Software supply chain attacks are becoming more widespread. Learn what they are and how they occur so you can develop a strategy to help manage the risks.
The statistic is alarming. Software supply chain attacks increased by 78% in 2018, according to Symantec’s “2019 Internet Security Threat Report”. And security experts expect the number of attacks to continue to spiral upward.
If you haven’t heard of software supply chain attacks, you are not alone. It is important that you learn about them, though. You need to understand what they are and how they occur so that you can develop a strategy to help manage the risks.
What Software Supply Chain Attacks Are
The term “software supply chain attack” is not referring to a new hacking tool or the latest class of malware. These attacks have, in fact, been around for years. Rather, the term describes a strategy that cybercriminals use to attack companies. Instead of attacking them directly, hackers compromise the third-party software used by those businesses. This is done before the software reaches the companies’ doors, so the hackers do not have to worry about hacking into the companies’ networks and being detected.
Once the compromised software arrives, the hackers use it to initiate other types of malicious activities. For example, the NotPetya malware that paralyzed companies’ networks worldwide in 2017 was initiated by a successful software supply chain attack.
How Hackers Compromise Software
So, how do cybercriminals compromise companies’ software? The main ways include:
- Hijacking software updates or update servers. If software update files are sent through unsecured channels (e.g., Wi-Fi networks) or posted on unsecured websites, hackers can replace a legitimate update file with one that includes malware. Malicious software updates can also result from a compromised update server. That is what led to the NotPetya malware attack, according to the security experts who conducted a forensic analysis of the attack. Cybercriminals hacked the server that was used to update an accounting program named MeDoc. The hackers used the application’s auto-update functionality to push malicious updates to the software users on three separate occasions. The updates created backdoors that allowed the hackers to remotely access the compromised computers and install the NotPetya malware.
- Injecting malicious code into legitimate applications. Cybercriminals sometimes hack into a software provider’s development infrastructure and add malicious code to an application before it is compiled and released to the public. For instance, in 2018, hackers compromised a commercial antivirus program in order to steal South Korean classified military data, according to the Computer Security Resource Center at the National Institute of Standards and Technology (NIST), which is part of the US Department of Commerce.
- Injecting malicious code into third-party code libraries. Applications often contain code libraries, frameworks, and other components created by third parties. Software can become compromised if a hacker inserts malicious code into a third-party component and then the developers use that component in the software. For example, in April 2019, security researchers discovered that several video games had backdoors due to compromised third-party components.
Hackers are not the only ones compromising software to carry out supply chain attacks. There have been cases of insiders inserting malicious code into programs.
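The hijacked-update and poisoned-component cases above share one defensive control: refuse to install anything whose digest does not match a value pinned from a copy obtained through a trusted path. The Python below is an added example written for this article, not code from any vendor or report it cites; the artifact names and bytes are constructed, and the manifest is assumed to have been recorded out-of-band (in practice from a vendor-signed release manifest), separately from the channel the update arrives on.

```python
"""Fail-closed integrity check for vendor updates and third-party components.

Digests are pinned from a copy obtained through a trusted path (assumed here:
a vendor-signed manifest read out-of-band), then every file that arrives
through the update channel is compared against that pin before it is
installed. Anything without a pin, or with a mismatching digest, is rejected.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

CHUNK = 1 << 16  # hash large update files in 64 KiB pieces


def sha256_of(data: bytes) -> str:
    h = hashlib.sha256()
    for i in range(0, len(data), CHUNK):
        h.update(data[i:i + CHUNK])
    return h.hexdigest()


def pin_artifact(manifest: Dict[str, str], name: str, trusted: bytes) -> str:
    """Record the digest of a copy we trust; returns the pinned hex digest."""
    manifest[name] = sha256_of(trusted)
    return manifest[name]


def verify_artifact(manifest: Dict[str, str], name: str, received: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Artifacts with no pin fail closed."""
    pinned = manifest.get(name)
    if pinned is None:
        return False, "no pinned digest for artifact; refusing to install"
    actual = sha256_of(received)
    # compare_digest keeps the comparison constant-time regardless of where it differs
    if not hmac.compare_digest(pinned, actual):
        return False, f"digest mismatch: expected {pinned[:12]}..., got {actual[:12]}..."
    return True, "digest matches pinned value"


def verify_bundle(manifest: Dict[str, str], bundle: Dict[str, bytes]) -> List[str]:
    """Check every component of a delivered bundle; return the names rejected."""
    return [name for name, data in bundle.items()
            if not verify_artifact(manifest, name, data)[0]]


if __name__ == "__main__":
    manifest: Dict[str, str] = {}
    good_update = b"ACCTPKG v3.2.1 " + bytes(range(256))    # constructed sample update
    pin_artifact(manifest, "accounting-update-3.2.1.bin", good_update)
    tampered = good_update[:-1] + b"\x00"                    # one byte changed in transit
    print(verify_artifact(manifest, "accounting-update-3.2.1.bin", good_update))
    print(verify_artifact(manifest, "accounting-update-3.2.1.bin", tampered))
    print(verify_artifact(manifest, "unexpected-extra.dll", b"..."))  # no pin: rejected
```

A pin is only as trustworthy as the channel it came from: a digest fetched from the same unsecured site as the update file would simply be replaced along with it.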
How to Manage the Risks
Admittedly, there is nothing you can do to stop a hacker from inserting malicious code into software when the software is not under your control. That is one reason why software supply chain attacks are becoming more popular among cybercriminals. However, you can take steps to manage the risks.
At a minimum, you should list each application used in your company and its supplier. If you are not familiar with a supplier, do some research to make sure the company is reputable and no red flags pop up.
You might also want to look at NIST’s guide for managing risks in the cyber supply chain. It provides questions to ask suppliers to determine their security risk level as well as best practices to follow to manage the risks. If time is a factor, there are companies like BitSight Technologies and Security Scorecard that will evaluate and rate your vendors based on the security of their networks. However, they charge for this service.
Finally, you should take the basic security precautions (e.g., make sure your security software is up to date, perform backups of data and systems) in case you fall victim to a software supply chain attack. You might also want to consider getting a security solution that uses advanced detection methods (e.g., analytics, machine learning) to identify and block attacks. We can provide more information about those solutions if you are interested.