In 2021, Codecov, a software testing platform that generates code coverage reports and statistics, was targeted by a supply chain attack that manipulated Docker upload scripts. Codecov’s environment was compromised without raising any red flags. The damage was enormous since Codecov serves over 29,000 enterprise clients, including IBM, Google, HP, Washington Post, Atlassian, GoDaddy, Procter & Gamble, and the Royal Bank of Canada. The massive breach went on undetected for several months. Despite starting on January 31, 2021, it was not discovered until April 1, 2021.
In another infamous incident, the ubiquitous computer cleaning tool CCleaner had been compromised for more than a month by hackers. Avast, which owns CCleaner, has tainted the software updates users are downloading with a malware backdoor. Millions of computers were exposed, and this incident reinforced the threat of so-called digital supply chain attacks, in which trusted, widely distributed software is actually infected.
Also known as a third-party attack or backdoor breach, a supply chain attack occurs when a hacker infiltrates a business’s system via a third-party partner or vendor that provides software services to that organization. It is called a supply chain attack because the point of vulnerability through which the attack occurs is the software supply chain. These types of attacks are often quite massive in scope and tricky to detect. Cybercriminals often target software supply chains like this because a single breach allows them to compromise thousands of victims at the same time.
With more software suppliers and vendors getting access to sensitive data than they used to, the risk of these attacks has been increasing over the past few years. In fact, there are numerous sources who argue that the number of software supply chain attacks tripled in 2021 compared to figures from the previous year. In May 2021, the Biden Administration listed software supply chain attacks as an area of concern, confirming just how important this issue is.
What are the different types of software supply chain attacks?
Any software company that supplies its services to other organizations is a potential target for a supply chain software attack. An attack requires just one compromised software to spread malware across an entire supply chain. The hackers typically hunt for poorly secured software or unprotected network protocols which they can break into and hide malware in the build or update process of the software. Threat actors can employ a wide range of techniques to execute a supply chain attack.
In most cases, supply chain attacks hide behind legitimate processes in order to get unrestricted access to an organization’s software ecosystem. Attackers typically start by infiltrating the security defenses of a vendor or software supplier. This is usually easier than attacking a victim directly due to the poor cybersecurity practices of many of these vendors.
Once the supply chain malware is injected into the vendor’s software ecosystem, it needs to attach itself to a legitimate digitally signed process. Attackers often leverage software updates as entry points to spread the malware across the software supply chain. Some of the common techniques used in supply chain attacks include:
Compromised software building tools
The process of building modern software applications is quite similar to the physical supply chain: In most cases, applications are built using various ready-made components from various vendors. This includes proprietary code, third-party APIs, open-source components, and so on. It is impossible to build a modern application from scratch, which is why most software developers simply reuse these different components as standard practice.
While this plug-and-play practice accelerates the development process, it introduces the risk of security vulnerabilities, chief of which is supply chain attacks. If a component software is compromised in some way, countless organizations whose application is built with this component become vulnerable to an attack.
Stolen code-sign certificates or signed malicious apps using stolen identity
In this type of attack, the hacker steals a certificate that confirms a company’s product as legitimate and safe. This stolen certificate makes it possible for them to spread malicious code disguised as the product of a legitimate company.
ATP41, a hacker group backed by the Chinese government, uses this method of attack to carry out supply chain attacks. By making malicious code appear legitimate (using stolen code-sign certificates), they’re able to get the code past security controls in the systems they’re attacking. This type of attack is particularly difficult to detect.
A signed malicious app attack is similar to a stolen code attack; in this case, the attacker disguises a compromised software as a legitimate app using the stolen signed identity of the app. This allows it to get past various security measures so an attack can take place.
Compromised code in hardware or firmware components
Every digital device relies on firmware to run smoothly. In most cases, this firmware is a third-party product maintained by another company. Hackers can inject malicious code into the firmware, enabling them to get access to the network or systems of digital devices that make use of these firmware components. This type of attack creates a backdoor into the digital devices powered by these firmware, allowing hackers to steal information and install even more malware.
Hackers sometimes put malicious supply chain malware on hardware devices like phones, Universal Serial Bus (USB) cameras, drives, and other devices. This makes it possible for them to target systems or networks connected to the devices that the infected hardware is used for.
For instance, a USB drive can be used to carry a keylogger which then makes its way to the systems of a large retail company. This keylogger can be used to log the keystrokes of the company’s customers, giving hackers access to information like payment details, customer records, etc.
How to protect against supply chain attacks?
The very nature of supply chain attacks makes it difficult to guide against them. These types of attacks exploit the trust that businesses have in their suppliers to counterattack. While it is difficult to prevent these attacks, the following are some of the things you can do to mitigate their impact or reduce their risks:
Audit your infrastructure
Using software that isn’t approved or overseen by IT (shadow IT) is one of the factors that can predispose your business to supply chain attacks. One of the ways to mitigate these attacks is to perform a comprehensive audit of all the software being used within your organization. This might reveal vulnerabilities that supply chain hackers can leverage to launch an attack.
Keep an updated inventory of all your software assets
Every third-party software you use (regardless of how secure it seems) is a potential point of vulnerability. By keeping an updated inventory of all your third-party software, you can keep track of their updates, upgrades, and security issues better. This also helps to narrow down potential points of attack and deploy necessary solutions.
Rigorously assess vendors and apply a zero-trust approach
Before you use any third-party tool or partner with a new vendor, you need to rigorously check how secure they are. Most times, supply chain attacks occur because vendors fail to follow standard security practices. As part of your risk assessment efforts, you can ask any potential vendor to provide details of their standard security practices to determine their preparedness for supply chain attacks. You can begin by requesting a SOC 2 Type report and ISO 27001 certification from any vendor you intend to partner with. You should also check their security reports and verify certificates for any product before you purchase.
