Cybercriminals favour software supply chain attacks

In 2021, ENISA (European Union Agency for Cybersecurity) issued findings that pointed to a fourfold increase in supply chain attacks within the EU. According to the ENISA report - ‘Threat Landscape for Supply Chain Attacks’, their analysis of 24 attacks found that strong security protection was no longer enough alone for organisations once attackers had already shifted their attention to suppliers. These types of attacks are fast becoming the darlings of the cybercriminal fraternity. Perhaps the most wide-reaching example of this approach was back in 2020 with the now infamous SolarWinds attack.
In essence, this particular attack saw hackers breaching the infrastructure of SolarWinds to then maliciously use that access to produce and distribute so-called ‘trojan horse’ updates to users. And these weren’t just any users. SolarWinds revealed that amongst its customers were 425 of the US Fortune 500 as well as the top ten US telcos, the top five US accounting firms and practically all branches of the US Military, the Pentagon and even the State Department. This software supply chain attack also allowed cybercriminals to access the network of US cybersecurity firm FireEye, and whilst the attackers responsible were not initially named, the Washington Post went on to report the hacking arm of Russia's foreign intelligence service being behind the attack.
Security in software supply chains needs addressing
Irrespective of who did what to whom, the attack certainly triggered a response at the very highest level - President Biden issued an Executive Order focussing on bolstering the nation’s cybersecurity, which was followed very closely by a similar move by the UK government. For many, this would have been an alarming introduction to the notion of a software supply chain attack. Security in the software supply chain means addressing an often chaotic network of all the resources needed to design, develop and distribute software. What has been interesting to note since the SolarWinds attack is how quickly cybercriminals jumped onto this particular bandwagon and targeted third-party providers in software supply chains, especially on the web. By targeting companies with a strong web presence, threat actors made web supply chain attacks a key attack vector over the course of 2021.
Every story has a first page, and the emergence of web supply chain attacks follows the growth of the JavaScript development ecosystem. Today’s fully developed digital services, such as online banking and e-commerce, are powered by extremely advanced algorithms and tools. To support this complexity and reduce time-to-market, companies started to source these algorithms and marketing/business tools from third parties and integrate them directly into their websites. This in turn has led to a majority of all the code running on the average website today coming from third parties.
And it’s this reliance on third parties that gives cause for security concerns. This is the perfect breeding ground for a web supply chain attack. By breaching a third-party service provider, and injecting malicious code into the actual service, cybercriminals can spread their bad intentions across every website that uses it. Just recently, we saw DeFi platform SushiSwap breached by a web supply chain attack that resulted in the theft of $3 million in Ethereum coins.
Retaking visibility and control over the website supply chain
Organisations affected by a web supply chain attack have no control over this sequence of events. They rarely get any real-time visibility of these attacks and, subsequently, such attacks can continue quietly in the background completely unchallenged - sometimes for months on end.
There is no magic bullet when it comes to third-party code. It remains inextricably woven into the very core of web development, and companies can’t feasibly stop using third-party code altogether. DevSecOps is certainly a step in the right direction: a real change of thinking within the software industry that calls for a more robust integration of security into modern app development and deployment. DevSecOps can help to secure supply chains by ingraining security controls throughout the entire SDLC. Applying these principles can help businesses retake the visibility and control over their website supply chains that is critical if they are to have any semblance of control over what runs on their sites. To make that security genuinely robust, organisations need to do this continuously at runtime and monitor every user session for signs of malicious behaviour.
Web supply chain attacks were certainly a favourite MO of cybercriminals over the course of 2021. As we look into next year, organisations need to do a lot more to protect themselves against this type of threat. Can we expect them to mutate like a new variant of COVID? If we consider recent attacks, this is very likely to happen. But fortunately, companies can now easily take the first step towards gaining this much-needed visibility of their websites at runtime by applying solutions and methodologies to prevent these attacks. The flipside of not doing so could prove to be very costly.