Big Game Hunting
If you’ve performed any recent research about supply chain attacks, it becomes apparent rather quickly that after ransomware (itself also a cause in several cases), these attacks are a growing trend to feel strongly about. There’s a solid case to be made about an overall trend we’ve already seen with ransomware, that so-called “big game hunting” is the norm now with each attack designed for maximum impact, and attacks on the supply chain fit the bill.
Back in May, Wired did a great job explaining the problem with supply chain attacks. Essentially, instead of a frontal assault on one network, it’s finding a weak point elsewhere that allows access at a one-to-many scale. Adversaries are banking on someone somewhere not having the most robust security policies or best practices in place, and they get the benefit of rolling for the initiative first, so to speak. A study this year from ENISA, the EU’s cybersecurity agency, echoes a lot of this same concern. Even more troubling, there was a significant gap in knowledge around how attacks even occurred in a large majority of incidents.
There’s also a profound psychological aspect to this: The thought of not trusting even the legitimate software you purchased introduces some percentage of doubt into everyone’s mind. With a supply chain attack, this time, it’s not just malicious code attacking with obvious ties to threat actors; it’s now worrying about whether your vendor’s code is secure. In some cases, it also comes down to trusting your vendor’s vendor is also doing the right thing. It also burdens everyone with checking the code, and, as ENISA put it: “customers demand products that are more cyber secure but that remain at a low cost, two needs that it is not always possible to reconcile.” Rightfully so, we’re all taking a giant leap of faith every day, logging into our home and work networks.
From APTs to Criminal Actors
The concept itself is not new, as we’ve seen just in the past decade with attacks on both well-known and relatively obscure applications and vendors. You know it’s significant when the name of a small provider or niche application suddenly becomes a household name in the media. Outside of the big IT world and, more specifically, in the hosting space, who knew what Kaseya was before July 2021? The more recent public arc of this story might’ve started back with the Adobe breach in 2013, continued with the CCleaner attack, and most recently, the SolarWinds breach, with many victims in between. The difference between these case studies and previous ones was that recent attacks have the marks of criminal actors rather than traditional nation-state APTs.
This year alone, there have been several newsworthy attacks that deserve some attention. We’ll spare you a couple of stories since Kaseya and SolarWinds have been done ad nauseam at this point. Instead, we’ll pull together a couple of significant case studies to walk you through what we know now after time has passed and hopefully glean some lessons from them.
Accellion: Attack on a Trusted Service
By all accounts, things came to light about this attack around February 2021, but the attack on Accellion occurred at the end of 2020. Accellion was the maker behind the decades-old FTA (File Transfer Appliance) product, used for file transfer, that was to reach End-of-Life (EoL) status by April 2021. Because of the EoL, Accellion was actively moving customers to other applications and services with different codebases.
Attackers were able to leverage four zero-day vulnerabilities to gain access to an FTA server and deploy a web shell to exfiltrate customer information from multiple databases. Accellion gave notice about the breach and assured customers that patches had been released. Still, as the world discovered by February and over the following months, the damage had been done. Out of about 300 users of the software, 100 had some measure of impact from the attack, with another 25 of those experiencing significant data loss.
Looking at some of the victims involved, one of them a leading cybersecurity firm, it’s likely that they were doing many of the right things in terms of security practices on their own networks. However, they probably never saw a weak point in a trusted third-party application that perhaps had some level of privileged access and was already on its way out.
A Change in Tactics
This attack was significant because this was the first of several large attacks involving Clop ransomware. Already a player since the end of 2019, this was, for lack of better words, their breakthrough event. There were also several significant tactics changes observed in this incident in terms of the actors.
At the time, Bleeping Computer wrote about accounts of Clop operators emailing victims directly whose information was found in stolen data, with the thought that victims contacting affected companies would add pressure to ransom demands. Furthermore, in another change of tactics, the attackers in this incident skipped the usual double extortion method, which sees ransom for encryption demands, and went straight for data extortion. This was to be a later hallmark of actors such as Marketo.
