PREVIEW:
After deploying a new system, you’re likely to feel there’s a honeymoon period before it comes under an attack. Likewise, when performing a software update, we can feel some relief believing the newest features and patches will protect our applications against exploits. However, supply chain attacks are destroying this false sense of security by compromising trusted vendors to implant threats in new systems and software updates.
The SolarWinds malware campaign that has caused so much damage and uncertainty is just the latest example of the widespread devastation with a supply chain attack. Here is all you need to know about supply chain attacks and the actions you must take to secure your environment against them.
How supply chain attacks work
Supply chain attacks can compromise both trusted software and hardware vendors. Once attackers get past a vendors’ defense systems and implant threats in their products, vendors will unknowingly distribute malware or embedded threats into other network environments.
Software
When it comes to software vendors, supply chain attacks typically start by threat actors surveilling a vendor waiting to find insecure network protocols, unprotected servers, and unsafe coding practices. When threat actors find these, they change source code to embed malware in a software build and update processes and software update mechanisms. Because the software comes from a trusted vendor, the infected apps and updates are legitimately signed and certified.2
Hardware
In addition to software-based threats, IC and computer manufacturers are also susceptible to supply chain attacks. IC foundries face threats such as hardware Trojans and piracy breaches. Chip foundries use split secure fabrication and logic barriers that separate logical inputs from the outputs to prevent threats during chip fabrication. However, these are not foolproof.3
When moving up a level from chips to computing systems, there are two ways for threat actors
to infiltrate computer equipment. One is through interdiction attacks that tamper with computing
devices during transport from manufacturers to customers. The second method puts malicious
chips on computers during the manufacturing of motherboards.4
Why fear supply chain attacks?
Simply put, every element of your infrastructure is at risk. Supply chain attacks target software and hardware in your on-premises, cloud, mobile, and IoT environments, putting every element in your infrastructure at risk. Supply chain attacks not only target a victim’s infrastructure, but they can also quickly spread among partners, customers, and other stakeholders, leading to an escalation attack. Successful escalation attacks could grant threat actors access to protected data and several IT environments. In addition to traditional hardware and software, security researchers have found supply chain attacks that preloaded malware in cloud infrastructure6, smartphones, IoT, and endpoints.
How supply chain attacks escalate beyond hardware and software
Going back to the current attack, the U.S. Department of Justice reported that the SolarWinds supply chain attack added a Trojan to SolarWinds’ Orion app to move across its network and access employees’ Office 365 email accounts. This attack demonstrates how SaaS applications are also at high risk. One can anticipate that the compromised email accounts not only leak sensitive. Why fear supply chain attacks?
Download the full text here.