Guarding the Gates: An Exploration of the Top Supply Chain Attacks
Once upon a time, an anxious emperor, having heard a prophecy of his daughter’s demise by a snakebite, ordered the construction of an isolated fortress. This was the Maiden’s Tower, rising from the heart of the Bosphorus. The daughter was relocated to this distant haven, shielded from the world and, by extension, the foreseen serpent. Yet, destiny played its part. A seemingly innocent basket of fruits delivered to the tower concealed the deadly snake, which, against all odds and defenses, fulfilled the prophecy.
In our digital age, this tale reverberates. The tower is our network, the princess, our precious assets. The firewall stands tall, yet the serpent – a threat actor – is crafty, infiltrating through an unsuspecting ‘fruit basket’ – the trusted supply chain. Thus, the story whispers a cautionary tale – beware of what lies hidden in your supplies.
In today’s digital era, the complex interconnections of an organization’s supply chain may become its Achilles’ heel. As firms grow more reliant on their collaborations with partners and suppliers, they inadvertently subject themselves to the mounting danger of supply chain attacks. For organizations to protect themselves against these cyber threats, it is essential to recognize the most impactful incidents and draw valuable lessons from them.
This article investigates the most significant supply chain attacks that have considerably impacted the cybersecurity landscape, such as the APT29’s SolarWinds compromise, the recent GoAntywhere MFT, and 3CX supply chain compromises.
By analyzing the techniques utilized by cyber adversaries, the essential outcomes for targeted organizations, and the lessons extracted from these occurrences, this article delivers valuable insights to organizations on enhancing their security measures and protecting their assets from future threats targeting the supply chain.
1- SolarWinds Supply Chain Compromise
Overview of the attack:
In late 2020, a massive cyber-espionage campaign, known as the SolarWinds Attack, compromised the software of SolarWinds’ Orion platform. The attacker, APT29 (Cozy Bear), inserted a backdoor called SUNBURST, and another malware called SUPERNOVA was separately placed on the server, enabling them to infiltrate numerous government agencies and organizations worldwide. SUNSPOT was identified as the highly sophisticated and novel code designed to inject the SUNBURST malicious code into the Orion Platform during the build process. TEARDROP and RAINDROP were reportedly malware loaders that could be deployed as secondary tools using the SUNBURST backdoor.
Impact on organizations:
Among the affected were the US Treasury and the Department of Commerce. The attack highlighted the vulnerabilities in supply chain security and the need for a robust defense. As a part of their response to the SUNBURST vulnerability, SolarWinds revoked the code-signing certificate used to sign the affected software versions and obtained new digital code-signing certificates. They have rebuilt the affected versions, re-signed their code, and re-released all of the products previously signed with the certificate to be revoked.
Key lessons learned:
Adopting a comprehensive suite of security measures, such as Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) systems, is crucial. These systems provide real-time monitoring and automated responses to potential threats, reinforcing the ability to detect and prevent incoming attacks. Moreover, utilizing network anomaly detection technologies is vital to identify unusual behavior that could lead to a security breach. Additionally, using network anomaly detection technologies is crucial, as it allows for identifying unusual behavior that may indicate a breach. Furthermore, implementing a zero-trust architecture, which operates under the “Never trust, always verify” motto, can significantly reduce the attack surface and restrict lateral movement within networks.
In addition to all these preventative measures, it is strongly recommended that third-party platforms be installed behind firewalls, with their internet access restricted and ports and connections limited to operational necessities only. This further minimizes the potential entry points for attackers, mitigating the supply chain risk.
The SolarWinds breach demonstrates the criticality of promptly comprehending and responding to potential security anomalies, as it was detected but not fully comprehended for six months before its official discovery. Effectively identifying and addressing threats requires proactive action and not only detection. This event also emphasizes the importance of collaborating with external security firms to provide comprehensive threat analysis and resolution.
2- 3CX Supply Chain Attack
Overview of the attack:
The SmoothOperator supply chain attack hit the 3CX VOIP desktop client, compromised by a North Korean hacker group UNC4736 also allegedly affiliated with the APT group Lazarus. This incident marked the first-ever double supply chain attack involving compromised software chains of both 3CX and X_TRADER, a discontinued trading platform. This complex attack, involving malware strains TAXHAUL, Coldcat, and a backdoor named VEILEDSIGNAL, affected Windows and macOS systems.
