Advancements in technology are making our world increasingly interconnected, allowing for improved productivity – but with this also comes an increased risk of cyberattacks. Nearly every company relies on the services of third-party suppliers, and a cyberattack on one supplier can have a devastating impact downstream. In fact, a recent study by BlackBerry revealed that 75% of software supply chains were exposed to attacks in 2023.
Polyfill, Snowflake, Sisense, Okta, JetBrains, Progress Software – these are just some of the companies implicated in recent high-profile supply chain attacks. Supply chain attacks are often the work of advanced persistent threat actors, typically state-backed, but are also routinely carried out by cybercriminals looking for a big payday.
Different types of supply chain attacks
Several types of supply chain attack exist. One is the third-party data breach, where an attacker exploits a vulnerability to gain access to a supplier’s systems and the data it holds on behalf of its clients. Another is the trojanised update, where attackers insert malicious code into a vendor’s legitimate software updates, or push trojanised versions of open-source packages through public repositories, in order to compromise every organisation that installs the affected software.
In some cases, supply chain attacks are primarily disruptive, and recent ransomware attacks are good examples of how an attack on one company can directly impact others. Victims of ransomware attacks typically need to shut down their IT systems following an attack, meaning any services provided by a supplier will also suffer downtime. This can leave the supplier’s clients unable to provide services to their own customers. Moreover, supply chain attacks typically result in the attackers gaining access to sensitive data held by the targeted supplier, meaning thousands, if not millions, of individuals may be impacted.
Supply chain attacks are always costly for the victim company in the first instance, once downtime, the money spent on securing systems, and any fines resulting from data breaches are taken into account. The wider implications should not be ignored either. Companies targeted in a supply chain attack also risk reputational damage and a loss of trust from the wider community. Moreover, a supply chain attack can have devastating consequences that may even impact the lives of individuals, as has been seen in attacks on suppliers to healthcare organisations, which have had to reschedule appointments or divert emergency care.
Exploitation of vulnerabilities to harm the supply chain
At the end of May 2023, Progress Software warned of the active exploitation of an SQL injection vulnerability, tracked as CVE-2023-34362, in its MOVEit Transfer software. By early June, the Clop ransomware gang claimed they were responsible for the zero-day exploitation, stating that they managed to steal data from hundreds of companies. Since then, about 2,500 companies and government agencies have disclosed being impacted – and affected entities are still coming forward to this day.
A more recent example is the exploitation of CVE-2023-42793 in JetBrains TeamCity software that came to light in December 2023. The activity was attributed to the Russian state-sponsored threat actor APT29, which was found to have exploited the flaw at scale since September 2023. A patch had been publicly released for the flaw around the same time, though only about 2% of TeamCity instances had been updated by December. At the time, cybersecurity authorities warned that APT29 installed a backdoor called GraphicalProton on compromised TeamCity servers and that, as build servers, they could be abused for further supply chain operations.
These are just some examples of how the exploitation of a security vulnerability in one piece of software can have a cascading effect on multiple companies. Vulnerability exploitation is becoming increasingly common: Verizon’s 2024 Data Breach Investigations Report found that 15% of data breaches involved a third party, including cases where the exploitation of a vulnerability in a supplier’s software counts as a supply chain factor. Patching remains fairly slow across organisations, leaving them susceptible to exploitation and putting any client data they hold at risk of compromise by a malicious actor.
Software supply chain attacks – Malicious backdoors posing as legitimate software updates
Supply chain attacks involving the trojanisation of software have been seen time and time again, and the technique is frequently used by nation-state threat actors as part of their espionage efforts. Perhaps the most devastating example is the SolarWinds Orion compromise by Russian state-backed hackers that came to light in December 2020. The trojanised Orion update had gone undetected for at least eight months and impacted about 200 organisations globally, in particular government organisations.
Another, more recent example is the software supply chain attack on 3CX, first revealed in March 2023. A digitally signed, trojanised version of the 3CX Voice over Internet Protocol (VoIP) desktop client was delivered to the company’s customers and used to install a backdoor and other malware. The attackers exploited a ten-year-old flaw in Windows signature validation, which allows data to be appended to a signed executable without invalidating its signature, so the tampered component still appeared legitimate. The attack has since been widely attributed to North Korean state-sponsored threat actors, in particular the Lazarus Group.
Fast forward to 2024 and we have already seen a number of similar incidents, though perhaps none as damaging as the SolarWinds hack. In March 2024, the Ukrainian Computer Emergency Response Team observed the Russia-linked Sandworm group attempting to disrupt around 20 critical infrastructure facilities in Ukraine, targeting information and communication systems at energy, water and heating suppliers in 10 regions of the country. In some cases, the attackers infiltrated the target network by poisoning the supply chain to deliver compromised or vulnerable software, or by abusing the software provider’s remote access to customer systems for maintenance and support.
One of the most prominent supply chain attacks in 2024 was the discovery of a backdoor in the widely used XZ Utils compression tool, which enabled remote code execution through the OpenSSH daemon on affected systems. What stands out in the case of XZ Utils is that the contributor using the name Jia Tan spent two years slowly building trust with the project’s developers in order to receive permission to make changes to the repository. Throughout those years, Jia Tan regularly contributed legitimate code, before introducing the backdoor in the 5.6.0 and 5.6.1 releases in early 2024. The malicious code never reached the stable releases of the major Linux distributions, though Red Hat and Debian confirmed at the time that it was present in some of their development and testing releases. While the backdoor was caught before it could have a global impact, it is a stark reminder of how easily the supply chain can be poisoned.
A more recent discovery of a software supply chain compromise impacted the Justice AV Solutions Viewer, used in 10,000 courtrooms across the world. Rapid7 researchers found that the installer on the company’s official website had been replaced with a trojanised version containing an executable associated with the GateDoor and RustDoor malware, which could allow the execution of unauthorised PowerShell commands and grant full control of an affected system. While software supply chain attacks are immensely difficult to prevent from an end-user perspective, it is nonetheless crucial for each organisation to verify the integrity and origin of updates (publisher signature, published hashes, expected download source) before executing a potentially malicious file.
The devastating consequences of ransomware attacks on supply chains
Supply chain attacks cannot be discussed without also mentioning ransomware as an attack vector. There have been multiple incidents of ransomware actors targeting companies that operate as suppliers to hundreds of other organisations across various industries, including the government and healthcare sectors. Ransomware attacks typically force victim organisations to take their IT services offline, and any downtime directly impacts the operations of their clients. In addition, as ransomware actors typically engage in double or even triple extortion – not only encrypting systems but also stealing data prior to encryption – any data a targeted company holds is likely to end up in the hands of the criminals. When the victim is a company that handles data on behalf of its clients, this can result in a large number of third-party data breaches.
In February 2024, the United States healthcare technology firm Change Healthcare was targeted by a ransomware attack claimed by the ALPHV gang. The attack resulted in widespread network disruptions affecting pharmacies across the country. Although Change Healthcare paid a hefty $22 million ransom, data stolen in the attack was later leaked by former affiliates of the ransomware gang. Change Healthcare’s parent company, UnitedHealth Group, confirmed that the attackers had exploited a critical vulnerability in Citrix NetScaler, tracked as CVE-2023-4966. The flaw, commonly known as CitrixBleed, had been widely exploited, especially by ransomware actors, since October 2023. It is yet another example of a known vulnerability being exploited for initial access and causing widespread supply chain disruption, despite patches being available at the time.
Unfortunately, the attack on Change Healthcare was not an isolated event. More recently, a June 2024 Qilin ransomware attack on the UK pathology provider Synnovis saw the personal information of patients of Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospital NHS Foundation Trust stolen and subsequently leaked online. Moreover, the attack directly impacted services provided by the NHS trusts, with routine healthcare procedures having to be cancelled or redirected to other providers. Blood transfusions were particularly affected, prompting NHS Blood and Transplant to issue an urgent appeal for universal blood donors, as the attack prevented hospitals from matching patients’ blood at the usual rate. As these examples have shown, a ransomware attack on one supplier can have a devastating impact on the operations of its clients, as well as compromise the sensitive data it holds. While most ransomware attacks primarily result in financial loss from such interruptions to services, they can also directly affect the health and safety of individuals.
Lessons learned
Considering the high frequency of supply chain attacks, and the grave consequences they have for business operations, organisations should stay up to date with the tactics and techniques employed by threat actors. Both nation-state actors and cybercriminals continuously adapt their methods to avoid detection, and vulnerability exploitation is currently a popular way for threat actors to carry out supply chain attacks. Though zero-day exploitation is tough to mitigate, in many cases compromises occur weeks, months or even years after patches or mitigations have been made available. Organisations should establish a mature patch prioritisation process to ensure that available mitigations are applied as soon as possible after a zero-day comes to light, giving precedence to internet-facing systems and to vulnerabilities known to be exploited.
Software supply chain attacks are much harder to prevent, as organisations would not generally have a reason to distrust an update provided by one of their trusted suppliers. However, keeping up with reports of trojanised software updates can greatly reduce the scope of the impact and prevent a company from becoming a victim itself. In addition, organisations should reserve the highest privileges for system changes for only the most essential staff, who should also be vigilant about vetting any software before execution. Ransomware supply chain attacks are similarly difficult for the clients of an impacted supplier to prevent. Fostering strong relationships with suppliers from the get-go is essential to minimising third-party risk, especially in terms of setting clear security expectations and obligations for both parties. As with the other types of supply chain attack, constant monitoring for potential security issues is also vital.
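The advice above, and in the section on trojanised updates, to vet software before executing it comes down to a concrete check: the update must be bound to a publisher key you already trust, and the bytes on disk must match what that publisher signed. The following Go program is an added example, not code from this article or from any vendor mentioned in it. It assumes a hypothetical release manifest (file name to SHA-256 digest) signed with an Ed25519 key whose public half was pinned when the software was first installed; real vendors publish equivalents such as SHA256SUMS files or signed release metadata. The sample release files are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps a release file name to the hex SHA-256 digest the vendor
// published for it. This manifest format is an assumption for the example.
type Manifest map[string]string

// BuildManifest hashes every file in a release (vendor side).
func BuildManifest(files map[string][]byte) Manifest {
	m := Manifest{}
	for name, data := range files {
		sum := sha256.Sum256(data)
		m[name] = hex.EncodeToString(sum[:])
	}
	return m
}

// Canonical renders the manifest in a fixed order so that the signer and
// the verifier hash identical bytes regardless of map iteration order.
func (m Manifest) Canonical() []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s  %s\n", m[n], n)
	}
	return []byte(b.String())
}

// SignManifest is the vendor side: an Ed25519 signature over the canonical
// manifest, produced with the vendor's (ideally offline) release key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Canonical())
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrNotInManifest  = errors.New("file is not listed in the signed manifest")
	ErrDigestMismatch = errors.New("file digest does not match the signed manifest")
)

// VerifyUpdate is the client side. It refuses the update unless (1) the
// manifest verifies under the key pinned at install time and (2) the
// downloaded file's whole-file digest matches the manifest entry. Hashing
// the entire file catches appended or injected bytes even when an embedded
// code-signing signature on the executable still appears valid.
func VerifyUpdate(pinnedPub ed25519.PublicKey, m Manifest, sig []byte, name string, contents []byte) error {
	if !ed25519.Verify(pinnedPub, m.Canonical(), sig) {
		return ErrBadSignature
	}
	want, ok := m[name]
	if !ok {
		return ErrNotInManifest
	}
	sum := sha256.Sum256(contents)
	if hex.EncodeToString(sum[:]) != want {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	// Vendor release key. In practice only the public half ships with the
	// installer; the private half never leaves the signing environment.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample release (not real software).
	release := map[string][]byte{
		"desktop-client-setup.exe": []byte("legitimate installer bytes"),
		"codec.dll":                []byte("legitimate codec bytes"),
	}
	manifest := BuildManifest(release)
	sig := SignManifest(priv, manifest)

	check := func(label, name string, data []byte) {
		fmt.Printf("%-22s %v\n", label+":", VerifyUpdate(pub, manifest, sig, name, data))
	}
	check("genuine installer", "desktop-client-setup.exe", release["desktop-client-setup.exe"])
	// The binary on the download server was swapped for a trojanised build.
	check("trojanised installer", "desktop-client-setup.exe", []byte("installer bytes + backdoor"))
	// A payload was appended to an otherwise legitimate component.
	padded := append([]byte(nil), release["codec.dll"]...)
	padded = append(padded, " + appended payload"...)
	check("padded DLL", "codec.dll", padded)
	// An extra file was dropped alongside the release that the vendor never listed.
	check("unlisted file", "loader.dll", []byte("anything"))
}
```

Only the first check passes; the other three return a distinct error, and an installer driven by this function would stop before executing anything. The point of the pinned key is that a signature made with any other key, including one the attacker obtained or minted, fails the first check, and the point of the whole-file digest is that the verifier does not depend on how the executable format's embedded signature is parsed.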
While this may seem rather daunting and time consuming, Silobreaker can help organisations in automating the monitoring of supply chain attacks. Our platform enables organisations to track suppliers critical to their operations and any major incidents that may disrupt their operations, as well as keep up to date with any vulnerabilities known to be exploited as part of a supply chain attack. To learn more about how Silobreaker can be leveraged to help keep your organisation safe from supply chain attacks please get in touch here.