What Are Software Supply Chain Attacks and How to Prevent Them

Today, the byways, highways, and roads on which we travel are digital. It’s how we relate, how we do commerce, how we get things done. And, those very paths are brimming with virtual highwaymen. Major incidents have demonstrated how powerful a hack can be and how a disruption in operations not only affects our business but the global equilibrium. Today, software supply chain attacks are cybercriminals’ newest favorite weapon — and the threat is getting bigger. In the past 12 months, several incursions have shown the large-scale consequence of these types of attacks. From compromised updates that affected 18,000 customers of SolarWinds to the Equifax breach that ended up costing almost $2 billion. In today’s article, we’re going to investigate what are software supply chain attacks, how they affect you, and, ultimately, what you can do to slow them down. 

What are software supply chain attacks?

Supply chain attacks are a rather new kind of threat that just started to emerge a couple of years ago. Today, it is getting a lot of steam and, more importantly, it’s fast becoming the go-to method of assailing a company and its infrastructure. What are software chain attacks? Well, the target isn’t so much your company’s tangible assets or actual mechanics, but your software developers, its suppliers, and your updates. The main goal of this practice is to corrupt your codes, build backdoors or processes into them and then infect legitimate updates to your apps or your services once you distribute them. It’s a type of malware that is “injected” into your software which you, as a provider, unknowingly distribute to your clients. 

Attackers make a habit of hunting insecure networks, unprotected servers, and unsafe coding practices. They then break in, alter your codes and infect your updates with malware. Because software is supposedly built and released by trusted vendors — in other words, you, these apps, and firmware are certified and signed off by the likes of Apple, Google, Microsoft, or private distributors. Your clients download these updates, and in doing so install the malicious code into their personal infrastructure. 

Types of software supply chain attacks

There are many types of these attacks, and as an emerging trend, we’re only now getting a glimpse of what the cybercriminal community can get up to with these new forms of incursion. As of today, there are 4 types to be wary of:

• Compromised digital infrastructure or software building tools.
• Stolen certificate sign-in codes — that’s when hackers steal your identity and certification and use it to release their own software.
• Corrupted hardware, or other firmware components.
• Pre-installed malware on devices like USBs, smartphones, cameras, etc.

Software supply chain attacks — the trend is growing

But why are software supply chain attacks trending nowadays? What has changed? Well, this is due to various factors, all of which attract cybercriminals and truly make this kind of attack enticing.

• The Internet Of Things has made it possible for a hacker to gain access to a client’s servers and hard drives by a backdoor installed into a toaster that has WiFi access. Companies like Xiaomi are now releasing hundreds of appliances with smart-home technology, not only them but other titans like Apple and Google. What does this mean? A small tweak in a blender’s firmware can give criminals access to a much larger mainframe.
• Foreign Intelligence Agencies are using updates to gain access to National Federal DataBases — as was the case with SolarWind. In many cases, malware might be installed into a supply chain simply to get access to just one client. It might infect 18,000 customers but the primary target is just 1. It’s a huge investment by hackers but one that pays off if they manage to compromise that big whale.
• The pandemic created a bottleneck when it came to software development. Overnight hundreds of companies needed to go online and shift their business model. This meant that they had no choice but to start downloading plugins, software, and updates just so they could manage to stay afloat and migrate to eCommerce. This was a once-in-a-lifetime event for hackers. Why? Software developers had to act fast and in doing so a huge amount of them became lax with their safety protocols.
• The payoff is staggering — the average software attack might end up netting cybercriminals anywhere between $4 million to $7 million.
• Due to the payoff, hacker groups have a lot of money to invest — this means they have better technology, better information, and Grade-A professionals. Plus, some of them are even bankrolled by foreign powers. In other words, they also have immunity.

What can companies do to mitigate software supply chain attacks?

You can’t ensure to prevent software supply chain attacks. That’s the first thing you have to understand. You inevitably will, sooner or later, discover that you’re been breached. Apple, Yahoo, Sony, the CIA, the NSA, the FBI, and even the White House have been attacked – successfully – by cybercriminals through this method. If they can’t prevent it, neither can you. If a well-financed group has you in their crosshair, you will be hit — nevertheless, you can mitigate and lessen the damage following a couple of simple rules.

• Initialize strong code integrity policies. This will mean that only authorized and inspected apps will run and be made available to the public.
• Use endpoint detection to automatically single out suspicious activities.
• Maintain a secure software building infrastructure.
• Constantly update third-party apps and OS.
• Apply security patches.
• Require multi-factor authentication for administrators.
• Create secure software updaters.
• Require SSL for update channels.
• Implement certificate pinning.
• Check for digital signatures.
• Don’t allow software updates to accept generic inputs, sign-ins, or commands.
• Tell customers and clients when you’ve been breached and how it might affect them.

And, finally, always be on the lookout for a software supply chain attack. The faster you spot one, the faster you can dampen its damage and patch it up. There are many solutions in the market to prevent software supply chain attacks, but the most comprehensive ones are those that look at context throughout the software development life cycle such as Apiiro, for example.

Securing your network against software supply chain attacks

In 2014, a software update of Apple’s “secure” iCloud network allowed hackers to gain access to millions of accounts. It gave them unfettered entry to a smorgasbord of photo galleries. Thousands of people’s intimate photos were compromised — amongst them dozens of celebrities. The event became an international scandal and Apple stock went belly up for a time. It hurt the company, their reputation, and the people whose accounts were accessed. A software update by Sony, a couple of years later, gave hackers access to thousands of bank accounts. And the list of attacks on multinational tech companies goes on and on. Each time it’s cost them millions. Not only in litigations, and infrastructure fixes but on account of the backlash. 

Can you really afford a breach of this kind?