Supply Chain Attacks: Lessons from XZ to Crowdstrike and Future Implications
Globalisation and digitalisation have made many aspects of the world economy heavily reliant on technology such as smartphones and notebooks which in turn are dependent on regular software and security updates from the manufacturers. This intricate network of entities, resources, goods and services forms a supply mesh that enables international trade, travel and commerce as we know it today.
To enable these software updates, a certain level of implicit trust is afforded to a company when it pushes updates to their devices so that they are free of malware and error. This implicit level of trust makes supply chain attacks a tempting prospect for threat actors. By gaining access to a manufacturer’s infrastructure, threat actors are able to inject malware into legitimate software updates, making it potentially one of the most effective and dangerous attack vectors possible. This attack vector is not a new idea, with recent attempts like ShadowPad, CCleaner and ShadowHammer in recent years show that a determined attacker can get to the most protected networks. However, the recent Crowdstrike incident has demonstrated the significance of the supply chain and the unprecedented scale of an impact if something goes wrong, opening up new questions as to the vulnerability of supply chains and our dependency on them today.
Crowdstrike – The Day the Earth Stood Still
Starting on Friday, 19 July 2024, 04:09 UTC for a span of approximately two to three days, the world economy ground to a halt thanks to a content configuration update released by CrowdStrike, a US-based cybersecurity company that is one of the few companies afforded with kernel privileges to the Windows operating system.
“The configuration update for Crowdstrike should have been a routine, a regular update to the protection mechanisms of their Falcon platform, gaining telemetry and detecting possible novel threat techniques for the Windows platform. Unfortunately, this update resulted in a never-ending reboot spiral for over 8.5 million Windows machines across the world,” said Vitaly Kamluk, Cybersecurity expert of Global Research & Analysis team (GReAT) at Kaspersky.
According to the media, critical infrastructure like hospitals, banks, airlines and more including critical government infrastructure such as the United States NASA, Federal Trade Commission, National Nuclear Security Administration, 911 call centres for emergencies, government websites in the Philippines and more that had systems running Windows which were protected by Crowdstrike were affected by the erroneous update and unable to do business. At present, this could be considered the worst outage in history with an unprecedented amount of financial damage.
Affected systems include Windows hosts running sensor version 7.11 and above that were online between Friday, July 19, 2024, 04:09 UTC and Friday, July 19, 2024, 05:27 UTC and received the update. Mac and Linux hosts were not impacted. Ultimately, this scenario was not instigated by any APTs but by an erroneous software update that showed the potential aftermath of a perfectly executed supply chain attack. This however is not the first incident of a supply chain failure as prior incidents have occurred before such as the compromise of the Linux XZ library in a sophisticated operation.
Linux XZ – A Wolf in Sheep’s Clothing Brought to Light
Earlier in 2024, the Linux XZ Utils project, a set of free data compression command-line tools and a library were found to be compromised in a supply-chain nature of attack. The attack was a highly complex and sophisticated backdoor which was masterfully obfuscated and hidden to hook and tamper the logic of OpenSSH, an implementation of Secure Shell (SSH), to enable unauthorised access. SSH is also the name for a cryptographic network protocol to securely operate devices including enterprise servers, IoT devices, network routers, network-attached storage devices and more.
At present, tens of millions of home appliances connected to the Internet of Things (IoT), millions of servers, data centres and network equipment are reliant on SSH which can potentially lead to a catastrophe that would dwarf the Crowdstrike incident. Open-source software company Red Hat noted that this incident is tracked in the NIST National Vulnerability Database as case CVE-2024-30942 with a maximum severity score of 10, acknowledging its potential for exploitation by malicious threat actors.
Forensic analysis revealed that the commits were made by a GitHub user with the username JiaT75 also known as ‘Jia Cheong Tan’ who joined the XZ Utils project team and contributed to the XZ project in 2021. The identity of JiaT75 is a matter of speculation as it could be multiple threat actors working off a single account though it was known that the account operated using a Singapore VPN and, in the UTC,+8 time zone.
Like a wolf in sheep’s clothing, JiaT75 then built trust over time by socialising with other contributors and offering positive contributions to ultimately gain control to maintain the XZ project archive and gain privileges to merge commits. It was discovered that the XZ/libzma build was modified and cloaked with a series of complex obfuscations, becoming a dependency for SSH on some operating systems, essentially allowing unfettered access to infected systems.
This incident was fortunately detected in time and research is ongoing but highlights that social engineering in combination with the nature of open-source software remains another viable avenue for a supply chain attack.
Kaspersky experts conducted a comprehensive analysis of the case, which included examining the social engineering tactics involved.
What Does the Supply Chain Threat Landscape Bode for an AI-Integrated Future?
AI is increasingly becoming integrated into society with aspects of AI being used to optimise infrastructure in smart cities and enhance healthcare, education, agriculture and more. As with any technology, AI is not infallible as it is dependent on learning models and training to derive meaningful input which can be subject to supply chain attacks by injecting malicious input. “Potential avenues of a supply chain attack on AI would be to manipulate the training data and introduce biases and vulnerabilities into the model or modify the AI models with altered versions so that it would produce incorrect outputs,” says Vitaly. He adds that such behaviour could potentially be difficult to detect, allowing malicious activities to go unnoticed for extended periods.
For APTs playing the long game, supply chain attacks can lie quietly waiting for the right target while potentially obfuscating the malware payload, hiding it as a legitimate file and placing extended tools within a trusted company’s infrastructure to facilitate higher level access or ultimately a full system compromise. Far worse is the long-term possibility of bugs or flaws being introduced into supply chain attacks focused on AI that would degrade its capabilities and quality over time, making it the equivalent of a time bomb, impacting crucial systems with a wide reach or critical importance.
Readily available large language model (LLM) AIs such as ChatGPT, CoPilot and Gemini can be manipulated to help in creating convincing spear phishing attacks while AI deepfakes can be used to mimic important personnel, which resulted in the loss of US$25 million in Hong Kong when a threat actor mimicked the image of a company’s chief financial officer to disburse the funds.
For nearly two decades, the specialists at Kaspersky’s AI Technology Research Center have been at the forefront of applying artificial intelligence to cybersecurity and developing Ethical AI. The team’s AI expertise is integrated into various Kaspersky products, improving everything from AI-enhanced threat detection and alert prioritisation to threat intelligence powered by generative AI.
To address this potential threat landscape of supply attacks, organisations have a number of strategies. “In addition to best cybersecurity practices, organisations need to conduct mitigation strategies to manage or minimise the potential impact of a supply chain attack in their infrastructure,” says Vitaly. Among the strategies are rigorous testing before builds go live, thorough tools integrity and strict manufacturing control, model version numbers and model validation to track changes and versions, continuous monitoring for anomalies, digital signatures for builds and regular security audits.
More information about this activity can be found at Kaspersky