During a supply chain attack, attackers exploit third-party dependencies in order to infiltrate a target’s system or network.
A supply chain attack uses third-party tools or services — collectively referred to as a ‘supply chain’ — to infiltrate a target’s system or network. These attacks are sometimes called “value-chain attacks” or “third-party attacks.”
By nature, supply chain attacks are indirect: they target the third-party dependencies that their ultimate targets rely on (often unknowingly). A dependency is third-party code that an application pulls in to add functionality: a library or package, or, on the web, a JavaScript snippet loaded from another provider. A dependency used by an ecommerce retailer, for instance, might run a customer assistance chatbot or capture information about site visitor activity. Hundreds, if not thousands, of these dependencies can be found in the software, applications, and services that organizations use to build and maintain their applications and networks.
In a supply chain attack, an attacker might target a cybersecurity vendor and add malicious code (or ‘malware’) to their software, which is then sent out in a system update to that vendor’s clients. When the clients download the update, believing it to be from a trusted source, the malware grants attackers access to those clients’ systems and information. (This is essentially how the SolarWinds attack was carried out in 2020: a trojanized update to the Orion platform was downloaded by as many as 18,000 customers.)
Before a supply chain attack can be carried out, attackers need to gain access to the third-party system, application, or tool they plan to exploit. This stage is known as the “upstream” attack. It may be done by using stolen credentials, targeting vendors with temporary access to an organization’s system, or exploiting an unpatched or previously unknown (zero-day) vulnerability in the vendor’s systems, among other methods.
Once access to this third-party dependency has been secured, the “downstream” attack — the attack that reaches the ultimate target, often via their browser or device — can be carried out in a variety of ways.
Returning to the previous example, the “upstream” attack occurs when the attacker adds malicious code to the software of a cybersecurity vendor. Then, the “downstream” attack is performed when that malware executes on end-user devices via a routine software update.
Supply chain attacks may target hardware, software, applications, or devices that are managed by third parties. Some common attack types include the following:
Browser-based attacks run malicious code in end-user browsers. Attackers may target JavaScript libraries or browser extensions that automatically execute code on user devices. They may also steal sensitive user information that the browser stores (in cookies, session storage, and so on).
Software attacks disguise malware in software updates. As in the SolarWinds attack, users’ systems may download these updates automatically — inadvertently allowing attackers to infect their devices and carry out further actions.
Open-source attacks exploit weaknesses in open-source code. Open-source packages help organizations accelerate application and software development, but they also give attackers an avenue in: they may exploit known, unpatched vulnerabilities in a package, or publish tampered or look-alike packages that conceal malware which then runs on the user’s system or device once the package is installed.
JavaScript attacks exploit existing vulnerabilities in JavaScript code or embed malicious scripts in webpages that automatically execute when loaded by a user.
Magecart attacks use malicious JavaScript code to skim credit card information from website checkout forms, which are often managed by third parties. This is also known as “formjacking.”
Watering hole attacks identify websites that are commonly used by a large number of users (e.g. a website builder or government website). Attackers may use a number of tactics to identify security vulnerabilities within the site, then use those vulnerabilities to deliver malware to unsuspecting users.
Cryptojacking allows attackers to steal computational resources needed to mine cryptocurrency. They can do this in several ways: by injecting malicious code or ads into a website, embedding cryptomining scripts into open-source code repositories, or using phishing tactics to deliver malware-infected links to unsuspecting users.
Any attack that exploits or tampers with third-party software, hardware, or applications is considered a supply chain attack. Organizations typically work with a variety of outside vendors, each of whom may use dozens of dependencies in their tools and services.
For that reason, it may be difficult, if not impossible, for organizations to completely insulate themselves from supply chain attacks. However, there are several strategies organizations can use to preemptively defend against common attack methods:
*Stopping zero-day exploits is still a particularly challenging task for most organizations. In 2021, a zero-day vulnerability (CVE-2021-44228, “Log4Shell”) was discovered in Log4j, an open-source logging library used by Java applications. It allowed remote code execution on any service that logged an attacker-controlled string, exposing hundreds of millions of devices; attackers used it to take control of vulnerable systems and carry out further attacks, including ransomware deployment and illegal cryptomining. Read more about how Cloudflare defends against the Log4j vulnerability.
Cloudflare Zero Trust helps thwart supply chain attacks by blocking access to potentially risky websites, preventing malicious uploads and downloads, and auditing the SaaS applications (both approved and unapproved) within your organization.
Cloudflare Zaraz is a third-party tool manager that loads applications in the cloud, so malicious code cannot execute on the end-user browser. Zaraz gives users visibility into and control over the third-party scripts that run on their sites, enabling them to isolate and block risky behavior.