Say, have you heard anything about supply chains lately? Of course, you have. This phrase has entered the zeitgeist with more gusto than Taylor Swift oozing rizz in a Chiefs jersey.
When we talk about the price of things, be they groceries or concert tickets, the conversation inevitably turns to someone remarking on “the supply chain,” and the rest of us nod knowingly.
Which is to say, supply chains have entered our consciousness because we (all of us) now know that they have a real and important impact on how we acquire goods. In the last few years, we’ve seen a shortage of goods and labor, leading to higher prices.
More than ever, we are aware that supply chains are absolutely critical infrastructure and crucial to our way of life.
As a result, digital threat actors have begun attacking supply chains with ransomware, malicious code injection, and more. They intend to disrupt those chains at the source by exploiting poor-quality code and design, weak cyber security practices, and other vulnerabilities.
By exploiting third-party vendors, malicious code can be distributed over a wider group of businesses. Supply chain attacks have increased an astonishing 633% in the last year, making it more critical to understand how they are done and how to respond.
What better way to understand the issues than by looking at the five most common supply chain attacks and showing you how you can prepare to fight back? Let’s get to it.
What is a supply chain attack?
A supply chain is very much—or maybe exactly—what it sounds like. It’s a number of different businesses or organizations that all work together to produce and deliver a specific product or service.
This could include any number of pursuits, including manufacturing, retail goods, and even the extraction, processing, and delivery of a wide variety of natural resources. As you can imagine, much of how these chains are managed happens in the digital world.
Supply chain attacks seek to target one or more specific points in the chain to gain access to the entire chain, or at the very least, more than just one link in that chain.
Those attacks may also originate at a smaller, less significant part of the chain in an attempt to gain access to a larger entity positioned at some point in that chain.
Supply chain management software is particularly vulnerable, and those exploiting these programs can wreak havoc across a wide range of businesses.
How common are supply chain attacks?
A 2020 report found that supply chain attacks increased 430% that year, with attackers targeting open-source software to gain access through development pipelines.
In the United States alone, approximately 61% of businesses were impacted by some kind of threat via their supply chain in 2023. An analyst from Capterra, an analyst house owned by Gartner, stated, “These numbers are likely only the beginning.”
And it’s only going to get worse, according to Gartner. They predict that by 2025, 45% of organizations worldwide will experience an attack on their software supply chains.
The five most common types of supply chain attacks
It goes without saying that in a world with an increasing reliance on supply-chain conglomerations, software security over ‘the whole mile’ is going to need to be a focus for those involved.
We also need to understand the threat better before we can actually respond to it, so let’s take a look at the five most common supply-chain attacks.
1. Open-source attacks
As more and more supply chains rely on open-source software, attackers breach code repositories and add malicious code to them. Once that happens, known vulnerabilities are exploited and concealed malware is added, which is then used to compromise systems and devices.
A report by Sonatype found that nearly 10% of its survey respondents had experienced security breaches resulting from open-source vulnerabilities.
According to the report, only 11% of open-source projects are actively maintained, which leads to the very easy conclusion that third-party risk management will have to be a key focus now and in the future.
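The practical counterpart to the open-source risk described above is to pin every dependency to an exact version and a digest, then verify the fetched artifact against that digest, so a package that was swapped in a compromised repository or mirror fails the check. The following is an added example written for this post, not code from Sonatype or any project named here; it parses a pip-style requirements file (the `--hash=` syntax is pip's own), flags entries that are unpinned or lack a hash, and verifies an artifact's bytes. The requirements excerpt, versions and digests are constructed placeholders.

```python
import hashlib
import hmac
import re

# Constructed sample requirements file for the demo; the package names are real
# projects but the versions and digests are placeholders, not their real hashes.
SAMPLE_REQUIREMENTS = """\
# constructed lockfile excerpt
requests==2.31.0 --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
urllib3==2.0.7 \\
    --hash=sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
pyyaml==6.0.1
colorama
"""

SPEC_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-\[\]]+)\s*(?P<op>==|~=|>=|<=|!=|>|<)?")
HASH_RE = re.compile(r"--hash=(?P<algo>[a-z0-9]+):(?P<digest>[0-9a-f]+)")


def _logical_lines(text):
    """Join backslash-continued lines, strip comments and blank lines."""
    joined = text.replace("\\\n", " ")
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def audit_requirements(text):
    """Classify each requirement as ok / no-hash / unpinned / option / unparsed."""
    findings = []
    for line in _logical_lines(text):
        if line.startswith("-"):                    # -r / -e / --index-url style options
            findings.append((line, "option"))
            continue
        m = SPEC_RE.match(line)
        if not m:
            findings.append((line, "unparsed"))
            continue
        name = m.group("name")
        if m.group("op") != "==":
            findings.append((name, "unpinned"))     # any version can be substituted
        elif not HASH_RE.search(line):
            findings.append((name, "no-hash"))      # pinned, but the artifact is never verified
        else:
            findings.append((name, "ok"))
    return findings


def verify_artifact(data, expected):
    """Compare a fetched artifact against its lockfile digest, e.g. 'sha256:<hex>'."""
    algo, digest = expected.split(":", 1)
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, digest)


def verify_sample_artifact(tampered=False):
    """Run verify_artifact on constructed bytes; tampered=True simulates a swapped file."""
    pinned = "sha256:" + hashlib.sha256(b"constructed package bytes").hexdigest()
    payload = b"tampered package bytes" if tampered else b"constructed package bytes"
    return verify_artifact(payload, pinned)


if __name__ == "__main__":
    for name, status in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{status:9} {name}")
    print("artifact ok:", verify_sample_artifact(), "| tampered ok:", verify_sample_artifact(tampered=True))
```

Running it reports `requests` and `urllib3` as ok, `pyyaml` as pinned but unverifiable, and `colorama` as unpinned; the artifact check passes for the original bytes and fails for the substituted ones. In a build pipeline the same audit belongs in CI so that a pull request which loosens a pin or drops a hash is caught before it ships.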
2. Single sign-on (SSO) attacks
Just this year, a web application security researcher named Sam Curry found that car companies like BMW, Rolls-Royce, and Mercedes-Benz had experienced attacks in which “access to hundreds of mission-critical internal applications” had been compromised via improperly configured SSO protocols.
These applications included multiple GitHub instances, a company-wide internal chat tool, and internal vehicle-related APIs. Let’s let Sam explain in detail from this post:
After a few minutes, we saw that the GitHub instance had internal documentation and source code for various Mercedes-Benz projects, including the Mercedes Me Connect app, which was used by customers to remotely connect to their vehicles. The internal documentation gave detailed instructions for employees to follow if they wanted to build an application for Mercedes-Benz themselves to talk to customer vehicles and the specific steps one would have to take to talk to customer vehicles. […]
We used our employee account to log in to numerous applications which contained sensitive information and achieved remote code execution via exposed actuators, spring boot consoles, and dozens of sensitive internal applications used by Mercedes-Benz employees. One of these applications was the Mercedes-Benz Mattermost (basically Slack). We had permission to join any channel, including security channels, and could pose as a Mercedes-Benz employee who could ask whatever questions necessary for an actual attacker to elevate their privileges across the Benz infrastructure.
Incredibly, they were able to access hundreds of miscellaneous internal services, including “AWS and cloud-computing control panels where [they] could request, manage, and access various internal systems.”
Atlassian also experienced difficulties with SSO in 2021. By convincing Atlassian users to click on a malicious link, attackers were able to exploit Atlassian’s SSO to access and change source code. Although Atlassian was able to release patches fairly quickly, the damage had been done.
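Both incidents above come down to relying applications trusting an SSO token they did not fully check. The block below is an added example written for this post, not code from Sam Curry, Atlassian, or any vendor named here. It shows the checks a relying application must perform on every token it receives: a pinned signature algorithm, a valid signature, the expected issuer, the expected audience (so a token issued for one internal app cannot unlock another), and the time window. To keep it runnable with the standard library it uses an HS256 shared secret and a fixed clock, both constructed for the demo; real SSO deployments verify the identity provider's asymmetric signatures (RS256/ES256) with a JWT library, but the claim checks are identical.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values: a fixed clock, a shared secret and an issuer URL that
# exist only for this example.
NOW = 1_700_000_000
KEY = b"constructed-demo-shared-secret"
ISSUER = "https://sso.example.test"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Stand-in for the identity provider: issues an HS256-signed token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_token(token, key, expected_iss, expected_aud, now=None):
    """Return (ok, detail). Every check here is one the relying application must do itself."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h, b, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the algorithm; never let the token choose it
        return False, "unexpected alg"
    expected_sig = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(b))
    if claims.get("iss") != expected_iss:     # only our IdP, not any IdP
        return False, "wrong issuer"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:         # a token for app A must not unlock app B
        return False, "wrong audience"
    if now >= claims.get("exp", 0):
        return False, "expired"
    if now < claims.get("nbf", 0):
        return False, "not yet valid"
    return True, claims.get("sub")


def sample_results():
    """Run the validator over constructed tokens covering the common failure modes."""
    good = mint_token({"iss": ISSUER, "aud": "vehicle-api", "sub": "alice", "exp": NOW + 300}, KEY)
    other_app = mint_token({"iss": ISSUER, "aud": "chat-tool", "sub": "alice", "exp": NOW + 300}, KEY)
    expired = mint_token({"iss": ISSUER, "aud": "vehicle-api", "sub": "alice", "exp": NOW - 1}, KEY)
    forged = good[: good.rfind(".") + 1] + _b64url(b"\x00" * 32)          # signature replaced
    alg_none = _b64url(b'{"alg":"none"}') + "." + good.split(".")[1] + "."  # unsigned header
    check = lambda t: validate_token(t, KEY, ISSUER, "vehicle-api", NOW)
    return {"good": check(good), "other_app": check(other_app), "expired": check(expired),
            "forged": check(forged), "alg_none": check(alg_none)}


if __name__ == "__main__":
    for case, result in sample_results().items():
        print(f"{case:10} -> {result}")
```

The audience check is the one that matters most for the pattern described above: if each internal application accepts any token from the company IdP regardless of `aud`, a single low-privilege login becomes a key to every application behind the same SSO.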
3. Security certificate attacks
As you know, your security certificate is used to assure people that your website or your product is safe to use. Unfortunately, hackers have found ways to sign code with stolen certificates in an effort to add malicious code to websites and services.
This technique allows hackers to read and modify encrypted data as it makes its way between computers and networks.
One of the most famous examples of this process is the Mimecast incident from 2021. Around 10% of their user base was affected, and hackers were able to access Microsoft 365 Exchange servers, potentially gaining access to thousands of email accounts.
4. Attacks via connected devices
At any point in a supply chain in which there is a connection, one can find the opportunity to exploit a device that connects to the network to plant malware. Those who connect to your network generally have a wide range of devices, including laptops, phones, tablets, USB keys, etc.
All a hacker has to do is find a way to get that malware onto a device, and then these devices, in turn, proliferate the malware across the network. This can happen in many ways, including phishing emails, malicious links, or even physically at the source.
Where we need to be careful, however, is how we allow those devices to connect, which devices we allow to connect, and the permissions we give them once that’s done.
The reality is that it’s impossible to know what is on every device we allow to connect to a network. Still, the important part is that we remain vigilant and ensure users have the cyber security awareness they need to minimize these threats.
5. Distributed Denial of Service (DDoS) attacks
A DDoS attack is when hackers send massive amounts of traffic to a server to prevent normal users from accessing the services or websites they use. By sending this unrelenting traffic to the server, they’re able to disrupt the day-to-day operations of those along the supply chain.
Frustratingly, these attacks are often just meant to keep businesses at any point on the supply chain from operating normally, which causes other businesses to see their own disruptions.
As an example, a Domain Name System (DNS) provider called Dyn was the unfortunate target of a DDoS attack in 2016. The attack originated from devices commonly vulnerable to infection, such as webcams and DVRs, that had been compromised with Mirai malware.
Once infected, those devices were used in tandem as a botnet to launch an attack against Dyn’s infrastructure that denied users access to sites like Amazon, Twitter, and even Netflix.
These attacks on critical infrastructure are becoming increasingly common along the supply chain, with businesses unwittingly introducing malicious code into their own networks.
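As an added example for the DDoS section (written for this post, not code from Dyn or any vendor), the block below replays constructed access-log lines through a per-source token-bucket limiter and flags the sources that are being rejected in volume. The log format, IP addresses (taken from the documentation ranges) and traffic pattern are all constructed for the demo.

```python
from collections import Counter, defaultdict

BASE = 1_700_000_000.0   # constructed epoch timestamp for the sample log


def build_sample_log():
    """Constructed access-log lines of the form '<unix_ts> <src_ip> <path>'.
    203.0.113.5 behaves normally; 198.51.100.7 floods (both are documentation ranges)."""
    lines = [f"{BASE + i:.2f} 203.0.113.5 /api/orders" for i in range(20)]        # 1 req/s
    lines += [f"{BASE + i * 0.02:.2f} 198.51.100.7 /api/orders" for i in range(100)]  # 50 req/s
    lines.sort(key=lambda line: float(line.split()[0]))
    return lines


def parse_line(line):
    ts, ip, path = line.split()
    return float(ts), ip, path


class TokenBucket:
    """Classic token bucket: `rate` tokens per second refill, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def apply_rate_limit(lines, rate=5.0, burst=10):
    """Per-source limiting over a log replay; returns (allowed, dropped) counters keyed by IP."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    allowed, dropped = Counter(), Counter()
    for line in lines:
        ts, ip, _path = parse_line(line)
        if buckets[ip].allow(ts):
            allowed[ip] += 1
        else:
            dropped[ip] += 1
    return allowed, dropped


def flagged_sources(dropped, min_dropped=50):
    """Sources rejected often enough to warrant blocking upstream or investigating."""
    return sorted(ip for ip, n in dropped.items() if n >= min_dropped)


if __name__ == "__main__":
    allowed, dropped = apply_rate_limit(build_sample_log())
    for ip in sorted(set(allowed) | set(dropped)):
        print(f"{ip:15} allowed={allowed[ip]:3} dropped={dropped[ip]:3}")
    print("flagged:", flagged_sources(dropped))
```

With a refill rate of 5 requests per second and a burst of 10, the normal client gets all 20 of its requests through while the flooding source has roughly four fifths of its 100 requests dropped and is flagged. Per-source limiting of this kind protects an application from a handful of noisy clients; a botnet flood like the one against Dyn comes from thousands of addresses at once and has to be absorbed upstream, which is why the capacity of providers along the chain matters as much as your own.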
How to prevent supply chain attacks
While the above may seem daunting, there are still steps that you can take to prevent supply chain attacks before they happen. Here are just a few you should consider:
Third-party risk management
With so many different businesses along the supply chain, it’s imperative to do your due diligence on any third-party vendors that can connect to your network. Research previous breaches and investigate how that business detects and stops attacks, so that a compromise there does not spread to your systems.
Implement zero-trust architecture
Zero-trust architecture means you’re building a network that assumes every user and device is an actual or potential point of compromise and continuously re-verifies credentials and behavior.
The basic principles of a Zero Trust network are as follows:
- Strong user authentication – Multi-factor authentication (MFA) or biometrics, together with identity and access management (IAM) software.
- Principle of least privilege – There is no such thing as full access; authorizations are kept narrow according to needs and roles.
- Data segmentation – It’s unsafe to keep all resources in one storage area that anyone can reach once inside; with Zero Trust, data is tagged with different security levels, and access is limited accordingly.
- Continuous monitoring – All systems, resources, and users undergo ongoing verification with user and entity behavior analytics (UEBA).
With proper implementation, it’s a strategy that can prevent attacks that would otherwise be costly.
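To show the four principles above working together, here is an added example written for this post (not code from any Zero Trust product): a small policy evaluator that requires MFA and a compliant device, restricts resources to the roles that need them, compares a resource's classification tag with the session's clearance, and folds in a behavior-based risk score derived from the user's own login baseline. The classification levels, roles, resources and login history are constructed for the demo; the risk weights are illustrative, not a standard.

```python
from dataclasses import dataclass

# Data segmentation: every resource carries a classification tag and only sessions whose
# clearance reaches that level may touch it. Levels and tags are constructed for the demo.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str
    roles_allowed: frozenset      # least privilege: only roles that need this resource


@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset
    clearance: str
    mfa: bool                     # strong authentication completed for this session
    device_compliant: bool
    risk: float                   # continuous-monitoring signal in [0, 1]


def behavior_risk(history, current):
    """Toy UEBA signal: how far this login deviates from the user's own baseline.
    `history` and `current` are dicts with country, device and hour keys."""
    score = 0.0
    if current["country"] not in {e["country"] for e in history}:
        score += 0.4
    if current["device"] not in {e["device"] for e in history}:
        score += 0.3
    if current["hour"] not in {e["hour"] for e in history}:
        score += 0.2
    return min(score, 1.0)


def authorize(session, resource, action, max_risk=0.7):
    """Evaluate one request; returns (allowed, reasons). Denials are explained, never silent."""
    reasons = []
    if not session.mfa:
        reasons.append("mfa required")
    if not session.device_compliant:
        reasons.append("device not compliant")
    if not (session.roles & resource.roles_allowed):
        reasons.append("role not permitted for resource")
    if LEVELS[session.clearance] < LEVELS[resource.classification]:
        reasons.append("classification exceeds clearance")
    if session.risk >= max_risk:
        reasons.append("session risk too high")
    if action == "write" and session.risk >= max_risk / 2:
        reasons.append("write requires a low-risk session")   # step-up before sensitive actions
    return (not reasons), reasons


# Constructed sample data: alice's usual logins (office hours, one laptop) and two resources.
ALICE_HISTORY = [{"country": "DE", "device": "laptop-17", "hour": h} for h in range(8, 18)]
SOURCE_REPO = Resource("source-repo", "confidential", frozenset({"engineer"}))
HR_RECORDS = Resource("hr-records", "restricted", frozenset({"hr"}))


def scenarios():
    """Four requests that exercise each principle; returns {name: (allowed, reasons)}."""
    normal = behavior_risk(ALICE_HISTORY, {"country": "DE", "device": "laptop-17", "hour": 10})
    odd = behavior_risk(ALICE_HISTORY, {"country": "BR", "device": "phone-unknown", "hour": 3})
    base = dict(user="alice", roles=frozenset({"engineer"}), clearance="confidential",
                mfa=True, device_compliant=True)
    ok_session = Session(risk=normal, **base)
    odd_session = Session(risk=odd, **base)
    no_mfa = Session(**{**base, "mfa": False}, risk=normal)
    return {
        "normal_read": authorize(ok_session, SOURCE_REPO, "read"),
        "odd_read": authorize(odd_session, SOURCE_REPO, "read"),
        "normal_hr": authorize(ok_session, HR_RECORDS, "read"),
        "no_mfa_write": authorize(no_mfa, SOURCE_REPO, "write"),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:13} {'ALLOW' if ok else 'DENY '} {why}")
```

The same engineer is allowed into the source repository from her usual laptop during office hours, denied the moment her login looks unlike her own history, denied HR records on both role and classification grounds, and denied a write without MFA. Each denial carries its reasons so the monitoring side can alert on them rather than just seeing a failed request.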
Be prepared to respond
While we can always hope for the best (by which we mean that you’ve taken measures to prevent supply chain attacks), preparing for the worst is also important. An incident response plan is a plan of action for how you will handle and report data breaches.
It’s especially important along the supply chain, as an incident at your business may affect other businesses, and you’ll want to get ahead of any potential attacks on networks connected to your own.
Have procedures in place, define roles and responsibilities, and you’ll be able to address attacks efficiently and transparently.
Security awareness training
The most important thing you can do to prevent supply chain attacks is to invest in cyber security awareness training for your employees. Because all of your employees can connect to the network, it’s important that you involve everyone, not just the IT and cyber security people.
Reduce the risks of supply chain attacks
With so many potential sources of attacks on the supply chain, you’re going to want to be prepared in every way possible. We’ve seen some examples of the most common supply chain attacks above, but there are many more ways your network can be exploited.
To protect your data, we can’t recommend cyber security training for third-party risk management enough. With the proper training, your users will be able to keep your critical operations online, increase your productivity, and identify weaknesses in third-party ecosystems.