Understanding Supply Chain Attack Vulnerabilities and Attack Surface
In 537 A.D., while laying siege to Rome, the Ostrogoths cut the aqueducts supplying the ancient city with the water and power needed to run grain mills that kept the city fed. During World War II, German U-boat campaigns damaged America and her allies by limiting the free movement of goods needed to fuel the continued war effort. More recently, the United States has placed sanctions and embargos on Russia to limit the country’s ability to acquire goods abroad in order to hinder their efforts and help end Russia’s war against Ukraine.
These examples from across history are called Supply Chain Attacks. Supply Chain Attacks are aggressions meant to harm a target by attacking their network of organizations, people, activities, information, and resources used in creating and delivering goods or services. With the transformation to the digital age, supply chain attacks have become harder to defend against cyber-attackers.
The key to a cyber supply chain attack is to target upstream IT services, where the victim has less control and insight over a system’s security attributes. Targeting upstream digital resources is also attractive because third-party vendors, software, and other systems might be considered less valuable to an organization and, therefore, less protected targets. Targeting the upstream supply chain can also provide the aggressor with efficient methods of attack, by offering multiple ways to access victims through targeting a common shared vendor, source, or technology.
The Adlumin Threat Research Team categorizes supply chain threats and cyber-attacks into multiple categories depending on the TTPs and the apparent operational objectives of the attacker. In this article, we’ll walk through some of the most common and dangerous types of supply chain attacks.
Vendor Access Attack: Target Data Breach
An upstream vendor access attack is when an attacker engages in cyber supply chain operations to gain access to a target through a partner, vendor, client, or anyone outside the company with access to enterprise resources.
A commonly cited example of a modern cyber supply chain attack was conducted against Target in 2013. As part of the data breach, attackers compromised an upstream provider servicing Target’s HVAC system. A “Kill Chain” Analysis report of the 2013 Target Data Breach was released by the U.S. Senate’s Committee on Commerce, Science, and Transportation. The report found that the financial and personal information of as many as 110 million target customers was compromised ([1] Committee on Commerce, Science, and Transportation).
The attack began when hackers stole security credentials from a Pennsylvania-based HVAC company that services refrigeration systems in the mid-Atlantic region. These credentials were likely used as part of Target’s billing system. Target initially failed to respond to multiple automated Intrusion Detection Systems (IDS) warnings, which indicated they were installing malware and exfiltrating data. Hackers applied lateral movement during the attack and compromised Target’s connected financial systems, which stored customer data such as payment information and other Personally Identifiable Information (PII). The malware was a tailored version of BlackPOS and was installed on Point-of-Sale (POS) terminals at U.S.-based Target stores.
BlackPOS utilizes a RAM scraping technique which allows for the collection of unencrypted plaintext data. As a result, the data of Target customers passed through theses infected POS devices before transferring to the company’s more secure payment processing provider. Malware was also installed on a Target server and was designed to move stolen data through Target’s network and firewalls. Attackers collected over 11GB of stolen information using a Russia-based server
Figure 1: Target Breach Timeline – Source: U.S. Senate Committee on Commerce Science and Transportation https://www.commerce.senate.gov/services/files/24d3c229-4f2f-405d-b8db-a3a67f183883
Target failed to properly isolate their most sensitive network assets from those used by less secure or multi-access systems. They also failed to respond to automated detection alerts based on the reported breach timeline. Attackers had access to Target’s internal network for more than a month before the operation was at full scale.
A prominent defense to this kind of supply chain attack is using a full-service MDR security platform that integrates logging, alerts, and detections across multiple products and security vendors to provide one interface for assessing, tracking, and responding to alerts. Proper use of such a system could have cut off the attackers before they spread throughout Target’s POS systems. Adlumin provides a multi-vendor compatible MDR platform to help manage and centralize alerts and logging. Importantly, Adlumin provides an interface to observe the connections and directionality of access for network endpoints that could’ve helped uncover the flow of malicious traffic.
Vendor Backdoor Access: Solar Winds
In 2020 one of the most serious, menacing, and impactful supply chain attack operations ever identified was discovered. The Solar Winds attack is the exemplar of a Vendor Backdoor Access attack.
SolarWinds is an American company that provides different products typically used for Information Technology (IT) network provisioning, management, and monitoring. Beginning with a breach in at least 2019, attackers began infiltrating the company’s infrastructure, breaching a server used to build software for distribution. Attackers moved from proof of concept to operational exploitation. By March 2020, attackers had planted a fully functional remote access tool into Solar Wind’s Orion product software updates ([2] Timberg, C., & Nakashima, E..). Hackers used to access this upstream software vendor (Solar Winds) to insert malicious code into otherwise benign software to gain backdoor access to customer systems where it was deployed.
