Software supply chain: the new Eldorado for hackers

As security measures are tightened, hackers are using new entry points that are less protected by companies: the software supply chain. These attacks are as dangerous as they are difficult to detect. Given the 600% increase in the number of attacks last year, how can we protect ourselves against these attacks, which affect 90% of businesses?

On 20 June 2023, the directors of SolarWinds, including the CISO, were summoned by the US securities regulator for a “securities data breach”. This warning comes two years after the Sunburst cyber attack. For the record, in 2020 hackers compromised an update to the company’s Orion IT management platform, giving them remote access to infected computers via the now infamous Log4J.

According to the US government, the attack was carried out by the Russian intelligence agency SVR. As a result of this attack, not only major companies such as Intel, Microsoft and VMWare, but also numerous US agencies and institutions and their 18,000 customers were stolen and infected, with ramifications for long-term damage.

With Sunburst, the IT world discovered software supply chain attacks. An attack that involves infecting software that is massively deployed within organisations. This type of attack has increased by more than 600% over the past year, and more than 90% of organisations have already been impacted by an attack targeting their software supply chain.

 Software supply chain: a definition

In practical terms, the software supply chain is similar to the traditional logistics supply chain. It consists of processes and people who produce applications and interact throughout the development chain. Developers produce applications and deposit them in directories that undergo several manipulations before being deployed in execution environments, most often Kubernetes.

Attacking an application’s runtime environment is nothing new. In the 1980s, the computer scientist Kenneth Thomson was the first to introduce a backdoor into a C compiler. His idea was to introduce a hack of the login function to gain access to all these systems. Since then, this technique has flourished and forms the central axis of many attacks.

Why the rise in attacks? 

This upsurge in supply chain-related compromises is based essentially on two factors:

1. Interconnection and hyperconnection are becoming increasingly widespread via APIs inserted into the software chain. Entering via these APIs provides an easier attack surface for attackers, but above all gives them the opportunity to move from one system to another;

2. Developments in security policies, particularly MFAs or EDR tools, which encourage hackers to find new entry points.

This is without taking into account the fact that many attacks are opportunistic, and most often rely on third-party suppliers to target an end-user. In the case of the compromised Orion server, attackers introduced a backdoor into the SolarWinds artefacts that are then deployed to end customers. Once activated, this malware exfiltrates data from these hundreds of Orion customers.

Why is it so difficult to secure?

The supply chain is complex. Many tools and interactions are present throughout the chain. In an enterprise application, it is not uncommon to find a large number of open source libraries – 500 on average. These libraries, often an agglomeration of various codes, are all vectors of attack. According to RUN-Throughs Cybersecurity Proving Ground, 81% of databases have at least one open source vulnerability. This vulnerability was also the vector for the SolarWinds attack.

As with other types of attack, identity theft is the primary vector of compromise. If a developer’s identity is stolen and they have their login, the hacker can upload compromised data or packages, exfiltrate passwords, and so on. Worse still, there are many vulnerabilities within containers: secrets, identifiers stored in the registry, and so on. Armed with the login, a hacker can move around easily, identify the images and libraries used and carry out other fraudulent manoeuvres.

Even more permissive, the token will give write rights, allowing the hacker to position malware that will then be deployed in the company, or to carry out typosquatting. The latter technique consists of identifying a widely used package, compromising it and renaming it in a way that is similar to the legitimate package in order to encourage the developer to use it. Secondly, the hacker can go to the stack overflow site and ask questions about the package in order to encourage developers to discover it.

Finally, another common vector: the company. If your supply chain is compromised, you could be an attack vector for your own customers.

What are the risks?

The risks of these supply chain attacks are numerous and depend mainly on the motivations of the attacker: data theft, destruction, risk to image. If you supply software solutions, the main risk is to your image, and therefore to your finances. For example, Solarwinds lost 40% of its value following the Orion attack.

How to protect against attacks via the software supply chain

As we can see, securing the supply chain is critical for business. Countering this type of attack requires a tool-by-tool approach, as well as a more restrictive security policy.
On the tools side, the priority is to deploy an intrusion system that analyses behavioural anomalies. For example, to analyse open source libraries, which we have seen present a major risk, you need to use an SBOM tool to draw up an inventory of your applications and detect anomalies.

For identity management, in addition to MFA tools, it is advisable to implement a ‘least privilege’ strategy. The aim is to be very careful when creating tokens with regard to permissions and to limit as far as possible the scope of privileges granted to limit the field of action in the event of an attack.

To avoid another Log4J, it is essential to implement a scanning tool and use it throughout the chain to detect a threat linked to an intrusion or abnormal behaviour. A single vulnerable element left undetected can be an open door to a new attack.