What is a supply chain attack? Third-party software risks
A supply chain attack gains unauthorized access to systems through outside partners. It exploits the trust between an organization, its partners, and its software vendors.
For instance, websites might go down or get hacked because of WordPress flaws. The provider is the one that gets hacked, but its clients are the ones targeted with follow-up attacks.
As a result, these tactics are hard to detect, since the danger arrives through a trusted entity.
What is a supply chain attack?
A supply chain attack means criminals hijack your system by exploiting flaws in outside partners that have access to it. In other words, perpetrators attack a third party closely associated with or connected to the actual targets.
By compromising one software provider, hackers can taint their multiple products with malicious code.
Harming devices or networks through linked services has become a common attack vector. Weak links in a company’s supply chain can lead to incidents such as data breaches that expose confidential information.
How are supply chain attacks possible?
Nowadays, very few companies rely solely on in-house tools. Instead, they turn to various software vendors, like cloud-based or developer solutions.
These products usually require access to sensitive information like client data or software source code. So even if providers build strong defenses against hacking, they cannot vouch for the software they themselves use.
Supply chain attacks therefore happen when criminals find vulnerabilities in software connected to the true targets.
How do supply chain attacks work?
The supply chain attack undermines the trust users and companies have in their partners. It is one of the modern cyber threats that can be difficult to detect and prevent.
For instance, all software vendors providing services to other companies are potential targets. And while commercial software is one attack vector, supply chain attacks can equally occur through open-source assets.
Let’s see how a supply chain attack could unfold, based on previous incidents:
- Criminals find software vendors and examine their services for potential security flaws, unpatched vulnerabilities, etc.
- Through the detected security gap, hackers inject malicious code into the legitimate service. For instance, criminals could release fake software updaters that deliver malware to clients.
- Supply chain attacks targeting big corporations or government agencies can be after their data. In other cases, malware could disrupt services through cyber threats like ransomware.
Types of supply chain attacks
Hackers can infiltrate systems through various means. However, the biggest threats are software attacks.
Software supply chain attacks
Software-based attacks mean that criminals taint vendors’ software with malicious code. Then, the harmful package gets delivered to clients in several ways:
- Malicious software updaters can be planted as bait so that clients install malware on their systems while believing they are applying a legitimate update.
- Phishing emails containing fake invoices or requests for data could reach clients’ inboxes.
- Malware-ridden software packages mean the main software download itself gets compromised to carry viruses.
- Stolen code-signing and SSL certificates, together with their private keys, let hackers sign malicious code or impersonate a legitimate service so that it passes the checks meant to authenticate it.
Hardware supply chain attacks
Hardware-based attacks mean criminals tamper with devices, circuit boards, or USB sticks. For instance, a tainted USB stick could infect corporate devices as soon as it is plugged in. This type might be less widespread, as it usually requires physical access to the products.
However, it highlights the need to trust manufacturers and to ensure that they do not add unwanted components.
Firmware supply chain attacks
Firmware-based attacks execute when a device boots. Thus, the malicious code is active immediately, compromising the targeted system from the start. Experts also note that firmware security frequently gets overlooked.
Previous research indicates that Wi-Fi adapters, network cards, and USB hubs might not have proper public/private key protection for their firmware. Furthermore, firmware infections can persist through reboots and OS reinstallations.
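The software list above ends with tainted updaters and stolen signing material, and the firmware section notes devices whose firmware is not properly protected by public/private keys. The control that addresses both is the same: the vendor publishes a signed manifest of artifact digests, and the client refuses anything that does not verify under a pinned vendor key. The following Go program is an added example, not code from the article or from any vendor it mentions; the key pair, file names and contents are generated or constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest lists every artifact of a release (updater binary, firmware image)
// with its SHA-256 digest. The vendor signs the JSON encoding with an ed25519
// key whose public half the client pins ahead of time.
type Manifest struct {
	Version   string            `json:"version"`
	Artifacts map[string]string `json:"artifacts"` // path -> hex SHA-256
}

// canonical is the byte string that gets signed. encoding/json sorts map keys,
// so signer and verifier hash identical bytes; the struct holds only strings,
// so marshalling cannot fail in practice.
func canonical(m Manifest) []byte {
	body, err := json.Marshal(m)
	if err != nil {
		panic(err)
	}
	return body
}

func digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// BuildManifest is the vendor-side step: hash each artifact, then sign the manifest.
func BuildManifest(version string, files map[string][]byte, priv ed25519.PrivateKey) (Manifest, []byte) {
	m := Manifest{Version: version, Artifacts: make(map[string]string, len(files))}
	for name, data := range files {
		m.Artifacts[name] = digest(data)
	}
	return m, ed25519.Sign(priv, canonical(m))
}

// VerifyRelease is the client-side step. It succeeds only when the manifest is
// signed by the pinned vendor key AND every downloaded artifact matches its
// recorded digest; a file listed in the manifest but absent is rejected too.
func VerifyRelease(m Manifest, sig []byte, files map[string][]byte, pub ed25519.PublicKey) error {
	if !ed25519.Verify(pub, canonical(m), sig) {
		return fmt.Errorf("manifest signature does not verify under the pinned vendor key")
	}
	for name, want := range m.Artifacts {
		data, ok := files[name]
		if !ok {
			return fmt.Errorf("%s: listed in manifest but missing from download", name)
		}
		if got := digest(data); got != want {
			return fmt.Errorf("%s: digest mismatch (manifest %s, download %s)", name, want[:12], got[:12])
		}
	}
	return nil
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Scenarios runs the checks against constructed sample releases and reports
// which ones a client would accept. Keys and contents are generated here for
// the demonstration and belong to no real vendor.
func Scenarios() map[string]bool {
	vendorPub, vendorPriv := mustKey()
	_, attackerPriv := mustKey()
	genuine := map[string][]byte{
		"updater.bin":  []byte("constructed: genuine updater image"),
		"firmware.img": []byte("constructed: genuine firmware image"),
	}
	m, sig := BuildManifest("2.1.0", genuine, vendorPriv)
	// Build server compromised: one artifact swapped, signed manifest left as is.
	tampered := map[string][]byte{
		"updater.bin":  []byte("constructed: backdoored updater image"),
		"firmware.img": genuine["firmware.img"],
	}
	// Attacker also re-signs a matching manifest, but can only use their own key.
	forgedM, forgedSig := BuildManifest("2.1.0", tampered, attackerPriv)
	return map[string]bool{
		"genuine":           VerifyRelease(m, sig, genuine, vendorPub) == nil,
		"tampered_artifact": VerifyRelease(m, sig, tampered, vendorPub) == nil,
		"forged_manifest":   VerifyRelease(forgedM, forgedSig, tampered, vendorPub) == nil,
	}
}

func main() {
	for name, accepted := range Scenarios() {
		fmt.Printf("%-18s accepted=%v\n", name, accepted)
	}
}
```

The check is exactly as strong as the custody of the vendor's signing key: if that key is stolen (the stolen-certificate case above), a forged manifest verifies just like a genuine one, which is why signing keys belong on offline or hardware-backed storage and why clients need a way to rotate or revoke a pinned key. For firmware, the same verification has to be performed by the device's boot code rather than by a downloader, or the "might not have proper keys" gap remains.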
SolarWinds attack and other supply chain hacks
In 2020, the SolarWinds hack showcased how devastating supply chain attacks can be. Attackers compromised the vendor by inserting malicious code into its Orion system. The attack impacted 18,000 clients, including top cybersecurity companies and government agencies.
However, supply chain risks are nothing new. Kaseya and NotPetya ransomware infections both exploited legitimate services for distribution.
The formjacking Magecart attack against British Airways also began as a supply chain hack. Essentially, hackers compromised one of the airline’s vendors, eventually affecting companies like British Airways and Ticketmaster.
Unfortunately, supply chain attacks have become more frequent in recent years. According to CrowdStrike’s Global Security Attitude Survey 2021, more companies experience hacks due to suppliers and vendors:
- 45% of respondents indicated having suffered a supply chain attack in the last year.
- 84% of IT experts believe that supply chain risks will continue increasing over the next three years.
- 59% of companies who suffered supply chain attacks did not have an appropriate detection and response plan.
Main risks of supply chain attacks
Supply chain hacks are usually after monetary gain, devastating impact, or confidential data.
- Data breaches mean criminals steal information belonging to clients or employees, or internal corporate data. Such information can later be put up for sale or published on underground forums.
- Supply chain hacks frequently aim to distribute viruses and malware to the clients of vendors or suppliers. Infections could include adware, ransomware, Trojans, keyloggers, spyware, and more.
- Financial gain means using social engineering tactics to steal money from businesses. Confused employees could make payments believing they are legitimate.
Detect a software supply chain attack
While companies are usually the main targets, supply chain risks are relevant to all internet users. Let’s see how consumers and organizations should protect their systems from supply chain attacks.
- Users need more awareness and better security tools. Endpoint security tools like antivirus, firewalls, and VPNs can help mitigate threats.
- Detection and response plans are essential for companies. Companies need integrity controls to verify that partners and their software are what they claim to be, and techniques like multi-factor authentication.
Supply chain attacks continue to be difficult to detect
Supply chain dangers represent an emerging threat that companies and users do not have direct control of. Thus, behavior-based attack detection becomes critical in this case. Machine learning might also play an important role in detecting supply chain attacks.
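Behavior-based detection, as the paragraph above puts it, means judging a trusted component by what it does rather than by who signed it. The Go program below is an added example, not from the article: it runs two behavioural rules over a constructed endpoint telemetry excerpt (JSON lines) for a hypothetical vendor updater, flagging the updater when it starts a scripting host or connects to a server other than the vendor's update host. The process names, hostnames and the 203.0.113.7 address (an RFC 5737 documentation address) are constructed for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Event is one line of a constructed endpoint telemetry feed: what a process
// did, not whether its binary carried a valid signature.
type Event struct {
	Time   string `json:"ts"`
	Host   string `json:"host"`
	Proc   string `json:"proc"`   // acting process image
	Action string `json:"action"` // "exec" (spawned a child) or "connect" (outbound connection)
	Target string `json:"target"` // child image for exec, remote host for connect
}

type Alert struct {
	Rule, Host, Detail string
}

// Assumed baseline for the hypothetical updater: the only hosts it should
// talk to are the vendor's update servers, and it has no business starting
// a scripting host. Both sets are placeholders, not any real product's values.
var (
	updaters     = map[string]bool{"vendor-updater.exe": true}
	updateHosts  = map[string]bool{"updates.vendor.example": true}
	interpreters = map[string]bool{"cmd.exe": true, "powershell.exe": true, "wscript.exe": true, "mshta.exe": true}
)

// Analyze applies the two behavioural rules to every event produced by a
// known updater. A legitimately installed, correctly signed updater still
// trips them the moment it behaves like a dropper.
func Analyze(lines []string) ([]Alert, error) {
	var alerts []Alert
	for _, ln := range lines {
		ln = strings.TrimSpace(ln)
		if ln == "" {
			continue
		}
		var e Event
		if err := json.Unmarshal([]byte(ln), &e); err != nil {
			return nil, fmt.Errorf("unparseable event %q: %w", ln, err)
		}
		if !updaters[strings.ToLower(e.Proc)] {
			continue // other processes are out of scope for these two rules
		}
		switch e.Action {
		case "exec":
			if interpreters[strings.ToLower(e.Target)] {
				alerts = append(alerts, Alert{"updater-spawned-interpreter", e.Host, e.Proc + " started " + e.Target})
			}
		case "connect":
			if !updateHosts[strings.ToLower(e.Target)] {
				alerts = append(alerts, Alert{"updater-unexpected-destination", e.Host, e.Proc + " connected to " + e.Target})
			}
		}
	}
	return alerts, nil
}

// SampleFeed is a constructed telemetry excerpt, not a real capture.
var SampleFeed = []string{
	`{"ts":"2024-01-01T10:00:01Z","host":"ws-17","proc":"vendor-updater.exe","action":"connect","target":"updates.vendor.example"}`,
	`{"ts":"2024-01-01T10:00:02Z","host":"ws-17","proc":"vendor-updater.exe","action":"exec","target":"vendor-helper.exe"}`,
	`{"ts":"2024-01-01T10:00:03Z","host":"ws-17","proc":"vendor-updater.exe","action":"exec","target":"powershell.exe"}`,
	`{"ts":"2024-01-01T10:00:04Z","host":"ws-17","proc":"vendor-updater.exe","action":"connect","target":"203.0.113.7"}`,
	`{"ts":"2024-01-01T10:00:05Z","host":"ws-17","proc":"explorer.exe","action":"exec","target":"cmd.exe"}`,
}

func main() {
	alerts, err := Analyze(SampleFeed)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("[%s] %s: %s\n", a.Rule, a.Host, a.Detail)
	}
}
```

The first two events are the updater's normal routine and produce nothing; the third and fourth are the kind of deviation a tampered update shows and produce one alert each. The baseline (which hosts and child processes are expected) is the part a defender has to learn per product, typically from a period of known-good telemetry, and it is also where a machine-learning model could take over from the hand-written allowlists used here.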
Furthermore, businesses rely on numerous providers these days, making it difficult to keep track of them all. And when vendors release software, they might be unaware that hackers have infected it with malicious code. For instance, it is crucial to maintain WordPress security and pay attention to patches and reported concerns.
As a result, software vendors need to invest in penetration testing and in testing their detection and response. Clients themselves could invest in in-house solutions, minimizing external risks.
Zero-trust principles can also be critical in taming supply chain attacks. These techniques provide as little information and access privileges as possible. Thus, hackers might not be able to gain access to more sensitive assets.
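What "as little information and access privileges as possible" looks like for a third-party integration is a credential that carries only the grants the vendor needs and expires on its own. The Go program below is an added example, not from the article: a default-deny authorizer evaluates constructed requests from a hypothetical ticketing vendor whose token may only read tickets, so a stolen copy cannot reach customer payment data, write anything, or be used after expiry. All names, resources and times are constructed.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Grant is one narrowly scoped permission: an action on resources under a prefix.
type Grant struct {
	Action         string // e.g. "read", "write"
	ResourcePrefix string // e.g. "tickets/" (resource ids are assumed canonical, no ".." segments)
}

// Token is what a third-party integration holds. It carries only the grants it
// needs and expires, so a stolen copy is bounded in both scope and time.
type Token struct {
	Subject string
	Grants  []Grant
	Expires time.Time
}

// Authorize is default-deny: a request passes only if the token is unexpired
// and some grant matches both the action and the resource prefix.
func Authorize(tok Token, action, resource string, now time.Time) (bool, string) {
	if !now.Before(tok.Expires) {
		return false, "token expired"
	}
	for _, g := range tok.Grants {
		if g.Action == action && strings.HasPrefix(resource, g.ResourcePrefix) {
			return true, fmt.Sprintf("matched grant %s %s*", g.Action, g.ResourcePrefix)
		}
	}
	return false, "no grant covers " + action + " " + resource
}

type Request struct {
	Action, Resource string
	At               time.Time
}

// Exercise evaluates a constructed set of requests against a token issued to a
// hypothetical ticketing vendor whose integration only needs to read tickets.
func Exercise() map[string]bool {
	issued := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	tok := Token{
		Subject: "vendor-ticketing-integration",
		Grants:  []Grant{{Action: "read", ResourcePrefix: "tickets/"}},
		Expires: issued.Add(1 * time.Hour),
	}
	reqs := map[string]Request{
		"read_ticket":       {"read", "tickets/4711", issued.Add(10 * time.Minute)},
		"write_ticket":      {"write", "tickets/4711", issued.Add(10 * time.Minute)},
		"read_customer":     {"read", "customers/4711/payment", issued.Add(10 * time.Minute)},
		"read_after_expiry": {"read", "tickets/4711", issued.Add(2 * time.Hour)},
	}
	out := make(map[string]bool, len(reqs))
	for name, r := range reqs {
		ok, _ := Authorize(tok, r.Action, r.Resource, r.At)
		out[name] = ok
	}
	return out
}

func main() {
	for name, ok := range Exercise() {
		fmt.Printf("%-18s allowed=%v\n", name, ok)
	}
}
```

Only the first request is allowed. The denials are the point: if the vendor side of this integration is compromised, the attacker inherits a credential that reads tickets for at most an hour, not the customer data a broad, long-lived API key would have exposed. Logging the reason string returned for each denial also gives the detection side a signal, since a partner token suddenly probing resources outside its grants is itself suspicious.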