Attacks on the software supply chain are on the rise: How to act now
by Tina Siering
The recent study "Software Supply Chain Security Review" by Argon Security proves that hackers are increasingly targeting the software supply chain. In 2021, cybercriminals launched three times as many attacks on the software supply chain as in the year before. Among other things, the attackers exploit vulnerabilities in open source solutions and in the CI/CD pipeline to inject malicious software and manipulate applications. And it is by no means only large corporations that are at risk: small and medium-sized enterprises are targets as well.
The study also shows that attacks on the software supply chain are so successful only because security measures in software development are still clearly deficient. If you are now getting weak in the knees, we can reassure you: your supply chain security can be upgraded with new, reliable solutions.
What actually is a software supply chain?
Hardly any technology company today develops all the software components for its products itself. Just as automobile manufacturers have their parts manufactured and delivered by suppliers, software companies are also increasingly purchasing components from third-party suppliers and processing them in their own solutions. The purchased components can be, for example, prefabricated payment systems, management platforms or code components created by several developers.
The advantage of such a software supply chain based on division of labor is obvious: you can accelerate the development of your products and bring them to market faster and more cost-effectively. The major disadvantage, however, is that it is difficult for you to monitor external production processes. The risk of already infected software components entering your company and your products unnoticed is relatively high. The more complex a supply chain is, the lower its resilience.
The danger lurks in the update
In a software supply chain attack, cybercriminals manipulate the software production cycle and cause widespread damage with malicious code. The attacks not only lead to the compromise of your corporate network, but also affect your customers.
Update files contaminated with malware are particularly common. If these are installed by countless end users of a service or a central platform, the attackers gain, in the worst case, access to the data of thousands of users. This profitable reach is precisely why supply chain attacks are so popular with hackers.
What makes software supply chain attacks so insidious is that they are difficult to trace and go undetected for a long time. Hackers use stolen code-signing certificates to disguise their manipulations and gain the trust of users. The most prominent cases in recent years include the SolarWinds hack and the supply chain attack on Click Studios' password manager Passwordstate.
These are the attacks you should expect
According to Argon Security's study, cybercriminals predominantly carry out their attacks in three areas of the supply chain. The most common attack scenarios include:
1. Attacks on open source solutions
To save time and money, the use of open source code is commonplace in software development today. However, open source code often has security vulnerabilities that cybercriminals like to use to inject malicious code and spy on data.
Two main methods can be observed: First, hackers gain access to applications via existing vulnerabilities in packages and launch their attack there. Second, they inject malicious code into open source solutions or self-developed software, which then enters the build process via pipeline tools or programmers.
2. Attacks on pipeline tools
CI/CD pipeline tools are essential for efficient software development, but they too can become targets of supply chain attacks. For example, hackers exploit faulty configurations and security vulnerabilities in build agents or code management systems to gain access to applications, source code and manufacturing processes. It is also not uncommon for attackers to manipulate package registries in order to inject compromised source code.
3. Attacks on source code repositories
Another major threat, according to the study, comes from source code repositories. If developers upload faulty code to the repository, this poses an immediate risk to security and an opportunity for attackers. Degraded code quality, common misconfigurations and security vulnerabilities, and sensitive data in the code are just a few of the problems that are becoming more prevalent in customer environments. Eliminating the multitude of complications often requires lengthy and costly cleanup projects.
How to protect yourself from software supply chain attacks
As you can see, attacks on the software supply chain are particularly insidious and can go unnoticed for many months. During this time, they cause massive damage that not only puts you in financial trouble, but also permanently ruins your company's reputation. Since traditional reactive security solutions are no longer sufficient for reliable supply chain security, new approaches are needed. Instead of reacting only when it is too late, you should actively protect yourself.
24/7 security monitoring has proven to be an extremely effective measure for defending against supply chain attacks. It allows your company's network - including printers, smartphones and IoT devices - to be scanned for suspicious activity around the clock, so that a compromise is immediately visible and your IT team can take countermeasures right away.
This is exactly the kind of proactive threat hunting and incident response solution Allgeier secion offers with its Active Cyber Defense (ACD) service, which actively searches for conspicuous behavior patterns. In this way, it is possible to detect activities of compromised software originating from third-party providers at an early stage. The preventive system enables you to initiate countermeasures quickly and in a targeted manner, offering your company and your customers secure protection against supply chain attacks.
Conclusion
Argon Security's study has impressively demonstrated that attacks on the software supply chain represent one of the greatest threats to your IT security, now and in the future. The trend towards increasing attacks on the software supply chain was already clearly evident beforehand, however, when reports of successful hacks repeatedly circulated through the media. Although preventive measures are more important than ever, the IT departments of many companies still do not seem to have realized the need to act. This is a fatal mistake: those who do not seriously address the issue of supply chain security now are negligently risking damage to their business processes and customers - even though effective defense against supply chain attacks should have been standard practice long ago. With proactive security monitoring, you can ensure that compromises of source code or entire applications are uncovered promptly, without great effort and at relatively low cost.