Never trust any new software or users by default. Even after confirming their security framework and agreeing to use their services, limiting the activities or permissions, any new tool on your network will reduce your vulnerability.
Use security tools
While antivirus, firewalls, and other security tools are often ineffective against supply chain attacks, they can still help verify code integrity and reduce the risk of an attack. Even if they cannot stop the attack from happening, these tools can still alert you about ongoing attacks. For instance, a firewall can let you know when huge blocks of data are being sent across your network, which is often the case with a malware or ransomware attack.
Secure your endpoints
Supply chain attackers often leverage software vulnerabilities at poorly secured endpoints to launch an attack. Deploying an endpoint detection and response system will help protect your endpoints against malware and ransomware. This way, they can no longer use these endpoints to spread an attack to other parts of your network, stopping the attack before it spreads further.
Deploy strong code integrity policies
Supply chain attacks that leverage app or code integrity can be stopped by deploying strong code integrity policies that only authorize apps based on stringent rules. These code dependency policies will block any app that looks suspicious or raises a red flag. While there may be some wrong calls and false alarms, mitigating supply chain risks this way is still better than suffering an attack. Any app that is flagged can be investigated further and authorized if found to be legitimate.
Have an incident response plan
Given the rising frequency of supply chain attacks, it is best to be prepared ahead of time by creating an incident response plan. Every organization should have plans to protect mission-critical components in case of breaches in order to keep operations intact. You should also have clear response and communication strategies in place to inform partners, vendors, and customers whenever a breach occurs. Your IT team should always be prepared for potential attacks. Appropriate risk management planning includes having incident response drills with your team regularly to assess readiness for potential attacks.
Examples of recent supply chain attacks
The efficiency of supply chain attacks is the major factor that accounts for their prevalence. These types of attacks impact various organizations from larger companies like Target to government agencies. In the past decade, there have been some high-profile cases of supply chain attacks. Some of the most notable supply chain attacks examples include:
In early 2021, air transport data company SITA experienced a data breach that is believed to have exposed the flight records of more than 580,000 Malaysia Airlines passengers.
Frequent flier program. The same data breach also affected Finnair Air in New Zealand and several others. Experts think the point of attack was through a company known as Star Alliance, with whom Singapore Airlines shares data. The attack subsequently spread to the entire supply chain.
ClickStudios, an Australia-based company and the creators of Passwordstate (a password management solution), reported a supply chain attack in 2021. The attack occurred via the software update service which was hosted on a third-party CDN. The malware was automatically downloaded onto the devices of the customers that updated their software during the time of the attack. The malicious software was designed to decrypt all the data stored on the customer’s database and send it as plaintext to the attacker’s external server.
Dependency confusion 2021
This was a deliberate attack to test the spread of supply chain attacks. Alex Birsan, a security researcher breached systems belonging to companies such as Microsoft, Uber, Tesla, and Apple by taking advantage of dependency protocols that their applications used to provide services to end-users. These dependencies made it possible to transmit counterfeit data packets to various high-profile users on the network.
A compromised Mimecast digital certificate led to one of the most talked-about supply chain data breaches of 2021. The digital certificate used for authenticating some of Mimecast’s services on Microsoft 365 Exchange web services were compromised. Investigations revealed the group behind this hack was also responsible for the 2020 SolarWinds attack. The attack affected up to 10% of Mimecast’s customers.
SolarWinds attack, 2020
This is arguably the most high-profile case of supply chain attacks in the past decade. Hackers who are believed to be foreign malicious players attacked several US government agencies through a third-party vendor known as SolarWinds, an IT service provider. Six US government departments are among the 18,000 SolarWinds customers affected by the attacks, including the Department of Energy and the National Nuclear Security Administration, the United States Department of State, the Department of Commerce, the Department of the Treasury, and the Department of Homeland Security.
In 2018, a malicious attack exploited ASUS’ live update software to install backdoor malware on more than one million computers. In this supply chain attack, the hackers leveraged the automatic update feature to introduce malware on users’ PCs. The malware was signed with legitimate ASUS security certificates which made it difficult to detect. Fortunately, the hackers had a limited list of just 600 users, and the thousands of other users that were not on that list were not significantly affected.
In the 2018 event-stream attack, hackers injected malware into a repository within the GitHub system. Since GitHub was a backup service for millions of developers, the attack exposed several users to a potential malware attack. However, the malicious code was programmed specifically to target the Copay bitcoin wallet. If the Copay developers affected by the malware were to run a release build script during the attack, the malicious code would have been bundled into the application and this would have harvested the private keys and account information of Copway users with at least 1000 Bitcoin in their account.
Equifax supply chain attack
Equifax, one of the largest credit card reporting agencies in the world, was hit by a supply chain attack in 2018. The malicious code was delivered via an app vulnerability on the company’s website. More than 147 million Equifax customers were affected by the attack which exposed sensitive personal data including addresses, social security numbers, birth dates, and so on.
If there’s only one thing you need to take from this article this should be it: Software supply chain attacks are an imminent threat. No doubt about that.
Therefore, you cannot trust the signed products and updates of vendors; there may already be modifications or additions to your code. So what can you do to ensure that your system is not infected with malicious files? Make sure each library owner or program vendor provides you with a complete SBOM—find out more about SBOMs here—and ensure that you get what you expect from the vendor or library owner by requesting a trusted attestation.