Beyond SolarWinds: 6 More Notable Software Supply Chain Attacks
SolarWinds has become almost a household name and for all the wrong reasons: beginning in 2019, the system management company was the target of one of the largest software supply chain attacks in history.
Software supply chain attacks are especially insidious because they target organizations by going after their third-party vendors or suppliers of software, hardware, or services at any stage of the development lifecycle. The goal is to gain access, conduct espionage, and enable sabotage.
These attacks range from using simple deception techniques such as disguising malware as legitimate products to more complex means to access and modify a legitimate program’s source code.
Besides compromising the infrastructure of developers and distributors, adversaries may try to exploit tools, dependencies, shared libraries, and third-party code.
In the case of SolarWinds, the third-party software was its Orion IT monitoring platform, which was used by hackers to install malicious code. Unfortunately, SolarWinds is not the only notable attack in recent years. Here is a look at six others.
Kaseya, an IT management company, announced in July 2021 that its VSA software had been exploited. It was later revealed that the attackers were named REvil, and that they exploited a vulnerability in the platform to carry out ransomware attacks on several managed services providers and their customers. Kaseya confirmed that about 60 customers and another 1,500 businesses were impacted by the attack. The company maintained that it did not pay a ransom.
Prior to the Kaseya attack, in April 2021, software testing platform Codecov, which generates code coverage reports and statistics, discovered it was targeted by a supply chain attack that manipulated Docker upload scripts. Codecov’s environment was compromised for two months before the hackers were detected. A customer finally noticed an error in the code. The damage was substantial since Codecov serves over 29,000 enterprise clients.
In 2022, Okta, a provider of authentication services with more than 15,000 global clients, disclosed three breaches that year – the most recent of which was the compromise of its GitHub repositories. In March of that year, hackers from the notorious Lapsus$ group gained access to Okta’s network by compromising the laptop of a technician at one of the company’s third-party vendors, Sykes, which is owned by Sitel, one of the largest call center operators in the world. Several healthcare organizations were compromised by the Lapsus$ hack. Lapsus$ is best known for hacking and then leaking files stolen from Samsung. Once inside Okta’s network, the hackers were able to access data on about 2.5% of the company’s customers.
The GitHub OAuth Tokens Attack
In April 2022, repository hosting service GitHub revealed that an attacker had stolen OAuth user tokens issued to third-party integrators Heroku and Travis-CI, which were used to download data from dozens of GitHub’s customers. The company said the attacker targeted select organizations and then listed the private repositories for user accounts of interest.
The FishPig Magento Hack
UK-based e-commerce software maker FishPig, discovered a security breach of its distribution server that gave threat actors the ability to control its systems and infect customers of its fee-based Magento 2 open source WordPress modules. The hackers used Rekoobe, a sophisticated backdoor that masquerades as a benign SMTP server. The supply chain attack took place in August 2022. It is not known how many Magento e-commerce stores were affected by the attack, although the FishPig software has over 200,000 downloads.
Log4j reveals more of a massive “potential” for attack, but is a significant example of the inherent vulnerability in the software supply chain. At the end of 2021, a Java-based logging utility known as Log4j fell victim to a vulnerability, Log4Shell and put millions of computers at risk. Log4j is open source software that was built by the Apache Software Foundation to record diagnostic information about systems. The information is communicated to users and administrators to help keep things running smoothly.
The Log4Shell vulnerability meant attackers could break into systems, steal data, uncover logins and passwords, and unleash further malicious software. The effects were widespread because Log4j has been used by a vast number of individuals and organizations.
How to Protect Yourself From Software Supply Chain Attacks
It is difficult to prevent software security attacks because of the vast number of suppliers in the supply chain. But there are some rules of thumb to follow:
- Keep an updated inventory of all your software assets with a Software Bill of Materials (SBOM)
- Secure your endpoints
- Implement solid code integrity policies that include stringent rules to authorize apps
- Prepare an incident response plan to protect all mission-critical components
How Rezilion Can Help You Defend Against Software Supply Chain Attacks
True defense of the software attack surface requires a Dynamic SBOM. A Dynamic SBOM creates a continuous inventory of all of your software components, maps any recognized vulnerability to these components, and assesses your attack surface. Learn more about how we can help you create a Dynamic SBOM at https://www.rezilion.com/platform/sca-dynamic-sbom/.