What Is Software Supply Chain Security?
Software supply chain security helps organizations detect, identify, analyze, and mitigate risks associated with the digital artifacts that enter their software via third parties like open source libraries, commercial software vendors, or outsourced development. A comprehensive supply chain security strategy combines risk management and cybersecurity principles to assess supply chain risks and implement measures to block, mitigate, or remediate them.
A supply chain attack is an attempt by a threat actor to infiltrate one or many organizations’ software and cloud environments. Attackers might exploit commercial trust among software vendors and their customers, or exploit implicit trust among developer communities.
For example, an attacker can inject malware into an update delivered by a software vendor, or can contribute malicious code to an open source project. Users of these artifacts trust the software that they are consuming, incorporate it into their projects and CI/CD pipelines, and unknowingly deploy the malware.
Recent supply chain attacks, such as the SolarWinds and Kaseya attacks allowed attackers to breach a large number of high-profile organizations with one concerted initiative. They achieved this by compromising elements in trusted IT management software offered by SolarWinds and Kaseya, which were deployed by their customers, bypassing existing security measures.
In this article:
- Common Types of Software Supply Chain Attacks
- Recent Supply Chain Attack Examples
- Why Software Supply Chain Attacks Are Becoming More Common
- What Is The Impact of a Supply Chain Attack?
- 6 Ways to Mitigate Supply Chain Security Risks
Common Types of Software Supply Chain Attacks
Malicious Code in Open-source Software
Open source software is available for anyone to use and modify. While this collaborative approach can lead to the creation of high-quality software, it can also make open source projects vulnerable to malicious actors who may try to introduce vulnerabilities or malicious code into the software.
One way this can happen is through the submission of malicious commits to the project’s code repository. These commits can go unnoticed for a long time, allowing the attacker to maintain a foothold in the project’s codebase and potentially compromise the security of any software that uses the affected code.
CI/CD Pipeline Breaches
Continuous integration/continuous delivery (CI/CD) pipelines are used to automate the build, test, and deployment of software. These pipelines can include a variety of tools and processes, such as code repositories, build servers, testing frameworks, and deployment tools.
If an attacker is able to gain unauthorized access to any of these tools or processes, they may be able to introduce vulnerabilities or malicious code into the software that is being built and deployed.
CI/CD Tool Misconfigurations
Even if an attacker is unable to gain direct access to a CI/CD pipeline, they may still be able to compromise the security of the software being built and deployed if the pipeline is misconfigured.
For example, if access controls are not properly configured, an attacker may be able to gain unauthorized access to the software. Similarly, if testing and deployment processes are not properly configured, an attacker may be able to bypass important security checks and deploy compromised software.
Recent Supply Chain Attack Examples
Here are several mega-scale supply chain attacks publicized in recent years.
SolarWinds is an IT vendor with top-tier clients like the US government, Cisco, VMware, and Intel. In 2020, attackers managed to inject malware into Orion, an IT resource management system in the SolarWinds product portfolio.
Attackers infiltrated the SolarWinds build process and added the malware to a regular update of the software, signed by a SolarWinds certificate. This update was distributed to hundreds of SolarWinds customers, giving attackers complete access to the infrastructure of those clients. The attack began in March 2020 but was only detected and reported in December.
CodeCov is a software auditing tool that was breached in April 2021, allowing attackers to access the networks of many CodeCov users. The attack started earlier in the year when attackers compromised an uploader script that sends code coverage reports from clients back to CodeCov servers. The compromised script allowed attackers to gain access to credentials stored within client code and provided an easy way to exfiltrate the data.
Kaseya is a network monitoring system used by thousands of organizations. A high-profile ransomware group known as REvil injected their ransomware into a regular update of Kaseya’s Virtual System Administrator (VSA). Customers who installed this update also deployed REvil ransomware, known as Sodinokibi, and lost access to their files.
Kaseya reported up to 15,000 organizations may have been hit by the ransomware. A Swedish retailer, for example, had their IT systems paralyzed after the attack and was forced to shut down 800 stores.
Mimecast is a cybersecurity company that provides a range of services and products to help organizations protect against email-borne threats such as spam, phishing, and malware. One of its digital certificates was compromised, leading to a supply chain data breach in 2021. This certificate was used to authenticate Mimecast services on Microsoft 365 Exchange.
