What are the supply chain threats?
What’s a picture of the current situation?
Since 2019, there has been a growing focus on third-party attacks. With good reason: CyberArck estimates in a study from 2022 that 71% of organizations suffered a successful
software supply chain-related attack that resulted in data loss or asset compromise. According to Argon Security – recently acquired by Aqua Security – published the latest edition of its annual Software Supply Chain Security Review this week. The Software Supply Chain Security Review from Argon’s report that software supply chain attacks grew by more than 300% in 2021 compared to 2020.
In terms of maturity, in 2022: a survey of 1,000 CIOs found that 82% said their organization is vulnerable to cyber-attacks targeting software supply chains (Venafi). From our own Cyberbenchmark, we can see that 50% of our interviewee don’t control their security requirements with their third party and 15% conduct audits on their most critical suppliers in 2022.
What kind of attacks are we talking about?
Attacks on the supply chain are related to threats around third parties. ENISA defines this type of attack as follows: “ A supply chain attack is a combination of at least two attacks. The first attack is on a supplier that is then used to attack the target to gain access to its assets. The target can be the final customer or another supplier. Therefore, for an attack to be classified as a supply chain one, both the supplier and the customer have to be targets.”
As a reminder the supply chain involves a wide range of resources (hardware and software), storage (cloud or local), distribution mechanisms (web applications, online stores), and management software
- Indirect or bounce attack: An attack on one or more intermediate information systems. The attacker uses the supplier as an entry vector to retrieve the information needed to access the final target.
- Supply chain attack: the attacker relies on a software production chain to infect a legitimate program and distribute it to third parties.
Why is it serious?
First because these attacks are complicated to detect: originally used for espionage, these are attacks where the attacker aims to remain discreet until the attack is launched. Second because it is a one-to-many kind of attack. A small change in software source code can affect the entire supply chain (plus, the chains are increasingly interconnected). The most known example is Kaseya and its 800 and 1,500 total businesses affected victims. Thirdly, many enterprises don’t have enough visibility on their ecosystem to anticipate or even detect the flaws in their IS. As we have seen, the security maturity in this field is currently quite low.
There are some aggravating factors:
- The cyber criminal’s ecosystem has matured and industrialized, allowing more sophisticated attacks to target matured victims. They can therefore afford this kind of sophisticated attack which used to take time, financial investment, and expertise…
- Expansion of the attack surface: The IS ecosystem is increasingly large, and increasingly interconnected, and more and more third parties are involved. They have potentially less control of the IS and less visibility, therefore potentially less control of the security of all these third parties, particularly in IAM management: who has very privileged access rights to its IS…
- The risk is to give access to third parties who can represent entry points for attackers: to one’s IS and to one’s sensitive data since one shares them with third parties
- In 2021, in an analysis conducted with 1200 CISOs (in America, Europe and Singapore), about 38% of respondents said that they had no way of knowing when or whether an issue arises with a third-party supplier’s cybersecurity (in 2020, it was 31%) (BlueVoyant66)
- Github estimates that there is 203 dependencies on an average software project in 2022. If a popular app includes one compromised dependency, every business that downloads from the vendor is compromised as well, so the number of victims can grow exponentially.
Examples of attacks
- Compromise intermediate elements of the supply chain (i.e. source code tools)
Midstream attacks target intermediate elements such as software development tools, manipulating the build process of the artifact
- Ex: SolarWinds
- Compromise upstream software (i.e. compromising the source code)
Infects a system that is ‘upstream’ of users, for example through a malicious update, which then infects all ‘downstream’ users who download it.
- One of the biggest was the compromise of CCleaner 2017 update with 2.3 million users impacted
- Compromise project interdependencies
Compromise third-party components, such as an open-source package
Dependencies confusion: the attackers provide a fake “new” upgrade of a software’s project needed component for the targeted software to automatically download it and implement it in the project.
- Ex: Apple, Microsoft, Uber, Paypal (BugBounty 2020)
Within these strategies, one of the most impactful methods is to target the CI/CD pipeline. If the infrastructure is not secured enough and there is a poor access management (our audit teams often see this), it can be easily targeted. Once compromised, the attacker has access to a part of the critical ‘linfra, to the source code of the application and the infrastructure and can generally do what he wants
The impacts are high:
- Attackers have access to critical IT infrastructure, development processes, source code, libraries, and applications:
- Modify the code or inject malicious code during the build process and alter the application
- Deploy malware via the orchestrator directly on production environments
CERT-W: FROM THE FRONT LINE
The First Responder Word
READING OF THE MONTH
This is the tenth edition of the ENISA Threat Landscape (ETL) report, an annual report on the status of the cybersecurity threat landscape. It identifies the top threats, major trends observed with respect to threats, threat actors and attack techniques, as well as impact and motivation analysis.
SEE YOU NEXT MONTH!!