To avoid supply chain attacks, organizations should check all software updates before installing them, according to the European agency ENISA. The European Union Agency for Cybersecurity (ENISA) says that half of all supply chain attacks were carried out by “well-known APT groups”, so “new methods of protection” against them need to be encouraged.
Of the 24 supply chain cyberattacks studied by ENISA since January 2020 (including the attacks on Accellion, SolarWinds, Kaseya, Fujitsu ProjectWeb and the BigNox NoxPlayer Android emulator), 12 were carried out by APT groups, and 10 were not attributed to anyone.
The ENISA study serves as a tutorial on supply chain attacks, which typically target B2B software vendors with a large customer base. Once a vendor is compromised, the attackers move into its customers’ networks, usually with the intent of stealing data and deploying ransomware.
ENISA criticized vendors for either not knowing, or not publicly disclosing, how they were compromised.
The UK is using Brexit to reduce EU incident reporting requirements, and perhaps the EU will follow the UK’s example.
In light of the above, ENISA has proposed its own taxonomy for analyzing supply chain attacks. According to the agency, the MITRE ATT&CK and Lockheed Martin Cyber Kill Chain frameworks are “too generic.”
While the advice given by the agency seems reasonable at first glance, it is not so easy to follow.
The most prominent supply chain attack of recent years was the compromise of the SolarWinds Orion software. The attackers compromised the systems of the vendor SolarWinds in order to plant a backdoor in an update of the Orion network management and monitoring software. The goal was for SolarWinds customers to install the malicious update so that the attackers could eventually gain access to the networks of the victims they were interested in.
The malicious update was installed by 18,000 SolarWinds clients. The update was delivered via the official channel, and the backdoor was hidden in a signed .dll file, so no one suspected anything. There is little or no chance that a typical organization that is a client of a software vendor would somehow have guessed that there was a backdoor in the update.
However, it is not possible to oblige every organization to develop disassemblers, source editors, and network and memory analysis tools, and to employ staff capable of using them to test every update, whether open source or closed source.
Let me remind you that we wrote, for example, that the US government reclaimed most of the Colonial Pipeline ransom.