Hindsight is a wonderful thing. It helps us steer clear of past mistakes and prepare to get stronger. When it comes to cybersecurity lessons, Sunburst is one of the biggest examples the industry can learn from, writes Stuart Taylor, Senior Director of Security Labs at Forcepoint, a cyber security, firewall and data loss prevention product firm.
Sunburst was a complex piece of malware concealed inside genuine software updates. Recorded as the biggest supply chain attack to date, the resulting data exfiltration affected many US government organisations and large enterprises, including Microsoft, Deloitte and FireEye, as well as thousands of smaller companies.
The malware infiltrated a trusted software update called SolarWinds Orion, which was delivered to more than 18,000 public and private organisations. The sophisticated malware lay dormant for 14 months before it began to execute the exfiltration. Even though a patch is available for this malware, it is still not completely understood, and there is still a threat of dormant malware lurking somewhere.
However, this was not the first time genuine software has been infiltrated by malware. Attackers have used similar techniques in the past, as seen with Petya and the Asus Live Update compromise. People have also long been tricked into downloading malware through phishing emails that use software update lures.
Successful attacks pave the way for copycats to replicate them. As a result, more attacks are inevitable. We have already witnessed a similar attack on Kaseya, which happened after Sunburst. Here, an Irish IT solution provider saw its remote-monitoring tool infiltrated with malware, giving attackers access to multiple end customers.
In 2022, we expect to see a significant rise in criminal copycats delivering a variety of malware via software updates.
Growing open-source projects imply more supply chain attacks
It is increasingly evident that nation-state groups and hackers will continue to attack supply chain providers across a wide range of industries. ‘Technical debt’ can make organisations vulnerable, but there are several other factors to consider when analysing these attacks. Studying software attack vectors can help us understand how and where these bad actors launch new attacks.
As open-source projects continue to grow exponentially, supply chain attacks are increasing at an alarming rate. Innovative and open-source software is developed and rolled out at a rate of knots, and sadly vulnerabilities are a part of development. As vulnerabilities are uncovered, organisations need to patch at the same pace. According to the 2021 State of the Software Supply Chain report, Sonatype estimates 12,000 attacks on open-source projects, representing a 650 per cent increase year over year. Businesses and government agencies of all sizes are adopting and deploying open-source projects at an ever-increasing rate. Moving fast and shortening time-to-market when introducing new software projects is great for competitive innovation, but, from a cybersecurity perspective, the risk that comes with this fast-paced technology implementation cannot be ignored.
While Sunburst and the REvil group’s ransomware attack on Kaseya grabbed mainstream headlines, it is also worth noting that there have been a number of lesser-known attacks too, such as the four OMIGOD vulnerabilities in 2021, which affected the Open Management Infrastructure (OMI) software agent on Azure Linux machines. Organisations should pay extra attention to ensuring the security of open-source software at every stage of a project. This means scrutinising code at multiple layers, not only at the start of a project but throughout the development and deployment process. This is easier said than done, and what makes it more complicated is that keeping bad actors out of these infrastructures requires effort from both the in-house and the external people working on these projects.
Building future-proof defences
As mentioned above, one of the key weapons in the fight against malicious software updates is addressing ‘technical debt’. Technical debt is essentially the difference between the ‘price’ (time, people, external resources) an organisation is prepared to pay and the ‘price’ that developing a piece of software perfectly would require. Software which is fit for purpose but not perfect is often rolled out, with a plan to fix any minor flaws later – however, on occasion this debt has to be tolerated for long periods of time due to other business requirements.
The subject of technical debt has been regularly discussed across the software development industry; however, with businesses now operating in an increasingly interconnected and digitally transformed world, technical debt is an urgent issue to be addressed. As investment depletes, products can easily fall behind on timely updates, resulting in flaws and gaps in the software infrastructure that give rise to vulnerabilities. It is very likely that financially motivated criminals or nation-state actors will push malware out through software updates, and hence it is imperative for IT administrators to keep on top of applying patches and updates in real time – and cut down on that debt!
With the increase in hybrid working, end users now need to take more responsibility for patching and updating their systems at home. The problem is that this could lead to updates not happening at all, or to updates being accepted by people unused to the task, meaning something suspicious could be accepted and cause huge issues. With this in mind, businesses must ensure regular cybersecurity training is rolled out so that employees act as a first line of defence. Next year, mass-market malicious software updates are certainly going to be on the rise. However, through a mix of strong patch management systems, educational programmes, and security solutions and architectures which take account of potential supply chain attacks, organisations have a better chance of spotting attacks before they get through.