
Kaspersky says supply chain attacks an emerging cybersecurity threat

A faulty content update pushed by US-based cybersecurity company CrowdStrike on 19 July 2024 to its customers' Windows machines caused a bluescreen of death on over 8.5 million devices, leaving many of them stuck in a reboot loop and disrupting organisations around the world for days.

At the recent Kaspersky Cybersecurity 2024 summit in Sri Lanka, Kaspersky shared more about what happened with Crowdstrike, the potential avenues and impact of supply chain attacks and what it bodes for the future including how AI can factor into increased risks of supply chain attacks.

Supply Chain Attacks – What can happen – Crowdstrike, XZ Utils and more

As a result of the faulty CrowdStrike update, critical infrastructure such as banks, hospitals and airlines was unable to function normally for two to three days, causing an unprecedented amount of financial damage; the incident is widely described as the largest IT outage to date.

Based on CrowdStrike's official reports, affected systems were Windows hosts running Falcon sensor version 7.11 and above that were online between 04:09 UTC and 05:27 UTC on Friday, 19 July 2024 and received the update. Mac and Linux hosts were not impacted.


Vitaly Kamluk, Cybersecurity expert of Global Research & Analysis team (GReAT) at Kaspersky

“The configuration update for CrowdStrike should have been a routine, regular update to the protection mechanisms of their Falcon platform, gaining telemetry and detecting possible novel threat techniques for the Windows platform. Unfortunately, this update resulted in a never-ending reboot spiral for over 8.5 million Windows machines across the world,” said Vitaly Kamluk, Cybersecurity expert of the Global Research & Analysis Team (GReAT) at Kaspersky.

Another supply chain attack, this one thwarted in time, was the backdoor discovered in the XZ Utils compression project, which ships with most Linux distributions. The sophisticated, heavily obfuscated backdoor tampered with the logic of the OpenSSH server, an implementation of Secure Shell (SSH), to enable unauthorised remote access to potentially millions of devices, servers and data centres.

Forensic analysis revealed that the build of XZ/liblzma had been modified: the malicious code was hidden in the release tarballs' build scripts and test files rather than in the visible source, and on distributions where sshd is linked (via libsystemd) against liblzma, the backdoored library gave the attacker access to affected systems. The commits were made by a GitHub user who carried out a patient social engineering campaign, gradually gaining trust and maintainer privileges on the XZ Utils project until they could merge commits and cut releases themselves.

Named JiaT75, also known as ‘Jia Cheong Tan’, the threat actor joined the XZ Utils project and contributed to it from 2021. The identity behind JiaT75 remains a matter of speculation; it may have been several people operating a single account, though the account was observed to use a Singapore VPN and to commit in the UTC+8 timezone.


From a more theoretical standpoint, with the growing integration of AI into critical systems, Kaspersky outlined how a supply chain attack could be executed by injecting malicious input to produce a desired outcome: planting malware and obfuscating it so that it looks like a legitimate file, introducing bugs or flaws that open the way to supply chain attacks on other systems reliant on the AI, and even degrading the AI's capabilities over time, which matters most when the affected systems are of critical importance given the growing interdependency of systems today.

“Potential avenues of a supply chain attack on AI would be to manipulate the training data and introduce biases and vulnerabilities into the model, or to modify the AI models with altered versions so that they would produce incorrect outputs,” says Vitaly. He adds that such behaviour could potentially be difficult to detect, allowing malicious activities to go unnoticed for extended periods.

To address this potential threat landscape of supply chain attacks, organisations have a number of strategies available. “In addition to best cybersecurity practices, organisations need to conduct mitigation strategies to manage or minimise the potential impact of a supply chain attack in their infrastructure,” says Vitaly.

Among the strategies are rigorous testing before builds go live, verifying the integrity of build tools and tightly controlling the build process, tracking model version numbers and validating models so that changes can be traced, continuous monitoring for anomalies, digital signatures for builds, and regular security audits. For more on Kaspersky, check out their official page at www.kaspersky.com
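As an added illustration of the “digital signatures for builds” and build-integrity points above (example code written for this page, not Kaspersky's or any project's own), the following Go program signs a canonical manifest of release artifacts with Ed25519 and verifies it on the consuming side. The artifact paths, file contents and the “injected” line are constructed for the example. It shows why the XZ Utils pattern, where the shipped tarball differed from the reviewed source, is caught when the consumer recomputes the manifest from the bytes it actually received before trusting the build.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Artifact is one file in a release: its path and its bytes. In a real
// pipeline the bytes would be read from disk; here they are constructed inline.
type Artifact struct {
	Path string
	Data []byte
}

// Manifest lists every artifact with its SHA-256 digest, one per line, sorted
// by the full line so the serialisation is canonical: the same set of files
// always produces the same bytes to sign, regardless of the order supplied.
func Manifest(arts []Artifact) string {
	lines := make([]string, 0, len(arts))
	for _, a := range arts {
		sum := sha256.Sum256(a.Data)
		lines = append(lines, hex.EncodeToString(sum[:])+"  "+a.Path)
	}
	sort.Strings(lines)
	return strings.Join(lines, "\n") + "\n"
}

// SignManifest is run by the release engineer, who holds the private key.
func SignManifest(priv ed25519.PrivateKey, manifest string) []byte {
	return ed25519.Sign(priv, []byte(manifest))
}

// VerifyRelease is run by the consumer before the build is deployed. It
// recomputes the manifest from the artifacts it actually received and checks
// the signature over that recomputed manifest, so a change to any file, or a
// file added or removed, makes verification fail.
func VerifyRelease(pub ed25519.PublicKey, arts []Artifact, sig []byte) bool {
	return ed25519.Verify(pub, []byte(Manifest(arts)), sig)
}

// Demo builds a small constructed release, signs it, then shows that a build
// script modified after signing (an attacker with write access to the
// distribution point but not to the signing key) fails verification.
// It returns (cleanVerifies, tamperedVerifies).
func Demo() (bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample release: a source file and a build script.
	release := []Artifact{
		{"src/decode.c", []byte("int decode(void) { return 0; }\n")},
		{"m4/build-helper.m4", []byte("dnl harmless autoconf macro\n")},
	}
	sig := SignManifest(priv, Manifest(release))
	cleanOK := VerifyRelease(pub, release, sig)

	// Tamper with the shipped build script; the source file is untouched,
	// mirroring the pattern where the repository looks clean but the
	// tarball does not. The injected line is a placeholder, not a payload.
	tampered := []Artifact{
		release[0],
		{"m4/build-helper.m4", []byte("dnl harmless autoconf macro\n# injected line (constructed for this example)\n")},
	}
	tamperedOK := VerifyRelease(pub, tampered, sig)
	return cleanOK, tamperedOK
}

func main() {
	clean, tampered := Demo()
	fmt.Printf("clean release verifies: %v\n", clean)
	fmt.Printf("tampered release verifies: %v\n", tampered)
}
```

The check is only as strong as the custody of the private key: if the person who controls the signing key is the attacker, as the XZ Utils maintainer account was, a valid signature proves nothing. That is why the signature should be paired with the other measures listed above, in particular reproducible builds that let a consumer regenerate the tarball from the tagged source and compare digests.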