It has been reported that hackers are using a cloud video hosting service to carry out a supply chain attack on over one hundred real estate sites, injecting malicious scripts that steal information entered into website forms.
These scripts are known as skimmers or formjackers and are commonly injected into hacked websites to steal sensitive information entered into forms. Skimmers are commonly used on checkout pages for online stores to steal payment information. In a new supply chain attack discovered by Palo Alto Networks Unit42, threat actors abused a cloud video hosting feature to inject skimmer code into a video player. When a website embeds that player, it embeds the malicious script, causing the site to become infected.
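One monitoring control a site owner can run against this pattern is sketched below as an added example, not code from Unit42 or the article: it lists the external scripts a page embeds and flags any whose current body no longer matches the digest recorded when it was last reviewed. The hosts, script bodies and function names are hypothetical, and the sample data is constructed.

```javascript
const crypto = require('crypto');

// SRI-style digest ("sha384-<base64>") of a script body.
function sriDigest(body) {
  const hash = crypto.createHash('sha384').update(body, 'utf8').digest('base64');
  return 'sha384-' + hash;
}

// List external <script src=...> tags and whether each carries an integrity attribute.
function externalScripts(html) {
  const found = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    found.push({ src: m[1], hasIntegrity: /\bintegrity\s*=/i.test(m[0]) });
  }
  return found;
}

// Compare each embedded script's current body with the digest pinned at review time.
function auditPage(html, fetchedBodies, baseline) {
  return externalScripts(html).map(({ src, hasIntegrity }) => {
    const body = fetchedBodies[src];
    let status = 'ok';
    if (body === undefined) status = 'unfetched';
    else if (!(src in baseline)) status = 'unpinned';
    else if (sriDigest(body) !== baseline[src]) status = 'changed';
    return { src, hasIntegrity, status };
  });
}

// Constructed sample data (hypothetical hosts and script bodies).
const PAGE = `<html><body>
<script src="https://video.example/player.js"></script>
<script src="https://cdn.example/ui.js" integrity="sha384-placeholder"></script>
</body></html>`;
const CLEAN_PLAYER = 'function play(v){ v.play(); }';
const BASELINE = {
  'https://video.example/player.js': sriDigest(CLEAN_PLAYER),
  'https://cdn.example/ui.js': sriDigest('function ui(){}'),
};
// The player body now differs from what was reviewed: something was appended upstream.
const FETCHED = {
  'https://video.example/player.js': CLEAN_PLAYER + '\n/* unexpected appended code */',
  'https://cdn.example/ui.js': 'function ui(){}',
};

const REPORT = auditPage(PAGE, FETCHED, BASELINE);
console.log(REPORT);
```

A browser-enforced `integrity` attribute only helps when the provider serves a fixed file; for a player that the provider updates in place, a scheduled check like this one turns a silent change into an alert to review.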
Commenting on the news are the following security experts:
Trevor Morgan, product manager at comforte AG, says: As the previous year wound down, many vendors and their experts made predictions about growing trends in 2022. Two of the most cited trends involved supply chain attacks and the cloud as an increasingly viable attack vector. In the attack (identified by Unit42) on a cloud video hosting service, which has compromised dozens of real estate sites relying on the infected cloud service, we see both of these elements combined into a single strategy.
As these types of attacks continue to evolve in sophistication and cleverness, enterprises need to remain focused on the basics: develop a defensive strategy incorporating more than just perimeter-based security, don’t assume that cloud-based services are inherently safe without proper due diligence, and put a priority on emerging data-centric security methods such as tokenization and format-preserving encryption, which can apply protections directly to the sensitive data that threat actors are after. Tokenizing data as soon as it enters your enterprise workflows means that business applications and users can continue to work with that information in a protected state, but more importantly if the wrong people get ahold of it, either inadvertently or through coordinated attacks like this one, the sensitive information remains obfuscated so that threat actors cannot leverage it for gain.
Javvad Malik, lead security awareness advocate at KnowBe4, concludes: Supply chain attacks come in many shapes and forms. While most of the headline-grabbing attacks are often targeted against large organisations, there are many instances where criminals will cast a wider net to infect as many organisations as possible.
Many industries will use shared services of some sort, such as document sharing platforms, videos, photos, and so forth. These are often most susceptible to attack and can go undetected for longer. It's why organisations should carefully vet third parties and have in place their own monitoring controls to check for any unexpected behaviour. Unfortunately, there isn't an easy fix for supply chain attacks, and it involves all concerned parties to do their part in ensuring everyone remains secure.