Software Supply Chain Attacks

There’s an ever-evolving landscape of cybersecurity threats, but one menace is gaining traction: software supply chain attacks. 

A supply chain attack is an insidious technique where cybercriminals target organizations by exploiting their third-party vendors or suppliers at any stage of the software development lifecycle. The objective? Gain access, conduct espionage, and potentially sabotage operations.

It’s a broad threat too. Software supply chain attacks can sometimes rely on simple deception techniques but could also be much more complex. Whether adversaries exploit tools, dependencies, shared libraries, or third-party code doesn’t matter – it’s imperative that companies understand what data security is and how software supply chain attacks affect it.

Major Attacks: From SolarWinds to Kaseya

SolarWinds has become an unfortunate poster child for software supply chain attacks. Beginning in 2019, the system management company fell victim to one of the most extensive supply chain attacks in history, with hackers leveraging its Orion IT monitoring platform to install malicious code.

However, SolarWinds is far from the only notable attack in recent years. Kaseya, an IT management company, faced a significant breach in July 2021 when cybercriminals exploited its VSA software to carry out ransomware attacks on several managed services providers (MSPs) and their customers. 

Approximately 60 MSPs were affected – which in turn meant 1,500 businesses were impacted by this attack. A few other examples of supply chain attacks include:

  • Codecov: In April 2021, its Docker upload scripts had been manipulated in a supply chain attack. The damage was significant, given that Codecov serves over 29,000 enterprise clients.
  • British Airways: The company used Magecart, and a supply chain attack on this toolset disrupted BA’s trading system and leaked sensitive information.
  • Mimecast: A threat actor hacked the security certificate that authenticated the Mimecast service on Microsoft 365 EWS.
  • Atlassian: The company’s applications were found vulnerable to abuse of single sign-on (SSO) procedures. With SSO compromised, threat actors could take the SSO token to gain entry into applications and take actions on user accounts. It affected thousands of the company’s clients.

Supply chain attacks are clearly a common problem affecting a wide variety of companies. They are pervasive too – even the biggest technology companies are falling victim to supply chain attacks.

Cybercriminals Injecting Backdoors into Open-Source Libraries

So how does a supply chain attack work? One example is where cybercriminals commonly inject backdoors and vulnerabilities into open-source libraries to amplify their attacks. Take the case of FishPig, a UK-based e-commerce software maker. 

In August 2022, threat actors breached its distribution server, gaining control of its systems and infecting customers of its Magento 2 open-source WordPress modules. The hackers used Rekoobe, a sophisticated backdoor that was camouflaged as a harmless SMTP server.

A similar risk manifested itself in the case of Log4j, a Java-based logging utility. At the end of 2021, Log4j fell victim to a vulnerability, Log4Shell, putting millions of computers at risk. Given the widespread use of Log4j, the effects of the attack were substantial, indicating the inherent vulnerability of the software supply chain, especially with open source software.

Most Companies Suffer Supply Chain Breaches

A 2022 study by security firm BlueVoyant found that 98% of global companies experienced a supply chain breach. Key challenges identified by the survey included raising internal awareness of the cybersecurity role of third-party suppliers and improving third-party cybersecurity compliance. 

The report also showed that software supply chains are expanding, with 50% of firms, up from 38% in 2021, now having over 1000 suppliers across the software development process and the software that they use.

Supply chain attacks are therefore a vast risk affecting almost every component of the software chain. The only way to guard against them is to develop a multi-pronged approach, implementing specific protections against supply chain attacks – but also adopting common cybersecurity principles.

Mitigating The Risks

Preventing software security attacks is challenging due to the vast number of suppliers in the supply chain. However, organizations can take certain steps to mitigate these risks, starting by keeping an updated inventory of all the software assets – through a Software Bill of Materials (SBOM). 
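As an added illustration (not code from the original article), the following sketch shows how an SBOM inventory can be queried when a vulnerability such as Log4Shell is disclosed. The CycloneDX-style SBOM, the advisory record and its version bounds, and the function names are all constructed assumptions.

```python
import json

# Constructed CycloneDX-style SBOM (sample data, not from a real product).
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"type": "application", "name": "billing-service", "version": "3.2.0",
   "components": [{"type": "library", "group": "org.apache.logging.log4j",
                   "name": "log4j-core", "version": "2.14.1"}]},
  {"type": "library", "group": "org.apache.logging.log4j",
   "name": "log4j-core", "version": "2.17.1"},
  {"type": "library", "group": "org.apache.logging.log4j",
   "name": "log4j-core", "version": "2.x-vendor-patched"},
  {"type": "library", "group": "com.example", "name": "json-utils", "version": "1.0.4"}]}"""

# Constructed advisory record; the version bounds are illustrative assumptions.
ADVISORY = {"id": "Log4Shell", "group": "org.apache.logging.log4j",
            "name": "log4j-core", "introduced": "2.0", "fixed": "2.15.0"}

def walk(components, path=""):
    """Yield (path, component) for every component, including nested ones."""
    for comp in components or []:
        here = f"{path}/{comp.get('name', '?')}"
        yield here, comp
        yield from walk(comp.get("components"), here)

def parse_version(text):
    """Return a tuple of ints, or None when the version is not purely numeric."""
    parts = text.split(".")
    return tuple(int(p) for p in parts) if all(p.isdigit() for p in parts) else None

def triage(sbom, advisory):
    """Classify each matching component as 'affected', 'ok' or 'review'."""
    lo, hi = parse_version(advisory["introduced"]), parse_version(advisory["fixed"])
    findings = []
    for path, comp in walk(sbom.get("components")):
        if (comp.get("group"), comp.get("name")) != (advisory["group"], advisory["name"]):
            continue
        ver = parse_version(comp.get("version", ""))
        if ver is None:
            status = "review"  # unparseable version: a human must decide
        else:
            status = "affected" if lo <= ver < hi else "ok"
        findings.append((path, comp.get("version"), status))
    return findings

if __name__ == "__main__":
    for finding in triage(json.loads(SBOM_JSON), ADVISORY):
        print(*finding)
```

The nested component and the non-numeric version string are included because both are common reasons a vulnerable dependency is missed in a flat, exact-match search.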

That will help companies understand which software components are in use – and respond to any vulnerabilities as these emerge. But consistently guarding against every possible supply chain attack can be tough, and in the main, companies should make sure they follow broad cybersecurity principles:

Identity and access management:

A framework to manage digital identities, allowing IT administrators to control access to sensitive information within an organization. It ensures that attackers who enter systems through a supply chain attack are quickly restricted in what they can access.

Data encryption:

A method of converting data into an unreadable format to prevent unauthorized access, making it a crucial part of most security strategies – and preventing attackers from reading data once they gain access.

Data security evaluation:

Regularly identify the weaknesses and potential risks within the organization’s overall security framework through an internal security assessment. Upon finding any security flaws, a company needs to allocate the necessary time and resources to mitigate and correct these issues.

Data Loss Prevention (DLP):

Includes creating data backups at an alternative location, but it also covers preventing the extraction of data by cybercriminals – for example, automatic content analysis to spot sensitive data with alerts in real-time when there’s unusual utilization of sensitive data e.g., when massive amounts of data are being transferred outside the corporate network.

Password hygiene:

Encourages the use of unique, strong passwords and multi-factor authentication to safeguard accounts from brute force attacks. Often, a supply chain attack is just the first step, with attackers intending to move laterally. Passwords can block the path.

Anti-malware, antivirus, and endpoint protection:

It’s crucial to ensure protection against malware on all endpoints using antivirus software. It’s another layer of protection against a supply chain attack.

Cloud security:

An essential part of an organization’s security strategy, cloud security involves protecting cloud infrastructure, workloads, and data in public, private, or hybrid cloud environments against all types of cyberattacks – including supply chain attacks.

In conclusion, software supply chain attacks present a growing risk in today’s interconnected digital world. As these threats continue to evolve, organizations must remain vigilant, stay informed about the latest cybersecurity developments, and implement best practices to safeguard their systems and data.

By Anurag Rathod
