reselling its bandwidth to customers who want to route traffic through someone else's IP address to hide their physical location.
The campaign, which Sysdig dubbed LABRAT, uses reasonably sophisticated tactics and techniques. Beyond compiled binaries, the attackers employ tools whose signatures are not yet detected, cross-platform malware built to evade security tooling, a command-and-control (C2) channel that gets past firewalls, and kernel-based rootkits that hide their presence. They also abused a legitimate service, TryCloudflare, to obscure their C2 infrastructure.
The attacker is still active and keeps updating their tooling, so organizations running self-managed GitLab need to track the group's tactics, techniques and procedures (TTPs) rather than rely on a static list of indicators of compromise (IoCs): a file hash or IP address from one report will not match the next rebuilt binary, while the behaviour (for example, an unexpected process on a CI host opening a tunnel to a TryCloudflare hostname) tends to persist across rebuilds.
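To make the hash-versus-behaviour point concrete, here is a small detector run over constructed sensor events. It is an added example written for this page, not Sysdig's code or any tooling from the LABRAT report; the JSON-lines event shape, the process paths, the hostnames and the shortened hash values are all assumptions, and the only thing it borrows from the report is the TryCloudflare abuse pattern (quick tunnels live under *.trycloudflare.com).

```python
import json
import re
from dataclasses import dataclass

# Hostname pattern for Cloudflare quick tunnels (*.trycloudflare.com).
TRYCLOUDFLARE_RE = re.compile(r"(^|\.)trycloudflare\.com$", re.IGNORECASE)

# Constructed hash IoC list for an earlier build of a hypothetical loader.
# Values are shortened placeholders, not real sample hashes.
STALE_IOC_HASHES = {"sha256:deadbeef0001"}

# Constructed JSON-lines events from a hypothetical runtime sensor on a GitLab
# host. Field names are an assumption; real sensors (auditd, Falco, eBPF
# agents) emit different schemas.
SAMPLE_EVENTS = """\
{"type":"exec","pid":4100,"parent":"gitlab-runner","proc":"/usr/bin/git","sha256":"sha256:00000000git0","args":"clone https://gitlab.example.com/app.git"}
{"type":"exec","pid":4312,"parent":"sh","proc":"/tmp/.x/loader","sha256":"sha256:deadbeef0001","args":""}
{"type":"connect","pid":4312,"proc":"/tmp/.x/loader","dst_host":"quiet-lamp-pond.trycloudflare.com","dst_port":443}
{"type":"exec","pid":4400,"parent":"sh","proc":"/tmp/.x/loader","sha256":"sha256:deadbeef0002","args":""}
{"type":"connect","pid":4400,"proc":"/tmp/.x/loader","dst_host":"brave-sky-river.trycloudflare.com","dst_port":443}
{"type":"connect","pid":4500,"proc":"/usr/bin/curl","dst_host":"gitlab.example.com","dst_port":443}
{"type":"exec","pid":4600,"parent":"sh","proc":"/usr/local/bin/cloudflared","sha256":"sha256:cloudflared1","args":"tunnel --url http://127.0.0.1:8080"}
"""


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def parse_events(text):
    """Parse JSON-lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad line should not stop the whole scan
    return events


def detect(events):
    """Apply one hash-based IoC rule and two behavioural rules."""
    findings = []
    for ev in events:
        if ev.get("type") == "exec":
            # Static IoC: only matches the exact build that was hashed.
            if ev.get("sha256") in STALE_IOC_HASHES:
                findings.append(Finding("ioc-hash", ev["pid"], ev["proc"]))
            # Behaviour: the cloudflared client starting a tunnel on a CI host.
            basename = ev.get("proc", "").rsplit("/", 1)[-1]
            if basename == "cloudflared" and "tunnel" in ev.get("args", ""):
                findings.append(Finding("cloudflared-tunnel-exec", ev["pid"], ev["args"]))
        elif ev.get("type") == "connect":
            # Behaviour: any egress to a quick-tunnel hostname, whatever binary made it.
            host = ev.get("dst_host", "")
            if TRYCLOUDFLARE_RE.search(host):
                findings.append(Finding("trycloudflare-egress", ev["pid"], host))
    return findings


def summarize(findings):
    """Count findings per rule so the two approaches can be compared."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

In the constructed data the hash rule catches only pid 4312; the rebuilt loader at pid 4400 has a new hash and slips past it, but both copies are flagged by the egress rule because the tunnel behaviour did not change. Treat the TryCloudflare rule as a triage signal rather than a verdict: developers do use quick tunnels legitimately, so an allowlist of expected hosts and a check that the connecting process was spawned by a CI job (parent `gitlab-runner` or `sh` under it) are the usual tuning steps.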
The sophistication of this attack is out of proportion to the modest illicit revenue that cryptojacking and proxyjacking typically yield. What is less clear is whether the same access could also be used to inject malicious code or vulnerabilities into the software supply chains that run on the compromised GitLab instances.
What is certain is that cybercriminals have developed more advanced capabilities for compromising software supply chains, and those capabilities are likely to be turned against other DevOps platforms as well.
Fortunately, there is far more focus on securing software supply chains in the wake of a series of high-profile breaches. The challenge is that most of those efforts are still relatively nascent, so there is not yet enough appreciation for the lengths cybercriminals will go to in order to compromise a software supply chain. The ability to inject malware that might one day find its way into any number of downstream applications makes a software supply chain a tempting target.
Multiple legislative initiatives have been launched that will eventually require organizations to better secure their software supply chains, and some aspects of the proposals being debated today will become law. Most DevOps teams would therefore be well advised to start now: a methodical approach to supply chain security creates less stress later than scrambling to comply with a requirement after the fact.
In the meantime, thanks to the adoption of DevSecOps best practices, application security continues to improve steadily. The problem is that those advances are not arriving as quickly as cybercriminals are evolving new tactics and techniques.