Top 10 Supply Chain Attacks that Shook the World

The surge in supply chain attacks is not hypothetical; alarming statistics support this new amount of attacks. Relying on open-source components and third-party software, while crucial for reduced development times and operational agility, introduces significant risks.

Due to this dependency on external code, on different applications, and by multiple organizations, an attack on a base library can quickly escalate into thousands of vulnerable software stacks. 

Supply chain attacks can be considered a sophisticated form of cyber threat. They target the intricate network of relationships between an organization and its vendors, suppliers, and third-party service providers. Due to the interconnected digital supply chains, which often span multiple organizations, geographies, and systems, these attacks exploit loopholes. 

The Attacks

Attack techniques have largely diversified, with typosquatting, dependency confusion, protestware, and malicious code injection introducing new challenges and considerations for cybersecurity specialists. Here, we will explore the latest supply chain attacks that had massive ramifications. 

1. Discord Bot Platform Attack (March 2024)

   The Top.gg bot community of Discord, with over 170,000 members, has been impacted by a supply chain attack aimed at infecting developers with malware that steals sensitive information. Over the years, the threat actor has used several tactics, procedures, and techniques, including hijacking GitHub accounts, distributing malicious Python packages, using a fake Python infrastructure, and social engineering. Top.gg was infected by an information-stealing malware after downloading a malicious clone of a tool known as Colorama.

2. Okta Supply Chain Attack (October 2023)

   Okta, an authentication and identity management service provider, reported in October 2023 that threat actors could access private consumer data by obtaining credentials to its customer support management system. In recent support cases, the attackers could view files uploaded by specific customers.

3. JetBrains Supply Chain Attack (September/October 2023)

   In December, government officials warned that the Solarwind attackers were exploiting a critical vulnerability in JetBrains TeamCity servers. The critical authentication bypass vulnerability raised attention due to its potential impact and high severity.

   Unauthenticated intruders with HTTP(S) access can exploit this flaw to gain administrative control of affected servers and execute remote code, presenting a potential vector for supply chain attacks. This attack was carried out by a Russian threat actor named Cozy Bear, who is linked to the Russian Foreign Intelligence Service (SVR RF).

   In the attack, threat actors gained admin access to the server and employed remote code execution. No user interaction was needed while many large software organizations were using TeamCity servers for their CI/CD, with over 3,000 directly exposed.

4. MOVEit Supply Chain Attack (June 2023)

   In June, the MOVEit supply chain attack was executed, targeting users of the MOVEit Transfer tool, owned by the US organization Progress Software. MOVEit is designed to transfer sensitive files in a secure manner, and it is popular in the US. The ransomware group Cl0p has been associated with the attack.

   The attackers used EWIs (Exposed Web Interfaces) to cause significant damage. The web-facing MOVEit app was infected with a web shell called LEMURLOOT, which was then used to steal data from MOVEit transfer databases.

5. 3CX Supply Chain Attack (March 2023)

   n March, the 3CX attack targeted macOS and Windows Desktop applications, raising concern about the security and integrity of the software’s supply chain. The cyber criminals compromised the application using an infected library file, which subsequently downloaded an encrypted file containing command-and-control information. This enabled the attackers to execute malicious activities within the victim’s environment.

6. Microsoft Supply Chain Attack (February 2023)

   In February 2023, a software supply chain attack also affected Microsoft. The attack exploited a vulnerability in the Jfrog Artifactory, a binary repository manager that Microsoft uses to distribute and store its software components.

   The attackers accessed Jfrog Artifactory and injected malicious code into some of Microsoft’s software components, allowing them to access Microsoft’s network while stealing source code and other confidential information.

7. Norton Supply Chain Attack (May 2023)

   Norton’s most notable software is its antivirus, which is widely used. They were also attacked in May 2023. The attack used a zero-day vulnerability in MOVEit transfer, an MFT(Managed File Transfer) software that Norton’s parent company utilizes to transfer files between consumers and offices. The attackers accessed Norton’s network and stole employees’ personal information and specific details. The attackers also threatened to release the stolen data if Norton didn’t pay a ransom.

8. Airbus Supply Chain Attack (January 2023)

   Airbus was also attacked in January 2023 by a threat actor known as USDoD. The organization confirmed that the attack had been carried out through a compromised employee account at Turkish Airlines, one of Airbus’s consumers. The threat actor could access the employee’s account and gain access to Airbus’s systems.

   The data breached included personal information associated with over 3000 Airbus vendors, such as Rockwell Collins and the Thales Group. The data dump included names, phone numbers, and email addresses.

9. SolarWinds (Late 2020)

   In late 2020, SolarWinds provided software that contained malware that was intended together with sensitive information wherever it was installed. Customers had complete confidence in the signed software they received, and they believed that it was free of malicious code and viruses as it had not been modified since SolarWinds signed, built, and delivered it to them.

   However, attackers placed the Sunspot malware into the Orion IT monitoring system and management software utilized by SolarWinds. SolarWinds digitally signed the resultant, which was then utilized to infiltrate over 18,000 private commercial consumers and the government.

