The Digital Supply Chain Breaches of 2022

Attacks on the digital supply chain were one of the most prominent trends in 2022, as cyber criminals evolved their TTPs to break into lucrative digital suppliers that got the cybersecurity community to take notice and take action.

Experts are preparing the industry for this trend to continue as well. According to leading analyst firm Gartner Research, a dire prediction has been made for digital suppliers: by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains – a three-fold increase from 2021.

With purchased credentials from the dark web, sophisticated social engineering, and hacking expertise, cyber criminals can now break into nearly any target undetected and evade the technology that defenders are using to achieve their objectives.

That’s how today’s modern digital supply chain entered the cybersecurity breach news in 2022 and is now taking center stage in 2023.

Third Party Security (or Lack thereof) in 2022

According to IBM’s Cost of Data Breach Report 2022, the average global cost of a data breach reached $4.35M. In the U.S., the average cost rises to $9.44M, due to higher labor costs and compliance fines unique to U.S. operations.

Meanwhile, the report also revealed two other important findings that demonstrate the need for improving third party security in the supply chain:

  • 19% of reported breaches in 2022 occurred because of a compromise at a business partner; and,
  • 13% of reported breaches began with an exploited vulnerability in third-party software.

Considering the costs and potential downstream impacts associated with these types of attacks, it’s important to understand why digital suppliers are being attacked in the first place.

Why would cyber criminals target the digital supply chain?

Because of the ability for cyber criminals to successfully use third party data stolen in cyber attacks, and then combine that stolen data with evolved TTPs, digital suppliers and digital vendors have become the new favorite target for cyber criminals around the world. These digital suppliers work with nearly every online organization today in some capacity.

What’s alarming about this trend are the types of harvested data the attackers are stealing from third-party and fourth-party digital suppliers – and who else would want to use it. These digital suppliers not only attract cyber crime gangs looking for low-hanging fruit or fast profit – they also attract the attention of nation states intent on causing disruption and chaos to modern life.

It’s common for nation states to collaborate with cyber criminals. It’s a win-win scenario. A nation state can provide safe harbor in exchange for stolen data and threat intelligence. Meanwhile, when cyber criminals have safe harbor within a nation state, they can use the nation state’s data centers and internet infrastructure to conduct attacks across borders, such as international phishing campaigns and DDoS attacks. When requested, these criminals share intelligence so they can remain in the nation state’s borders and not be extradited and tried for their cyber crimes. Meanwhile, nation states can use the cyber criminals’ intelligence to affordably attack enemy targets without incurring the expense of a modern national cybersecurity program.

When cyber criminals are stealing API keys and access tokens which can then be used as a vectors to conduct sophisticated attacks against lucrative targets, such as enterprises that support critical infrastructure, healthcare, financial services, and government operations – it’s time to pay attention to how the evolution of cyber crime is changing fast. Because when there is cyber attack on the supply chain, downstream impacts affect local communities, emergency systems, and energy supplies – as demonstrated in the 2021 JBL Pipeline breach. Attacks on the digital supply chain could have similar downstream impacts.

Top Digital Supply Chain Breaches from 2022

The following ten digital supply chain breaches were some of the most impactful breaches in all of 2022. These particular IT security breaches were selected due to the sensitive nature of supplier’s relationship to their customers’ digital infrastructure and code in the CI/CD pipeline.

For example, when popular CI/CD tools such as Travis CI and Heroku incidents led to a breach at GitHub, GitHub stated in a public statement that the attacker selectively targeted organizations for downloading their private repositories. GitHub initially disclosed the security breach on April 15, 2022, when the threat actor accessed GitHub’s npm production infrastructure.

GitHub security researchers confirmed the attack was conducted using OAuth tokens stolen from digital suppliers Travis CI and Heroku: “This pattern of behavior suggests the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories. GitHub believes these attacks were highly targeted based on the available information and our analysis of the attacker behavior using the compromised OAuth tokens issued to Travis CI and Heroku.”

Read on to see if you partner with any of these third party digital suppliers, and the top takeaways and lessons learned that organizations need to know to improve their third party security with vendors and digital suppliers today.

  1. CircleCI
  2. CircleCI, a continuous integration and continuous delivery (CI/CD) platform, disclosed in January 2023 that a threat actor compromised the laptop of one of the employees and deployed malware to steal their two-factor authentication (2FA) credentials.

    The incident report published by the DevOps service provider acknowledged that they became aware of the incident on December 29, 2022, while the machine was compromised on December 16, 2022. The company’s antivirus software failed to detect this malware, and the threat actor was able to access customers’ environment variables, API keys, and access tokens.

