2021 – The Year of the Supply Chain
Logistics and supplies are the fuel that keeps modern society rolling. The COVID-19 pandemic has shown that the delivery of goods, medical supplies, and workplace administration is a part of our daily lives. The container ship Ever Given blocking the Suez Canal serves as an illustration of how important these lifelines are. Even the digital world is based on supply chains. The computer you use receives updates regularly. Chances are high that you even have some data in online platforms (a.k.a. The Cloud™) somewhere. Thinking in terms of information security, these dependencies are a natural target for attackers.
Swedish supermarket customers currently suffer from a digital attack on the US company Kaseya. The company develops software for managing IT infrastructure. The REvil malware hit them and disabled clients using the VSA remote management software created by Kaseya. The term supply chain implies linked entities. Attacking a system of dependencies can have enormous benefits for attackers, because a single target can enable access to a variety of connected systems. Packaged software and trust relationships are the prime goals of these attacks. It is similar to finding a security vulnerability in software libraries: widely used components can open a lot of doors simultaneously.
Software updates have introduced cryptographic signatures and encrypted transport mechanisms in order to ensure that code passes an integrity check before being added to the system. Some updaters feature no integrity checks, and occasionally checks fail. This means that software updates remain an open channel into an organisation’s network and can be compromised. Security researchers have explored these cascading effects in the past. Given the REvil attack, adversaries have adapted this research into a mainstream tool for generating their revenue.
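The integrity check the paragraph above refers to can be shown in a few lines. The following Go program is an added example, not code from the post, from Kaseya or from any real updater: it models a vendor signing an update with an Ed25519 key and an updater that pins the vendor's public key and refuses both unsigned and tampered packages. The package layout, the `Verifier` type and the `InstallWithoutCheck` function (the "no integrity check" path) are assumptions made for illustration; the sample payload bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdatePackage models a downloaded update: the code bytes plus a detached
// Ed25519 signature over those bytes (constructed shape, not a real format).
type UpdatePackage struct {
	Payload   []byte
	Signature []byte // empty when the vendor ships no signature at all
}

// Verifier holds the vendor public key pinned into the updater at build time,
// so a compromised download server cannot simply substitute its own key.
type Verifier struct {
	VendorKey ed25519.PublicKey
}

var (
	ErrUnsigned     = errors.New("update carries no signature")
	ErrBadSignature = errors.New("signature does not match payload")
)

// GenerateVendorKey stands in for the vendor's offline key ceremony.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignUpdate is what the vendor's build pipeline does with its private key.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) UpdatePackage {
	return UpdatePackage{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// Verify is the hardened path: an update is accepted only when it carries a
// signature and that signature verifies under the pinned vendor key. A
// missing signature is treated as a failure, never as "nothing to check".
func (v Verifier) Verify(pkg UpdatePackage) error {
	if len(pkg.Signature) == 0 {
		return ErrUnsigned
	}
	if !ed25519.Verify(v.VendorKey, pkg.Payload, pkg.Signature) {
		return ErrBadSignature
	}
	return nil
}

// InstallWithoutCheck models the weak updater the post describes: it applies
// whatever it downloaded. It returns the SHA-256 of what it would install,
// which is the only "evidence" such an updater ever records.
func InstallWithoutCheck(pkg UpdatePackage) string {
	sum := sha256.Sum256(pkg.Payload)
	return hex.EncodeToString(sum[:])
}

func main() {
	pub, priv, err := GenerateVendorKey()
	if err != nil {
		panic(err)
	}
	v := Verifier{VendorKey: pub}

	genuine := SignUpdate(priv, []byte("agent-v2.bin (constructed payload)"))
	fmt.Println("genuine update:", v.Verify(genuine))

	// Payload altered in transit or on the download server; signature kept.
	tampered := genuine
	tampered.Payload = []byte("agent-v2.bin (constructed payload) + extra code")
	fmt.Println("tampered update:", v.Verify(tampered))

	// Vendor (or attacker) ships no signature at all.
	unsigned := UpdatePackage{Payload: tampered.Payload}
	fmt.Println("unsigned update:", v.Verify(unsigned))

	// The weak updater installs the tampered payload without complaint.
	fmt.Println("weak updater installed:", InstallWithoutCheck(tampered))
}
```

The point to take from the two paths is that signature verification only helps when the updater treats "no signature" and "bad signature" identically, as a hard stop; an updater that skips the check when the signature is absent is equivalent to `InstallWithoutCheck`.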
If you have ideas how to counter these attacks or help affected companies to spot vulnerabilities of this kind before the compromise happens, then let us know. The DeepSec call for papers is still open.