#BSidesBelfast: Supply Chain Attacks Will Hit Code Repositories Next

Written by

Supply chain attacks continue to be a reality for businesses, and are easier for adversaries.

Speaking at Bsides Belfast 2019, Cisco Talos security researchers Edmund Brumaghin and Nick Biasini explained that supply chains begin with a raw material that goes to a supplier, a manufacturer and distributor, and with so many people involved in the process, it is easy for an attacker to step in. 

Highlighting cases from the past, including the Gunman project, which revealed the first keylogger created by the Russians in typewriters in US embassies in “the first known interdiction attack.”  

“Hardware attacks today don’t exist, and there are reasons for it,” Biasini said, highlighting circuit boards that have chips and traces, and the hundreds and thousands of people whose job it is to strip chips and layers that it would be “extremely difficult and noisy” to compromise one device, and an attacker would need to interfere with all devices on an assembly line.

Looking at software supply chain attacks, Brumaghin said that this is more of a soft target, and pointed at the NotPetya attack, as it compromised the Ukranian M.E.Doc software, as well as the Ccleaner compromise, where the software was targeted with a malicious version made available as a download.

There are also more current cases, such as altered code in Webmin and PHPear, while Biasini said that “a gigantic target” exists in browser extensions as an attacker “can hit a huge amount of systems and do click fraud with little difficulty.”

Biasini also said that open source has become a massive target, as adversaries realize that they do not need to compromise different systems and can focus on anywhere, writing and sharing code. He also called advertising networks “a disaster as so many systems, domains and processes can be infected along the way.”

In terms of defense, they recommended “covering all of the bases,” including:

  • Asset identification
  • Patching
  • Segmentation
  • User access control
  • File access control
  • User education
  • Threat hunting

Also, the speakers advised to document and validate all network connections, document data sent from the client and “scrutinize incoming network connections” and push security to vendors, “as controls don’t just apply to your environment anymore.”

Biasini concluded by stating that supply chains are where an adversary can come in as “if they cannot get in via the front door, they will come in via the supply chain.”

What’s hot on Infosecurity Magazine?