Packagecloud logo

What Kaseya and REvil ransomware gang teach us about Software Supply Chain Attacks


Gone are the days where criminals storm banks with automatic weapons, taking hostages and shouting ransom demands. These days, sophisticated software supply chain attacks allow criminals to infiltrate multiple billion-dollar corporations simultaneously demanding huge ransoms, all from the comfort of their homes.

The most recent software supply chain attack of Florida-based IT company Kaseya managed to infiltrate more than 1,000 businesses, including 200 US-based companies.

Russia-linked REvil ransomware gang, one of the largest international cyber-crime organizations, is believed to be responsible for the attack. The gang was also responsible for an FBI hack in May 2021 and the Texas local government hack in 2019.

What is a Software Supply Chain Attack

A software supply chain attack (also referred to as a supply chain attack) is a cyber-attack where hackers find vulnerabilities in software or systems in a supply chain to gain access to a larger organization or network of servers and businesses.

Supply chain attacks are highly sophisticated and often elaborately planned. In some cases, criminals will plan for months or even years to infiltrate a target.

For example, criminals might infiltrate a software manufacturer and plant untraceable malware. Any person or organization installing that software installs the malware too.

Through the infected software, cybercriminals gain access to thousands, if not millions, of servers and devices. Instead of attacking a single device, hackers infiltrate the supply chain to access a network of businesses and individuals.

Cyber-criminals don’t necessarily have to hack into systems either. Some supply chain attacks happen as a result of devices being tampered with at the source.

In 2008, criminals managed to infiltrate a factory and tamper with credit card machines made in China. The credit card machines were used by grocery stores across Europe, giving criminals access to thousands of customer’s credit card details.


Types of Supply Chain Attacks

Supply chain attacks are as complex as the software and devices they aim to infect. Every piece of software or device has vulnerabilities hackers can infiltrate.

These are some common types of supply chain attacks:

  • Third-party software providers
  • Package manager attacks
  • Third-party data centers
  • Watering hole attacks
  • Stolen code-signing certificate attacks
  • Pre-installed malware on devices (cameras, USB, phones, etc.)


Third-Party Software Providers

One of the most common supply chain attacks is via legitimate third-party software providers. Criminals prefer this method of attack because the malware is installed at the source and thus incredibly difficult to detect.

The scary reality is that even when a software provider is identified as the possible source of a supply chain breach, finding the malware requires inspecting every piece of software and hardware to find the trojan.


Package Manager Attacks

Similar to third-party software attacks are package manager attacks. Packages are coding tools used by developers to build software, games, and other applications.

Package manager attacks can be exponentially more threatening than regular software attacks because hackers can access any software or app utilizing the package.

Luckily, package handlers like packagecloud allow developers to manage and deploy packages securely. We’ll discuss package managers more later in the article.


Third-Party Data Centers

Two of the most significant software supply chain attacks in recent history have come from third-party data centers and IT providers.

The most recent attack being the Kaseya ransomware attack and the infamous SolarWinds that gave cyber-criminals access to more than 18,000 organizations.

In a statement from Kaseya CEO Fred Voccola, third-party data centers know that “it’s not a matter of if but when a breach will happen. These companies have to monitor threats continuously and revise software to block malicious attacks.

Cyber-criminals are constantly working on new ways to infiltrate IT and data centers because of the vast network of businesses they manage. It’s only a matter of time before a vulnerability is exposed or a new piece of software is developed by criminals to penetrate IT infrastructure.


Watering Hole Attacks

With a watering hole attack, criminals will target a website or application frequented by individuals from an industry or company—for example, a message board for stockbrokers.

Cybercriminals will try to find a poorly secured “watering hole” and inject malicious code, usually Javascript or HTML. The hackers will replace a familiar link or popup with an infected replica. Thus when a user clicks on the link, a malicious payload is downloaded onto their computer or device.

