The surge in supply chain attacks, and how to avoid them

Supply chain attacks have become increasingly common in recent years, and have been used in some high-profile cyberattacks. The aim is to exploit weaknesses in the vendor’s security measures to gain unauthorised access to the company’s network.

According to the Anchore 2022 Software Supply Chain Security Attacks report, 62% of organisations surveyed were impacted by these threats. Additionally, Gartner estimates that by 2025, 45% of organisations worldwide will experience attacks on their software supply chains.

What is a supply chain attack?

A supply chain attack primarily targets software developers and service or technology providers with the goal to infiltrate a company’s infrastructure through a third-party supplier with access to sensitive data.

Malicious actors use these attacks to gain access to source code, development processes or update mechanisms. Then they distribute malware by infecting legitimate programmes.

Supply chain attacks are a very successful method of introducing malicious software into targeted organisations. They rely on the trusted relationship that exists between a manufacturer or supplier and a client.

How supply chain attacks work

The most common scenario for a supply chain attack is when a third party, partner or supplier has access to critical data or a part of the internal IT infrastructure. With these rights, hackers compromise the third party’s security mechanisms and gain legitimate access to the resources granted to the third party vendor.

The main entry points that cybercriminals focus on when launching supply chain attacks are:

• Email servers – cybercriminals compromise the email infrastructure dedicated to sending legitimate emails to customers.
• Software update infrastructures – attackers introduce malware into legitimate software releases and upgrades via updates or patches.
• Social engineering tactics – they use phishing emails or phone calls to trick vendors into revealing sensitive information to gain access to the company’s network. A phishing email to a vendor may appear to be from the company requesting login credentials or other sensitive information.
• Pre-installed malware – this can be on devices such as cameras, USB sticks or phones.
• CI/CD pipelines – CI/CD pipelines have become the backbone of modern DevOps environments and a crucial component of most software companies’ operations. CI/CD has the ability to automate secure software development with scheduled updates and built-in security checks. By hardening CI/CD pipelines and addressing security early in the development process, developers can deliver software faster and more securely.

Some notorious supply chain attacks

The SolarWinds hack

The SolarWinds supply chain attack in December 2020 targeted multiple organisations, impacting over 100 companies, including US government agencies, telcos and Fortune 500 companies.

Adversaries installed malware on the software company ‘SolarWinds’ through a third-party vendor. They used a Remote Access Trojan (RAT) as the main attack vector to compromise SolarWinds’ Orion management platform. They then inserted a malicious code into the software, which was distributed to SolarWinds’ customers through a software update. When customers installed the update, the malware was able to infiltrate their systems, allowing the attackers to gain access to sensitive data and steal valuable information.

The SolarWinds hack is believed to have been conducted by a Russian state-sponsored group. The attack was highly sophisticated and the attackers remained undetected for several months. IronNet’s 2021 Cybersecurity Impact Report highlights that this incident cost affected companies on average 11% of their annual revenue.

The CCleaner supply chain attack

CCleaner, one of the most well-known tools for software maintenance, was at the centre of a supply chain attack in 2017. Attackers initially compromised an unattended workstation of one of the CCleaner developers, which was connected to the network.

The malicious version of CCleaner had a multi-stage malware payload designed to steal data from infected computers and send it back to an attacker-controlled command-and-control server. The attackers replaced the official version of the CCleaner programme with their backdoored version, which was pushed to millions of users. The malware was only detected after it had been distributed through the company’s official website for more than a month, affecting over 2.3 million devices. 

The FishPig security breach

FishPig, a UK-based maker of e-commerce software used by almost 200,000 websites, suffered a security breach of its distribution server in 2022. It allowed cybercriminals to surreptitiously infect customer systems using FishPig’s fee-based Magento 2 modules with malware called Rekoobe.

Rekoobe masquerades as a benign SMTP server and can be activated by covert commands. Once activated, Rekoobe provides a reverse shell that allows the threat actor to remotely issue commands to the infected server.

The Kaseya ransomware attack

The Kaseya ransomware attack occurred in July 2021 and was a large-scale supply chain attack that affected hundreds of global companies. The attack leveraged vulnerabilities found within the Virtual System Administrator (VSA) remote management software of US technology company Kaseya Limited.

Specifically, the incident exploited flaws within VSA’s latest update, allowing the hackers to replace it with ransomware and hack into 50 managed services providers that used Kaseya’s products. Before Kaseya was able to issue warnings to its customers, the ransomware’s malicious payload had affected approximately 1,500 organisations. REvil, a Russian-speaking criminal group, was responsible, but they mysteriously disappeared from the internet.

The Target data breach

The 2013 Target data breach was the result of a supply chain attack. Hackers gained access to Target’s network through a vendor that provided HVAC services. The attack resulted in the theft of sensitive customer data, affecting more than 40 million Target customers. Once inside, the attackers were able to move laterally across the network and install malware on Target’s point-of-sale (POS) systems.

How to prevent supply chain attacks

There are several security protection measures that can be taken to prevent supply chain attacks:

1. Secure software development

Ensure that software applications developed within the organisation or by third-party vendors are secure. This involves identifying mitigating, and eliminating vulnerabilities within the software code to prevent attackers from exploiting known software vulnerabilities.

• Network segmentation

The network can be segmented to isolate the critical systems and sensitive data from the rest of the network. This makes it harder for an attacker to move laterally from a non-critical system to a critical system.

• Multi-factor authentication

Multi-factor authentication (MFA) can be implemented to provide an additional layer of security to access the systems. MFA requires two or more forms of ID, such as a password and a one-time code before gaining access.

• Least privilege

Least privilege means granting the minimum access necessary for an employee or system to perform their job functions. If an attacker gains access to an account or system, they can only access what is required to complete their tasks.

• Continuous monitoring

You can implement continuous monitoring to detect and respond to suspicious activities in real time. This involves collecting and analysing data from various sources to detect any anomalies or potential threats.

• Vendor risk management

It is essential to have a robust vendor risk management programme to ensure that suppliers and vendors adhere to security standards and best practices. This includes regular security assessments, security audits and security awareness training.

• Incident response plan

If an attack was to occur, organisations should have an incident response plan in place. This should include a clear process for reporting incidents, isolating affected systems and restoring operations as fast as possible.

Conclusion

Unfortunately, cyberattacks will continue to pose a significant risk to the supply chain, particularly in software development environments. Organisations must develop risk mitigation methods that focus not only on protection from external threats, but also threats originating from a customer or supplier network.

Additionally, third party suppliers must maintain adequate security measures and network segmentation strategies to help prevent businesses falling victim to supply chain security breaches.

For more information on how Securus can help, contact one of our security professionals on 03451 283457.