Tag Archives: supply chain attacks

Supply Chain Attacks - It's the New Thing

The most famous supply chain attack of the last few years was the SolarWinds attack. That attack was a home run for the Russians. Other hackers (or maybe the same ones) thought that was a great attack vector. Now it seems to have become quite popular.

Then came DevOps tool provider Codecov. Hackers compromised Codecov and then stole software from its customers' code repositories. Codecov offers software testing tools. The hackers found a weakness in Codecov's code upload process, which gave them access to any code that was uploaded. Sometimes developers are stupid and hard-code credentials into their code, so stolen source can carry working secrets along with it.

HashiCorp is a client of Codecov. Some of HashiCorp’s clients used the compromised Codecov software. HashiCorp said that their private PGP (GPG) signing key was exposed. That means that the attackers, if they knew what they had, could have signed malware with HashiCorp’s key and presented it to their customers as legit.
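To make that consequence concrete, here is an added example (not HashiCorp's or Codecov's code, and not from the original post) of the check a buyer's release-verification step should perform: pin the vendor's signing key by fingerprint and refuse anything signed with a key the vendor has since declared exposed. It uses Ed25519 from Go's standard library as a stand-in for PGP, and every key and release byte string in it is constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// TrustStore: vendor keys the buyer has pinned (by fingerprint) and those since declared compromised.
type TrustStore struct {
	Keys    map[string]ed25519.PublicKey
	Revoked map[string]bool
}

// VerifyRelease accepts an artifact only if its signature checks out under a key that is
// pinned AND not revoked; a valid signature from a revoked key is still rejected.
func (ts *TrustStore) VerifyRelease(artifact, sig []byte, fp string) error {
	pub, ok := ts.Keys[fp]
	if !ok {
		return errors.New("signing key is not in the pinned trust store")
	}
	if ts.Revoked[fp] {
		return errors.New("signing key has been revoked; refusing release")
	}
	if !ed25519.Verify(pub, artifact, sig) {
		return errors.New("signature does not match artifact")
	}
	return nil
}

// Scenario, on constructed data: vendor signs a release, buyer verifies it, the key is
// revoked after the exposure is announced, and the same signature is checked again.
func Scenario() (beforeRevoke, afterRevoke error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader only fails on a broken OS RNG
	sum := sha256.Sum256(pub)                          // the fingerprint a buyer pins is derived from the key bytes
	fp := hex.EncodeToString(sum[:])
	ts := &TrustStore{Keys: map[string]ed25519.PublicKey{fp: pub}, Revoked: map[string]bool{}}
	release := []byte("constructed release archive bytes")
	sig := ed25519.Sign(priv, release)
	beforeRevoke = ts.VerifyRelease(release, sig, fp)
	ts.Revoked[fp] = true // the vendor announces the key was exposed
	afterRevoke = ts.VerifyRelease(release, sig, fp)
	return beforeRevoke, afterRevoke
}

func main() { fmt.Println(Scenario()) }
```

The second result is the point: the signature is still mathematically valid, so only the revocation record stops a release signed with the stolen key.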

Codecov has (or had) 29,000 customers. HashiCorp was one of them. HashiCorp dodged a bullet by detecting the compromise. What about the other 28,999 clients?

Next comes Australian password manager firm Click Studios, makers of Passwordstate. Their software update process was compromised and a malware-laden update was live for 28 hours. The good news is that they detected it within a day. The bad news is that they are telling their customers to change all of the passwords they had stored in the software. Given that they also had 29,000 customers – unlike the big password manager firms, which have millions of customers – it affected a small population, and many password managers offer a feature that lets the software automatically reset all of your passwords, which makes things a little easier. For those of you who use password managers, two thoughts: first, use one of the big products, since they have the money to implement better processes; second, even with the rare breaches of password manager software, and they are very rare, it is still better than what people do otherwise, which is to pick password123 as their password for many sites.

These are just the supply chain attacks this month.

You have a lot of suppliers. Those suppliers have suppliers. You use cloud software like HashiCorp. They have suppliers too.

The matrix of all of your suppliers and their suppliers and so on is large. Very large.

That means you need to improve upon your plan because the attackers seem to have figured out a weak spot.

Note that they haven’t stopped doing everything they were doing before. Your attack surface just got larger.

Sorry to be the bearer of bad news.

I Can’t Seem to Get Away from Supply Chain Attacks

Supply chain attacks are attacks on the software (and hardware) that goes into the software (and hardware) that you buy. We keep seeing attacks that compromise that underlying software. Earlier this year, it was Ripple20 that affected millions of IoT devices. Many of those devices will likely never be patched and will be vulnerable forever. In part, that is because the products into which the Ripple20-affected software is integrated are no longer supported.

This week it is a series of Thales products that were discovered to be buggy. The bugs were found by IBM's X-Force security team and disclosed to Thales. While Thales has released patches for these bugs, now begins the long hard slog to get vendors who used the Thales software and hardware to release patches of their own. The bugs were actually discovered a year ago. Of course no one knows if or when these bugs were discovered by hackers.

The hardware involved is a series of small computer circuit boards that are integrated into many IoT devices to support communications functions.

In this case, the boards store sensitive information like passwords and encryption keys.

Concerns include the possibility that these devices are used inside of medical equipment and if hacked, could possibly kill patients.

Another potential attack is against connected devices that manage the electric grid. Attackers could accidentally or intentionally take the electric grid down.

It's even possible that hackers could compromise VPN concentrators, stealing encryption keys, certificates and other confidential information.

These are just two examples of supply chain problems.

What needs to happen now is for buyers to understand these issues and demand that vendors have a strong supply chain security program. Part of this is to create and provide buyers with software bills of materials (SBOMs).

In this case, the healthcare industry is concerned that connected medical devices, many of which are old and no longer supported, may be affected. In the case of healthcare devices, they also have the challenge of getting FDA approval to patch the devices.

While this article focuses on medical devices, the problem runs across all industries and all electronic devices.

Until buyers start demanding that sellers fix these problems it is unlikely to get any better. Credit: Health IT Security

FBI Warns About Software Supply Chain Attacks Going On Now

While I have reported about software supply chain attacks in the past, they have all been one-off and in some cases highly targeted attacks.

The FBI has issued a warning about ongoing, large scale, software supply chain attacks. The attackers are using the Kwampirs malware to install a Remote Access Trojan or RAT.

The FBI says that the attacks are targeting the victim’s strategic partners and customers (AKA you).

But since just attacking your suppliers is not enough, they are also directly attacking companies in the healthcare, energy and financial sectors.

Symantec reported attacks using Kwampirs in 2018 by a group they called Orangeworm.

Symantec also said that Orangeworm had been around since 2015 targeting mostly healthcare, but they said the group had secondary targets including IT, manufacturing, logistics and agriculture.

Lab52 confirmed Symantec’s finding last year.

The FBI issued this alert after all this time because the malware seems to have evolved and is now attacking industrial control systems, especially in the energy sector. That would likely include electric, natural gas, water and wastewater.

While Kwampirs does not, at the moment, seem to wipe systems it invades, it shares a lot of similarities with the Shamoon malware which did wipe infected systems.

Indicators of compromise are available for organizations that have detection systems that can use them.

Source: ZDNet