Abstract: Supply chain attacks and ransomware attacks have become important ways for attackers to make money, and they do great harm to society. How to prevent supply chain attacks effectively is a question every software supplier now needs to think about. Google’s SLSA supply chain integrity framework offers a useful reference.

This article is shared from Huawei Cloud Community “Supply Chain Attack Prevention”, the original author: uncle_Tom.

1. The largest ransomware attack in history

On July 2, 2021, the ransomware group REvil attacked Kaseya, a US-based vendor of IT management software used by managed service providers (MSPs).

Kaseya’s VSA (Virtual System Administrator) is a remote monitoring and management platform, offered both as a cloud service and as an on-premises server, that gives MSPs a suite of web-based, automated IT system management tools. An MSP provides 24x7x365 system management for its business customers by operating its own network operations center (NOC): through VSA it can remotely manage customers’ IT systems, monitor them in real time, collect operating statistics, and roll out patches.

Kaseya has more than 10,000 customers around the world, including more than 50% of the world’s top 100 IT management service providers and leading enterprises from the banking, financial, retail, trade, educational institutions, government agencies, medical institutions and transportation industries. More than 13 million terminals and devices worldwide are managed through Kaseya’s software.

REvil exploited a zero-day vulnerability in VSA (CVE-2021-30116) to compromise the VSA servers that MSPs use to manage their customers, then used VSA’s own update mechanism to push a malicious update to the managed endpoints and deploy ransomware on those customers’ networks, turning Kaseya’s tool chain into the attack vector. REvil claimed to have locked more than a million systems and offered to negotiate a universal decryptor with a starting price of $70 million, the largest ransom demand on record at the time.

  • REvil is a frequent offender:

    • In May 2020, REvil claimed to have cracked the elliptic curve cryptography used by Donald Trump’s company to protect its data and demanded a ransom of $42 million for the data it had stolen.
    • On March 18, 2021, a REvil affiliate claimed online that it had deployed ransomware on, and stolen large amounts of data from, the multinational hardware and electronics company Acer, and demanded a ransom of $50 million.
    • On March 27, 2021, REvil attacked the Harris Federation and published a number of its financial documents on its leak blog.
    • In April 2021, REvil stole schematics for upcoming Apple products from Quanta Computer and threatened to publish them unless it received a $50 million ransom.
    • On May 30, 2021, JBS, the world’s largest meat supplier, was hit by REvil ransomware, forcing it to temporarily shut down all of its US beef plants and disrupting operations at its poultry and pork plants. JBS eventually paid REvil a ransom of $11 million in bitcoin.
    • On June 11, 2021, Invenergy, a global renewable energy company, confirmed that its systems had been hit by a ransomware attack for which REvil claimed responsibility.

2. Supply chain attacks have become frequent

  • SolarWinds, founded in 1999 and headquartered in Austin, Texas, develops and sells software for network and system monitoring and management, with sales and product development offices in several countries and 300,000 customers worldwide. Its customers include a large number of important institutions in government, the military and education, and more than 90% of the world’s top 500 enterprises; well-known customers include 425 of the US Fortune 500, the top 10 US telecom companies, all five branches of the US military, the Pentagon, the State Department, NASA, the NSA, the US Postal Service, NOAA, the Department of Justice and the Oval Office, the top five US accounting firms, and hundreds of universities around the world. In December 2020 it was disclosed that attackers had inserted a backdoor into legitimately signed updates of SolarWinds’ Orion platform, which the normal update channel then delivered to customers. It is estimated that more than 250 US federal agencies and businesses were affected, including the US Treasury Department, the NTIA and the security company FireEye, making it one of the most influential supply chain attacks of 2020.
  • In December 2020, the FIN11 group exploited several zero-day vulnerabilities in the Accellion FTA (File Transfer Appliance) server, a file-sharing product dating from the early 2000s, to attack hundreds of organizations around the world. Using four security flaws, the attackers installed a web shell named DEWMODE and used it to download the files stored on the victims’ FTA appliances. “Out of approximately 300 FTA clients, fewer than 100 have been victims, and fewer than 25 of those have been victims of serious data theft,” Accellion said in a press release. Some of those 25 customers later received extortion e-mails demanding payment in bitcoin and threatening to publish their data on the leak site run by the CLOP extortion gang.
  • SITA, the communications and IT provider that serves about 90% of the world’s airlines, suffered a “highly sophisticated attack” on passenger data stored on its US-based servers. The compromised server, located in Atlanta, belongs to SITA Passenger Service System (SITA PSS), the SITA business that processes air passenger data and is owned by a number of SITA companies based in the European Union. Star Alliance members including Lufthansa, Air New Zealand and Singapore Airlines, as well as Oneworld members Cathay Pacific, Finnair, Japan Airlines and Malaysia Airlines, began notifying affected customers, and the Korean airline Jeju Air said its passenger data had also been taken.

3. Supply chain attacks

A supply chain attack is a threat that targets software developers and suppliers. The attacker gains access to the source code, the build process or the update mechanism and uses it to infect a legitimate application, so that the malicious code is distributed to every downstream user of the software under the developer’s or supplier’s name.

The software supply chain can be divided into three major stages: development, delivery and operation. Each stage can introduce supply chain security risk and be attacked, and a security problem in an upstream stage is passed on to, and amplified in, the downstream stages.

Attackers often break into the server behind a well-known official website and tamper with the software offered for download there, so that the software performs malicious actions once users download and install it. Because this malware arrives through a trusted distribution channel and may even carry the supplier’s own digital signature, it is far better concealed and much harder for security tools to detect.

In a ransomware attack, the attacker spreads malware that encrypts the victim’s data and then demands money from the business to restore it. When a supply chain attack is used as the delivery mechanism for ransomware, the damage is much greater, because a single compromised supplier reaches all of its customers at once.

In the Kaseya attack, for example, the security firm Huntress Labs published a Reddit post detailing how the VSA hack worked: the ransomware was pushed out as a fake “Kaseya VSA Agent Hot-fix” procedure, and the compromised VSA servers, which MSPs use to manage their customers, distributed that “hot-fix” to the endpoints under their management, where the malware encrypted the customers’ critical data and demanded a ransom.

  • Typical attack methods of supply chain attacks

According to the China Cybersecurity Report 2020, supply chain attacks were among the most influential advanced threats of 2020.

4. Supply chain attack prevention

4.1. Google SLSA Supply Chain Integrity Framework

On June 16, 2021, Google published a post on its security blog, “Introducing SLSA, an End-to-End Framework for Supply Chain Integrity,” introducing SLSA (Supply-chain Levels for Software Artifacts, pronounced “salsa”), a framework for ensuring end-to-end supply chain integrity.

  • Problems SLSA addresses:

    • Software producers want to protect their supply chains but do not know how;
    • Software consumers want to understand and limit their exposure to supply chain attacks but have no way to do so;
    • Signing individual artifacts protects against only a subset of the attacks we care about.
  • The standard SLSA develops is a set of guiding principles for software producers and consumers:

    • Software producers can follow the guidelines to make their software more secure;
    • Software consumers can make decisions based on the security posture of a software package.

SLSA is a set of incrementally adoptable security guidelines established by industry consensus and designed to prevent common supply chain attacks. It lists the possible attacks at each link of the development process and labels the attack points A to H, eight in total. At the same time, the three kinds of artifact that flow through the development process, source, dependency and package, are classified into security levels that reflect the integrity strength of the supply chain that produced them. The four SLSA levels are designed to be incremental and actionable and to protect against specific integrity attacks: SLSA 4 represents the desired end state, and the lower levels are milestones with correspondingly weaker integrity guarantees.

4.2. Supply chain threats in the development process

  • Development process supply chain threat map (figure)
  • The relevant definitions, as used in the SLSA post:

    • Source: an artifact that was directly authored or reviewed by people, without modification, and is fetched from a version control system;
    • Dependency: an artifact fetched during the build, for example a library or a base image;
    • Package: an artifact output by the build and delivered to consumers, for example through a package registry;
    • Build: the process that transforms a set of input artifacts (source and dependencies) into a set of output artifacts (packages);
    • Provenance: metadata about how an artifact was produced, including which builder built it, from which source and dependencies, and by what build steps.
  • Special case:

    • A zip archive of the source code is a package, not source, because it was generated by a build from another source; for example, the zip archive generated from a Git commit.
  • Development process supply chain threats, labelled A to H in the SLSA post, each with the real-world example the post gives:

    • A: Submit bad code to the source repository (the Linux “hypocrite commits”);
    • B: Compromise the source control platform (PHP);
    • C: Build with the official process but from code that does not match source control (Webmin);
    • D: Compromise the build platform (SolarWinds);
    • E: Use a bad dependency, i.e. threats A to H applied recursively to a dependency (event-stream);
    • F: Upload an artifact that was not built by the CI/CD system (Codecov);
    • G: Compromise the package repository (attacks on package mirrors);
    • H: Trick the consumer into using a bad package (Browserify typosquatting).

4.3. SLSA security level

The SLSA level of an artifact describes the integrity strength of its direct supply chain. There are four SLSA levels. SLSA 4 is currently the highest level and represents the desired end state; SLSA 1 to 3 give lower security guarantees but are easier to meet. In Google’s experience, reaching SLSA 4 can take many years and a great deal of effort, so the intermediate milestones matter.

  • Level definitions, as given in the SLSA post:

    • SLSA 1: the build process is fully scripted or automated and generates provenance. The provenance describes how the artifact was built, including the build platform, the top-level source and the dependencies; it is not yet authenticated, so it does not protect against tampering, but it gives consumers a basis for risk decisions.
    • SLSA 2: requires version control and a hosted build service that generates authenticated provenance. A consumer can trust the provenance as far as they trust the build service, which is the first step toward preventing tampering after the build.
    • SLSA 3: the source and build platforms meet specific standards that guarantee the auditability of the source and the integrity of the provenance, giving much stronger protection against specific classes of threat such as source tampering and build cross-contamination.
    • SLSA 4: requires two-person review of all changes and a hermetic, reproducible build process, giving a high degree of confidence that the software has not been tampered with.

4.4. SLSA security level requirements

SLSA defines the requirements for achieving each level as follows (from the SLSA post; each requirement applies at the level named and at every level above it):

  • Source requirements:

    • Version controlled: SLSA 2 and above;
    • Verified history: SLSA 3 and above;
    • Retained indefinitely: SLSA 3 (at least 18 months) and SLSA 4 (indefinitely);
    • Two-person reviewed: SLSA 4.
  • Build requirements:

    • Scripted build: SLSA 1 and above;
    • Build service: SLSA 2 and above;
    • Ephemeral environment: SLSA 3 and above;
    • Isolated: SLSA 3 and above;
    • Parameterless: SLSA 4;
    • Hermetic: SLSA 4;
    • Reproducible: SLSA 4 (best effort).
  • Provenance requirements:

    • Available: SLSA 1 and above;
    • Authenticated: SLSA 2 and above;
    • Service generated: SLSA 2 and above;
    • Non-falsifiable: SLSA 3 and above;
    • Dependencies complete: SLSA 4.
  • Common requirements (security, access, superusers): SLSA 4.
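As an added example (not code from the article or from the SLSA project), the following Python script shows what the SLSA 4 “reproducible” build requirement buys a verifier: a package is built from a constructed sample source tree, once naively and once with the build-environment fields pinned, and an independent rebuild is compared with the published package digest for digest. The source tree, the two build times and the “backdoor” edit are all constructed for the demonstration; the package format (tar.gz) is just a convenient stand-in for a real build output.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample source tree (path -> contents); not taken from the article.
SOURCE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "Makefile": b"all:\n\tcc -o app src/main.c\n",
}

# Two hypothetical build times (Unix seconds) on different days.
FIRST_BUILD_TIME = 1_625_184_000
REBUILD_TIME = 1_625_270_400


def build_package(source_tree, build_time, normalize):
    """Produce a .tar.gz 'package' from the source tree and return its bytes.

    With normalize=False the wall-clock build time leaks into every tar header
    and into the gzip header, and entries are written in the order the source
    tree happens to be iterated, so the same source yields different bytes
    whenever it is rebuilt. With normalize=True those environment-dependent
    fields are pinned and entries are sorted, which is what lets an
    independent rebuilder reproduce the output bit for bit.
    """
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        entries = sorted(source_tree.items()) if normalize else source_tree.items()
        for path, data in entries:
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mode = 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mtime = 0 if normalize else build_time  # build time leaks in here
            tar.addfile(info, io.BytesIO(data))
    # The gzip header carries its own timestamp; pin it as well.
    return gzip.compress(raw.getvalue(), mtime=0 if normalize else build_time)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def rebuild_matches(source_tree, published_digest, rebuild_time, normalize):
    """Verifier-side check: rebuild from the claimed source and compare digests.

    A match shows the published package really corresponds to this source. A
    mismatch means either the build is not reproducible or the published
    package was produced from something other than the claimed source.
    """
    return sha256_hex(build_package(source_tree, rebuild_time, normalize)) == published_digest


def run_checks():
    """Exercise the three cases a verifier cares about and return the outcomes."""
    # 1. Naive build: the same source rebuilt a day later does not match.
    naive_digest = sha256_hex(build_package(SOURCE_TREE, FIRST_BUILD_TIME, normalize=False))
    naive_matches = rebuild_matches(SOURCE_TREE, naive_digest, REBUILD_TIME, normalize=False)

    # 2. Reproducible build: the rebuild matches bit for bit despite the different time.
    repro_digest = sha256_hex(build_package(SOURCE_TREE, FIRST_BUILD_TIME, normalize=True))
    repro_matches = rebuild_matches(SOURCE_TREE, repro_digest, REBUILD_TIME, normalize=True)

    # 3. A package built from silently modified source (threat D, a compromised
    #    build platform) is caught: rebuilding from the real source gives a
    #    different digest. The edit below is constructed for the demonstration.
    tampered_tree = dict(SOURCE_TREE)
    tampered_tree["src/main.c"] = b"int main(void) { backdoor(); return 0; }\n"
    tampered_digest = sha256_hex(build_package(tampered_tree, FIRST_BUILD_TIME, normalize=True))
    tampered_matches = rebuild_matches(SOURCE_TREE, tampered_digest, REBUILD_TIME, normalize=True)

    return {
        "naive_rebuild_matches": naive_matches,
        "reproducible_rebuild_matches": repro_matches,
        "tampered_package_matches": tampered_matches,
    }


if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print(f"{name}: {outcome}")
```

The point of case 3 is that a reproducible build turns “trust the build platform” into “anyone can check the build platform”: the published digest is only accepted if an independent rebuild from the source named in the provenance yields the same bytes, so code injected at build time, as in the SolarWinds case, no longer has a signed artifact to hide behind.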

4.5. Application examples

Below is the application example given in the SLSA post. Each delivered artifact carries its own hash and the definition of the source it was built from, which keeps the entire chain of artifacts traceable and verifiable.
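As an added example (not code from the article or from the SLSA project), the following Python script builds a provenance statement of the kind described above, in the in-toto statement and SLSA v0.1 provenance format, wraps it in a DSSE envelope, and shows how a consumer checks it: the artifact’s hash must appear in the statement’s subject, the statement must be signed by a key the consumer trusts for the expected builder, and the source material must be the repository and commit the consumer expects. The builder URL, repository URL, commit, key IDs and artifact bytes are all hypothetical, and an HMAC key stands in for the builder’s real asymmetric signing key so that the script runs on the standard library alone.

```python
import base64
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.in-toto+json"
STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
PROVENANCE_TYPE = "https://slsa.dev/provenance/v0.1"

# Stand-in keys. Real provenance is signed with an asymmetric key (DSSE over an
# in-toto statement); HMAC keys are used here only so the example runs offline
# on the standard library. Only the first key is trusted by the consumer.
BUILDER_KEY = b"trusted-builder-signing-key-stand-in"
ATTACKER_KEY = b"attacker-signing-key-stand-in"

# Consumer policy for this artifact. Every identifier here is hypothetical.
POLICY = {
    "trusted_keys": {"builder-key-1": BUILDER_KEY},
    "trusted_builders": {"https://ci.example.com/slsa-builder"},
    "expected_source": "git+https://git.example.com/acme/app",
    "expected_commit": "0123456789abcdef0123456789abcdef01234567",
}


def pae(payload_type, payload):
    """DSSE pre-authentication encoding: the bytes that are actually signed."""
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(), len(payload), payload)


def sign(key, payload_type, payload):
    return hmac.new(key, pae(payload_type, payload), hashlib.sha256).digest()


def make_provenance(artifact, name, source_uri, commit, builder_id, keyid, key):
    """Builder side: emit a DSSE envelope wrapping a SLSA v0.1 provenance statement."""
    statement = {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": name, "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": PROVENANCE_TYPE,
        "predicate": {
            "builder": {"id": builder_id},
            "recipe": {"type": "https://example.com/Makefile", "definedInMaterial": 0, "entryPoint": "build"},
            "materials": [{"uri": source_uri, "digest": {"sha1": commit}}],
        },
    }
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sign(key, PAYLOAD_TYPE, payload)).decode()}],
    }


def verify(artifact, envelope, policy):
    """Consumer side: return the list of policy failures; an empty list means accept."""
    payload = base64.b64decode(envelope["payload"])
    authenticated = False
    for s in envelope.get("signatures", []):
        key = policy["trusted_keys"].get(s.get("keyid"))
        if key is not None and hmac.compare_digest(
                base64.b64decode(s["sig"]), sign(key, envelope["payloadType"], payload)):
            authenticated = True
            break
    if not authenticated:
        # Nothing inside an unauthenticated payload can be trusted, so stop here.
        return ["provenance not signed by a trusted key"]
    failures = []
    stmt = json.loads(payload)
    if stmt.get("_type") != STATEMENT_TYPE or stmt.get("predicateType") != PROVENANCE_TYPE:
        failures.append("unexpected statement or predicate type")
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest for s in stmt.get("subject", [])):
        failures.append("artifact digest not in provenance subject")
    predicate = stmt.get("predicate", {})
    if predicate.get("builder", {}).get("id") not in policy["trusted_builders"]:
        failures.append("untrusted builder")
    if not any(m.get("uri") == policy["expected_source"]
               and m.get("digest", {}).get("sha1") == policy["expected_commit"]
               for m in predicate.get("materials", [])):
        failures.append("source material does not match expected repository and commit")
    return failures


def run_checks():
    """Run the consumer check against one honest and three hostile cases."""
    artifact = b"\x7fELF constructed sample artifact bytes\n"  # constructed, not a real binary
    builder = "https://ci.example.com/slsa-builder"
    good = make_provenance(artifact, "app-1.0.tar.gz", POLICY["expected_source"],
                           POLICY["expected_commit"], builder, "builder-key-1", BUILDER_KEY)
    # Threat G: the package was swapped in the repository after the build.
    tampered_artifact = artifact + b"\x90"
    # Threat A/C: the trusted builder honestly reports building a different commit.
    wrong_source = make_provenance(artifact, "app-1.0.tar.gz", POLICY["expected_source"],
                                   "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef", builder,
                                   "builder-key-1", BUILDER_KEY)
    # Threat F: the attacker built it elsewhere and forged provenance naming the
    # trusted builder, but can only sign it with their own key.
    attacker_signed = make_provenance(artifact, "app-1.0.tar.gz", POLICY["expected_source"],
                                      POLICY["expected_commit"], builder, "builder-key-1", ATTACKER_KEY)
    return {
        "good": verify(artifact, good, POLICY),
        "tampered_artifact": verify(tampered_artifact, good, POLICY),
        "wrong_source": verify(artifact, wrong_source, POLICY),
        "attacker_signed": verify(artifact, attacker_signed, POLICY),
    }


if __name__ == "__main__":
    for case, failures in run_checks().items():
        print(f"{case}: {'accepted' if not failures else failures}")
```

The order of the checks is deliberate: the signature is verified before any field of the payload is read, because an attacker who can rewrite the payload can make every other check pass. Note also that a valid signature from a trusted builder is not enough on its own (this is the article’s point that a signed artifact can still be malicious); the consumer must additionally pin the source repository and commit it expects the artifact to have been built from.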

5. To summarize

  • Supply chain attacks are becoming one of the most damaging cyber threats, and they are occurring more and more often;
  • A supply chain attack is hard for a downstream user to defend against, because the malware arrives through the upstream supplier’s official release channel with a valid signature;
  • A software developer must not only manage the defects of the open source software it uses, but also improve its own risk management so that it can identify malicious changes in its development process and trigger tracing and prevention measures;
  • Google’s SLSA supply chain integrity framework comprehensively considers the security threats that can be introduced at every link of the supply chain and provides an effective method of preventing supply chain attacks;
  • It is therefore a good reference for hardening our own development process against supply chain attacks.

6. Reference

  • Microsoft: Supply chain attacks
  • Google: Introducing SLSA, an End-to-End Framework for Supply Chain Integrity
  • Ransomware group REvil launches supply chain attack, demanding $70m ransom
  • Massive supply chain attack hits several airlines
  • Analysis of the SolarWinds software supply chain attack
  • Insights into RSA 2021: how to defend against the much-discussed “supply chain attack”?
  • 5 Ways Your Software Supply Chain Is Out to Get You, Part 5: Hostile Takeover
  • RSA Innovation Sandbox: Apiiro, Code Risk Platform
  • Top 5 tips to prevent the SolarWinds (Solorigate) attack
  • Explore the six most common types of software supply chain attacks
