Want to try it for yourself?
What is a software supply chain attack?
Today’s software supply chains are mostly built with third-party resources that help expedite and streamline the software delivery process. Usually, organizations have to bake these resources into their systems to some extent, granting these outside sources access to internal infrastructure so they can function within the systems properly.
If an attacker finds a weak link within one of these external sources, it could end up adversely affecting the entire system. This is why supply chain security matters.
There are many kinds of supply chain threats, a few common types are:
Third-party software providers
Third-party data stores
Watering hole attacks
All of these attacks are low effort and offer a big payoff for malicious users. A bad actor simply needs to tamper with one of these third-party sites or vendors, then (by default) they gain access to thousands of users. This is the true danger of the supply chain: if the top of the chain (e.g., a third-party provider or website) becomes compromised, anything downstream will immediately be at risk as well. Attackers often take advantage of these downstream users by either delivering malware that can remotely control their devices and steal information or by extracting sensitive data directly from their files.
Third-party software providers
Today’s organizations often use third-party software providers for a variety of needs, both directly and through transitive dependencies. An attacker would simply need to compromise this third-party software in order to gain access to hundreds or thousands of clients who use the product.
A website builder’s templates or plugins can be compromised, putting the inner workings of these websites at risk of attacks.
Third-party data stores
Businesses often use third-party companies for processing and storing their data, including anything from sensitive customer information to details on the organization’s security posture, employees, and strategies.
Watering hole attacks
A watering hole attack targets a website frequently visited by users to perform data-sensitive tasks. Generally, these types of attackers target public websites from a particular industry, organization, or group of people. Attackers will use these websites to deliver malware to site visitors, usually by redirecting users from the legitimate site to a spoofed one.
Help Net Security found that software supply chain attacks jumped over 300% in 2021. Because software supply chain attacks can affect several businesses and customers at once, they often make headlines and become somewhat infamous.
Here are some examples of these well-known supply chain attacks that caused significant damage to third-party vendors and their users:
In this early 2020 attack, bad actors embedded malicious code into an update to SolarWinds Orion, an infrastructure monitoring and management platform. SolarWinds users then applied this infected update on their devices, granting the attackers backdoor access to sensitive data from a number of businesses and several government agencies.
A year later, an early 2021 attack on email security vendor Mimecast was one of the many downstream results of the SolarWinds breach. Mimecast used the SolarWinds Orion platform. When attackers embedded infected code into SolarWinds, Mimecast was affected, alongside about 18,000 other SolarWinds customers.
This infected code automatically installed software chain malware into Mimecast’s system, compromising sensitive data such as Mimecast-issued certificates, customer server connection information, email addresses, and user credentials.
Dependency confusion 2021
Last year, a new type of cyber supply chain attack — dependency confusion — was discovered by Medium contributor and programmer Alex Birsan. He was able to gain access to internal systems and exfiltrate data from industry giants like Yelp, Tesla, Apple, and Microsoft.
Alex performed this attack by creating npm or yarn packages with the same names as private internal packages. Because his packages with identical names were more recent than the company’s legitimate ones, the system pulled the malicious public packages by default. Although Alex wasn’t a black hat hacker, his discovery of the dependency confusion vulnerability proved that the naming conventions behind npm/yarn packages had the potential to put huge internal systems in jeopardy.
About five years ago, attackers infected millions of Asus computers. They used Asus updates to deliver malware that had the potential to take control of users’ computers.
Malicious attackers accomplished this by creating a backdoored version of Asus Live Update, a utility that is pre-installed on Asus laptops. To deliver it, they infiltrated Asus’s servers, then pushed the malicious software through the Live Update utility. It was difficult to detect because the attackers used a legitimate software certificate along with the "ASUSTek Computer Inc." name. A few security firms estimate that tens of thousands of users ended up with this backdoored version of the update on their computers, leaving their devices vulnerable to being taken over and controlled remotely by malicious actors.
