Story of the Year: global IT outages and supply chain attacks

A faulty update by cybersecurity firm CrowdStrike triggered one of the largest IT outages in history, impacting approximately 8.5 million systems worldwide. This incident serves as a stark reminder of the critical risks posed by global IT disruptions and supply chain weaknesses. With large-scale security crises being one of the most relevant threats worldwide, it’s more important than ever to reflect on past events, assess emerging threats, and, most crucially, explore strategies to prevent future incidents.

As part of Kaspersky Security Bulletin 2024, our “Story of the Year” centers on these pressing issues. We’ll begin by revisiting notable supply chain incidents from 2024, and then explore potential scenarios of more damaging cases and the ways we prepare for them.

Let’s dive in!

Overview of 2024’s supply chain disruptions

CrowdStrike Linux outage

What happened? Just weeks before the Windows incident, CrowdStrike encountered issues with Linux. A software update in April caused problems in a number of distributions, such as Red Hat, Debian and Rocky.

Why does it matter? Linux is the operating system used by many key infrastructure and security facilities. A previous faulty update had already suggested broader problems with CrowdStrike’s security software at the time, though the problem didn’t receive that much publicity.

XZ backdoor to bypass SSH authentication

What happened? In March, the Opensource Software Security project by Openwall (oss-security) reported a backdoor in XZ, a compression utility and popular code library widely used in Linux distributions. Unlike past supply chain attacks on Node.js, PyPI, FDroid and the Linux kernel, which relied on small malicious injections or fake package delivery resulting from supply chain abuse, this was a multi-stage attack that nearly compromised possibly millions or at least hundreds of thousands of SSH servers globally, with attackers employing social engineering tactics and even creating fake community members to win the trust of the XZ Utils maintainer. Kaspersky presented detailed technical analysis of this case in three parts. Kaspersky products detect malicious objects related to the attack.

Why does it matter? As a result of these tactics, attackers covertly implanted the backdoor. This case underscores the serious risk that social engineering and supply chain attacks pose to open-source projects. It emphasizes the importance of implementing stricter security measures, adopting a more vigilant approach to project management, and maintaining careful oversight in regard to projects’ contributors.

Pager attack in Middle East

What happened? Recent incidents in the Middle East involving pagers have illustrated the risks associated with hardware supply chain attacks. A targeted attack exploited a batch of pagers used by Hezbollah, causing widespread chaos and casualties. Media sources reported that explosives had been concealed within the devices.

Why does it matter? This incident demonstrates the possibility of attacks being conducted to cause physical harm, and various threat actors may be leveraging electronic or fully digital components. The infamous Stuxnet attack serves as a stark reminder of this potential. By targeting industrial control systems, Stuxnet demonstrated how a cyberweapon could inflict tangible, real-world damage, underscoring the critical need for vigilance against such threats in both hardware and software systems.

JavaScript abuse leading to major corporations’ websites being compromised

What happened? Around 385,000 websites using Polyfill.io, a piece of remotely hosted programming code, fell victim to a massive supply chain attack when, after the acquisition of the polyfill.io domain, the loaded script was altered to redirect users to malicious and fraudulent sites. The Polyfill.io service provides support and functionality missing in older versions of web browsers. It enables developers to use modern tools even if they are not supported by a particular browser version. As of July 2024, affected hosts included websites associated with major platforms like Warner Bros, Hulu and Mercedes-Benz.

Why does it matter? According to Cloudflare, Polyfill.io was used by tens of millions of websites — approximately 4% of all sites on the internet — which highlights the severity of the incident, whose full impact is yet to be determined.

Cisco Duo supply chain data breach

What happened? No corporation is immune to the threat of supply chain attacks. User data was stolen from Cisco Duo, a service that provides organizations with multi-factor authentication (MFA) and single sign-on (SSO) network access, as a consequence of a phishing attack targeting an employee of a third-party telephony provider. The breach allowed the threat actor to download SMS message logs.

Why does it matter? This incident highlighted the risks of attacks where third-party service providers become the entry point. IT outsourcing is growing in popularity, offering benefits such as time and resource savings. However, delegating tasks also introduces new information security challenges. In 2023, cyberattacks using trusted relationships had already become one of the top three most common vectors, with this trend gaining new momentum in 2024.

