Incident Analysis

Supply Chain Attacks: Lessons from SolarWinds to MOVEit

Alexandre Martin
Incident Response Expert
May 12, 2025
11 min read
#Supply Chain#SolarWinds#MOVEit#Vendor Risk#Threat Intelligence#SBOM

Supply chain attacks represent one of the most devastating threat vectors in modern cybersecurity. By compromising a single trusted vendor, attackers can gain access to thousands of downstream organizations simultaneously. The progression from SolarWinds through Kaseya to MOVEit reveals an evolving threat landscape that demands a fundamental rethinking of how we manage vendor risk.

A Timeline of Major Supply Chain Attacks

SolarWinds (December 2020)

The SolarWinds attack remains the gold standard for supply chain compromises in terms of sophistication and impact.

What Happened: Russian state-sponsored actors (APT29/Cozy Bear) compromised SolarWinds' Orion software build process. They injected a backdoor called SUNBURST into a legitimate software update that was distributed to approximately 18,000 organizations worldwide, including US government agencies and Fortune 500 companies.

Key Techniques:

  • Compromised the CI/CD pipeline to inject malicious code during the build process
  • Used domain generation algorithms (DGA) for command and control communication
  • Mimicked legitimate SolarWinds traffic patterns to avoid detection
  • Remained dormant for two weeks after installation before activating
  • Used temporary file replacement during the build to avoid code review detection

Impact:

  • 18,000 organizations received the compromised update
  • At least 100 organizations were actively exploited
  • US Treasury, Commerce, and Homeland Security departments breached
  • Estimated cleanup costs exceeding USD 100 million for affected organizations

Kaseya VSA (July 2021)

The REvil ransomware gang exploited vulnerabilities in Kaseya's VSA remote monitoring tool to deliver ransomware through managed service providers (MSPs) to their customers.

What Happened: Attackers exploited zero-day vulnerabilities in on-premises Kaseya VSA servers to bypass authentication and deploy ransomware. Because MSPs use VSA to manage client environments, the attack cascaded to between 800 and 1,500 downstream businesses.

Key Lessons:

  • MSP tools represent high-value targets due to their privileged access to client environments
  • Zero-day vulnerabilities in widely deployed management software create systemic risk
  • The attack demonstrated how criminal groups, not just nation-states, can execute supply chain attacks
  • Kaseya had been notified of the vulnerabilities before the attack but had not yet patched

Log4Shell (December 2021)

While not a traditional supply chain attack, the Log4j vulnerability (CVE-2021-44228) exposed the fragility of open-source software supply chains.

What Happened: A critical remote code execution vulnerability was discovered in Apache Log4j, a logging library used in millions of Java applications worldwide. The vulnerability was trivially exploitable and affected everything from enterprise servers to consumer devices.

Key Lessons:

  • Open-source dependencies create hidden supply chain risks
  • Organizations lacked visibility into which of their applications used Log4j
  • Software Bill of Materials (SBOM) became essential for vulnerability management
  • The maintainer burden for critical open-source projects was exposed

3CX (March 2023)

In a cascading supply chain attack, attackers first compromised Trading Technologies' X_TRADER software, then used that access to compromise 3CX's desktop application, affecting 600,000 organizations.

What Happened: North Korean threat actors (Lazarus Group) compromised a financial trading application, used it to access 3CX's build environment, and then trojanized the 3CX VoIP desktop client. This attack demonstrated a supply chain attack launched through a previous supply chain compromise.

Key Lessons:

  • Supply chain attacks can be chained, multiplying their impact
  • Even security-conscious organizations can be compromised through their own software dependencies
  • Code signing alone is insufficient when the build environment is compromised

MOVEit Transfer (May-June 2023)

The Clop ransomware gang exploited a zero-day SQL injection vulnerability in Progress Software's MOVEit Transfer file transfer application to steal data from hundreds of organizations.

What Happened: Clop exploited CVE-2023-34362, a SQL injection vulnerability in MOVEit Transfer, to deploy web shells and exfiltrate data. The attack affected over 2,500 organizations and exposed data of more than 65 million individuals, including government agencies, banks, airlines, and healthcare providers.

Key Lessons:

  • File transfer solutions are high-value targets due to the sensitive data they handle
  • Mass exploitation of a single vulnerability in widely used software can be as devastating as a sophisticated backdoor
  • The financial motivation (data theft for extortion) is sufficient to drive supply chain attacks
  • Many organizations did not know they used MOVEit through their service providers

Defensive Strategies: Building Supply Chain Resilience

1. Software Bill of Materials (SBOM)

Maintain a comprehensive inventory of all software components, including dependencies:

  • Require SBOMs from all software vendors in procurement contracts
  • Use automated tools to generate SBOMs for internally developed applications
  • Monitor SBOMs against vulnerability databases for emerging threats
  • Establish processes to respond when a critical component is compromised
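The Log4Shell lesson above (organizations could not tell which applications used Log4j) is what the third bullet addresses in practice. The following is an added example, not code from the article: it walks a constructed CycloneDX 1.5 SBOM fragment, normalizes component versions, and matches each package URL against a constructed, simplified advisory list that uses the well-known affected range for CVE-2021-44228 (log4j-core 2.0 up to but excluding 2.15.0). In production the advisory ranges would come from a vulnerability database such as NVD or OSV rather than a hard-coded list.

```python
import json
import re

# Constructed CycloneDX 1.5 SBOM fragment (sample input, not any real product's SBOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.15.2", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"}
  ]
}"""

# Constructed, simplified advisory list: (purl without version, first affected,
# first fixed, advisory id). The Log4Shell range is the well-known 2.0 <= v < 2.15.0.
ADVISORIES = [
    ("pkg:maven/org.apache.logging.log4j/log4j-core", "2.0", "2.15.0", "CVE-2021-44228"),
]

def parse_version(v: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1); a pre-release suffix such as '-beta9' is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()

def affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed, compared numerically per segment."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def find_vulnerable(sbom_json: str, advisories=ADVISORIES) -> list:
    """Return (purl, advisory id) pairs for SBOM components inside an affected range."""
    hits = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl", "")
        base, _, _ = purl.partition("@")  # strip the @version suffix for matching
        for prefix, introduced, fixed, adv_id in advisories:
            if base == prefix and affected(comp["version"], introduced, fixed):
                hits.append((purl, adv_id))
    return hits

if __name__ == "__main__":
    for purl, adv in find_vulnerable(SBOM_JSON):
        print(f"{adv}: {purl}")
```

The same loop runs unchanged over an SBOM received from a vendor, which is why the first bullet (requiring SBOMs in procurement contracts) matters.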

2. Vendor Risk Management Program

Implement a structured approach to assessing and monitoring vendor security:

  • Tiering: Classify vendors by criticality and access level
  • Assessment: Conduct security assessments proportionate to vendor tier
  • Monitoring: Continuously monitor vendor security posture through threat intelligence
  • Contractual Controls: Include security requirements, audit rights, and incident notification clauses
  • Exit Planning: Maintain contingency plans for rapid vendor replacement

3. Technical Controls

Deploy defensive measures that limit the impact of supply chain compromises:

  • Network segmentation: Isolate vendor-accessible systems from critical infrastructure
  • Least-privilege access: Grant vendors only the minimum access required
  • Behavioral monitoring: Detect anomalous behavior in trusted software
  • Application allowlisting: Control which software can execute in your environment
  • Integrity verification: Validate software integrity before deployment
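SUNBURST's use of DGA-style subdomains for command and control is the kind of behaviour the "Behavioral monitoring" bullet is meant to surface: a trusted binary starts resolving many distinct, random-looking hostnames under one base domain. The following is an added example, not code from the article: it scores constructed DNS resolver log lines (the domains, addresses and timestamps are made up; "update-cdn.example" stands in for a benign vendor domain, "telemetry-sync.invalid" for a suspicious one) by the Shannon entropy and length of the leftmost label and counts distinct high-entropy labels per client and base domain.

```python
import math
from collections import defaultdict

# Constructed DNS resolver log: "<timestamp> <client> <query>". Not real telemetry.
DNS_LOG = """\
2025-05-12T08:00:01 10.0.4.17 downloads.update-cdn.example
2025-05-12T08:00:02 10.0.4.17 api.update-cdn.example
2025-05-12T08:00:05 10.0.4.22 r7k2mq9xw3pv.telemetry-sync.invalid
2025-05-12T08:00:06 10.0.4.22 h0zb4nq8tr5yd.telemetry-sync.invalid
2025-05-12T08:00:08 10.0.4.22 vc6j3pm1kx9wa.telemetry-sync.invalid
2025-05-12T08:00:09 10.0.4.22 qp2fn8zr4lt7e.telemetry-sync.invalid
2025-05-12T08:00:11 10.0.4.31 mail.update-cdn.example
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score above roughly 3.5."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(fqdn: str) -> str:
    """Last two labels; a production version would consult the public suffix list."""
    return ".".join(fqdn.rstrip(".").split(".")[-2:])

def score_dns_log(log: str, min_entropy: float = 3.3, min_unique: int = 3) -> dict:
    """Count distinct high-entropy leftmost labels per (client, base domain).
    Returns only the pairs at or above min_unique, i.e. the ones worth an analyst's look."""
    seen = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the job
        _, client, fqdn = parts
        label = fqdn.split(".")[0]
        if len(label) >= 10 and shannon_entropy(label) >= min_entropy:
            seen[(client, registered_domain(fqdn))].add(label)
    return {key: len(labels) for key, labels in seen.items() if len(labels) >= min_unique}

if __name__ == "__main__":
    for (client, domain), n in score_dns_log(DNS_LOG).items():
        print(f"{client} -> {domain}: {n} distinct high-entropy subdomains")
```

The thresholds are starting points; baseline them against your own resolver traffic, since CDNs and some legitimate telemetry services also use long hashed labels.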

4. Build Pipeline Security

For organizations that develop software, secure the entire build and deployment pipeline:

  • Implement multi-party code review for all changes
  • Use reproducible builds to verify binary integrity
  • Secure CI/CD infrastructure with hardened configurations
  • Monitor build systems for unauthorized modifications
  • Sign and verify all artifacts throughout the pipeline

5. Zero Trust for Vendor Access

Apply Zero Trust principles specifically to vendor relationships:

  • Authenticate and authorize every vendor access request
  • Monitor all vendor sessions in real-time
  • Implement just-in-time access provisioning
  • Record and audit all vendor activities
  • Revoke access immediately when no longer needed

Conclusion

Supply chain attacks are not a temporary trend. They represent a fundamental shift in how sophisticated adversaries approach their targets. The lessons from SolarWinds through MOVEit teach us that trust in our vendors must be earned continuously, not granted implicitly. Organizations that invest in supply chain visibility, vendor risk management, and technical controls will be significantly better positioned to withstand the next major supply chain compromise.

Concerned about your supply chain security? Contact us for a comprehensive vendor risk assessment.