  3. Slack
  4. Slack is a popular instant messaging platform used majorly for team communication in workplaces. On December 29, 2022, the platform was notified of suspicious activity on its GitHub account. The threat actor had stolen access tokens for some of the company’s employees. These access tokens were then used to access the platform’s externally hosted GitHub code repository.

    The subsequent investigations found that private code repositories were also downloaded on December 27, 2022. The attacker could not access Slack’s primary codebase and customer data. However, the security update posted on Slack’s website notes that this attack resulted from a third-party vendor compromise.

  5. Auth0 and Okta
  6. Okta is a US-based identity and access management service provider. The company faced three security breaches in 2022. In one of these incidents, the hackers published screenshots of Okta’s internal network, Jira ticketing system, and Slack. The company later issued a detailed statement explaining the incident.

    The hackers, the Lapsus$ extortion group, gained access to a customer support engineer’s account at Sykes. Sykes is one of Okta’s third-party vendors responsible for customer support services. More than 300 corporate customers were affected due to this incident. The company admitted to the breach two months after the hackers gained access to its network.

    Auth0 is an Okta-owned company which was acquired in May 2021. A third party had informed Okta in August last year that they had copies of specific Auth0 code repositories from October 2020 and before. However, Auth0 announced in September that they did not identify any intrusion into their IT environment.

  7. LastPass
  8. LastPass, a popular password manager, suffered a data breach in 2022 that compromised users’ personal data and their passwords. The company published a blog post in August 2022 that was updated multiple times throughout the last year.

    The hacker gained access to customer information such as username, company name, email, phone number, billing address, and IP address. Furthermore, the hacker also stole encrypted data stored with LastPass, including users’ usernames and passwords for all the sites they have stored in their vaults. However, in all these updates to the above-mentioned blog post, the company did not disclose the actual number of users actually affected.

  9. Travis CI
  10. Travis CI is another CI/CD platform used for building and testing software projects on GitHub, Apache Subversion, Bitbucket, and Perforce. In June 2022, researchers found that Travis CI API exposed tens of thousands of user tokens, allowing any interested party to access clear-text logs.

    About 770 million logs of their free-tier users were available, from which one could extract access tokens, secrets, and other relevant credentials. This information allows perpetrators to launch massive cyberattacks and move laterally in their cloud environment. It is reported that the same issue had been reported twice to Travis CI in 2015 and 2019; however, it has never been addressed fully.

  11. Heroku
  12. Heroku facilitates cloud developers to build, run, and operate applications entirely in the cloud. Around April 2022, the threat actor stole OAuth tokens issued to Heroku, a third-party OAuth integrator. After that, private GitHub repositories were accessed through the stolen tokens.

    These tokens are used by platforms like Heroku and Travis CI for deploying cloud-based applications. The hacker could also access Heroku’s internal database and exfiltrate hashed and salted passwords for user accounts. The initial investigation had not revealed that customer data was affected. However, Heroku later sent password reset emails to their affected customers.

  13. Twilio & Authy
  14. Twilio provides communication APIs for voice calls, video calls, SMS, and authentication. An incident report published on Twilio’s website acknowledges that hackers used social engineering techniques to trick its employees into sharing their login credentials. With the help of these credentials, the hackers gained access to the service provider’s internal database, which includes customer information.

    This security incident involved a smishing campaign where Twilio’s current and formal employees received a message that their Twilio password had expired. This message contained a link to a website that replicated the company’s sign-in page for employees. However, it was unclear how the threat actor matched employee names from sources with their phone numbers.

    Authy is a Twilio-offered 2FA service that provides an additional one-time code to log in, along with the account password. Twilio also disclosed that 93 Authy users were affected, a tiny fraction of their user base of 75 million users. The company’s statement did not clarify if the perpetrator had explicitly targeted these 93 customers.

  15. Signal
  16. Signal, the end-to-end encrypted messaging platform, was one of the companies affected by the Twilio incident. Twilio is a third-party vendor for Signal that provides phone number verification services. Signal published an article on its website clarifying that users’ message history, contacts, blocked contacts list, and other personal data were unaffected.

    The Twilio incident only impacted about 1,900 users, as the attacker could have attempted to re-register their number to another device. Out of these users, the attacker specifically searched for three numbers, and the hackers successfully re-registered one of the user accounts out of these three.

