A supply chain attack is a highly effective way of breaching security by injecting malicious libraries or components into a product without the developer, manufacturer or end-client realizing it. It can be used to steal sensitive data, gain access to highly sensitive environments, or gain remote control over specific systems. Most at risk are major software developers and hardware distributors that trust a vendor to build and ship the components they use in their final products.
How a Supply Chain Attack Works
Supply chain attacks in technology focus on software vendors and hardware manufacturers. Attackers search for unsafe code, unsafe infrastructure practices, and unsafe network procedures that allow the injection of malicious components. When a build process requires several steps from development (or manufacturing) to installation, an attacker (or group of attackers) has several opportunities to inject their own malicious code into the final product.
Some manufacturers, vendors, and developers build products used by thousands of clients. An attacker who can breach one of these suppliers could potentially gain access to thousands of unsuspecting victims, including technology companies, governments, security contractors, and more. Instead of breaching just one targeted organization, a supply chain attack gives an attacker the potential to obtain access to numerous large and small businesses to silently exfiltrate extensive amounts of data without their knowledge.
In a hardware supply chain attack, a manufacturer can install a malicious microchip on a circuit board used to build servers and other network components. Using this chip, the attacker can eavesdrop on data or obtain remote access to the corporate infrastructure. In a software-level supply chain attack, a malicious library developer can change code to perform malicious actions within their client’s application. The library could be used for cryptojacking, stealing data, or leaving a backdoor for an attacker to remotely access a corporate system.
In many of the biggest supply chain threats, email fraud is the primary vector used to begin the attack. Business email compromise (BEC) works well for attackers that do their due diligence and research their target, because it lets them send email messages to key employees (e.g., in finance) instructing them to pay an invoice or send money. The sender’s address looks like that of the CEO or owner, and the message is written in a way that sounds urgent to the recipient. In some scenarios, the attacker compromises an executive’s email account and uses it to send phishing emails to employees within the organization.
Types of Supply Chain Attacks
Any organization that installs infrastructure using third-party vendors is vulnerable to supply chain attacks, but there are a few primary attack types to be aware of:
- Physical supply chain threats: Physical supply chain threats usually require cooperation with manufacturers and vendors to inject components into circuit boards. Manufacturers are given a design plan that they must follow to build components. A malicious manufacturer can add just one extra component into the circuit board to eavesdrop on data and send it to an attacker.
- Software supply chain threats: Organizations use software vendors to install their product on the network and perform a function like monitoring servers or allowing users to perform their daily tasks. Applications with unknown vulnerabilities enable a malicious threat actor to perform numerous attacks on organization systems.
- Digital supply chain threats: To decrease development time, software developers use a common third-party library to perform a function in their application. Should a third-party library developer inject malicious code into the product, any software developer that incorporates the infected library would be vulnerable.
- Business email compromise: Using fake invoices, an attacker sends messages to finance employees to trick them into paying. Other attackers might trick human resources into diverting payroll funds to their own account by pretending to be another employee. If an attacker can compromise a company email address, it can be used to piggyback on existing conversations and trick recipients into providing sensitive data or sending money to an attacker-controlled account.
What are the Impacts of Supply Chain Attacks?
Many organizations are unfamiliar with how supply chain attacks work, so they’re unaware of what happens if they fall victim to this type of attack. The impact of a supply chain attack could devastate corporate revenue, brand reputation, and vendor relationships.
The three main impacts from supply chain attacks are:
- Data breaches and data disclosure: In many supply chain attacks, especially hardware-based attacks, the malicious code eavesdrops on data and sends it to an attacker-controlled server. Any data that passes through a system infected with the malicious code could be breached, including potentially stealing high-privileged account credentials for future compromises.
- Malware installation: Malicious code running within an application could be used to download malware and install it on the corporate network. Ransomware, rootkits, keyloggers, viruses, and other malware could be installed using injected supply chain attack code.
- Monetary loss: If an employee is tricked into sending money to a bank account or paying fraudulent invoices, a targeted organization could lose millions.
Who Is Vulnerable to Supply Chain Attacks?
Any vendor that relies on third parties to build a product is vulnerable to supply chain attacks. In opportunistic attacks, threat actors take any target they can reach rather than a specific business. In sophisticated attacks, threat actors focus on government agencies or large organizations worth billions. In state-sponsored attacks, a threat actor focuses on governments and their infrastructure. These attacks could cost lives if the malware crashes critical systems.
Security vendors are perfect targets. Organizations trust security vendors to protect their data and reputation. With stealthily placed malicious code in a security contractor’s infrastructure and controls, an attacker can silently siphon data from large corporations’ systems and send it to an attacker-controlled network. Data vulnerable to these attacks includes financial data, personally identifiable information (PII), patient information, and employee data.
A Managed Service Provider (MSP) is another primary target. These businesses support organizational infrastructure and have systems in place to monitor activity. Having access to an MSP system would give an attacker access to numerous MSP client systems. With the right malicious code, the attacker could access MSP credentials, giving attackers access to client infrastructure. Another option for the attacker would be to skim credit card numbers from payment dashboards and customer support systems.
Open source is a great way for developers to collaborate with other developers to improve their code. When other developers contribute to the codebase, the code should be reviewed for any security flaws. These flaws could be added to the codebase by mistake or on purpose. Because most open-source projects are publicly available to other developers, an accidentally introduced security bug could be spotted by an attacker before a well-intentioned contributor notices it. The attacker could then write code to exploit the vulnerability, leaving every corporation that uses the open-source code open to targeted exploits.
Any organization with a hierarchy of employees posted on social media or on the organization’s website is a target for BEC. An attacker can collect a list of high-privilege accounts for phishing, social engineering, or tricking employees into paying fraudulent invoices. After reconnaissance, an attacker can “become” the person they intend to impersonate in order to trick employees into sending money or paying the invoices. In some scenarios, the organization’s vendors could also be at risk. An attacker might compromise a vendor’s email account and use it to email targeted high-privilege employees within the victim organization.
Several real-world attacks have already been launched against the supply chain but aren’t widely known to the general public, because they primarily affect developers and operations teams. The popular real-world examples mostly impact corporate administrators who have to contain, eradicate, and remediate the vulnerabilities left by vendors affected by supply chain attacks.
A few real-world examples that affected large corporations include:
- SolarWinds: In 2020, attackers injected a backdoor into the SolarWinds update distribution process, leaving corporate and government production servers open to remote access. Numerous organizations fell victim to data breaches and security incidents.
- Kaseya: The REvil ransomware infected MSP software used to manage thousands of customer environments, allowing attackers to demand $70 million from MSP customers.
- Codecov: Attackers tampered with the Codecov Bash uploader, the script customers use to automatically send reports to Codecov. With malicious code injected into the script, attackers eavesdropped on and stole customer data from Codecov servers.
- NotPetya: NotPetya was fake ransomware used to trick users into paying a fee, but no private key was ever delivered, leaving victims with data and monetary loss. The attack started when a Ukrainian update application was infected with malicious code.
- Atlassian: In 2020, security researchers found that Atlassian apps were vulnerable due to an exploit against their Single Sign-On (SSO) procedure. Using SSO tokens, attackers could access applications and perform actions related to the user account.
- British Airways: British Airways suffered a data breach after the Magecart supply chain attack compromised their transaction system and disclosed sensitive information.
- Community housing non-profit: Attackers spoofed a vendor domain to trick non-profit employees into divulging sensitive data so that attackers could steal £1 million of rent money.
How to Protect Against Supply Chain Attacks
Because supply chain attacks target developers and manufacturers outside of your organization’s control, they are difficult to stop. You should always review any code or hardware before installing it on your infrastructure. Security professionals will also perform a penetration test on these components to check for vulnerabilities, whether maliciously injected into the product or accidentally introduced by the vendor.
Although supply chain attacks are outside your control, you can still follow several strategies to avoid becoming a victim. Here are a few strategies:
- Set up a honeypot: A honeypot of fake data that looks like sensitive, valuable information acts as a tripwire to alert administrators that the system could be under attack or compromised. Honeypots should act and look like regular systems and data and should have monitoring in place to allow administrators to identify how an attacker could breach the environment.
- Limit privileged accounts: Lateral moves across a network are common in supply chain attacks that compromise high-privileged accounts. Limiting access to only a few accounts and ensuring accounts can only access data necessary to perform a function also limits risk.
- Staff training: Training staff to understand the importance of cybersecurity and the many ways that they can detect and defend against insider threats has been proven to reduce risk. Security awareness training helps to ensure that individuals understand and follow certain practices to help ensure the security of an organization.
- Implement an Identity Access Management (IAM) system: An IAM provides a centralized dashboard for administrators to control data access and create and disable accounts across the entire enterprise. The advantage is that administrators can better manage permissions on the network in one location and identify potential privilege mismanagement.
- Work with zero trust architecture (ZTA): Instead of trusting authenticated users, a zero trust environment assumes that all applications and users could be attackers and requires reauthorization and authentication for every data access request.
- Identify vulnerable resources: In a risk assessment, a professional audits all resources on the network and identifies which ones are most vulnerable and carry the most risk. Administrators can then prioritize cybersecurity controls on the riskiest infrastructure and protect any resources attackers could target.
- Minimize access to sensitive data: For sensitive data, including intellectual property and files containing trade secrets, organizations must limit access to only high-privilege users and monitor successful and unsuccessful access requests to identify any compromises.
- Monitor vendor access and resources: Third-party vendors pose the most significant risk in supply chain attacks. Many vendors don't realize that they are a target and pose a risk to their clients, so any access or implementation of third-party vendor resources should be reviewed for vulnerabilities.
- Apply strict shadow IT rules: Shadow IT resources are any devices unauthorized to access the network environment. This issue poses a risk when the organization also offers a bring-your-own-device (BYOD) policy allowing users to connect with their own desktop or mobile devices. These devices should be heavily monitored and have antivirus software installed.
- Be aware of insider threats: Human error is a primary attack vector for phishing and social engineering threats. Your risk assessment and review should also identify potential insider threats and human errors that could result in a severe data breach or compromise of your system.
- Use email cybersecurity to block spoofed senders: Your email servers should stop spoofed senders from reaching a recipient’s inbox and use artificial intelligence to stop spoofed domains and known attack sites.
- Train employees to detect malicious messages: Employee training is key to reducing the risk of human error. Simulated phishing attacks empower employees to identify phishing attacks and social engineering.
- Put policies in place for invoice payments: To avoid paying fraudulent invoices, put payment policies in place to validate invoices and get authorization before sending money to any bank account.
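The "block spoofed senders" control above comes down to one check an email gateway makes: does the domain the recipient sees in the From header match a domain that actually passed SPF or DKIM? The following added example (not Proofpoint's code or part of the original article) applies that DMARC-style alignment check to two constructed messages, assuming an upstream gateway has already stamped an Authentication-Results header; it uses strict alignment, whereas DMARC's default relaxed mode compares organizational domains.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail). The Authentication-Results header is
# what an inbound gateway stamps after checking SPF and DKIM for the message.
LEGIT = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=vendor.example; dkim=pass header.d=vendor.example
From: "Accounts Payable" <billing@vendor.example>
Return-Path: <billing@vendor.example>
Subject: Invoice 1042
"""

SPOOFED = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bulk-sender.example; dkim=none
From: "Chief Executive" <ceo@example.com>
Return-Path: <bounce@bulk-sender.example>
Subject: URGENT wire transfer
"""


def parse_auth_results(header):
    """Map each method to (result, authenticated domain), e.g. {'spf': ('pass', 'vendor.example')}."""
    results = {}
    for clause in header.split(";")[1:]:  # clause 0 is the authserv-id, not a method
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        domain = None
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            if key in ("smtp.mailfrom", "header.d"):
                domain = value.split("@")[-1].lower()
        results[method.lower()] = (result.lower(), domain)
    return results


def check_alignment(raw_message):
    """Strict alignment: the visible From domain must equal a domain that passed SPF or DKIM."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    for method in ("spf", "dkim"):
        result, domain = auth.get(method, ("none", None))
        if result == "pass" and domain == from_domain:
            return {"from_domain": from_domain, "aligned": True, "via": method}
    # SPF can pass for a bulk sender's bounce domain while the From header claims to be the CEO.
    return {"from_domain": from_domain, "aligned": False, "via": None}
```

A gateway enforcing the sending domain's DMARC policy would quarantine or reject the second message even though its SPF check passed, because the passing domain is not the one the recipient sees.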
Supply Chain Risk Assessment
To understand the ways your organization could be vulnerable to a supply chain attack, you first must do your due diligence and perform an internal risk assessment. After the SolarWinds supply chain attack, many more organizations have realized the importance of risk assessments to protect the internal environment from these third-party threats.
During a risk assessment, professionals not only identify risks but also help the organization design controls and manage those risks. Risk mitigation requires the proper cybersecurity controls and a zero-trust environment to stop threats effectively. In many cases, the organization must redesign its authorization controls and user privileges to reduce risk.
How Proofpoint Can Help
Proofpoint staff are experts in supply chain attacks and the many ways threats pose a risk to your data privacy, compliance, and your cybersecurity defenses. We offer extensive services that protect a primary attack vector – email. We protect the supply chain for several industries, including healthcare, financial services, education, manufacturing, and more.