Supply Chain Attack

Nowadays, cyber attacks and security breaches are very sophisticated and take different forms. Among others, supply chain attacks are becoming increasingly popular since attackers can access systems of multiple organisations through trusted third-party vendors. Even organisations with the most robust data security systems may still be susceptible to cyber attacks or security breaches due to the vulnerabilities of commercial or open source software/system components with malicious codes being injected by attackers.

Supply chain attacks are on the rise and has recorded a rally of 430% increase in 2020. In December 2020, a sophisticated supply chain attack targeted a widely used network management product with multiple vulnerabilities identified. The attacker staged an unprecedented backdoor malware through a legitimate software update that caused over 30 000 organisations including government agencies vulnerable for a couple of months. Supply chain attacks targeting open source software should not be ignored since 90% of applications contain open source codes and 11% of those have known vulnerabilities.

Key Threats Affecting Supply Chains

Increasingly interconnected global supply chains make cyber attacks very difficult to mitigate. Cyber attacks can occur at any stage of the supply chain which may lead to:

data breaches (including intellectual property);

interruption to business operations;

service interruption to customers;

delivery or implantation of malwares (such as Trojan Horse, setting backdoor or covert channel); and

corruption of trusted software codes, etc.

Attackers can exploit supply chain vulnerabilities through contaminating the software concerned to steal an organisation’s intellectual property information, corrupt trusted software codes, eavesdrop on systems with sensitive data, and carry out further malicious activities. In fact, such attacks often involve the delivery of malware that allow for data harvesting, exfiltration or privilege escalation on targeted systems. Attackers are also able to maintain their presence on targeted networks to perform the aforementioned malicious activities.

Securing the supply chain involves a holistic approach to security, knowing that simply technical solutions can hardly address the breadth of potential threats and vulnerabilities. Organisations should not only examine the vulnerabilities of the software components involved but also consider potential attacks against a physical equipment asset that may be damaged, disabled or used by others for malicious intents.

Supply Chain Risks

Supply chain risks may affect the confidentiality, integrity, or availability of systems including unauthorised access to enterprise data, implantation of malicious codes into software and firmware, etc. Attackers could exploit interconnected supply chain systems’ vulnerabilities to trigger remote code execution and sensitive information disclosure as well as re-programming of a device to facilitate other cyber attacks.

Sources of risks include but not limited to:

Sensitive data misused by third-party suppliers;

Insecure cloud application programming interface (API) affecting downstream users;

Compromised software or hardware purchased from suppliers;

Lack of awareness of security vulnerabilities in suppliers’ systems;

Lack of security control over the upstream supply chain; and

Poor cyber security practices of suppliers, etc.

Common forms of Supply Chain Attacks

Supply chains consist of many parties, while most organisations lack the visibility of their data across these relationships, including which parties can access sensitive or proprietary information. Targeted attacks intentionally leverage the digital supply chain to access sensitive data.

In general, there are three kinds of supply chain attacks: hardware, software and firmware. A hardware supply chain attack requires the physical altering of the microcode of a device, or the addition of another component onto the board that can enable control access or data exfiltration.

A software supply chain attack in particular can target application products at any stage of the development life cycle to achieve unauthorised access and enable sabotage. Attackers can use deception techniques such as disguising malware as legitimate software to access and modify the source code of genuine application programs (e.g. inserting an attack code into the code library by maliciously altered compilers or through the backdoor implanted in the system during development or maintenance). Attackers may also seek to exploit tools and third-party shared software libraries in addition to compromising the infrastructure of developers and distributors.

Illustration of common forms of supply chain attacks

Implanting Malware or Backdoor into Firmware - Contaminated firmware is difficult to detect because pre-loaded firmware embedded in devices is at a lower level than the operating system. It cannot be detected or removed by anti-malware software. Intuitively, these devices can be targeted by attackers in order to gain access to the underpinning system or the data collected, processed or disseminated. In other words, these devices can be both the target of cyber attack and the tool used to perform a cyber attack (e.g. TrickBot malware embedded in BIOS firmware to control and modify device operating system).

Substituting Malicious Software – Third-party programming framework allows software developers to focus on building a unique feature for their projects rather than re-inventing by software coding. If these framework components are compromised, the malicious code will be embedded in applications developed with these components. The less mindful developers may not be aware that they are using a contaminated third-party software code library (e.g. malicious NPM packages downloaded to install remote access Trojan.

Compromising Software Updates - Malicious software updates raise substantial cyber security concerns that could have serious effects on all affected products. Fixing vulnerabilities requires a trusted software update channel. If the attackers can compromise the suppliers’ software update distribution mechanism, the malicious software code will thus have a higher chance to be treated as legitimate software and trusted by targeted systems (e.g. trojanised SolarWinds Orion software (December 2020)).

Waterhole Attack - It is a method in which the attacker seeks to compromise a specific group of users of a targeted organisation either by creating new websites that would attract them or by infecting existing websites that members of that group would always visit. The attacker then manipulates the website to deliver malware that will exploit the organisation’s security weaknesses. The attackers may use deceptive methods to lure a user or an automated process to download and install malicious software code believed to be a legitimate software copy.

Defending Against Supply Chain Attack

There are several mitigation measures and best practices that can be adopted to improve an organisation’s security posture and reduce the risk of supply chain infections:

For organisations

Ensure that the up-to-date software is installed and obtained from official distribution channels only;

Implement least privileged access and re-authentication control to grant all users the minimum level of access with the ability to assign and elevate privileges as necessary;

Adopt additional security measures such as enabling multi-factor authentication and login notification, if available;

Revoke account to ensure that all parties within the supply chain such as system integrators, suppliers, and external service providers, are unable to access an organisation’s system when it is no longer necessary (e.g. the service is terminated);

Ensure that third-party providers employ adequate security measures to secure the supply chain channels and regularly conduct information security assessment and audit according to the organisation’s information security policies;

Establish, maintain and implement plans for incident response, backup operations and post-disaster recovery for organisational information systems to ensure the availability of critical information system and continuity of operations in emergency situations;

Protect APIs by restricting access to those from authorised API endpoint only, as well as detecting and blocking exploits;

Review systems logs regularly to identify any abnormal systems or network activities that may be due to possible cyber attacks; and

Report to the third-party suppliers or service providers if abnormal activities or events are detected.

For third-party vendors and providers

Ensure only trusted development tools are used for software development;

Perform penetration tests regularly and after major system changes to ensure the security of the systems and sensitive data;

Enable secure channel (e.g. Hypertext Transfer Protocol Secure, HTTPS) for transmission of relevant software updates and implement ;

Implement code signing for software packages and relevant components to ensure their authenticity and integrity;

Review and test all new and modified hardware, firmware, software and configuration changes thoroughly in testing facility before rolling them out for production use;

Publish software updates in a staged rollouts for efficient rollback to minimise impacts from supply chain attacks; and

Notify customers of supply chain incidents with accurate and timely information.

Disclaimer: Users are also recommended to observe the disclaimer of this website and read the user agreements and privacy policies of the security software and tools before downloading and using them.