The breach impacted up to a tenth of Mimecast customers. It is believed that the hackers behind this breach were also responsible for the infamous SolarWinds attack in 2020.
Passwordstate is a password management tool that helps organizations securely store, manage, and share passwords and other sensitive information. The Australian company that created it, ClickStudios, discovered a supply chain attack affecting the software’s update service in 2021. This service was hosted on an external CDN.
Customers automatically downloaded the malware onto their devices when updating the Passwordstate software. This malware decrypted the data stored on customer databases and sent it in plaintext format to an external server used by the attackers.
SITA (Societe Internationale de Telecommunications Aeronautiques) is an information and communication technology company that serves the air transport industry. The company suffered a data breach in 2021 that likely exposed flight record data of over 500,000 passengers. It impacted Malaysia Airlines, Finnair Air, and Singapore Airlines. It is believed that the attack occurred via Star Alliance, which shares the data of multiple airlines, allowing the breach to compromise the whole supply chain.
Why Software Supply Chain Attacks Are Becoming More Common
There are a number of factors that make software supply chain attacks an especially attractive technique for cyber criminals.
Supply chain attacks are becoming increasingly popular because of their economies of scale. Attack campaigns usually operate like a for-profit business, attempting to achieve low operational costs and gain a high return on investment (ROI).
Software supply chain attacks can enable hacking at scale—threat actors can build a hacking operation that targets a single organization, gains an initial foothold, and then compromises hundreds or thousands of additional organizations with little additional effort.
These operations are often enabled by automation, which helps threat actors to compromise many organizations simultaneously, accelerates the speed of the attack, and makes human intervention in the attack less likely. Additionally, a supply chain can continue to yield benefits to attacks as long as the operation remains undetected.
Highly Accessible Attack Vector
Threat actors targeting the software supply chain are devising more creative methods of attack. Often, these attacks infiltrate a soft target with inadequate security measures, or exploit insecure permissions or misconfigurations in cloud environments. Attackers then surreptitiously install malware on these machines.
Once installed, attacks can instantiate and evolve with lessened chance of detection, assuming the target organization lacks adequate runtime security controls. This creates the possibility of propagating to the affected organization’s customers, vendors, or collaborators. As more stakeholders join the software supply chain, there are more points of entry. Each of these is an opportunity to stage a new phase of the attack.
Software supply chain attacks can be difficult to detect due to their complexity and the number of organizations and systems involved. Many supply chain attacks add a backdoor to legitimate software, as a method for exploiting trust when used as a security measure. Since the legitimate software is considered trustworthy, it is less scrutinized, and potentially malicious activity originating from within that software can be overlooked.
Traditional cybersecurity measures are often unsuccessful at detecting supply chain attacks. These tools were designed to find weaknesses in custom code or exploitable open source vulnerabilities. Because of the nature of the software supply chain, organizations often do not have access to source code or build artifacts necessary to perform application security testing and are, therefore, limited in their detection capabilities.
Lastly, software supply chain attacks tend to leverage advanced malware and evasion techniques to “change shape” and avoid leaving a trail of evidence. Consistent patterns of malicious activity may be non-existent. However, viewed in aggregate, seemingly unrelated artifacts embedded in the supply chain can add up to intrusion, data exfiltration, and package drops.
Cloud Native Environments
Many organizations use cloud native technologies, such as containerized applications, serverless functions, and infrastructure-as-code (IaC) templates, in single or multi-cloud environments. These architectures are attractive targets for supply chain attacks for the following reasons:
- Cloud native applications make extensive use of open source and other libraries that are often sourced from public registries and repositories. Attackers can threaten such libraries in a variety of ways, including posing as contributors to inject vulnerabilities, or by typosquatting.
- Cloud native applications tend to leverage both production and development environments hosted in public or private clouds. Configurations and security practices often differ between these environments. An application which cannot be exploited in production may be exploitable in a development environment, and malicious changes can be pushed into production later.
- Cloud native development methodologies rely on short development cycles, rapid releases, extensive integration, and automated processes. Traditional security tools cannot keep up with the pace of code shipping deadlines, and often do not deliver results fast enough for proper remediation. The result is that risky, untested artifacts are pushed to production.
