I started my previous post with this sentence: “With the Kaseya attacks, we have another blockbuster supply chain attack like SolarWinds.” However, I pointed out that I would discuss the attack in a subsequent post. Here it is.
After I wrote the previous post, I began to question whether this really was a supply chain attack. It certainly wasn’t, if you take the view (which I took until a day or two ago) that a supply chain attack on software had to be the result of a deliberate insertion of malware or a backdoor into a software product, which is of course exactly what happened with SolarWinds.
The fact that the Russian attackers (this time part of the Russian state, not the fast-growing Russian hacking industry, although it’s in fact very hard to tell the difference between the two) were able to plant the malware in the SolarWinds Orion builds means there was some deficiency on the part of SolarWinds that let them do that. And if the supplier might have prevented the attack through their actions (even though it might have been hard to do), that’s a supply chain attack.
By this view, if an attacker simply takes advantage of a vulnerability in a software product after it is installed, that isn’t a supply chain attack – it’s simply a garden-variety attack on software. Those attacks happen all the time. Even if the supplier has good vulnerability management and patching policies, they can’t prevent new vulnerabilities from emerging – they can only patch them quickly when they emerge, or take other mitigation measures if they can’t be patched quickly. And they can make sure their developers understand secure software development principles, so that new vulnerabilities don’t spring up more than they need to (there’s no way to write software that’s guaranteed never to develop vulnerabilities, as researchers are continually discovering new ways in which seemingly innocuous lines of code actually constitute a vulnerability).
Then why do I say the Kaseya attack was a supply chain attack? It’s because the vulnerability was a zero-day, and the attackers may have learned of it through eavesdropping on Kaseya’s communications with the Dutch firm that discovered the vulnerability and notified them of it. But, if it’s not the case that their communications were breached (and this is just speculation in something I read), how could Kaseya possibly be responsible for the fact that they were subject to a zero-day vulnerability?
And here’s where it gets subtle: there are ways that a software supplier can learn of zero-day vulnerabilities, including maintaining good relationships with the security researcher (i.e. white hat) community and offering bug-bounty programs. Moreover, they can move very quickly to patch any zero-day that they learn about, vs. following the natural inclination to think “This isn’t publicly known yet, so we have at least a little time to deal with this.”
Did Kaseya have any of these policies in place? I don’t know about the relationships with security researchers or bug bounty programs, but I do know that they hadn’t been able to produce a patch for the vulnerability (and still may not have, according to the report I read in the Wall Street Journal today), despite being told about the vulnerability at least a few days before the successful attack. That’s why I say the Kaseya attack was a supply chain attack.
However, there’s another “level” to this attack. The reason that so many organizations (1,500, by the last estimate I read) were compromised by ransomware was that at least some of Kaseya’s own customers were MSPs. The attackers were able to compromise an MSP’s customers because they had compromised the MSP itself. So this was a true two-level supply chain attack, the first I’ve heard of. What’s next?
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the National Technology and Information Administration’s Software Component Transparency Initiative, for which I volunteer. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.