
    Software supply chain attacks explained

    By Aravind
    Published on March 21, 2022

    In networking parlance, a supply chain is the combination of resources (hardware and software), storage (cloud and on-premises), distribution mechanisms (websites, applications), and management software used to build a solution or an application. Supply chain attacks, also known as third-party attacks, backdoor breaches, or value chain attacks, exploit the weakest link of that chain, vulnerable network protocols, to reach an organization through the parties it depends on. These attacks damage an enterprise's reputation, security posture, and growth because a single triggering event lets attackers compromise multiple areas of a network.

    The occurrence of supply chain attacks in 2021 grew by 300% compared to the previous year, according to the 2021 Software Supply Chain Security Report from Argon Security, which was recently acquired by cloud-native security provider Aqua. This alarming statistic indicates the emergence of supply chain attacks as a potent threat.

    How supply chain attacks happen

    To execute a supply chain attack, threat actors keep their digital footprint (log information, for instance) nearly invisible. They look for security gaps that are largely overlooked by the organization's cybersecurity teams. To keep the attack covert, the attackers leverage the implicit trust enjoyed by certain entities within the organization's network, such as valued third-party vendors. Where the organizational network itself is highly secure, the attackers may instead target those third-party vendors first and exploit the trust relationship afterwards.

    The attackers take advantage of unprotected servers, unsafe cybersecurity practices, vulnerable software packages, and third-party vendors to infiltrate, tamper with source code, and inject malicious code into the build. A common consequence of a supply chain compromise is an advanced persistent threat (APT), in which intruders maintain an extended presence within the network to carry out post-exploitation activities over a prolonged period.

    If attackers target the delivery end of the supply chain, the malware can reach the customers, leading to widespread infection. By attacking an organization's MSPs, threat actors gain access to multiple customer networks at once, spreading the malware to every endpoint associated with the supply chain.

    Supply chain attack examples

    Supply chain attacks have gained notoriety among organizations for their stealth and the breadth of their impact. Some prominent cases include:

    Backdoor attacks

    In 2020, a United States-based software company fell victim to a nation-state attack that led to a major data breach affecting over 3,000 email accounts and impacting government agencies and several corporations. The attack, known as Sunburst, embedded backdoor code into the targeted organization's platform software, which was then used to access customer and public networks.

    Compromise of code integrity

    A code integrity compromise hit a software testing organization that specializes in code coverage and reporting. Attackers exploited an error to gain unauthorized access and modify the organization's uploader script, which was designed for CI/CD platforms. This enabled them to export confidential customer information and divert it to an attacker-controlled server outside the organization's network.

    Ransomware attack

    A software solutions provider that caters to MSPs was exploited by the ransomware group REvil through a single product, causing a ripple effect that infected over 1,000 customers. REvil demanded a ransom of $70 million in exchange for publishing a universal decryptor that would recover the affected files.

    Third-party attack

    In 2014, a retail giant suffered a massive data breach after attackers accessed its customers' sensitive information through an email phishing attack on its third-party HVAC vendor. The attack compromised the personal information of over 70 million customers, and over 40 million credit and debit cards.

    Compromise of IoT security

    In 2021, a vulnerability was detected in a component manufactured by a company that provides remote access to audio and video streams over the internet. The component was part of the supply chain of surveillance cameras, and the flaw enabled attackers to gain unauthorized access to confidential audio and video feeds.

    Mitigation and prevention of supply chain attacks

    To thwart supply chain attacks, organizations need a supply chain risk management (SCRM) strategy in place to identify, examine, and mitigate potential risks. The Cybersecurity Supply Chain Risk Management (C-SCRM) program devised by NIST provides organizations with the tools and techniques required to address supply chain vulnerabilities, foreseen or not.

    Implementing honeytokens (fake email addresses, fake databases, and executable files) next to business-critical digital assets helps expose the covert presence of cybercriminals. These markers (spurious information) act as bait: threat actors can be lured into accessing them, and any use of a marker can then be traced back to the asset it was planted beside and used to track and eliminate the threat.
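The following is an added example (not code from the article or from any product it mentions) of how the honeytoken idea above works in practice: mint fake API keys that have no legitimate user, record which asset each one was planted beside, and treat any appearance of a registered key in logs as a high-confidence alert. The `hk_` key format, the registry class, the planted paths, and the log lines are all constructed for illustration.

```python
"""Honeytoken minting and detection (added example, not from the article)."""
import re
import secrets
from dataclasses import dataclass, field

# Assumption: fake keys carry a private prefix so they can never collide with real credentials.
TOKEN_PREFIX = "hk_"
TOKEN_RE = re.compile(r"\b" + re.escape(TOKEN_PREFIX) + r"[0-9a-f]{32}\b")


@dataclass
class Alert:
    token: str
    planted_at: str   # the asset the token was planted beside, i.e. what the intruder reached
    line_no: int
    line: str


@dataclass
class HoneytokenRegistry:
    """Maps each minted token to the asset it was planted next to."""
    tokens: dict = field(default_factory=dict)

    def mint(self, planted_at: str) -> str:
        """Create a unique, unguessable fake credential and record where it lives."""
        token = TOKEN_PREFIX + secrets.token_hex(16)   # 16 bytes -> 32 hex chars
        self.tokens[token] = planted_at
        return token

    def scan(self, log_lines) -> list:
        """Any appearance of a registered token is an alert: honeytokens have no
        legitimate user, so there are no benign hits to filter out."""
        alerts = []
        for line_no, line in enumerate(log_lines, start=1):
            for match in TOKEN_RE.finditer(line):
                planted_at = self.tokens.get(match.group(0))
                if planted_at is not None:   # tokens we never minted are not ours to alert on
                    alerts.append(Alert(match.group(0), planted_at, line_no, line))
        return alerts


def demo():
    """Plant two tokens, then scan constructed API gateway logs for their use."""
    registry = HoneytokenRegistry()
    backup_key = registry.mint("s3://backups/old-config.env")   # constructed path
    deploy_key = registry.mint("ci/legacy-deploy.sh")           # constructed path
    # Constructed log lines; only the second one reuses a planted key.
    logs = [
        f"2022-03-21T10:01:12Z GET /v1/reports key=hk_{'0' * 32} status=401",
        f"2022-03-21T10:02:45Z GET /v1/customers key={backup_key} status=401 src=203.0.113.7",
        "2022-03-21T10:03:01Z GET /health status=200",
    ]
    return registry.scan(logs), backup_key, deploy_key


if __name__ == "__main__":
    for alert in demo()[0]:
        print(f"line {alert.line_no}: honeytoken from {alert.planted_at} was used")
```

The alert carries the planted location, which is the useful part of the signal: the key itself is worthless to an attacker, but its use tells the defender exactly which backup, script, or store was read.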

    Before roping in third-party vendors, parent enterprises must ensure that they are certified to proven compliance standards. Risk management strategies and mitigation should also address the cybersecurity needs of third-party vendors. An inclusive approach to remediation is the key to ensuring supply chain security.

    To prevent the compromise of code, it is essential to have code integrity policies in place. Such policies prevent the execution of untrusted or modified code within a supply chain network.
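As an added illustration of a code integrity check (this is example code, not the article's or any vendor's), the block below pins SHA-256 digests of build artifacts in a manifest that is distributed separately from the artifacts themselves, and refuses to use any fetched file whose digest is missing or differs. It also models the uploader-script case from the examples section: the same script with one extra line injected fails verification. The script contents, file names, and manifest are constructed for illustration.

```python
"""Pinned-digest verification of fetched build artifacts (added example, not from the article)."""
import hashlib
import hmac

# Assumption: the manifest of expected digests is committed to the repository (or otherwise
# obtained over a trusted channel), so whoever replaces a download cannot also update it.


class IntegrityError(Exception):
    """Raised when an artifact cannot be trusted; the caller must not execute it."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data: bytes, expected_hex: str) -> bool:
    """Compare the artifact digest with the pinned value in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def verify_all(fetched: dict, manifest: dict) -> dict:
    """Check every fetched artifact against the manifest.

    Anything without a pinned digest, or whose digest differs, is rejected, and nothing is
    reported as usable unless every artifact passes (fail closed, not per-file).
    """
    results = {}
    for name, data in fetched.items():
        if name not in manifest:
            raise IntegrityError(f"{name}: no pinned digest, refusing to use")
        results[name] = verify_artifact(data, manifest[name])
    bad = [name for name, ok in results.items() if not ok]
    if bad:
        raise IntegrityError("digest mismatch: " + ", ".join(bad))
    return results


# Constructed sample: the known-good uploader script and a copy with one injected line.
GOOD_SCRIPT = b'#!/bin/sh\n# upload coverage report\nupload_report "$1"\n'
TAMPERED_SCRIPT = GOOD_SCRIPT + b"# injected line\n"

# In practice this is a literal hex string pinned at release time; it is computed here only
# so the example stays self-contained.
MANIFEST = {"uploader.sh": sha256_hex(GOOD_SCRIPT)}


def demo():
    """Return (results for the good script, whether the tampered script was rejected)."""
    ok = verify_all({"uploader.sh": GOOD_SCRIPT}, MANIFEST)
    try:
        verify_all({"uploader.sh": TAMPERED_SCRIPT}, MANIFEST)
        tampered_rejected = False
    except IntegrityError:
        tampered_rejected = True
    return ok, tampered_rejected


if __name__ == "__main__":
    print(demo())
```

The check only helps if the manifest travels independently of the artifact; a digest published next to the download on the same server is replaced along with it. The same pattern is what package managers implement with hash-pinned lockfiles.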

    Organizations and third-party vendors must incorporate efficient patch management and auto-update features into their mitigation strategies and software development lifecycle.

    Perceived insider threats must be addressed by implementing UEBA and SIEM-based tools that map user and device behaviors so that any signs of unusual activity can be detected and escalated.
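To make the behavioral-mapping idea concrete, here is an added example (not the article's code, and not any UEBA or SIEM product's logic) of the simplest form of it: build a per-user baseline of hosts used and active hours from historical authentication logs, then escalate new events by how many independent ways they deviate from that history. The log layout, user names, hosts, and timestamps are constructed; real tools use far richer features, but the baseline-then-deviation shape is the same.

```python
"""Baseline-and-deviation detection over constructed auth logs (added example, not from the article)."""
import re
from collections import defaultdict
from datetime import datetime

# Assumption: events have been normalised to one line in this key=value layout.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"user=(?P<user>\S+) host=(?P<host>\S+) action=(?P<action>\S+)"
)


def parse(line):
    """Return an event dict for a well-formed line, or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"], "host": m["host"], "action": m["action"],
    }


def build_baseline(lines):
    """For each user, record the hosts they touched and the hours of day they were active."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for e in filter(None, map(parse, lines)):
        hosts[e["user"]].add(e["host"])
        hours[e["user"]].add(e["ts"].hour)
    return {"hosts": dict(hosts), "hours": dict(hours)}


def score(e, baseline):
    """List the ways an event deviates from that user's own history."""
    if e["user"] not in baseline["hosts"]:
        return ["user never seen before"]
    reasons = []
    if e["host"] not in baseline["hosts"][e["user"]]:
        reasons.append("host never used by this user")
    usual = baseline["hours"][e["user"]]
    # Allow one hour of slack either side of the observed active window.
    if not (min(usual) - 1 <= e["ts"].hour <= max(usual) + 1):
        reasons.append("outside the user's usual hours")
    return reasons


def detect(lines, baseline):
    """Escalate events by how many independent deviations they show; routine events produce nothing."""
    alerts = []
    for e in filter(None, map(parse, lines)):
        reasons = score(e, baseline)
        if reasons:
            severity = "high" if len(reasons) >= 2 else "medium"
            alerts.append({"user": e["user"], "host": e["host"],
                           "severity": severity, "reasons": reasons})
    return alerts


# Constructed history: a CI service account and an engineer with regular working patterns.
BASELINE_LOGS = [
    "2022-03-14T09:02:10Z user=svc-build host=build-01 action=ssh_login",
    "2022-03-15T10:15:43Z user=svc-build host=build-01 action=ssh_login",
    "2022-03-16T14:40:02Z user=svc-build host=build-02 action=ssh_login",
    "2022-03-14T09:30:00Z user=alice host=laptop-alice action=vpn_login",
    "2022-03-15T11:05:21Z user=alice host=laptop-alice action=vpn_login",
    "2022-03-16T16:48:09Z user=alice host=laptop-alice action=vpn_login",
]

# Constructed new events to score against that history.
NEW_LOGS = [
    "2022-03-21T02:13:44Z user=svc-build host=db-prod-01 action=ssh_login",  # new host at 02:13
    "2022-03-21T10:00:00Z user=alice host=laptop-alice action=vpn_login",    # routine
    "2022-03-21T11:20:30Z user=alice host=jump-01 action=ssh_login",         # new host only
    "malformed line that the parser ignores",
]


def demo():
    return detect(NEW_LOGS, build_baseline(BASELINE_LOGS))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The service-account login to a production database host in the middle of the night scores two deviations and is escalated as high; the engineer's first use of a jump host during working hours is a single deviation and is surfaced for review rather than escalated.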

    Since shadow IT is a significant vector for supply chain attacks, endpoint security and authorization must be ensured by introducing Zero Trust Network Architecture (ZTNA) and Secure Access Service Edge (SASE), which concentrate cybersecurity services at the edge of the network, i.e., the endpoint devices connected to the cloud. Additionally, SASE enforces least privilege by granting users minimal, granular access.

    Users must be wary of malicious messages and social engineering techniques adopted by threat actors to initiate supply chain attacks and the lateral movement that follows. As they are prone to becoming the weakest link of the supply chain, users should be trained to apply safe cybersecurity practices to thwart supply chain attacks.