“regreSSHion” vulnerability in OpenSSH

What happened? A critical vulnerability, named “regreSSHion“, was discovered in OpenSSH earlier this year. OpenSSH is used in a wide range of scenarios where secure network communication is required. It is a critical tool in various fields, including system administration, development, and cybersecurity. The SSH protocol is used by companies across all industries, potentially allowing perpetrators to execute malicious code and gain root privileges.

Why does it matter? Exploiting this vulnerability on a massive scale is improbable due to the significant computational power requirements — as it relies on a race condition, attackers would need to make multiple authentication attempts on the target server. According to Qualys, 10,000 attempts are needed for a successful exploitation which may take from several hours to several days, depending on the target OpenSSH server configuration. However, targeted attacks remain a viable possibility. The issue serves as a reminder of the potential risks inherent in widely used software.

Fortinet firewall vulnerabilities

What happened? In October 2024, critical CVEs in four Fortinet products were reported to be actively exploited. Researchers said over 87,000 Fortinet IPs were likely affected by one of the identified vulnerabilities at the time. This information was disseminated, making the vulnerable systems high-visibility targets for threat actors, especially as Fortinet products are commonly found in government, healthcare, and other critical sectors.

Why does it matter? Fortinet products are integral to many organizations’ network security. When critical vulnerabilities in such widely deployed products are exploited, it opens a pathway for attackers to breach the security of multiple organizations through a single vendor’s software or appliances.

Other notable supply chain attacks in 2024 include:

  • Hackers injected malware directly into the source code of the largest Discord bot platform.
  • Attackers attempted to upload hundreds of malicious packages to PyPI, using names that mimicked legitimate projects.
  • Another set of malicious packages was found in the PyPI repository. The packages imitated libraries for LLMs, whereas in fact they downloaded the JarkaStealer malware to the victim’s system.
  • A threat actor gained control over the Tornado Cash crypto mixer.

Beyond 2024’s supply chain incidents: exploring even greater risk scenarios

The incidents covered above prompt a critical question: what kind of scenarios could lead to more devastating consequences? In the following section, we’ll delve into potential global disruptions.

A major AI provider failure

AI dominated our “Story of the Year 2023” as the adoption of generative tools has already influenced nearly every aspect of our lives back then. This year, the trend deepens with AI being officially integrated with services used by millions. Consider OpenAI, with technologies that are used in a wide range of assistants, from Apple and GitHub Copilot to Morgan Stanley‘s proprietary tools. Businesses also rely on models from Meta (Llama), Anthropic (Claude), and Google (Gemini). On the one hand, this transformation enhances daily experiences, but on the other, it heightens the risks associated with the dependence on few key providers. In fact, this trend creates concentrated points of failure: if one of the major AI companies experiences a critical disruption, it could significantly impact dozens, hundreds or even thousands of services depending on it. In a worst-case scenario, a breakdown in these services could mean widespread operational failures across industries.

Another threat that looms large is data breaches. An incident at any major AI provider could lead to one of the most extensive leaks, as AI-powering systems often gather and store a vast amount of sensitive information. While AI chatbot accounts are already being traded on the dark web as a result of malware activity targeting individuals, an AI provider storage breach affecting clients at the corporate level could result in the compromise of even more sensitive data.

Businesses adopting AI should consider vendor diversification, as well as prioritize infrastructure resilience, careful configuration of access restrictions for integrated AI components, and watch closely, as they normally do, any personnel handling sensitive data. Data breaches might not always stem from external cyberattacks; they could be orchestrated by careless or determined insiders who may leverage AI as a tool for data theft.

Exploitation of on-device AI tools

AI integration is accelerating across both consumer-facing and business-oriented gadgets and tools. For example, Apple Intelligence was recently rolled out in beta for the users of its latest systems. This functionality is powered largely by neural cores, or a “Neural Engine“. These engines, and on-device AI in general, provide a genuinely new experience, optimized for running large language models in everyday tasks.

However, with great user experience come great cyber-risks, and as AI becomes more widespread, the likelihood of it being chosen as an attack vector increases. In the Triangulation campaign, discovered by Kaspersky last year, attackers compromised the integrity of system software and hardware by exploiting zero-day vulnerabilities to load advanced spyware onto devices. Similar software or hardware-assisted vulnerabilities in neural processing units, if they exist, could extend or present an even more dangerous attack vector. In such a scenario, attackers wouldn’t just gain access to the information stored on the targeted device — they could also extract contextual data from AI utilities, enabling them to construct highly detailed profiles of their victims and upscale the potential damage.

