Modern technology makes our lives easier, but it also leaves us more exposed to attackers. From multinational organizations all the way down to individuals with a single smart device, everyone is equally at risk of a supply chain attack, a technique that has gained in popularity over the last year.
As the world becomes more familiar with the concept of cybersecurity and aware of possible threats, threat actors are becoming even more creative, finding new ways to deliver and execute malicious payloads.
The supply chain is the network of all the individuals, organizations, resources, activities, and technology involved in creating and selling a product. Every link in the supply chain has a trusted relationship with its neighbours, which makes it worthwhile for an attacker to break into one link's network and spread to every other link over an established, trusted connection, without raising any red flags. In these kinds of attacks, this is how hackers gain a foothold on the network.
There are two main types of supply chain attack: hardware and software. We are going to discuss the latter.
Software supply chain attacks usually involve adding malicious code, or an entire module (a backdoor), to legitimate software. Because the malicious code arrives inside a trusted application, it typically goes undetected by most security products.
This is exactly what happened in the SolarWinds Supply Chain attack (2020). For reference, SolarWinds is a company that produces a network and applications monitoring platform called Orion. Hackers compromised the infrastructure of the company and then distributed malicious updates to clients. According to CSO, “SolarWinds stated that its customers included 425 of the US Fortune 500, the top ten US telecommunications companies, the top five US accounting firms, all branches of the US Military, the Pentagon, the State Department, as well as hundreds of universities and colleges worldwide. The SolarWinds software supply chain attack also allowed hackers to access the network of US cybersecurity firm FireEye”.
Another attack in which the same technique was used is the Asus Supply Chain attack (2019). According to Kaspersky, “The attack leveraged a malicious version of ASUS Live Update, a utility that automatically updates system components such as BIOS, UEFI, drivers, and applications. The malicious version included a backdoor trojan that reaches out to a C2 server to download additional payloads. It is estimated that at least half a million people installed the backdoored version of ASUS Live Update after an ASUS server that delivers the tool was compromised.”
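Both cases above turned a vendor's update channel into the delivery mechanism. The defensive control that counters this pattern is an integrity gate on the client side: an update is installed only if a manifest of file digests verifies under a release key pinned in the client, and only if the delivered files match that manifest exactly. The following Go program is an added example written for this post; it is not code from SolarWinds, ASUS, Kaspersky or Minerva, and the Ed25519-signed manifest scheme, the `VerifyUpdate` function and the sample release files are all constructed here to illustrate the check, not a description of how any real updater works.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Manifest lists the expected SHA-256 digest of every file in an update
// package. The vendor signs it with a release key that never lives on the
// build or distribution server; the client ships with only the public key.
type Manifest struct {
	Version string            `json:"version"`
	Files   map[string]string `json:"files"` // relative path -> hex SHA-256
}

// canonical serializes the manifest deterministically so signer and
// verifier hash identical bytes (encoding/json emits map keys sorted).
func canonical(m Manifest) ([]byte, error) {
	return json.Marshal(m)
}

// BuildManifest computes the digest of each file that makes up a release.
func BuildManifest(version string, files map[string][]byte) Manifest {
	m := Manifest{Version: version, Files: make(map[string]string, len(files))}
	for path, content := range files {
		sum := sha256.Sum256(content)
		m.Files[path] = hex.EncodeToString(sum[:])
	}
	return m
}

// SignManifest produces the detached Ed25519 signature published next to
// the update package (hypothetical vendor-side step).
func SignManifest(priv ed25519.PrivateKey, m Manifest) ([]byte, error) {
	msg, err := canonical(m)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// VerifyUpdate is the client-side gate. It accepts the package only if the
// manifest signature verifies under the pinned key, every delivered file
// matches its listed digest, and nothing was added or dropped. A patched
// binary (digest mismatch) or an injected module (file not in the signed
// manifest) is rejected before anything is installed or executed.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig []byte, files map[string][]byte) error {
	msg, err := canonical(m)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sig) {
		return fmt.Errorf("manifest signature invalid: refusing update %q", m.Version)
	}
	for path, content := range files {
		want, listed := m.Files[path]
		if !listed {
			return fmt.Errorf("unexpected file %q not in signed manifest", path)
		}
		sum := sha256.Sum256(content)
		if got := hex.EncodeToString(sum[:]); got != want {
			return fmt.Errorf("digest mismatch for %q: got %s want %s", path, got, want)
		}
	}
	var missing []string
	for path := range m.Files {
		if _, ok := files[path]; !ok {
			missing = append(missing, path)
		}
	}
	sort.Strings(missing)
	if len(missing) > 0 {
		return fmt.Errorf("manifest lists files absent from package: %v", missing)
	}
	return nil
}

func main() {
	// Constructed sample release: two files standing in for an updater and its config.
	release := map[string][]byte{
		"bin/updater": []byte("legitimate updater build 1.0.0"),
		"etc/config":  []byte("server=updates.example.invalid"),
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	m := BuildManifest("1.0.0", release)
	sig, _ := SignManifest(priv, m)
	fmt.Println("clean package:", VerifyUpdate(pub, m, sig, release))

	// Constructed tampering: a distribution server that adds an extra module.
	tampered := map[string][]byte{}
	for k, v := range release {
		tampered[k] = v
	}
	tampered["bin/helper"] = []byte("module not present in the signed manifest")
	fmt.Println("extra module:", VerifyUpdate(pub, m, sig, tampered))
}
```

The design point is where the trust boundary sits: the client trusts only the pinned release key, not the server it downloads from. Compromising the distribution host therefore lets an attacker serve files, but not a manifest that verifies, unless the release signing key itself is also taken, which is why that key belongs on separate, tightly controlled infrastructure.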
Software supply chain attacks leverage other techniques too, as seen in the recent Kaseya Supply Chain Attack, where a vulnerability in the vendor's software was used to gain access to clients' networks. According to the firm, "Zero-day vulnerabilities were exploited by the attackers to trigger a bypass authentication and code execution, allowing them to infect endpoints with ransomware." The company estimates that the attack affected 50 direct customers and between 800 and 1,500 businesses further down the chain.
For a threat actor, a successfully executed supply chain attack is like winning the lottery: one successful infiltration can reward the attacker with access to the vendor's entire client base. Most organizations have no visibility into their vendor's software, which can leave hackers with access to an organization for months. Such a strategic position is valuable to threat actors at every phase of the cyber kill chain, and it is what makes supply chain attacks so alarming for many organizations. We trust our software vendors to uphold high security standards; however, they are still being compromised at an alarming rate.
As it turns out, most security products are exceptional at mitigating malware that exhibits familiar patterns of behavior, but can fall short against novel, unknown threats. In the case of supply chain attacks, Minerva's award-winning and patented approach stops threats prior to execution, before the malicious file can gain a foothold on the network, without prior knowledge of the malware and without relying on prediction or analysis. It is crucial to prevent the attack from running in the first place, because once it is running it may already be too late.