After SolarWinds and Passwordstate: Do you still have a backdoor open in your supply chain security?
by Svenja Koch
In an increasingly globalised world, supply chains are also becoming more complex. And supply chains in companies are increasingly turning out to be gateways for cyber attacks. IT security experts warn: IT security is often still too focused on the company itself. In supply chain attacks, components may already be compromised when they arrive at the company. ENISA, the EU agency for cyber security, warns that companies underestimate the cyber threats posed by supply chain attacks and are usually not sufficiently prepared for such cyber attacks.
When do we speak of supply chain attacks?
We speak of a supply chain attack when components that a company purchases, and which are thus outside its own area of responsibility, become the target of a cyber attack. In these cases, the components are infected before they enter the company. These are, for example, the code of software products or complete applications developed by a third-party provider. They are then used in products or applications of another manufacturer, who uses these components as building blocks for its own technology. This type of attack can be compared to the Trojan horse from Greek mythology.
In IT, supply chains are often very complex. They concern both the software and the hardware sector. Companies process controllers, chips, software components and other IT products from third-party suppliers and build their own products from them. In practice, there are numerous examples of such products. The IoT sector in particular cannot do without supply chain management: companies purchase controllers, network chips and many other components as finished parts and install them in their end products. Such components are then found in smart meter gateways, smartphones or even refrigerators, WLAN access points and many other devices.
The actual targets of these cyber attacks are the software components of such devices. More and more often, these have their own firmware or even more or less complex applications and controls. Manufacturers offer ready-made components in which the supplied software already provides the specific function, so that they can be used out of the box. The use of such components continues to increase as the systems in a multitude of devices become ever more complex. This now also applies to devices such as fully automatic coffee machines, lawn mowers or surveillance cameras for home security systems.
Gateways for successful supply chain attacks
- Compromised software development tools or update infrastructure
- Stolen code-signing certificates, or malicious apps signed using the identity of the developer company
- Vulnerable specific code contained in hardware or firmware components
- Pre-installed malware on devices (cameras, USB, phones, etc.)
Source: Microsoft
Why is supply chain security often ignored?
There are many reasons why cyber threats from supply chain attacks are negligently underestimated. One reason is a lack of knowledge and resources. Companies that procure components via a supply chain often act in good faith at first and do not suspect that these components pose a threat. When developing the IT security strategy, this area is still often disregarded, and the focus is exclusively on the company's own network and the various cyber threats in that area.
In addition, it is not always obvious which components cyber threats emanate from. The global economy is creating longer and longer supply chains. A company may install a component that does not come from a single manufacturer but is itself a combination of elements from different suppliers. If these include controllers or chips with their own firmware and software components, each of them is also exposed to supply chain attacks. The potential danger is thus multiplied and becomes an unmanageable risk. This is accompanied by extensive organisational challenges in terms of supply chain security.
Another point is that companies still lack the appropriate tools for supply chain security or lack the knowledge of which protective measures should be used. The control of such components is certainly possible, but the necessary solutions are still too rarely used.
Dangers for companies and end consumers through supply chain attacks
Just how important supply chain security really is can be seen from the potential impact of such cyber attacks. In fact, there are more and more examples from practice that show the glaring IT security gaps that exist and how cyber criminals specifically exploit them.
One of the larger cyber attacks in the recent past, which caused a stir worldwide, can also be traced back to weak points in supply chain security. The attack on the US IT security company, which became known as the SolarWinds hack, followed this pattern. A software component that SolarWinds uses in its Orion security software was compromised by cybercriminals. This allowed malicious code to enter the software, which SolarWinds then rolled out as an update via its own official channels. Numerous SolarWinds customers installed this update and thus infected their own networks.
The attack pattern of this supply chain attack continues to be used successfully: more and more frequently, cyber criminals try to reach the computers, and thus the data, of their victims by infiltrating code into legitimate software. For example, there was recently a supply chain attack on the software manufacturer Click Studios and its password manager Passwordstate. In this case, the attackers managed to infiltrate malicious code via an update in order to steal passwords and other confidential data.
These examples illustrate one of the central dangers of supply chain attacks. Users and companies trust the products they receive from their suppliers through their official channels. In many cases, no thought is given to the fact that this is software that is brought into the company network from the outside without being checked.
Cyber attacks on supply chains have very different targets
Cybercriminals often target an existing vulnerability in the supply chain specifically in order to exploit it. Successfully compromised supply chains pose numerous threats. First, of course, the company that uses the infected components is affected. Depending on the type of malware used, the company's own network is at risk of compromise: the attackers gain access to the network, which they then use to spread further, or they control the infected software via a command and control (C2) server. This allows them to deploy ransomware, intercept access data or exfiltrate confidential information from the company network. Industrial espionage also plays a role in these cyber attacks.
If attackers identify which end products certain components are used in, a targeted infection of the supplier is possible. In this way, the attackers circumvent the IT security of the downstream companies and concentrate on the weakest link in the supply chain.
Another threat is to the users of the end product. It is possible that a compromised system collects information about the users and sends it to the cybercriminals. Another quite recent case shows the extent of this. The company Verkada, which specialises in security systems for building technology, had its network infiltrated. Among other things, Verkada's customers use the service to store images and video from surveillance cameras in the cloud. The hackers gained access to Verkada's network and thereby to stored videos and images as well as to the live transmissions of the cameras.
What protective measures and solutions are there for this form of cyber threat?
With targeted measures, it is possible to significantly improve supply chain security. For all companies that procure software via supply chains, appropriate protective measures in supply chain security should be part of a holistic IT security strategy.
First of all, it is important to assess one's own situation through cyber supply chain risk management. This involves mapping the risk situation so that all threatened components are identified. The development of supply chain security is then based on this analysis.
Concrete IT security measures for the supply chain include firmware scans, for example. These come into consideration for hardware components that companies buy out of the box and integrate into their own production, for example in the area of IoT. Service providers offer comprehensive checks here so that the IT security of the software components is guaranteed.
Another method in supply chain security is the use of certificates and signatures. These are used to account for the IT security of the individual components over the course of the supply chain. Service providers have established themselves here with practical solutions for security control, certification and tracking. This is particularly useful when several components and companies are part of a complex supply chain.
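As an added example (not from the original article or any vendor's tooling), the following Python code shows the receiving side of such a check: an update bundle arriving through the official channel is compared against a manifest of expected SHA-256 hashes that was pinned from an independent source. The file contents and manifest are constructed for this example.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample: the update bundle as delivered by the vendor (path -> bytes).
GENUINE_BUNDLE: Dict[str, bytes] = {
    "orion/core.dll": b"legitimate core build 4.2",
    "orion/plugin.dll": b"legitimate plugin build 4.2",
}

# Constructed sample: the same bundle after a supply chain compromise,
# one file altered and one extra file injected.
TAMPERED_BUNDLE: Dict[str, bytes] = {
    "orion/core.dll": b"legitimate core build 4.2 + injected backdoor",
    "orion/plugin.dll": b"legitimate plugin build 4.2",
    "orion/helper.dll": b"unexpected extra component",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The manifest must be pinned from a channel independent of the download
# (e.g. exchanged during procurement); here it is derived from the genuine bundle.
PINNED_MANIFEST: Dict[str, str] = {p: sha256_hex(d) for p, d in GENUINE_BUNDLE.items()}


def verify_update(bundle: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the bundle may be installed."""
    findings = []
    for path, expected in manifest.items():
        if path not in bundle:
            findings.append(f"missing file: {path}")
            continue
        # compare_digest avoids leaking information through comparison timing
        if not hmac.compare_digest(sha256_hex(bundle[path]), expected):
            findings.append(f"hash mismatch: {path}")
    # Files the manifest does not know about are rejected as well
    for path in bundle:
        if path not in manifest:
            findings.append(f"unexpected file: {path}")
    return findings
```

A manifest produced by the same compromised build pipeline would not catch SolarWinds-style injection, which is why the article also calls for application security tests and network monitoring.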
Supply chain security also includes application security tests. Tools specially designed for this task check applications, programme code and other software for security. These application security tests look for hidden malware that attackers may have introduced to a third-party supplier in the course of the supply chain.
Last but not least, 24/7 security monitoring in one's own network is an elementary component of supply chain security. This actively looks for conspicuous behaviour patterns that indicate compromised systems, for example when malware establishes contact with a C&C server. In this way, activities of compromised software originating from third-party providers can be uncovered quickly. secion offers such an Incident Response and Threat Hunting Service: as part of the Active Cyber Defense Service, a complete scan of the network is carried out in real time. This active form of searching for illegal activities ensures the rapid discovery of malware that has slipped in unnoticed, as is the case with supply chain attacks.
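As an added example (not from the original article or from secion's service), the following Python code illustrates one such behaviour pattern: a host contacting the same external destination at nearly fixed intervals, which is typical of malware polling its C&C server. The proxy log lines and the jitter threshold are constructed for this example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed proxy log lines (not from a real incident): one host talks to
# update-cdn.example.net every ~10 minutes, while its mail traffic is irregular.
SAMPLE_LOG = """\
2021-05-03T09:00:00 src=10.0.1.15 dst=update-cdn.example.net bytes=512
2021-05-03T09:00:04 src=10.0.1.15 dst=mail.example.com bytes=8840
2021-05-03T09:10:01 src=10.0.1.15 dst=update-cdn.example.net bytes=512
2021-05-03T09:11:37 src=10.0.1.15 dst=mail.example.com bytes=120
2021-05-03T09:20:00 src=10.0.1.15 dst=update-cdn.example.net bytes=512
2021-05-03T09:30:02 src=10.0.1.15 dst=update-cdn.example.net bytes=512
2021-05-03T09:33:10 src=10.0.1.15 dst=mail.example.com bytes=9000
2021-05-03T09:40:01 src=10.0.1.15 dst=update-cdn.example.net bytes=512
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) bytes=(\d+)$")


def parse_log(text: str) -> Dict[Tuple[str, str], List[datetime]]:
    """Group connection timestamps by (source, destination) pair."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the hunt
        ts, src, dst, _ = m.groups()
        seen[(src, dst)].append(datetime.fromisoformat(ts))
    return seen


def find_beacons(log: str, min_hits: int = 4, max_jitter: float = 0.1) -> List[dict]:
    """Flag pairs whose intervals are nearly constant (stdev/mean <= max_jitter)."""
    findings = []
    for (src, dst), times in parse_log(log).items():
        if len(times) < min_hits:
            continue  # too few connections to judge periodicity
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        jitter = statistics.pstdev(intervals) / mean if mean else 0.0
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "period_s": round(mean), "jitter": round(jitter, 3)})
    return findings
```

A periodic connection is a lead for threat hunting, not a verdict: legitimate update checkers also poll on a timer, so each finding still has to be cross-checked against the destination and the process that opened the connection.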
It also makes sense to work exclusively with trustworthy partners. A supply chain that is as small as possible with a low number of third-party suppliers also helps to minimise the risks. In this way, the number of possible IT security vulnerabilities within the supply chain decreases. Close cooperation with these suppliers is another way to reduce IT security risks in the supply chain. An exchange on the topic of supply chain security and agreement on certain IT security standards are recommended in this context. When selecting suppliers, it also makes sense to include a cybersecurity assessment as an important point in the evaluation as part of quality management. In some sectors, standards for information security have already been established. One example is TISAX in the automotive sector. Here, manufacturers require their suppliers to have the corresponding TISAX security certificate, which raises supply chain security to a high level.
With attacks on and through suppliers and third-party companies on the rise, companies should pay more attention than ever to how their supply chains - from software development to the actual delivery processes themselves - are positioned in terms of IT security.
Recent incidents clearly show not only that supply chain attacks are a real threat, but also how far the reach and impact of a successful attack extend. Supply chain attacks are extremely complex and usually targeted. As they are increasingly seen in applications, IT security professionals need to stay on the ball: attackers are very sophisticated and professional. They cover their tracks so skilfully that it is almost impossible to trace where the attack came from or who the actual targets were. It is important that companies perceive this type of cyber threat as relevant and actively integrate effective protective measures into their own IT security strategy.