The most famous supply chain attack of the last few years was the SolarWinds attack. That attack was a home run for the Russians. Other hackers (or maybe the same ones) thought that was a great attack vector. Now it seems to have become quite popular.
Then came DevOps tool provider Codecov. Hackers compromised Codecov and then stole the software that was inside their customers’ code repositories. Codecov offers software testing tools. The hackers found a weakness in its code upload process, which gave them access to any code that was uploaded. Sometimes developers are stupid and hard-code credentials into their code.
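The last point is the one a defender can act on before an upload tool is ever compromised: code that leaves your repository should not carry live credentials. The following is an added example, not Codecov's or any vendor's code, of a small pre-upload scanner in Go. The patterns (an AWS-style access key ID, PEM/PGP private key headers, and a generic `password=/secret=/token=` assignment) are an illustrative subset chosen for this example, and the source file it scans is constructed inline, so nothing in it is a real credential.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records one suspected hard-coded credential.
type Finding struct {
	Line int    // 1-based line number in the scanned text
	Rule string // name of the pattern that matched
}

// rule pairs a human-readable name with the regular expression that detects it.
type rule struct {
	name string
	re   *regexp.Regexp
}

// rules is a small, illustrative set of credential patterns (an assumption of
// this example, not a complete or authoritative list).
var rules = []rule{
	// AWS access key IDs are 20 characters starting with "AKIA".
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	// PEM-style private key headers, including the PGP armor variant.
	{"private-key-block", regexp.MustCompile(
		`-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----|-----BEGIN PGP PRIVATE KEY BLOCK-----`)},
	// A password/secret/token-like name assigned a quoted literal of 8+ chars.
	{"hard-coded-secret-assignment", regexp.MustCompile(
		`(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*["'][^"']{8,}["']`)},
}

// ScanSource returns every line of src that matches one of the rules,
// ordered by line number, then by rule order.
func ScanSource(src string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(src, "\n") {
		for _, r := range rules {
			if r.re.MatchString(line) {
				findings = append(findings, Finding{Line: i + 1, Rule: r.name})
			}
		}
	}
	return findings
}

// sampleSource is a constructed file for this example; the key ID is the
// documented AWS placeholder and the password is made up.
const sampleSource = `package config

// constructed sample file for the example: nothing here is a real credential
const dbPassword = "hunter2-but-longer"
var awsKey = "AKIAIOSFODNN7EXAMPLE"
var timeout = 30
// -----BEGIN PGP PRIVATE KEY BLOCK-----
`

func main() {
	for _, f := range ScanSource(sampleSource) {
		fmt.Printf("line %d: %s\n", f.Line, f.Rule)
	}
}
```

Run as a pre-commit or pre-upload hook, a non-empty result should fail the step; the point is that a secret never reaches the upload path, so a compromised uploader has nothing to harvest.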
HashiCorp is a client of Codecov. Some of HashiCorp’s clients used the compromised Codecov software. HashiCorp said that their private PGP (GPG) signing key was exposed. That means that the attackers, if they knew what they had, could have signed malware with HashiCorp’s key and presented it to their customers as legit.
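Why an exposed signing key is so serious is worth seeing in code: a signature proves only that whoever produced it held the private key, and once that key has leaked the consumer's verifier cannot tell the vendor's releases from anyone else's until the key is revoked. The following is an added example, not HashiCorp's or any project's code; it uses Ed25519 from Go's standard library in place of PGP, and the fingerprint convention, the `Verifier` type and the sample artifacts are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Verifier holds the release-signing keys a consumer trusts, keyed by
// fingerprint, plus the set it has since marked as compromised.
type Verifier struct {
	trusted map[string]ed25519.PublicKey
	revoked map[string]bool
}

// Fingerprint derives a stable identifier for a public key (SHA-256 of the
// raw key bytes, hex-encoded; a convention chosen for this example).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// NewVerifier builds a verifier that trusts the given keys.
func NewVerifier(keys ...ed25519.PublicKey) *Verifier {
	v := &Verifier{trusted: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
	for _, k := range keys {
		v.trusted[Fingerprint(k)] = k
	}
	return v
}

// Revoke marks a key as compromised; nothing it signed is accepted afterwards,
// regardless of when the signature was produced.
func (v *Verifier) Revoke(fp string) { v.revoked[fp] = true }

var (
	ErrUnknownKey   = errors.New("signing key is not in the trusted set")
	ErrRevokedKey   = errors.New("signing key has been revoked")
	ErrBadSignature = errors.New("signature does not verify")
)

// VerifyRelease accepts an artifact only if it carries a valid signature from
// a key that is both trusted and not revoked.
func (v *Verifier) VerifyRelease(artifact, sig []byte, fp string) error {
	pub, ok := v.trusted[fp]
	if !ok {
		return ErrUnknownKey
	}
	if v.revoked[fp] {
		return ErrRevokedKey
	}
	if !ed25519.Verify(pub, artifact, sig) {
		return ErrBadSignature
	}
	return nil
}

// ScenarioResult records the outcome of the three checks RunScenario performs.
type ScenarioResult struct {
	GenuineAccepted    bool // vendor's own release, before the leak is known
	ForgedAccepted     bool // a different payload signed with the same exposed key
	GenuineAfterRevoke bool // vendor's own release, after the key is revoked
}

// RunScenario walks through the situation described in the post with a
// freshly generated key pair standing in for a vendor's signing key.
func RunScenario() (ScenarioResult, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResult{}, err
	}
	v := NewVerifier(pub)
	fp := Fingerprint(pub)

	// Constructed sample artifacts; the bytes themselves do not matter.
	genuine := []byte("constructed sample: vendor release 1.0")
	genuineSig := ed25519.Sign(priv, genuine)

	// Whoever holds the private key produces signatures indistinguishable
	// from the vendor's; the verification math cannot tell them apart.
	forged := []byte("constructed sample: a different payload")
	forgedSig := ed25519.Sign(priv, forged)

	var r ScenarioResult
	r.GenuineAccepted = v.VerifyRelease(genuine, genuineSig, fp) == nil
	r.ForgedAccepted = v.VerifyRelease(forged, forgedSig, fp) == nil

	// The remedy once the key is known to be exposed: revoke it, then
	// re-sign releases with a new key that consumers add to their trusted set.
	v.Revoke(fp)
	r.GenuineAfterRevoke = v.VerifyRelease(genuine, genuineSig, fp) == nil
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The middle result is the whole lesson: the forged payload is accepted as readily as the genuine one. Detection of the leak and a published revocation are what close the window, which is why the page's "if they knew what they had" caveat matters so much and why consumers should pull revocation status from the vendor rather than trusting a key forever once imported.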
Codecov has (or had) 29,000 customers. HashiCorp was one of them. They dodged a bullet by detecting the compromise. What about the other 28,999 clients?
Next comes Australian password manager firm Click Studios, makers of Passwordstate. Their software update process was compromised, and a malware-laden update was live for 28 hours. The good news is that they detected it in a day. The bad news is that they are telling their customers to change all of the passwords they had stored in the software. Given that they also had 29,000 customers – unlike the big password manager firms, which have millions – it affected a small population. Finally, many of these password managers offer a feature that lets the software automatically reset all of your passwords, making things a little easier. For those of you who use password managers, two thoughts: first, use one of the big products – they have the money to implement better processes; second, even with the rare breaches of password manager software, and they are very rare, it is still better than what people do otherwise – pick password123 as their password for many sites.
These are just the supply chain attacks this month.
You have a lot of suppliers. Those suppliers have suppliers. You use cloud software like HashiCorp’s. They have suppliers too.
The matrix of all of your suppliers and their suppliers and so on is large. Very large.
That means you need to improve upon your plan because the attackers seem to have figured out a weak spot.
Note that they haven’t stopped doing everything they were doing before. Your attack surface just got larger.
Sorry to be the bearer of bad news.