How to Monitor & Stop Supply Chain Attacks
A supply chain attack is a type of cyberattack that targets the software or hardware supply chain. Instead of directly attacking a target organization, the attacker focuses on compromising the suppliers or vendors associated with the target. This approach allows the attacker to infiltrate the target organization indirectly, often exploiting trust in the supply chain. Such attacks usually affect either service providers with access or software manufacturers.
In recent years, such cyberattacks have become increasingly common – they have now developed into a significant threat to IT security, regardless of whether the company is a supplier or a customer.
Detecting and mitigating supply chain attacks can be challenging, but by combining different approaches and leveraging advanced detection technologies, organizations can enhance their ability to detect and mitigate supply chain attacks. Continuous monitoring, threat intelligence, and a proactive security posture are crucial elements in defending against such sophisticated threats.
A machine learning Network Detection & Response (NDR) can be a crucial asset for the security strategy in detecting and combating, among others, supply chain attacks and mitigating their blast radius. Regular and continuous network traffic monitoring is essential for detecting supply chain attacks early, which is exactly what NDR provides: real-time visibility into the network, allowing security teams to respond promptly to any suspicious activity.
But before diving into the technology behind the presented solution, let’s investigate the recent, massive incidents.
Recent examples of attacks on the software supply chain
Example 1. SolarWinds Orion Supply Chain Attack
The SolarWinds Orion incident in late 2020 exemplifies a supply chain attack – hackers compromised SolarWinds' software build process, injecting a malicious backdoor into updates. Thousands of customers, including government agencies and Fortune 500 companies, unwittingly received the compromised software. This allowed attackers to remotely access sensitive networks and data.
How would NDR have worked here?
An NDR solution such as ExeonTrace would have recognized in real time that Solarwinds' systems were compromised, as its machine learning-based model can immediately detect illegitimate network traffic. Solarwinds attackers used generated domains, and ExeonTrace is very fast in detecting domains generated by algorithms – when attackers use this method, they do not have to rely on a static address to communicate with the C&C server, which could be blocked.
ExeonTrace works well at detecting illegitimate traffic as it learns what legitimate web traffic looks like through supervised machine learning in the lab. Exeon generates the data itself using automated web browsers.
At the customer's premises, however, the model continues to learn, in an unsupervised manner, what normal behavior looks like in the specific network. To do this, it does not need to know the content of the data traffic, only the patterns of the data flows. If there is a conspicuous change in behavior, it rings the alarm. The solution can, therefore, also work with encrypted data.
Example 2. MoveIT vulnerability exploited by BianLian
The MoveIt supply chain attack primarily targeted a software package called MoveIt, which is widely used for motion planning and manipulation in the field of robotics. In this case, attackers gained unauthorized access to the software's build infrastructure. The build infrastructure is the environment where the software code is compiled and packaged for distribution. The attackers then introduced malicious code into the MoveIt codebase during the build process. Once the malicious code was integrated into the software, it was distributed to users as part of the legitimate software updates. Users unknowingly installed the compromised version of MoveIt, which could potentially allow the attackers to exploit vulnerabilities, steal sensitive information, or carry out other malicious activities on the affected systems.
This type of attack is particularly concerning because it can compromise a large number of users who trust the integrity of the software they are using. It emphasizes the importance of securing the entire software development and distribution process to prevent unauthorized access and tampering. Software developers and maintainers need to implement robust security measures to protect against such supply chain attacks and ensure the safety and reliability of the software they provide to users.
Example 3. compromise of an upstream server: Codecov attack
In many cyber-attacks on software systems, the bad actors typically sneak into a central server or code storage and insert harmful elements, like malicious code or fake updates. These elements then get sent out to numerous users. However, not all tech breaches follow this pattern. Take the Codecov incident as an example. Though people often compare it to the SolarWinds attack, they differ in key aspects. SolarWinds involved sophisticated attackers modifying a legitimate update file, SolarWinds.Orion.Core.BusinessLayer.dll, in SolarWinds' Orion IT monitoring product. The altered code, hidden in the RefreshInternal() method, activates a sneaky backdoor when Orion loads the Inventory Manager plugin. The impact, however, only hit over 18,000 SolarWinds Orion customers, including US government agencies, after the tampered update spread.
In contrast, the Codecov attack didn't involve spreading malicious code to users. Instead, the attackers exploited a flawed process in creating Docker images to grab credentials. These credentials let them tamper with the Codecov bash uploader hosted on the Codecov server. This uploader collects environment variables sent by customers' Continuous Integration/Continuous Delivery (CI/CD) environments. Despite the bash uploader script residing on the compromised server (codecov[.]io/bash), many repositories were already linked to this location for sharing their CI/CD data.
