Supply chain attacks are malicious campaigns designed to damage an organization by targeting less-secure elements of their supply network. Advanced persistent threat (APT) groups have been successfully delivering exploitation and post exploitation payloads behind this attack vector for a number of years. This is evident in the very successful CCleaner Petya (MeDoc) campaigns of 2017, which affected millions of victims’ machines.
Below are some of the observed methods abused in order to implant malicious code in online software distributions that will end up in end user enterprises or home networks.
|Privileged user password reuse and failure to segregate duties|
|Compromise via third party applications|
|Orphaned and unsigned packages|
|Update infrastructure hijacking|
|Illicit use of stolen certificates|
|Violation of ‘honor system’ in repositories|
|Single point of storage/failure in repository architecture|
|Weak package signatures|
|Attack on software dependencies|
Figure 1. Supply chain attack vectors seen in online distributions
Supply chain attacks abuse the implicit trust between an organization, its privileged users, and the vendor vetting and update process. Compromising online software distribution in whatever form (i.e., package manager, updates, containers, code repositories, applications, etc.) often mitigates and sometimes effectively bypasses security controls of even well-hardened environments.
Under the cover of reputable and trusted software vendors, many enterprises have unknowingly given away access and privileges to malicious actors. The aforementioned CCleaner and Petya campaigns demonstrated this effective targeting, and this is reinforced by China’s long time use of supply chain attacks (e.g., the Schoolbell botnet delivering Kingslayer).
Open source environments and small companies seem particularly vulnerable to supply chain attacks due to reliance on peer trust and often immature security policies, procedures, or practices. This is part of the reason why the 2018 Verizon DBIR found that 58% of last year’s known victims were small businesses. Considering the prevalence of open source code (and dependencies), a large number of mainstream technologies and business applications are at an increased risk.
JASK Autonomous Security Operations Center Platform (ASOC)
While supply chain attacks can be exceedingly hard to detect, one potential discovery method is to evaluate the network and log environment for the presence of compromised or invalid code signing and SSL certificates. Current JASK ASOC visibility enrichment capabilities leverage existing customer VirusTotal api keys to identify malicious files with revoked certificates (‘tag:revoked-cert’).
Although perhaps less relevant to most supply chain attacks, ASOC also currently flags invalid and expired SSL certificates via established Signal logic. (ASOC’s threat intelligence integration can also be used to apply custom logic from open source projects such as the SSL Blacklist form abuse.ch).
The ASOC platform also currently parsers a number of different endpoint detection and response (EDR) capabilities (e.g. Carbon Black, Cylance, and Forticlient) and generates Signals and Insights based on the context of these logs. The context from the EDR logs and alerts is of critical importance to detection and mitigation of supply chain attacks (and generically most malware campaigns).
There are a number of approaches that organizations can apply in order to better secure their utilization of online software distributions and mitigate the potential of a successful supply chain attack. The following are some of them.
Supply chain attacks fundamentally abuse the trusted channels we (everyone one of us) have with the software providers (and the applications) that empower our daily business and personal activities. Given their low probability of detection, victims of these attacks are often unaware of compromise until secondary indicators are detected (i.e., C2, exfiltration, etc.).
And while supply chain attacks were once top tier APT tradecraft, these techniques have become increasingly common place in lower tier APT and even crimeware operations.
JASK is modernizing security operations to reduce organizational risk and improve human efficiency. Through technology consolidation, enhanced AI and machine learning, the JASK Autonomous Security Operations Center (ASOC) platform automates the correlation and analysis of threat alerts, helping SOC analysts focus on high-priority threats, streamline investigations and deliver faster response times.