Software Supply Chain Attack Methods Behind Solarwinds, Kaseya, and Notpetya and How to Prevent Them

Beyond Identity Blog | Thursday, October 28, 2021

In the last few years, supply chain attacks have become a top-of-mind security concern for many organizations. The 2020 SolarWinds attack demonstrated to many organizations the potential impact of a supply chain exploit. If attackers can insert malicious code into the source code of a trusted vendor’s products, then many companies lack the visibility and defenses needed to protect against this.

Software supply chain attacks are enabled by the rapid speed of modern agile development methodologies. A failure to integrate security into every stage of the development process not only increases the number of vulnerabilities that exist in production code but also creates opportunities for attackers to inject malicious code into trusted products. 

Here are the stories of the most famous software supply chain attacks to date and how the cybercriminals behind them were able to pull them off.

Solarwinds

The SolarWinds attackers exploited access to the company’s network and poor internal security policies to plant a backdoor so they could update code in the company’s Orion product. Orion is a network monitoring tool used by some of the largest private and public organizations in the US. Orion’s visibility into traffic flowing over these networks provided the attackers with access to emails and other sensitive information.

The SolarWinds attackers exploited a series of security holes (including the very weak password of “solarwinds123”) to gain access to the company’s development environment. Once inside, they targeted a plug-in called SolarWinds.Orion.Core.BusinessLayer.dll, which is shipped with every update to the Orion tool.

The attackers inserted malicious code into this DLL inside of the development pipeline and before code signing occurred. SolarWinds overlooked the modifications to the code and digitally signed the backdoored version and pushed it out with the next update. The Orion software receiving this update trusted it - due to its valid digital signature - and installed it, providing the attacker with backdoor access to their environments.

SolarWinds was the most significant cyberattack of 2020. An estimated 18,000 organizations were impacted by the attack, including both public companies and US government organizations. On average, the cost of the attack to each impacted company is estimated at $12 million.

Kaseya

Kaseya’s Virtual System Administrator (VSA) is designed to allow Managed Service Providers (MSPs) to remotely monitor and manage the networks of their clients. In July 2021, Kaseya revealed that an attacker had identified and exploited a vulnerability in the VSA. This exploit allowed the attackers to deploy the REvil ransomware to the MSPs and their customers that were managed using VSA.

The attackers exploited an authentication bypass vulnerability in VSA’s web interface. This allowed the attackers to gain authenticated access to VSA systems and to upload malicious payloads and execute commands by exploiting an SQL injection vulnerability. 

By exploiting a VSA server in an MSP’s network, the attacker was able to send malicious updates out to MSP client customers' systems. This led to the REvil ransomware being installed on devices. Since Kaseya VSA agents’ folders are exempt from antivirus inspection, the malware was installed and executed without interference.

While the Kaseya attackers gained access to a relatively small number of MSPs’ environments, they were able to leverage that access to infect between 800 and 1,500 small to medium-sized businesses with REvil ransomware. The ransomware gang demanded a $70 million ransom from Kaseya, but the company received a universal decryption key from a trusted third-party that enabled them and their customers to recover from the attack.

NotPetya

NotPetya was a malware wiper deployed primarily against Ukraine in 2017. Its name came from its resemblance to the Petya ransomware. However, unlike Petya, NotPetya was not designed to save the encryption keys used to encrypt target systems, making it impossible to decrypt the data and recover.

NotPetya was a targeted supply chain attack against organizations in Ukraine. The attackers gained access to the accounting firm MeDoc and injected malicious code into their software. This software was widely used by Ukrainian businesses for tax reporting, enabling it to infect many Ukrainian businesses. 

NotPetya was one of the most devastating cyberattacks in history. The ransomware wiper caused an estimated $10 billion in damages due to its infection of multinational corporations such as Maersk.

Preventing Software Supply Chain Attacks

Software supply chain attacks are made possible by companies leaving security until the end of the development process. Malicious code injected into the development pipeline is considered trusted because the release as a whole is digitally signed at the end of the process.

Preventing software supply chain attacks requires shifting security left and validating the provenance of code before incorporating it into production releases. Instead of validating and signing code at the end of the process, code should only be accepted into release candidates if it is known to originate from a reputable source.

Beyond Identity improves code security and defends against supply chain attacks by moving code signatures from the end of the development process to the beginning. Code commits are digitally signed using keys tied to a particular developer and device before being accepted by code repositories. Learn more about improving your software security and protecting against supply chain attacks with Beyond Identity Secure DevOps.