Protection against supply chain attacks in SMEs 


Attacks on the supply chain for IT software (and hardware) also threaten small and medium-sized companies. Updates for services and software represent an increasingly dangerous point of attack, especially since cybercriminals hope that hijacking a single update will spread the attack to numerous victims.

In addition to upgrading their cyber defenses, small and medium-sized businesses should also review their supply chains for sourcing software, hardware, and updates.

Unfortunately, attacks on the supply chain are often effective

The aim of an attack on the IT supply chain is to manipulate the production process of third-party software, from development through to updates, so that malicious code is delivered in place of a legitimate update. This IT supply chain is vulnerable, and cybercriminals are increasingly attacking it because such attacks are efficient for them: by compromising software packages and platforms from software and information system providers, they reach several victims at once. It makes little sense for an attacker to go after one company after the other with a complex attack when perhaps tens of thousands of companies and organizations use a widespread application or service and are thus efficiently within reach all at once. The attack on the SolarWinds supply chain in December 2020 affected around 18,000 of SolarWinds' 300,000 customers worldwide. Besides such mass attacks, very targeted attacks via the supply chain are also possible.

Scenes of a supply chain attack

A compromised supply chain is difficult for affected customers to detect. The cybercriminals therefore have plenty of time to cause damage, such as exfiltrating data, attacking systems or interrupting processes.

These attacks differ from earlier attacks aimed at individual customers and pose a challenge even for experts. It is not for nothing that the European Union Agency for Cybersecurity, ENISA, considers the danger real even for companies whose IT defense is well positioned.

An attack can start at several stages in the supply chain for developing, deploying or updating the software. Compromising the supplier's IT alone does not yet constitute a supply chain attack; the attack also involves modifying the code sources and writing scripts.

Depending on which link in the supply chain the attacker starts with, the skills required of them and the possibilities for defending against manipulation vary. The following phases in the supply chain can be distinguished as starting points for an attack:

  • Phase One – Programming: These attacks are relatively easy to detect. They start with targeted emails, exploits and malicious websites to gain access to the program code. At this point it is relatively easy for an attacker to change the code, but what they changed is visible in the logs.
  • Phase Two – Versioning: Attackers can launch an attack via Remote Desktop Protocol (RDP) with little effort, helped by weak passwords and exploits for an application. Because they have direct access to the source code and the logs, they can also push out modified versions in a reduced or delayed manner and leave few traces. But the changed code still proves the manipulation.
  • Phase Three – Implementation (Build): This is where it gets more demanding for the attackers, but unfortunately also for the defense. The means are the old ones: attackers use RDP attacks, weak passwords and exploits in the application. But they need a good understanding of the scripts, because the necessary modifications of the individual builds take a lot of time and are complex. The modified code can be hidden, and the defense would have to check the successive script versions individually to detect manipulations.
  • Phase Four – Signing the Components: If the attacker intervenes at this point, they do not have to manipulate code; they simply replace the genuine code with malicious code. But validation in the supply chain concept will reject this false update, so attackers have to meet some minimum criteria for legitimate updates in their fake programs.
  • Phase Five – Delivery: Here too, an attacker only has to replace the components. But the malicious components then have no signature and can be recognized by that.

How can small and medium-sized companies protect themselves?

Although the attacks take place in the update supplier's supply chain, they also affect small and medium-sized companies. To arm yourself against the damage of a supposedly legitimate update, you should take the following measures:

Stages of a supply chain attack (Image: Bitdefender).

1. Implement comprehensive cyber security that includes Endpoint Detection and Response (EDR) but at the same time, thanks to threat intelligence, sees and reports suspicious data connections. A common symptom of a successful supply chain attack is communication with a malicious command and control server. Companies with limited IT resources in particular should also make use of a managed detection and response (MDR) service and thus the expertise and time of IT security analysts. Only through the combination of EDR and MDR do those responsible see the anomalies that occur.

2. Equally important is educating employees about phishing to prevent identity hijacking in the supply chain process.

3. It is essential to know a company's supply chain processes and to check them continuously. Does an IT manager even know which software or service updates they get from whom and when? What hardware does the company acquire, and how does it protect itself from receiving malware through it? Every security officer should ask their IT supplier the following questions:

  • Is the provider's software/hardware development process documented, traceable and verifiable?
  • Does it address known vulnerabilities in product design and architecture, runtime protection, and code review?
  • How does the vendor keep a customer informed of emerging vulnerabilities?
  • What possibilities does the provider have to fix “zero-day” vulnerabilities – i.e. vulnerabilities that are present in software from the start and are only discovered later?
  • How does the supplier manage and monitor the production processes of its software and updates?
  • What does the provider do to protect its updates from manipulation and malware?
  • What type of background check is performed on vendor employees and how often?
  • How secure is the deployment of the updates?

If you receive a software update, you have to be sure that you are not getting malware: ultimately, you pay for the consequences of a successful supply chain attack yourself. Caution and a well-considered selection of suppliers, combined with comprehensive IT security, are the best defenses against a type of attack whose risk potential is far from exhausted.

More at Bitdefender.de

About Bitdefender

Bitdefender is a leading global provider of cybersecurity solutions and antivirus software, protecting over 500 million systems in more than 150 countries. Since it was founded in 2001, the company's innovations have consistently ensured excellent security products and intelligent protection for devices, networks and cloud services for private customers and companies. As the supplier of choice, Bitdefender technology is found in 38 percent of security solutions deployed around the world and is trusted and recognized by industry experts, manufacturers and customers alike. www.bitdefender.de
