What is Supply Chain Attack in Cybersecurity?

  • February 8, 2023
  • By Cyberarch Admin

Understanding Software Supply Chain

A vast majority of software today are not made in-house. Instead, multiple components such as open-source libraries, developer tools and cloud-based deployment have become integral to software development. Each of these components is a product in a long supply chain, consisting of hardware, source code, software testing, distribution etc. 

The extensive use of open-source libraries have helped in the accelerated delivery of software product that meets customer expectation. However, there is a caveat. Software developers do not have control over the source code anymore, which leaves software, vendors and end-users vulnerable. 

As the supply chain becomes more complex, cybercriminals have found a loophole in the process and are exploiting the same, giving rise to supply chain attacks. 

What is a Software Supply Chain Attack?

A software supply chain attack affects the software vendor as well as one or more end-user. It happens when a cybercriminal infiltrates a software vendor’s network and installs malicious code into it, thus compromising the software. Thereafter, the vendor sends it to the customer.           

Software supply chain attack involves both proprietary software and open-source software. Cyber threat actors exploit existing open-source vulnerabilities such as Log4Shell. They even add malicious files to vendor software update sites online and open source repositories or direct insertion into software, ultimately compromising systems. 

A significant rise in software supply chain cyber-attacks is due to the quick rolling out of software. As businesses concentrate on fast-release cycles to gain competitive advantage, security vulnerabilities remain unaddressed in the applications.

In addition, cybercriminals use this method as it is easy to bypass defence mechanisms and affect an extensive number of systems in one go. Buyers are also encouraged to shop software from trusted sources alone and regularly update the software from authorized sites. Therefore, software supply chain attacks are more dangerous and of major concern as it directly impacts end-users. 

Software Supply Chain Attacks: Brief History

Cybersecurity experts, for a long time, had predicted and anticipated software supply chain attacks. In the year 2014, the first, of its kind supply chain cyber attack was reported, where the Russian threat actors infiltrated web servers used by industrial control and SCADA system vendors. A Remote Access Trojan (RAS) was installed in the SCADA vendor’s products and their updates. 

After the initial success, supply chain attacks continued. In 2017, several incidents came to the limelight including the famous NotPetya attack (Russians compromised a Ukrainian tax product). According to a NIST report, Android, iOS, Python, and JavaScript libraries were targeted too. 

Major Software Supply Chain Attacks in the Last Three Years

  • 2020

November 2020: WIZVERA VeraPort, an integrated installation tool, was breached by Lazarus Cybercrime and malware was installed. 

December 2020: Vietnam Government Certification Authority (VGCA) was attacked by hackers. A backdoor was implanted in the client application.

December 2020: SolarWinds, a well-established name in the enterprise software industry in the US, was attacked by a national APT gang. It was a massive attack and impacted a large number of customers. 

  • 2021

February 2021: A security researcher breached the intranets of top corporations like Microsoft, Apple, and Tesla etc. Vulnerability in the open-source ecological security mechanism was exploited. 

July 2021: Kaseya, the VSA service provider, was implanted with malicious code, leading to many enterprises being infected. REvil, the cybercriminal group conducted massive ransomware attacks on MSPs using Kaseya. 

  • 2022

January 2022: Developer of Npm packages deleted Github codes and updated the package with sham functions. As a result, many applications were affected. This is one of the examples of Protestware. 

May 2022: A penetration testing company in Germany used a series of malicious Npm software packages to affect logistics, media and other companies. 

 Software Supply Chain Attacks: Latest Trends

According to experts, software supply chain attacks will increase in 2023. At the same time, security teams also have changed their strategy for approaching cyber defence. 

As per the recent report from ReversingLabs, supply chain cyber attacks have increased due to the following reasons:

  • Dependence on Cloud-based Infrastructure
  • Fast DevOps practices which rely on third-party open-source modules
  • Excessive reliance on auto-update mechanisms for quick software release cycles

The report also highlights the following latest trends in the last one year:

  • An approximately 280% increase in attacks on Npm and PyPI was observed in the last four year
  • Over 7000 malicious packages were found in Npm between January and October 2022. 
  • Typo squatting Scams have increased. It involves the publishing of malicious packages that are similar to popular libraries.
  • Protestware are those who maintain legitimate applications but use the software for personal or political motives. It emerged in 2022 and is set to grow in 2023. 
  • Cybercriminals are attracted to supply chains as they have realized that organizations leave sensitive data in repositories unintentionally. Open source vulnerabilities such as Log4Shell, Text4Shell etc. open up more opportunities for threat actors. 

If the reports of the last three years are taken into consideration, there is a good chance that supply chain attacks will increase this year. In another report from Sonatype -Annual State of the Software Supply Chain, there has been an exponential rise of 633% in known attacks against open source repositories. Moreover, an annual increase of 742% has been observed in the last four years. 

The open-source software ecosystem such as Java, JavaScript, and Python will reach more than 3 trillion downloads in the next few years. But at the same time, it will have security ramifications. 

A shift in security thinking, scrutiny of code and investment will help in combating it. What else can be done? Find out in the next section.

Security in Software Development Cycle

Software supply chains usually focus only on productivity. However, it is high time that security is integrated into the software development cycle. It will balance out productivity and resilience in a software product. DevSecOps is a result of this approach. 

DevSecOps is more of a philosophy which brings together operations and development, focused on continuity. The main objective is to integrate, test, validate and code delivery continuously. This is the opposite of the “deliver software as fast as possible and adapt” philosophy. 

Modern tools and automation are also vital. Security is a part of all stages of software development with the DevSecOps strategy. Thus, it can boost security before the launch of any new version of the software. 

Businesses should look to hire third-party security professionals or build a security team of their own. It is of paramount importance as the attack surface for cybercriminals expands all over the globe. Experienced security experts can help in making resilient software products and make the software supply chain more robust. 

 

 

 

Recent Articles

Got hacked? Speak to our security consultant.

Get in Touch
Scroll Top

Contact Us

Follow Us