So, the harmful code only stayed on the compromised server without spreading downstream because the linked repositories were already set to upload data to the compromised Codecov server. Yet, this affected those downstream repositories, as they unknowingly sent their information to the compromised bash uploader. The attackers reportedly infiltrated hundreds of networks using credentials obtained through the compromised bash uploader.
Example 4. Dependency confusion attack:
For the past few years, nearly every report on supply chain attacks has highlighted a recurring issue known as dependency confusion. This problem has gained prominence because it's a straightforward and automated type of attack. It exploits a design flaw in various open-source systems, making it a hassle-free process for attackers. To put it simply, here's how it works: imagine you're building software, and it relies on a private, internally created component that isn't publicly available. A clever attacker can take advantage of this by registering a similarly named component with a higher version number on a public repository. Your software build might inadvertently pull in the attacker's version instead of your internal one.
In essence, it's a sneaky maneuver that capitalizes on how software components are managed, and it has become a common point of concern in the tech security landscape.
Example 5. Stolen SSL and code signing certificates:
Beyond regular SSL certificates, there's code-signing certificates. And opposed to certificates used for encrypting your traffic to the central server, a code signing certificate would transmit a sense of authenticity as your software has successfully been signed by the private key of your supplier. If this private key associated with the certificate now gets stolen, consequences for software security are significant. Picture it like this: the attacker gets a hold of the private code-signing key and uses it to sign malicious software just as if it were a legitimate program or update from a reputable company.
Pretty much a year ago (December/January 2023), Github and Microsoft got their code signing keys stolen by a bunch of attackers and just like that it happened to AnyDesk just a few weeks ago.
Remember Stuxnet? Another classic example of such a sophisticated attack where the bad actors used stolen private keys to make their malicious code appear "trustworthy." Why go back so far in time? Well, it was one of the first occurrences of malicious people “successfully” using code-signing certificates to transmit this false sense of security and trust.
To summarize, code signing issues are something to really look out for and something that can happen to organizations of either size. So, the next time you hear about SSL and code-signing certificates, know that they are not just tech jargon – they are essential safeguards in the digital world, and keeping those keys secure is crucial for everyone, but still can bear danger.
Example 6. Targeting the CI/CD infrastructure of developers:
Imagine a sneaky attack on computer programs that not only involves slipping in harmful changes to someone's project on GitHub, but also takes advantage of a fancy system GitHub has for automating tasks. This attack goes beyond just causing trouble – it also secretly uses the automation setup to generate cryptocurrency. On GitHub, developers can set up automated processes using something called GitHub Actions. These processes help them test and deploy their code smoothly. In this attack, the bad guys copy real projects from GitHub, make small tweaks to the automation setup, and then suggest these changes to the original project owner. If the owner accepts the changes, the harmful modifications sneak back into the project, causing all sorts of issues. Plus, in the background, the attackers are making money by mining cryptocurrency without anyone knowing. It's like a double whammy of trouble for both the project and the unsuspecting developers.
How can companies protect themselves? What else can you do?
Here are 5 ways to combat supply chain attacks and why they’re efficient:
- Anomaly detection analyzes network traffic for unusual patterns, especially in communications with external servers or unexpected data transfers finds anomalies in network traffic, user behavior, or system activities can be indicative of a supply chain attack. NDR tools identify anomalies by comparing current behavior to historical data or predefined norms.
- Behavioral analysis to look for unusual or unexpected behavior in networks and monitor for anomalies in process execution, file changes, and network communication can flag suspicious activities, such as unauthorized access or unusual data exfiltration patterns. NDR with Machine Learning uses behavioral analysis to establish a baseline of normal network behavior. Any deviations from the baseline could indicate suspicious activity, such as unexpected data flows or unusual communication patterns originating from the supply chain.
- User and entity behavior analytics (UEBA) to monitor user and entity behavior, identifying any unusual activities or access patterns uncovers supply chain attackers that may attempt to impersonate legitimate users or entities, and UEBA can help spot such anomalies.
- As NDR tools integrate with threat intelligence feeds to stay updated on the latest indicators of compromise (IOCs) related to supply chain attacks, it allows the tool to identify and alert on any network activity associated with known malicious entities or techniques.
- Integrating NDR with EDR solutions can provide a comprehensive view of the network and endpoint activities. This allows for a more holistic approach to detecting and responding to supply chain attacks.
Deep Packet Inspection or Not?
Some NDR solutions include deep packet inspection capabilities, that shall allow them to analyze the content of network packets to help to identify malicious payloads or communication patterns associated with supply chain attacks.
A major problem here is that, while organizations are increasingly using encryption to protect their network traffic and online interactions, hoping that encryption brings benefits for their online privacy and cybersecurity, it also provides cybercriminals with a good opportunity to have a secure and encrypted connection into their infrastructure.