Impact on organizations:
Prominent clients, such as American Express, AirFrance, BMW, and Coca-Cola, were impacted. Over 242,519 IP addresses were potentially compromised, threatening the privacy and security of these organizations through the theft of user credentials and sensitive data.
Key lessons learned:
It is possible that “double supply chain attacks” will emerge in the future, highlighting the potential risks they pose and emphasizing the need for robust cybersecurity measures across a software’s lifecycle.
When this incident was asked about on the 3CX forums, the Support Team replied that it was a false positive; once again, it emphasized the importance of taking into account the anomalies in this case, as in the SolarWinds case.
3- GoAnywhere MFT
Overview of the attack:
Clop and LockBit ransomware groups exploited a high-severity vulnerability (CVE-2023-0669) in GoAnywhere MFT product, Fortra’s secure managed file transfer solution, leading to a 91% increase in ransomware attacks in March 2023.
Impact on organizations:
The compromised GoAnywhere MFT software contributed to a 91% increase in ransomware attacks, affecting various industries such as healthcare, finance, and manufacturing. Among these industries, the healthcare sector was heavily targeted; for example, Brightline, a mental health provider, suffered a data breach impacting over 780K patients.
Key lessons learned:
Organizations should prioritize patch management, conduct regular security audits, and maintain up-to-date backups to minimize the risks associated with supply chain attacks. According to SOCRadar’s observations, there are more than 1,000 systems worldwide whose administrative ports that may be vulnerable to this vulnerability are still open to the public internet. At this point, using a vulnerability intelligence service will enable organizations to recognize which vulnerability poses/may pose a risk and take precautions.
Through SOCRadar’s Vulnerability Intelligence panel, organizations can access the pages of CVEs and observe the CVE’s SVRS (SOCRadar Vulnerability Risk Score), a combination of many ‘Vulnerability Intelligence’ elements such as social media, news, code repositories, dark/deep web, attribution with threat actor and malware as opposed to quantitative elements in CVSS calculation, and CVSSv3 score, as well as whether the vulnerability is current and mentioned.
4- Okta Breach
Overview of the attack:
Ransomware group Lapsus$ claimed to have breached Okta, an identity management platform, by accessing an administrative account on March 21, 2022. The initial intrusion was detected to have occurred between January 16th-21st, 2022, through a third-party customer support engineer’s account.
Impact on organizations:
This breach represents a significant threat to Okta’s customers and the broader supply chain, and according to Bitsight’s report, there are potentially up to 2.5% of Okta’s customers are affected. Given Okta’s role in enterprise identity management, this incident has raised concerns about the potential cybersecurity implications for their customers and exposure throughout their third parties landscape.
Key lessons learned:
The incident highlights the critical importance of securing third-party supply chains and the potential risk even when internal systems are not directly breached. It is crucial for organizations to actively investigate their potential exposure in such incidents, monitor for unusual activities, and identify potential vulnerabilities within their own supply chain.
5- GitHub Supply Chain Attack
Overview of the attack:
In April 2022, a software supply chain attack was carried out against GitHub. The attackers used stolen user tokens from Heroku and TravisCI to gain access to private repositories. This was made possible due to an unknown vulnerability in OAuth tokens which GitHub had adopted recently.
Impact on organizations:
The attack affected several organizations, including GitHub and npm. It could have potentially put at risk over 2,200 companies that use Heroku and 1,700 that use TravisCI in their tech setups. The private repositories of these organizations were accessed, thereby exposing their sensitive information.
Key lessons learned:
This attack highlights the importance of having strong security measures in place to manage software supply chains, especially those involving third-party integrations. Organizations, therefore, need to regularly review their OAuth applications, restrict third-party access, and regularly review organization audit logs, user account security logs, and authorized OAuth applications.
6-Compromise of Comm100 Live Chat Application
Overview of the Attack:
In September 2022, the Comm100 Live Chat application fell victim to a supply chain attack. The attack employed a trojanized installer to distribute a JavaScript backdoor. The malware was spread using a Comm100 installer available on the company’s website, signed with a valid certificate.
