Contents:
A supply chain attack, also sometimes called value chain, third-party attack, or backdoor breach is when threat actors hack an organization’s supplier or third-party vendor that has access to a company’s data to eventually infiltrate the targeted organization’s network. This usually happens by inserting malicious code into a vendor’s legitimate software.
How Does a Supply Chain Attack Work?
A supply chain attack works this way: hackers look for network protocols that are not secure. They also look for vulnerable server infrastructures and also for unsafe coding practices. Once they infiltrate, perform changes on the source code followed by injecting malware in software builds and update processes of suppliers or vendors.
Then, the vendors who will release and sign that software will not be aware of the fact that this might encompass malicious code, so the software goes live signed and certified. This way, customers who buy this compromised software are infected with malware once the software runs on their endpoints, as the malicious code will be launched owning the same permissions as the software it runs along with.
Managed Service Providers (MSPs) are often preferred by hackers when developing a supply chain attack due to their extended access to their customer’s networks. So, if hackers hack the MSP, they will eventually get access to the customers’ network.
However, supply chain attacks are not only related to compromising software, hardware supply chain attacks might also happen: when a manufacturer installs a compromised microchip into a circuit that serves for creating network components and servers’ purposes. This infiltrated chip lets threat actors eavesdrop on critical information or even achieve remote access to the business network.
Supply Chain Attack Examples
SolarWinds Supply Chain Attack
A famous supply chain attack example is that of SolarWinds back in 2020. Threat actors hacked the software company, managing to infiltrate malicious code in Orion’s updates, its IT management tool. Thus, hackers achieved access to over 18 000 networks, because corporate and government production servers were left exposed. Hence, the customers who deployed those updates packed with malicious code faced data breaches.
What made the SolarWinds attack stand out was the fact that the remote control was not initiated by threat actors straight away. Instead, they left the malware pending for 2 weeks before the communication to a C2 server was established.
Kaseya VSA Supply Chain Attack
Kaseya, the famous software company, was targeted by Revil ransomware operators. Over 1000 customers were compromised with ransomware. In exchange for the decryption key, a ransom of $70 million was demanded. However, according to a statement the company published in July 2021, Kaseya did not pay the ransom.
Hackers used the same technique as in the SolarWinds’ case, as they hacked the Managed Service Provider (MSP) Kaseya VSA to further compromise its customers.
Supply Chain Attacks Techniques
CISA described in their paper called “Defending Against Software Supply Chain Attacks” three common techniques threat actors use to perform supply chain attacks. These are:
The Hijack of Updates
Software receives updates on a regular basis to address emergent vulnerabilities, these updates being distributed from centralized servers to customers by software vendors. What threat actors do at this point is to infiltrate the vendor’s network and hijack such an update. They either compromise the update with malware or alter it to achieve control over the software’s functionality.
Codesigning Is Undermined
Another popular supply chain attack technique is undermining codesigning. Codesigning is useful for two reasons: it says the code’s author is who they say they are and also validates the code’s integrity. Self-signed certificates, broken signing systems, and incorrect account access rules are all ways for attackers to disrupt codesigning. Thus, cybercriminals manage to hijack an update because they pose as a trusted vendor so eventually malicious code is inserted into that update.
The Compromise of Open-Source Code
This usually takes place when hackers insert malicious code into code libraries that are available online. And this could become a problem for developers who search for free code blocks that help them build their own third-party code.
How to Prevent Supply Chain Attacks
Assess Your Vendors
To help you get started, below I’ve listed a few suggestions on how to assess your vendors before closing a partnership:
- ask them to do a security self-assessment (what security tools they are using, what privileged access management policy they have in place, if they keep up with their patches and updates, what code verification methods they use, etc.).
- perform audits on your provider and run your own penetration tests on them. You can perform audits through formal certifications like HIPAA Business Partner Agreement or a PCI audit. You must ensure that your vendors’ own security procedures are both validated and certified.
- if needed, you may even advise your vendor to acquire cyber insurance.
- assess your vendors periodically: you must ensure on a regular basis that your vendors are still safe because they can be safe at the beginning and then on the road become compromised.
In short, make sure your vendors are transparent and let you understand exactly how they secure their organization and that they are always open to suggestions and improvements.
Enforce the Principle of Least Privilege to Limit Privileged Access
Privileged access to critical data within a company should be restricted through an automated privileged access management tool and controlled closely by applying the principle of least privilege (POLP). POLP ensures that everyone has access only to the resources they need to perform their tasks and nothing more, working thus on reducing excessive access. Vendor access can also be restricted this way.
Restricting access to high-privileged accounts helps also prevent lateral movement across the network, which is a popular method in supply chain attacks.
You can use Heimdal Privileged Access Management to benefit from just-in-time access for privileged sessions (limited access time per session), zero-trust security (everything is checked without exception before granting permissions), and enforce the principle of least privilege. It will be easier for your organization to automate the privileged access management process and ensure efficient escalation and de-escalation of privileged access.
Use a Good Email Security Tool
Email fraud can be the primary vector in most supply chain attacks. Let’s take Business Email Compromise: threat actors send emails to key employees in the name of the CEO to ask them to pay an invoice or transfer money. This comes with a sense of urgency too.
Heimdal Email Fraud Prevention together with Heimdal Email Security will help your business stay safe from supply chain attacks.
Have Your Patch Management Strategy Always On
Make sure you let the newest patches be deployed in your system as soon as they are released. This can be achieved through an automated Patch & Asset Management tool that keeps your software updated.
Use Endpoint Detection and Response
With Endpoint Detection and Response, you have thorough visibility into your endpoints as well as threat prevention for that device.
Focusing on endpoint protection also helps with safeguarding developer workstations and environments that are often targeted in supply chain attacks because these have permissions to the CI/CD pipeline. EDR software provides for identifying suspicious behavior so that security teams can immediately respond to threats.
Use eXtended Detection and Response/ SOC Service
SOC teams help proactively address threats in your network. Heimdal eXtended Detection and Response service lets environment monitoring become efficient because you receive alerts on infection in real-time and the response to attacks is fast and efficient.
The major difference between EDR and XDR is that while the first is limited only to endpoints, the second covers a broader area: endpoints, cloud computing, emails, etc.
Employees’ Cybersecurity Education Is a Must
I can’t stress enough the importance of cyber security training. All employees, no matter if they’re working for you or for your vendor, should be able to identify the signs of cyber-attacks and threats. So, cyber security awareness training is crucial and it certainly makes up a strong layer of defense for both your organization and your vendor. Every aspect related to security should be covered, such as common password mistakes, how to identify phishing attacks and spear-phishing attempts, what is business email compromise (BEC) and vendor email compromise (VEC), how to identify types of malware, and what processes to follow if they are ever faced with any of these threats or notice anything suspicious going on inside the organization.
Implement Powerful Code Integrity Policies
Through code dependency policies, rules on whether an app has or not permission to run are established. What happens when an app code triggers a red flag is that the system also blocks it. Putting in place code integrity policies can of course work on supply chain attack prevention.
Wrapping Up
Organizations of all sizes, as well as their vendors and partners, can easily become victims of supply chain cybersecurity attacks if they don’t apply at least some basic protection measures. It’s crucial that all companies understand the risks that can live inside their supply chain and foster a culture of organization-vendor cross-collaboration to be able to prevent and minimize the risks.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.
This article was initially written by Bianca Soare in 2020 and rewritten by Andra Andrioaie in 2022.