The supply chain is a consistent attack vector for threat actors today. By compromising a centralized service, platform, or software, attackers can then either conduct widespread infiltration of the customers and clients of the original – singular – victim or may choose to cherry-pick from the most valuable potential targets.
This can save cybercriminals time and money, as one successful attack can open the door to potentially thousands of victims at once.
A ransomware attack levied against Kaseya in 2021 highlighted the disruption a supply chain-based attack can cause. Ransomware was deployed by exploiting a vulnerability in Kaseya's VSA software, leading to the compromise of multiple managed service providers (MSPs) in Kaseya's customer base.
However, only a relatively small number of businesses were impacted in that case. One of the most powerful examples in recent years is the SolarWinds breach, in which a malicious software update was delivered to roughly 18,000 clients.
The attackers behind the intrusion then selected a handful of high-profile customers to compromise further, including numerous US government agencies, Microsoft, and FireEye.
In an analysis of 24 recent software supply chain attacks, including those experienced by Codecov, Kaseya, SolarWinds, and Mimecast, the European Union Agency for Cybersecurity (ENISA) said that the planning and execution stages of supply chain attacks are usually complex – but the attack methods chosen often are not.
Supply chain attacks can be conducted through the exploitation of software vulnerabilities, malware, phishing, stolen certificates, compromised employee credentials and accounts, vulnerable open source components, and firmware tampering, among other vectors.
But what can we expect from supply chain security in 2022?
Low barriers to entry
Speaking to ZDNet, Ilkka Turunen, Field CTO of Sonatype, said that malicious software supply chain activity is likely to increase in 2022 due to low-barrier-to-entry attack methods such as dependency confusion, which is a "highly replicable" attack method. "It's a no-brainer to use if the actor's goal is to affect as many organizations as possible," Turunen commented. "Add a cryptominer to a dependency confusion attack, and not only does a company need to worry about the effects this has on their software ecosystem, but the actor has now monetized it." Brian Fox, the CTO of the enterprise software company, added that the majority of threat actors are copycats today, and "fad" attacks – or, the 'attack of the day' conducted by fast-acting threat actors – are going to increase the number of supply chain intrusions next year.
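Dependency confusion works at the level of the package resolver, so it is easiest to see in a small simulation. The following is an added example, not code from the article or from Sonatype: it models a build that pulls from a private index and the public registry at the same time (the merging behaviour of pip's `--extra-index-url`), and contrasts it with a resolver that refuses to fetch organisation-owned names from anywhere but the private index. The package names, versions and index contents are constructed for the illustration.

```python
"""Added example: dependency confusion at the resolver level, and one mitigation.

Assumed setup (constructed): the organisation publishes `acme-billing` to a
private index, and the build merges that index with the public one, so the
highest version number wins no matter where it came from.
"""
from __future__ import annotations

# Constructed index contents: package name -> {version: source}.
PUBLIC_INDEX = {
    "requests": {"2.28.0": "pypi", "2.31.0": "pypi"},
    # Attacker registers the internal name on the public index with a version
    # number higher than anything the private index will ever publish.
    "acme-billing": {"99.0.0": "pypi"},
}
PRIVATE_INDEX = {
    "acme-billing": {"1.4.2": "private", "1.5.0": "private"},
}
# Names the organisation owns; these must only ever resolve from PRIVATE_INDEX.
INTERNAL_NAMES = {"acme-billing"}


def parse_version(v: str) -> tuple[int, ...]:
    """Minimal numeric version parser (enough for X.Y.Z, not full PEP 440)."""
    return tuple(int(part) for part in v.split("."))


def resolve_merged(name: str) -> tuple[str, str]:
    """Vulnerable behaviour: candidates from both indexes are pooled and the
    highest version wins, so the attacker's 99.0.0 shadows the private 1.5.0."""
    candidates: dict[str, str] = {}
    candidates.update(PUBLIC_INDEX.get(name, {}))
    candidates.update(PRIVATE_INDEX.get(name, {}))
    if not candidates:
        raise LookupError(f"{name}: no candidates")
    best = max(candidates, key=parse_version)
    return best, candidates[best]


def resolve_pinned_source(name: str) -> tuple[str, str]:
    """Hardened behaviour: an internal name is resolved only against the
    private index; every other name only against the public index. A public
    candidate for an internal name is simply never considered."""
    index = PRIVATE_INDEX if name in INTERNAL_NAMES else PUBLIC_INDEX
    candidates = index.get(name, {})
    if not candidates:
        raise LookupError(f"{name}: no candidates")
    best = max(candidates, key=parse_version)
    return best, candidates[best]


def squatted_internal_names() -> set[str]:
    """Detection: internal names that someone has registered on the public
    index. Run this against the real registry on a schedule; a hit means the
    name should be claimed (or the registry notified) before a build trips."""
    return {name for name in INTERNAL_NAMES if name in PUBLIC_INDEX}


if __name__ == "__main__":
    for pkg in ("acme-billing", "requests"):
        print(f"{pkg:14} merged -> {resolve_merged(pkg)}  "
              f"pinned -> {resolve_pinned_source(pkg)}")
    print("squatted:", squatted_internal_names())
```

The practical equivalents of `resolve_pinned_source` are a single `--index-url` pointing at a proxy that serves internal packages from the private feed and proxies everything else, together with a registry namespace the organisation controls (npm scopes such as `@acme/billing`, for instance), so that a public upload of the bare name cannot collide.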
Increasing attacks while redefining the perimeter
In a world of Internet of Things (IoT) devices, working-from-home arrangements, hybrid cloud/on-prem setups, and complicated digital supply chains, old security models are no longer suitable. According to Sumo Logic's CSO George Gerchow, enterprise players are "still struggling" with the concept of not having a defined defense perimeter. While pressing ahead with digital transformation projects, they are failing to account for the expanded attack surface that new apps and services create. Companies that are increasingly reliant on components, platforms, and services provided at different levels of a supply chain will also have to wake up to this reality, and as a result, security will need to be checked – and reinforced – outside of a business's own networks as well as inside them.
Ransomware incidents will increase
Ransomware is now one of the most lucrative corners of the cybercriminal world, thanks to large illicit payments and to the extortion tactics used, including permanent encryption and the threat of releasing sensitive information. With a record ransom payment of $40 million made in 2021, ransomware will likely appear more often in supply chain attacks. However, such attacks take planning, knowledge, and some skill, so Splunk security strategist Ryan Kovar believes that cybercriminals on the road to becoming "professional" will likely be the ones to combine ransomware and supply chain attack vectors. "Through attacking the supply chain, attackers can hold an organization's data for ransom, and research indicates that two-thirds of ransomware attacks are enacted by low-level grifters who bought ransomware tools off the Dark Web," Kovar says. "With the ongoing supply chain crisis leaving supply lines more vulnerable than ever, organizations must prepare themselves for the inevitability of ransomware attacks to their supply chains."
Technical debt will have to be paid
As enterprise organizations begin to analyze the digital supply chain for weak spots, they will also have to deal with their levels of “technical debt” – described by Stuart Taylor, Senior Director at Forcepoint X-Labs, as the difference between “the ‘price’ a technical project should cost in order to be future-proofed and secure, and the ‘price’ an organization is prepared to pay in reality.” Forcepoint expects to see a “significant” rise in copycat attacks against the supply chain next year, and so organizations are urged to conduct frequent code reviews and to keep security in mind during every step in the development and deployment process. Taylor commented:
SBOMs
The lack of transparency surrounding the components, software, and security posture of players within a supply chain also continues to be a problem for today's vendors. In light of recent, debilitating attacks such as SolarWinds, Gary Robinson, CSO at Uleska, believes that over the next 12 months more companies will require a Software Bill of Materials (SBOM), potentially as part of due diligence in future supply chain business agreements. An SBOM is an inventory of the software components that make up a product, intended to make dependencies transparent to the organizations that use it. It may include supplier lists, licenses, and security auditing assurances. "Organizations will also move to Continual Security Assurance where suppliers will be required to provide up-to-date security reports," Robinson predicts. "No longer will a security report from six months ago satisfy security concerns of an update delivered yesterday. This gap in security directly relates to the company's own security assurance, and suppliers will need to catch up."
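What a consumer actually does with a supplier's SBOM is worth making concrete. The following is an added example, not code from the article or from Uleska: it reads a CycloneDX-style SBOM for a delivered update, checks that the SBOM describes that exact release and was generated alongside it rather than months earlier (Robinson's "six months ago" problem), and cross-checks the listed components against an advisory feed. The SBOM document, the product name and version, the timestamps, the component names and the advisory identifiers are all constructed for the illustration; the real CycloneDX format also carries hashes, licenses and supplier data that this check ignores.

```python
"""Added example: consumer-side checks on a supplier's CycloneDX SBOM.

Everything below (product, components, timestamps, advisories) is constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed CycloneDX 1.4 JSON document shipped with "vendor-agent 4.2.0".
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {
    "timestamp": "2021-06-01T09:00:00Z",
    "component": {"type": "application", "name": "vendor-agent", "version": "4.2.0"}
  },
  "components": [
    {"type": "library", "name": "widget", "version": "1.2.0",
     "purl": "pkg:maven/org.example/widget@1.2.0?type=jar"},
    {"type": "library", "name": "examplelib", "version": "0.9.4",
     "purl": "pkg:pypi/examplelib@0.9.4"},
    {"type": "library", "name": "otherlib", "version": "3.0.1",
     "purl": "pkg:pypi/otherlib@3.0.1"}
  ]
}
"""

# Constructed advisory feed: versioned-less purl -> first fixed version.
ADVISORIES = [
    {"id": "EXAMPLE-2021-001", "purl": "pkg:maven/org.example/widget", "fixed_in": "1.3.0"},
    {"id": "EXAMPLE-2021-002", "purl": "pkg:pypi/examplelib", "fixed_in": "0.9.4"},
]


def parse_version(v: str) -> tuple:
    """Minimal numeric version parser (X.Y.Z only; real tools use purl-type rules)."""
    return tuple(int(part) for part in v.split("."))


def parse_ts(s: str) -> datetime:
    """Parse an RFC 3339 timestamp; the Z suffix is normalised for older Pythons."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def load_sbom(text: str) -> dict:
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX" or "metadata" not in doc:
        raise ValueError("not a CycloneDX SBOM")
    return doc


def describes_release(sbom: dict, name: str, version: str) -> bool:
    """The SBOM must name the exact artefact we received, not just the product."""
    top = sbom["metadata"].get("component", {})
    return top.get("name") == name and top.get("version") == version


def is_current(sbom: dict, release_ts: str, max_age: timedelta = timedelta(days=7)) -> bool:
    """Generated within max_age of the release: a stale SBOM cannot describe new code."""
    generated = parse_ts(sbom["metadata"]["timestamp"])
    released = parse_ts(release_ts)
    return released - max_age <= generated <= released + max_age


def split_purl(purl: str) -> tuple:
    """Split 'pkg:type/ns/name@version?qualifiers' into (base, version)."""
    base, _, rest = purl.partition("@")
    return base, rest.split("?", 1)[0]


def affected_components(sbom: dict, advisories: list) -> list:
    """Components whose version is below the advisory's first fixed version."""
    by_purl = {a["purl"]: a for a in advisories}
    hits = []
    for comp in sbom.get("components", []):
        base, version = split_purl(comp.get("purl", ""))
        adv = by_purl.get(base)
        if adv and version and parse_version(version) < parse_version(adv["fixed_in"]):
            hits.append((comp["name"], version, adv["id"], adv["fixed_in"]))
    return hits


def review_sbom(text: str, product: str, version: str, release_ts: str,
                advisories: list = ADVISORIES) -> dict:
    sbom = load_sbom(text)
    return {
        "matches_release": describes_release(sbom, product, version),
        "current": is_current(sbom, release_ts),
        "affected": affected_components(sbom, advisories),
    }


if __name__ == "__main__":
    # Update delivered on 2021-12-01 with an SBOM generated six months earlier.
    print(review_sbom(SBOM_JSON, "vendor-agent", "4.2.0", "2021-12-01T00:00:00Z"))
```

All three results are needed before the SBOM counts as assurance: a stale or mismatched document says nothing about the code that was actually delivered, and a clean component list from a stale document is the worst case, because it looks reassuring.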