CLOUD THREAT RESEARCH

Unit 42 Cloud Threat Report, 2H 2021

Learn how common supply chain issues undermine security in the cloudRead the reportINTRODUCTION

Understand supply chain attacks to defend against them

Supply chain attacks in the cloud continue to grow as an emerging threat. However, much remains misunderstood about both the nature of these attacks and how to defend against them. To gain insight into this growing threat, Palo Alto Networks Unit 42 cloud threat researchers analyzed data from a variety of public data sources around the world. Additionally, they executed a Red Team exercise at the request of a large SaaS provider against their cloud-hosted software development environment. Unit 42’s findings indicate that many organizations may still be lulled into a false sense of supply chain security in the cloud.

This report draws on Unit 42’s analysis of past supply chain attacks. It explains the full scope of supply chain attacks, discusses poorly understood details about how they occur, and recommends actionable best practices organizations can adopt today to protect their supply chains in the cloud.matt signatureMatthew Chiodi
Chief Security Officer, CloudWatch the videoRead the reportSupply chain attacks are not a new threat

While the SolarWinds incident was the first major software supply chain attack to make international headlines, it wasn’t the first of its kind. Unit 42 researchers have been tracking significant attacks that have occurred to date, including some as early as 2015.

  • September 2015 – XcodeGhost: An attacker distributed a version of Apple’s Xcode software (used to build iOS and macOS applications) that injected additional code into iOS apps built using it. This attack resulted in thousands of compromised apps identified in Apple’s App Store®.
  • March 2016 – KeRanger: Transmission, a popular open-source BitTorrent client, was compromised through the injection of macOS ransomware into its installer. Users who downloaded and installed the program would be infected with malware that held their files for ransom. Attackers injected the ransomware by taking control of the servers used to distribute Transmission.
  • June 2017 – NotPetya: Attackers compromised a Ukrainian software company and distributed a destructive payload with network-worm capabilities through an update to the “MeDoc” financial software. After infecting systems using the software, the malware spread to other hosts in the network and caused a worldwide disruption that affected thousands of organizations.
  • September 2017 – CCleaner: Attackers compromised Avast’s CCleaner tool, used by millions to help keep their PCs working properly. The compromise was used to target large technology and telecommunications companies worldwide with a second-stage payload.

In each of these breaches, attackers compromised software development pipelines. They then used the trust placed in them to gain access to other networks.RESEARCH TECHNIQUESHow to own a cloud supply chain

During a Red Team exercise commissioned by a Palo Alto Networks customer, Unit 42 researchers were able to masquerade as malicious developers with limited access to an organization’s Continuous Integration (CI) environment and attempt to gain administrative rights to the larger cloud infrastructure. This operation demonstrated how a malicious insider could harvest a CI repository and gain access to sensitive information.

  • The Unit 42 team was able to download every GitLab repository from the customer’s cloud software storage location. This allowed them to identify nearly 80,000 individual cloud resources within 154 unique CI repositories.
  • Within the repositories, researchers found 26 hardcoded IAM key pairs. This allowed them to escalate their privileges and access the customer’s supply chain operations.
Supply chain attacks are not a new threat

Read the reportKEY FINDINGS

Caught by the SOC

Why it Matters: The customer’s integration of AWS GuardDuty with a Cloud Security Posture Management platform was essential to the detection of the attack. In this case, they used Palo Alto Networks Prisma Cloud. However, because the customer only configured one of the accounts properly, only a small fraction of the overall malicious activity came to light in the SOC.

IaC security means supply chain security

Insecure configurations in open-source Terraform

Insecure configurations in Kubernetes Helm charts

Vulnerabilities in widely used container images

Read the reportBill of materials visibility is critical

The key takeaway from this report is that gaining visibility into every cloud native workload through shift-left security is critical. Despite much talk in the security community about shifting left, organizations are still very much neglecting DevOps security due in part to a lack of attention to supply chain threats.Get your copy of the full reportGet the infographicTHREAT REPORT

Unit 42 Cloud Threat Report, 2H 2021

Download nowPRISMA CLOUD

See how Prisma Cloud can address the cloud threats in your enterprise.

Learn moreUnlock the cloud security resource kit

Sign up to stay connected with security alerts, cloud security events and Prisma™ Cloud product updates.