SOFTWARE SUPPLY CHAIN UNDER ATTACK


Supply chain attacks are not a new idea, but in recent times they have become more common, especially in the software supply chain, where they are increasingly used as a means of carrying out malicious attacks.
Attackers know that it is easier to exploit the trust people place in the security of these chains than to attack protected targets. Adversaries take the easy path, and supply chains are that path.

If the organization's security is vulnerable, the attack can spread and affect the organization and its customer base.

What is a supply chain attack?

A supply chain cyberattack is a computer attack that is carried out through the infrastructure used to distribute software or digital products.

The goal of this type of attack is to disrupt or compromise the integrity of the supply chain in order to obtain sensitive information, spread malware, or pursue other malicious purposes. This type of attack can be particularly damaging because it can affect multiple parties and systems throughout the supply chain.

Cyberattacks on the supply chain occur when companies or organizations delegate the development of products, software, hardware or other services to third parties and it is the latter that become the targets of cybercriminals.
These attackers can compromise the design process, integrity, production, distribution, operation, installation, or maintenance of a system in order to disable or reduce the functionality of such systems or products.
Infected software is delivered to organizations, acting as an entry point for attackers. Once inside, the adversary can access and damage any information, including product information, financials, and personal data.

How do they avoid detection?

Supply chain attacks are based on leveraging trust. Reliable providers are supposed to have high security standards. For example, an analyst reviewing C2 traffic alerts may judge them subjectively, based on their trust in an application.
The analyst may see a specific domain in the traffic or in SSL certificates, but because it comes from a trusted application, the threat indicator is assumed to be legitimate. This subjectivity shows why it is important not to rely on trust and how trust can become a weakness. It also highlights the need to investigate third-party applications further.
The chain is only as strong as its weakest link: if one part fails, the whole system can be affected.
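
The analyst bias described above can be shown with two triage rules. This is an added example, not code from the original article; the process names, domains and baseline are constructed, hypothetical sample data.

```python
# Constructed sample data: process names, domains and baseline are hypothetical.
TRUSTED_APPS = {"updater.exe"}

# Destinations each application contacted during a known-good observation period.
BASELINE = {"updater.exe": {"updates.vendor.example"}}

ALERTS = [
    {"id": 1, "process": "updater.exe", "domain": "updates.vendor.example"},
    {"id": 2, "process": "updater.exe", "domain": "cdn-sync.unknown.test"},
    {"id": 3, "process": "unknown.exe", "domain": "cdn-sync.unknown.test"},
]


def triage_by_trust(alert):
    """Weak practice: close any C2 alert raised by a trusted application."""
    return "closed" if alert["process"] in TRUSTED_APPS else "investigate"


def triage_by_evidence(alert, baseline=BASELINE):
    """Judge the indicator itself; trust never closes an alert on its own."""
    known = baseline.get(alert["process"])
    if known is None:
        return "investigate"      # no recorded behaviour for this process
    if alert["domain"] in known:
        return "low-priority"     # matches recorded behaviour, still logged
    # A trusted application contacting a destination outside its baseline is
    # what a compromised update would look like, so it is escalated.
    return "escalate" if alert["process"] in TRUSTED_APPS else "investigate"


def compare(alerts=ALERTS):
    """Return {alert id: (trust-based verdict, evidence-based verdict)}."""
    return {a["id"]: (triage_by_trust(a), triage_by_evidence(a)) for a in alerts}


def missed_by_trust(alerts=ALERTS):
    """Alert ids the trust-based rule closes but the evidence rule escalates."""
    return [i for i, (t, e) in compare(alerts).items()
            if t == "closed" and e == "escalate"]


if __name__ == "__main__":
    for alert_id, verdicts in compare().items():
        print(alert_id, *verdicts)
    print("closed by trust, escalated by evidence:", missed_by_trust())
```

Alert 2 is the case the section warns about: the trust-based rule closes it because of the application it came from, while the evidence-based rule escalates it because the destination is new for that application.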

Some of the weaknesses in software supply chain security

  • Third-party dependencies: the software supply chain depends on external companies. Verify their security and communicate with suppliers.
  • Licenses: a legal risk that can force the software to be released as open source and cause the loss of patent rights.
  • Vulnerabilities: bugs in the software that can be exploited and cause data leakage.
  • Processes and policies: these are implemented in the company to prevent problems. Create policies for developers and an action plan for vulnerabilities.

Recent attacks on supply chains

Historical examples of such attacks include NotPetya in 2017, SolarWinds in 2020 and Kaseya in 2021.
A report by the European Network and Information Security Agency (ENISA) analyzed 24 attacks on the supply chain and revealed that in 66% of cases, providers did not know how they were compromised. It is believed that 50% of attacks are attributable to advanced persistent threat (APT) groups, and 62% of attacks on customers succeeded by exploiting trust in the provider.

Software supply chain attacks are a real and persistent threat, which can result in serious financial and privacy damage.
According to the ENISA report, providers do not always know or report how they have been compromised, and successful attacks on customers are often due to exploiting trust in the service provider.
In conclusion, businesses must take proactive steps to protect against these attacks, including rigorous verification of software vendors and implementation of strong security measures. It is crucial for providers and customers to be aware of these risks and take steps to protect against them.