CodeCov, a code coverage tool, works by generating machine-readable reports and uploading them to a server as developers run tests. Attackers leveraged a curl|bash script that CodeCov used to upload reports to its server by gaining access to the `private write, public read` CDN bucket that hosted the server, then making alterations to the bash script. This altered bash script was used to infiltrate clients’ CI pipelines and steal environment variables from CodeCov’s customers.
As we’ve seen from these recent supply chain attacks, attackers can infiltrate a business’s software supply chain from any number of third-party providers or components. Because of this, the supply chain can seem like a very broad attack surface.
But generally speaking, there are a few particular attack vectors that attackers will often leverage:
Source code: Attackers can tamper directly with proprietary code, as was the case for SolarWinds. They simply need to obtain high-access user credentials, gain access to a repository, or leverage a vulnerability in the code that was written by the developers and not flagged by a static code analyzer.
Dependencies: Organizations can leverage any number of third-party dependencies such as app libraries, OS packages, and base images. If any of these dependencies — whether direct or transitive — are compromised, a vulnerability is created for every company that uses them.
Build tooling: CI/CD pipelines, along with other development build tools, are designed to enable automation. They’re intended to foster rapid changes and perform tests automatically with little to no human intervention. Because of this, it can be difficult for development teams to identify a build tool that has been infected, such as in the CodeCov attack.
Deployments: The Solarwinds and Asus attacks have something in common: They both deployed malicious code during an update. To prevent a possible software supply chain attack, businesses must perform due diligence to ensure that all deployments are secure, especially if they are leveraging automated continuous deployment (CD) practices.
Businesses can prevent software supply chain attacks by implementing security measures into their development and release process. Security requires sharing responsibility across business units and baking security into every stage of development — a DevSecOps approach.
Software composition analysis
Software composition analysis (SCA) is a great place to start. SCA provides a full picture of your software’s dependencies, so you can take timely action if anything goes wrong with a third-party vendor or component. The essence of SCA is understanding what’s inside your software and knowing precisely where any third-party components are located. Snyk Open Source is a SCA tool that leverages industry-leading intelligence to keep your applications secure.
Building out a software bill of materials (SBOM) is essential in implementing SCA. SBOMs provide detailed, written documentation on which applications contain which components.
Static application security testing
Static application security testing (SAST), another essential security practice, specifically focuses on scanning your organization’s in-house source code and flagging commonly exploited vulnerabilities such as potential opportunities for injection or generally insecure design. Snyk Code is a SAST that integrates directly into most IDEs, scanning code as it’s written and providing actionable remediation advice.
Container image scans
Container image scans are essential for identifying any risk within your CI build agent images or application base images. Container scanning tools — like Snyk Container — enable you to get recommendations of secure base images, continuously monitor for container vulnerabilities, and remediate any open source dependency vulnerabilities used in base images and Dockerfile commands.
Lastly, empowering and enabling developers to understand and leverage security tools results in shifting security left, and building strong policies and a secure software development lifecycle (SDLC) is important for mitigating a variety of risks, including supply chain attacks.
The best way to bake security into your everyday development processes is to include tools such as SCA, SAST, and container scans at every stage of development. In addition, it’s important to establish and enforce strong security policies. One of the best ways to do this is by implementing automated policy as code (PaC), to provide guardrails for your developers so they don’t have to manually keep up with lists of rules and regulations.
Snyk’s software supply chain security solution leverages Snyk Open Source and Snyk Container to scan and monitor dependencies and base images for any existing and new vulnerabilities that affect your projects. Both of these solutions are backed by the cutting-edge Snyk Intel Vulnerability Database which can deliver vulnerabilities an average of 47 days faster than other database options that are on the market. It also detects supply chain malware and malicious packages. Additionally, your organization can use Snyk Advisor to find healthy packages and public container base images before putting them into development.
Next in the series
Supply Chain Security Risks & Best Practice
What are the biggest threats to your organization’s software supply chain, and what are the best practices to facilitate supply chain security?Keep reading