Can We Prevent the Spread of Software Supply Chain Attacks? A Retrospective of SolarWinds, Accellion FTA, and More
If 2020 was the year of ransomware attacks, then 2021 is on its way to be remembered as the year of supply chain attacks. Among supply chain attacks, software supply chain attacks have been particularly on the rise. Since late 2020, a dramatic surge in software supply chain attacks has led to a change in the cybercrime scene. Widely used IT systems and software such as SolarWinds Orion, Accellion FTA, and Microsoft Exchange Server all suffered zero-day exploits, one after another, some of which had led to the compromise of hundreds of organizations.
What is a Supply Chain Attack?
A supply chain attack is an attack method where a threat actor poses damage to an organization by first compromising another organization in its supply chain. This other organization could be a supplier, distributor, retailer, or partner. Thus a supply chain attack is sometimes also called a value chain attack.
Very often, a supply chain attack has a specific target. The most common type of supply chain attack is when an attacker steals sensitive information of a targeted company from its supplier or partner. For example, in April 2021, the REvil ransomware gang contacted Apple claiming to have stolen unencrypted files containing the unreleased designs of future MacBooks, while demanding a ransom payment of an undisclosed amount. However, Apple was never breached by REvil. Instead, the attackers breached a Taiwanese firm called Quanta Computer. The firm is an Apple supplier that manufactures MacBooks, hence has all the detailed designs of future MacBooks.
Then how does a software supply chain attack differ? Does it share the same characteristics?
How Are Software Supply Chain Attacks Different?
A software supply chain attack is a unique type of supply chain attack in which there are often no specific targets involved. In a typical software supply chain attack, the attackers take advantage of zero-day vulnerabilities to inject malware into the products and services of an IT vendor, then use these corrupted products and services to potentially gain access to the IT network of their customers. As a result, these attacks offer extremely high leverage. A single zero-day vulnerability can be exploited to potentially gain access to hundreds of organizations that use the software. Additionally, after compromising the victims’ networks, the attackers could leverage them to further attack other organizations in their supply chain, spreading like a virus. This allows the attackers to spend the least time and effort for maximized destruction.
Take a look at some of the most devastating software supply chain attacks so far, all of which happened in the past six months.
The SolarWinds Orion supply chain attack shocked the world and changed the way people perceive cyber defence. Despite the first victim rising to the surface in December 2020, this was a long-planned attack that could be traced back to late 2019, when threat actors gained initial access to the internal IT network of SolarWinds. In a usual attack, the attackers would have caused direct damage to SolarWinds’ systems and stolen data from its servers. However, this time, the attackers stayed silent for over a year. Silently deploying malware into SolarWinds’ systems, they eventually managed to inject a backdoor (dubbed Sunburst) into the software updates of the SolarWinds Orion platform, an IT management platform used by many organizations across the globe, including the United States government.
What happened next? The attackers breached hundreds of organizations who installed the corrupted software updates. The first stage victims totaled up to 18,000 organizations around the globe, including large corporations like Microsoft, Cisco, SAP, Intel, Nvidia, Deloitte, FireEye, and Belkin. The US government was also a major victim, with agencies such as the Treasury, the Department of Homeland Security, Department of Commerce, Department of Health, Department of Energy, Department of State, the Cybersecurity and Infrastructure Agency, the National Nuclear Security Administration, and a number of state governments on the list.
But the attackers did not stop from here. After compromising the first stage victims, they used them to further penetrate more organizations in the victims’ supply chains. This led to a wider range of breaches affecting hospitals, universities, school systems, and countless municipal governments all across the US and Canada.
A supply chain attack of this scale was unprecedented, leading to an emergency meeting at the White House with the National Security Agency (NSA). A number of threat actors were suspected to be involved in the attacks, including state-sponsored APTs from Russia and potentially China. SolarWinds also signaled the beginning of a new era; an era where people began to see cyberattacks as potential acts of war and realize the importance of cybersecurity in national defence.
