How to Stop Supply Chain Attacks in Their Tracks

If you attended Black Hat this year, you couldn’t avoid the topic of supply chain attacks. From keynotes to vendor messaging to booth presentations, they were a ubiquitous topic in Las Vegas this year.

Supply chain attacks are cyberattacks targeting an upstream vendor for the ultimate purpose of compromising one or more of its customers. Cybercriminals are aware that, by compromising updates from trusted vendors, they can easily bypass installed security software to infect all customers that install it.

Essentially, compromising a software vendor allows damage to cascade down the supply chain to another supplier–a consequence sometimes known as the “waterfall effect”–to increase collateral damage against multiple targets.

Black Hat founder Jeff Moss even began this year’s conference with a few words about software supply chains.

“We all rely on the software supply chain,” he said. “We’re building tools and systems based on it. We’re trusting it. We’re hoping that people in the supply chain … are doing things to help everyone else in the supply chain. Because, if they don’t, everything we do is potentially vulnerable.”

“We all depend on the supply chain being fully immunized,” he continued, “and it’s not there yet.”

Now, “not there yet” is putting it mildly. A few recent, high-profile attacks bear recalling to demonstrate the scope of the problem.

SolarWinds

For many within cybersecurity, the SolarWinds attack by what are widely believed to be state-sponsored cybercriminals was the most significant supply chain attack since the Cleaner attack of 2018 and a worrying reminder of the damage made possible by the tactic.

SolarWinds is a Texas-based IT management platform that unknowingly pushed a Trojanized update to a large portion of its some 300,000 customers. It’s believed that the attackers concealed their presence within the victim’s network for some time to ensure they could carefully select their next targets and preserve time for intelligence gathering.

While not widely known at the time, it’s now assumed that this wide-net attack was ultimately an effort to compromise a handful of high-value intelligence and governmental agencies. Second-stage infections were then pushed against these targets, plus some of the world’s most influential technology vendors.

Critically, this type of espionage-inspired cyberattack differs a great deal from moneymaking practices embraced by for-profit hacking groups. These broadly targeted attacks against suppliers cause widespread disruption without obviously disrupting a specific target.

Codecov

Another supply chain attack targeted Codecov, a software development firm that makes tools for developers, in January 2021. Investigators told the newswire service Reuters that attackers were able to use the access they’d gained to breach hundreds of Codecove customers.

As was the case with SolarWinds, compromising Codecov may have presented access to other software vendors, which could have initiated the waterfall effect presented previously. The firm counts among its clients giants like IBM, Hewlett Packard and Atlassian.

The infosec researcher Matt Tait, who spoke at this year’s Black Hat on the topic of supply chain attacks, called the Codecov compromise an instance of high-volume disruption based on indiscriminate targeting.

According to the company, information stolen from customer devices was then sent to a third-party server outside of Codecov’s control, suggesting that espionage may have once again been the end goal of the attackers.

Kaseya

Perhaps the most far-reaching supply chain attack conducted by a non-state actor in the history of the tactic took place this July. This time, Kaseya, one of the world’s largest IT management platforms, was compromised by the Russia-based hacking group REvil. Unlike in the SolarWinds and Codecov, this attack included a ransomware stage meant to deliver financial rather than intelligence returns for the attackers.  Click on Page 2 to continue reading…