Do You Really Trust Your Web Application Supply Chain?
Well, you shouldn't. It may already be hiding vulnerabilities.
It's the modular nature of modern web applications that has made them so effective. They can call on dozens of third-party web components, JS frameworks, and open-source tools to deliver all the different functionalities that keep their customers happy, but this chain of dependencies is also what makes them so vulnerable.
Many of those components in the web application supply chain are controlled by a third party—the company that created them. This means that no matter how rigorous you were with your own static code analysis, code reviews, penetration testing, and other SSDLC processes, most of your supply chain's security is in the hands of whoever built its third-party components.
With their many potential weak spots and their widespread use in the lucrative ecommerce, financial and medical industries, web application supply chains present a juicy target for cyber attackers. By compromising any one of the dozens of components that users trust, attackers can infiltrate those users' organizations and compromise their products. Software, third-party libraries, and even IoT devices are routinely attacked because they offer a way of gaining privileged access to systems while remaining undetected. From there, attackers can launch Magecart and web skimming attacks, deploy ransomware, conduct commercial and political espionage, use the compromised systems for crypto mining, or simply vandalize them.
The SolarWinds Attack
In December 2020, a supply chain attack was discovered that dwarfs many others in scale and sophistication. It targeted Orion, a network and application monitoring platform made by SolarWinds. The attackers had covertly infiltrated SolarWinds' infrastructure and used their access privileges to create and distribute booby-trapped updates to Orion's 18,000 users.
When those customers installed the compromised updates from SolarWinds, the attackers gained access to their systems and had free rein within them for weeks. U.S. government agencies were compromised, prompting investigations that pointed the finger at a Russian state operation.
This kind of devastating supply chain attack can happen in web environments too, and it emphasizes the need for a comprehensive, proactive web security solution that continuously monitors your web assets.
Standard Security Tools Get Outmaneuvered
Standard security processes did not help with SolarWinds, and they cannot monitor your entire supply chain. There are many potential risk areas that they will simply miss, such as:
- Privacy and security regulations: If one of your third-party vendors releases a new version that does not comply with security and privacy regulations, traditional security tools won't pick up this change.
- Trackers and pixels: In a similar vein, if your tag manager somehow gets misconfigured, it may inadvertently collect personally identifiable information, exposing you to possible (huge!) penalties and lawsuits.
- External servers: If the external server that hosts your JS framework gets hacked, you won't be alerted.
- Pre-production vulnerabilities: If a new vulnerability appears only after you have gone into production, you may not be able to mitigate it.
In these and many other situations, standard security tools will fall short.
The Log4j Vulnerability
Another of those situations arose when a zero-day vulnerability was discovered in Log4j, the widely used Java-based logging utility. Millions of computers owned by businesses, organizations, and individuals around the world use Log4j in their online services. A patch was released three days after the vulnerability was discovered in 2021, but in the words of Sophos senior threat researcher Sean Gallagher:
"Honestly, the biggest threat here is that people have already gotten access and are just sitting on it, and even if you remediate the problem, somebody's already in the network ... It's going to be around as long as the Internet."
The vulnerability allows attackers to take control of susceptible devices through Java. Again, they can then use those devices for illegal activities such as cryptocurrency mining, building botnets, sending spam, establishing backdoors, Magecart skimming, and launching ransomware attacks.
After it was disclosed, Check Point reported millions of attacks initiated by hackers; some researchers observed a rate of over 100 attacks per minute and attempted attacks on over 40% of business networks around the world.
Given that your web application supply chain could already have been compromised via the Log4j vulnerability, the need for a proactive, continuous monitoring solution becomes even more urgent.
One of these solutions comes from a web security company called Reflectiz. Its platform detected the Log4j vulnerability in Microsoft's Bing domain at an early stage, and Microsoft promptly patched it. Reflectiz then proactively scanned thousands of websites and services to identify other Log4j vulnerabilities. One significant vulnerability was found in Microsoft's UET component, affecting millions of users on various platforms. Reflectiz notified and collaborated with clients and prospects to mitigate the risks, adhering to responsible disclosure procedures by informing Microsoft and sharing its findings. The company stresses the ongoing nature of the Log4j event and urges organizations to secure their websites by addressing third-party vulnerabilities.
Safeguarding your web application supply chain
The interplay of in-house and third-party components in your web application supply chain makes for a dynamic environment that is constantly in flux. A continuously changing environment calls for a continuous monitoring solution that alerts you to suspicious behavior in every element of your web application supply chain. Through rigorous continuous monitoring, security teams can:
- Identify all existing web assets and detect vulnerabilities in the web supply chain and open-source components
- Monitor web app configurations and third-party code settings
- Gain full visibility into vulnerabilities and compliance issues
- Monitor web components' access to sensitive data
- Validate third-party behaviors
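As an added example (not from the article, and not Reflectiz's product), here is a minimal version of the third-party script check that the "external servers" risk above and these monitoring points imply: it inventories scripts loaded from other hosts, records each script body's digest in Subresource Integrity form, and flags scripts that changed since a reviewed baseline, that are new, or that carry no integrity attribute. The hosts, script bodies and baseline are constructed stand-ins for real HTTP fetches.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse

# Matches <script ... src="..." ...>; groups 1 and 3 hold the other attributes.
SCRIPT_RE = re.compile(r"<script\b([^>]*)\bsrc=[\"']([^\"']+)[\"']([^>]*)>", re.I)

PAGE_HOST = "shop.example"  # constructed sample; stands in for real HTTP fetches
LIB_URL = "https://cdn.example-framework.test/lib.js"
TM_URL = "https://tags.example-tagmanager.test/tm.js"
SAMPLE_HTML = f"""<script src="/static/app.js"></script>
<script src="{LIB_URL}" integrity="sha384-placeholder" crossorigin="anonymous"></script>
<script src="{TM_URL}"></script>"""
CURRENT_BODIES = {  # what the external hosts serve today (constructed)
    LIB_URL: b"window.lib = {version: '1.0'};",
    TM_URL: b"collect(document.cookie);",  # tag script silently changed upstream
}

def sri_digest(body: bytes) -> str:
    """SHA-384 digest in the Subresource Integrity form a browser expects."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

# Baseline recorded on an earlier, reviewed run of the same monitor (constructed).
BASELINE = {
    LIB_URL: sri_digest(b"window.lib = {version: '1.0'};"),
    TM_URL: sri_digest(b"collect(location.href);"),
}

def inventory(html: str, page_host: str):
    """Return [(url, has_integrity_attr)] for scripts loaded from other hosts."""
    found = []
    for m in SCRIPT_RE.finditer(html):
        host = urlparse(m.group(2)).netloc
        if host and host != page_host:  # skip same-origin scripts
            found.append((m.group(2), "integrity=" in (m.group(1) + m.group(3)).lower()))
    return found

def check(html, page_host, fetch, baseline):
    """Diff live digests against the baseline; return (finding, url) pairs."""
    findings = []
    for url, has_sri in inventory(html, page_host):
        digest = sri_digest(fetch(url))
        if url not in baseline:
            findings.append(("new-script", url))
        elif baseline[url] != digest:
            findings.append(("changed", url))
        if not has_sri:
            findings.append(("no-integrity", url))
    return findings
```

In a real deployment the `fetch` callable would retrieve each URL on a schedule, and the baseline would only be updated after a reviewed, intentional change to the third-party script.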
Source: thehackernews.com