Attacks on the supply chain


Attackers have always looked for the weakest link in the chain in order to break through a defence. This has not changed in today's highly digitized business world, and it extends to the supply chain of the supplier industry. Suppliers often have access to their customers' internal systems, and a breach of a seemingly insignificant supplier can give hacker groups entry into the network of a global corporation.

Attacks via the software supply chain are even more common and have even more dramatic effects. Instead of attacking the targeted company directly, cybercriminals target its software distributors. They identify operators with inadequate security practices in order to inject malicious code into a trustworthy software component. With the next update they have reached their goal: they are inside the network of the large company.

Explosive supply chain attacks in 2023

Recent incidents have made it clear: as digitization advances worldwide, supply chain attacks have taken on new dimensions and are creating a completely new situation in cyber security. They force an unpleasant realization on companies: the weakest link in the chain is often outside of their security structure and thus beyond their control. By compromising a single vendor, attackers can turn every application or software update sold into a Trojan horse. A large service provider can unknowingly infect thousands of companies with a single update. This high level of efficiency has made supply chain attacks enormously popular with cybercriminals. Supply chain attacks pose a significant risk to modern businesses today, and the financial damage can be enormous: from lost production, to the effort required to investigate the security incident, to losses due to reputational damage, to regulatory fines.

Attractive targets

One of the most devastating examples is the 2020 supply chain attack on software company SolarWinds, which affected a variety of organizations, including the US government. The IT monitoring system it offers is widely used and, moreover, enjoys privileged access to IT systems to obtain log and system performance data, which made SolarWinds an attractive target for attackers.

Another serious case was the supply chain attack on the IT service provider Kaseya in July 2021, in which ransomware was ultimately deployed via a manipulated software update and affected around 1,500 companies worldwide. One of the best-known victims in Europe was the supermarket chain Coop-Sweden, which had to temporarily close 800 of its stores because a payment service provider for its checkout systems failed.

The cyber attack on Toyota's supply chain in March 2022, which paralyzed a third of the company's global production, demonstrated just how vulnerable the supply chain of today's industrial companies is. The Japanese car manufacturer had to stop all 28 production lines in its 14 domestic plants after a key supplier was affected by an IT system failure caused by a cyber attack.

Zero Trust

While attacks on the software supply chain are becoming more sophisticated, they can be contained. Forgoing updates is not an option, but organizations need to realize that even the most trusted suppliers are not immune to intrusions and breaches. As a result, security leaders need to go beyond traditional vendor risk assessments. The principle of "zero trust" applies even to standard software from major manufacturers. Every application on every device must be continuously monitored, both at the endpoint level and at the network level. Only then does it become apparent when an application changes its usual behavior and, for example, seeks access to other applications, sends data across the network border or reloads files from previously unknown sources.
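The behavioural monitoring described above can be sketched as a baseline comparison; this is an added example, not code from the article or from any Radar product. The application name, event kinds, addresses and the internal network range are constructed assumptions.

```python
import ipaddress

# Constructed telemetry, not from a real product: (application, event kind, target).
BASELINE_EVENTS = [
    ("monitor-agent", "connect", "10.0.5.20"),
    ("monitor-agent", "download", "updates.vendor.example"),
    ("monitor-agent", "open_process", "monitor-helper"),
]
AFTER_UPDATE_EVENTS = [
    ("monitor-agent", "connect", "10.0.5.20"),             # usual behaviour
    ("monitor-agent", "connect", "203.0.113.77"),          # outside the network
    ("monitor-agent", "download", "cdn.unknown.example"),  # new file source
    ("monitor-agent", "open_process", "erp-client"),       # another application
]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range

REASONS = {
    "download": "file loaded from a previously unknown source",
    "open_process": "access to another application",
}

def build_baseline(events):
    """Record, per application, every (kind, target) pair seen in normal operation."""
    baseline = {}
    for app, kind, target in events:
        baseline.setdefault(app, set()).add((kind, target))
    return baseline

def crosses_border(target):
    """True if target is an IP address outside all internal networks."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False  # hostnames are judged by the baseline check only
    return not any(addr in net for net in INTERNAL_NETS)

def find_deviations(baseline, events):
    """Return (app, kind, target, reason) for each event absent from the baseline."""
    findings = []
    for app, kind, target in events:
        if (kind, target) in baseline.get(app, set()):
            continue
        if kind == "connect":
            reason = ("connection across the network border"
                      if crosses_border(target) else "new internal destination")
        else:
            reason = REASONS.get(kind, "unknown event kind")
        findings.append((app, kind, target, reason))
    return findings
```

An application with no baseline at all has every event flagged, which is the zero-trust default: nothing is assumed normal until it has been observed and accepted.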

In order to enforce a zero trust model, companies should ensure that access rights are assigned and managed adequately. In many organizations, employees, partners, and software applications have unnecessarily high privileges that make it easier to launch supply chain attacks. The principle of least privilege should therefore be followed, under which employees and software programs are assigned only the authorizations they really need to perform their tasks. There is no more carte blanche: every access to further resources is checked.

Proven Measures

Proven access control measures include multi-factor authentication (MFA) and network segmentation. These prevent third-party software from having unimpeded access to every corner of the network, build walls of defense against attacks, and thus limit the success of attacks. If a supply chain attack impacts one part of the network, the rest remains protected.

In order to evaluate the compliance and processes of the software providers they use, companies should also regularly send out security questionnaires. The aim is to make sure the providers follow best practices to prevent any tampering with the code.

Companies have only limited means to defend themselves against a manipulated update of legitimate software. With a zero-trust approach and close control by security analysts in the form of Cyber Defense Center services (CDC-as-a-Service) or CDC technology solutions such as Radar Solutions, an attack is quickly noticed and its consequences remain locally limited. Mind you: cybercrime is only as lucrative and successful as you allow it to be.

More at RadarCyberSecurity.com

 


About Radar Cyber Security

Radar Cyber Security operates one of the largest cyber defense centers in Europe in the heart of Vienna based on the proprietary Cyber Detection Platform technology. Driven by the strong combination of human expertise and experience, paired with the latest technological developments from ten years of research and development work, the company combines comprehensive solutions for the challenges related to IT and OT security in its products RADAR Services and RADAR Solutions.


 
