SolarWinds, a software company, fell victim to a devastating cyber-attack that saw hackers injecting malicious code into their widely used Orion software. This breach led to an alarming 18,000 of their clients receiving compromised software updates. This cybersecurity incident resonated globally, affecting myriad businesses and governmental entities.
The software supply chain, integral to modern business operations, is increasingly becoming a target for cybercriminals. Just as goods and services have supply chains, so does software. It consists of multiple components, from raw code to third-party libraries, and the entire lifecycle from development to deployment.
In this piece, we’ll explore the techniques hackers utilize to exploit software supply chain vulnerabilities and recommend measures to reinforce your security.
- Third-Party Software Integration: Software providers often integrate third-party software to enhance and broaden their capabilities, gaining specialized features and functionality without building them from scratch. This interconnected approach often leads to streamlined operations, reduced costs, and increased efficiency. However, these integrations also introduce risk: if the third-party software is not adequately secured, it creates vulnerabilities, and if a third-party service is compromised, it can act as a gateway for attacking the primary software.
- Updates/Patches: As the SolarWinds attack showed, malicious actors can infiltrate a software provider's update mechanism and use it to distribute malware to all of the software's users. Software that isn't regularly updated can also carry known vulnerabilities that cybercriminals can exploit. In addition, third-party software vendors may have different schedules and priorities for releasing patches and updates; if they are slow to patch known vulnerabilities, the integrated system stays exposed for longer.
- Open-Source Libraries: Modern software often relies on open-source libraries. If a vulnerability is found in one of these libraries and isn't patched quickly, cybercriminals can exploit it in every piece of software that depends on the library. Look no further than the infamous Log4j incident. Log4j is a widely used Java logging library developed by the Apache Software Foundation. A severe vulnerability, often referred to as Log4Shell, was discovered in the Log4j library. The vulnerability allowed attackers to remotely execute code on a backend system, impacting numerous organizations, including IBM, Cisco, Amazon, Microsoft, VMware, Dell, and more.
- API Vulnerabilities: Many supply chain systems now offer Application Programming Interfaces (APIs) for integration purposes. If these are not secured properly, nefarious actors can exploit them to gain unauthorized access or extract data. Facebook disclosed an API security breach that affected almost 87 million users: Cambridge Analytica, a political data analysis firm, had accessed the data of up to 87 million Facebook users without their explicit consent. While this wasn't a "hack" in the traditional sense, it was a significant misuse of API access, and Facebook received significant backlash from the public and regulators.
- Cloud/Web App Vulnerabilities: As many supply chain systems move to the cloud, misconfigurations or weak credentials in cloud settings can become an entry point for cybercriminals. Also, cloud services typically interact with each other via APIs. If these are not securely designed or configured, they can become potential entry points for attackers. In multi-tenant cloud environments, underlying components (like the hypervisor) are shared. A vulnerability in these shared components can affect multiple clients.
- Phishing/Social Engineering Attacks: Cybercriminals might target a company's employees with phishing emails, luring them into clicking malicious links or attachments. This can lead to the installation of malware or unauthorized access to supply chain software. In one example, an attacker sends an employee an email that appears to come from a trusted vendor, customer, or internal department. The email contains an attachment (e.g., a fake invoice or order) which, when opened, executes malware designed to steal login credentials or give the attacker remote access. In another, the email contains a link to a fake login page designed to look identical to the company's legitimate supply chain software login page; unsuspecting employees enter their login details, which are then captured by the attacker.
Now, let’s discuss strategies for how organizations can tackle these software supply chain vulnerabilities.
- Software Bill of Material (SBOM): Maintain a clear inventory of all software components, prioritizing key components to secure the most critical software pieces.
- Regular Updates and Patches: Ensure that all components are regularly updated. A majority of attacks exploit known vulnerabilities in outdated software.
- Employ Application Security Testing: Use application security testing tools throughout the software development and integration process.
- Adopt Zero-Trust and Least Privilege Models: Implement practices like allowlisting to prevent unauthorized access and lateral movement. Give users, systems, or processes only the minimum access rights they need to perform their tasks and no more. Also, use network segmentation to prevent compromised components from affecting others.
- Assess Third-party Providers: Ensure third-party software integrates securely by evaluating their security postures.
- Boost Developer Security Competency: Train and coach developers on security-first practices.
- Promote Security Awareness Training: Equip staff against phishing and social engineering through regular cyber awareness training programs.
- Monitor Continuously: Use tools to detect real-time threats and vulnerabilities.
- Conduct Regular Backups/Have Immutable Backups: Ensure backups are secure and unalterable.
- Rapid Incident Response: Act swiftly to minimize damage when anomalies are detected.
- Ensure Multi-Factor Authentication: MFA strengthens security for development & deployment environments, code repositories, and CI/CD tools, and helps ensure secure third-party access.
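The SBOM and patching recommendations above become actionable when the inventory is checked against an advisory feed automatically. The script below is an added example, not code from the original article or from any vendor: it reads a minimal CycloneDX-style SBOM and an advisory list (both constructed sample data with placeholder advisory IDs) and reports every component whose version is below the first fixed version.

```python
import json
import re

# Constructed SBOM in a minimal CycloneDX-style layout (sample data, not a real product inventory).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "example-logger", "version": "2.14.1"},
    {"name": "example-http",   "version": "4.5.13"},
    {"name": "example-parser", "version": "1.2.0"}
  ]
}
"""

# Constructed advisory feed with placeholder IDs: any version below fixed_version is treated as affected.
ADVISORIES = [
    {"component": "example-logger", "id": "ADV-0001 (placeholder)", "fixed_version": "2.17.1"},
    {"component": "example-parser", "id": "ADV-0002 (placeholder)", "fixed_version": "1.1.5"},
]

def parse_version(version):
    """Turn a dotted version into a comparable integer tuple; pre-release tags such as -beta9 count as 0."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:          # pad "1.0" to (1, 0, 0) so comparisons are consistent
        parts.append(0)
    return tuple(parts)

def load_components(sbom_text):
    """Return (name, version) pairs from the SBOM, rejecting any format this checker does not understand."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % bom.get("bomFormat"))
    return [(c["name"], c["version"]) for c in bom.get("components", []) if "name" in c and "version" in c]

def find_outdated(sbom_text, advisories):
    """Return (name, version, advisory_id, fixed_version) for each component below its fixed version."""
    fixes = {a["component"]: a for a in advisories}
    findings = []
    for name, version in load_components(sbom_text):
        adv = fixes.get(name)
        if adv and parse_version(version) < parse_version(adv["fixed_version"]):
            findings.append((name, version, adv["id"], adv["fixed_version"]))
    return findings

if __name__ == "__main__":
    for name, version, adv_id, fixed in find_outdated(SBOM_JSON, ADVISORIES):
        print("OUTDATED: %s %s -> upgrade to %s (%s)" % (name, version, fixed, adv_id))
```

In a pipeline, a non-empty result from find_outdated is the signal to block the build or open a patching ticket; a real advisory feed would replace the constructed list.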
The software supply chain, crucial to modern business practices, is facing an escalating wave of cyber-attacks. Analogous to the detailed networks found in goods and services supply chains, software presents its own maze of intricacies. By adopting these tactics, organizations can bolster their protection against such software supply chain vulnerabilities.
To learn more about how GSI’s cybersecurity practice can help, please contact us today.