A supply chain attack, also known as a third-party attack, happens when hackers gain access to a company’s systems and data through an external partner or provider with poor security procedures. Attackers may target the hardware or software that a supplier provides to other businesses. Since most businesses now work with more suppliers and service providers than before, the attack surface has grown significantly.
According to TechRepublic, software supply chain attacks are increasing every year; they rose by 51% in 2021. This growth is not surprising, since a single breach of a supplier lets attackers compromise hundreds or thousands of victims and gives them extensive access to internal systems.
Although all attacks are harmful, software supply chain attacks are especially damaging: the attackers gain broad network access, and they are very hard to detect. In this article, we’ll look at some common examples of software supply chain attacks in 2022.
One example of a software supply chain attack is SolarWinds. Attacks against supply chains are uncommon, and the SolarWinds supply-chain attack is one of the more dangerous ones we’ve seen recently.
SolarWinds is a software company that specializes in providing IT specialists with systems management solutions. Orion, a network management system (NMS), is the SolarWinds product used most frequently.
SolarWinds’ more than 300,000 clients include much of the US Federal government, among them the Department of Defense, 425 of the US Fortune 500, and other customers around the globe.
Network management systems are popular targets for attackers. Firstly, an NMS must be able to connect to every device it controls and monitors, which renders outbound ACLs useless as a containment measure.
Second, many NMS are set up to watch for and react to events, which means the NMS itself can change device configurations. Attackers can use the credentials an NMS holds for system monitoring to move laterally to target systems, and an attacker who has gained access to an NMS can reshape network traffic to create man-in-the-middle (MitM) opportunities. Attackers are smart in combining several tactics, but organizations can be smarter by relying on trustworthy software supply chain security guides.
So, here is how SolarWinds was attacked:
SolarWinds made a routine software update available to customers. It was intended to deliver the standard fare, bug fixes and performance upgrades, to the company’s well-known network management system, Orion, a software package that closely monitors all the different parts of a network. Customers needed to provide their login information once to the company’s software website, and then wait for the update to download to their servers automatically.
Hackers, thought to be working for the Russian intelligence agency SVR, used this routine software update to smuggle malicious code into Orion. The tampered update was digitally signed with a legitimate digital certificate carrying SolarWinds’ name.
In an NPR interview, SolarWinds CEO Sudhakar Ramakrishna confirmed that about 18,000 customers downloaded the update containing the malicious code.
The Taiwanese computer maker ASUS was hacked in 2019 when attackers discovered crucial code signing keys on its web update service. Reuters states that the hackers infected one million ASUS computers by adding malware to legitimate ASUS updates. Customers of ASUS notebooks who had enabled Live Update, a feature that automatically looks for new software and firmware upgrades from ASUS, were affected.
Each backdoor sample included a table of hardcoded MAC addresses, the identifiers of network adapters on a network. As soon as it was installed, the backdoor compared the machine’s MAC address against this table, and “if the MAC address matched one of the entries, the virus downloaded the next step of the malicious code.”
Kaseya is another example of a company that fell victim to a software supply chain attack.
Kaseya provides VSA, a unified remote monitoring and management tool for managing networks and endpoints. It also offers service desks, compliance systems, and a professional service automation platform.
Over 40,000 organizations worldwide reportedly use at least one Kaseya software solution. Its products are used by businesses and by managed service providers (MSPs). Kaseya is a vital component of a larger software supply chain because it provides technology to MSPs, which in turn provide services to other businesses.
In contrast to the SolarWinds attackers, the Kaseya attackers took advantage of a previously unknown security flaw (CVE-2021-30116) in the Kaseya software. The vulnerability, initially known only to the attackers, let them exploit the on-premises version of the Kaseya software and ultimately launch a ransomware attack.
Because so many of Kaseya’s clients are MSPs, the attackers were able to spread the ransomware downstream to as many as 1,500 small and medium-sized enterprises that outsource their daily IT operations.
Unlike in the SolarWinds hack, the attackers did not inject code into Kaseya’s software by compromising the upstream build process; instead, according to Forbes, they attacked victims through an automatic software update.
According to ArsTechnica, “the backdoor takes its name from the many pipes utilized for one module to interact with another as well as the project name of the Microsoft Visual Studio used by the creators.”
This backdoor bypasses built-in security measures by using a legitimate, but stolen, code signing certificate issued to the computer games company Nfinity Games. Surprisingly, the private key used for code signing had been stolen two years earlier, but Nfinity apparently was not aware of it at the time.
As a result, the code signing certificate was not revoked until much later, after Nfinity was informed that it was being used to distribute malware.
Even after the certificate has been revoked, malware signed with it may keep working for a very long time, depending on whether and how the signature was timestamped during the signing process.
As with all software supply chain attacks, the harm caused by a stolen, mishandled, or compromised code signing private key is tough to reverse.
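To show why a revoked certificate can leave signed malware trusted, here is an added example (not from the article or from any vendor) that models a simplified timestamp-aware signature check in the style of Authenticode; the dates, the certificate validity period, and the backdated-revocation option are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc

@dataclass
class SigningCert:
    not_before: datetime
    not_after: datetime
    revocation_date: Optional[datetime] = None  # None if the CA has not revoked it

@dataclass
class Signature:
    cert: SigningCert
    timestamp: Optional[datetime] = None  # trusted timestamp authority time, if countersigned

def is_trusted(sig: Signature, now: datetime) -> bool:
    """Simplified timestamp-aware check.

    Without a timestamp the certificate must be valid and unrevoked now.
    With a timestamp the check is anchored at the timestamp: the certificate
    must have been within its validity period then, and any revocation must be
    dated after it. A revocation dated at discovery time therefore leaves
    earlier timestamped signatures made with the stolen key intact.
    """
    cert = sig.cert
    at = sig.timestamp if sig.timestamp is not None else now
    if not (cert.not_before <= at <= cert.not_after):
        return False
    return cert.revocation_date is None or cert.revocation_date > at

def stolen_key_scenario() -> dict:
    """Constructed dates modelling the Nfinity case described above."""
    stolen = datetime(2018, 3, 1, tzinfo=UTC)    # private key taken (unnoticed)
    signed = datetime(2019, 6, 1, tzinfo=UTC)    # malware signed and timestamped
    noticed = datetime(2020, 5, 1, tzinfo=UTC)   # vendor informed, certificate revoked
    now = datetime(2022, 1, 1, tzinfo=UTC)       # a verifier checking the file today
    lifetime = dict(not_before=datetime(2017, 1, 1, tzinfo=UTC),
                    not_after=datetime(2021, 1, 1, tzinfo=UTC))
    revoked_at_notice = SigningCert(**lifetime, revocation_date=noticed)
    revoked_backdated = SigningCert(**lifetime, revocation_date=stolen)
    return {
        # no timestamp: trust ends as soon as the certificate is revoked or expires
        "untimestamped": is_trusted(Signature(revoked_at_notice), now),
        # timestamped, revocation dated at discovery: the malware stays trusted
        "timestamped_revoked_at_notice": is_trusted(Signature(revoked_at_notice, signed), now),
        # timestamped, revocation backdated to the theft: the malware is rejected
        "timestamped_revocation_backdated": is_trusted(Signature(revoked_backdated, signed), now),
    }
```

The practical lesson for a certificate owner is to set the revocation date to the time of the theft rather than the time of discovery, so that timestamped signatures made in between also lose trust.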
The negative effects of software supply chain attacks are serious. To begin with, threat actors use the compromised software vendor to gain privileged access to a victim network and to maintain that access.
By compromising a software provider, they bypass perimeter security mechanisms such as border routers and firewalls and gain initial access. If they are later locked out of a network, a threat actor may re-enter it through the compromised software vendor.
Even though gaining initial persistent access can be fairly indiscriminate, threat actors are more selective when deciding which victims to target for follow-up activity.
A software supply chain attack might have many outcomes depending on the attacker’s motivation, resources, and expertise. Theft of data, espionage, sabotage, and extortion are some typical motives.