Modern software applications are made up of multiple components and services interacting with each other. Together with the processes, tools, and libraries that build and deliver them, these components form the software supply chain. Software supply chain attacks are emerging cyber exploits that impact an entire supply chain by compromising a single component: attackers rely on vulnerabilities in third-party software and components to infiltrate a business network and initiate an attack sequence.
This article discusses supply chain attacks, recent attack examples, the impacts of such attacks, and mitigation strategies.
What is a supply chain attack?
Supply chain attacks are orchestrated by injecting a malicious payload into a supply chain system via an integrated component of a third-party vendor or supplier. Due to the loosely coupled nature of modern, cloud-native applications and the lack of public awareness of cyber threats, the recent past saw an increase in highly impactful supply chain attacks. Also known as value chain or third-party attacks, supply chain attacks target commercial, off-the-shelf solutions and open-source components that contain known vulnerabilities. Their impact ranges from harmless exploits to complete compromise of the supply chain.
Supply chain attacks are generally categorized into:
- Hardware-based – Insecure hardware is used to host an application and connect it to users. Examples include devices shipped with pre-installed malware and publicly accessible network devices. These attacks are intended to infect devices during the initial phases of deployment; the infected devices are then exploited for a deeper, network-wide compromise.
- Software-based – These attacks exploit flaws in the source code, operating system, libraries, and almost every other piece of software used in an application. Inherent vulnerabilities within such software components are abused to inject malware and malicious code that can bring an entire supply chain to a halt.
- Firmware-based – These supply chain attacks are initiated by injecting malicious code into a device’s boot code. Because firmware implants are quick to install and difficult to detect, firmware-based attacks are among the techniques most widely abused by cybercriminals to target supply chain systems.
Supply Chain Attack Examples
As software supply chains are large and complex, orchestrating attacks against them requires high precision and technical expertise. Even so, the recent past saw multiple instances of supply chain attacks that considerably impacted both private organizations and federal agencies. Some well-known examples include:
SolarWinds Supply Chain Attack
The SolarWinds hack is a global supply chain attack that targeted the SolarWinds Orion software to access the networks of federal government agencies and private companies. The attack was orchestrated by hijacking Orion’s build (compilation) process to place a backdoor inside valid, digitally signed Orion updates. These trojanized updates were delivered as installation packages to client computers over several months without being detected. The SolarWinds hack is considered one of the most impactful supply chain attacks of the recent past; it increased organizational awareness of security risks and triggered collaboration among various entities to tackle rising cyber crime.
Kaseya VSA Supply Chain Ransomware Attack
In July 2021, Kaseya discovered an active ransomware attack on its VSA managed-service product. VSA is a suite of Kaseya’s cloud services that facilitates updates and security patches. The attack was carried out by the Russian hacker group REvil, which gained entry into the Kaseya system using a known zero-day vulnerability that Kaseya was still trying to fix. The attack compromised the data of 60 direct clients and affected 1,500 businesses, with the hackers demanding a ransom payment of $70 million to unlock the affected devices. While several affected firms were able to restore their systems from backups, others offered to pay individual ransoms in the range of $40,000 – $220,000. A week after the attack, Kaseya claimed to have obtained the master decryption key, which it then offered to affected clients.
Target Data Breach
In July 2013, Target suffered a data breach in which attackers accessed nearly 70 million user accounts and 40 million payment card records. The attack began with the infiltration of Target’s network using credentials leaked from a third-party vendor. These credentials were then used to exploit other vulnerabilities within Target’s infrastructure, access the user database, and install malicious software that exposed customer records, including users’ names, contact details, card numbers, verification codes, and other sensitive information.
It took Target about two weeks to detect and identify the breach. The attack had huge financial repercussions for Target, with the retail giant paying $18.5 million to affected users. Target also suffered revenue losses as sales dropped 46% in the months following the attack. Afterwards, the company said it would improve its ability to counter cyberattacks and issued secure chip-and-PIN cards to reduce the likelihood of card fraud.
Eastern European ATM Malware Attack
Over the years, security researchers at the European Association for Secure Transactions (EAST) have exposed efforts by threat actors to build ATM malware for financial fraud in Eastern Europe. While investigating ATM attacks in Ukraine and Russia, the association discovered several ATMs infected with malware that captures PIN codes and magnetic stripe data. The attacks targeted vulnerabilities in the ATMs’ card transaction processing software and ATMs still running the outdated Windows XP.
To exploit the vulnerability, attackers installed the ATM malware using a dropper file known as isadmin.exe, whose binary contained a data resource holding the malicious code. After the malware was detected in at least 20 attacks on ATMs from multiple vendors, EAST advised all vendors to update their computing infrastructure and take corrective action to mitigate the vulnerability.
Impact of a compromised supply chain
The reuse of software components in modern application delivery extends the attack surface, and the same weakness can be exploited repeatedly in an attack sequence. This is because exploiting a weakness in one component opens the door to abuse of the entire supply chain. Impacts of supply chain attacks include:
- Malware infections – Attackers rely on third-party software vulnerabilities to inject malicious code and programs into the application development pipeline. The effect of an attack varies with the malware’s level of sophistication and the data hosted by the target system.
- Data disclosure and breaches – Malicious actors rely on supply chain vulnerabilities to install data exfiltration tools into software development pipelines. Any information that passes through the exfiltration tool, including user and system-level data, is sent to an attacker-controlled host.
- Financial loss – Supply chain attacks targeting e-commerce systems, payment card vendors, and retail outlets often result in direct financial loss through identity fraud. Organizations that experience data breaches due to supply chain attacks are also subject to large penalties from regulatory authorities and to reputational damage.
Managing supply chain risk and vulnerability
Because supply chain vulnerabilities reside in third-party vendor systems, they are often difficult to control. Depending on the type of vulnerable workload and the components it is directly integrated with, mitigating attacks based on such vulnerabilities relies on a combination of approaches.
Approaches to Identify Supply Chain Vulnerabilities
Although different use cases may require specialized approaches to suit their deployment framework, here are two of the most common methods to identify supply chain vulnerabilities:
Continuous vulnerability scanning
Developers and security teams should collaborate to implement automated, continuous vulnerability scans to detect potential weaknesses along the entire supply chain. An ongoing scanning process helps identify the components at risk, including source code, processes, and services. A thorough supply chain vulnerability assessment should produce an inventory of all components used in the deployment, the threats at component level, and a vulnerability rating for all third-party software.
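The inventory-plus-rating output described above is what a software bill of materials (SBOM) scan produces. The following Python is an added example, not code from the article or from any scanning product: it parses a constructed CycloneDX-style component list, matches each component against a constructed advisory feed (placeholder advisory ids, not real CVE numbers) using [introduced, fixed) version ranges, and emits a severity rating per finding. A real scanner would pull the advisory feed from a vulnerability database instead of the inline list.

```python
import json
import re

# Constructed CycloneDX-style SBOM fragment (sample inventory, not a real one).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.12.3"},
    {"group": "com.google.guava", "name": "guava", "version": "31.1-jre"},
    {"group": "org.yaml", "name": "snakeyaml", "version": "2.2"}
  ]
}
"""

# Constructed advisory feed. Each advisory names a component, the affected
# version range [introduced, fixed) and a CVSS-style base score. The ids are
# placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "name": "log4j-core", "introduced": "2.0", "fixed": "2.17.1", "score": 10.0},
    {"id": "ADV-PLACEHOLDER-002", "name": "jackson-databind", "introduced": "2.0", "fixed": "2.12.6", "score": 7.5},
    {"id": "ADV-PLACEHOLDER-003", "name": "snakeyaml", "introduced": "1.0", "fixed": "2.0", "score": 9.8},
]


def parse_version(text):
    """Turn '2.14.1' or '31.1-jre' into a comparable tuple of integers.
    Parsing stops at the first non-numeric segment, so '31.1-jre' -> (31, 1)."""
    parts = []
    for piece in re.split(r"[.\-]", text):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def severity(score):
    """Map a numeric score to the rating label used in the report."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def scan_sbom(sbom_json, advisories):
    """Match every SBOM component against the advisory feed and return findings."""
    sbom = json.loads(sbom_json)
    findings = []
    for component in sbom["components"]:
        installed = parse_version(component["version"])
        for adv in advisories:
            if adv["name"] != component["name"]:
                continue
            introduced = parse_version(adv["introduced"])
            fixed = parse_version(adv["fixed"])
            # Half-open range: a component at exactly the fixed version is clean.
            if introduced <= installed < fixed:
                findings.append({
                    "component": f'{component["group"]}:{component["name"]}',
                    "version": component["version"],
                    "advisory": adv["id"],
                    "severity": severity(adv["score"]),
                    "fixed_in": adv["fixed"],
                })
    # Highest severity first so the report leads with what matters most.
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings.sort(key=lambda f: order[f["severity"]])
    return findings


def format_report(findings):
    """Render findings as the one-line-per-component record a pipeline can archive."""
    lines = [f"{len(findings)} vulnerable component(s) found"]
    for f in findings:
        lines.append(f'[{f["severity"].upper()}] {f["component"]}@{f["version"]} '
                     f'-> {f["advisory"]}, fixed in {f["fixed_in"]}')
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(scan_sbom(SBOM_JSON, ADVISORIES)))
```

Running it on the sample data reports log4j-core as critical and jackson-databind as high, while snakeyaml 2.2 sits at or above its fixed version and is not flagged; that upper-bound check is the part most often got wrong in hand-rolled scanners.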
Penetration testing
After identifying third-party security risks, developers and QA teams should test each vulnerability by simulating the most probable attack sequence that malicious actors could carry out. Teams should also set up honeypots of dummy data and functionality for ethical hacking and pen-testing. These honeypots can be instrumented with endpoint detection solutions to ensure observability and the detection of vulnerable endpoints. Comprehensive penetration tests simulate attack patterns while providing insight into how malicious actors may leverage supply chain risks for successful exploits.
Preventive Strategies to Mitigate Supply Chain Attacks
Techniques to mitigate cyber attacks in vulnerable supply chains include:
Leverage Robust Identity and Access Management (IAM) Controls
An IAM dashboard enables central management of account and data access controls. By managing permissions through a centralized service, administrators can quickly block privilege escalation or other post-compromise activity by an attacker.
Zero-trust cybersecurity infrastructure
Security teams should enforce a zero-trust environment, which assumes that any user or application could be a malicious actor. Critical services and workloads should additionally be protected through multifactor authentication and reauthorization controls to block unintended requests for data access.
Enforce network segmentation
Restrict third-party software and service providers to only the components and services of the software deployment pipeline they need. Segmenting the network into subnets by function, and decomposing the application into microservices, are considered efficient approaches. Even if a future supply chain attack breaches part of the network, the rest of the deployment then stays secure.
Deploy malware protection
The primary purpose of most supply chain attack sequences is to deploy malicious software into a susceptible framework. Although considered a reactive approach, the adoption of forensic and anti-virus tools helps detect the presence of malware in an existing supply chain system. Malware protection also offers an early detection opportunity, allowing security teams to respond to a compromise before the malware spreads to the entire supply chain.
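Segmentation only holds if someone checks that third-party components stay inside their segment. The Python below is an added example, not code from the article: it assumes a constructed segment map (sample CIDRs), a constructed allow-list in which vendor agents may reach only the artifact store over HTTPS, and a constructed flow log in a simple key=value format, and it reports every flow that crosses segments without an allow-list entry, including flows from addresses that belong to no known segment.

```python
import ipaddress
import re

# Constructed segment map: each network segment and its CIDR (sample addresses).
SEGMENTS = {
    "vendor-agents": ipaddress.ip_network("10.40.0.0/24"),
    "build-runners": ipaddress.ip_network("10.20.0.0/24"),
    "artifact-store": ipaddress.ip_network("10.30.0.0/24"),
    "prod-db": ipaddress.ip_network("10.50.0.0/24"),
}

# Constructed allow-list: (source segment, destination segment, destination port).
# Anything not listed is a policy violation; third-party agents may only reach
# the artifact store over HTTPS.
ALLOWED_FLOWS = {
    ("vendor-agents", "artifact-store", 443),
    ("build-runners", "artifact-store", 443),
}

# Constructed flow-log lines in a simple key=value format (sample data).
FLOW_LOG = """\
2024-05-01T10:00:01Z src=10.40.0.12 dst=10.30.0.5 dport=443 proto=tcp
2024-05-01T10:00:07Z src=10.40.0.12 dst=10.50.0.7 dport=5432 proto=tcp
2024-05-01T10:00:09Z src=10.20.0.3 dst=10.30.0.5 dport=443 proto=tcp
2024-05-01T10:00:15Z src=10.40.0.12 dst=10.20.0.3 dport=22 proto=tcp
2024-05-01T10:00:21Z src=192.168.1.9 dst=10.50.0.7 dport=5432 proto=tcp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def segment_of(ip_text):
    """Return the segment name containing the address, or None if unmapped."""
    addr = ipaddress.ip_address(ip_text)
    for name, network in SEGMENTS.items():
        if addr in network:
            return name
    return None


def audit_flows(log_text, allowed=ALLOWED_FLOWS):
    """Parse flow-log lines and return the flows that cross segments without an
    allow-list entry. Allowed flows are silently accepted; malformed lines are
    skipped so one bad record cannot abort the audit."""
    violations = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src_seg = segment_of(m["src"])
        dst_seg = segment_of(m["dst"])
        dport = int(m["dport"])
        if src_seg is None or dst_seg is None:
            reason = "unmapped address"
        elif (src_seg, dst_seg, dport) in allowed:
            continue
        else:
            reason = "flow not in allow-list"
        violations.append({
            "timestamp": m["ts"],
            "src": m["src"], "src_segment": src_seg,
            "dst": m["dst"], "dst_segment": dst_seg,
            "dport": dport, "reason": reason,
        })
    return violations


if __name__ == "__main__":
    for v in audit_flows(FLOW_LOG):
        print(f'{v["timestamp"]} {v["src"]} ({v["src_segment"]}) -> '
              f'{v["dst"]} ({v["dst_segment"]}):{v["dport"]} [{v["reason"]}]')
```

On the sample log the two legitimate artifact-store fetches pass, while the vendor agent's attempt to reach the production database, its SSH attempt into the build runners, and a flow from an address outside every segment are all surfaced. The unmapped-address branch matters: a deny-by-default audit must treat addresses it cannot classify as suspicious rather than ignore them.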
What are the most significant risks to the supply chain due to a lack of security controls?
Some of the major supply chain risks in modern software include:
- Vendor fraud
- Insecure data exchange
- Lack of visibility and data governance
- Open-source vulnerabilities
Is Log4j a supply chain attack?
Log4j is a Java logging library used by a large share of cloud services and enterprise networks. The flaw affects enterprise Java applications and is found in nearly 20,000 Java packages that use Log4j through their dependencies. The Log4j flaw is one of the most recently identified supply chain vulnerabilities and paves the way for many attacks, including remote code execution, local code execution, and data breaches.
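The point about packages that pull in Log4j "through dependencies" is what makes such a flaw a supply chain issue: the vulnerable artifact is rarely declared directly. The Python below is an added example, not code from the article or from any build tool: it walks a constructed dependency graph (sample group:artifact:version coordinates) from each shipped application down to a constructed set of vulnerable coordinates and returns every dependency chain that ends in one, so a team can see which applications are exposed and through which intermediate library. Only log4j-core is listed as vulnerable in the sample so that a sibling log4j-api dependency shows up as not exposed.

```python
# Constructed dependency graph: "A -> [B, C]" means A declares B and C as
# direct dependencies. Coordinates are sample values in group:artifact:version form.
DEPENDENCY_GRAPH = {
    "app:billing-service:1.0": ["org.example:http-client:3.2", "org.example:report-engine:2.1"],
    "app:auth-service:1.0": ["org.example:http-client:3.2"],
    "app:static-site:1.0": ["org.example:template-lib:1.4"],
    "org.example:http-client:3.2": ["org.apache.logging.log4j:log4j-api:2.14.1"],
    "org.example:report-engine:2.1": ["org.example:pdf-kit:0.9", "org.example:http-client:3.2"],
    "org.example:pdf-kit:0.9": ["org.apache.logging.log4j:log4j-core:2.14.1"],
    "org.example:template-lib:1.4": [],
    "org.apache.logging.log4j:log4j-api:2.14.1": [],
    "org.apache.logging.log4j:log4j-core:2.14.1": [],
}

# Constructed set of coordinates flagged by an advisory (sample input).
VULNERABLE = {"org.apache.logging.log4j:log4j-core:2.14.1"}


def top_level_nodes(graph):
    """Nodes that no other node depends on: the applications being shipped."""
    depended_on = {dep for deps in graph.values() for dep in deps}
    return [node for node in graph if node not in depended_on]


def exposure_paths(graph, vulnerable):
    """For every top-level node, list each dependency chain that ends in a
    vulnerable coordinate. Cycles are guarded by refusing to revisit a node
    already on the current path."""
    result = {}
    for root in top_level_nodes(graph):
        paths = []
        stack = [(root, [root])]
        while stack:
            node, path = stack.pop()
            if node in vulnerable:
                paths.append(path)
                continue
            for dep in graph.get(node, []):
                if dep not in path:
                    stack.append((dep, path + [dep]))
        result[root] = paths
    return result


def exposed_roots(graph, vulnerable):
    """Just the names of applications that pull in something vulnerable."""
    return sorted(root for root, paths in exposure_paths(graph, vulnerable).items() if paths)


if __name__ == "__main__":
    for root, paths in exposure_paths(DEPENDENCY_GRAPH, VULNERABLE).items():
        print(f"{root}: {'EXPOSED' if paths else 'clean'}")
        for path in paths:
            print("   " + " -> ".join(path))
```

On the sample graph only billing-service is exposed, and the reported chain (report-engine, then pdf-kit, then log4j-core) tells the team which intermediate library must be bumped; auth-service depends on log4j-api through the same http-client but is clean, because the flagged set names only log4j-core.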