Introduction

Understand supply chain attacks to defend against them

Supply chain attacks in the cloud continue to grow as an emerging threat. However, much remains misunderstood about both the nature of these attacks and how to defend against them. To gain insight into this growing threat, Palo Alto Networks Unit 42® cloud threat researchers analyzed data from a variety of public data sources around the world. Additionally, they executed a Red Team exercise at the request of a large SaaS provider against their cloud-hosted software development environment. Unit 42’s findings indicate that many organizations may still be lulled into a false sense of supply chain security in the cloud.

This report draws on Unit 42’s analysis of past supply chain attacks. It explains the full scope of supply chain attacks, discusses poorly understood details about how they occur, and recommends actionable best practices organizations can adopt today to protect their supply chains in the cloud.

matt signature Matthew Chiodi
Chief Security Officer, Cloud
Watch the video
Short for time? Read the Executive Summary
Supply chain attacks are not a new threat

While the SolarWinds incident was the first major software supply chain attack to make international headlines, it wasn’t the first of its kind. Unit 42 researchers have been tracking significant attacks that have occurred to date, including some as early as 2015.

  • September 2015XcodeGhost: An attacker distributed a version of Apple’s Xcode software (used to build iOS and macOS applications) that injected additional code into iOS apps built using it. This attack resulted in thousands of compromised apps identified in Apple’s App Store®.
  • March 2016KeRanger: Transmission, a popular open-source BitTorrent client, was compromised through the injection of macOS ransomware into its installer. Users who downloaded and installed the program would be infected with malware that held their files for ransom. Attackers injected the ransomware by taking control of the servers used to distribute Transmission.
  • June 2017NotPetya: Attackers compromised a Ukrainian software company and distributed a destructive payload with network-worm capabilities through an update to the “MeDoc” financial software. After infecting systems using the software, the malware spread to other hosts in the network and caused a worldwide disruption that affected thousands of organizations.
  • September 2017CCleaner: Attackers compromised Avast’s CCleaner tool, used by millions to help keep their PCs working properly. The compromise was used to target large technology and telecommunications companies worldwide with a second-stage payload.

In each of these breaches, attackers compromised software development pipelines. They then used the trust placed in them to gain access to other networks.

Download the Infographic Significant Supply Chain Attacks
RESEARCH TECHNIQUES
How to own a cloud supply chain

During a Red Team exercise commissioned by a Palo Alto Networks customer, Unit 42 researchers were able to masquerade as malicious developers with limited access to an organization’s Continuous Integration (CI) environment and attempt to gain administrative rights to the larger cloud infrastructure. This operation demonstrated how a malicious insider could harvest a CI repository and gain access to sensitive information.

  • The Unit 42 team was able to download every GitLab repository from the customer’s cloud software storage location. This allowed them to identify nearly 80,000 individual cloud resources within 154 unique CI repositories.
  • Within the repositories, researchers found 26 hardcoded IAM key pairs. This allowed them to escalate their privileges and access the customer’s supply chain operations.

Supply chain attacks are not a new threat
Download the Infographic Inside the Complexity of a Cloud Supply Chain
KEY FINDINGS

Why it Matters: The customer’s integration of AWS GuardDuty with a Cloud Security Posture Management platform was essential to the detection of the attack. In this case, they used Palo Alto Networks Prisma Cloud. However, because the customer only configured one of the accounts properly, only a small fraction of the overall malicious activity came to light in the SOC.

Why it Matters: Due to the use of Infrastructure-as-Code (IaC) tools that often borrow and reuse multiple layers of third-party resources, supply chain vulnerabilities can quickly snowball. Although the deployed infrastructure in the example below will fully function, the default configurations of the dependent packages may not be secure. If any of them are compromised, millions of connected cloud environments could become vulnerable to attacks – much like those in recent history.

IaC security means supply chain security
Read the report
Bill of materials visibility is critical

The key takeaway from this report is that gaining visibility into every cloud native workload through shift-left security is critical. Despite much talk in the security community about shifting left, organizations are still very much neglecting DevOps security due in part to a lack of attention to supply chain threats.

Download the Summary Infographic Supply Chain Security Findings
THREAT REPORT

Unit 42 Cloud Threat Report, 2H 2021

Download now
PRISMA CLOUD

See how Prisma Cloud can address the cloud threats in your enterprise.

Learn more

Get the latest news, invites to events, and threat alerts