Our research into Operation Triangulation also revealed the first of its kind case reported by Kaspersky — the misuse of on-device machine learning for data extraction, highlighting that features designed to enhance user experience can also be weaponized by sophisticated threat actors.

These risks underscore the importance of proactive measures for vendors, like conducting security research and rigorous testing, to build stronger defenses against emerging threats.

Cyberattacks on communications satellites

Satellites play a critical role in everyday life, supporting navigation, media broadcasting, emergency response, communication infrastructure and many other services, though their presence often goes unnoticed by ordinary people. As our reliance on satellite-based technologies increases, these systems are becoming attractive targets for threat actors. In 2024, for instance, an APT actor targeted the space industry with backdoors. In another case, an actor reportedly caused satellite-related issues to Finnish utility Fortum.

While these incidents did not lead to severe global disruptions, they highlight the growing risks for satellite infrastructure. A potentially more impactful threat lies in the satellite internet access supply chain. For example, consider Starlink and Viasat — these companies offer high-speed satellite internet connectivity globally, especially in remote areas. At the same time, traditional internet service providers tend to partner with satellite-based ones to extend their reach, which could be a fertile field for malicious campaigns.

Satellite internet access is an important component of the global connectivity chain. It can provide temporary communication links when other systems are down; airlines, ships, and other moving platforms rely on it to provide onboard connectivity and more. Here come cyber-risks: a targeted cyberattack or a faulty update from a leading or dominant satellite provider could cause internet outages and potential communication breakdowns, impacting individuals, businesses and critical infrastructure.

Physical threats to the internet

Following connectivity, the internet is also vulnerable to physical threats. While satellites are rapidly advancing as a means of communication, 95% of international data is transmitted through subsea cables. There are roughly 600 such cables in operation globally, varying in quality and capacity. In addition to these cables, the internet relies on nearly 1,500 Internet Exchange Points (IXPs), which are physical locations, sometimes within data centers, where different networks exchange traffic.

A disruption to just a few critical components of this chain, such as cables or IXPs, could overload the remaining infrastructure, potentially causing widespread outages and significantly impacting global connectivity. The world has already witnessed instances of such disruptions. For example, in a recent case, two undersea cables in the Baltic Sea were reported to be affected, which is further proof that the importance of physical security, including the protection of hardware, continues to grow as a critical concern for the coming years.

Kernel exploitation in Windows and Linux

The two major operating systems power many of the world’s critical assets, including servers, manufacturing equipment, logistics systems and IoT devices. A kernel vulnerability in each of these operating systems could expose countless devices and networks worldwide to potential attacks. For example, in 2024, several kernel vulnerabilities were reported, such as the Linux kernel privilege escalation vulnerability. On the Windows side, in 2024 Microsoft disclosed the CVE-2024-21338, which was a new “admin to kernel” elevation-of-privileges vulnerability used in the wild.

Such vulnerabilities create a high-risk situation where global supply chains could face significant disruptions. These risks underscore the importance of vigilant cybersecurity practices, prompt patching and secure configurations to safeguard the supply chain continuity.

Last but not least: how the risks associated with supply chains could be mitigated

While the scenarios and cases described above may seem alarming, awareness is the first step towards preventing such attacks and mitigating their consequences. Despite the diverse nature of supply chain risks, they can be addressed through several unified strategies. These require a multifaceted approach that combines technological, organizational and workplace cultural measures.

From a security standpoint, regular updates should be rigorously tested before deployment, and vendors must adopt the principle of granular updates to minimize disruptions. AI-driven anomaly detection can enhance human review by reducing alert fatigue. On the user side, patch management and timely updates are vital to maintaining a secure environment.

From a resilience perspective, diversifying providers reduces single points of failure, enhancing the system’s robustness. Equally critical is fostering a culture of responsibility and integrity among personnel, as human vigilance remains a cornerstone of security and stability.

Together, these measures form a strong framework to enhance supply chain resilience, safeguard against potential disruptions, and guide global systems and economies toward a brighter, safer future.

Source:: Securelist