If the supply chain gets stuck, production quickly comes to a standstill. Attacks on the supply chain for IT software and hardware are threatening more and more small and medium-sized companies. Updates for services and software represent a dangerous vulnerability, especially since cybercriminals hope that hijacking an update will spread the attacks to numerous victims. In addition to upgrading their cyber defenses, small and medium-sized businesses should also review their supply chains for sourcing software, hardware, and updates.
The aim of an attack on the IT supply chain is to manipulate the production process of third-party software from development to updates so that malicious code is played out instead of an update. This IT supply chain is vulnerable and cybercriminals are increasingly attacking it. Because such attacks are efficient for them: If they attack software packages and platforms from the providers of software and information systems, they reach several victims at once. It makes little sense for the hacker to attack one company after the other with a complex attack when perhaps tens of thousands of companies and organizations use a widespread application or service and are thus efficiently within reach of the companies. The attack on the Solarwinds supply chain in December 2020 affected around 18,000 of the 300,000 Solarwinds customers worldwide. In addition to a mass attack, very targeted attacks via the supply chain are also possible.
Scenes of a supply chain attack
A compromised supply chain is difficult for affected customers to detect. Therefore, the cyber criminals have enough time to cause damage – such as data exfiltration, attacks on systems or interrupting processes.
These attacks differ from the previous attacks aimed at individual customers and pose a challenge even for experts. It is not for nothing that the European Union Agency for Cyber Security, ENISA, rates the danger even for companies whose IT defense is right is well positioned.
An attack can start at several stages in the supply chain for developing, deploying or updating the software. Compromising the supplier IT does not constitute a supply chain attack. This includes modifying the code sources and writing scripts.
Depending on which link in the supply chain the hacker starts with, the skills required of him or the options for defending himself against manipulation will vary. The following phases in the supply chain can be distinguished as starting points for an attack:
- Phase One – Programming: These attacks are relatively easy to detect. They start with targeted emails, exploits and malicious websites to gain access to the programming code. It’s relatively easy for a hacker to change the code at this point. But what they changed is visible in the log logs.
- Phase Two – Versioning: Attackers can launch an attack using a Remote Desktop Protocol (RDP) with little effort. Weak passwords and exploits of an application help them. They can also play out modified versions in a reduced or delayed framework because they have direct access to the source code and logs and leave few traces. But the changed code proves the manipulation.
- Phase Three – Implementation (Build): This is where it gets more demanding for the hackers, but unfortunately also for the defense. The means are the old ones and attackers use RDP attacks, weak passwords and exploits in the application. But you need a good understanding of scripts. Because the necessary modifications of the individual builds require a lot of time and are complex. The modified code can be hidden. The defense would also have to check the successive script versions individually to detect manipulations.
- Phase Four – Signing the Components: If the attacker intervenes now, he does not have to manipulate code. It simply replaces the actual code with malicious code. But a validation in the supply chain concept will reject this false update. Therefore, hackers have to meet some minimum criteria for legal updates in their fake programs.
- Phase Five – Delivery: Here too, an attacker only has to replace the components. But the malicious components then have no signature and can be recognized by it.
How can small and medium-sized companies protect themselves?
Although the attacks take place in the supply chain of the update supplier, the attacks also affect small and medium-sized companies. In order to arm yourself against the damage of a supposedly legal update, you should take the following measures:
1. a implement comprehensive cybersecurity, which includes Endpoint Detection and Response (EDR), but which also sees and reports suspicious data connections thanks to threat intelligence. A common symptom of a successful supply chain attack is communicating with a malicious command and control server. Companies with limited IT resources in particular should also make use of a managed detection and response (MDR) service and thus the expertise and time of IT security analysts. Only through the combination of EDR and MDR do those responsible see any anomalies occurring.
2. Equally important Education of employees about phishingto prevent identity hijacking in the supply chain process.
3. It is central to the Knowing and continuously reviewing a company’s supply chain processes. Does an IT manager even know which software or service updates he is getting from whom and when? What hardware does it acquire and how do you protect yourself from getting malware through it? Every security officer should ask their IT supplier the following questions:
- Is the provider’s software/hardware development process documented, traceable and verifiable?
• Addressing known vulnerabilities in product design and architecture, runtime protection, and code review is addressed?
• How does the vendor keep a customer informed of emerging vulnerabilities?
• What possibilities does the provider have to fix “zero-day” vulnerabilities – ie the vulnerabilities that are present in software from the start and are only discovered later?
• How does the supplier manage and monitor the production processes of a software and an update?
• What does the provider do to protect its updates from manipulation and malware?
• What type of background check is performed on vendor employees and how often?
• How secure is the deployment of the updates?
If you get a software update, you have to be sure that you don’t get malicious malware: Ultimately, you have to pay for the consequences of a successful supply chain attack yourself. Caution and a well-considered selection of suppliers in connection with comprehensive IT security are the best helpers against a type of attack whose risk potential is far from exhausted.