CLOUD THREAT RESEARCH

Unit 42 Cloud Threat Report, 2H 2021

Learn how common supply chain issues undermine security in the cloud
Introduction

Understand supply chain attacks to defend against them

Supply chain attacks in the cloud continue to grow as an emerging threat. However, much remains misunderstood about both the nature of these attacks and how to defend against them. To gain insight into this growing threat, Palo Alto Networks Unit 42 cloud threat researchers analyzed data from a variety of public data sources around the world. Additionally, they executed a Red Team exercise at the request of a large SaaS provider against their cloud-hosted software development environment. Unit 42’s findings indicate that many organizations may still be lulled into a false sense of supply chain security in the cloud.

This report draws on Unit 42’s analysis of past supply chain attacks. It explains the full scope of supply chain attacks, discusses poorly understood details about how they occur, and recommends actionable best practices organizations can adopt today to protect their supply chains in the cloud.

Matthew Chiodi
Chief Security Officer, Cloud
Supply chain attacks are not a new threat

While the SolarWinds incident was the first major software supply chain attack to make international headlines, it wasn’t the first of its kind. Unit 42 researchers have been tracking significant attacks that have occurred to date, including some as early as 2015.

  • September 2015 – XcodeGhost: An attacker distributed a version of Apple’s Xcode software (used to build iOS and macOS applications) that injected additional code into iOS apps built using it. This attack resulted in thousands of compromised apps identified in Apple’s App Store®.
  • March 2016 – KeRanger: Transmission, a popular open-source BitTorrent client, was compromised through the injection of macOS ransomware into its installer. Users who downloaded and installed the program would be infected with malware that held their files for ransom. Attackers injected the ransomware by taking control of the servers used to distribute Transmission.
  • June 2017 – NotPetya: Attackers compromised a Ukrainian software company and distributed a destructive payload with network-worm capabilities through an update to the “MeDoc” financial software. After infecting systems using the software, the malware spread to other hosts in the network and caused a worldwide disruption that affected thousands of organizations.
  • September 2017 – CCleaner: Attackers compromised Avast’s CCleaner tool, used by millions to help keep their PCs working properly. The compromise was used to target large technology and telecommunications companies worldwide with a second-stage payload.

In each of these breaches, attackers compromised a software development or distribution pipeline and then used the trust that users placed in the compromised software to gain access to other networks.

RESEARCH TECHNIQUES
How to own a cloud supply chain

During a Red Team exercise commissioned by a Palo Alto Networks customer, Unit 42 researchers were able to masquerade as malicious developers with limited access to an organization’s Continuous Integration (CI) environment and attempt to gain administrative rights to the larger cloud infrastructure. This operation demonstrated how a malicious insider could harvest a CI repository and gain access to sensitive information.

  • The Unit 42 team was able to download every GitLab repository from the customer’s cloud software storage location. This allowed them to identify nearly 80,000 individual cloud resources within 154 unique CI repositories.
  • Within the repositories, researchers found 26 hardcoded IAM key pairs. This allowed them to escalate their privileges and access the customer’s supply chain operations.
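As an added example (not Unit 42's tooling), the following scanner flags the kind of hardcoded AWS IAM key pairs the team found in CI repositories and reports them masked. The repository contents it scans are constructed, with fake credentials, and the key-prefix and secret-length patterns are the scanner's own assumptions about AWS key formats.

```python
"""Scan repository text for hardcoded AWS IAM key pairs.
Added example; the sample repository below is constructed with fake keys."""
import re

# Access key IDs are 20 chars with a fixed prefix: AKIA (long-lived IAM user
# keys) or ASIA (temporary STS credentials).
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# Secret keys are 40 base64-like chars; only report one that follows a
# secret-key variable name, to limit false positives.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret_key)\W{0,5}([A-Za-z0-9/+=]{40})\b"
)

def mask(value):
    """Keep only the first and last 4 chars so the report itself leaks nothing."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]

def find_key_pairs(text, window=300):
    """Return (line_no, masked_key_id, secret_nearby) per access key ID found."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(text):
        # A secret within `window` chars after the ID means a usable key pair.
        secret_nearby = SECRET_KEY_RE.search(text, m.end(), m.end() + window) is not None
        line_no = text.count("\n", 0, m.start()) + 1
        findings.append((line_no, mask(m.group(1)), secret_nearby))
    return findings

def scan_repo(files):
    """Map each file path to its findings, dropping clean files."""
    report = {}
    for path, text in files.items():
        hits = find_key_pairs(text)
        if hits:
            report[path] = hits
    return report

# Constructed sample repository; none of these values are real credentials.
FAKE_SECRET = "constructedSecretValueForExample" + "0" * 8  # 40 chars
SAMPLE_REPO = {
    ".gitlab-ci.yml": "deploy:\n  variables:\n"
                      "    AWS_ACCESS_KEY_ID: AKIAEXAMPLEKEY000001\n"
                      f"    AWS_SECRET_ACCESS_KEY: {FAKE_SECRET}\n",
    "infra/provider.tf": 'provider "aws" {\n  region     = "us-east-1"\n'
                         '  access_key = "AKIAEXAMPLEKEY000002"\n'
                         f'  secret_key = "{FAKE_SECRET}"\n}}\n',
    "README.md": "Set AWS_ACCESS_KEY_ID in the runner environment, not in git.\n",
}
```

Running `scan_repo(SAMPLE_REPO)` reports both the CI variables file and the Terraform provider block, each with a complete key pair, while the README is clean.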

KEY FINDINGS

Caught by the SOC

Why it Matters: The customer’s integration of AWS GuardDuty with a Cloud Security Posture Management platform was essential to the detection of the attack. In this case, they used Palo Alto Networks Prisma Cloud. However, because the customer only configured one of the accounts properly, only a small fraction of the overall malicious activity came to light in the SOC.

IaC security means supply chain security

Why it Matters: Due to the use of Infrastructure-as-Code (IaC) tools that often borrow and reuse multiple layers of third-party resources, supply chain vulnerabilities can quickly snowball. Although the deployed infrastructure in the example below will fully function, the default configurations of the dependent packages may not be secure. If any of them are compromised, millions of connected cloud environments could become vulnerable to attacks – much like those in recent history.


Insecure configurations in open-source Terraform

Why it Matters: Unit 42 researchers used Bridgecrew’s Checkov, an open-source static code analysis tool for infrastructure as code, to analyze 4,055 Terraform templates and 38,480 Terraform files in popular open-source Terraform repositories. The owners of these templates can be a CSP, a vendor, or any open-source developer. Overall, 63% of the Terraform templates contain one or more insecure configurations, and 49% of the templates contain at least one critical or highly insecure configuration. Weighted by the number of times each module has been downloaded, 64% of the downloads result in at least one high or critical insecure configuration.


Insecure configurations in Kubernetes Helm charts

Why it Matters: Unit 42 researchers analyzed 3,155 Helm charts and 8,805 YAML files in Artifact Hub using helm-scanner. Overall, 99.9% of the Helm charts contain one or more insecure configurations, while 6% of Helm charts contain at least one critical or highly insecure configuration.


Vulnerabilities in widely used container images

Why it Matters: Unit 42 researchers analyzed the container images (1,544 distinct images) used in the Kubernetes Helm charts. These container images were hosted in various public registries such as Docker Hub, Quay and Google Container Registry (GCR). Overall, the team found known vulnerabilities in 96% of the images and at least one critical or high vulnerability in 91% of the images.

Bill of materials visibility is critical

The key takeaway from this report is that gaining visibility into every cloud native workload through shift-left security is critical. Despite much talk in the security community about shifting left, organizations are still very much neglecting DevOps security due in part to a lack of attention to supply chain threats.



Copyright © 2023 Palo Alto Networks. All rights reserved