   The malware gathered information from the infected networks and sent data to a remote server. Cozy Bear was again responsible for this attack, which is connected to the Russian Foreign Intelligence Service (SVR).

10. ShadowHammer/ASUS (2019)

    In 2019, Taiwanese computer manufacturers fell victim to attackers who found critical code signing keys on their web update server. The intruders added malware to legitimate ASUS updates, signed with ASUS’s code signing keys, infecting 1 million ASUS computers.

    The ShadowHammer attacks happened over a period of 6 months. They impacted ASUS notebook customers who enabled the Live Update feature, a utility that automatically searches for and installs new firmware and software updates from ASUS.

Recent Trends in Code Signing Attacks 

Code signing or supply chain attacks have recently witnessed notable trends as attackers continually evolve their tactics. Understanding these trends can enable organizations to stay vigilant and implement effective security measures.

• Supply Chain Poisoning

  Cybercriminals have increasingly targeted the software supply chain by injecting malicious codes into legitimate software packages during the distribution or build. This poisoning technique allows them to bypass conventional security courses and distribute compromised software to users.

• Certificate Abuse and Forgery

  Attackers have exploited vulnerabilities in the certificate infrastructure to forge and abuse code-signing certificates. They either steal legitimate certificates from developers or are responsible for creating fraudulent certificates that appear authentic. These tactics enable them to sign malicious software and deceive users into believing it is from an authentic source.

• Targeted Attacks on High-Value Software

  Cybercriminals have shifted their focus towards high-value software targets, such as widely used Oss, critical infrastructure software, or enterprise applications. Compromising the code signing procedure for such software can have ramifications, allowing intruders to infiltrate numerous organizations and cause significant damage.

Financial and Recovery Time Implications of Supply Chain Attacks 

While the total costs of these data breaches are hard to pinpoint, we certainly know that data breaches are costly. These supply chain attacks and corresponding data breaches cost 4.45 million USD. However, we have seen recent breaches with estimated costs, which may tilt that scale in the future. 

The direct costs of data breaches include remediation efforts and investigations, regulatory fines, litigation, forensic audits, bank reimbursement demands, legal settlements, customer service costs, and damage control measures. 

Lengthy recovery times also impact the total cost of a data breach. A major healthcare provider can certainly feel this pain as their data breach’s recovery time lingers. The cost of catching up would continue to grow in the aftermath of the data breach. That is the reason why it is crucial to only allow the execution of approved code across your organization. 

How can Code-Signing be Leveraged to Protect Organizations from These Threats? 

1. Origin Verification

   Origin verification in codesigning can be considered a security measure that ensures the code originates from an authentic source before it is signed and distributed. It comprises details regarding the source repository and its validating components, such as build information, commit, and branch.

   This procedure helps reduce the risks of unauthorized access to malicious codes or code modifications. This is responsible for offering an extra layer of security and trust in the software distribution and development process.

   This feature is designed to be used in environments that require high security and need to maintain compliance standards, ensuring safety for both end-users and developers.

2. Reproducible Build

   Reproducible builds, a fundamental concept in modern software development, ensure application builds’ security, consistency, and reliability. With reproducible builds, any attempt to modify the application’s code can easily be detected, providing robust protection against malicious attacks while ensuring the integrity of the app development solution.

3. Build Verification

   Build verification tests (BVT) run on every new build to check its stability and readiness for further testing. It consists of test cases that validate the software build’s core features. Any build that fails BVT is rejected and returned to the developers for resolution.

   BVT enables the mitigation of risks associated with the behavior of the system. It identifies potential risks such as data loss, security vulnerabilities, or incorrect functionality by addressing and validating the expected behavior before the system gets deployed to production.

Why Trust CodeSign Secure to Avoid These Attacks? 

There are several reasons why you should opt for CodeSign Secure for performing your codesigning operations:

• CodeSign Secure helps consumers stay ahead of the curve by providing a secure codesigning solution with tamper-proof key storage, complete control, and visibility into codesigning activities.
• The private keys of the codesigning certificate can be stored in an HSM, eliminating the risk of corrupted, misused, or stolen keys. 
• Client-side hashing ensures build performance while avoiding unnecessary movement of files, providing greater security. 
• It also provides seamless authentication via client-side hashing, device authentication, multi-factor authentication, multi-tier approver workflows, and more. 
• Support for InfoSec policies to improve solution adoption while enabling different business teams to have their own workflow for codesigning. 
• It is also embedded with a state-of-the-art client-side hash signing mechanism, resulting in less data traveling over the network. This makes it a highly efficient codesigning system for the complex cryptographic operations occurring in the HSM. 

Conclusion 

As we have explored the ten most impactful supply chain attacks that reverberated worldwide, it is quite clear that the scale and sophistication of these cyber threats are escalating. These incidents mentioned in the blog underscore the vulnerabilities that organizations may face in securing their assets, ranging from injecting malicious codes to exploiting certificate infrastructures.

The response to this growing threat lies in practicing safer codesigning practices and fostering a deeper comprehension of the risks associated with software development and distribution. CodeSign Secure works for you by enhancing your codesigning security posture while maintaining trust, integrity, and security in this evolving digital landscape.