The European Union Cybersecurity Agency (ENISA) warns of increasing supply chain attacks in 2021, as advanced persistent threat (APT) actors employ increasingly sophisticated techniques that go beyond conventional targeted attacks.
ENISA is the body responsible for EU-level coordinated actions on cybersecurity and emerging technologies like artificial intelligence and 5G.
The agency studied 24 supply chain attacks from January 2020 to July 2021 and found that strong security protection is no longer effective in defending against these forms of cyber-attacks.
The agency found that half of the supply chain attacks recorded during that 18-month period originated from well-known advanced persistent threat actors, including APT29, APT41, Thallium, UNC2546, Lazarus, TA413, and TA428.
In almost two out of three (62%) recorded supply chain attacks, threat actors exploited supplier trust to infiltrate their victims.
Similarly, in 66% of the cases the attacks focused on the suppliers’ code in order to infiltrate customers’ networks, while 20% targeted the suppliers’ data and 12% aimed at the suppliers’ internal processes. In 62% of the attacks recorded, the threat actors employed malware.
More than half (58%) of the attacks intended to gain access to data, while 16% aimed to access people, and 8% to access financial resources.
“This shows that organizations should focus their efforts on validating third-party code and software before using them to ensure these were not tampered with or manipulated,” the report stated.
The agency also advised customers to identify and document their suppliers and service providers, define risk criteria for different types of suppliers and services, and manage suppliers throughout the whole product lifecycle.
Suppliers, in turn, were advised to ensure that their product development lifecycles apply cybersecurity best practices, to monitor internal and external security vulnerabilities (including those in third-party components), and to maintain an inventory of assets to ease tracking and patch management.
“There is a clear trend to exploit misconfigured CI/CD pipelines and vulnerable cloud deployments,” says Ilia Kolochenko, Founder, CEO, and Chief Architect at ImmuniWeb. “Amid the pandemic, countless organizations rapidly moved their IT infrastructure to the cloud, while trying to save money on training and cloud-specific security hardening. Combined with legacy IT infrastructure, third-party managed servers, and software, the digitalization in 2021 made organizations a low-hanging fruit for cybercriminals.”
Most supply chain attack vectors remain unknown
The ENISA report found that in two-thirds (66%) of the supply chain attacks, suppliers either did not know how they were compromised or were not transparent about it.
By contrast, fewer than 9% of customers compromised through supply chain attacks were unable to explain how the attacks happened. The difference highlights a cybersecurity incident reporting gap between suppliers and customers.
Given that most of the compromised suppliers operate in the technology sector, the authors posited that this reflects either a poor level of maturity in protecting suppliers’ infrastructure or an unwillingness to disclose information. They warned that this lack of transparency poses serious risks to the supply chain.
“Cyber-gangs are much better organized compared to the cybersecurity industry,” Kolochenko added. “They meticulously plan and coordinate their attacks, leverage division of labor, and eventually attain impressive efficiency. Contrasted to cybersecurity teams, bad guys are never on holidays or sick leave, and will even purposely conduct swift raids while the victim organizations are the most unprepared.”
Not all vulnerabilities are supply chain attacks
ENISA warned that not all vulnerabilities detected on the suppliers’ side qualify as supply chain attacks. The agency noted that many vulnerabilities initially believed to have been deliberately introduced to enable a future compromise turned out to be accidental errors.
Such vulnerabilities do not qualify as supply chain attacks because they do not involve the compromise of a supplier.
The report highlighted three attacks initially believed to be software supply chain attacks. The first incident involved an attacker uploading malicious packages to the RubyGems repository.
In the second, a security researcher uploaded malicious NPM packages, while the third case involved attackers impersonating a well-known package on the NPM repository in a brandjacking attack.
ENISA said the three attacks failed to qualify as software supply chain attacks because the attackers did not “compromise existing packages nor the software repositories themselves.”
Supply chain attacks save attackers the time, effort, and resources needed to compromise individual victims one by one, and a single compromised supplier can multiply the number of victims many times over. They have the potential to become the preferred attack method.