The lesson from this attack was that despite an application nearing EoL, it’s still important to ensure code stays secure until retired or deprecated. Also, it’s important to note that some of the low-and-slow tactics, technical proficiency, and use of zero-days signaled the end of ideas that criminal groups didn’t operate at nation-state levels. This clearly shows that criminal groups could perform on par with any of the professional APTs out there but without the geopolitical constraints, those groups have.
Codecov: Attack on the Code
In April 2021, news emerged around an attack on Codecov, a popular software testing vendor for developers hosting code on various online repositories. At the end of January 2021, attackers were able to leverage weak security on a Docker image creation process to gain access to Codecov’s Bash Uploader script. Once inside, attackers then modified code to capture end-user information such as repository URLs, raw code, credentials, tokens, and keys. In practice, attackers leveraged the compromised script to push malicious code to customers and intercepted customer credentials to conduct further attacks. With well over 29,000 customers using Codecov, the potential of this turning into a very deep watering hole attack was very real.
Once Codecov discovered the problem, they engaged the public, updated their code, took affected servers offline, and worked with incident response firms to resolve the attack. A long-running NodeJS project to replace their Bash Uploader was announced in June 2021, which was set to replace the Bash process by February 2022, according to Bleeping Computer. Codecov encouraged any customers using the online service to update their login processes and check their code. Users of self-hosted Codecov instances were likely not affected, but according to media reporting at the time, several executives speaking anonymously stated they would also be reviewing their accounts in an abundance of caution.
The scary part about this breach is there is yet to be any public statement regarding attribution or conclusion of the investigation. By the end of April 2021, US Federal law enforcement agencies were reportedly investigating the matter, but in the typical Department of Justice form, there has been no comment as of August 2021. In previous supply chain attacks, the complete truth sometimes wasn’t known until weeks or even months after. Attackers in possession of customer credentials could very well still be in those networks, quietly reconnoitering, creating new accounts, escalating privileges, and further poisoning the well downstream.
As of the time of this writing, speculation across the web pointed towards a likely nation-state actor, given the speed of movement to capture customer information and technical proficiency displayed. A backdoor into victim networks with such a large group of potential victims that could serve national political or economic interests would be in the realm of a nation-state APT. However, as we’ve seen previously with initial access brokers and the criminal underground, it may also be a question of supply and demand.
This was yet another case of a tiny weak point causing havoc for downstream users. In this case, an overlooked security process to create Docker images allowed all of this to happen. To add insult to injury, the way Bash Uploader worked meant that downstream customers sending code to Codecov needed to trust the server itself, in addition to the code. The customer who reported the problem to Codecov noticed that the checksums had changed between versions of code, which led to the investigation. Had that customer not seen those changes, who knows how long it would’ve taken to discover, if at all? With attackers in control of the server and the processes running, it would’ve been a boon for them.
Given the prominence of some of the affected customers mentioned, among them popular software and hardware developers and security companies, this was a case again of enterprises likely doing the right thing within their own networks but having the failure come from a trusted partner. Moves toward a more secure platform with NodeJS and other added features were good moves and well-timed, but it highlights the risks with using open-source and third parties.
No Silver Bullet
In the wake of these significant incidents in just the first half of 2021, time will tell what further fallout we may be seeing this same time in 2022. There’s a pretty good chance we may see ripples from these or future attacks, and we’ll be back writing about what happened and what could’ve gone better. The reliance on third parties is not going away anytime soon as businesses outsource expertise to save time and money. As more diverse services come online and businesses expand, the attack surface for any organization will likely grow.
One key point from the ENISA study was that even though an organization may be well-defended on its estate, there may still be a vulnerable supply chain. Organizations need to perform due diligence on their partners, as well as the shared infrastructure and accesses required for vendor products and services. The hard part is there is no one good way to do all of this, especially on your own, and it requires a holistic view of the threats to the business and the daily exposures to risk.
Although we’re by no means the silver bullet here, Digital Shadows (now ReliaQuest) can help provide a view of risk from suppliers. If you’re curious about how we can help in the fight against these kinds of attacks, take a look at SearchLight for a week to see how intelligence can help, or request a demo.