Software supply chains drive digital innovation, yet they have also become a ripe target for cybercriminals. Modern malware seeks to infiltrate the source code of unsecured network protocols, server infrastructure, open-source libraries, and more. As a result, end users of the supply chain download software from a trusted vendor or install signed and certified updates, unaware of the infected code hidden deep inside.
According to the latest research, in 2021 this type of attack grew by 650%, with a primary focus on open-source suppliers. The most notable cases of the previous year include the Mimecast breach, dependency confusion, and the SolarWinds breach.
Detecting and remediating such attacks can be extremely challenging. Below is an explanation of the main threats posed by software supply chain attacks, along with a few high-profile examples and suggested prevention methods.
Why So Dangerous?
Software supply chain attacks are on the rise, especially after the recent discovery of a critical vulnerability in Log4j, an open-source logging library for Java applications. The main concern is that Log4j is used by many applications, often without enterprises even knowing it is there. A single patch therefore cannot remediate every instance, and finding them all can take time. The quickest option is to leverage solutions like SOC Prime’s Detection as Code platform, which provides up-to-date behavior-based detection content as well as a set of tools to proactively identify possible intrusions into the corporate infrastructure, tune up the defense, and make threat detection faster and more efficient.
Besides supply chain attacks that abuse public code libraries, malicious code can also be injected covertly before or during the installation of a patch or hotfix. Such malware can affect every customer of the supply chain, from individuals to enterprises and governments.
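Because Log4j ships as a library inside other products, the hard part of remediation is inventory: a scan has to look inside fat jars and nested archives, not only at top-level file names. The following Python script is an added example written for this article (not SOC Prime’s tooling and not the Log4j project’s code). It reads the version from the pom.properties entry that log4j-core carries in its own jar, recurses into nested jars, and runs against three jars constructed in memory; the file names, versions and layout are assumptions.

```python
"""Find every copy of log4j-core on disk, including copies nested inside
fat/uber jars, and report the version from the jar's own pom.properties.

Added example for this article, not SOC Prime's code. The sample jars are
constructed in memory; file names, versions and layout are assumptions."""
import io
import zipfile
from pathlib import Path

# log4j-core ships its Maven coordinates at this path inside the jar
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def _read_log4j_version(zf):
    """Return the version string from pom.properties, or None if this jar is not log4j-core."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return "unknown"


def scan_jar_bytes(data, path, depth=0, max_depth=5):
    """Inspect a jar given as bytes and, recursively, every jar nested inside it.
    Returns a list of (location, version) tuples, one per log4j-core found."""
    found = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found  # not a zip/jar at all, nothing to inspect
    with zf:
        version = _read_log4j_version(zf)
        if version is not None:
            found.append((path, version))
        if depth >= max_depth:
            return found
        for name in zf.namelist():
            # fat jars (Spring Boot, shaded builds) carry dependencies as nested jars
            if name.lower().endswith((".jar", ".war", ".ear", ".zip")):
                found.extend(scan_jar_bytes(zf.read(name), f"{path}!/{name}", depth + 1, max_depth))
    return found


def scan_tree(root):
    """Walk a directory tree on disk and scan every archive found."""
    found = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in {".jar", ".war", ".ear", ".zip"}:
            found.extend(scan_jar_bytes(p.read_bytes(), str(p)))
    return found


def _make_jar(entries):
    """Build a small jar in memory from {entry_name: bytes} (constructed fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo():
    """Three constructed jars: a patched log4j-core, an application jar that
    still nests an older log4j-core, and an unrelated library. Returns the findings."""
    log4j_old = _make_jar({POM_PROPS: b"version=2.14.1\nartifactId=log4j-core\n"})
    log4j_new = _make_jar({POM_PROPS: b"version=2.17.1\nartifactId=log4j-core\n"})
    other = _make_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
    fat_app = _make_jar({
        "BOOT-INF/lib/log4j-core-2.14.1.jar": log4j_old,  # the copy a top-level patch misses
        "BOOT-INF/lib/commons-lang3.jar": other,
    })
    fixtures = {
        "lib/log4j-core-2.17.1.jar": log4j_new,
        "apps/inventory.jar": fat_app,
        "lib/commons-lang3.jar": other,
    }
    found = []
    for path, data in fixtures.items():
        found.extend(scan_jar_bytes(data, path))
    return found


if __name__ == "__main__":
    for location, version in demo():
        print(f"{version:10} {location}")
```

The nested copy is the one that matters: the top-level lib directory already has a patched 2.17.1, but the application jar still bundles 2.14.1, which is exactly the instance a file-name-only inventory would not see.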
Recent Software Supply Chain Attacks
Let’s take a brief look at the most recent and devastating software supply chain attacks to see the common attack vectors used by hackers.
Dependency confusion, 2021
This novel attack technique was investigated by security researcher Alex Birsan. As a result, tech giants like Apple, Microsoft, Tesla, and Uber were compromised through holes in their cyber defenses.
Birsan examined the dependency installation procedure used by package managers in programming languages like Python. Because these installers typically pull from public open-source repositories, whatever a package contains gets installed, including malicious injections.
Although Birsan didn’t include any harmful code in his packages, the same attack vector can still be used against software supply chains, highlighting the issue of authenticating open-source packages.
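Birsan’s technique worked because package installers consult a public index alongside the private one and take the highest version available. As an added example for this article (not Birsan’s or SOC Prime’s code), the Python linter below checks a pip.conf and a requirements file for the two conditions defenders can control: an extra-index-url that lets the public index compete with the private one, and internal packages that are not pinned to an exact version with a hash. The internal package names, the config text and the requirements lines are constructed fixtures.

```python
"""Lint pip settings and a requirements file for the conditions that make
dependency confusion possible. Added example for this article (not Birsan's
or SOC Prime's code); INTERNAL_PACKAGES and all fixtures are constructed."""
import configparser
import re

# Names that exist only on the company's private index (assumed list).
INTERNAL_PACKAGES = {"acme-auth", "acme-billing"}

# groups: package name, optional exact pin (==version), rest of the line
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==\s*\S+)?(.*)$")


def lint_pip_conf(text):
    """Flag index settings under which a public package can outrank a private one."""
    findings = []
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    if cfg.has_option("global", "extra-index-url"):
        findings.append(
            "extra-index-url: pip merges this index with index-url and installs the "
            "highest version found on either, so a public package with a bigger version "
            "number beats the private one; serve public and private packages through a "
            "single private index-url instead")
    if not cfg.has_option("global", "index-url"):
        findings.append("no index-url: installs go to the public index by default")
    return findings


def lint_requirements(text, internal=INTERNAL_PACKAGES):
    """Flag internal packages that are not pinned to one version with a hash."""
    findings = []
    text = text.replace("\\\n", " ")  # join backslash continuation lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("-"):  # pip options such as -r or --extra-index-url
            if line.startswith("--extra-index-url"):
                findings.append("--extra-index-url in requirements: same risk as in pip.conf")
            continue
        m = REQ_LINE.match(line)
        if not m:
            continue
        name = m.group(1).lower().replace("_", "-")  # normalise the name like pip does
        if name not in internal:
            continue
        if m.group(2) is None:
            findings.append(f"{name}: internal package not pinned with ==, a higher public version would win")
        if "--hash=" not in m.group(3):
            findings.append(f"{name}: no --hash, a substituted artifact would install unnoticed")
    return findings


# Constructed fixtures: a weak configuration, a corrected one, and a requirements file.
PIP_CONF_WEAK = """[global]
index-url = https://pypi.org/simple
extra-index-url = https://pypi.internal.example/simple
"""

PIP_CONF_FIXED = """[global]
index-url = https://pypi.internal.example/simple
"""

REQUIREMENTS = """requests==2.31.0 --hash=sha256:0000  # public package, constructed hash
acme-auth>=1.0
acme-billing==3.2.0 \\
    --hash=sha256:1111
"""


def demo():
    """Run both linters over the fixtures and return the findings per file."""
    return {
        "pip.conf (weak)": lint_pip_conf(PIP_CONF_WEAK),
        "pip.conf (fixed)": lint_pip_conf(PIP_CONF_FIXED),
        "requirements.txt": lint_requirements(REQUIREMENTS),
    }


if __name__ == "__main__":
    for source, findings in demo().items():
        print(source)
        for f in findings or ["ok"]:
            print("  -", f)
```

The corrected pip.conf routes every install through one private index that proxies public packages itself, so there is no second index for a look-alike name to win on; the hash pin on acme-billing then ensures that even a package served from the right index is the artifact the build expects.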
Despite the vendors’ expertise in the field, cybersecurity software is also susceptible to attacks. The recent Mimecast attack illustrates that even signed certificates from a trusted vendor may not always guarantee full protection.
The attackers who targeted Mimecast injected malicious code into a certificate used by the company to authenticate its services to Microsoft 365 Exchange Web Services. Numerous Mimecast clients may be running applications that rely on the compromised certificate, which makes this breach especially dangerous and hard to detect.
The notorious backdoor called Sunburst was injected into the Orion application’s update tool, used by 33,000 SolarWinds customers according to SEC filings. What makes this so serious is that among these thousands of customers were top vendors like Microsoft, Cisco, Intel, and FireEye, as well as US government agencies. Hackers used this backdoor to install even more malware, including spyware that ran undetected for months.
Media outlets report that the US Government suspects Russia of executing this espionage campaign and is ready to impose sanctions.
Actions to Prevent Software Supply Chain Attacks
Since critical vulnerabilities can be introduced at the earliest stages of creating software, it is necessary to eliminate potential weak points as early as possible. Security best practices should therefore start with the source code, and especially with package creation, then continue into the build system and repositories.
Next, developers need to secure privileged access management to prevent attackers from moving laterally within the network and compromising privileged accounts. It is also advisable to encrypt all internal data with the Advanced Encryption Standard (AES) algorithm. By doing this, the security team makes it much harder for attackers to install backdoors and establish a foothold.
It’s also important to thoroughly analyze the vast amounts of telemetry in order to tune protections against emerging threats. However, in-house SOC teams often lack the time, analytical capacity, and intelligence data to implement the newest detection algorithms. A viable solution is a collaborative cyber defense approach that leverages the highest-quality detection content in generic rule formats like Sigma and YARA. The online Sigma translation engine Uncoder.IO then makes detection quicker and more efficient by instantly converting Sigma rules into a variety of SIEM, EDR, and NTDR formats.
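Sigma rules describe a detection in a vendor-neutral form that Uncoder.IO then turns into a SIEM query. To show what such a rule actually evaluates, here is a small Sigma-style matcher, added for this article and not SOC Prime’s or the Sigma project’s code. It supports a subset of the format (the field modifiers contains, startswith and endswith plus exact match, list values as OR, and a condition built from and, or, not and parentheses) and runs one constructed rule over constructed process-creation events. The rule looks for a shell launched by an update service; the parent process name UpdateService.exe and the self-test exclusion are assumptions.

```python
"""Evaluate a Sigma-style rule against sample process-creation events,
the way a SIEM does after Uncoder.IO has translated the rule for it.
Added example (not SOC Prime's or the Sigma project's code); supports
only a subset of Sigma, and the rule and events are constructed."""

# Constructed rule: a shell launched by an (assumed) software update service,
# excluding the service's documented self-test invocation.
RULE = {
    "title": "Shell spawned by update service (constructed example)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "ParentImage|endswith": "\\UpdateService.exe",
            "Image|endswith": ["\\cmd.exe", "\\powershell.exe"],
        },
        "filter": {"CommandLine|contains": "--self-test"},
        "condition": "selection and not filter",
    },
    "level": "high",
}

# Constructed events, already normalised to Sigma's process_creation field names.
EVENTS = [
    {"ParentImage": "C:\\Program Files\\Vendor\\UpdateService.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": "C:\\Program Files\\Vendor\\UpdateService.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c updater --self-test"},
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -File build.ps1"},
    {"ParentImage": "C:\\Program Files\\Vendor\\UpdateService.exe",
     "Image": "C:\\Program Files\\Vendor\\Updater.exe",
     "CommandLine": "Updater.exe --apply"},
]


def _match_value(actual, expected, modifier):
    """Compare one field value using a Sigma modifier; Sigma string matching is case-insensitive."""
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    return a == e  # no modifier: exact match


def _match_block(block, event):
    """A selection block is an AND over its keys; a list value is an OR over the list."""
    for key, expected in block.items():
        field, _, modifier = key.partition("|")
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event.get(field), v, modifier) for v in candidates):
            return False
    return True


def eval_condition(condition, results):
    """Recursive-descent evaluator for 'and', 'or', 'not' and parentheses over block names."""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def expr():  # expr := term ('or' term)*
        value = term()
        while peek() == "or":
            take()
            rhs = term()
            value = value or rhs
        return value

    def term():  # term := factor ('and' factor)*
        value = factor()
        while peek() == "and":
            take()
            rhs = factor()
            value = value and rhs
        return value

    def factor():  # factor := 'not' factor | '(' expr ')' | NAME
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            value = expr()
            take()  # consume the closing parenthesis
            return value
        return results[tok]

    return expr()


def match_rule(rule, event):
    """Evaluate every named block of the rule against the event, then the condition."""
    detection = rule["detection"]
    results = {name: _match_block(block, event)
               for name, block in detection.items() if name != "condition"}
    return eval_condition(detection["condition"], results)


def matching_events(rule, events):
    """Return the indices of the events that trigger the rule."""
    return [i for i, ev in enumerate(events) if match_rule(rule, ev)]


if __name__ == "__main__":
    for i in matching_events(RULE, EVENTS):
        print(f"[{RULE['level']}] {RULE['title']}: {EVENTS[i]['CommandLine']}")
```

Only the first event fires: the second is the same parent-child pair but carries the excluded self-test flag, the third has a different parent, and the fourth child is not a shell. Keeping the exclusion in a separate filter block rather than in the selection is what makes the rule readable when a SIEM vendor's query language is generated from it.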
Finally, staff should be trained to minimize the probability of successful social engineering attacks. A well-defined procedure for identifying and reporting breach attempts will help the SOC team gain greater visibility into the current security posture.
Software supply chain attacks have become more advanced and stealthy over recent years. Malicious code can quickly spread across the entire network of the supply chain, affecting the customers of the software vendor and damaging the supplier’s reputation. To prevent such attacks, software companies need to establish up-to-date cybersecurity procedures at multiple levels, from initial product development to technical maintenance and update processes.