Cyber security investigators have reported that replicable attacks and a low barrier to entry will ensure the rate of supply chain attacks increases in 2022. The supply chain is a consistent attack vector for threat actors today. By compromising a centralized service, platform, or software product, attackers can either conduct widespread infiltration of the customers and clients of the original victim or cherry-pick the most valuable potential targets. This saves cybercriminals time and money, as one successful attack can open the door to potentially thousands of victims at once.
A ransomware attack levied against Kaseya in 2021 (https://www.kayseya.com), an international company that produces remote management software for the information technology industry, highlighted the disruption a supply chain-based attack can cause. Kaseya develops and sells commercial software to remotely manage and monitor computers running Windows, OS X, and Linux operating systems. Ransomware was deployed by exploiting a vulnerability in Kaseya's VSA software, leading to the compromise of multiple managed service providers (MSPs) in Kaseya's customer base.
Only a small number of businesses were impacted in that case. One of the most powerful examples of recent years is the SolarWinds breach, in which a malicious software update was deployed to roughly 18,000 clients. The attackers behind the intrusion then selected a handful of high-profile customers to compromise further, including numerous US government agencies, Microsoft, and FireEye.
In an analysis of 24 recent software supply chain attacks, including those experienced by Codecov, Kaseya, SolarWinds, and Mimecast, the European Union Agency for Cybersecurity (ENISA) said that the planning and execution stages of supply chain attacks are usually complex, but the attack methods chosen often are not. Supply chain attacks can be conducted through the exploitation of software vulnerabilities, malware, phishing, stolen certificates, compromised employee credentials and accounts, vulnerable open source components, and firmware tampering, among other vectors.
In a recent interview, Ilkka Turunen, Field CTO of Sonatype, said that malicious software supply chain activity is likely to increase in 2022 due to low-barrier-to-entry attack methods such as dependency confusion, which he describes as a "highly replicable" attack method. "It's a no-brainer to use if the actor's goal is to affect as many organizations as possible," Turunen commented. "Add a crypto miner to a dependency confusion attack, and not only does a company need to worry about the effects this has on their software ecosystem, but the actor has now monetized it."
Brian Fox, CTO of the same enterprise software company, added that the majority of threat actors today are copycats, and that "fad" attacks, or the 'attack of the day' conducted by fast-acting threat actors, are going to increase the number of supply chain intrusions next year. In a world of Internet of Things (IoT) devices, working-from-home stipulations, hybrid cloud/on-prem setups, and complicated digital supply chains, old security models are no longer suitable.
According to Sumo Logic's CSO George Gerchow, enterprise players are "still struggling" with the concept of not having a defined defense perimeter. While pressing ahead with digital transformation projects, they fail to account for the expanded attack surface that new apps and services create. Companies that are now increasingly reliant on components, platforms, and services provided at different levels of a supply chain will also have to wake up to this reality, and as a result security will need to be checked and reinforced outside of a business's own networks as well.
Ransomware is now one of the most lucrative aspects of the cybercriminal world, with high illicit payments made due to the extortion tactics used, including permanent encryption and the threat of sensitive information being released. With a record blackmail payment of $40 million made in 2021, ransomware will likely begin to make more of an appearance in supply chain attacks. These attacks take planning, knowledge, and some skill, so Splunk security strategist Ryan Kovar believes that cyber criminals on the road to becoming "professional" will likely be the ones to combine ransomware and supply chain attack vectors.
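The dependency confusion method named above, seen from the defender's side, as an added example that is not from the article or from Sonatype: it checks a list of internal package names against a snapshot of a public registry and flags names that are shadowed by a higher public version (which a highest-version resolver would prefer) or that are still unclaimed. The manifest, the public index, and all version numbers are constructed sample data.

```python
# Added example (not from the article): defender-side check for dependency
# confusion exposure. A resolver that consults a public registry next to a
# private one may pick the public package when it carries a higher version,
# so every internal package name is compared against a public index snapshot.
from dataclasses import dataclass

def parse_version(v: str) -> tuple:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class Finding:
    package: str
    risk: str      # "shadowed", "unclaimed" or "ok"
    detail: str

# Constructed: internal packages the build pulls from the private registry.
INTERNAL_PACKAGES = {
    "acme-auth-client": "2.3.0",
    "acme-billing-sdk": "0.9.1",
    "acme-logging": "1.0.0",
}

# Constructed: snapshot of names and versions seen on the public registry.
PUBLIC_INDEX = {
    "acme-auth-client": "99.0.0",   # a higher version was published publicly
    "acme-logging": "0.1.0",        # exists publicly but at a lower version
}

def assess(internal: dict, public: dict) -> list:
    findings = []
    for name, internal_ver in internal.items():
        if name not in public:
            findings.append(Finding(name, "unclaimed",
                "name is free on the public registry; register it or use a "
                "scoped/namespaced name so nobody else can claim it"))
        elif parse_version(public[name]) > parse_version(internal_ver):
            findings.append(Finding(name, "shadowed",
                f"public {public[name]} > internal {internal_ver}; a "
                "highest-version resolver would install the public package"))
        else:
            findings.append(Finding(name, "ok",
                f"public {public[name]} <= internal {internal_ver}; still "
                "pin the private registry as the only source for this name"))
    return findings

if __name__ == "__main__":
    for f in assess(INTERNAL_PACKAGES, PUBLIC_INDEX):
        print(f"{f.risk:9} {f.package}: {f.detail}")
```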
"Through attacking the supply chain, attackers can hold an organization's data for ransom, and research indicates that two-thirds of ransomware attacks are enacted by low-level grifters who bought ransomware tools off the Dark Web," Kovar says. "With the ongoing supply chain crisis leaving supply lines more vulnerable than ever, organizations must prepare themselves for the inevitability of ransomware attacks to their supply chains."
As enterprise organizations begin to analyze the digital supply chain for weak spots, they will also have to deal with their levels of "technical debt", described by Stuart Taylor, Senior Director at Forcepoint X-Labs, as the difference between "the 'price' a technical project should cost in order to be future-proofed and secure, and the 'price' an organization is prepared to pay in reality." Forcepoint expects to see a "significant" rise in copycat attacks against the supply chain next year, so organizations are urged to conduct frequent code reviews and to keep security in mind during every step of the development and deployment process. The lack of transparency surrounding the components, software, and security posture of players within a supply chain also continues to be a problem for today's vendors.
In light of recent, debilitating attacks such as SolarWinds, Gary Robinson, CSO at Uleska, believes that over the next 12 months more companies will require security-oriented Software Bills of Materials (SBOMs), potentially as part of due diligence in future supply chain business agreements. SBOMs are software and component inventories designed to enforce open transparency around software use in the enterprise. They may include supplier lists, licenses, and security auditing assurances. "Organizations will also move to Continual Security Assurance where suppliers will be required to provide up-to-date security reports," Robinson predicts. "No longer will a security report from six months ago satisfy security concerns of an update delivered yesterday. This gap in security directly relates to the company's own security assurance, and suppliers will need to catch up."
How can any company keep up with constant supply chain threats? Jim McKee, CEO of Red Sky Alliance, a 10-year-old cyber threat intelligence firm, suggested: "Use a simple service like our RedXray cyber threat notification service (https://www.wapacklabs.com/redxray) and set up a dashboard where you can be notified of cyber threats that have not yet breached your network. You can enroll your key suppliers too, so you can see cyber threats against them before they can infect your systems."
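One way to turn the SBOM transparency and continual assurance points above into a check, as an added example that is not from the article or from Uleska: it parses a minimal CycloneDX-style SBOM and reports components that lack a supplier or license, or whose latest security report is older than an assumed 30-day window. The SBOM contents, the security:lastReport property name, and the window are constructed assumptions.

```python
# Added example (not from the article): checking a minimal SBOM for the
# transparency the text describes. Each component must name a supplier and
# a license, and its latest security report must be no older than a fixed
# window, which is the "Continual Security Assurance" idea expressed in code.
import json
from datetime import date

MAX_REPORT_AGE_DAYS = 30   # assumption: what "up-to-date" means here

# Constructed sample SBOM in CycloneDX-like JSON; not a real project's data.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "libfoo", "version": "1.2.0",
     "supplier": {"name": "Foo Ltd"}, "licenses": [{"license": {"id": "MIT"}}],
     "properties": [{"name": "security:lastReport", "value": "2021-12-01"}]},
    {"name": "libbar", "version": "3.0.1",
     "supplier": {"name": "Bar Inc"}, "licenses": [],
     "properties": [{"name": "security:lastReport", "value": "2021-06-15"}]},
    {"name": "libbaz", "version": "0.4.0"}
  ]
}"""

def check_sbom(sbom_text: str, today: str) -> dict:
    """Return {name@version: [issues]} for components that fail a check."""
    sbom = json.loads(sbom_text)
    issues = {}
    for comp in sbom.get("components", []):
        problems = []
        key = f"{comp['name']}@{comp['version']}"
        if not comp.get("supplier", {}).get("name"):
            problems.append("no supplier recorded")
        if not comp.get("licenses"):
            problems.append("no license recorded")
        reports = [p["value"] for p in comp.get("properties", [])
                   if p.get("name") == "security:lastReport"]  # assumed key
        if not reports:
            problems.append("no security report")
        else:
            age = (date.fromisoformat(today) - date.fromisoformat(max(reports))).days
            if age > MAX_REPORT_AGE_DAYS:
                problems.append(f"security report is {age} days old")
        if problems:
            issues[key] = problems
    return issues

if __name__ == "__main__":
    print(check_sbom(SBOM_JSON, "2021-12-20"))
```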
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and offers proactive solutions to protect your networks. For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or firstname.lastname@example.org
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941