Impact on Organizations:
The full impact of the attack was unclear. Comm100, a company with more than 15,000 customers in 51 countries at the time of the attack, provides chat and customer engagement applications to businesses, making the potential reach of the attack extensive. North American and European companies operating in various industries, including technology and healthcare, reportedly found the malicious file.
Key Lessons Learned:
The attack highlights the essential role of robust supply chain security measures, given the trojanized installer’s use. It underscores the importance of promptly identifying and rectifying security threats, as one provider only marked the installer as malicious. Lastly, it is noteworthy that this attack, like the Solarwinds compromise, was potentially carried out by an APT group (APT-Q-27, aka Dragon Breath).
7- Exploitation of Kaseya’s VSA
Overview of Attack:
In July 2021, a US technology company, Kaseya Limited, fell victim to a ransomware attack orchestrated by the Russian-speaking criminal group REvil. The attackers exploited vulnerabilities in Kaseya’s Virtual System Administrator (VSA) remote management software, specifically within its latest update. This allowed the hackers to replace the software with ransomware, affecting numerous managed service providers that used Kaseya’s products.
Impacted Organizations:
The attack had a significant ripple effect, impacting around 50 managed services providers directly and approximately 1,500 organizations indirectly. These organizations were customers of the affected service providers, demonstrating the extensive reach of the attack. The victims were from various industries, including many small and medium-sized businesses that rely on managed service providers for their IT needs.
Key Lessons Learned:
It highlights the potential for a single vulnerability to have far-reaching effects due to the interconnected nature of digital services. The incident serves as a reminder that companies must regularly update and patch their software to address potential security flaws. Furthermore, it emphasizes the need for businesses to understand their supply chain thoroughly, including the security protocols of their suppliers, as vulnerabilities can quickly propagate downstream.
8- Exploitation of ASUS’s Live Update Utility
Overview of the attack:
In 2018, a sophisticated supply chain attack targeted ASUS, a prominent computer hardware manufacturer. The attackers exploited the ASUS Live Update Utility, a tool pre-installed on most ASUS computers for automatic BIOS, UEFI, drivers, and application updates. The attackers injected a backdoor into the utility, using stolen digital certificates used by ASUS to sign legitimate binaries. This allowed them to distribute trojanized versions of the utility from official ASUS update servers, affecting as many as 500,000 to possibly over a million systems worldwide.
Impacted organizations:
The primary victim of this attack was ASUS and its vast user base. The attackers were able to compromise the ASUS Live Update Utility, which is pre-installed on most new ASUS computers. This means that potentially every user of the affected software could have become a victim. However, the attackers were particularly interested in several hundreds of specific users, of which they had prior knowledge. Also, similar methods and techniques were found in software from three other vendors in Asia, suggesting they might have been compromised as well.
Key lessons learned:
The ASUS supply chain attack underscores the increasing sophistication and danger of supply chain attacks. These attacks exploit the trust between vendors and customers, making them particularly effective and difficult to detect. It highlights the need for robust security measures at every stage of the supply chain, especially the software update process. Furthermore, it emphasizes the importance of monitoring all applications for suspicious activity, even those from trusted sources. Also, the attack stands as a reminder that even large, reputable organizations can fall victim to such attacks, underlining the need for continuous awareness and proactive solutions.
9- CCleaner Supply Chain Attack
Overview of the attack:
In 2017, a popular system optimization tool, the CCleaner software, was compromised by a sophisticated cyber-espionage group, Axiom or APT17, likely based in China. The attackers infiltrated the software supply chain, embedding a malicious payload within the CCleaner software that was then downloaded by unsuspicious users. The attack was highly targeted and had multiple stages, with the initial stage affecting 2.27 million users and a more focused second stage impacting only a select group of tech companies.
Impacted organizations:
The attack specifically targeted large technology and telecommunications companies, with a particular interest in a subset of PC users working for these firms. Companies in Japan, Taiwan, the UK, Germany, and the US were targeted. Specific companies that were victims of the second stage of the attack included tech giants like Akamai, D-Link, Google, HTC, Linksys, Microsoft, Samsung, Sony, VMware, and Cisco.
