The Hidden Danger in Your Software: Understanding Supply Chain Attacks


Posted on by Tatyana Sanchez

The rise of attacks targeting the software supply chain has increased over the years, with more than 75% of software supply chains experiencing cyberattacks in 2024. These attacks, which exploit vulnerabilities in the complex web of dependencies, libraries, and tools used to develop and deploy software, have the potential to cause widespread damage for organizations, not just financially, but also to their brand reputation and image.

The Evolving Nature of Supply Chain Attacks

Software supply chain attacks have evolved over the past years. As Viswanath Chirravuri, Software Security Director at Thales, stated in his RSAC 2024 presentation, “Historically, you would see an attacker targeting something accessible, like a web application, a network, hardware, or a host that is actually deployed and being operated.” In his view, however, “Cyberattacks have evolved by targeting the supply chain of everything in computers.” Chirravuri said that the attacker's goal is to compromise the supplier of a supplier of yet another supplier, and so on, until reaching the customer that holds the assets the attacker is ultimately after. Figure 1 shows the full workflow of a typical supply chain attack. Chirravuri stated that attack surfaces for the software supply chain mostly start at the application source code, where a third-party library can be compromised.

[Figure 1: workflow of a general supply chain attack; image not reproduced here]

Figure 1. Source: RSAC 2024 Presentation

Categories of Software Supply Chain Attacks

As a panelist in one of the RSAC 2024 presentations, Erin Joe, Cybersecurity Executive, Office of the CISO at Google Cloud, discussed two main areas of supply chain attacks. One area is how threat actors exploit vulnerabilities to gain access to something already within our digital supply chain. The second area involves threat actors using implants, which means introducing something malicious into the product itself—what Joe considers a true supply chain attack.

Joe provided an example of a supply chain attack focusing on the second area, implants. North Korean threat actors were able to implant malicious code into trading software at 3CX. 3CX acknowledged that an employee downloaded that trading software onto their laptop, which allowed the threat actors to gain access to the build environment and the application's desktop. They then placed another implant into the trading software, which was subsequently downloaded by their customers.

Joe stated, “This is the first time I've seen cascading events in a supply chain attack. It tells us how we can better secure our human element and secure access to critical environments and data with things like Zero Trust.”

Douglas McKee, Instructor at SANS and Executive Director of Threat Research at SonicWall, and Ismael Valenzuela, Faculty and Senior Instructor at SANS, touched on a couple more categories of supply chain attacks, specifically focusing on software. In their RSAC 2024 presentation, McKee listed two main categories of software supply chain attacks:

  • Breach-Based: When a vendor or company is breached, they may modify code or their operational procedures, and their customers become infected as a result of that third-party breach.
  • Library or Software Development Kit (SDK): When a library or SDK has a vulnerability, users of products that utilize that underlying library or dependency inherit that vulnerability through the supply chain. McKee stated, “It’s not the vendor or third party that has the vulnerability, but the underlying library.”

McKee went on to say that, in order for organizations and users to defend against supply chain attacks, they must “Understand the dependencies of the larger products being used. Without this understanding, when a vulnerability is reported, organizations will not know if they are affected.”
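McKee's point is that the "am I affected?" question can only be answered if the organization already knows its transitive dependencies. The following script is an added example (not code from the post or from any of the speakers' organizations) that shows what that looks like in practice: it takes a dependency inventory in the style of a CycloneDX SBOM (a list of components plus a dependency graph, both constructed here as sample data), a constructed advisory for a hypothetical library called xml-parse, and walks the graph from a product down to every affected component so the path through the supply chain is visible. The component names, versions and the advisory's version range are all made up for the illustration.

```python
"""Added example: answer "are we affected?" from a dependency inventory.

Not from the RSAC post. Assumes a CycloneDX-style SBOM (components plus a
dependency graph keyed by bom-ref) and an advisory giving the affected
package and a [introduced, fixed) version range. All data is constructed.
"""
from __future__ import annotations

# Constructed inventory: each component has a bom-ref, and the dependency
# graph lists each component's direct dependencies by ref.
SBOM = {
    "components": [
        {"bom-ref": "app@2.1.0", "name": "app", "version": "2.1.0"},
        {"bom-ref": "sdk-payments@4.0.2", "name": "sdk-payments", "version": "4.0.2"},
        {"bom-ref": "http-client@1.8.3", "name": "http-client", "version": "1.8.3"},
        {"bom-ref": "xml-parse@0.9.1", "name": "xml-parse", "version": "0.9.1"},
        {"bom-ref": "logging@3.2.0", "name": "logging", "version": "3.2.0"},
    ],
    "dependencies": [
        {"ref": "app@2.1.0", "dependsOn": ["sdk-payments@4.0.2", "logging@3.2.0"]},
        {"ref": "sdk-payments@4.0.2", "dependsOn": ["http-client@1.8.3"]},
        {"ref": "http-client@1.8.3", "dependsOn": ["xml-parse@0.9.1"]},
        {"ref": "xml-parse@0.9.1", "dependsOn": []},
        {"ref": "logging@3.2.0", "dependsOn": []},
    ],
}

# Constructed advisory: a hypothetical flaw in xml-parse, fixed in 0.9.4.
ADVISORY = {"name": "xml-parse", "introduced": "0.8.0", "fixed": "0.9.4"}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '1.8.3' into (1, 8, 3) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str, advisory: dict) -> bool:
    """True when introduced <= version < fixed (half-open range)."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_paths(sbom: dict, advisory: dict, root: str) -> list[list[str]]:
    """Return every dependency path from root down to an affected component."""
    by_ref = {c["bom-ref"]: c for c in sbom["components"]}
    graph = {d["ref"]: d["dependsOn"] for d in sbom["dependencies"]}
    paths: list[list[str]] = []

    def walk(ref: str, path: list[str], seen: set[str]) -> None:
        comp = by_ref[ref]
        if comp["name"] == advisory["name"] and is_affected(comp["version"], advisory):
            paths.append(path)
        for child in graph.get(ref, []):
            if child not in seen:  # guard against dependency cycles
                walk(child, path + [child], seen | {child})

    walk(root, [root], {root})
    return paths


def report(sbom: dict, advisory: dict, root: str) -> str:
    """Human-readable verdict for one product, listing each exposure path."""
    paths = find_paths(sbom, advisory, root)
    if not paths:
        return f"{root}: not affected by {advisory['name']} advisory"
    lines = [f"{root}: AFFECTED via {len(paths)} path(s)"]
    for p in paths:
        lines.append("  " + " -> ".join(p))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SBOM, ADVISORY, "app@2.1.0"))
```

Run as-is, the report shows that app is exposed even though it never depends on xml-parse directly: the flaw arrives three hops down, through the payments SDK and its HTTP client. That is exactly the library/SDK category McKee describes, and it is invisible to any team that only tracks its direct vendors.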

Essential Best Practices

A fundamental understanding of where their products, libraries, and dependencies are stored and handled is critical for organizations to mitigate risk in their software supply chain. Diana Kelley, CISO of Protect AI, stated in an RSAC 2022 podcast, “It’s all about the stuff you run your business with, the partners you do business with, and making sure you understand their risks and dependencies.” It is not only the software organizations buy and the dependencies that come from third-party vendors, Kelley stated; it is also the third-, fourth-, and fifth-party vendors those partners buy from. They all matter.

Organizations should implement Zero Trust and understand the risks and dependencies of their partners and third-party vendors. This will help defend against malicious actors attempting to infiltrate their software supply chain.

Bill Malik, VP of Infrastructure Strategies at Trend Micro, listed other best practices organizations should use to secure their software supply chain in his RSAC 2023 presentation:

  • Identify the Consumers: Who would be impacted if such vulnerabilities were found?
  • Understand Agreements: What agreements do you have with your suppliers to notify you of changes that could impact you, whether in specification or SaaS?
  • Segment Networks: Segment networks to limit the impact of a potential breach.
  • Create a Cyber Emergency Response Team: Establish a dedicated team responsible for handling cybersecurity incidents.
  • Patch and Update: Continuously patch and update your software.
  • Authenticate: Implement strong MFA to verify the identity of users at every entry point.

In conclusion, even if an organization doesn't consider itself to have an internal software supply chain, it's crucial to recognize that their third, fourth, and fifth-party vendors do. These vendors have their own dependencies and libraries, creating a complex web of potential vulnerabilities. Without understanding the risks associated with these external dependencies, organizations remain blind to potential software supply chain attacks and unable to effectively protect themselves. Therefore, understanding vendor risks and implementing the best practices outlined above are essential for any organization seeking to secure its software ecosystem.

To learn more about supply chain attacks, we invite you to register for our upcoming webcasts this month, The Spy Who Hacked Us: Espionage, Cybersecurity, and the Supply Chain and Beyond the Basics: SCRM from a Hacker's Perspective where the speakers explore the supply chain landscape.


Contributors
Tatyana Sanchez

Content & Program Coordinator, RSAC