The undetected, trusted, but malicious updates were installed on SolarWind’s customers across the globe. Once the user had installed the update, the malware would reach out to command and control (C&C) servers mimicking legitimate SolarWinds traffic after an initial dormancy period.
When the malware was successfully installed on SolarWinds systems, it would call back to the attackers, giving them back door access to the Orion hosting device. It also gave hackers access to customer networks. It appears only a small portion of these malware deployments were taken advantage of by attackers, mainly traditionally hardened targets like federal government agencies such as the Department of Treasury, Commerce, and Justice.
Of its 33,000 SolarWind’s Orion customers, 18,000 government and private users downloaded hacked versions allowing for remote access. Leveraging follow-on exploitation and pivoting throughout networks, the attackers could conduct activities such as manipulating Department of Treasure software keys to enable access to the email used by the department’s highest-ranking officials.
The SolarWinds breach demonstrates both the clear impact and potential sophistication of supply chain attacks. Trusted vendors can have security environments that are unseen to customers and may serve as a weakened link in the ATT&CK chain of exploitation. Government and industry regulation, along with customer requirements, might help push vendor’s towards a more secure system – but until then, the best defense is a zero-trust architecture and strong logging, monitoring, and auditing environment. Using products such as an MDR security platform can help aggregate logging data from multiple sources and vendors and provide an overview capability for the entire network. Such capability can help expose actors as they laterally move from the initially backdoored system to others through exploitation giving access to sensitive information and valuable digital assets.
Open Source Library Attacks
A less concerning cyber supply chain attack is an open source library attack. These attacks come in two primary varieties:
- Malicious Commits: Attempt to trick developers into using malicious code
- Availability Attack: Targets software updates and packages
Both can cause harm to a business, but the latter has typically been self-driven by authors for political or personal reasons. In an open source library attack, the goal for an attacker is to either modify the code of a public opensource library or affect the library’s availability. In the first case, when an actor commits malicious code to an open-source repository and is approved and merged with the software, the attack can look like SolarWind’s Orion breach. In addition to backdoors, malicious actors can also insert intentional vulnerabilities which allow for later exploitation. GitHub, the world leading open source code repository system, found that 17% of all vulnerabilities in software were malicious ([3] Tung, L.). Almost a fifth of all bugs reported was placed into the code by attackers.
A second notable way open-source libraries are targets in the cyber supply chain is through attacks on library availability through package managers such as NPM, the JavaScript node package manager, or PyPI, The Python Package Index. In these attacks the actor, potentially a project owner, delists or modifies a popular library used as a dependency for thousands of downstream software projects and products.
One Availability Attack involved the open source JavaScript libraries, colors, and faker, which were hosted on NPM and were downloaded millions of times daily with thousands of projects using them, such as Amazon’s popular AWS Cloud Development Kit ([4]Sharma, A.). In this case, the “attacker” was the library’s owner and founder. They intentionally caused infinite loops or removed the code used in downstream software, affecting customers and end-users by causing availability and runtime issues. The author did so in relation to corporations and commercial consumers of open-source projects who rely on the software for their business.
Old Tactics, Made Digital
Supply chain attacks are an ancient and reliable tactic of striking the target upstream, where targets are typically weaker. Today, this has evolved into a reliable method for compromising IT business systems. Businesses must consider supply chain attacks’ risks on their networks, products, and operations. Implementing best-case solutions such as MDR security, as well as Vulnerability and Patch Management Systems can help mitigate these risks by providing a smaller attack surface and better visibility into attacks to help prevent data breaches and business loss.
- Committee on Commerce, Science, and Transportation. (2014, March 26). A “Kill Chain” Analysis of the 2013 Target Data Breach. Target Kill Chain Analysis. Retrieved July 19, 2022, from https://www.commerce.senate.gov/services/files/24d3c229-4f2f-405d-b8db-a3a67f183883
- Timberg, C., & Nakashima, E. (2020, December 16). Russian hack was ‘classic espionage’ with stealthy, targeted tactics. The Washington Post. Retrieved July 21, 2022, from https://www.washingtonpost.com/technology/2020/12/14/russia-hack-us-government/
- Tung, L. (2020, December 23). Open source: Almost one in five bugs are planted for malicious purposes. ZDNet. Retrieved July 19, 2022, from https://www.zdnet.com/article/open-source-software-how-many-bugs-are-hidden-there-on-purpose/
- Sharma, A. (2020, December 3). Dev corrupts npm libs’ colors’ and ‘faker’ breaking thousands of apps. Dev corrupts NPM libs’ colors’ and ‘faker’ breaking thousands of apps. Retrieved July 19, 2022, from https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/