In today’s complex infrastructure, there are a lot of software and hardware dependencies. As a vendor, you are not always in control of all dependencies, but leverage them for your product or service to work properly.
Using third-party dependencies and integrating external components into your product opens up potential vulnerabilities and attack vectors. Attackers might exploit weaknesses in the supply chain to gain unauthorized access to customers’ networks and compromise the data.
That is what happened with the recent SolarWinds supply chain attack, a malware activity done by hackers. This article goes deep on supply chain attacks and how you can protect your infrastructure in the best way.
Let’s break down the fundamentals first.
What is a Supply Chain Attack?
Imagine you are a vendor offering your software product to your customers. In order to provide product updates, you use third-party components because it is more convenient to utilize something that is already in the market rather than developing it from scratch.
You are in control of your product and you ensure it is developed and tested by following software development best practices. However, the product you use for distributing updates on the customer side is under the control of another supplier or vendor.
Now, attackers – are sneaky, unethical people. They exploited that third-party product, found vulnerabilities, and gained remote access to your customer network. That is what a supply-chain attack is. It involves attackers targeting your customers through third-party dependencies or components you use to make your product fully functional.
That is precisely what occurred in the fairly recent SolarWinds attack, the IT management platform. The attacker injected malicious code into an update of SolarWinds and gained remote access to thousands of servers, affecting both private and government institutions.
An interesting sidenote is that the attackers injected their code into the actual build pipeline, so that when the new version was signed as being an official SolarWinds update, it also contained the malicious code.
What is a Supply Chain Attack?
A supply chain attack can occur through one of the most common methods, phishing. Phishing is a malicious practice used by hackers to deceive individuals into opening malicious links or attachments, with the aim of tricking them into revealing sensitive data.
It is mostly delivered via email but also can be delivered via SMS or voice. One of the ways where people get tricked is via QR scams. Here is all you need to know about QR Code Scams.
We conducted an analysis of the impact of different malware activities and published it in our Cyber Security Report 2023 and Ransomware Attacks survey.
There are four phases of how a supply chain attack occurs, including compromising the vendor, injecting malicious code, distributing it to customers, and data theft. Here is the flow.
- Compromising the vendor. Hackers compromise vendors by exploiting third-party dependencies and external update components.
- Injecting malicious code. Hackers inject malicious code into an external component used for distributing updates. The code acts as a backdoor to connect to remote machines.
- Distributing it to customers. The injected update will be distributed to customers’ sites in the next update cycle.
- Data theft. Now, when the update is distributed, attackers can access remote systems and make compromises and data theft.
Examples of Supply Chain Attacks
There are several supply chain attacks that occurred in the past few years that helped us as cybersecurity professionals to learn, but also provided opportunities for vendors to strengthen their security. In this section, we will list some examples of recent supply-chain attacks.
One of the latest supply-chain attacks occurred just recently, in July 2023. British Airways, BBC, and UK pharmacies (along with nearly 500 other companies) suffered a supply chain attack after attackers exploited MOVEit, managed file transfer software. British Airways spokesperson confirmed it in one of their public statements told to The Register „We have been informed that we are one of the companies impacted by Zellis’ cybersecurity incident which occurred via one of their third-party suppliers called MOVEit.”
In 2019, hackers injected malicious code into Asus’ software ASUS Live Update Utility and infected over one million users worldwide. ASUS Live Update Utility comes by default installed on Asus machines and helps to update hardware and software (BIOS, drivers, etc.).
We already mentioned the SolarWinds attack; it occurred in 2019 by compromising the update process.
Some other supply chain attacks happened to Kaseya (2021), Mimecast (2021), Event-stream (2018), NotPetya (2017), CCleaner Backdoor (2017), and XcodeGhost (2015).
Let’s approach the same issue with a positive outlook. Thanks to some cybersecurity researchers, they discovered vulnerabilities in a few products and communicated them with vendors to prevent supply chain attacks.
In 2020, security researchers discovered chained vulnerabilities in Atlassian apps connected through SSO (Single sign-on). It affected Jira, Confluence, GetSupport, Partners, Developers, and Training.
In 2021, cybersecurity expert Alex Birsan breached Microsoft, Apple, Tesla, and Uber, injecting harmless code and distributing it to end users. He did this to demonstrate supply chain vulnerabilities.
All vendors managed to fix the vulnerabilities and communicated them to their customers.
Diverse Sources of Supply Chain Attacks
Software dependencies
There are different components used in software development, for example, third-party frameworks and libraries. Attackers may exploit them and inject malicious code to gain remote unauthorized access.
Now, if we extend it a bit further, we come to software development environments and tools. An attacker may compromise source code repositories, compilers, Integrated Development Environments (IDEs), version control systems, package managers, build tools, Continuous Integration/Continuous Deployment (CI/CD) tools, testing tools, issue tracking systems, documentation tools, collaboration tools, code review tools, and others. As you can see, the potential weaknesses in all these layers are huge.
Hackers might have compromised the software or hardware update mechanism, injecting a malicious piece of code, and pushing it to end users in the next update cycle. Remember, this is what happened to SolarWinds Orion.
Hardware dependencies
Physical machines are built with various hardware components manufactured by different vendors. Let’s imagine a server, it has a Dell motherboard, an Intel CPU, Broadcom and NVidia Ethernet adapters, and a Titanium power supply. These components all come from different vendors but are incorporated into a single physical unit. An attacker may target any of these hardware components and exploit them.
