Abstract: Supply chain attacks have become frequent recently. Supply chain attacks and ransomware attacks are becoming important means for hackers to make a profit, and the resulting social harm is huge. How to effectively prevent supply chain attacks is becoming a problem that software vendors need to think about. Google's SLSA supply chain integrity framework gives us a lot of useful reference points.
This article is shared from the HUAWEI cloud community "Defense against supply chain attacks", original author: Uncle_Tom.
1. The largest ransomware attack in history
On July 2nd, the ransomware organization REvil attacked Kaseya, an IT management service provider (MSP) from Sweden.
Kaseya's VSA (Virtual System Management) is a cloud-based management service provider (MSP) platform that provides customers with a new generation of web-based automated IT system management solutions. An MSP establishes its own Network Operating Center (NOC) to provide enterprises with 24×7×365 system management services: remote management and real-time monitoring of the customer's IT systems, statistics on the operation of enterprise systems, and patch management.
Kaseya has more than 10,000 customers worldwide, including more than 50% of the world's top 100 IT management service providers and leading companies from banking, finance, retail, trading, education, government agencies, medical institutions and the transportation industry. More than 13 million terminals and devices worldwide are managed through Kaseya's software.
After using a zero-day vulnerability (CVE-2021-30116) to compromise the MSP platform, REvil pushed malicious updates through the VSA and deployed ransomware on corporate networks, so that Kaseya's own tool chain became the attack vector. REvil claims to have locked more than one million systems and is willing to negotiate a universal decryptor. The starting price is $70 million, the highest ransom demand so far.
REvil frequently commits crimes:
- In May 2020, REvil claimed to have deciphered the elliptic curve cryptography Donald Trump used to protect his data and demanded a ransom of $42 million for the data they had stolen.
- On March 18, 2021, REvil affiliates claimed on the Internet that they had installed ransomware and stolen a large amount of data from the multinational hardware and electronics company Acer, and demanded a ransom of US$50 million for it.
- On March 27, 2021, REvil attacked the Harris Alliance and published multiple financial documents of the Alliance on its blog.
- In April 2021, REvil stole the plans of Quanta Computer’s upcoming Apple products and threatened to publicly release these plans unless they received a ransom of US$50 million.
- On May 30, 2021, JBS, the world's largest meat supplier, was attacked by REvil ransomware. The company had to temporarily close all of its US beef plants and interrupt operations at its poultry and pork plants. In the end, JBS paid REvil a ransom of $11 million in Bitcoin.
- On June 11, 2021, the global renewable energy giant Invenergy confirmed that its operating system was attacked by ransomware, and REvil claimed responsibility.
2. Supply chain attacks have been frequent recently
- 2020/12, SolarWinds software is used for a supply chain attack
Founded in 1999, SolarWinds is headquartered in Austin, Texas, and has sales and product development offices in multiple countries. It mainly sells network and system monitoring and management software, and serves 300,000 customers worldwide, covering a large number of important institutions such as government, military and education, and more than 90% of the world's top 500 companies. Its list of well-known customers includes: 425 of the Fortune 500 companies in the United States; the top ten telecommunications companies in the United States; all five branches of the US military; the Pentagon, US State Department, NASA, NSA, US Postal Service, NOAA, US Department of Justice and Office of the President; the top five accounting firms in the United States; hundreds of universities around the world, etc.
According to analysis, more than 250 US federal agencies and companies were affected, including the US Treasury Department, the US NTIA, and the US security company FireEye. This can be regarded as the most influential supply chain attack of 2020.
- 2020/12, hacker organization FIN11 exploited multiple 0-day vulnerabilities in Accellion FTA servers to attack hundreds of companies around the world
Hackers used 4 security flaws to attack Accellion FTA servers (the FTA server is a file sharing tool developed in the 2000s that allows companies to share files with employees and customers in a simple way), installed a webshell named "DEWMODE", and then used it to download files stored on the victim's FTA device. Accellion stated in a press release: "Of the approximately 300 FTA clients, fewer than 100 were victims, and fewer than 25 of them suffered serious data theft incidents." Some of these 25 clients received a blackmail message after their FTA file sharing server was attacked: the attacker sent an email requesting payment in Bitcoin, otherwise the victim's data would be disclosed on a website operated by the Clop extortion group.
- 2021/03, SITA is attacked through the supply chain
International Aviation Telecommunications Corporation (SITA), a communications and IT vendor that accounts for 90% of the global aviation share, suffered a "highly sophisticated attack" on passenger information stored on the company's servers in the United States. The attacked server is located in Atlanta and belongs to the SITA Passenger Service System (SITA PSS). SITA PSS operates the system that processes air passenger information and is owned by a number of SITA companies headquartered in the European Union. Star Alliance (International Airline Alliance) member airlines including Lufthansa, Air New Zealand and Singapore Airlines, as well as OneWorld members Thai Airways, Finnair, Japan Airlines and Malaysia Airlines, have begun to communicate with affected users, and passenger data of Korean Airlines and Jeju Air is also said to have been compromised.
3. Supply chain attacks
Supply chain attacks are a threat that targets software developers and vendors. Attackers infect legitimate applications to distribute malware, gaining access to source code, build processes, or update mechanisms, with the goal of attacking the developers and vendors themselves and, through them, their users.
The software supply chain can be divided into three major links: development, delivery, and operation. Each link may introduce security risks in the supply chain and be attacked, and security issues in the upstream link will be passed to the downstream link and be amplified.
Hackers often compromise the server of a well-known official website and tamper with the source code of the software hosted there, so that the software triggers malicious behavior when the user downloads and installs it. Such malware-carrying software comes from a trusted distribution channel and carries the corresponding supplier's digital signature, which greatly improves its concealment and makes security detection more difficult.
When the malware spread by the attacker through a supply chain attack uses encryption to lock the system's data and then blackmails the enterprise, it constitutes a ransomware attack. When supply chain attacks and ransomware attacks are combined, they usually cause greater harm.
For example, regarding the Kaseya attack, the security company Huntress Labs published a post on Reddit detailing how the Kaseya VSA intrusion worked. The trojanized software was released as a "Kaseya VSA Agent Hot-fix" and distributed through Kaseya's MSP management platform to the VSA virtual machines that Kaseya uses for customer management, after which the malware encrypted the customers' key data and demanded ransom.
- Typical attack methods for supply chain attacks
"China Cyber Security Report 2020" stated that supply chain attacks have become one of the most influential advanced threats in 2020.
4. Prevention of Supply Chain Attacks
4.1. Google's SLSA Supply Chain Integrity Framework
On June 16, Google published the post "Introducing SLSA, an End-to-End Framework for Supply Chain Integrity" on its security blog, introducing SLSA (pronounced "salsa"), a framework for end-to-end supply chain integrity.
Problems solved by SLSA:
- Software manufacturers want to protect their supply chain, but don’t know how;
- Software consumers want to understand and limit their risk of supply chain attacks, but there is no way to do so;
- Individual artifact signatures can only prevent a subset of the attacks we care about.
The standards developed by SLSA are the guiding principles for software producers and consumers:
- Software producers can follow these guidelines to make their software more secure;
- Software consumers can make decisions based on the security status of the software package.
SLSA is a set of security guidelines, established by industry consensus, that can be adopted gradually. SLSA is designed to prevent common supply chain attacks: it explicitly enumerates the possible attacks at each link of the development process, marking them as 8 attack points from A to H, and at the same time expresses the integrity of the three kinds of artifacts produced in the development process (source, dependencies and packages) through a division into security levels. The four SLSA levels are designed to be incremental and actionable, and to prevent specific integrity attacks. SLSA 4 represents the ideal final state, and the lower levels represent milestones with corresponding integrity guarantees.
4.2. Supply chain threats during development
- Supply chain threat map during development
- Related definitions in the figure
Special case:
- A zip package containing the source code is a package, not a source, because the file is generated by a build from other source code. For example, a zip file produced by git.
- Supply chain threat description during development
4.3. SLSA security level
The SLSA level of an artifact describes the integrity strength of its direct supply chain, and there are four SLSA levels. SLSA 4 is currently the highest level and represents the ideal final state. SLSA 1–3 provide lower security guarantees but are easier to meet. According to Google's experience, achieving SLSA 4 may take many years and a lot of effort, so the intermediate milestones are important.
- Level definition
4.4. SLSA security level requirements
SLSA defines the implementation requirements for reaching each level, as follows:
4.5. Application examples
The following figure is an application example given by SLSA. It can be seen that each delivered artifact has its own hash value and recorded source, so that the entire chain of artifacts is traceable and verifiable.
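As an added example (not SLSA's own code, schema or verifier), the following Python script checks the kind of hash chain the figure describes: each artifact's contents must match the digest recorded in its provenance, each packaged dependency's recorded digest must match that dependency's own provenance, and the weakest link decides the level. The artifacts, provenance records, field names and builder properties are all constructed for this example and only approximate SLSA's level criteria.

```python
import hashlib

# Constructed sample artifacts standing in for real files (not SLSA's own data).
ARTIFACTS = {
    "libfoo-1.2.tar.gz": b"constructed dependency contents",
    "app-3.0.zip": b"constructed package contents",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Simplified provenance records; field names are this example's own, not SLSA's schema.
PROVENANCE = {
    "libfoo-1.2.tar.gz": {
        "subject_sha256": sha256(ARTIFACTS["libfoo-1.2.tar.gz"]),
        "builder": {"id": "https://ci.example/builder", "isolated": True, "hermetic": True},
        "materials": [{"uri": "git+https://example/libfoo@constructed-commit"}],
        "two_person_review": True,
    },
    "app-3.0.zip": {
        "subject_sha256": sha256(ARTIFACTS["app-3.0.zip"]),
        "builder": {"id": "https://ci.example/builder", "isolated": True, "hermetic": False},
        "materials": [{"uri": "git+https://example/app@constructed-commit"},
                      {"uri": "libfoo-1.2.tar.gz", "sha256": sha256(ARTIFACTS["libfoo-1.2.tar.gz"])}],
        "two_person_review": True,
    },
}

def level_of(rec):
    """Map builder properties to a simplified SLSA-style level from 1 to 4 (approximation)."""
    b = rec["builder"]
    if b.get("hermetic") and b.get("isolated") and rec.get("two_person_review"):
        return 4
    if b.get("isolated"):
        return 3
    if b.get("id"):
        return 2
    return 1

def verify(name, artifacts, provenance):
    """Return (ok, level, problems): digest check for `name`, then recursively for each
    packaged material; the level is the minimum over the chain."""
    rec = provenance.get(name)
    if rec is None:
        return False, 0, [f"{name}: no provenance"]
    problems, level = [], level_of(rec)
    if sha256(artifacts.get(name, b"")) != rec["subject_sha256"]:
        problems.append(f"{name}: contents do not match provenance digest")
    for m in rec["materials"]:
        dep = m["uri"]
        if dep in provenance:  # packaged dependency: recorded digest must match its provenance
            if m.get("sha256") != provenance[dep]["subject_sha256"]:
                problems.append(f"{name}: material {dep} digest mismatch")
            ok, dep_level, dep_problems = verify(dep, artifacts, provenance)
            problems += dep_problems
            level = min(level, dep_level)
    return not problems, level, problems
```

A tampered package (the SolarWinds or Kaseya scenario, where a signed-looking update no longer matches what the build produced) fails the first check even though its dependencies verify.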
5. Summary
- Supply chain attacks are becoming one of the most harmful cyber threats, and their frequency is increasing;
- Supply chain attacks have upstream formal release channels and valid signatures, making it difficult for downstream users to prevent them;
- Software developers must, in addition to managing open source software defects, improve their own risk management capabilities, be able to identify malicious changes in the development process, and trigger investigation and preventive measures;
- Google's SLSA supply chain integrity framework, comprehensively considers the security threats that may be introduced in each link of the supply chain, and provides an effective method to prevent supply chain attacks;
- Google's SLSA supply chain integrity framework can be a good reference for us to prevent supply chain attacks in the development process;
6. Reference
- Microsoft Security Supply Chain Attack
- Google: Introducing SLSA, an End-to-End Framework for Supply Chain Integrity
- 2021-07-05 The ransomware organization REvil launches a supply chain attack, demanding a ransom of 70 million US dollars
- 2021-03-07 Large-scale supply chain attacks have captured several airlines
- 2020-12-16 SolarWinds' software is used for supply chain attack: analysis
- Insights into RSA2021 | How to defend against the much-touted "supply chain attack"?
- 5-ways-your-software-supply-chain-is-out-to-get-you-part-5-hostile-takeover
- rsa innovation sandbox inventory-apiiro-code risk platform
- top-5-tips-to-prevent-the-solarwinds-solorigate-attack
- Interpret the 6 most common types of software supply chain attacks