When the Mundane Becomes the Target

Author: Ryan Kelch, CISM, GCFA, Cloud Security Manager, Splunk
Date Published: 4 February 2021

“The enemy is never more unnerving than when he’s invisible.” - K.J. Parker

Cloud security in 2020 was upended from previous years – to say the least. The COVID-19 pandemic fundamentally altered human behavior, and those changes directly impacted the tech industry. In the workplace, water cooler discussions have been replaced with video and chat applications, conferences have been moved to “virtual experiences,” and “no-sites” now stand in place of off-sites. In our personal lives, we use online pick-up orders instead of walking into our local department store. Curbside delivery is in some cases the only way we can support our favorite eateries. Even medical visits and religious services have been shifted online.

All of these changes have strained our infrastructure, put additional pressure on the services we lean on so heavily for day-to-day life, and forced businesses to think about how to support their customers effectively when their employees are no longer in an office building. There has been a lot of discussion over the last year around how to keep ourselves safe through these interactions. What has been discussed far less is how these rapid changes could be affecting the companies themselves.

A company being hacked in this day and age is almost pedestrian. So, the fact that something as mundane as an infrastructure monitoring platform (SolarWinds), a CI/CD server (JetBrains TeamCity), a JavaScript library (twilio-npm), or even a long-trusted browser extension (thegreatsuspender) has been compromised wouldn’t necessarily be so newsworthy on its own. But if you step back and look at these not as individual issues but as a set, there is a pattern. Attackers are now targeting the supply chains and user tools that are not traditional security targets, and this time at scale.

As we understand now, SolarWinds and JetBrains are tied together in what has become an extensive breach of technology vendors, security companies and government agencies by a suspected state-sponsored attacker. What is most alarming is not that it happened, but that the very tools companies are using to monitor and maintain their infrastructure have been leveraged to attack a wide swath of industry verticals, nearly undetected for at least six months and possibly longer. As companies scaled up and scaled out, the requirement to support their users monitoring their infrastructure grew as well. Unbeknownst to them, these tools were being used against them and potentially against the very customers they were working to support.

The Twilio npm package, which is downloaded nearly 500,000 times per week, is a JavaScript-based communications platform-as-a-service client. Many Fortune 500 companies across industry verticals use Twilio to communicate more effectively with their customers. The npm package itself is used to build and support the backend components of that communications infrastructure. Using brandjacking, a malicious actor was able to create a similarly named npm package and weaponize it with the ability to compromise a developer’s machine and establish a persistent connection with remote code execution and reverse shell capabilities. With this type of compromise scenario, many of our traditional security controls have been rendered useless.
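
A defender-side check for the lookalike-name technique described above, as an added example that is not part of the original article: it flags dependencies in a manifest whose names imitate a trusted package. The trusted list, the sample manifest and its version numbers are constructed for illustration; `twilio` is taken as the legitimate package name and `twilio-npm` is the lookalike named earlier in the article.

```javascript
// Added example: flag dependency names that imitate a trusted package name.
// TRUSTED and the sample manifest below are constructed for illustration.
const TRUSTED = ["twilio", "express", "lodash"];

// Strip affixes and separators that brandjacked names commonly add.
function normalize(name) {
  return name
    .toLowerCase()
    .replace(/^(node|js)[-_.]/, "")      // leading "node-", "js-"
    .replace(/[-_.](npm|js|node)$/, "")  // trailing "-npm", "-js", ".js"
    .replace(/[-_.]/g, "");              // remaining separators
}

// Classic dynamic-programming Levenshtein distance.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Return every dependency that is not trusted but resembles a trusted name.
function findLookalikes(dependencies, trusted = TRUSTED) {
  const findings = [];
  for (const name of Object.keys(dependencies)) {
    if (trusted.includes(name)) continue; // exact trusted name, nothing to flag
    for (const good of trusted) {
      const n = normalize(name), g = normalize(good);
      if (n === g) {
        findings.push({ name, resembles: good, reason: "affix variant" });
      } else if (editDistance(n, g) === 1) {
        findings.push({ name, resembles: good, reason: "one edit away" });
      }
    }
  }
  return findings;
}

// Constructed manifest: two legitimate names, two lookalikes, one unrelated.
const sampleDeps = {
  twilio: "^3.50.0", "twilio-npm": "1.0.0", express: "^4.17.1",
  expres: "4.17.1", "left-pad": "1.3.0",
};
console.log(findLookalikes(sampleDeps));
```

A check like this fits in a pre-install or CI step that reads `package.json`; a finding means the name needs a human look before anything is installed, not that the package is malicious.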

In this final example, we get even closer to home – directly in a user’s browser. As the world has become more virtual, our habits have changed with it. We have experienced more software installations to support multiple chat and video communication platforms. We’ve found creative ways to make our experiences more robust. We have leaned even more into using our browser to solve some of these problems. But as our dependency on the browser has grown, so did its resource utilization, and that’s where extensions like The Great Suspender (TGS) come in. The extension’s premise is solid: reduce browser resource consumption on our already-strained computers. That is, until an extension developer maliciously modifies that extension to perform nefarious activities. In the case of TGS, new and obfuscated code was added that enabled silent code execution on the device from third-party sites. In this instance, the code was not identified to be directly malicious, but the opportunity for this to happen again is easy to see. This is also a particularly vulnerable portion of our users’ device security and one that can potentially bypass almost every other security control.

One may liken this type of activity to supply-chain attacks, similar to what companies like Target or Home Depot experienced within the past eight years. In both retail chain cases, and in the examples briefly discussed here, we are relying both on our company’s individual controls as well as a community effort to stay safe. And while it is well understood that large retail spaces need air conditioning to keep customers cool, we rarely think about the technical building blocks behind the scenes that keep the business running. The once-invisible mundane has become visible, and it is now the target.
