
Lessons Learned from 2021 Software Supply Chain Attacks

The number and impact of last year's attacks highlight the fact that application security teams face a new challenge that will require innovative thinking.
Feb 24th, 2022 6:31am by

In 2021, the world woke up to a surge in an attack vector that had been a security risk for many years, one that the security community could no longer neglect: software supply chain attacks. Following the SolarWinds attack in late 2020, software companies of all sizes, across all industries, began facing an increased number of targeted and organized supply chain attacks. This enhanced threat resulted in significant system downtime, monetary loss and reputational damage to businesses worldwide.

When Did Random Attacks Become a Pattern?

Eran Orzel
Eran is chief customer and revenue officer and founding member of Argon Security, the leader in software supply chain security acquired by Aqua Security. Prior to joining Argon, he held several roles at Check Point Software Technologies, most recently as the global head of strategic sales and partnerships, where he led and played a significant role in the rapid growth of Check Point’s major business growth engines. Eran is an experienced and innovative business leader with over 20 years of experience in sales leadership and go-to-market operational roles in cybersecurity and enterprise software.

Throughout 2021, supply chain attacks were rapidly increasing in number and sophistication.

This represents a notable shift in attackers’ approach, now focusing their efforts on breaching software suppliers. This allows them to leverage paths that are implicitly trusted, yet less secure, and to establish a way to breach many victims with one attack, by proxy.

The high risk of software supply chains is, in part, attributed to the fact that a successful attack may affect a large number of companies that use the breached supplier’s software.

The SolarWinds attack is a good example of the potential damage of supply chain attacks. In this nation-state attack against the networking tools vendor SolarWinds, about 18,000 of its customers were exposed as a consequence of using SolarWinds’ breached software.

As many as 250 of these exposed organizations suffered targeted attacks, including governmental agencies, such as the U.S. Pentagon, and top enterprises, such as Microsoft and FireEye.

A Turning Point for Software Supply Chain Security

The SolarWinds attack is considered one of the largest and most sophisticated supply chain attacks to date and exemplifies the devastating potential of supply chain attacks. It directed attackers’ attention to the software supply chain’s comparatively low security status among organizations and was the trigger for a wave of supply chain attacks that followed. The SolarWinds attack received a lot of media coverage and inspired a global wave of security awareness and improvement initiatives focused on reducing the risk of supply chain attacks.

In February that year, Alex Birsan, an information security consultant and bug-bounty hacker, tested the exposure of enterprises to a supply chain attack technique that uses automated DevOps practices to compromise pipelines. This tactic, known as dependency confusion, results in malicious public libraries being incorporated into projects instead of the trusted private libraries of the same name. Birsan was able to hack into Apple, Microsoft and dozens of other top companies during this experiment, illustrating that even companies that highly prioritize security can fall victim to implicit shortcomings in the software supply chain.
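A defensive check for the dependency confusion pattern described above, as an added example that is not part of the original article: it audits an npm `package-lock.json` (lockfile version 2 or 3) and flags internally named packages that were resolved from anywhere other than the private registry. The registry host, the package names and scopes, and the lockfile contents are constructed assumptions.

```javascript
// Added example: detect dependency confusion in an npm lockfile.
// Every host, package name and version below is constructed for illustration.
const INTERNAL_REGISTRY_HOST = "npm.internal.example";            // assumption
const INTERNAL_NAMES = new Set(["acme-billing-core"]);            // assumption
const INTERNAL_SCOPES = new Set(["@acme"]);                       // assumption

// "node_modules/a/node_modules/@s/b" -> "@s/b"; the root entry "" -> null
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

function isInternal(name) {
  if (INTERNAL_NAMES.has(name)) return true;
  return name.startsWith("@") && INTERNAL_SCOPES.has(name.split("/")[0]);
}

// Returns one finding per internal package not fetched from the private registry.
function auditLockfile(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !isInternal(name)) continue;   // root project or public dependency
    if (entry.link) continue;                   // workspace symlink, nothing fetched
    let host = null;
    try { host = new URL(entry.resolved).host; } catch { /* missing or non-URL source */ }
    if (host !== INTERNAL_REGISTRY_HOST) {
      findings.push({ name, version: entry.version, resolvedHost: host });
    }
  }
  return findings;
}

// Constructed lockfile: one internal package was pulled from the public registry.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "shop-frontend", version: "1.0.0" },
    "node_modules/@acme/auth-client": { version: "2.3.1",
      resolved: "https://npm.internal.example/@acme/auth-client/-/auth-client-2.3.1.tgz" },
    "node_modules/acme-billing-core": { version: "99.0.0",
      resolved: "https://registry.npmjs.org/acme-billing-core/-/acme-billing-core-99.0.0.tgz" },
    "node_modules/left-pad": { version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
  },
};

console.log(auditLockfile(sampleLock));
```

Run as a CI gate, a non-empty result should fail the build before the install step executes any package code.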

SolarWinds was followed by a similar build-time code-manipulation attack in which attackers penetrated the Codecov product’s software supply chain, manipulating the build process to inject malicious code into its software and using the software update mechanism to distribute the malware to Codecov customers.

Not long after, on May 12, 2021, President Biden’s Executive Order on Improving the Nation’s Cybersecurity was released, emphasizing, for the first time, the need to enhance software supply chain security.

In July, the attack on Kaseya raised awareness of the immediate and downstream effects of supply chain attacks. In this attack, a managed service provider software was used to distribute the REvil ransomware to the managed service provider’s customers, causing significant downtime and revenue loss.

Visualizing where the biggest attacks compromise the software supply chain

Unfortunately, these examples are not isolated cases, and the number of supply chain attacks has since steadily increased with the most popular approach being software dependency poisoning. In November alone, we saw three attacks against popular npm packages (UA-Parser-JS, COA, and RC), each with millions of downloads per month. This malicious tactic has proven quite effective and further stresses the need for the security community to shift their attention to and address this highly damaging potential attack vector.

The past year’s final incident would come on December 9, when the Log4Shell vulnerability was discovered and forced software vendors into a patching frenzy. Shortly after the discovery, attackers started to exploit this popular package and take advantage of this vulnerability to launch their attacks.

Main Lesson Learned from 2021 Attacks Analysis

Examining the success rate and consequent damage of the many attacks in 2021, one of the most evident details is that current security tools and practices are not adequate for preventing supply chain attacks. Traditional application security testing cannot detect supply chain attacks, which often exploit trusted software artifacts rather than the vulnerabilities targeted by such tools.

Additionally, established CI/CD and DevOps pipelines rely on implicit permissions to enable rapid commits and deployment, implementing security controls at the end of this process — far too late to preclude malicious activity.

For organizations to stay secure, there is an increasing need for new protective methods and solutions that are built to address the unique characteristics of supply chain attacks.

Supply Chain Attack Vectors Still Waiting for a Solution

The number and impact of the past year’s attacks highlight the fact that application security teams face a new challenge that will require innovative thinking. Most AppSec teams lack the resources, budget and knowledge to sufficiently address the risk of supply chain attacks. This is further complicated by the need for cooperation from development and DevOps teams.

For more insights into software supply chain security trends, explore the full 2021 Software Supply Chain Security Report.

TNS owner Insight Partners is an investor in: Kaseya, Aqua Security.