AppSec predictions 2021: Supply chain attacks are a greater threat to all industries


This is the final post in a three-part series of AppSec predictions for 2021.  You can read the complete series here.

Every year(ish), I publish our AppSec predictions about three of the threats that look to be the biggest problems in the upcoming year. In the past two years, the predictions were: credential stuffing/account takeover attacks, API attacks, and supply chain attacks. This year our predictions are informed by our augmented Threat Intelligence Service, which is a part of Barracuda Advanced Bot Protection. In short, we have significantly more data informing our conclusions.

Supply chain attacks spread further and become a bigger threat across industries

Supply chain attacks are, in short, attacks against the software supply chain. They take many forms, but in this webinar we talk about the attacks against web applications. These attacks were first identified around 2018 and dubbed Magecart because they primarily targeted Magento-based online shops. The attackers first identified third-party JavaScript that was widely used on checkout pages, then compromised those source files and inserted card-skimming code. When a user loaded the site, the now-malicious JavaScript was loaded along with it and stole the user's credentials.

Through 2019 and 2020, there were a number of large attacks by this group, and they hit some high-profile targets like British Airways. At this point, thousands of compromised shops have been identified, and many cybercriminal groups are operating with this attack. Some of these compromised scripts are quite advanced — when you run a web vulnerability scanner, they don’t execute their malicious code and pretend to be working normally, preventing detection. So there are some fairly advanced and organized groups working on this. You also have the Inter Skimmer, which has become the most popular tool for attackers wanting to execute this type of attack. Like bots, there are actual support channels, with proper research and development behind the products, and there is an underground economy.

This is an example of a skimmer that Visa detected in August 2020. As you can see, the creators went to great lengths to avoid being discovered and removed from sites that were using the vulnerable JavaScript.

The difficulty in securing against these attacks is that these scripts are added to applications without much checking. Once they are part of your website, they are downloaded directly from the source — which in many cases you do not control, like GitHub — and executed in the browser. These attacks tend to go undetected for a long time, and the quality of the exfiltrated data is high. If you look at the defenses in place today, they typically depend on Content Security Policies, which are difficult to operationalize and prone to false positives. There is a very good chance that your CSP configuration has been loosened into a very permissive one precisely because of that large number of false positives. The other option is site scanning, but these malicious tools are built to detect and evade such scanners. The code in these scripts is obfuscated, implements anti-bot techniques, and waits for specific patterns of user actions (like mouseup) before it actually executes. Custom solutions are being built to defend against these attacks, and a number of them came onto the market in 2020.
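One way to check for the permissive CSP configuration described above, as an added example that is not part of the original post (the sample policies and the function names are constructed for illustration):

```javascript
// Added example (not from the original post): lint a Content-Security-Policy
// header value for the permissive settings that quietly defeat it as a
// defence against injected third-party script. The sample policies at the
// bottom are constructed for illustration.

function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives[name.toLowerCase()] = values;
  }
  return directives;
}

// Returns a list of findings about where scripts may be loaded from. An empty
// list means script sources are explicitly and narrowly restricted.
function auditScriptSources(header) {
  const d = parseCsp(header);
  const findings = [];
  // script-src falls back to default-src when absent; if neither exists,
  // any origin may serve script.
  const src = d['script-src'] || d['default-src'];
  if (!src) {
    findings.push('no script-src or default-src: scripts may load from anywhere');
    return findings;
  }
  const sources = src.map((s) => s.toLowerCase());
  if (sources.includes('*')) findings.push("'*' allows script from any origin");
  if (sources.includes("'unsafe-inline'")) findings.push("'unsafe-inline' permits injected inline script");
  if (sources.includes("'unsafe-eval'")) findings.push("'unsafe-eval' permits string-to-code execution");
  for (const s of sources) {
    // A bare scheme ("https:") or a wildcard host ("https://*.cdn.example")
    // trusts every host on that scheme or under that domain, which is how a
    // compromised CDN or repository stays on the allow list.
    if (/^[a-z]+:$/.test(s)) findings.push(`scheme-only source ${s} trusts every host`);
    else if (s.includes('*')) findings.push(`wildcard host ${s} trusts all matching hosts`);
  }
  return findings;
}

// Constructed samples: a policy loosened after false positives, and a strict one.
const PERMISSIVE_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https: https://*.cdn.example";
const STRICT_CSP = "default-src 'self'; script-src 'self' https://checkout.example/js/";
```

Roll out a tightened policy under the Content-Security-Policy-Report-Only header first, so the false positives the post mentions surface as reports instead of broken checkout pages.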

This graph from HTTP Archive shows the breadth of the problem — about 80% of the scanned sites used vulnerable third-party JavaScript.

Supply chain attacks like this are still not very well known, but expect to see them grow slowly and then be a massive problem all of a sudden!

AppSec in 2021 continues to be interesting

When it comes to bots and reselling, we see that legislators are getting involved. For example, in the UK, they are attempting to block resale above the MSRP of products. There is precedent for this. In 2015, the U.S. passed a law against ticket scalping, after a massive surge in complaints about scalpers. Whether these new laws work or whether the bot makers continue their behavior of poking holes in parental rules to get their cookies remains to be seen.

An interesting thing we are seeing is financial institutions looking to make their customers (vendors who own e-commerce shops) use solutions that block these attacks. We’ve seen a couple of tentative inquiries on this. Additionally, these attacks are going far beyond credit card data into other PII and becoming much more dangerous, and with laws like GDPR and CCPA and the like, securing against such attacks becomes much more important.

2021 applications security predictions: Bot, API, and supply chain attacks
