Supply chain attacks are a growing threat to every online organization and individual. Their return on investment is glittering motivation for any aspiring cybercriminal: with just one successful attack against a widely used vendor, the private data of thousands of downstream customers can be accessed, ransomed, and sold. Today’s attack surface keeps widening thanks to the increasing reliance on microservices and third-party cloud-based applications and APIs. High-quality cloud application security is now a necessity.
The Rise of the Supply Chain Attack
Kaseya provides IT solutions that streamline asset and service desk management. In July 2021, its VSA product, used by Managed Service Providers (MSPs) to monitor and administer IT services for their customers, was targeted by the REvil ransomware group. The attackers exploited CVE-2021-30116, an authentication bypass in the web interface of on-premises VSA servers. Once inside a VSA server, they abused the product’s own agent-update mechanism, the very channel MSPs rely on to push software to the endpoints they manage, to deliver a malicious “hot-fix” that gave them a foothold on each of that MSP’s customers.
Once an MSP’s VSA server had been compromised, the clock was already ticking: REvil used this supply-chain backdoor to detonate ransomware across the MSP’s customer base. The ripple effect was staggering: initially only around 30 MSPs were breached this way, yet from those the downstream ransomware infections ballooned to over 1,000 businesses. REvil’s ‘Happy Blog’ leak site claimed more than one million infected systems from this attack path, a figure far above Kaseya’s own estimates.
When supply chain attacks are mentioned, however, it’s rarely the Kaseya attack that first comes to mind; that honor goes to the 2020 SolarWinds attack. SolarWinds is a global network management software provider boasting over 300,000 customers, including the Department of Defense and 425 of the Fortune 500.
The attackers reached SolarWinds customers through a route similar to Kaseya’s: a trusted software delivery channel. In this case the malware, later named SUNBURST, shipped inside a legitimate update of the Orion platform served from SolarWinds’ own servers, and it carried a valid SolarWinds code-signing signature. SolarWinds later confirmed that its build environment had been compromised: the backdoor was injected into the source during compilation, so the signed artifact was genuinely built and signed by SolarWinds. The damage is widely regarded as among the worst of any cyberattack this century.
Of the up to 18,000 customers who installed the trojanized update, the attackers rifled through their footholds and homed in on the specific victims worth pursuing. When suitable candidates were identified, further payloads were dropped on software firms, IT service companies, and equipment providers. US government targets included finance, national security, health, and telecommunications agencies. Highly confidential information was siphoned out of otherwise well-protected networks: a suite of anti-detection capabilities meant the backdoor, distributed from March 2020, went unnoticed until December 2020, roughly nine months.
Cloud Applications: Part of the Problem
The cloud drives speed, scalability, and agility. The same infrastructure that has revolutionized the technical landscape, and continues to help millions of businesses optimize their operational costs and streamline their data-driven decision-making, comes with often-overlooked security considerations. What was once a tightly controlled on-premises environment is now scattered across a number of cloud providers. Although the cloud is no doubt more cost effective, many businesses make the mistake of offloading all security concerns onto their provider. Under every major provider’s shared-responsibility model the provider secures the underlying platform while the customer remains responsible for identity, data, and configuration; offloading everything greatly underestimates the importance of sound configuration. Without airtight security controls, businesses unwittingly expose themselves to attackers. In many cases a single misconfiguration is enough to leave a business suddenly battling a storm of bad PR, leaked information, and class-action lawsuits.
Cloud storage is a particularly vulnerable category of application, and poorly secured AWS deployments have been at the heart of many major breaches over the years. One well-documented example is the 2019 Capital One breach. The attacker found a misconfigured web application firewall (WAF) running on an EC2 instance and abused it for server-side request forgery: the WAF could be made to fetch arbitrary URLs, including the instance metadata service at 169.254.169.254, which hands out temporary credentials for the IAM role attached to the instance. That role had far broader S3 permissions than the WAF needed, so the stolen credentials gave the attacker access to the bank’s S3 storage. Roughly 700 S3 buckets, containing numerous data packages with customer information, were listed and copied out of the bank’s environment.
The attacker needed no exotic tooling: ordinary AWS API operations, a ListBuckets call followed by S3 sync, were enough to enumerate and copy the data. Even more concerning, the breach raised no alerts at the time; Capital One learned of it months later from an outside tip, because the transfer of data out of the organization was indistinguishable from normal API traffic.
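The application-side fix for the SSRF step is to refuse server-side fetches that land on the metadata service (or anything else non-routable) before a connection is opened. The guard below is an added example, not Capital One’s or AWS’s code; the `guarded_fetch` wrapper and its injected `fetcher` are hypothetical stand-ins for whatever proxy or URL-fetching feature the application exposes. It goes beyond the single 169.254.169.254 case in the text by also catching the bare-decimal and IPv4-mapped IPv6 spellings of that address and by checking DNS answers, since an attacker-controlled hostname can resolve to the link-local range just as easily.

```python
"""Application-side SSRF guard for a server-side fetcher (proxy, WAF
health check, URL preview, webhook tester): refuse targets that resolve to
the cloud instance metadata service or other non-routable addresses.
Added example; not Capital One's or AWS's code."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Address space a server-side fetch should never reach. 169.254.0.0/16
# contains the metadata endpoint 169.254.169.254 on AWS, Azure and GCP;
# the rest are loopback, RFC 1918 and other non-routable ranges.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "fe80::/10",                    # link-local, incl. IMDS
    "127.0.0.0/8", "::1/128",                         # loopback
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10", "fc00::/7",                      # CGNAT / IPv6 ULA
    "0.0.0.0/8",                                      # "this" network
)]


def _literal_ip(host):
    """Return an ip_address if host is an IP literal. Also handles the
    bare-decimal form (2852039166 == 169.254.169.254) that inet_aton and
    many HTTP clients accept, a classic blocklist bypass."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    if host.isdigit():
        try:
            return ipaddress.IPv4Address(int(host))
        except ValueError:
            return None
    return None


def _system_resolver(host):
    # Real DNS lookup; callers can inject a fake resolver to stay offline.
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_fetch_target(url, resolver=_system_resolver):
    """True only if every address the host maps to is publicly routable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False                      # no file://, gopher://, etc.
    literal = _literal_ip(parts.hostname)
    if literal is not None:
        addrs = [literal]
    else:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
        except (socket.gaierror, ValueError):
            return False
    if not addrs:
        return False
    for addr in addrs:
        # ::ffff:169.254.169.254 is the same host as 169.254.169.254
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        if addr.is_multicast or addr.is_reserved or addr.is_unspecified:
            return False
        if any(addr in net for net in BLOCKED_NETWORKS):
            return False
    return True


def guarded_fetch(url, fetcher, resolver=_system_resolver):
    """Hardened form of a naive `return fetcher(url)` proxy: the policy check
    runs before any connection is made. `fetcher` is injected (hypothetical)
    so the example has no network dependency."""
    if not is_safe_fetch_target(url, resolver):
        raise PermissionError(f"refusing to fetch non-public target: {url}")
    return fetcher(url)
```

Two caveats a practitioner should keep in mind. First, checking a hostname and then connecting is a time-of-check/time-of-use window that DNS rebinding can exploit; the robust version pins the address it validated (or routes all egress through a proxy that enforces the same policy on the actual connection). Second, on AWS the platform-side control is to require IMDSv2 on the instance with a hop limit of 1: IMDSv2 demands a PUT-obtained session token before it will release credentials, which a relayed GET through a WAF or proxy cannot supply.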
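Those API calls are not invisible: every S3 control-plane call lands in CloudTrail, and the stolen credentials belong to an instance role that should only ever be used from the fleet’s own egress addresses. The detection below is an added example (not Capital One’s tooling) run over a handful of constructed CloudTrail-style records. It assumes a known egress range, a role called `WebServerRole`, example instance and key IDs, and identifies instance-profile sessions either by CloudTrail’s `ec2RoleDelivery` session field (which records that the credentials came from the metadata service) or, as a fallback heuristic, by the assumed-role session name being an instance ID.

```python
"""Detection over CloudTrail records for the Capital One pattern:
EC2 instance-role credentials used from an address the fleet never
egresses from, and bulk S3 bucket enumeration by one such session.
Added example; the records below are constructed, not real logs."""
import ipaddress
from collections import defaultdict

# Public addresses our instances are known to egress from (NAT gateway
# EIPs). Constructed for the example.
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

ROLE_ARN = "arn:aws:sts::123456789012:assumed-role/WebServerRole/i-0a1b2c3d4e5f6a7b8"


def _ev(eid, name, key, src, bucket=None, user_type="AssumedRole", arn=ROLE_ARN):
    """Build a trimmed CloudTrail-style record (constructed sample data)."""
    rec = {
        "eventID": eid, "eventSource": "s3.amazonaws.com", "eventName": name,
        "sourceIPAddress": src,
        "userIdentity": {
            "type": user_type, "arn": arn, "accessKeyId": key,
            "sessionContext": {
                "sessionIssuer": {"type": "Role", "userName": "WebServerRole"},
                "ec2RoleDelivery": "1.0",   # "1.0" = credentials served by IMDSv1
            },
        },
        "requestParameters": {"bucketName": bucket} if bucket else {},
    }
    if user_type == "IAMUser":
        rec["userIdentity"].pop("sessionContext")
    return rec


SAMPLE_EVENTS = [
    # Instance role used from an unknown external address: ListBuckets, then
    # ListObjects across several buckets, i.e. `aws s3 ls` followed by sync.
    _ev("e1", "ListBuckets", "ASIAEXAMPLE1", "198.51.100.23"),
    _ev("e2", "ListObjects", "ASIAEXAMPLE1", "198.51.100.23", "cust-data-1"),
    _ev("e3", "ListObjects", "ASIAEXAMPLE1", "198.51.100.23", "cust-data-2"),
    _ev("e4", "ListObjects", "ASIAEXAMPLE1", "198.51.100.23", "cust-data-3"),
    # Same role doing its normal job from the fleet's NAT address.
    _ev("e5", "GetObject", "ASIAEXAMPLE2", "203.0.113.10", "app-assets"),
    # A human admin from a laptop: not an instance role, out of scope here.
    _ev("e6", "ListBuckets", "AKIAEXAMPLE9", "198.51.100.50",
        user_type="IAMUser", arn="arn:aws:iam::123456789012:user/alice"),
]


def is_instance_role_session(rec):
    """Credentials issued to an EC2 instance profile: an assumed role whose
    session context records IMDS delivery, or (heuristic assumption) whose
    session name is the instance ID."""
    ui = rec.get("userIdentity", {})
    if ui.get("type") != "AssumedRole":
        return False
    session_name = ui.get("arn", "").rsplit("/", 1)[-1]
    return "ec2RoleDelivery" in ui.get("sessionContext", {}) or session_name.startswith("i-")


def _from_known_egress(src, known):
    if src.endswith(".amazonaws.com"):   # an AWS service calling on our behalf
        return True
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in known)


def analyze(events, known_egress=KNOWN_EGRESS, bucket_threshold=3):
    """Return findings: one per instance-role call from an unknown address,
    plus one per access key that touched >= bucket_threshold distinct buckets."""
    findings = []
    buckets_by_key = defaultdict(set)
    for rec in events:
        if not is_instance_role_session(rec):
            continue
        key = rec["userIdentity"].get("accessKeyId")
        if not _from_known_egress(rec.get("sourceIPAddress", ""), known_egress):
            findings.append({"rule": "instance-role-from-unknown-ip",
                             "eventID": rec["eventID"], "accessKeyId": key,
                             "sourceIPAddress": rec["sourceIPAddress"]})
        bucket = rec.get("requestParameters", {}).get("bucketName")
        if bucket and rec["eventName"] in ("ListObjects", "ListObjectsV2", "GetObject"):
            buckets_by_key[key].add(bucket)
    for key, buckets in buckets_by_key.items():
        if len(buckets) >= bucket_threshold:
            findings.append({"rule": "bulk-bucket-enumeration",
                             "accessKeyId": key, "bucketCount": len(buckets)})
    return findings
```

The first rule is the higher-signal one: an instance role has no business appearing from an address outside the VPC’s egress, and the hit lands on the very first ListBuckets, before any data leaves. The bucket-count rule is a backstop for the case where the attacker relays traffic through the compromised host itself; its threshold has to be tuned per role, since some workloads legitimately touch many buckets.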
The Capital One breach shows precisely how cloud misconfiguration feeds the risk to today’s software supply chains. As a business’s reliance on cloud applications swells, internal visibility shrinks. The biggest challenge in prioritizing security is building an accurate view of assets: knowing what your organization has in terms of applications, subscriptions, components, and functionality is a task that grows every year.
Making things harder still, cloud service providers are constantly shipping new services and features, broadening the hidden security demands of each cloud environment.
Managing Cloud Application Security
If visibility is your security roadblock, a solution with an automated asset inventory is a must-have. It logs and maintains a real-time list of all current and historical cloud assets, which helps keep your cloud estate from growing out of control. Because it is automated, you can quickly and reliably view the assets you own, the user accounts and roles they are connected to, and the events taking place on each asset. This is the first step to establishing a cloud security perimeter.
Following this, cloud security demands solutions built for the ever-shifting cloud landscape. Multiple connected resources are almost impossible to manage without clear visibility, so the rule of least privilege is often left in the dust: roles quietly accumulate permissions far beyond what their workload needs, which is exactly what turns a single leaked credential into a mass breach. Ruling out misconfigurations is not just vital for your customers and brand image; if your cloud is unknowingly misconfigured, you may also be in breach of your industry’s regulatory controls. Cloud Security Posture Management (CSPM) tooling provides a holistic, continuous analysis of your cloud stack, checking configuration and permissions against policy and flagging weaknesses throughout.
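One of the most valuable checks a CSPM tool runs is the least-privilege review of IAM policies attached to workload roles. The code below is an added example, not any vendor’s product or AWS’s evaluator: it lints policy documents for Allow statements that grant wildcard actions or resources, and offers a deliberately simplified “could this principal reach that bucket?” query. The two policies are constructed for the example (a weak instance-role policy of the kind that makes a leaked credential catastrophic, and the scoped version of the same workload’s needs); the account ID, bucket and log-group names are placeholders.

```python
"""CSPM-style least-privilege check over IAM policy documents: flag Allow
statements that grant wildcard actions or resources, and answer "could this
principal touch resource X?" for a candidate policy. Added example; the two
policies are constructed, not taken from any real account."""
import fnmatch

# Weak: the kind of instance-role policy that turns one leaked credential
# into access to every bucket in the account.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "Logs", "Effect": "Allow", "Action": ["logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/app/web:*"},
    ],
}

# Hardened: the same workload, scoped to the one bucket and prefix it uses.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadAssets", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-assets/static/*"},
        {"Sid": "ListAssets", "Effect": "Allow",
         "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::app-assets",
         "Condition": {"StringLike": {"s3:prefix": ["static/*"]}}},
        {"Sid": "Logs", "Effect": "Allow", "Action": ["logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/app/web:*"},
    ],
}


def _as_list(v):
    # IAM allows a bare string or a list in Action/Resource/Statement.
    return v if isinstance(v, list) else [v]


def find_overbroad_statements(policy):
    """Return one finding per Allow statement that is wider than a specific
    action set on named resources."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        reasons = []
        if "NotAction" in st or "NotResource" in st:
            reasons.append("NotAction/NotResource allow grants everything not listed")
        actions = _as_list(st.get("Action", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            reasons.append("wildcard action")
        if any(r == "*" for r in _as_list(st.get("Resource", []))):
            reasons.append("wildcard resource")
        if reasons:
            findings.append({"index": i, "sid": st.get("Sid"), "reasons": reasons})
    return findings


def allows(policy, action, resource_arn):
    """Simplified evaluator: does any Allow statement match the action and
    resource using IAM-style '*' / '?' globbing? It ignores Deny statements,
    Conditions and NotAction, so True is an upper bound on access, not proof."""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        act_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(st.get("Action", [])))
        res_ok = any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(st.get("Resource", [])))
        if act_ok and res_ok:
            return True
    return False
```

Run against the weak policy, the linter flags the `AllS3` statement on both counts, and `allows` confirms the role could list a customer-data bucket it has no business seeing; the hardened policy produces no findings and cannot reach that bucket at all. A real CSPM engine also evaluates Deny statements, conditions, permission boundaries, service control policies and resource policies, which is why the simplified evaluator here is labelled a ceiling rather than an answer.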
The cloud may have revolutionized the online business landscape, but it is a tool that demands great security responsibility. The fallout from supply chain attacks has been demonstrated over and over throughout the last few years: the only durable defense is collective cloud security, in which providers, vendors and customers each hold up their side of the shared-responsibility model through asset inventory, least privilege and continuous configuration checks.