Key lessons learned:
It highlights the need for robust security measures at all software development and distribution stages. The attack also demonstrates the potential for state-level or industrial espionage in the cyber realm. Organizations should consider not only their own security practices but also those of their software suppliers. Regularly updating software to the latest versions and using quality antivirus products are recommended practices. For corporate users, restoring from backups is advised to ensure the complete removal of any potential malware.
10- NotPetya
Overview of the attack:
The NotPetya cyberattack, primarily targeting Ukraine in 2017, was a devastating supply chain attack that used a malware wiper disguised as ransomware. The attackers infiltrated the accounting software firm MeDoc and injected malicious code into their software, which was widely used by Ukrainian businesses. Unlike typical ransomware, NotPetya was designed to irreversibly encrypt data on infected systems, making recovery impossible.
Impacted organizations:
The NotPetya attack had a global impact, affecting numerous organizations beyond its primary target in Ukraine. Multinational corporations such as Maersk, an international shipping giant, were severely impacted, with operations grinding to a halt due to the attack.
Key lessons learned:
The NotPetya attack underscored the vulnerability of supply chains to cyberattacks and the potential for widespread damage. It highlighted the need for organizations to integrate security at every stage of the development process, as well as the importance of validating the origin of code before including it in production releases. The attack also demonstrated the catastrophic consequences of failing to secure internal networks.
11- Ivanti EPMM Supply Chain Attack
Overview of the attack:
In July 2023, Ivanti faced a critical zero-day vulnerability (CVE-2023-35078) in its Endpoint Manager Mobile (EPMM), previously known as MobileIron Core. This flaw allowed unauthorized remote access, potentially exposing user data.
Impacted organizations:
The first victim was the Norwegian National Security Authority (NSM). They confirmed that attackers breached a software platform used by 12 ministries in the country by exploiting the zero-day vulnerability. The exact threat actors remain unidentified, but the compromised systems raised concerns over potential access to sensitive data. The events did not stop there, and consecutive vulnerabilities were discovered as well, which are CVE-2023-35081 and CVE-2023-35082.
Key lessons learned:
The initial vulnerability was flagged by multiple researchers upon its discovery, given its straightforward exploit potential. The issue seemed manageable to patch at first glance. However, the subsequent attacks on Ivanti EPMM has starkly highlighted the absolute necessity of swiftly applying a complete patch. This incident underscores the crucial significance of proactively addressing patch bypass risks from the outset in order to ensure the security of customer systems.
To explore more on the subject, you can check the SOCRadar blog posthere.
12- MOVEit Transfer Supply Chain Attack
Overview of the attack:
In June 2023, CL0P hit the cyber scene with a zero-day on MOVEit Transfer (CVE-2023-34362). MOVEit Transfer is a managed file transfer software developed by Progress. The vulnerability allowed attackers to execute remote code and steal data from targeted organizations using SQL injection.
Impacted organizations:
he notorious CL0P Ransomware group leveraged this vulnerability to launch a series of attacks. Among the victims of Cl0p’s MOVEit Transfer campaign were major entities such as Gen Digital, the parent company of Avast, Norton, AVG, and Avira, as well as PwC, Ernst & Young, and Medibank. Another vulnerability followed the first one, CVE-2023-35036. Since the first report, 595 organizations and more than 30 million individuals have been affected by CL0P’s actions.
Key lessons learned:
The situation escalated dramatically when the Clop ransomware group began publicly exposing the compromised data. Their onslaught in the MOVEit Transfer campaign persisted through multiple vulnerabilities. This case illustrates the substantial threat posed when a well-known malicious actor identifies and capitalizes on opportunities to exploit data-handling applications.
To explore more on the subject, you can check the SOCRadar blog post here.
13- FishPig
Overview of the attack:
In September 2022, WordPress sites faced a supply chain compromise due to an attack on FishPig’s distribution server. Threat actors injected malicious code into FishPig’s software, which integrates Adobe’s Magento eCommerce platform into WordPress websites, allowing them to access these sites. The Rekoobe Linux trojan was then launched, creating a backdoor for attackers to remotely control the affected systems and access customer data.
