2021 – The Year of the Supply Chain

René Pfeiffer/ July 8, 2021/ Conference

Image credit: CPL Sam Shepherd/NZ Defence Force, Crown Copyright 2011, NZ Defence Force

Logistics and supplies are the fuel that keeps modern society rolling. The COVID-19 pandemic has shown that delivery of goods, medical supplies, and workplace administration is a part of our daily lives. The container ship Ever Given blocking the Suez Canal serves as an illustration of how important these lifelines are. Even the digital world is based on supply chains. The computer you use receives updates regularly. Chances are high that you even have some data in online platforms (a.k.a. The Cloud™) somewhere. Thinking in terms of information security, these dependencies are a natural target for attackers.

Swedish supermarket customers currently suffer from a digital attack on the US-American company Kaseya. The company develops software for managing IT infrastructure. The REvil malware hit them and disabled clients using the VSA remote management software created by Kaseya. The term supply chain implies linked entities. Attacking a system of dependencies can have enormous benefits for attackers, because a single target can enable access to a variety of connected systems. Packaged software and trust relationships are the prime goals of these attacks. It is similar to finding a security vulnerability in a software library: widely used components can open a lot of doors simultaneously.

Software updates have introduced cryptographic signatures and encrypted transport mechanisms in order to ensure that code passes an integrity check before being added to the system. Some updaters feature no integrity checks, and occasionally checks fail. This means that software updates remain an open channel into an organisation’s network and can be compromised. Security researchers have explored these cascading effects in the past. Given the REvil attack, adversaries have turned this research area into a mainstream tool for generating revenue.
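To make the difference between a checked and an unchecked update channel concrete, here is an added example (not code from the post, Kaseya or any real updater) using Go's standard-library Ed25519: a fail-closed client that installs only what the pinned vendor key has signed, beside a fail-open client that skips the check when no signature is present. The vendor key pair, package name and bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Update is what the server hands the client: package bytes plus a detached Ed25519 signature.
type Update struct {
	Package   []byte
	Signature []byte
}

// publish is the vendor side of the channel: sign the package before shipping it.
func publish(priv ed25519.PrivateKey, pkg []byte) Update {
	return Update{Package: pkg, Signature: ed25519.Sign(priv, pkg)}
}

// InstallIfVerified is the fail-closed client: only a signature under the pinned vendor key installs.
func InstallIfVerified(vendorPub ed25519.PublicKey, u Update) (bool, error) {
	if len(vendorPub) != ed25519.PublicKeySize {
		return false, errors.New("no pinned vendor key")
	}
	if len(u.Signature) != ed25519.SignatureSize {
		return false, errors.New("update is unsigned or malformed")
	}
	if !ed25519.Verify(vendorPub, u.Package, u.Signature) {
		return false, errors.New("signature check failed")
	}
	return true, nil // only here would a real updater unpack and apply the package
}

// InstallFailOpen models the weak updater the post warns about: the signature is
// checked only when one is present, so an unsigned package is installed unchecked.
func InstallFailOpen(vendorPub ed25519.PublicKey, u Update) bool {
	if len(u.Signature) == 0 {
		return true // unsigned "legacy" path: the open channel into the network
	}
	return ed25519.Verify(vendorPub, u.Package, u.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	u := publish(priv, []byte("example-agent 1.2.3 (constructed package bytes)"))
	fmt.Println(InstallIfVerified(pub, u))                        // true <nil>
	fmt.Println(InstallFailOpen(pub, Update{Package: u.Package})) // true: unsigned but installed
}
```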

If you have ideas how to counter these attacks or help affected companies to spot vulnerabilities of this kind before the compromise happens, then let us know. The DeepSec call for papers is still open.


About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.