When you make partnerships with suppliers, you need to ensure that they follow the best security practice that helps guard against any type of attack. If that is not the case, hackers may take advantage of their weak security. And ultimately, you also need to be aware of your supplier’s suppliers, because there can be many different levels of suppliers for a single finished hardware (or software) product.
Today many software products are sold via marketplaces. Attackers might penetrate a marketplace and inject malicious code into the software before users download and install it on their network. Once installed, the network gets compromised.
Effective Strategies and Countermeasures to Prevent Supply Chain Attacks
You can harden your infrastructure by implementing proper IT Security measures. However, there are different layers we need to keep an eye on.
Firstly, you should ensure that all third-party and external components are fully patched. Install the latest available updates for every single product that plays any role in your infrastructure.
During the code development process, it is essential to promote and use secure development practices among software developers. That includes implementing secure coding guidelines, validating inputs, and encoding outputs – just to name a few.
You can also use Software Composition Analysis (SCA) to analyze third-party components and libraries for known security vulnerabilities.
After completing your code, it is crucial to conduct a thorough code review and use static analysis. Static analysis helps identify potential security vulnerabilities and common coding errors.
Additionally, make sure to implement continuous security testing to maintain the highest level of security in your development process.
How to get there? Besides implementing software and hardware security layers, security awareness training is a must-have. You should ensure that your IT teams are properly trained, with an emphasis on continuous education. Non-trained stakeholders are a threat to any organization.
Monitoring helps you stay proactive, while logging provides insights into failed and successful attempts.
Build trust with your suppliers and ensure that they strictly follow security and software development practices. Verify if they are ISO certified.
Develop a security incident response plan. Be ready just in case a supply-chain attack happens. This will help you to react and have honest communication with your partners and customers.
Securing Your Chain: Methods for Detecting Supply Chain Attacks
Detecting a supply chain attack is a challenging process since it includes not only your product but also other third-party components that are not fully in your control.
The first thing you should implement is proper monitoring. Monitoring helps you stay proactive by detecting any suspicious activities, unauthorized access, and changes in your infrastructure. Usually, monitoring goes hand in hand with SIEM (Security Information and Event Management) – which is the next important factor.
If you utilize SIEM in your infrastructure, you will be able to collect logs from different systems and analyze them accordingly. By using monitoring and SIEM, you can detect patterns in anomaly behavior.
Additionally, monitoring and SIEM, help you to analyze end-user behavior, perform network traffic analysis, and anomaly detection, and assess all potential layers of your infrastructure.
You also should implement Digital Signature Verification. That technology will help you to maintain the authenticity and integrity of software components and updates through signatures and certificates.
Remember, we mentioned security awareness training in the previous section!? The best way to get trained in IT is by experiencing things firsthand. So, you should simulate supply chain attacks in your network and challenge your organization. This practice ensures that you are well-prepared, well-educated, and able to implement security testing and enhancements.
You should definitely collaborate with cybersecurity companies, professionals, and the wider community to stay informed about supply chain attacks. In the beginning, we mentioned cybersecurity researchers who discovered supply chain vulnerabilities. Having someone like Alex Birsan as your contact is of great value.
As you can see, there are various proactive approaches, and it takes utilizing all of them to stay safe and effectively mitigate potential risks from supply-chain attacks.
For an overall look at cybersecurity risks gained from analyzing 25 billion emails, see our free Cyber Security Report 2023.
To properly protect your cyber environment, use Hornetsecurity Security Awareness Service to train your employees in deterring cyber threats and securing your critical data.
To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.
At Hornetsecurity, we are dedicated to ensuring your safety from both security and backup perspectives. We highly recommend exploring The Backup Bible, our comprehensive backup guide.
Wrap Up
Any software or physical product has different dependencies that are not under the control of a single vendor. Imagine a physical server where the mainboard is manufactured by Dell, but other components such as CPU, and Ethernet cards are developed by other vendors.
It is the same with software products. To develop it, you use a third-party development environment and tools developed by other vendors.
An attacker may exploit these third-party components and gain unauthorized access to your customer’s infrastructure and steal sensitive data. One of the recent supply chain attacks happened to SolarWinds. The attackers injected malicious code into the update mechanism of SolarWinds Orion, distributed it to customers in the next update cycle, and infected thousands of customers.
In this article, we covered fundamental information to get into the topic, stay safe, and mitigate it.
FAQ
What is supply chain phishing?
A supply chain attack occurs when a cybercriminal targets a trusted vendor (company or platform) to carry out cyberattacks throughout the supply chain. In such instances, they might introduce malware to shared systems or cleverly launch phishing attacks through the vendor, exploiting their trust. These attacks highlight the importance of maintaining strong security measures within your systems and across the partners you collaborate with.
Which is an example of a supply chain attack?
An example would be the following – consider a scenario where a keylogger is strategically placed on a USB drive. If this device finds its way into a major retail company, it could surreptitiously record keystrokes to gain access to sensitive account passwords. Supply chain attacks deliver viruses or malicious software via a vendor or a supplier.
What is the famous supply chain attack?
One of the most famous supply chain attacks is the SolarWinds attack, also known as the SolarWinds supply chain attack, which was perpetrated by a Russian state-sponsored hacking set called APT29 or Cozy Bear. This group is thought to be related to the Russian Foreign Intelligence Service (SVR).
How to protect against supply chain attacks?
There are several steps you can take to protect yourself from supply chain attacks. This includes implementing security awareness training, monitoring third-party activities, using digital signature verification, constantly updating and patching software and hardware, and working closely with vendors and third-party vendors to ensure they employ appropriate security practices.