Impacted organizations:
FishPig confirmed that all their paid FishPig Magento 2 modules were likely impacted, while their free Magento modules on GitHub, with over 200,000 downloads, were believed to be unaffected. The threat actor behind this compromise is expected to sell the access information of the breached servers.
Key lessons learned:
The WordPress supply chain breach via FishPig’s compromised server emphasizes the need for thorough third-party vetting, prompt updates, and proactive monitoring. Integrations require robust security assessments, akin to critical digital assets, and swift patching is essential.
14- Apache Log4j (Log4Shell)
Overview of the attack:
In December 2021, the cybersecurity landscape was rocked by the discovery of the Log4Shell vulnerability, a critical flaw in the widely-used log4j logging library maintained by Apache. Identified as CVE-2021-44228 and assigned the highest CVSS score of 10.0, this vulnerability allowed attackers to execute arbitrary code on a victim’s system, potentially compromising it and leading to the theft of sensitive information.
Impacted organizations:
Given the ubiquity of the Apache Log4j library, the potential impact was vast, with major tech giants like Apple, Google, Amazon, and Tesla among its users. Throughout the year, twelve APT groups, including notorious ones like Lazarus Group and MuddyWater, exploited this vulnerability. Ransomware groups also capitalized on it, with LockBit, Conti, and Alphv/BlackCat being the primary culprits.
Key lessons learned:
The Log4j vulnerability incident highlights the risk of delayed issue resolution in widely used open-source libraries due to limited maintenance resources. It also underscores the importance of monitoring all software integration levels for vulnerabilities in transitive dependencies. Swift crisis response hinges on maintaining comprehensive security visibility, while proactive resource allocation is crucial for effective vulnerability addressing.
To explore more on the subject, you can check the SOCRadar blog post here.
15- PyPI Packages
Overview of the attack:
In July 2021, in a supply chain compromise, several Python packages hosted on the Python Package Index (PyPI) were found to be maliciously designed to steal users’ credit card numbers, Discord tokens, and web-browser files. Some of these packages even provided attackers with code execution abilities. The malware within these packages used simple obfuscation techniques, with some even disguising themselves as optimization tools.
Impacted organizations:
These packages, published under three different PyPI accounts, were downloaded over 30,000 times. The packages, including “noblesse,” “genesisbot,” and “aryi,” were primarily maintained by a user named “xin1111.” Organizations that used the malicious packages were most likely compromised and may have spread the problem further.
Key lessons learned:
Given widespread open-source adoption, it is vital to recognize that incorporating open-source packages into a company’s supply chain exposes both packages and their developer teams to the risk of software supply chain attacks. Caution is paramount when using PyPI packages, given the potential for threat actors to discreetly distribute and utilize malicious packages, infiltrating organizations.
16- Fujitsu ProjectWEB
Overview of the attack:
In May 2021, Fujitsu’s “ProjectWEB” information-sharing tool became the epicenter of a significant breach affecting multiple Japanese government agencies. Attackers gained unauthorized access to projects using ProjectWEB, leading to the theft of proprietary data. The exact perpetrators behind this attack remain unidentified, but the incident’s magnitude prompted Fujitsu to suspend the ProjectWEB portal during the ongoing investigation.
Impacted organizations:
This breach resulted in the exposure of at least 76,000 email addresses and other sensitive information, including email system settings. Notably, Narita International Airport near Tokyo was impacted, with attackers pilfering air traffic control data, flight schedules, and business operation details. Additionally, Japan’s Ministry of Foreign Affairs experienced a data leak, exposing certain study materials.
Key lessons learned:
The ProjectWEB breach in 2021 serves as a stark reminder of the far-reaching consequences of inadequate information-sharing tool security. The incident underscores the necessity of robust security measures to safeguard sensitive data and protect against unauthorized access.
17- Codecov
Overview of the attack:
In April 2021, Codecov, a popular code coverage tool, became the target of a supply chain attack. Threat actors exploited a vulnerability in Codecov’s Bash Uploader script, allowing them to silently harvest credentials, tokens, and API keys from the continuous integration (CI) environments of Codecov’s users. The breach, which went undetected for over two months, had a ripple effect, impacting hundreds of customer networks. The extent of the attack drew comparisons to the SolarWinds incident, with U.S. federal investigators stepping in to assess the damage.
