Threat actors know that attacking the supply chain is not just a smart strategy but also a winning one.
When US retailer Target found a Trojan designed to steal card details on its point-of-sale (POS) systems in 2013, no one expected that the route into its secured environment was its heating, ventilation, and air conditioning (HVAC) supplier, Fazio Mechanical Services. Because a smaller, less secure company like Fazio had access to a bigger, more secure company's systems, attackers took the path of least resistance to install malware and steal credentials. As a result, 40 million credit and debit card details were stolen, and Target spent a total of $202 million to recover from the hack.
This attack was a watershed moment in securing against supply chain attacks.
What is a supply chain attack?
A supply chain attack is, essentially, another way for attackers to compromise their target company. Instead of attacking the target directly, whose systems might be secured to the bone, they go for the weakest link in that company's supply chain: a vendor whose systems may not be as well secured as the main target's. Several threat actor groups, including those that use ransomware, had been pivoting to this attack scheme even before 2013, and such attacks have only grown exponentially in the years since.
Many high-profile attacks that happened during the last two years have been supply chain attacks. A sophisticated hacking group was in SolarWinds' production environment as early as 2019 before affecting 18,000 of its clients, which include private companies like FireEye and Microsoft and several US federal agencies, via an embedded backdoor to updates of its network monitoring software, Orion.
A malicious software update also affected Kaseya's clients in 2021. VSA, the company's remote monitoring and management software, distributed a patch that pushed REvil ransomware onto the systems of several managed service providers (MSPs), which in turn infected their clients' systems.
The breaches at SolarWinds and Kaseya are examples of what is generally termed a software supply chain attack, in which threat actors find and exploit a weakness in software to reach as many organizations as they can through a single point of entry. This type of attack is very difficult to detect because it exploits the trust organizations place in software that comes from their legitimate suppliers. Attackers who go this route, such as advanced persistent threat (APT) actors, usually have strong technical aptitude and the means to pull such an attack off.
Software supply chain attacks have three common techniques, according to CISA (Cybersecurity and Infrastructure Security Agency):
- Hijacking updates
- Undermining code signing
- Compromising open-source code
The Target breach, on the other hand, can be classed, in MITRE terms, as a "trusted relationship" attack, in which attackers infiltrate a less secure third party in the supply chain to abuse the established connection between that third party (in this case, Fazio) and the target company (Target).
Just as there are software-based supply chain attacks, there are also hardware-based ones. A hardware supply chain attack is very rare, as it is difficult to pull off and can require millions of dollars in investment. As the name suggests, it is carried out by tampering with physical components such as network devices, servers, and portable computing devices like laptops, mobile phones, tablets, and smartwatches.
A hardware supply chain attack was reportedly uncovered by Bloomberg in 2018. Dubbed by the news outlet "the most significant supply chain attack known to have been carried out against American companies," it allegedly involved China's military implanting a microchip "no bigger than a grain of rice" on motherboards made by Supermicro, a major supplier in the industry. According to the investigators that Bloomberg's journalists spoke with, the microchip provided long-term access (a backdoor, if you will) to the organizations that bought the servers. Immediately following the bombshell report, several companies that had relied on Supermicro's hardware, and Supermicro itself, denied the claims. A few years later, Bloomberg stood by its reporting with an additional piece that dug deeper into the history of China's alleged cyber-espionage.
For the purposes of this blog, we're excluding hardware supply chain attack mitigations. We're also focusing on the risks businesses face from their vendors, not the risks they pass on to their customers.
Securing your supply chain
Here's how you can protect your organization from risks your suppliers might pose:
1. Know who your vendors are.
It all starts here: if organizations aren't aware of who their suppliers are and how their own supply chains work, they won't be able to look for the risks and vulnerabilities in the chain that threat actors might exploit.
2. Incorporate a holistic approach to securing your systems.
Any threat coming from the internet must be stopped at the endpoint. Securing endpoints isn't optional if you want to fend off supply chain attacks, so consider investing in an effective endpoint detection and response (EDR) product and a way to monitor suspicious activity in the network, such as a managed detection and response (MDR) service.
Segmenting your network limits attackers' ability to move laterally and prevents unauthorized access to more sensitive data.
3. Develop an incident response (IR) plan/disaster recovery plan.
Putting an IR plan together may seem intimidating and overwhelming, but it doesn't have to be overly complicated. Thankfully, there are ready-made frameworks an organization can adapt to suit its needs. If you don't know which framework to build upon, have a look at the incident handling guide from NIST (the National Institute of Standards and Technology).
Include transparent and timely communication with your stakeholders and customers when something happens, so your business can provide steps to mitigate the problem if needed.
4. Have a plan for patching.
Come up with a patching strategy for your organization. For example, before a downloaded patch is scheduled for deployment in production, have an expert or a group of experts assess the risks and test the patch before signing off. While approval is pending, a separate group creates offline backups of the essential files that would be needed if an error occurs and affected systems need restoring.
5. Create and test offline backups.
Speaking of backups, never assume they work. To be sure they do, you have to test them, which means performing a full restore into a separate environment.
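As an added example (not Malwarebytes' code or any backup vendor's tooling), the Go program below shows what "testing a backup" can look like in practice: a SHA-256 manifest is taken at backup time and kept with the offline copy, and after a full restore into a separate directory every file is checked against it, so a truncated or missing file is reported instead of being discovered during a real incident. The sample files, directory names and the simulated restore failure are constructed for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Manifest maps each file path (relative to the backup root, slash-separated) to the SHA-256 hex digest of its contents.
type Manifest map[string]string

// BuildManifest hashes every regular file under root. Take it at backup time and store it with the offline copy.
func BuildManifest(root string) (Manifest, error) {
	m := Manifest{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || !d.Type().IsRegular() {
			return walkErr
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, p) // p is always under root here
		m[filepath.ToSlash(rel)] = fmt.Sprintf("%x", sha256.Sum256(data))
		return nil
	})
	return m, err
}

// VerifyRestore compares a tree restored into a separate environment against the backup-time manifest and lists every discrepancy.
func VerifyRestore(expected Manifest, restoredRoot string) ([]string, error) {
	actual, err := BuildManifest(restoredRoot)
	if err != nil {
		return nil, err
	}
	var problems []string
	for path, want := range expected {
		if got, ok := actual[path]; !ok {
			problems = append(problems, "missing: "+path)
		} else if got != want {
			problems = append(problems, "content mismatch: "+path)
		}
	}
	for path := range actual {
		if _, ok := expected[path]; !ok {
			problems = append(problems, "unexpected: "+path)
		}
	}
	sort.Strings(problems)
	return problems, nil
}

// writeTree writes constructed sample files (path -> content) under root.
func writeTree(root string, files map[string]string) error {
	for name, content := range files {
		p := filepath.Join(root, filepath.FromSlash(name))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(content), 0o644); err != nil {
			return err
		}
	}
	return nil
}

// DemoRestoreCheck builds a constructed "production" tree, takes its manifest, simulates a restore that silently fails (one file truncated, one never written) and returns the findings.
func DemoRestoreCheck() ([]string, error) {
	tmp, err := os.MkdirTemp("", "backup-demo-")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(tmp)
	prod, restore := filepath.Join(tmp, "prod"), filepath.Join(tmp, "restore")
	files := map[string]string{ // constructed sample data
		"db/orders.sql":   "INSERT INTO orders VALUES (1, 'widget');\n",
		"config/app.yaml": "listen: 0.0.0.0:8443\n",
	}
	if err := writeTree(prod, files); err != nil {
		return nil, err
	}
	manifest, err := BuildManifest(prod)
	if err != nil {
		return nil, err
	}
	// The "restore": only one of the two files arrives, and it is truncated.
	if err := writeTree(restore, map[string]string{"db/orders.sql": "INSERT INTO"}); err != nil {
		return nil, err
	}
	return VerifyRestore(manifest, restore)
}

func main() {
	problems, err := DemoRestoreCheck()
	fmt.Println("restore check findings:", problems, "error:", err)
}
```

The point of the manifest is that it is produced independently of the backup software and stored with the offline copy, so a restore is judged against what was actually on disk at backup time rather than against the backup tool's own success message. A restore test passes only when VerifyRestore returns no findings.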
6. Apply the principle of least privilege.
Not every supplier requires administrative access to your business environment and systems. Businesses should review all of their supplier and vendor privileges and decide whether to grant less (or more) access. When in doubt, granting the least amount of privilege is a good start.
7. Make multi-factor authentication (MFA) a norm.
Supply chain attackers have been known to use stolen credentials to let themselves into systems they have no right to access. They know that business systems trust credentials regardless of who uses them. To further protect systems from credential abuse and misuse, require MFA, especially for resources and services that are too sensitive for just anyone in the office to access.
8. Train your employees.
Gaps in security hygiene open up opportunities that threat actors can take advantage of, and such gaps often stem from a lack of awareness of supply chain attacks. It is important to keep employees and partners aware of the possible risks and their associated red flags, so that the organization can be alerted easily and act quickly.
9. Use a code signing service.
77 percent of businesses in the US use open-source software. But as we've seen in several software supply chain attacks, open source is both a blessing and a bane. Many businesses struggle to find ways to vet code, ensuring that it is safe to deploy and does not introduce problems into the supply chain.
Enter Sigstore, a free tool for signing and verifying code, and a first step toward securing the integrity of open-source code. Think of it as Let's Encrypt for code signing. Sigstore is a collaboration among big names in the industry, including OpenSSF, Chainguard, Linux, and GitHub.
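As an added example that is not part of the original post, and not Sigstore's own code or API, the Go program below shows the verification gate that code signing gives a patching pipeline: a release is signed with the vendor's key and checked against a trusted key set before it is staged for deployment, so the CISA techniques listed earlier (hijacked updates, undermined code signing) surface as verification failures rather than as incidents. It uses a plain Ed25519 keypair from Go's standard library in place of Sigstore's keyless flow; the key names, package name, version strings and payloads are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is a release artifact as the deployment gate sees it: the bytes to
// deploy, a detached signature, and the name of the key claimed to have signed them.
type UpdatePackage struct {
	Name, Version string
	Payload       []byte
	Signer        string
	Signature     []byte
}

var (
	ErrUnknownSigner = errors.New("signer is not in the trusted key set")
	ErrBadSignature  = errors.New("signature does not match name, version and payload")
)

// signingInput binds package name and version to the payload hash, so a valid
// signature on one release cannot be replayed onto another version.
func signingInput(name, version string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0})
	h.Write([]byte(version))
	h.Write([]byte{0})
	h.Write(payload)
	return h.Sum(nil)
}

// SignUpdate is the vendor side: the release process signs with its private key.
func SignUpdate(priv ed25519.PrivateKey, signer, name, version string, payload []byte) UpdatePackage {
	return UpdatePackage{Name: name, Version: version, Payload: payload, Signer: signer,
		Signature: ed25519.Sign(priv, signingInput(name, version, payload))}
}

// VerifyUpdate is the consumer side, run before a patch is staged for deployment:
// only a key in the trusted set may vouch for a package, and its signature must
// cover exactly the bytes about to be deployed.
func VerifyUpdate(trusted map[string]ed25519.PublicKey, pkg UpdatePackage) error {
	pub, ok := trusted[pkg.Signer]
	if !ok {
		return ErrUnknownSigner
	}
	if !ed25519.Verify(pub, signingInput(pkg.Name, pkg.Version, pkg.Payload), pkg.Signature) {
		return ErrBadSignature
	}
	return nil
}

// DemoUpdateGate runs the gate over one genuine package and four failure modes,
// returning each verdict by scenario name. All keys, names and payloads are constructed.
func DemoUpdateGate() (map[string]error, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // a key that is not the vendor's
	if err != nil {
		return nil, err
	}
	trusted := map[string]ed25519.PublicKey{"vendor-release-key": vendorPub}
	payload := []byte("constructed update payload for agent 2.3.1")
	genuine := SignUpdate(vendorPriv, "vendor-release-key", "agent", "2.3.1", payload)
	// Hijacked update: bytes altered after signing, signature left untouched.
	tampered := genuine
	tampered.Payload = append([]byte{}, payload...)
	tampered.Payload[0] ^= 0xff
	// Undermined signing: another key signs, presented under the vendor's key name.
	impersonated := SignUpdate(otherPriv, "vendor-release-key", "agent", "2.3.1", payload)
	// The same, under a key name the consumer has never trusted.
	untrusted := SignUpdate(otherPriv, "build-key-2", "agent", "2.3.1", payload)
	// Replay: the genuine 2.3.1 signature presented as a newer version.
	replayed := genuine
	replayed.Version = "2.3.2"
	return map[string]error{
		"genuine":      VerifyUpdate(trusted, genuine),
		"tampered":     VerifyUpdate(trusted, tampered),
		"impersonated": VerifyUpdate(trusted, impersonated),
		"untrusted":    VerifyUpdate(trusted, untrusted),
		"replayed":     VerifyUpdate(trusted, replayed),
	}, nil
}

func main() {
	verdicts, err := DemoUpdateGate()
	if err != nil {
		panic(err)
	}
	for _, s := range []string{"genuine", "tampered", "impersonated", "untrusted", "replayed"} {
		fmt.Printf("%-13s %v\n", s, verdicts[s])
	}
}
```

Two design choices carry the security value here. The trusted key set lives with the consumer, not in the package, so a package cannot name its own authority; and the signed input covers the package name and version as well as the bytes, so an old, legitimately signed release cannot be passed off as a newer one. Sigstore's keyless model replaces the static key set with short-lived certificates and a transparency log, but the gate it feeds is the same: verify before you stage a patch.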
To learn more about software supply chain attacks in general, we interviewed Kim Lewandowski, founder and head of product at Chainguard, on our Lock and Code podcast.
Supply chain attacks are here to stay
We can see that software is everywhere, to the point that, as one of the most notable venture capitalists put it in 2011, it's eating the world. But today's hyper-digitized businesses have already been eaten up by software, and at a fast pace. They can no longer function normally without technology, systems, and open-source code. Securing these components has become a must.
The risk to the supply chain is already on the uptick and will only grow; as long as organizations continue to rely on their suppliers, the risk is here to stay. It is essential for businesses and their suppliers to work together to harden their defenses and minimize the risk of having their supply chain compromised. It is also high time for policymakers to start improving the baseline of software security for all organizations and to come up with more ways to secure code.
Lastly, while companies are attempting to keep pace with modern supply chain attacks, it won't hurt to look into other areas where supply chain attacks could take place, such as the cloud and firmware. On our podcast, Lewandowski also spoke about the need for more automated tools to inspect code and stressed the importance of training.
"I really think the solution sort of lies in the tooling and the best practices and making that so easy that no one has an excuse not to adopt it in their own systems," she said.