ENISA’s Threat Landscape Report 2022 – Part 10 – Supply Chain Attacks
A supply chain attack is aimed at disrupting the relationship between organizations and their suppliers. It involves a combination of at least two attacks, where the first attack is directed at a supplier and is then utilized to attack a target, with the ultimate goal of gaining access to its assets. This target may be either the end customer or another supplier. To qualify as a supply chain attack, both the supplier and the customer must be targeted.
The events of SolarWinds in 2020 highlighted the potential of supply chain attacks on both attackers and defenders. It appears that threat actors have continued to exploit this avenue to conduct their operations and gain entry into organizations. Surveys conducted by the World Economic Forum and Anchore indicate that between 39% and 62% of organizations have experienced a third-party cyber incident. Additionally, according to Mandiant, supply chain compromises were identified as the second most common initial infection vector in 2021. Furthermore, they accounted for 17% of intrusions in 2021, a significant increase from less than 1% in 2020.
The increasing prevalence of third-party cyber incidents has raised concerns among organizational leaders and garnered attention from governments and policymakers. Cyber defenses become less effective if attackers can gain direct access to organizations through compromised third-party relationships. In response, the European Commission has taken steps to address supply chain security with the NIS2 Directive and Cybersecurity Strategy, proposing measures to strengthen defenses and improve responses to malicious activities affecting the supply chain. The Biden administration also issued an executive order to enhance nationwide cybersecurity in the USA. As the complexity of supply chains and dependencies on third parties continues to grow, organizations must gain greater control and visibility into their supplier relationships and dependencies, potentially by reducing the number of partners they rely on. Surveys conducted by PWC and BlueVoyant underscore the need for greater understanding and management of third-party cyber risks. The complexity of supply chains has not only affected asset and vendor management and the transition to cloud services but has also increased the risk and consequences of supply chain insecurities for many organizations. Additionally, the lack of clarity in a shared responsibility model can result in cloud service security falling into a digital no man’s land.
Increased abuse of the complexity of systems and lack of visibility
Organizations rely on complex systems to meet customer demands and achieve production and delivery efficiency and speed. These systems require multiple suppliers, and selecting and managing them is influenced by various factors. However, many organizations struggle with vendor or supplier management, relying on inadequate initial assessments and infrequent reviews. Different departments may onboard suppliers using different processes, making it challenging to gain a comprehensive understanding of third-party relationships, dependencies, and risks. Data oversight is also often lacking. Adversaries can exploit these factors, along with the increased complexity and trust in suppliers, to gain access to organizations. Initiatives like the Software Bill of Materials (SBOM) aim to improve transparency and auditability. Visibility into third-party relationships and dependencies is critical, but proactive management remains difficult, so most organizations rely on reactive approaches.
Use of vulnerabilities in business technologies
Threat actors have found a new way to target organizations by investing in research to find vulnerabilities in commonly used business technologies, like email servers and knowledge management software. By exploiting a vulnerability in one technology, they gain access to multiple environments at once. These attackers can also obtain information about targeted victims’ infrastructure from public resources, such as tenders, marketing documents, or job announcements, allowing them to identify the exact brand and version of technology to target.
As a result, the number of zero-days being discovered has substantially increased, and although disclosure of such vulnerabilities is often responsible, it still leads to further exploitation attempts by opportunistic threat actors seeking an easy win.
It is likely that we will see an increased investment in vulnerability research in these supply chains in the future, as well as continued attempts to exploit the situation by opportunistic threat actors after the disclosure of vulnerabilities in popular business technologies.
Targeting security researchers for gaining access to targets
The investment in vulnerability research can be costly, as it requires significant resources and is made more difficult by the increased security measures of modern technologies. Additionally, there is a risk that a newly discovered vulnerability may be patched before an attacker can exploit it. As a result, threat groups may target researchers themselves in order to obtain information that can be used to gain access to a predetermined victim. Such attacks are considered a form of supply chain attack. Due to the expense involved in vulnerability research, it is likely that we will see an increase in attacks targeting individuals or organizations that conduct research on security flaws or vulnerabilities, with the goal of stealing their findings.
Increased interest of threat groups in supply chain attacks and attacks against MSPs
The notorious SolarWinds compromise of 2020 was attributed to APT29, a group affiliated with the Russian Foreign Intelligence Service (SVR). This event served as a warning of the growing interest of threat groups, particularly those from China and Russia, and to a lesser extent North Korea, in supply chain attacks.
Threat actors linked to China
In October 2021, HoneyMyte, a Chinese state-sponsored threat actor, also known as Mustang Panda, tampered with an installer package for fingerprint scanner software on an Asian distribution server. The modified package contained changes to configuration files and tools that enabled the deployment of the PlugX backdoor. Since the use of this software was mandatory for employees of a central government in South Asia, this allowed the attackers to gain remote access to critical environments.
APT10, also known as Stone Panda, exploited vulnerabilities in financial software widely used by Taiwan securities traders, using a credential stuffing attack as a cover to ultimately plant the remote access tool Quasar on targeted systems.
Finally, APT41 was believed to have orchestrated a third-party attack on Air India and compromised the Mongolian certification authority MonPass. All of these incidents illustrate the growing interest and involvement of Chinese threat groups in supply chain attacks.
Threat actors linked to Russia
A report by Microsoft on APT29, also known as The Dukes (or Nobelium), highlights an operation in which this Russian group targeted organisations in the US and European IT supply chains. The campaign focused on specific resellers and technology service providers responsible for customising, deploying, and managing cloud services and other technologies. Rather than exploiting vulnerabilities, the threat actors employed common techniques such as password spraying and phishing to steal legitimate credentials from the targeted service providers, allowing them to gain privileged access to downstream customers.
Threat actors linked to North Korea (DPRK)
Suppliers of security software are not safe from APT attacks either, as evidenced by Google’s report on North Korean hackers targeting South Korean security companies that sell anti-malware software. Attackers also target software providers that grant extensive permissions into a variety of environments, such as administration management tools, automation software, and remote monitoring and management tools. One of the most widely publicized attacks was the exploitation of a vulnerability in Kaseya’s software. In this incident, managed service providers (MSPs) and their customers were victimized by ransomware delivered through Kaseya’s remote monitoring and management tool, Kaseya Virtual System Administrator (VSA). It should be noted that there is no evidence that the attackers modified Kaseya’s build systems or source code.
Long-term access by APTs
The increased activity in targeting supply chains by state-sponsored groups suggests their intention to gain long-term and systematic access to these chains. If these threat actors successfully compromise key MSPs, it would grant them significant opportunities to acquire access to critical European governments and institutions. This belief is reinforced by a joint warning issued by cybersecurity authorities of the United Kingdom (NCSC-UK), Australia (ACSC), Canada (CCCS), New Zealand (NCSC-NZ), and the United States (CISA, NSA, FBI), which urges MSPs and their customers to take action to reduce the risk of falling victim to such intrusions.
In addition, it is important to note that the effects of supply chain attacks, particularly those intended for espionage purposes by nation-state actors, may not be immediately apparent to their victims. Despite the significant decrease in median dwell time in recent years, these threat groups can remain hidden and undetected for extended periods.
Targeting build systems, source code and developers
Vulnerabilities in popular business technologies are not the only vulnerabilities that play a role in supply chain attacks. Palo Alto’s research shows that 21% of the security scans against development environments resulted in misconfigurations or vulnerabilities, while 63% of third-party code templates used in building cloud infrastructure contained insecure configurations, and 96% of third-party container applications deployed in cloud infrastructure contained known vulnerabilities. As container infrastructure and the software supply chain on which it relies continue to expand, they remain a growing attack surface for supply chain attacks.
Attacks can also target the source code or systems used to build and release software.
One of the stealthier attack methods for changing source code, dubbed Trojan Source by researchers at the University of Cambridge, uses Unicode control characters to reorder tokens in the source code. This attack takes advantage of the fact that developers sometimes copy and paste useful snippets of code from online postings directly into their editors. Depending on the developer toolkit used, the injected characters are invisible to a human reading the source, so the tampered code can easily find its way into the final released software.
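The standard mitigation against Trojan Source is to reject or flag Unicode bidirectional control characters in source files before they reach code review or the build system. The scanner below is an added example written for this page, not code from ENISA or the Cambridge researchers; the sample source strings it checks are constructed for illustration.

```python
"""Flag Unicode bidirectional control characters in source text.

Trojan Source hides token reordering behind Bidi embedding, override and
isolate characters that most editors render invisibly. A pre-commit or CI
check that refuses any such character in source files closes that gap.
"""
import unicodedata
from typing import List, NamedTuple

# Bidi embedding/override/isolate controls and their terminators.
BIDI_CONTROLS = {
    "\u202A", "\u202B", "\u202C", "\u202D", "\u202E",  # LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI RLI FSI PDI
}


class Finding(NamedTuple):
    line: int        # 1-based line number
    column: int      # 1-based column, counted in code points
    codepoint: str   # e.g. "U+202E"
    name: str        # Unicode character name, for a readable report


def scan_source(text: str) -> List[Finding]:
    """Return every Bidi control character in `text` with its position."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append(
                    Finding(lineno, col, f"U+{ord(ch):04X}", unicodedata.name(ch))
                )
    return findings


def is_clean(text: str) -> bool:
    """True when a file may be accepted into the build without review."""
    return not scan_source(text)


# Constructed samples (hypothetical snippets, not taken from any real project).
CLEAN_SAMPLE = 'if access_level != "user":  # check privileges\n    grant_admin()\n'
# A comment-like string carrying RLO (U+202E) and LRI (U+2066): when rendered,
# the visual order no longer matches the order the compiler parses.
TROJAN_SAMPLE = 'if access_level != "user\u202E \u2066// check":\n    grant_admin()\n'

if __name__ == "__main__":
    for f in scan_source(TROJAN_SAMPLE):
        print(f"line {f.line}, col {f.column}: {f.codepoint} {f.name}")
```

Running the scanner over a whole repository is a matter of feeding each text file to `scan_source` and failing the commit or pipeline when `is_clean` returns False.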
Supply chain cryptojacking for more financial gain