Supply Chain Threats: Are Your Vendors Your Weakest Security Link?

If a direct attack on a particular network isn’t viable, then what’s the hacker’s next move? In many instances, it’s a case of going upstream: i.e. identifying an application trusted by the target – and using that software as a backdoor means of malware delivery.

In the security world, these scenarios are referred to as software supply chain attacks. Recent findings from Crowdstrike suggest that at least two thirds of organisations have been hit via their software supply chains, so it seems that this type of activity is on the rise.

Here’s a closer look at how threat actors use supply chains for infiltration – and at the practical steps you can take to reduce the risk of a successful attack…

Why do hackers target software supply chains?

It’s easier than the alternatives. On the whole, larger businesses and organisations that hold valuable data (i.e. the type of target that hackers are most interested in) are ramping up their security technology. This increases their ability to pick up on vulnerabilities in their systems, even those that have not been seen before. So instead of taking the direct route, attackers use a software supply chain as an alternative way in.

Here’s how it works…

  • You identify a software application that’s popular in the sector you want to target (or that you know is used by the particular user you want to attack).
  • Malicious code is embedded into the software maker’s output (e.g. new versions of their popular applications – or routine security updates).
  • The malware-infected release is then downloaded by the end-target user.

How do hackers do it? 

Infection of third-party code. It’s rare for software applications to be built entirely from scratch. Usually they combine custom code with large chunks of code pulled in from software libraries. According to Forbes, code from third-party software libraries typically accounts for 79% of the codebase of an application.

Most libraries are publicly available, authored and extended by a global army of volunteers, and subject to only minimal security checks. Doctor this code and it can have a knock-on effect on every application that uses it. As an example, Check Point discovered 50 malware-infected apps on Google Play that had all been infiltrated through the same piece of third-party code, which had been reused by various app developers.

Compromise the developer’s system before the new software is released. This is how the CCleaner malware infection occurred: a Windows optimisation tool was compromised, affecting more than 2 million users. With a successful spear-phishing attempt on an employee of the software house, it becomes possible to move across the network, ultimately gaining access to the location of the source code.

Target the distribution server. If you can compromise the internet server platform used to roll out updates to users, there’s the possibility of swapping legitimate files with infected ones.

Prevalence: How common are software supply chain attacks?

Crowdstrike recently surveyed 1,300 IT heads across the globe on this. They found the following:

  • Two thirds had suffered a software supply chain attack. Of these, 90% had suffered financial loss as a result.
  • Attacks occur across all sectors (although biotech, pharma, entertainment & media and IT services appear to be hit more frequently).
  • Only a third of respondents say they vet their software suppliers for supply chain security.

Reducing the risk 

Vet the security credentials of your suppliers. Rather than relying on empty assurances, look for evidence of concrete steps to prevent software from being infiltrated. This includes integrity checks (such as checksums) built into the build process so that ALL instances of the code being altered during development are identified. Any modification made at the distribution stage (i.e. when the software resides on Internet-accessible servers) would, in theory, break the digital signature of the code. So look for measures in place to pick up on this.
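To make that integrity check concrete, here is an added example in Go (not code from the original article or any vendor): the vendor side hashes a release with SHA-256 and signs the digest with Ed25519, and the consumer side recomputes the digest over the bytes it actually downloaded and checks the signature against a pinned vendor public key before installing. The key pair, the release name and the distribution-server swap scenario are constructed for illustration; it also covers the case where the attacker re-hashes the swapped file but cannot re-sign it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Release bundles an update file with the digest and signature a vendor
// publishes beside it on the distribution server.
type Release struct {
	Payload   []byte
	Digest    [32]byte
	Signature []byte
}

// SignRelease is the vendor-side step: hash the build output and sign the digest.
func SignRelease(priv ed25519.PrivateKey, payload []byte) Release {
	d := sha256.Sum256(payload)
	return Release{Payload: payload, Digest: d, Signature: ed25519.Sign(priv, d[:])}
}

// VerifyRelease is the consumer-side step, run before installing. It recomputes
// the digest over what was actually downloaded and checks the vendor's signature
// on that digest against the pinned public key. Any byte changed on the
// distribution server changes the digest; an attacker who re-hashes the swapped
// file still cannot produce a valid signature without the vendor's private key.
func VerifyRelease(pub ed25519.PublicKey, r Release) error {
	d := sha256.Sum256(r.Payload)
	if d != r.Digest {
		return fmt.Errorf("digest mismatch: file was altered after publication")
	}
	if !ed25519.Verify(pub, d[:], r.Signature) {
		return fmt.Errorf("signature invalid: not signed by the pinned vendor key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	rel := SignRelease(priv, []byte("installer v1.2.3 (constructed sample)"))
	fmt.Println("genuine release:", VerifyRelease(pub, rel))

	// Distribution-server swap: the published digest and signature are served
	// unchanged, but the payload bytes differ.
	tampered := rel
	tampered.Payload = []byte("installer v1.2.3 (constructed sample) + extra")
	fmt.Println("tampered release:", VerifyRelease(pub, tampered))
}
```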

Stick to approved vendors. The ‘too good to be true’ supplier whose app is cheaper than the alternatives – but whose service and security credentials cannot be assessed: this is exactly the type of vendor to be wary of if you want to reduce your exposure to this threat.

  • Mungler says:

    Hey Nathan, this is an informative article. Before I reached the section about the CCleaner code, it rang a bell in my mind, saying to myself “Is this what had happened to CCleaner?” and then it stated “Yes”, it was an attack on CCleaner. Maybe some of those old-fashioned ways are reliable (sending scripts by post or mail) without digital interference. Convenience is now coming at a cost while doing business online, and I always believed that the “HTTPS” URLs were useless, as it was only a matter of short time before another way was found around its protection. Yet, I try to inform people of this, and I am usually met with something like “But, if the banks use it there’s nothing wrong!”…mmmm. This does not explain much to these people of the most recent Facebook hack (played down) to 50 million, but it was over 100 million. So this article may answer some of those questions. Thank you Nathan! I will check out more of your information in the future.
    Mungler.

  • Chris says:

    Nathan,

    Thank you for sharing. That is very clever. Go up in the software supply stream and manipulate the code used by the target. Seems like it requires extensive knowledge and perhaps years of coding/software development experience. Plus knowing where to get the code and how to modify it. Almost like a zero-day vulnerability attack. The devil is in the details and easier said than done.

    …And I’m still struggling to write a basic backdoor executable on my Kali Linux VM against my Windows VM for my Pen Testing/ Ethical Hacking course. LOL.

    Having said that, what is your take on the OSCP course and certification?

    I ask because I’m having a blast (a lot of fun… it’s addicting) using and learning these tools and tricks… And am pursuing a career as a Pen Tester (White Hat Hacker, and getting involved with Red Team vs Blue Team exercises) for a cyber security company.

    Thanks,

    -Chris

    ps. You’ve created a great course by the way, (I’m in your first one).
    I’m learning a lot, though I do want to learn more about the tools used by a cyber security team to detect and thwart hackers. I know about and have learned to use some of the offensive tools in Kali Linux
    (MITF ARP Spoof, Zenmap, Metasploit, Veil, Wireshark, Maltego, Aircrack-ng, etc.),

    But what about the defensive tools? And can I practice using those in a virtual environment ?

  • Segun Eammnuel says:

    In my experience, protecting yourself against attacks like that means you have to only install and download very trusted software from trusted sources, use a good firewall and block all incoming signals. If you’re using Windows, check and verify all running processes in the Task Manager, and use the top command in the Terminal (Unix). Uninstall Java if you don’t really need it.

  • Eglal says:

    Hey Nathan,
    This is very informative. Thank you for sharing. I am also taking your course and have learned a lot from it. It’s absolutely amazing. Thank you so much.

  • Protection Group International says:

    Hey Nathan,

    Really interesting piece to read; as cyber security experts, it is always nice to read about what is going on in the industry. We have enjoyed reading through your blog. Your content is well put together, and we are looking forward to your next one.

  • Alishia says:

    For any business to be able to withstand any potential supply chain attack, it should undertake a business impact analysis, which it has to prepare, and also assess and monitor new and existing suppliers and, most importantly, proactively address cyber threats to the supply chain.
