Supply Chain Cyber Attacks

11 April 2023 14:23 5 minutes to read

Illustration of strangers on green background

Welcome back to the cyber security tech blog! This time I will share my thoughts and reflections regarding supply chain cyber-attacks etc. directed at third party vendors. Why is this important - well, businesses are dramatically increasing their reliance and consumption of solutions from third party vendors. Cyber-criminal actors are aware of the impact - attacking one victim with spread to hundreds or in some cases thousands of customers creates devastating operational effects. The recovery after a cyber-attack usually takes weeks. Businesses need to prepare much more to train and practice how to deal with this.

What is a Supply Chain Attack

The cyber-criminal actors seek for unsecure network protocols, unprotected server infrastructures, and unsafe coding practices to take advantage of these exploits and vulnerabilities to change source codes and hide malware in application-build and update processes.

Software is built and released by trusted third party vendors, these software and updates are signed and certified. In software supply chain attacks, vendors are likely unaware that their apps or updates are infected with malicious code when these are distributed to all customers. The malicious code then runs with the same trust and permissions as the software.

Types of Supply Chain Attacks

CI/CD Pipeline Breach – the cyber-criminal actors search for ways to infiltrate the CI/CD pipeline to inject malicious code which will immediately have a ripple effects on production applications.
CI/CD tool misconfigurations – the cyber-criminal actor takes advantage of weaknesses and exploits in configuration such as infrastructure and policies that govern software processes. If these configuration files are not properly secured, these configuration files can be badly misused.
Compromised Software Building Tools – cyber-criminal actors use this vector to inject malicious code into a development pipeline used for creating builds, quality testing, and deploying code to production.
Dependency Confusion Attack – cyber-criminal actors have found a way to trick developers into downloading malicious packages by targeting misspellings of the most popular downloaded packages. This type of attack is called dependency confusion.

Supply Chain Statistics

Argon, an Aqua Security company, has found that software supply chain attacks grew by over 300% in 2021.
Gartner predicts that by 2025, 45% of organizations would have experienced a software supply chain attack.
The FBI has reported a 62% increase in ransomware attacks from 2020 to 2021.
A CloudBees-survey showed that 45% of enterprises have admitted that they've secured only half of their software supply chain.

These statistics tell us that software supply chain security will become even more important in the coming years as software supply chain attacks are on the rise.

Supply Chain examples

SolarWinds – the cyber-criminal attackers had access to the SolarWinds supply chain for over a year before it was discovered. Every customer organization of SolarWinds was, in turn, compromised leading to a ripple effect that is so massive that it cannot be easily quantified.
Mercedes Benz – source code leak was used by cyber-criminal actors due to exposed passwords and API tokens of Daimler's internal systems to execute future intrusions against Mercedes-Benz cloud and internal network.
CodeCov – the CodeCov Bash Uploader script was compromised and modified, and the cyber-criminal actor leveraged the Docker image that was used in CodeCov supply chain to gain access. This led to all customers of CodeCov also being vulnerable to the attack as CodeCov is a tool that is embedded into their customers' software supply chain.

Improve the protection against Supply Chain Attacks

Rigorously assess vendors before partnering with a vendor or using any third-party tools or software, businesses should rigorously check a supplier's security measures.
Always use a “Zero Trust Model” to ensure that no user or application should be trusted by default, limiting the types of activities possible within a network.
Prepare the operational business for a potential supply chain attack and adapt the traditional Business Continuity Plans to be relevant for these cyber incidents with major impact that last most likely for weeks before full recovery is done.
Carry out regular scans based on the vulnerabilities that cybercriminal actors exploit, a so-called scanning intelligence approach.
Always be up to date by always patching and life cycle affected systems and environments.

Culture and Awareness

Supply chain attacks are very serious for a bank. Dependence on third parties increases for support and solutions in processes. it becomes an integral part of the operational activities. A rich attack against a third-party vendor has extensive negative effects on all its customers. It usually takes weeks to fully recover from a cyber-attack. It is this interruption that a business must be able to manage. It will require new ways to train and practice simulated effects of a supply chain attack.

Summary and SEB Position

SEB works methodically and fact-based through analyses, modelling, insights, and know-how regarding the cyber threat landscape and the methods and goals of adversaries. That is used and translated into capabilities that underpin a modern and effective cyber defence. SEB validates and follows up on this through very extensive tests in accordance with ethical simulated cyber-attacks against critical processes and infrastructure.