Supply chain attacks in 2021

• 2021-01-02 - Zyxel: Backdoor account discovered in more than 100,000 Zyxel firewalls, VPN gateways (Archive)
• 2021-02-01 - NoxPlayer: Hacker group inserted malware in NoxPlayer Android emulator (Archive)
• 2021-02-09 - npm, PyPI, Rubygems (white-hat): Researcher hacks over 35 tech firms in novel supply chain attack (Archive)
• 2021-02-24 - Accellion File Transfer Appliance: Exploitation of Accellion File Transfer Appliance (Archive)
• 2021-03-28 - PHP (attempted): Changes to Git commit workflow (Archive)
• 2021-04-17 - Codecov: US investigators probing breach at code testing company Codecov (Archive)
• 2021-04-21 - Homebrew (white-hat): Security Incident Disclosure (Archive)
• 2021-04-24 - Passwordstate: Backdoored password manager stole data from as many as 29K enterprises (Archive)
• 2021-07-05 - Kaseya: Up to 1,500 businesses affected by ransomware attack, U.S. firm's CEO says (Archive)
• 2021-07-16 - cdnjs: Remote code execution in cdnjs of Cloudflare (Archive)
• 2021-10-22 - ua-parser-js: Security issue: compromised npm packages of ua-parser-js (Archive)
• 2021-11-04 - coa: Popular 'coa' NPM library hijacked to steal user passwords (Archive)
• 2021-11-04 - rc: Embedded malware in rc(Archive)

I'll try to keep this list updated for all supply chain attacks in 2021. Send input to blog@[this domain] if I missed something.

In a supply chain attack, attackers gain access to their target not by attacking the target directly, but by attacking one of its suppliers. This type of attack is getting more common.

Modern software development is dependent on large numbers of third-party dependencies. From a security standpoint, this has advantages and disadvantages. For critical functionality like password managers or crypto implementations, this ensures that developers have access to high-quality security libraries and tools, instead of each developer having to create custom implementations with bugs and weaknesses.

However, these dependencies are a very attractive way to hack into downstream users. Getting malicious code into any single dependency may be very hard, but when projects may have thousands of dependencies (common in modern npm based web applications), the statistics favour the attacker as they only need to target the dependency with the weakest defense measures.

Updates are in a similar situation. Updates can and do patch security issues and bugs. However, for most developers it is unfeasable to thoroughly check the integrity of every update which is applied, as that would require reading and understanding the entire diff between the old and new versions. The vast number of dependencies typically used, and the requirement to also look for extremely subtle bugs/backdoors (like goto fail;, or tactics from the Underhanded C Contest make it practically impossible to vet every single update. This makes updates another attractive vector for attacking downstream users.

I wish I had a permanent solution for this current weakness to supply-chain attacks. But some basic prudency can go a long way. Keep the number of used dependencies to a minimum. There's no need to add left-pad as a dependency. Before introducing a new dependency, check if the publisher uses two-factor-authentication, if possible. Don't use NPM.