  17. Cloudflare
  18. Around the same time as the Twilio incident, Cloudflare faced a similar smishing attack. In less than a minute, 76 employees of Cloudflare received an SMS asking them to check their Cloudflare schedule via the given link. The attackers hosted a login page on this link similar to Okta’s.

    Okta is the identity solution provider for Cloudflare. Cloudflare acknowledged on its blog that individual employees fell for these messages; however, the attackers could not access their internal systems. This was successfully prevented as the login process used by Cloudflare relies on security keys rather than temporary one-time passwords (TOTPs).

  19. Mailchimp
  20. In August 2022, the email marketing giant became a victim of a sophisticated social engineering attack. The hackers compromised the credentials of one of its customer support staff and gained access to Mailchimp’s internal tools.

    More than 200 customer accounts were affected, and the impacted organizations were mostly cryptocurrency and finance-related companies. In another identical incident, the company published a blog post detailing the second social engineering attack in less than six months.

    The hacker used compromised credentials of Mailchimp customer support staff to gain access to the account data of 133 customers. WooCommerce and Digital Ocean are a few of those companies impacted by these incidents at Mailchimp.

Mitigating the Risks of Digital Supply Chain Breaches

Security and risk management leaders cannot work in isolation anymore. They must partner with other departments to prioritize digital supply chain risk and put pressure on the suppliers to demonstrate security best practices.

Apart from continuously monitoring an organization’s security mechanisms under its direct control, security experts recommend the following best practices for security teams to mitigate third party security risks in their supply chain.

  1. Create an inventory of third-party tools
  2. Security teams must create a third-party security inventory for managing and monitoring third-party tools used throughout the organization. For all the tools listed in the inventory, a security team must be up to date on vulnerability disclosures and security breaches and prioritize remediation actions when necessary.

  3. Limit the suppliers’ remote access
  4. Suppliers shall not be given unlimited remote access to the organization’s IT network or a part thereof. A security team must monitor suppliers by restricting their remote access. This should be strengthened by incorporating additional layers such as identity access management and multifactor authentication (MFA).

  5. Conduct due diligence exercise
  6. A well-defined procedure must be in place for conducting due diligence exercises for a prospective vendor. The due diligence exercise will involve understanding the vendor’s security practices, standards they comply with, and applicable laws. Security teams can define higher standards for vendors with access to crucial corporate resources or highly sensitive data. A security team must ask the vendor to provide certification from a trusted third-party organization that validates the efficiency of the vendor’s security controls.

  7. Enhance monitoring tools and techniques
  8. Digital supply chain attacks involve multiple attack techniques to maximize the damage on the affected company. As seen in the attacks discussed earlier, the primary target of adversaries is to gain authenticated access through sophisticated social engineering attacks. This enables them to blend into normal activities and avoid detection. This means identity infrastructure hygiene, multifactor authentication, and continuous monitoring and detection are key defenses.

    Security teams must consider seeking investments in specialized anomaly detection technologies such as endpoint detection and response (EDR), network detection and response (NDR), and user behaviour analytics (UBA). They can complement the broader scope covered by security analysts on centralized log management tools such as Security Information and Event Management (SIEM).

  9. Segment the network
  10. After gaining authenticated access by compromising employee credentials through a social engineering attack, the hackers rely on lateral movement and privilege escalation to get access to the most valuable resources of their target organization. A security team must work with network administrators to segment the network to minimize the impact of undetected attacks. A properly segmented network makes it harder for adversaries to move laterally or execute privilege escalation techniques by providing the organization with additional protection for high-value data.

How can you ensure a secure digital supply chain?

Organizations can engage a certified penetration testing provider capable of testing third parties and assessing vendors to secure third-party access within their network and systems. If your organization undertakes this proactive activity, you can build a cyber resilient digital supply chain. Regular vendor assessments of your digital suppliers allow you to use established standards to meet vendor due diligence requirements defined by security teams. This also helps streamline third-party security risks in your organization’s risk management program.

BreachLock’s comprehensive third-party penetration testing services are combined with the power of the BreachLock cloud platform:

  • Log into the BreachLock client portal for complete visibility, web scanning, easy-to-export reports, and more.
  • Get complete visibility to your pentest and reduce your third party security risks within a single pane of glass
  • Integrate DevOps ticketing for seamless vulnerability management, CI/CD security, compliance and risk management, and DevSecOps remediation.

See how BreachLock’s vendor assessment and security testing services work by booking a discovery call today.

Penetration Testing

Penetration Testing Service

Cloud Penetration Testing Services

Network Penetration Testing

Application Penetration Testing

Web Application Penetration Testing

Social Engineering

background image