The software supply chain is increasingly targeted by cyber bad actors, according to security researchers at Microsoft in the company’s most recent Security Intelligence Report. Attackers will target both software developers and suppliers in an attempt to gain access to source code, updating processes or internal servers. The goal is to get their malware onto a software application that will be deployed to multiple users. Once the software is on a system, then so is the malware with all of the same permissions. “Supply chain concerns went beyond apps and into the cloud and included malicious browser extensions, compromised Linux repositories, and multiple instances of back-doored modules. To address this threat, organizations are moving towards a transparent and trusted supply chain model,” Diana Kelley, Microsoft Cybersecurity Field CTO, said in the report.
Once the software is affected it can then make its way onto other software that’s more widely deployed. This is what happened in the case of a common PDF editing application, according to Microsoft.
“Unknown attackers compromised the shared infrastructure in place between the vendor of a PDF editor application and one of its software vendor partners, making the app’s legitimate installer the unsuspecting carrier of a malicious payload,” Microsoft wrote last year, adding that the “app vendor’s systems were unaffected. The compromise was traceable instead to a second software vendor that hosted additional packages used by the app during installation.”
This wasn’t the work of a nation-state or a savvy cyber hacker, but “petty cyber criminals trying to profit from coin mining using hijacked computing resources,” Microsoft said.
There is a lot of trust in the world of technology. If there is a software that meets a businesses’ needs, then that business will likely buy it and trust that as long as it is updated and patched on a regular basis, it will be safe. These software supply chain attacks try to take advantage of this trust, Microsoft said.
“By poisoning software and undermining delivery or update infrastructures, supply chain attacks can affect the integrity and security of goods and services that organizations provide,” the report said.
Microsoft does offer some best practices for software developers to follow. Software updates for operating systems should be installed as soon as possible and multi-factor authentication should be required for admin privileges. Secure socket layers and digital signatures should also be important parts of the software development process, Microsoft recommends. But it will also be important to check in on current software suppliers to make sure they are practicing safe cyber.
“We recommend reviewing your IT outsourcing contracts and service level agreements (SLAs) as well as supply chain vendors to ensure they are compatible with rapid security response,” Microsoft said.