Today, the byways, highways, and roads on which we travel are digital. It’s how we relate, how we do commerce, how we get things done. And, those very paths are brimming with virtual highwaymen. Major incidents have demonstrated how powerful a hack can be and how a disruption in operations not only affects our business but the global equilibrium. Today, software supply chain attacks are cybercriminals’ newest favorite weapon — and the threat is getting bigger. In the past 12 months, several incursions have shown the large-scale consequence of these types of attacks. From compromised updates that affected 18,000 customers of SolarWinds to the Equifax breach that ended up costing almost $2 billion. In today’s article, we’re going to investigate what are software supply chain attacks, how they affect you, and, ultimately, what you can do to slow them down.
Supply chain attacks are a rather new kind of threat that just started to emerge a couple of years ago. Today, it is getting a lot of steam and, more importantly, it’s fast becoming the go-to method of assailing a company and its infrastructure. What are software chain attacks? Well, the target isn’t so much your company’s tangible assets or actual mechanics, but your software developers, its suppliers, and your updates. The main goal of this practice is to corrupt your codes, build backdoors or processes into them and then infect legitimate updates to your apps or your services once you distribute them. It’s a type of malware that is “injected” into your software which you, as a provider, unknowingly distribute to your clients.
Attackers make a habit of hunting insecure networks, unprotected servers, and unsafe coding practices. They then break in, alter your codes and infect your updates with malware. Because software is supposedly built and released by trusted vendors — in other words, you, these apps, and firmware are certified and signed off by the likes of Apple, Google, Microsoft, or private distributors. Your clients download these updates, and in doing so install the malicious code into their personal infrastructure.
There are many types of these attacks, and as an emerging trend, we’re only now getting a glimpse of what the cybercriminal community can get up to with these new forms of incursion. As of today, there are 4 types to be wary of:
But why are software supply chain attacks trending nowadays? What has changed? Well, this is due to various factors, all of which attract cybercriminals and truly make this kind of attack enticing.
You can’t ensure to prevent software supply chain attacks. That’s the first thing you have to understand. You inevitably will, sooner or later, discover that you’re been breached. Apple, Yahoo, Sony, the CIA, the NSA, the FBI, and even the White House have been attacked – successfully – by cybercriminals through this method. If they can’t prevent it, neither can you. If a well-financed group has you in their crosshair, you will be hit — nevertheless, you can mitigate and lessen the damage following a couple of simple rules.
And, finally, always be on the lookout for a software supply chain attack. The faster you spot one, the faster you can dampen its damage and patch it up. There are many solutions in the market to prevent software supply chain attacks, but the most comprehensive ones are those that look at context throughout the software development life cycle such as Apiiro, for example.
In 2014, a software update of Apple’s “secure” iCloud network allowed hackers to gain access to millions of accounts. It gave them unfettered entry to a smorgasbord of photo galleries. Thousands of people’s intimate photos were compromised — amongst them dozens of celebrities. The event became an international scandal and Apple stock went belly up for a time. It hurt the company, their reputation, and the people whose accounts were accessed. A software update by Sony, a couple of years later, gave hackers access to thousands of bank accounts. And the list of attacks on multinational tech companies goes on and on. Each time it’s cost them millions. Not only in litigations, and infrastructure fixes but on account of the backlash.
Can you really afford a breach of this kind?
The VIPKeyLogger infostealer, exhibiting similarities to the Snake Keylogger, is actively circulating through phishing campaigns. …
INTERPOL has called for the term "romance baiting" to replace "pig butchering," a phrase widely…
Cybersecurity experts are sounding the alarm over a new strain of malware dubbed "I2PRAT," which…
A new cyber campaign by the advanced persistent threat (APT) group Earth Koshchei has brought…
Recent research has linked a series of cyberattacks to The Mask group, as one notable…
RiseLoader, a new malware family discovered in October 2024, leverages a custom TCP-based binary protocol…