Supply Chain Attack: Difference between revisions
No edit summary |
|||
(2 intermediate revisions by the same user not shown) | |||
Line 7: | Line 7: | ||
'''[[SolarWinds]]''' <br/> | '''[[SolarWinds]]''' <br/> | ||
''SunBurst Attack'' <br/> | ''SunBurst Attack'' <br/> | ||
SolarWinds customers | In March 202, SolarWinds customers began experiencing a Russian-state-sponsored cyberattack that inserted a vulnerability called Sunburst into the Orion Platform (versions 2019.4 HF 5, 2020.2 unpatched, and 2020.2 HF 1). It allowed the attackers to compromise the servers running Orion products. The code was used in a targeted way to the extent that its exploitation required manual intervention. SolarWinds worked with [[CrowdStrike]] and [[KPMG]] to identify a component of Sunburst called Sunspot, which was responsible for injecting the Sunburst malicious code into the Orion Platform during the build process. Other components of the Sunburst malware chain include Teardrop and Raindrop.<ref>[https://www.solarwinds.com/sa-overview/securityadvisory#anchor2 Security Advisor, SolarWinds]</ref> | ||
''''Asus'' & '''CCleaner'''<br/> | |||
In July 2017, security analysts discovered Barium (aka ShadowHammer, ShadowPad, Wicked Panda), which is a Chinese hacker group that uses supply chain attacks as their core tool. They seed infections to many victims and then sort them to find espionage targets. This group infiltrated Asus and infected users through software updates and infected other users through CCleaner.<br/> | |||
''' Maersk'''<br/> | |||
In June 2017, NotPetya, a Russian hacker group's malware, spread by disguising itself as a legitimate software update. First, it hijacked Ukrainian accounting software and then seeded a worm that caused a record-breaking US$10 billion in damages around the world, including at the shipping company Maersk, which spent over a week on manually recovering its active directory.<ref>[https://www.mcafee.com/enterprise/en-us/security-awareness/ransomware/petya.html Petya vs NotPetya, McAfee]</ref><ref>[https://www.semperis.com/blog/notpetya-flashback-the-latest-supply-chain-attack-puts-active-directory-at-risk-of-compromise/ NotPetya Flashback, Semperis]</ref> | |||
'''Target''' | |||
At Target, 70 million credit and debit card accounts were impacted between Nov. 27 and Dec. 15, 2013.<ref>[https://corporate.target.com/press/releases/2013/12/target-confirms-unauthorized-access-to-payment-car Unauthorized Access Confirmed, Target Press Release]</ref> The hacker, identified as “Profile 958,” was likely Ukrainian Andrey Hodirevski, and he used [[Scan4You]] to avoid detection by Target's mainstream virus-detection service. The files tested in Scan4You were also used to figure out where payment information was stored.<ref>[https://www.washingtonpost.com/local/public-safety/hacker-linked-to-target-data-breach-gets-14-years-in-prison/2018/09/21/839fd6b0-bd17-11e8-b7d2-0773aa1e33da_story.html Hacker Linked to Target breach gets 14 years, Washington Post]</ref> | |||
==References== | ==References== |
Latest revision as of 15:37, 26 July 2021
A Supply Chain Attack is when a threat actor makes use of unsecured network protocols, unprotected server infrastructures, or unsafe coding practices. The supply chain attacker breaks in, changes source codes, and hides malware in build and update processes.[1]
Recent Attacks
Recently, criminals have targeted the following software vendors and IT services companies to infect their clients:
Kaseya
On July 2, hackers breached this Florida-based IT management software company. Kaseya specializes in monitoring and controlling the computer networks of “managed service providers” that sell their IT and cybersecurity services to hundreds of thousands of small- and medium-sized businesses. After the hackers infected 50 of Kaseya's managed service providers, they were able to enter the systems of those companies' 1,500 clients. The hackers encrypted the victims’ data and demanded US$50 million in exchange for the key.[2]
SolarWinds
SunBurst Attack
In March 202, SolarWinds customers began experiencing a Russian-state-sponsored cyberattack that inserted a vulnerability called Sunburst into the Orion Platform (versions 2019.4 HF 5, 2020.2 unpatched, and 2020.2 HF 1). It allowed the attackers to compromise the servers running Orion products. The code was used in a targeted way to the extent that its exploitation required manual intervention. SolarWinds worked with CrowdStrike and KPMG to identify a component of Sunburst called Sunspot, which was responsible for injecting the Sunburst malicious code into the Orion Platform during the build process. Other components of the Sunburst malware chain include Teardrop and Raindrop.[3]
''Asus & CCleaner
In July 2017, security analysts discovered Barium (aka ShadowHammer, ShadowPad, Wicked Panda), which is a Chinese hacker group that uses supply chain attacks as their core tool. They seed infections to many victims and then sort them to find espionage targets. This group infiltrated Asus and infected users through software updates and infected other users through CCleaner.
Maersk
In June 2017, NotPetya, a Russian hacker group's malware, spread by disguising itself as a legitimate software update. First, it hijacked Ukrainian accounting software and then seeded a worm that caused a record-breaking US$10 billion in damages around the world, including at the shipping company Maersk, which spent over a week on manually recovering its active directory.[4][5]
Target
At Target, 70 million credit and debit card accounts were impacted between Nov. 27 and Dec. 15, 2013.[6] The hacker, identified as “Profile 958,” was likely Ukrainian Andrey Hodirevski, and he used Scan4You to avoid detection by Target's mainstream virus-detection service. The files tested in Scan4You were also used to figure out where payment information was stored.[7]