While watering hole attacks are rare, many companies take precautions like limiting Internet access or blocking unfamiliar emails.


Stolen Code-Signing Certificate Attacks

Stolen code-signing certificate attacks are also rare, but the consequences can be severe and far-reaching.

Ironically, a code-signing certificate verifies that a software’s code has not been altered or corrupted. If a hacker can breach a code-signing certificate, they can use it to validate their malware, effectively corrupting the gatekeeper designed to keep them out.

Most code-signing certificate attacks rely on human error where developers either store or publish private code-signing keys in the public domain.

The most famous example is from electronics manufacturer D-Link who published their code-signing keys in open-source firmware.


Pre-Installed Malware on Devices

Another increasing software supply chain attack is malware pre-installed on devices, particularly cheap Android devices. The malware is usually hidden in third-party apps that come pre-installed with mobile phones.

Andriod is an open-source operating system that makes it easy for anyone to manufacture mobile devices. Unfortunately, it also means that cyber-criminals can design apps that take advantage of Android’s vulnerabilities.

In 2018, malware was found on mobile devices made by budget phone manufacturers ZTE and Archos. This malware is complicated to remove from a device because it’s built into the firmware.

To avoid these sorts of attacks, Google urges users only to purchase devices or download apps that are Google Certified. Customers should also avoid grey imports and brands not certified by their government.


The Increasing Threat of Package Manager Attacks

Package manager attacks are on the rise! At the beginning of 2021, Sonatype, a software supply chain management platform, reported that “…a vigilante actor flooded PyPI and npm repositories with nearly 5,000 dependency confusion packages.”

These dependency confusion packages use typosquatting to confuse users into thinking they’re downloading a package from a legitimate source.

For example, a copy of Amazon’s NPM package amazon would be named amzn, which is the company’s stock ticker, thus would appear legitimate. Many leading brands have been targeted, including Zillow, Lyft, and Slack.

Because anyone can upload packages to these platforms, monitoring and removing malicious packages is complicated, especially when 5,000 of them arrive within 24 hours.


PayPal’s Dependency Confusion

Another package vulnerability is when companies use public and private dependencies in the same application.

During the summer of 2020, ethical hacker Alex Birsan discovered that PayPal was using a mix of public and private dependencies. The names of the private dependencies did not appear on NPM, so Alex created packages under these names to see if PayPal’s internal projects would default to NPM. And the packages did just that!

If a package of the same name exists in a public repository (like NPM in this case) and is privately hosted (by a PayPal server), the application will give the public package priority.

While this sort of supply chain attack is extremely rare, it does expose the risks of public package managers.


Using packagecloud to Create a Secure Private Package Repository

Companies must take every measure to protect their applications and end-users. Creating a private package repository allows developers to reduce points of entry for a possible supply chain attack.

GPG Signatures

Developers must sign every package and include GPG signatures on repository metadata. The GPG package signatures should always be signed before the package is uploaded.

Packagecloud helps minimize human error. If you happen to accidentally upload your GPG secret key, packagecloud will discard the secret key data and store only the public key.


Packagecloud Read-Only Tokens

With packagecloud, you can issue read-only tokens, which cannot be used to modify the repository. We recommend using one read token per node to maximize isolation.


ALL Package Types on One Repository

Another great feature is that ALL package types can coexist in the same packagecloud repository. For example, you would have to use four different repositories if you have packages for Debian, RPM, RubyGem, and Python. With packagecloud, you only need one repository for all four.


Public & Private Repositories

Packagecloud allows you to create both public and private repositories. You can create unlimited public repositories while public repositories are limited by plan.



packagecloud also allows users to push packages to and yank packages from your repositories and promote packages to other repositories.

Software supply chain attacks are on the rise. Companies must take measures to mitigate risks at every touchpoint. To keep your packages and your software supply chain fully secure, use packagecloud. You should sign up for your packagecloud free trial here.

You might also like other posts...