Log4J shows: Dangerous Supply chain attacks are becoming increasingly popular with attackers

A mistake like the one at Log4J can have devastating late consequences: A security expert explains how attackers even close the gap and only use it later.

• Supply chain attacks like Log4J aim to manipulate a software element used in widely distributed software.
• These intrusions are very difficult to detect and therefore remain undetected for a long time. Moreover, many companies do not even know that they are affected.
• Directories of suppliers and software elements used can increase the level of security, but are only available in a few companies.

Attackers do not always choose the direct route. Increasingly, they attack companies indirectly through their suppliers. Kaseya and SolarWinds have become famous examples of these so-called supply chain attacks. Log4J is another supply chain attack. Here, a central element of numerous web servers contained a security vulnerability. Security expert Cristian Avram from the security company Bitdefender has dealt extensively with this gap. In the following interview, he explains the context and background. 

He had previously explained technical details in an it-sa insights presentation. For registered users, the presentation (held in German) "Sicherheitslücke Log4Shell - Das Worst-Case-Szenario" is available as a recording.

Mr Avram, you work as a solution architect at Bitdefender, where you develop security concepts for larger companies. Supply chain attacks are currently a big topic, not least because of Log4Shell. What characterises this type of attack?

Attacks on a supply chain are usually difficult to detect. Attackers use software components or libraries that were developed by third parties and integrated by the company into its own product. One would therefore have to explicitly check the integrated software in addition. This is difficult and is usually not done. Checks are usually limited to the company's own software, such as whether performance problems or crashes occur. But what is hidden in external modules is not easy to discover. In addition, if a problem is discovered in them, you have to wait until it is solved by the supplier's programmers, because you cannot solve it yourself. Updating your own software is thus dependent on updating subcomponents.

What makes supply chain attacks so dangerous?

Attacks are often possible in the long term with such gaps because it takes longer before each software is patched due to the dependencies on third parties. The time window for attacks is therefore very large. For example, someone develops software that uses Log4J and a third company uses this software for its solution and also uses the Log4J library in it. Now a problem is discovered in it and an update becomes available. The company only knows that its software uses Log4J, but not that the integrated module also uses Log4J. Therefore, the company only takes care of its software, but the vulnerability in the module remains open until the supplier provides an update at some point.

How do hackers exploit this particular problem?

They set themselves up for it: Because the time window is very large, attackers may quickly install a backdoor and then even patch the vulnerability to remain undetected. When the company checks its software, it will think it is safe because the gap has already been patched, but the backdoor behind it remains undetected. We recently had such a case with one of our clients. A Log4J update was found, but the admins claimed they had not yet installed an update. On closer inspection, we then found a backdoor, so the assumption is that the gap was closed by attackers after they had set up their backdoor.

What different variants of supply chain attacks exist so far?

In the case of Log4J, it was not attackers who installed the vulnerability, but the developers overlooked this gap in their own software. In other cases, attackers have installed malware in components purchased by the affected company. In the case of Log4J, there was no malicious intent behind it, but the problem could be used for attacks. Another way is for attackers to target suppliers whose components are integrated into larger software solutions in order to identify them. The trick with supply chain attacks is that this malware, once installed, is distributed to many customers via the provider of the large software solution and attackers thus find many victims. For this reason, the focus is particularly on software providers who develop widely used software.

You have dealt intensively with the Log4J attack. What special features were you able to determine?

Log4J is a widely used open source solution. Open source has the advantage that the source code is openly accessible and many programmers contribute to it. This makes it easier to detect errors. Many applications today use open source software. That is why Log4J is used on all kinds of platforms and in all kinds of products. Even navigation systems in cars, parking meters, routers, webcams use this module. There are millions of applications and probably hundreds of millions of devices that are equipped with it. Therefore, not all vulnerable systems have been found by a long shot. The problem will certainly stay with us for a while.

In the video lecture, you talk about the Muhstik botnet that is carrying out Log4J attacks - is it still active and do we know who is behind it? Are there other groups using this attack?

We don't know who is behind it yet, but we are looking. Muhstik can be easily recognised by the special payload and the Log4J exploit. The malware loads further scripts, which for example turns the infected server into a bot of a botnet or uses it for crypto-mining. Another group is the Konsary group. I describe the details in the video.

In the video, you demonstrate how an attack takes place. How complex is it to set up this demo environment?

It's not particularly complex if you already have a few machines available, for example an installed Kali Linux and a Windows 10 machine. On Github there are containers with a prepared Log4J web server, which I also discuss in my presentation. Afterwards, however, you usually have to test for a while until everything works properly.

What protective measures would you recommend to arm yourself as a company against supply chain attacks? What security components are important for this?

A company should know what software it uses and also know its components. Software audits are necessary for this. Bills of materials (BOM) are a good way to identify software components. These are directories that can be seen as a software parts list. They record the components used and their origin. If a security vulnerability becomes known, it is very easy to check which systems are affected. 

As a security strategy for companies, an approach called "Defence in Depth" is recommended. "Defence in Depth" is a multi-layered security strategy that consists of at least a firewall solution, endpoint protection and network traffic analysis for lateral movement detection. This makes things visible that may not have been noticed on the endpoints. The core idea is that if a vulnerability was not detected immediately, a malware should be detected at the latest when it tries to do damage.

Software like Bitdefender does a process analysis on each system and detects anomalies. This gives me a picture of the process of an attack. This makes it possible to see where and when, for example, malware was downloaded, where scripts were reloaded and what other steps occur. 

Author: Uwe Sievers