Imagine if burglars broke into your house not because you failed to secure a door or shut a window at night, but because of a manufacturing problem with the lock or window itself. It’s not just your house, either. It turns out that eight other houses on your street all used the same problematic component — and now they’ve been subject to a break-in as well. That, in a nutshell, is the essence of supply chain attacks, only transposed to the real world as an analogy for the world of cyber security.
Also referred to as a third party or value chain attack, a supply chain attack is a type of cyber attack in which a bad actor infiltrates a system through an external provider or partner. It means that, rather than launching a full, head-on attack on a network, attackers seek out weak points that allow them to exploit one vulnerability to access many victims’ systems.
In cases where these vulnerabilities exist in widely used open-source software, the results can be devastating. By targeting attacks upstream, hackers are able to spread malware throughout a supply chain in a far more scalable way than they would if they targeted individual downstream users.
It’s a clear example of why top-of-the-range application security measures are needed.
The Surge in Supply Chain Attacks
There have been some high-profile examples of supply chain attacks in recent years. One of the most notable of these was the SolarWinds attack of 2020, in which an IT management company had its network infiltrated by a threat actor who was able to maintain a presence on its network for a period of months.
Specifically, the hackers — reportedly an “outside nation state” believed to be Russia — broke into SolarWinds’ system and carried out insertion of malicious code into software that was relied upon, and widely used, by a customer base of thousands. Clients who installed tainted software updates then unknowingly opened a backdoor to their IT systems. This backdoor could then be used to allow for the distribution of further malware.
With the potential damage that can result, it’s no surprise to hear that there has been an enormous uptick in the number of supply chain attacks. These can take a number of different forms. For instance, as seen in the SolarWinds attack, attackers can hijack updates that are distributed to customers from centralized servers, appearing as trusted downloads.
Malicious Code in Code Libraries
Another notable approach involves threat actors inserting malicious code into code libraries that are publicly available — and are then unwittingly inserted into third-party code by unknowing developers.
This exploits the fact that many developers lean heavily on open source libraries and/or third-party code as a way to deliver superior software without having to write everything from the ground up.
Since not every programmer can claim to be a master of every area, this usage of open source libraries and third-party code allows them to add in working code that they don’t have to figure out entirely on their own.
A recent report analyzed the increasing number of these latter types of supply chain attacks in recent years. It notes that developers around the world now borrow more than 2.2 trillion open source components or packages from third-party ecosystems.
This is to decrease the time it takes to bring products to market. The problem? That these shared code packages can frequently feature publicly disclosed vulnerabilities bad actors are able to exploit as a way to go after targets.
There were reportedly 216 attacks that fall under this banner that took place between February 2015 and June 2019. This figure then increased greatly to 929 between July 2019 and May 2020 — before skyrocketing to a frankly shocking 12,000 in the past year.
Defending Against Supply Chain Attacks
One of the most insidious aspects of supply chain attacks is that they can be used to successfully target organizations even when they may otherwise have good defenses. Protecting against software supply chain exploits is therefore essential.
Fortunately, help is available. Solutions like Web Application Firewalls (WAFs), Web Application and API Protection (WAAP) and Runtime Application Self-Protection (RASP) can all help to protect vulnerable applications from attack.
As evidenced by the increasing number of supply chain cyber-attacks, this form of malicious attack is not going away any time soon. Organizations have to be prepared to defend against this potentially devastating form of malicious behavior. The potential risks of code supply chain compromises are considerable — and, as seen with the SolarWinds attack, can be long-lasting and undetected for a long time.
It’s important to take advantage of the tools that are available to help safeguard against this threat.