Impacted organizations:
Among Codecov’s 29,000 customers are notable names like IBM, Atlassian, and Hewlett Packard Enterprise, all of whom launched investigations into the potential impact on their systems.
Key lessons learned:
Instances like these highlight the significant implications of security breaches involving APIs, credentials, and tokens. This is particularly concerning when such incidents involve major companies, as they can potentially expose substantial volumes of sensitive data, impacting both individuals and organizations on an unparalleled magnitude.
There Are Always Possibilities
Except for the supply chain attacks listed above, some situations might seem like they had the potential for supply chain attacks but didn’t actually lead to one. Some of them are listed below:
- MSI Ransomware Attack and Code Signing Keys Leak: In 2023, a ransomware attack on the PC manufacturer MSI led to the theft and public leak of private code signing keys, including those for Intel Boot Guard. This breach could potentially have enabled attackers to deploy malicious firmware updates, affecting an entire ecosystem of devices.
- Log4Shell Vulnerability on Apache Log4j: The discovery of a zero-day vulnerability in the Apache Log4j library, widely used in Java applications, led to the potential for remote code execution on victim systems. Despite its widespread impact, the exploit did not result in a direct supply chain attack, although it highlighted the potential for such attacks in similar situations.
- NVIDIA Ransomware Attack and Data Leak: The tech company NVIDIA suffered a cyberattack in 2022, which resulted in operational disruption and the threat of a large-scale data leak. The attackers demanded changes to NVIDIA’s product firmware and threatened to release confidential files. While this did not result in a supply chain attack, it exposed potential vulnerabilities in the supply chain.
Conclusion
Supply chain attacks have become an increasingly prominent threat to organizations worldwide. The top significant attacks that have been discussed demonstrate the diverse tactics employed by threat actors and the devastating impact these attacks can have on businesses and consumers.
Key lessons learned from these incidents emphasize the importance of implementing strict access controls, securing third-party relationships, and investing in advanced threat detection and response capabilities. Notably, the integration of vulnerability intelligence becomes a necessity in this landscape. This means identifying, assessing, and mitigating potential weaknesses in our systems or applications. Further, promoting collaboration between security and development teams is vital, as is the inclusion of vulnerability intelligence in the continuous integration and deployment (CI/CD) process. Organizations should prioritize patch management within their CI/CD process, backed by effective vulnerability intelligence, and always monitor their systems for anything unusual. Employees should also be educated about the dangers tied to attacks that come through the supply chain, including those potentially exploiting known vulnerabilities.
In addition, implementing a “shift-left” approach, where security checks are integrated early in the development process, ensures fewer vulnerabilities and faster mitigation times, reinforcing the overall infrastructure.
Organizations can adopt a proactive approach to cybersecurity with Cyber Threat Intelligence (CTI). This forward-thinking strategy helps businesses identify and counteract emerging cyber threats like supply chain attacks. Leveraging the power of CTI, companies can anticipate potential cyber-attacks, prioritize security patching, and cultivate a culture centered around cybersecurity. In today’s rapidly changing digital environment, investing in CTI is crucial to protect crucial assets, safeguard valuable data, and uphold the organization’s reputation. With the rise in cyber threats, the importance of CTI in our interconnected digital world cannot be overstated.
How Can SOCRadar Extended Threat Intelligence (XTI) Help Organizations Defend Against Supply Chain Compromises?
Organizations can obtain various insights from the Supply Chain Intelligence panel inside the CTI of SOCRadar’s platform. These pieces of information are explained below respectively:
When logged into the module, the first tab (Latest Hacked Companies) shows the news of companies that have suffered cyber attacks:
In the Vendor Intelligence tab, apart from the hacked companies, there is up-to-date news about the vendors that have suffered supply chain attacks.
In the Supply Chain Report tab, which is currently in the beta phase, it is possible to review reports with detailed information about companies and their status on the web in terms of security.
Here is an example report generated by Supply Chain Report:
In addition to the Supply Chain Intelligence module, the Vulnerability Intelligence module will also help organizations with information about various threats:
Screenshot of the Vulnerability Intelligence panel, when the panel is opened for the first time, the Vulnerabilities that have been on the agenda that week appear as a pop-up in front of the user.