- Cloud native applications are built to scale easily. This can improve the scalability of supply chain attacks, and allows malicious software to exploit permissions to access cloud resources at scale. Attackers can then perform additional actions, such as cryptomining or large scale network communication.
What Is The Impact of a Supply Chain Attack?
Supply chain attacks can have major impacts on an entire organization.
A supply chain attack can have an enormous impact on one or many organizations. Depending on the nature of the attack, each organization participating in the affected supply chain can face direct or indirect financial repercussions.
Damages can include the cost of incident response and forensic investigations, business interruptions, lost revenue, and loss of reputation.
A supply chain attack can cause organizations to violate regulations or industry standards, which may directly result in fines or inspire further audits of the organization. In the wake of an audit, remediation efforts for any detected shortcomings can generate major additional costs.
6 Ways to Mitigate Supply Chain Security Risks
To mitigate the risks associated with third parties and to prevent supply chain attacks, apply the following practices.
Assess Your Supply Chain
Eliminating trust is a key security practice against software supply chain attacks. Investigate the cybersecurity practices of software vendors and third-party contributors, in addition to maintaining security best practices for the software your developers create and consume.
Do not grant access to your network to third party suppliers until you have fully vetted their security practices. Assess their security risk posture, governance policies, and compliance processes as well as their technical security controls.
This can help you gain greater visibility into supply chain risks and allow you to implement the processes and controls necessary to detect, address, or preclude supply chain attacks.
Identify Attack Vectors
To mitigate risks, you need to understand how threat actors can infiltrate your organization. This type of information can help inform the incident response process. A better understanding of the threat environment can also help you improve developer security education, take mitigation and remediation steps, and implement security testing procedures.
Be aware of limitations to each security tool or practice at your disposal, and ensure that there is a solution or procedure in place to detect or address any potential attack vector.
Perform Regular Audits
Perform regular audits of your network and environments, noting which people or tools have access to sensitive data or cloud resources. This will help you to properly assess your connections with suppliers and determine what data and systems are being shared. This will also help future forensics investigations if an attack is detected, facilitating remediation and helping to identify the attack killchain.
You also need to regularly audit the activity of your third-party suppliers. This can help ensure that all parties are following the appropriate security controls, reducing your exposure to the security inadequacies of others.
Monitor Third Parties
Regularly monitor and review all activities between your organization and third-party suppliers. This can help you identify suspicious or anomalous activity that might indicate a supply chain attack.
Remember that anomalous or malicious activity may not always be a deliberate act by a third party with whom you work. They may be the victim of an attack, resulting in your organization becoming compromised. Log activities on network devices and endpoints to make it easier to detect anomalies. This information is critical to detecting and mitigating threats, as well as responding to critical events.
Create an Incident Response Plan
Establish an incident response plan before an attack occurs. Any supporting policies, plans, and processes should be contextual, based on risk, and should account for all regulatory reporting requirements.
Your third-party supplier should also have an incident response plan, to enable them to quickly respond to attacks and mitigate any potential risk to your business. Ensure that any information gathered by security tools and processes is automatically delivered into the hands of those who need to take action, whether in-house or outside your organization.
Conduct Security Awareness Training
Employees must understand how software supply chain attacks can unfold and what each employee’s role is in the detection, remediation, and prevention of threats.
Security awareness training should educate employees on all aspects of cybersecurity, including password security, social engineering attack methods, secure coding, testing practices, and company policies. A better understanding of threats can help employees to preclude potential attacks, quickly react to active attacks, and help protect the organization’s critical systems and sensitive data.
Supply Chain Attack Protection with Aqua Security
Aqua Security provides enterprise-class security solutions to secure cloud native applications and environments from software supply chain attacks. Detect malware and anomalous activity that only manifests at runtime, without putting production environments and sensitive data at risk. Aqua Dynamic Threat Analysis (DTA) deploys containers in a secure sandbox environment and documents the entire attack killchain, providing unprecedented insight to security and forensics teams and establishing a security gate to block promotion of malicious artifacts into production.
For more information, find out how Aqua helps protect you from supply chain attacks: