By Stuart Phillips & Geraint John
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has urged government and commercial organizations to patch vulnerable software and IT systems more rapidly in response to a flurry of malicious attacks against the cyber supply chain.
Last week, CISA issued an emergency directive requiring all federal civilian agencies using VMware’s Workspace ONE Access and other products to either patch or disconnect these systems by 5 p.m. ET this past Monday.
Separately, CISA also warned that hackers were actively targeting unpatched versions of F5 Network’s BIG-IP systems used to manage network traffic.
These new alerts join several others issued in recent weeks regarding cyber supply chain risks.
Earlier this month, CISA and other national cybersecurity agencies warned that managed service providers and their customers were at a heightened risk of attack. In late February, CISA issued a wide-ranging “Shields Up” advisory in the wake of Russia’s invasion of Ukraine, warning that malicious cyber activity was likely to increase.
VMware and F5 vulnerabilities exposed
Commenting on one of these vulnerabilities, CVE 2022-22954, cybersecurity firm Mandiant said: “An attacker could exploit this vulnerability to perform a server-side template injection… An attacker would need to send a specially crafted request to the vulnerable system. A failed attempt at exploitation could potentially cause a crash of the application, resulting in a denial-of-service condition.”
On April 13, VMware confirmed the exploitation of this vulnerability in the wild. On April 25, The Hacker News reported that a threat actor known as “Rocket Kitten” actively exploited this vulnerability to deploy the Core Impact penetration testing tool on vulnerable systems.
Mandiant Threat Intelligence wrote that they consider this “a high-risk exposure due to the potential for arbitrary code execution with no user interaction required.”
VMware issued patches for this and other vulnerabilities in April and released additional fixes last week. CISA’s emergency directive suggests that many organizations have not quickly updated their systems.
And it’s not just government agencies that are at risk from these supply chain risks.
“We also strongly urge every organization – large and small – to follow the federal government’s lead and take similar steps to safeguard their networks,” CISA said late last week.
Vulnerabilities extend into the cyber supply chain
There are many reasons why organizations fail to update their software and hardware fast enough, but budget and staffing shortages are primary.
Proactive Chief Information Security Officers (CISOs) can quickly discover if they have an installed vendor with security issues and schedule patches or updates to mitigate the problems.
The real challenge is knowing whether their cyber supply chains have critical suppliers or partners using compromised systems and then taking steps to address those vulnerabilities.
An analysis of Interos’ global relationship mapping platform data reveals the scale of the challenge:
- 1,239 companies were identified using VMware’s Workspace ONE Access or F5’s BIG-IP products.
- 88 of these companies use both vendors.
- Of the top five direct buyers, more than half (58%) were U.S.-based and more than one-quarter (29%) were in the IT software and services sector.
- The U.K., Canada, Australia, and India are also home to major direct buyers, with banks, consumer services firms, and healthcare providers.
Looking further upstream into the extended cyber supply chain:
- The 1,239 companies using the affected VMware and F5 products directly supply more than 98,000 customers in the U.S., U.K, Germany, Canada, and other countries.
- These 98,000-plus firms, in turn, do business with more than 600,000 firms at Tier 2.
Mandiant’s 2022 M-Trends report, published last month, found that supply chain intrusions were the second most prevalent form of attack in 2021.
Almost one-fifth (17%) of intrusions involved a supply chain compromise – up from just 1% in 2020. The vast majority of these attacks were related to the SolarWinds breach.
Last week, cybersecurity firm SentinelOne published an analysis of a new supply chain malware attack against the Rust development community.
CISOs must monitor supply chain risks
Predicting the next supply chain cyber-attack or disruption is a dark art. However, being aware of all your suppliers and their connections may give you a better chance to understand weaknesses in your cyber supply chain and mitigate risks.
Gone are the days when sending a survey to a supplier every two years and asking only about cyber risk was a practical approach.
The best CISOs actively contribute to operational resilience by continuously monitoring their entire supply chains for multiple types of threats – including vendor financial weakness – using a risk mapping and scoring solution such as the one developed by Interos.
To learn more about Interos, visit Interos.ai.