From XZ to Crowdstrike – Impact and Future Implications of Supply Chain Attacks – Adaderana Biz

A supply chain attack can potentially impact and cripple the global economy. What happened with Crowdstrike, the XZ Utils project, and mitigation strategies for organizations facing supply chain attacks

Globalization and digitalization have made many aspects of the global economy heavily dependent on technology, such as smartphones and laptops, which in turn rely on regular software and security updates from manufacturers. This complex network of entities, resources, goods, and services forms a supply chain that enables international trade, travel, and commerce as we know it today.

To enable these software updates, a company places a certain level of implicit trust when pushing updates to its devices, claiming that they are free of malware and errors. This level of implicit trust makes supply chain attacks tempting for malicious actors. By gaining access to a manufacturer’s infrastructure, malicious actors are able to inject malware into legitimate software updates, making it potentially one of the most effective and dangerous attack vectors possible. This attack vector is not a new idea, with recent attempts like ShadowPad, CCleaner, and ShadowHammer in recent years showing that a determined attacker can reach even the most protected networks. However, the recent Crowdstrike incident demonstrated the importance of the supply chain and the unprecedented scale of impact if something goes wrong, opening new questions about the vulnerability of supply chains and our reliance on them today.

Crowdstrike – The Day the Earth Stood Still

Starting on Friday, July 19, 2024 at 04:09 UTC for approximately two to three days, the global economy came to a standstill due to a content configuration update released by CrowdStrike, a US-based cybersecurity company that is one of the few companies granted kernel privileges on the Windows operating system.

“The Crowdstrike configuration update should have been a routine, regular update of their Falcon platform’s protection mechanisms, allowing them to obtain telemetry data and detect possible new threat techniques for the Windows platform. Unfortunately, this update resulted in an endless reboot spiral for over 8.5 million Windows machines worldwide.” said Vitaly Kamluk, cybersecurity expert from the Global Research & Analysis Team (GReAT) at Kaspersky.

According to media reports, critical infrastructure like hospitals, banks, airlines and others, including critical government infrastructure like NASA in the United States, the Federal Trade Commission, the National Nuclear Security Administration, 911 emergency call centers, government websites in the Philippines and others, whose systems running Windows were protected by Crowdstrike, were affected by the erroneous update and were unable to function. At present, this could be considered the worst outage in history with an unprecedented amount of financial damage.

Affected systems include Windows hosts running sensor version 7.11 and above that were online between Friday, July 19, 2024 04:09 UTC and Friday, July 19, 2024 05:27 UTC and received the update. Mac and Linux hosts were not affected. Ultimately, this scenario was not triggered by APTs but by a flawed software update that demonstrated the potential consequences of a perfectly executed supply chain attack. This is not the first incident of supply chain failure, however, as previous incidents have occurred before, such as the Linux XZ library being compromised in a sophisticated operation.

Linux XZ – A Wolf in Sheep’s Clothing Brought to Light

Earlier in 2024, the Linux XZ Utils project, a set of free command-line data compression tools and a library, was discovered to be compromised in a supply chain attack. The attack was an extremely complex and sophisticated backdoor that was masterfully obfuscated and hidden to hook and alter the logic of OpenSSH, an implementation of Secure Shell (SSH), to allow unauthorized access. SSH is also the name of the cryptographic network protocol for securely operating devices including enterprise servers, IoT devices, network routers, network attached storage devices, and more.

Today, tens of millions of Internet of Things (IoT) devices, millions of servers, data centers, and networking devices rely on SSH, potentially leading to a disaster that would dwarf the Crowdstrike incident. Open source software company Red Hat noted that this incident is tracked in the NIST National Vulnerability Database as CVE-2024-30942 with a maximum severity score of 10, acknowledging its potential for exploitation by malicious actors.

Forensic analysis revealed that the commits were made by a GitHub user with the username JiaT75 also known as “Jia Cheong Tan” who joined the XZ Utils project team and contributed to the XZ project starting in 2021. The identity of JiaT75 is a subject of speculation as it could be multiple threat actors working from a single account, although the account is known to be operating using a Singapore VPN and in the UTC+8 timezone.

Like a wolf in sheep’s clothing, JiaT75 then built trust over time by socializing with other contributors and offering positive contributions to eventually gain control over the maintenance of the XZ project archives and gain the privileges needed to merge commits. It was discovered that the XZ/libzma version had been modified and hidden through a series of complex obfuscations, becoming a dependency for SSH on some operating systems, allowing unfettered access to infected systems.

This incident was fortunately detected in time and investigations are ongoing, but it highlights that social engineering combined with the nature of open source software remains another viable avenue for a supply chain attack.

Kaspersky experts conducted a complete analysis of the case, which included examining the social engineering tactics involved.

What does the threat landscape portend for an AI-integrated future?

AI is becoming increasingly integrated into society. Aspects of AI are being used to optimize smart city infrastructure, improve healthcare, education, agriculture, and more. Like any technology, AI is not foolproof because it relies on learning and training models to derive useful information and can be subject to supply chain attacks through the injection of malicious information.Potential avenues for a supply chain attack on AI would be to manipulate training data and introduce biases and vulnerabilities into the model or modify AI models with modified versions so that they produce incorrect results,” Vitaly explains. He adds that such behavior could be difficult to detect, allowing malicious activity to go unnoticed for long periods of time.

For APTs betting on the long term, supply chain attacks can hide in wait for the right target while potentially obfuscating the malware payload, masking it as a legitimate file, and planting extensive tools within a trusted enterprise’s infrastructure to facilitate higher-level access or, ultimately, complete system compromise. Worse still is the long-term possibility that bugs or flaws will be introduced into AI-driven supply chain attacks that would degrade their capabilities and quality over time, making them the equivalent of a ticking time bomb, impacting critical systems with broad reach or critical importance.

Readily available AI large language models (LLMs) such as ChatGPT, CoPilot, and Gemini can be manipulated to help create convincing spear phishing attacks while AI deepfakes can be used to impersonate important personnel, which resulted in the loss of US$25 million in Hong Kong when a malicious actor impersonated the image of a company’s CFO to disburse the funds.

For nearly two decades, specialists at Kaspersky’s AI Technologies Research Center have been at the forefront of applying artificial intelligence to cybersecurity and developing ethical AI. The team’s AI expertise is integrated into various Kaspersky products, improving everything from AI-powered threat detection and alert prioritization to generative AI-powered threat intelligence.

To address this potential threat landscape of procurement attacks, organizations have a number of strategies available.In addition to cybersecurity best practices, organizations should implement mitigation strategies to manage or minimize the potential impact of a supply chain attack on their infrastructure,” Vitaly explains. Strategies include rigorous testing before builds are released, rigorous tool integrity and manufacturing control, model version numbers and model validation to track changes and releases, continuous monitoring for defects, digital signatures for builds, and regular security audits.

You will find more information about this activity on Kaspersky