It is because DPI technology was not designed to analyze encrypted traffic and has become blind to inspecting encrypted packet payloads. This is a significant shortcoming for DPI, as most modern cyberattacks such as APT, ransomware and lateral movement rely heavily on encryption in their attack routine to receive attack instructions from remote command and control (C&C) servers scattered throughout cyberspace. As in a supply chain attack, the attackers may compromise a vendor or partner within an organization's supply chain, encrypted communication between the compromised entity and the target organization can go unnoticed by traditional DPI, making it difficult to detect malicious activities or data exfiltration. Another issue is that APTs often establish command and control servers for managing and orchestrating their activities. Encrypted communication between compromised systems and these C2 servers helps APTs maintain stealth. Without the ability to inspect encrypted payloads, DPI may miss critical indicators of compromise associated with such communication.
In addition to the lack of encryption capabilities, DPI requires a lot of computing power and time to thoroughly inspect the data section of packets. As a result, DPI cannot inspect all network packets in data-intensive networks, making it an infeasible solution for high-bandwidth networks.
Powerful detection, even for threats that span multiple data sources, or to automatically detect cyber threats such as advanced persistent threats (APT), ransomware, supply chain attacks or data leaks from exposed insecure systems works better with NDR with metadata analysis. Why? It’s developed to overcome the limitations of DPI!
By using metadata for network analysis, security teams can monitor all network communications running over physical, virtualized or cloud networks without examining the entire data section of each packet. As a result, metadata analysis is independent of encryption and can cope with ever-increasing network traffic. It provides security teams with real-time information about all network traffic and metadata analysis captures a variety of attributes about network communications, applications, and actors (e.g. user logins).
For example, a source/destination IP address, session length, protocol used (TCP, UDP) and type of services used are logged for each session traversing the network. Metadata can therefore capture all key attributes that help detect and prevent advanced cyberattacks:
- host and server IP address,
- port number,
- geographic location information,
- DNS and DHCP information that maps devices to IP addresses,
- websites that are accessed together with the URL and header information,
- assignment of users to systems using DC protocol data,
- encrypted websites - encryption type, encryption and hash,
- client/server FQDN,
- various object hashes such as JavaScript and images, and so on.
Implementing an NDR solution with metadata analysis provides security teams with comprehensive insights into network activity, regardless of encryption. This approach, complemented by system and application logs, helps identify vulnerabilities and enhances visibility, including shadow IT devices, often exploited by cybercriminals.
Unlike DPI-based NDR solutions, this approach offers holistic visibility, addressing blind spots effectively.
- A conclusive supply chain risk management strategy, implementing robust countermeasures and practices, including vetting and auditing third-party vendors. It is further important to maintain a comprehensive inventory of software and hardware components used in the organization's infrastructure. In case you haven’t heard of it yet, look at a software bill of materials and which of your (security) vendors provide those.
- It also matters to stay informed about the latest threats and vulnerabilities in the cybersecurity landscape and to participate in threat intelligence sharing communities to exchange information about potential supply chain risks.
- Identifying and documenting the supply network and the involved stakeholders, with a focus on pertinent dependencies and risks to establish transparency.
- Categorizing assets, including data, information, and IT systems shared with third parties, and establishing access protection protocols.
- Contractually specifying security requirements and reporting obligations for third parties, along with guidelines for contract allocation and termination procedures.
- Supervising supplier performance through routine security audits, including maturity assessments and threat analyses.
- Defining responsibilities for secure product/service operation throughout their life cycle, including post-service measures. Advanced NDR tools can be used to monitor and assess the security posture expanded to supply chain partners. By establishing a baseline of normal behavior for these partners, any deviations can be flagged as potential risks.
Companies based in Germany can access fundamental tips and maturity checklists for IT security through the German Federal Office for Information Security (BSI). Beyond complying with regulations like the KRITIS regulation or industry-specific requirements such as UNECE Regulation No. 155 in the automotive sector, German-based companies must promptly report all findings, available at the time of the incident detection, to the BSI in accordance with Section 8b (4) of the BSI Act. This reporting obligation applies to individual companies and extends across supply networks.
Recognizing the urgency and significance of the matter, governments, and authorities worldwide are actively contributing to the development of regulatory requirements and specifications, particularly concerning cybersecurity threats within supply chain networks.
For questions or more information, don’t hesitate to contact me!
How can you protect your network and detect supply chain attacks?
Watch our recorded demo of a cyber attack to see exactly how ExeonTrace works.
Author:
Philipp Lachberger
Head Information Security, Head Pre-Sales & Deployment
email:
philipp.lachberger@exeon.com
Share:
Published on:
20.02.2024