Since 2020, supply chain attacks have grown exponentially, and innovative mitigation solutions are urgently required. Analysis

Sipa USA via REUTERS

Over the last couple of years, security teams in large enterprises and high-profile government organizations started experiencing a new form of attack.

This attack type leverages the supply chain of the organization’s software eco-system (and sometimes, though much less frequently, the supply chain of hardware components) to inject through these suppliers’ products a malicious code that will later be used to create damage within the breached entity.

Supply chain attacks were already in existence during the previous decade but have grown exponentially in frequency, scale and sophistication since 2020.

The most famous supply chain attack to date was exposed in December 2020, using the common “Orion” software management platform supplied by SolarWinds to breach some of the most significant US federal agencies, major technology firms and key government contractors, aiming to exfiltrate sensitive national defense-related information.

The victims list included, among others, the US State Department, Department of Energy, Department of Homeland Security and major corporations like Microsoft and Cisco. Since then, information regarding many similar events was made public, including ones exploiting major software & hardware suppliers such as Asus, Codecov, Kaseya and Accelion.

Leveraging the trusted relationship between the target and its supplier

A supply chain attack is a multi-phase breach operation that is usually performed by very sophisticated attack organizations (APT groups). In essence, the whole point of a supply chain attack is to allow unauthorized code execution inside what is presumed to be a protected system or a segmented/isolated network, leveraging the trusted relationship between the target organization and its software suppliers.

During the first phase of the attack, a breach is made into the network of the vendor supplying the software platform that the attacker wishes to compromise. This platform will be, in many cases, a common IT management product that is in use within the target organizations.

The goal of this phase is to find and reach the R&D or DevOps environment of this supplier and inject the malicious code into the next SW version or the data / configuration update that will be distributed soon to the supplier’s customers.

At the next stage of the attack, the perpetrator leverages the fact that the customers of this SW platform enable the supplier to have a direct and relatively easy remote access to their enterprise network, to allow ongoing software updates and upgrades.

This open interface between the supplier and the customer enables the injection of the malicious code, which is bundled and “hidden” within the legitimate code coming from the supplier, into the target enterprise. This malicious code is usually not detected at this stage by the organization’s security systems, as it is seemingly coming from a recognized and trusted source.

The fact that the supplier’s software platforms are typically used by the IT teams of the target organization. Having high-level, administration access rights within the enterprise’s network makes it easier for the attacker to implement the 3rd phase of the attack, which is to gain control over the enterprise network, reach the specific assets / resources he wants to exploit, by performing data exfiltration, component disablement or infliction of sheer physical damage, to achieve his malicious goal.

Since the malicious code is perceived to be a part of the trustworthy supplier SW package and leverages its users’ access rights, the perpetrator is able to “roam around” the organization without invoking security alerts related to unauthorized behavior until very late in the process and not before much of the damage is already done.

Potentially, supply chain attacks have a very large “damage footprint”. In essence, it can affect the entire user base of any prevalent software product. As such, it can be used by politically motivated attack organization not only to breach a relatively small number of high-value agencies and enterprises (as was the case in the SolarWinds or the Asus attacks) but alternatively to create havoc and even paralyze a nation by attacking a huge number of organizations using a widespread software product.

From theory to major threat

This seemingly theoretical scenario became a reality in 2017, when an attack group, assumed to be connected to the Russian government, leveraged a common Ukrainian accounting software supplier named MeDoc, injected malicious code into its product, and used it to attack thousands of organizations in the Ukraine.

This basically brought the country’s government and most of its business sector to a halt, disabling everything from the monitoring system of the Chernobyl nuclear reactor to international airports, causing direct and collateral damages of billions of dollars.

To date, there is no available security product or procedure that can effectively and consistently block most of the variants of these supply chain attacks. In a recent survey performed by Crowdstrike, 84% of the responders saw supply chain attacks as one of the biggest Cyber threats to their organization over the next 3 years. 63% said that they are losing trust in their software suppliers (including major suppliers such as Microsoft) due to these frequent security incidents.

Enterprises threatened by this type of attack can work to reduce the risk of a breach through rigorous supplier auditing, careful management of SW updates and implementation of zero-trust approach within the organization.

However, as these supply chains are, in most cases, very complex and opaque, involving also many open-source components whose suppliers cannot always be monitored and audited, these actions - important as they may be - are far from being sufficient in order to really mitigate this serious and complex problem.

In some cases, the “security hygiene” best practices can even work against the target organization during a supply chain attack, since the first enterprises to be breached are the most security-aware ones who are quick to install the latest supplier software updates (and with it - unknowingly - also the malicious code) while the ones which don’t stay up to date with the latest SW versions may be spared.

Here to stay, but what can be done?

Looking into the future, there may be different directions and approaches that can be implemented to better mitigate this type of attacks. software suppliers need to achieve better visibility into their CI/CD process and detect these malicious code injections before the SW is sealed and released to the market.

In addition, target enterprises should deploy run-time environment detection and prevention tools that can identify unauthorized or unusual behavior of (what appears to be) the software product within their environment and immediately block it from accessing network resources that should be outside its reach.

One of the more promising potential technologies that can be used to achieve effective run-time protection in the target enterprise network is Moving Target Defense (MTD). When MTD is properly utilized across the organization, no two machines look precisely alike, and even a single system keeps changing over time.

This means that the defender can randomize some of the underlaying operating system components, frequently used services and library APIs.

While trusted applications are made aware of the modified runtime environment, this MTD mechanism will block any software component oblivious of the traps left behind. What makes this approach so potent is the ability to perform this modification in memory, where an adversarial attempt to inspect, modify or even bypass would be immediately trapped and blocked.

This periodic in-memory randomized changes make it incredibly difficult for an adversary to train in one place and then reuse the training results to exploit other machines or even the same machine later in time.

To conclude, supply chain attacks are here to stay, and will only become more prevalent and more harmful going forward. They should be seen as one of the most severe threats to be addressed by security teams of software suppliers, large enterprises and government agencies.

With time, we may even see this type of attack addressing smaller enterprises as the techniques and skillsets required to conduct such an attack will become commoditized (as was the case with other types of attacks in the past, like DDoS or Ransomware).

Therefore, Cyber defense vendors need to come up with innovative products and procedures to mitigate this threat as it evolves and expands in the years to come.

Hudi Zack is the Chief Product Officer at Morphisec.

Zack will deliver a main stage presentation at the upcoming Cybertech Global Tel Aviv, to be held (in person!) between March 1–3, 2022. For additional information, please visit the event's official website.