A supply chain attack is a cyberattack against a well-known third-party vendor that provides critical supply chain services or software. Software supply chain attacks inject malicious code into an application to infect all users of the application, while hardware supply chain attacks destroy physical components for the same purpose.
Historically, supply chain attacks have referred to trust attacks, where untrusted suppliers in a chain are attacked to gain access to their largest trading partners.
Breaking into the software supply chain
That’s exactly what happened during the 2013 attack on Target when attackers gained access to an HVAC contractor to break into Target’s systems. The biggest concern today, however, is an attack on the software supply chain.
Software supply chains are particularly vulnerable because today’s software is not built from scratch, but includes many standard components such as third-party APIs, open-source code, and software vendors’ proprietary code. Today, the average software project has 203 dependencies.
Additionally, software components are reused, so a vulnerability in one of them can persist in other applications beyond the life cycle of the original software. Software without a large user community is especially vulnerable, since a large community tends to find bugs faster than a small one.
How does the supply chain attack take place?
- Supply chain attacks work by delivering viruses or other malicious software through a vendor or supplier. For example, a keylogger hosted on a USB drive could be introduced into a large retail company, where it records keystrokes to determine the passwords of specific accounts. Cybercriminals can then gain access to sensitive business information, customer records, payment information, and more.
- Attackers look for insecure network protocols, insecure server infrastructure, and insecure encryption methods. They inject or modify source code and hide malware in build and update processes. Because the software is built and released by a reputable vendor, these apps and updates are signed and certified.
- In a software supply chain attack, vendors may be unaware that their applications or updates are infected with malicious code when they are released. The malicious code then runs with the same trust and permissions as the application. The number of potential victims is significant given the popularity of some apps.
Prevention of Supply Chain Attacks
- Deploy strong code integrity policies that allow only authorized applications to run.
- Use endpoint detection and response solutions that automatically detect and remediate suspicious activity.
- Maintain a highly reliable build and update infrastructure.
- Instantly apply security patches to your operating system and software.
- Implement mandatory integrity controls to ensure that only trusted tools run.
- Require multi-factor authentication for administrators.
- Build secure software updaters as part of the software development life cycle.
- Implement SSL for update channels and use certificate pinning.
- Sign everything, including configuration files, XML files, and packages.
- Verify digital signatures, and do not let software updaters accept generic inputs and commands.
Examples of Supply Chain Attacks
Attacks are constantly evolving and you should be aware of the latest developments. While these are mostly cyber-attacks, it is also important to consider threats such as fraud, theft, and insider information.
If software update files are hosted on insecure websites or sent through insecure channels, hackers can replace the genuine update file with a file containing malware. Malicious software updates can also be caused by a compromised update server.
This type of supply chain attack is launched before a software update is deployed to a company’s internal network. Once the infected software reaches the company, the malware in it is released to infect other IT systems on the company’s internal network. An example of a supply chain attack using this method is the SolarWinds attack, in which the malware was deployed as part of an update distributed from SolarWinds’ own servers and digitally signed with the company’s legitimate certificate.
Another example of a supply chain attack using software updates is the NotPetya attack, in which hackers breached a server used to update an accounting program called MeDoc. They then used the app’s auto-update feature to send malicious updates to users of the software on three separate occasions. These updates opened backdoors that allowed cybercriminals to access infected computers and remotely install the NotPetya malware.
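The checks below close the update-replacement path described above and implement the "sign everything", "verify digital signatures" and "do not accept generic inputs" items from the prevention list. This is an added example, not code from the page or from any vendor named on it; the manifest layout, field names, and the vendor key pair (generated in the demo) are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest carries only fields the updater acts on (no commands or paths), so a forged manifest cannot drive it.
type Manifest struct {
	Version int
	SHA256  string // hex digest of the update payload
}

// canonical fixes the signed byte layout; digest hex-encodes SHA-256 of a payload.
func canonical(m Manifest) []byte { return []byte(fmt.Sprintf("v=%d;sha256=%s", m.Version, m.SHA256)) }
func digest(b []byte) string     { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// VerifyUpdate accepts an update only if the manifest is signed by the vendor key pinned in the
// client, the downloaded payload matches the signed hash, and the version is newer (blocks rollback).
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig, payload []byte, installed int) error {
	if !ed25519.Verify(pinned, canonical(m), sig) {
		return errors.New("manifest signature invalid: not signed by the pinned vendor key")
	}
	if digest(payload) != m.SHA256 {
		return errors.New("payload hash mismatch: update file replaced on the server or in transit")
	}
	if m.Version <= installed {
		return errors.New("version not newer than installed: rollback to an older release rejected")
	}
	return nil
}

// Demo signs a constructed update with a hypothetical vendor key generated here and returns the
// outcome for a genuine update, a swapped payload, and a replayed (already installed) version.
func Demo() (genuine, swapped, replayed error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	payload := []byte("constructed update payload v2")
	m := Manifest{Version: 2, SHA256: digest(payload)}
	sig := ed25519.Sign(priv, canonical(m))
	genuine = VerifyUpdate(pub, m, sig, payload, 1)
	swapped = VerifyUpdate(pub, m, sig, []byte("malicious replacement"), 1) // attacker cannot re-sign
	replayed = VerifyUpdate(pub, m, sig, payload, 2)                        // old version replayed
	return
}

func main() {
	g, s, r := Demo()
	fmt.Println("genuine:", g, "\nswapped:", s, "\nreplayed:", r)
}
```

Note that these client-side checks stop a file swapped on a download server or in transit, but not a SolarWinds-style compromise where the malicious update is built and signed with the vendor's own legitimate key; that case is only addressed by securing the build and update infrastructure itself.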
Sometimes you may need to permit third-party partners to access your organization’s internal system. Despite this, there is no way to guarantee that third-party partners will keep your credentials safe. If these credentials accidentally fall into the wrong hands, they can allow attackers to easily gain access to your sensitive data.
Stealing Credentials Directly
Another example of a supply chain attack is the attack on Target, where hackers used stolen credentials from a supplier that maintained HVAC systems at Target stores to gain access to the retailer’s network and then go to the systems that stored customer payment information. Attackers sometimes break into a software vendor’s development infrastructure and then add malicious code to an application before it is compiled and released.
Manipulation into Installation
An example of this supply chain attack is when hackers compromised a PDF editing application so that users who installed the application would also install a cryptocurrency miner. The application itself was not compromised, but its supply chain was compromised.