However, the SolarWinds attack only marked the beginning of this new trend. More and more threat actors are adopting similar tactics for financial gain and espionage.
Soon after the SolarWinds incident, four zero-day vulnerabilities of Accellion’s legacy FTA file transfer application were exploited by hacker group FIN11 and the clop ransomware gang. A web shell named DEWMODE was installed to exfiltrate data stored and shared among Accellion FTA users. Many victims received ransom notes.
The Accellion FTA attack used a different approach from the SolarWinds attack because the attackers took advantage of the nature of the FTA application. Since the application is used for file transfer, it likely contained sensitive data from a number of users. However, compared to SolarWinds, the Accellion FTA attack was less likely to cause a breach of the victims’ network because many victims had the application on a separate server isolated from the main IT network.
Nevertheless, the attack still caused significant damage. By April 2021, the total number of companies hit by the Accellion FTA supply chain attack exceeded 100, with at least a quarter of them suffering serious data breaches. Some of the major victims included oil giant Shell, the Reserve Bank of New Zealand, the Australian Securities and Investments Commissions (ASIC), aerospace manufacturer Bombardier, telecom giant Singtel, the University of California system, and Stanford University, to name a few.
A side effect of the Accellion FTA attack is that it significantly drove up the average ransom price, with the average payment sitting at $220,298 for Q1 2021, a 43% increase compared to Q4 2020. Some of the large targets are facing price tags of as high as $50 million.
Microsoft Exchange Server
Just as the world was busy dealing with the aftermath of SolarWinds and Accellion, in March 2021, Microsoft disclosed that its Microsoft Exchange Server was targeted by Hafnium, a sophisticated Chinese state-backed hacker group. Four zero-day vulnerabilities were exploited. One of them was exploitable remotely without the need for any credentials. This allowed the hackers to easily install malware in the servers to gain further access to the surrounding systems.
Within a week of the disclosure, an estimated 250,000 servers worldwide were compromised in the attack, affecting 30,000 organizations in the US alone. With the main goal being espionage, the hackers targeted research institutions, defence contractors, and NGOs. The Parliament of Norway, the European Banking Authority, and Chile’s Commission for the Financial Market were among the victims.
The same vulnerabilities were also exploited by other threat actors. For example, a food logistics firm in the Netherlands, Bakker Logistiek, was attacked in a similar manner, leading to food shortages at local supermarkets.
Are Software Supply Chain Attacks Preventable?
The sheer scale of these attacks causes ripple effects that lead to billions of dollars of damage every year. Both governments of the United States and Australia, two of the most affected countries, are looking into reassessing their stance on cybersecurity. President Biden is preparing for a cybersecurity executive order, while Australia is planning to raise its cybersecurity budget once again.
Yet, many of the victims are large corporations and government agencies that most likely already have adequate cybersecurity measures in place. But why didn’t they work?
The truth is that cybersecurity is not just about complying with regulations and checking things off the checklist. Having a number of legacy systems will not help protect against any of the modern threats. This is why it is important to do a cybersecurity reassessment on a regular basis to make sure the cybersecurity products are equipped with the latest technologies to cope with these new threats.
Penta Security’s R&D team works constantly to keep its security products up to date to defend against AI-based attacks while controlling its quality nonstop. Its web application firewall (WAF) WAPPLES has evolved into an AI-based logical WAF with a newly added automatic rule update capability.
Indeed, all the cases show that it can be quite difficult to prevent supply chain attacks. This is why it is important for every organization in the supply chain to take responsibility for securing their network. Since a chain is only as strong as its weakest link, everyone is responsible for everyone else in the chain.
Check out Penta Security’s product lines:
Web Application Firewall: WAPPLES
Database Encryption: D’Amo
Identity and Access Management: ISign+
Car, Energy, Factory, City Solutions: Penta IoT Security