
What is a Supply Chain Attack? Types and Examples

Research Team
April 8, 2022

A supply chain attack is when an attacker uses an outside provider or partner that has access to your data and systems to infiltrate your digital infrastructure. That external party has been granted rights to use and manipulate areas of your network, your applications, or sensitive data. The attacker therefore only has to penetrate the third party’s defences, or plant a loophole in a solution the vendor offers, to infiltrate your system.

Supply chain attacks are diverse. They impact large companies, as was the case with the Target security breach, and typically dependable systems, as when automated teller machine (ATM) malware is used to steal cash. They have also been used against governments, as with the Stuxnet computer worm designed to infiltrate Iran’s nuclear facilities.

Sources of Supply Chain Attacks

Some of the most common sources of supply chain attacks are commercial software, open-source supply chains, and foreign products.

Commercial Software Products

Because hundreds or even thousands of companies may use the same software vendor and solutions, a supply chain attacker who can penetrate a software company’s system or compromise the integrity of its product can gain access to a significant number of targets.

If hackers can insert malicious code into software that companies purchase, they do not have to hack each company’s system directly. Hackers may also try to gain access to penetration tools that software security providers give their clients and use these to gain a foothold in their network.

One way attackers have been able to compromise software is by using compiler attacks. A compiler translates code written in one language into a different programming language. In a compiler attack, the compiler is used to insert malicious code into the translation it produces.

Open-source Supply Chains

With open-source software solutions, anyone can contribute to the development of a program. Unfortunately, hackers have used this free access to program vulnerabilities into open-source solutions, making it easy to introduce threats to the companies that use the software.

Even though other members of the development community can see and evaluate the code the perpetrators submit, they may not know what to look for, allowing hackers to introduce a variety of vulnerabilities.

Foreign-sourced Threats

In countries like China, where the government can exercise profound, granular control over what private companies produce, software products may contain malicious code that the government demands the producer include.

The inclusion of these threats does not have to be sanctioned by the government, either. Malicious actors can infiltrate companies and sneak their code into otherwise legitimate products. When these are purchased by other countries, hackers on the other side of the border can have full access to sensitive systems.

How Do Supply Chain Attacks Work?

For a supply chain attack to work, hackers have to insert malicious code into software or find ways to compromise network protocols or components. Once they discover an opportunity, they take advantage of it, gaining access to critical digital resources.

Many of the products attackers compromise come from trusted vendors, making it easier for supply chain attackers to penetrate their targets’ systems. They may do so using an application or one of its updates, which, ironically, is often designed to close security loopholes.

Types of Supply Chain Attacks

There are several kinds of supply chain attacks involving creating or taking advantage of security weaknesses in solutions companies trust. They include:

  1. Stolen certificates. Suppose a hacker steals a certificate used to vouch for the legitimacy or safety of a company’s product. They can then peddle malicious code under the guise of that company’s certificate.
  2. Compromised software development tools or infrastructure. Hackers leverage the tools used to build software applications to introduce security weaknesses into the development process, before those tools are even used to create an application.
  3. Malware preinstalled on devices. Hackers put malware on phones, Universal Serial Bus (USB) drives, cameras, and other mobile devices. The malicious code is introduced when the target connects the device to their system or network.
  4. Code included in the firmware of components. Digital hardware is controlled by firmware that helps it run smoothly and interface with users and other systems. Unfortunately, hackers can include malicious code in firmware to access a system or network.

Examples of Recent Supply Chain Attacks

Hackers’ attacks on supply chains have recently resulted in several high-profile incidents. In each of the following supply chain attack examples, the systems or software of trusted vendors were compromised.

Dependency Confusion, 2021

A security researcher was able to breach Microsoft, Uber, Apple, and Tesla. The researcher, Alex Birsan, took advantage of the dependencies that applications pull in to provide services to end-users. Through these dependencies, Birsan delivered counterfeit but harmless packages to those high-profile companies.
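The exposure Birsan used comes from how a package installer picks between an internal and a public index. The following is an added example, not code from Offensive360 or from the researcher: a small audit of a Python project's pip configuration that flags internal-only package names which pip could satisfy from a public index. It assumes a `requirements.txt`, a `pip.conf` `[global]` fragment, a list of names the organisation knows are internal, and a list of names already registered on the public index (all constructed here; in practice you would query the index).

```python
"""Audit a Python project's pip setup for dependency-confusion exposure.

Added example, not Offensive360 code. Inputs (requirements.txt, pip.conf,
internal names, publicly registered names) are constructed for the demo.
"""
import re
from dataclasses import dataclass

# name, optionally followed by ==version (any other specifier counts as unpinned)
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==\s*([^\s#;]+))?")


@dataclass
class Finding:
    package: str
    reason: str


def parse_requirements(text):
    """Return {name: pinned_version_or_None} from requirements.txt content."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # skip blanks and pip options
            continue
        m = REQ_LINE.match(line)
        if m:
            deps[m.group(1).lower()] = m.group(3)
    return deps


def parse_pip_conf(text):
    """Return (index_url, [extra_index_urls]) from a pip.conf [global] fragment."""
    index_url, extras = None, []
    for line in text.splitlines():
        key, _, value = line.partition("=")
        key = key.strip().lower().replace("_", "-")
        if key == "index-url":
            index_url = value.strip()
        elif key == "extra-index-url":
            extras.extend(value.split())
    return index_url, extras


def audit(requirements_text, pip_conf_text, internal_names, public_names):
    """Flag internal packages that pip could satisfy from a public index."""
    deps = parse_requirements(requirements_text)
    _, extras = parse_pip_conf(pip_conf_text)
    internal = {n.lower() for n in internal_names}
    public = {n.lower() for n in public_names}
    findings = []
    for name, version in deps.items():
        if name not in internal:
            continue
        # pip treats extra-index-url indexes as peers of index-url and installs the
        # highest version found on any of them, so a public package with the same
        # name and a larger version number wins over the internal one.
        if extras:
            findings.append(Finding(name, "resolvable from an extra index; serve internal packages from index-url only"))
        if name in public:
            findings.append(Finding(name, "name is already registered on the public index"))
        if version is None:
            findings.append(Finding(name, "version not pinned"))
    return findings


# Constructed sample inputs.
REQUIREMENTS = """requests==2.28.1
acme-billing==1.4.0
acme-auth           # internal, but unpinned
"""
PIP_CONF_WEAK = """[global]
index-url = https://pypi.org/simple
extra-index-url = https://pypi.internal.example/simple
"""
PIP_CONF_FIXED = """[global]
index-url = https://pypi.internal.example/simple
"""
INTERNAL = ["acme-billing", "acme-auth"]
PUBLIC_REGISTERED = ["requests", "acme-auth"]  # constructed: acme-auth claimed publicly

if __name__ == "__main__":
    for label, conf in (("weak", PIP_CONF_WEAK), ("fixed", PIP_CONF_FIXED)):
        print(f"--- {label} pip.conf ---")
        for f in audit(REQUIREMENTS, conf, INTERNAL, PUBLIC_REGISTERED):
            print(f"{f.package}: {f.reason}")
```

The fixed configuration assumes the internal index proxies the public packages it does not host itself, so a single `index-url` serves both; what remains flagged for `acme-auth` (a publicly claimed name and a missing pin) is exactly what an attacker-registered package would exploit, and it is fixed in the manifest, not in pip.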

Mimecast, 2021

In the Mimecast attack, hackers compromised a security certificate that authenticates Mimecast’s services to Microsoft 365 Exchange Web Services. While only relatively few customers were impacted, about 10% of Mimecast’s customers use apps that rely on the compromised certificate.

SolarWinds, 2020

The SolarWinds attack was carried out by injecting a backdoor, known as SUNBURST, into the Orion IT update tool. The backdoored update was downloaded by 18,000 customers.

ASUS, 2018

According to Symantec researchers, the attack on ASUS took advantage of an update feature and impacted as many as 500,000 systems. In the attack, an automatic update was used to introduce malware to users’ systems.

Event-stream, 2018

In the event-stream attack, a repository on GitHub was injected with malware. An unknown number of applications pulled the dependency from the malicious repository. While not itself open-source, GitHub serves as a backup service for the public, and users are encouraged to share their solutions with others.

Best Practices to Counter Supply Chain Attacks

Companies can integrate several techniques to fight supply chain attacks, ranging from addressing their general cybersecurity infrastructure issues to ensuring endpoints are secured against infiltration.

Audit Unapproved Shadow IT Infrastructure

With shadow IT, the services employees use are not overseen by the IT department. These can range from security software to communication tools and more. Auditing them may reveal vulnerabilities that supply chain hackers can leverage.

Have an Updated and Effective Software Asset Inventory in Place

Regardless of how useful it is, each software asset introduces a potential vulnerability. With an up-to-date inventory of all the software your company uses, you can keep better track of which apps, updates, and upgrades may present security issues. You can also narrow down the number of potential attack vectors by categorising your solutions according to how safe they are.
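The following is an added example, not Offensive360 code, of the inventory-and-categorise step: it enumerates the packages installed in the running Python interpreter, then triages an inventory against a list of advisories giving the first fixed version of each affected package. The advisory list and the sample inventory are constructed; only `gather_installed()` reads real data.

```python
"""Build a software asset inventory and triage it against known-affected versions.

Added example, not Offensive360 code. ADVISORIES and SAMPLE_INVENTORY are
constructed; gather_installed() reads real metadata from the current interpreter.
"""
from importlib import metadata

# Constructed advisories: package name -> first version that contains the fix.
ADVISORIES = {"demo-lib": "2.3.1", "demo-parser": "1.0.5"}


def parse_version(v):
    """Compare dotted numeric versions (e.g. '2.3.1'); non-numeric parts sort low."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else -1)
    return tuple(parts)


def gather_installed():
    """Enumerate distributions installed in the current interpreter: {name: version}."""
    inventory = {}
    for dist in metadata.distributions():
        name = dist.metadata.get("Name")
        if name:
            inventory[name.lower()] = dist.version
    return inventory


def triage(inventory, advisories=ADVISORIES):
    """Categorise each asset as 'affected', 'patched' or 'no-advisory'."""
    report = {"affected": [], "patched": [], "no-advisory": []}
    for name, version in sorted(inventory.items()):
        fixed = advisories.get(name.lower())
        if fixed is None:
            report["no-advisory"].append((name, version))
        elif parse_version(version) < parse_version(fixed):
            # Installed version predates the fix: this asset is an open attack vector.
            report["affected"].append((name, version, fixed))
        else:
            report["patched"].append((name, version))
    return report


# Constructed inventory standing in for the output of gather_installed().
SAMPLE_INVENTORY = {"demo-lib": "2.2.0", "demo-parser": "1.0.5", "requests": "2.28.1"}

if __name__ == "__main__":
    for category, items in triage(SAMPLE_INVENTORY).items():
        print(category, items)
    print(f"{len(gather_installed())} distributions installed in this interpreter")
```

Swapping `SAMPLE_INVENTORY` for `gather_installed()` turns this into a live check of one interpreter; for a whole estate the same `triage()` runs over whatever your inventory system exports, provided it yields name and version pairs.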

Assess a Vendor’s Security Posture

If you ensure each vendor provides a complete description of its security measures, you can get an idea of how safe its products are. You can also have a cybersecurity professional examine the information vendors provide to see whether what they have in place is adequate.

Treat Validation of Supplier Risk as an Ongoing Process

A supplier may be safe in Q1 but the source of an attack in Q2. Therefore, evaluate the risk presented by each supplier continuously, periodically re-verifying the safety of each one.

Use Client-side Protection Tools

In a client-server model, users download data provided by a server. Client-side protection tools filter downloaded content, looking for and stopping malicious code before it is installed on a machine on your network.

Use Endpoint Detection and Response Solutions

Supply chain cyberattacks often take advantage of inadequately secured endpoints. With an endpoint detection and response (EDR) system in place, many supply chain attacks can be prevented, and a compromised endpoint cannot be used to spread an attack to other areas of your network.

Deploy Strong Code Integrity Policies to Allow Only Authorized Apps To Run

Code integrity policies consist of rules that dictate whether or not an application is allowed to run. For example, if the application code raises a red flag, the system blocks it. Strict code integrity policies can therefore limit the number of supply chain attacks your company encounters.

In some cases, setting up strict rules may cause legitimate apps to be flagged, but it is always better to be safe than sorry, so invest a little extra time investigating flagged apps.
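As an added example (not Offensive360 code) of the policy described above, here is a small code-integrity evaluator: a binary is allowed by explicit hash or by a trusted publisher, blocked if its hash is on a denylist or it is unsigned, and otherwise flagged, meaning it does not run but is queued for the investigation the text recommends. The `publisher` argument stands for the signer identity the operating system reports after validating a binary's signature; the binaries, hashes and publisher names are constructed.

```python
"""Evaluate a code-integrity (application allowlisting) policy for a binary.

Added example, not Offensive360 code. 'publisher' is assumed to be the validated
signer identity supplied by the OS; all binaries and names here are constructed.
"""
import hashlib
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    FLAG = "flag"  # not run, but queued for a human to investigate


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed binaries standing in for real executables.
KNOWN_GOOD = b"constructed bytes of an approved internal tool"
KNOWN_BAD = b"constructed bytes of a known-malicious build"


def sample_policy():
    """Constructed policy: explicit hashes beat publisher rules, deny beats allow."""
    return {
        "trusted_publishers": {"Example Corp"},
        "allowed_hashes": {sha256_hex(KNOWN_GOOD)},
        "denied_hashes": {sha256_hex(KNOWN_BAD)},
    }


def evaluate(policy, name, data, publisher):
    """Return (Verdict, reason) for one binary."""
    digest = sha256_hex(data)
    if digest in policy["denied_hashes"]:
        return Verdict.BLOCK, f"{name}: hash is on the denylist"
    if digest in policy["allowed_hashes"]:
        return Verdict.ALLOW, f"{name}: hash is explicitly allowed"
    if publisher is None:
        # Unsigned code never runs under a strict policy.
        return Verdict.BLOCK, f"{name}: unsigned"
    if publisher in policy["trusted_publishers"]:
        return Verdict.ALLOW, f"{name}: signed by trusted publisher {publisher}"
    # Validly signed, but by someone the policy does not know: hold for review.
    return Verdict.FLAG, f"{name}: signed by unknown publisher {publisher}"


def enforce(policy, binaries):
    """Apply the policy to (name, data, publisher) triples and bucket the outcomes."""
    report = {"allowed": [], "blocked": [], "review": []}
    bucket = {Verdict.ALLOW: "allowed", Verdict.BLOCK: "blocked", Verdict.FLAG: "review"}
    for name, data, publisher in binaries:
        verdict, reason = evaluate(policy, name, data, publisher)
        report[bucket[verdict]].append(reason)
    return report


if __name__ == "__main__":
    sample = [
        ("tool.exe", KNOWN_GOOD, None),
        ("dropper.exe", KNOWN_BAD, "Example Corp"),
        ("helper.exe", b"new build", "Example Corp"),
        ("vendor.exe", b"third-party build", "Unknown Ltd"),
        ("script.exe", b"unsigned build", None),
    ]
    for category, reasons in enforce(sample_policy(), sample).items():
        print(category, reasons)
```

The ordering is the point: a denylisted hash is blocked even when it carries a trusted signature (a stolen certificate does not help it), and an explicit hash allow lets an unsigned internal tool run without loosening the publisher rule for everything else.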

Maintain a Highly Secure Build and Update Infrastructure

To ensure the builds and updates of your system are secure, have a plan in place for regularly installing security patches for your operating systems and the software you run. Also, allow only trusted tools to run on your system. Finally, require multi-factor authentication (MFA) for admins.

Build Secure Software Updates as Part of the Software Development Life Cycle

To ensure secure updaters are a vital element of your life cycle, you can:

  1. Make secure sockets layer (SSL) encryption mandatory.
  2. Require that everything be signed with a digital signature, including scripts, files, packages, and Extensible Markup Language (XML) files.
  3. Do not let software accept generic, unsigned input or commands.
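Points 2 and 3 above amount to one rule in the updater: nothing is applied until a signed manifest has been verified and every file matches it. The following is an added example, not Offensive360 code, of that verify-before-apply flow. To stay runnable with the standard library alone it uses HMAC-SHA256 under a shared key as a stand-in for the asymmetric signature a real vendor would produce with its private key; the files, key and version are constructed.

```python
"""Verify a signed update manifest before applying any file from it.

Added example, not Offensive360 code. HMAC-SHA256 with a shared key stands in
for the vendor's asymmetric signature; SIGNING_KEY and SAMPLE_FILES are constructed.
"""
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key"  # stand-in for the vendor's private key


def canonical(manifest):
    """Stable byte encoding so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key=SIGNING_KEY):
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def build_update(files, key=SIGNING_KEY):
    """Vendor side: record a hash for every file, then sign the manifest."""
    manifest = {
        "version": "1.2.0",
        "files": {name: hashlib.sha256(data).hexdigest() for name, data in files.items()},
    }
    return {"manifest": manifest, "signature": sign_manifest(manifest, key), "files": dict(files)}


def verify_update(update, key=SIGNING_KEY):
    """Client side: reject unsigned, badly signed, altered, missing or unlisted content."""
    signature = update.get("signature")
    if not signature:
        return False, "update is unsigned"
    manifest = update["manifest"]
    if not hmac.compare_digest(signature, sign_manifest(manifest, key)):
        return False, "signature does not match manifest"
    for name, expected in manifest["files"].items():
        data = update["files"].get(name)
        if data is None:
            return False, f"{name} missing"
        if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected):
            return False, f"{name} hash mismatch"
    unlisted = set(update["files"]) - set(manifest["files"])
    if unlisted:
        # A file the signer never vouched for must not ride along with the update.
        return False, f"unlisted files: {sorted(unlisted)}"
    return True, "ok"


# Constructed update payload: a script and an XML config, both covered by the manifest.
SAMPLE_FILES = {"updater.py": b"print('hello')\n", "config.xml": b"<config/>\n"}


def demo():
    """Return the accept/reject outcome for a clean, a tampered and an unsigned update."""
    good = build_update(SAMPLE_FILES)
    tampered = build_update(SAMPLE_FILES)
    tampered["files"]["updater.py"] = b"print('changed in transit')\n"
    unsigned = build_update(SAMPLE_FILES)
    unsigned["signature"] = ""
    return verify_update(good)[0], verify_update(tampered)[0], verify_update(unsigned)[0]


if __name__ == "__main__":
    print(demo())
```

Two design choices carry over unchanged when the HMAC is replaced by a real signature: the signature covers a canonical manifest rather than each file, so one verification bounds the whole update, and files not named in the manifest are rejected rather than ignored.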

Develop an Incident Response Process

Your incident response process should be systematic and incorporate honest and transparent information dissemination. This includes promptly letting internal stakeholders and customers know the cause of an incident and the steps taken to mitigate the problem when something happens.

Protecting Against Supply Chain Attacks with Offensive360

Supply chain attackers take advantage of a lack of monitoring within an organisation’s environment. Offensive360 Harmony Endpoint helps an organisation protect against these threats by monitoring suspicious application behaviour that might point to compromise.
