The ENISA report maps and studies the supply chain attacks discovered from January 2020 to early July 2021. Based on the trends and patterns observed, software supply chain attacks increased in number and sophistication in 2020, and this trend has continued in 2021, posing an increasing risk for organizations. The prediction that there would be four times more supply chain attacks in 2021 than in 2020 has, more or less, come true. With half of the attacks attributed to Advanced Persistent Threat (APT) actors, whose complexity and resources greatly exceed those of the more common non-targeted attacks, there is an increasing need for new protective methods that incorporate suppliers in order to guarantee that organizations remain secure.

Who is ENISA?

The European Union Agency for Cybersecurity, ENISA, is the Union’s agency dedicated to achieving a high common level of cybersecurity across Europe. Established in 2004 and strengthened by the EU Cybersecurity Act, the European Union Agency for Cybersecurity contributes to EU cyber policy, enhances the trustworthiness of ICT products, services, and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow.

The main highlights of the report include the following:

  • The report describes a taxonomy for classifying supply chain attacks, so that they can be analyzed systematically and the way they manifest understood.
  • 24 supply chain attacks were reported from January 2020 to early July 2021, and have been studied in this report.
  • Around 50% of the attacks were attributed to well-known APT groups by the security community.
  • Around 42% of the analyzed attacks have not yet been attributed to a particular group.
  • Around 62% of the attacks on customers took advantage of their trust in their supplier.
  • In 62% of the cases, malware was the attack technique employed.
  • When considering targeted assets, in 66% of the incidents attackers focused on the suppliers’ code in order to further compromise targeted customers.
  • Around 58% of the supply chain attacks aimed at gaining access to data (predominantly customer data, including personal data and intellectual property) and around 16% at gaining access to people.
  • Not all attacks should be denoted as supply chain attacks, but due to their nature many of them are potential vectors for new supply chain attacks in the future.
  • Organizations need to update their cybersecurity methodology with supply chain attacks in mind and to incorporate all their suppliers in their protection and security verification.

There are four key elements in a supply chain:

  • Supplier: is an entity that supplies a product or service to another entity.
  • Supplier Assets: are valuable elements used by the supplier to produce the product or service.
  • Customer: is the entity that consumes the product or service produced by the supplier.
  • Customer Assets: are valuable elements owned by the target.

Figures (captions only): Taxonomy of Software Supply Chain Attacks; Attack Techniques for Software Supply Chain Attacks; Customer Assets being targeted by Software Supply Chain Attacks; CodeCov Attack Via The Software Supply Chain.

It can be observed that a supply chain attack is usually composed of an attack on one or more suppliers and then a later attack on the final target, namely the customer. Each of these attacks may resemble very closely the lifecycle of APT attacks.

These distinctions are crucial: an organization can be vulnerable to a supply chain attack even when its own defenses are quite good, which is why attackers look for new highways to infiltrate it by moving to its suppliers and making targets of them. Moreover, the potential impact of supply chain attacks affecting numerous customers of the same supplier is probably immense. This is yet another reason why these types of attacks are becoming increasingly common, as they provide adversaries with a means to potentially boost their reputations, as well as possibly make large financial gains.

An additional characteristic of supply chain attacks is the complexity of handling them and the effort required to mitigate and address them. The mere fact that at least two organizational entities are affected, and that sophisticated attack vectors are most likely in use, complicates the handling of an incident, forensic analysis, and overall incident management. The fact that the supplier-consumer relationship is continuously evolving, and that both suppliers and customers are constantly updating their systems, introduces the need for continuous security of the supply chain and active risk assessment and management.

The lifecycle of a supply chain attack has two main parts, the attack on the supplier and the attack on the customer. Each of these attacks is usually complex, requiring an attack vector, a plan of action, and careful execution. These attacks may take months to succeed and, in many cases, may go undetected for a long time. The lifecycle of a supply chain attack can be seen in Figure 2.

The SolarWinds Breakdown

SolarWinds is a company that supplies management and monitoring software. Orion is SolarWinds’ network management system (NMS) product. In December 2020 it was discovered that Orion had been compromised. An extensive investigation showed that attackers gained access to the SolarWinds network, possibly through exploiting a zero-day vulnerability in a third-party application or device, a brute-force attack, or through social engineering. Once compromised, the attackers collected information for an extended period of time. The malicious software was injected into Orion during the build process. The compromised software was then downloaded directly by the customers and was used to gather and steal information. The attack was attributed to the APT29 group.

The Kaseya Breakdown

Kaseya is a software service provider specializing in remote monitoring and management tools. It offers VSA (Virtual System/Server Administrator) software for its clients to download, and also to use through its own cloud servers. MSPs (Managed Service Providers) can use the VSA software on-premises or they can license Kaseya’s VSA cloud servers. MSPs in turn offer various IT services to other clients. In July 2021, attackers exploited a zero-day vulnerability in Kaseya’s own systems (CVE-2021-30116) that enabled them to remotely execute commands on the VSA appliances of Kaseya’s customers. Kaseya can send out remote updates to all VSA servers and, on Friday, July 2, 2021, an update was distributed to Kaseya clients’ VSA that executed code from the attackers. This malicious code in turn deployed ransomware to the customers being managed by that VSA.

Figure (caption only): The Kaseya Attack.

Supply chain attacks leverage the interconnectedness of the global markets. When multiple customers rely on the same supplier, the consequences of a cyber-attack against this supplier are amplified, potentially resulting in a large-scale national or even cross-border impact. For some products, such as software and executable code, the existence of a supply chain is opaque or even completely hidden to the end user. End-user software depends, directly or indirectly, on software provided by the supplier. Such dependencies include packages, libraries, and modules — all of which are used pervasively to lower development costs and accelerate shipping times.

The better protected against cyber-attacks organizations become, the more the attention shifts to suppliers. The math is simple: suppliers are becoming the weakest link in the supply chain. At the same time, customers demand products that are more cyber-secure but that remain low-cost, two needs that cannot always be reconciled.

As observed in numerous supply chain incidents, organizations are becoming increasingly aware of the need to assess the cybersecurity maturity of their suppliers and their level of exposure to the risk arising from the customer-supplier relationship. Customers need to assess and take into account the overall quality of the products and cybersecurity practices of their suppliers, including whether they apply secure development procedures. Moreover, customers should exercise increased due diligence in selecting and vetting their suppliers, and in managing the risk that stems from these relationships.

To manage supply chain cybersecurity risk, customers should:

  • identify and document types of suppliers and service providers,
  • define risk criteria for different types of suppliers and services (e.g. important supplier and customer dependencies, critical software dependencies, single points of failure),
  • assess supply chain risks according to their own business continuity impact assessments and requirements,
  • define measures for risk treatment based on good practices,
  • monitor supply chain risks and threats, based on internal and external sources of information and on findings from suppliers’ performance monitoring and reviews,
  • make their personnel aware of the risk.

To manage the relationship with suppliers, customers should:

  • manage suppliers over the whole lifecycle of a product or service, including procedures to handle end-of-life products or components,
  • classify assets and information that are shared with or accessible to suppliers, and define relevant procedures for their access and handling,
  • define obligations of suppliers for the protection of the organization’s assets, for the sharing of information, for audit rights, for business continuity, for personnel screening, and for the handling of incidents in terms of responsibilities, notification obligations and procedures,
  • define security requirements for the products and services acquired,
  • include all these obligations and requirements in contracts; agree on rules for sub-contracting and potential cascading requirements,
  • monitor service performance and perform routine security audits to verify adherence to cybersecurity requirements in agreements; this includes the handling of incidents, vulnerabilities, patches, security requirements, etc.,
  • receive assurance of suppliers and service providers that no hidden features or backdoors are knowingly included, ensure regulatory and legal requirements are considered,
  • define processes to manage changes in supplier agreements, e.g. changes in tools, technologies, etc.

On the other hand, suppliers should ensure the secure development of products and services, consistent with commonly accepted security practices. Suppliers should:

  • ensure that the infrastructure used to design, develop, manufacture, and deliver products, components and services follows cybersecurity practices,
  • implement a product development, maintenance and support process that is consistent with commonly accepted product development processes,
  • implement a secure engineering process that is consistent with commonly accepted security practices,
  • consider the applicability of technical requirements based on product category and risks,
  • offer Conformance Statements to customers for known standards, such as ISO/IEC 27001, IEC 62443-4-1, IEC 62443-4-2 (or specific ones such as the CSA Cloud Controls Matrix (CCM) for cloud services), and ensure and attest to, to the extent possible, the integrity and origin of open source software used within any portion of a product,
  • define quality objectives such as the number of defects or externally identified vulnerabilities or externally reported security issues, and use them as an instrument to improve overall quality,
  • maintain accurate and up-to-date data on the origin of software code or components, and on controls applied to internal and third-party software components, tools, and services present in software development processes,
  • perform regular audits to ensure that the above measures are met.

Moreover, as any product or service is built from or based on components and software that are subject to vulnerabilities, suppliers should implement good practices for vulnerability management, such as:

  • the monitoring of security vulnerabilities reported by internal and external sources, including those in third-party components used,
  • the risk analysis of vulnerabilities by using a vulnerability scoring system (e.g. CVSS),
  • maintenance policies for the treatment of identified vulnerabilities depending on the risk,
  • processes to inform customers,
  • patch verification and testing to ensure that operational, safety, legal, and cybersecurity requirements are met and that the patch is compatible with non-built-in third-party components,
  • processes for secure patch delivery and documentation concerning patches to customers, or
  • participating in a vulnerability disclosure program that includes a reporting and disclosure process.

Vulnerabilities should be managed by suppliers in the form of patches. Likewise, a customer should monitor the market for potential vulnerabilities or receive the respective vulnerability notifications from their suppliers.

Some good practices for patch management include:

  • maintaining an inventory of assets that includes patch-relevant information,
  • using information resources to identify relevant technical vulnerabilities,
  • evaluating the risks of identified vulnerabilities and having a documented and implemented maintenance policy available,
  • receiving patches only from legitimate sources and testing them before they are installed,
  • applying alternative measures should a patch not be available or applicable,
  • applying rollback procedures and effective back-up & restore processes.
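As an added illustration of "receiving patches only from legitimate sources" and "secure patch delivery" (example code written for this summary, not from the ENISA report or from Riscosity), the following Go program shows the customer side pinning a supplier's Ed25519 release key and refusing any update whose signed manifest or bundle hash does not check out. The key pair, the two-line manifest format, the `publish`/`verifyUpdate` functions and the bundle contents are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the supplier's signed statement of what the update must hash to.
// Signing the manifest (not the bundle) separates "who published this" from
// "is this byte-for-byte what was published".
type Manifest struct {
	Name   string
	SHA256 string
}

func (m Manifest) bytes() []byte { return []byte(m.Name + "\n" + m.SHA256 + "\n") }

// publish (supplier side): hash the bundle and sign the manifest with the release key.
func publish(priv ed25519.PrivateKey, name string, bundle []byte) (Manifest, []byte) {
	sum := sha256.Sum256(bundle)
	m := Manifest{Name: name, SHA256: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, m.bytes())
}

// verifyUpdate (customer side): apply only if the manifest is signed by the pinned
// supplier key AND the bundle matches the manifest hash; either failure halts rollout.
func verifyUpdate(pub ed25519.PublicKey, m Manifest, sig, bundle []byte) error {
	if !ed25519.Verify(pub, m.bytes(), sig) {
		return errors.New("manifest signature invalid: not signed by the pinned supplier key")
	}
	sum := sha256.Sum256(bundle)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("bundle hash mismatch: artifact differs from what the supplier signed")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed sample key pair
	bundle := []byte("agent-update-1.2.3 (constructed sample bundle)")
	m, sig := publish(priv, "agent-update-1.2.3.bin", bundle)
	fmt.Println("genuine update:", verifyUpdate(pub, m, sig, bundle))
	// Swapped in transit: signature still valid, hash no longer matches.
	tampered := append([]byte(nil), bundle...)
	tampered[0] ^= 0xff
	fmt.Println("tampered bundle:", verifyUpdate(pub, m, sig, tampered))
}
```

This check protects the delivery channel only: an attacker who, as in the SolarWinds case, injects code before the supplier's own build and signing step produces an update that passes it, which is why the supplier-side build-integrity practices listed above are needed as well.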

For more information on how your organization can implement these standards in place please feel free to contact us at Riscosity, +1-888-RISCOSI, or book a free demo with us.