A supply chain attack, also called a value-chain or third-party attack, occurs when someone infiltrates your system through an outside partner or provider with access to your systems and data. This has dramatically changed the attack surface of the typical enterprise in the past few years, with more suppliers and service providers touching sensitive data than ever before.
The risks associated with a supply chain attack have never been higher, due to new types of attacks, growing public awareness of the threats, and increased oversight from regulators. Meanwhile, attackers have more resources and tools at their disposal than ever before, creating a perfect storm.
How supply chain attacks work
Attackers hunt for insecure network protocols, unprotected server infrastructure, and unsafe coding practices. They break in, change source code, and hide malware in build and update processes.
Because software is built and released by trusted vendors, these apps and updates are signed and certified. In software supply chain attacks, vendors are likely unaware that their apps or updates are infected with malicious code when they’re released to the public. The malicious code then runs with the same trust and permissions as the app.
The number of potential victims is significant, given the popularity of some apps. In one case, a free file compression app was poisoned and deployed to customers in a country where it was the top utility app.
Types of supply chain attacks
- Compromised software build tools or update infrastructure
- Stolen code-signing certificates, or malicious apps signed using the identity of the development company
- Compromised specialized code shipped into hardware or firmware components
- Pre-installed malware on devices (cameras, USB, phones, etc.)
Supply chain attack examples
There’s no end to major cyber breaches that were caused by suppliers. The 2014 Target breach was caused by lax security at an HVAC vendor. This year, Equifax blamed its giant breach on a flaw in outside software it was using. It then blamed a malicious download link on its website on yet another vendor.
Then there were the Paradise Papers, over 13 million files detailing offshore tax avoidance by major corporations, politicians, and celebrities. The source? Like last year’s Panama Papers, it was a law firm that was the weakest link.
How to protect against supply chain attacks
- Deploy strong code integrity policies to allow only authorized apps to run.
- Use endpoint detection and response solutions that can automatically detect and remediate suspicious activities.
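Why the strictness of a code integrity policy matters when a poisoned update carries the vendor's valid signature, shown as an added example that is not part of the original article. The `Binary` and `Policy` classes, the file names and "Example Vendor" are hypothetical, and signature verification is assumed to have already happened.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binary:
    name: str
    content: bytes
    signer: Optional[str]  # publisher from an already-verified signature (assumed); None if unsigned

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class Policy:
    trusted_publishers: frozenset
    approved_hashes: frozenset
    require_approved_hash: bool  # True: a valid vendor signature alone is not enough

    def evaluate(self, b: Binary) -> tuple:
        if digest(b.content) in self.approved_hashes:
            return ("allow", "build hash was reviewed and approved")
        if b.signer in self.trusted_publishers:
            if self.require_approved_hash:
                return ("block", "signed by trusted publisher, but build not reviewed")
            return ("allow", "signed by trusted publisher")
        return ("block", "unsigned or unknown publisher")

# Constructed sample binaries; contents and vendor name are made up.
RELEASE = Binary("zipper-1.0.exe", b"compression code v1.0", "Example Vendor")
POISONED = Binary("zipper-1.1.exe", b"compression code v1.1 + injected code", "Example Vendor")
UNSIGNED = Binary("helper.exe", b"unknown tool", None)

def run_demo() -> dict:
    publishers = frozenset({"Example Vendor"})
    approved = frozenset({digest(RELEASE.content)})  # only the reviewed 1.0 build
    policies = {
        "publisher-only": Policy(publishers, approved, require_approved_hash=False),
        "hash-pinned": Policy(publishers, approved, require_approved_hash=True),
    }
    return {
        (label, b.name): policy.evaluate(b)[0]
        for label, policy in policies.items()
        for b in (RELEASE, POISONED, UNSIGNED)
    }

if __name__ == "__main__":
    for (label, name), decision in run_demo().items():
        print(f"{label:15} {name:16} {decision}")
```

The publisher-only policy allows the poisoned 1.1 build because its signature is genuine, while the hash-pinned policy holds it until someone reviews and approves that specific build.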