How to Protect the Software Supply Chain from Vulnerable Third-Party Code

8 February 2022

What happens when you don’t protect the software supply chain from vulnerable third-party code? You know…the software, scripts, and code snippets that your business uses on your website or network?

The compromise could be unintentional—perhaps the coders simply made a mistake. Or the compromise could be intentional—maybe hackers wrote a malicious script and promoted it as legitimate on a third-party library source to encourage users to download and install.

Either way, your business has a problem, because you now have code embedded in your systems that could be incredibly dangerous to your company and customers.

When hackers implant malicious software on third-party sources or when they take advantage of vulnerabilities in existing third-party code, this type of scenario is known as a software supply chain attack. (Two recent examples of software supply chain attacks include Kaseya and SolarWinds.) And while supply chain attacks aren’t new, they are growing in frequency and danger. Businesses and people are intricately connected to each other through applications and the internet. When critical systems are attacked and supply chain operations affected, the downstream impact quickly becomes apparent, ranging from significant operational delays and lost customers to corporate or government espionage and substantial reputation damage.

How to protect the supply chain from vulnerable third-party code

What Is a Cyber Supply Chain Attack?

The term supply chain attack is often used generically to describe several different types of cyber incidents. In general, it means a cyberattack on one business that ripples through and affects operations at any connected business.

Software Supply Chain Attack

This type of supply chain attack relates to software or code connected to mission-critical systems. Usually, the software or code comes from a third party and contains tainted scripts or unpatched vulnerabilities. Hackers take advantage of the malicious or vulnerable code to breach the user’s systems.

A software supply chain attack is the most common type of supply chain attack on businesses.

Other Types of Supply Chain Attacks

There are two other supply chain-type attacks often referenced in the news that are worth noting for clarification purposes.

Vendor supply chain attack

This typically involves an attack directly on a vendor that has access to customer systems and networks. The instigating incident in this type of attack may be phishing, in which the vendor’s credentials are compromised, or an attack on unpatched vulnerabilities in legitimate operating software that enables the hacker to gain access to the vendor’s systems and then to customer systems.

Traditional supply chain attack

The other type of supply chain attack involves cyber incidents with traditional “supply chain” businesses, such as transportation companies or manufacturers. A classic example is the recent Colonial Pipeline ransomware attack that temporarily shut down petroleum delivery and affected thousands of businesses and consumers along the East Coast of the United States.

How Malicious Third-Party Code Makes its Way onto Business Systems

In today’s fast-churn web software development environment, few businesses rely on software applications created wholly in house. Instead, businesses turn to other companies to obtain software, and to third-party code repositories like GitHub to obtain a specific type of script to help solve a need, such as enhancing online website operations or tracking customer engagement.

Common Software Attack Techniques

The Cybersecurity & Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) identify the following three software attack techniques as the most common; they can be used individually or combined in a single attack:

Hijacking updates

Involves infiltrating the software vendor’s network and inserting malware into an outgoing update or altering the update to give the attacker control of the software’s functionality.

Undermining code signing

Attackers self-sign certificates, break signing systems, or exploit misconfigured account access controls to compromise software updates, impersonating the trusted software vendor and inserting malicious code.

Compromising open-source code

Threat actors insert malicious code into open-source code libraries, which are then downloaded by unsuspecting developers and added to their own systems and websites.

What Types of Code or Software are Most Vulnerable?

Any type of software is vulnerable, although some specific tools, like JavaScript, are more vulnerable than others. JavaScript, in particular, does not contain any built-in security permissions, making it highly susceptible to attack. The most common JavaScript security vulnerabilities include:

  • Source code vulnerabilities
  • Input validation
  • Reliance on client-side validation
  • Unintended script execution
  • Session data exposure
  • Unintentional user activity

Website security misconfigurations and elevated software privileges can also facilitate software attacks.

What Types of Attacks Target a Web Application’s Software Supply Chain?

Organizations need to protect the software supply chain from vulnerable third-party code targeted specifically at web applications. Software supply chain attacks can result in a type of attack known as e-skimming (sometimes also called Magecart attacks), where a threat actor leverages vulnerabilities in web application code to steal customer information, such as name, date of birth, and credit card or banking data.

Why Are Software and Code Vulnerable to Attack?

Two key components of software design make it vulnerable to attack: (1) privileged access and (2) frequent communication between the vendor’s network and the software product located on customer networks.

Privileged access

Elevated system access is required by many third-party software and code products. If the code is malicious, then the attacker may have privileged access to critical systems within a network.

Frequent communication

Installed software may include code that facilitates communications between the user and the software vendor to install updates or fix vulnerabilities. This level of connectivity can give attackers the opportunity to send malicious software updates or prevent an update from reaching the customer.

The Repercussions of a Software Supply Chain Attack

Attacks based on vulnerable or malicious code can go undetected for months and affect businesses, even when cybersecurity defenses are comprehensive and current. Sometimes the software supplier doesn’t even know they’ve been compromised until their downstream clients are attacked or begin to experience problems. Ultimately, any business using the vulnerable software is at risk—making a software supply chain attack one of the most dangerous types of cyberattacks facing businesses today.

Software supply chain attacks can result in significant damage, including business and government espionage, persistent system and network infiltration, reputation damage, and significant financial loss.

Best Practices to Help Prevent and Mitigate Software Supply Chain Attacks

Both software suppliers and software end users need to make sure they’re applying industry best practices to help prevent and remediate software supply chain attacks.

Software Supplier Best Practices

  • Know your web assets and the type of data they hold.
  • Adopt automation where possible, particularly when identifying web assets.
  • Use automated tools to conduct scans and monitor to identify code issues, intrusions, behavioral anomalies, and unknown threats.
  • Use tools that automate security policies on JavaScript-based applications.
  • Update software and patch vulnerabilities regularly.
  • Make sure your infrastructure and processes for delivering software to customers follow cybersecurity best practices.

Business User Best Practices

  • Assess and know your software supplier network, including identifying and documenting all software suppliers and vendors that have access to your networks and systems.
  • Confirm the legitimacy and safety of any software supplier’s code or web application.
  • Require any vendor with access to your systems and networks to maintain cybersecurity best practices.
  • Develop and integrate across the entire organization a cyber supply chain risk management (C-SCRM) program.
  • Apply identity and access management (IAM) policies to software and don’t rely on default software privileges.
  • Adopt automation where possible, particularly when identifying web assets.
  • Use automated tools to conduct scans and monitor to identify code issues, intrusions, behavioral anomalies, and unknown threats.
  • Use tools that automate security policies on JavaScript-based applications.
  • Define risk for each software supplier based on dependencies and points of failure.
  • Know your web assets and the type of data they hold.
  • Update software and patch vulnerabilities regularly.

Use Automated Tools Designed to Protect Your Supply Chain

If you would like to ensure your website applications are using the latest security tools, check out our Inspector and PageGuard products. They are specifically designed to continuously scan and protect your business from attackers. And if you would like to see our products in action, please request a demo here: link. If you would like to read a solid overview of how to protect your client-side web applications, please read our e-book here: link.
