Every organization relies on the software supply chain. Familiar applications are built on webs of open-source code, APIs, and third-party integrations that keep them running smoothly. This interdependent dynamic is why onboarding a new tool means choosing to trust its entire development ecosystem, rather than just the tool itself.
Software supply chain attacks, which exploit this phenomenon, are an increasingly common attack method for breaching the corporate network. Gartner predicts that "by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chain, a three-fold increase from 2021."
Rather than directly breaching a target’s network, attackers will often exploit the weaknesses in the third-party applications or open-source code their target relies on. This provides indirect access to the target’s network.
That said, software supply chain attacks are sometimes more opportunistic than targeted. Rather than working backward from a target to figure out their suppliers, an attacker may compromise something widely used, like open-source code or a specific application, and then reap whatever benefits come. These attacks are attractive because they offer considerable payoff relative to the amount of effort required.
Attackers gain access to third-party resources in a variety of ways, using stolen account credentials or exploiting zero-day or unpatched vulnerabilities. Then, they use this privileged access to launch a downstream attack. Software supply chain attacks can take different forms including:
Third-party network access. If a third party or supplier is compromised, an attacker can use their privileges to steal data from customer and partner organizations, spread malware, and more. For example, in the Kaseya attack, the cyber criminal gang REvil exploited a vulnerability within the servers used for the company’s remote monitoring and management solution. REvil then used those elevated privileges to deploy ransomware to hundreds of Kaseya customers.
Software/application updates. Devices can download malware hidden within update packages. In 2017, Russian attackers adopted this method when they embedded the NotPetya malware within an update for popular Ukrainian accounting software. The attack’s reach spread far beyond Ukraine, with the White House assessing global damages of the attack at $10 billion.
Open-source code packages. Companies will often use open-source (or publicly accessible) code to maximize efficiency in software development. However, when vulnerabilities are found within this code, organizations that use it are at risk. In addition to exploiting known vulnerabilities, attackers can also plant malicious code into these packages as another means to spread malware.
Note also that while software-based attacks are the most pervasive, with 66% of attacks focusing on supplier code, supply chain attacks can take different forms. For example, microchips, laptops, Internet of things (IoT) devices, and operational technology (OT) can all be compromised. Firmware, or the software embedded into a piece of hardware, can also be targeted.
The SolarWinds attack is arguably the most well-known example of a software supply chain attack. In December 2020, cybersecurity provider FireEye reported that they had fallen victim to an attack. Russian cyber criminal group Nobelium had targeted FireEye’s IT monitoring supplier, SolarWinds, and inserted malicious code into one of their software update packages. In total, 18,000 organizations downloaded the infected update.
SolarWinds demonstrates that an attack on a trusted, well-intentioned supplier could result in an attack on the organization that uses it.
For example, consider Apache’s December 2021 disclosure of a severe vulnerability in its open-source logging library Log4j. Log4j is so commonplace that Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA), said, “everyone should assume they are exposed and vulnerable.” Attackers wasted no time exploiting the vulnerability and continue to do so.
While large-scale attacks or high-profile victims often make the news, the software supply chain style of attack is not exclusively used against large companies. Attackers may also use this method for smaller campaigns — like those targeting development environments — that won’t necessarily make headlines. This means that this style of attack may be even more common than research suggests.
So, if no suppliers are attack-proof, how can companies respond to supply chain attacks? Reducing the excessive trust organizations give third parties is a good place to start. Implementing a Zero Trust architecture can make a big difference in this area.
Unlike perimeter-based models, which grant trust to users and devices inside a network, Zero Trust assumes attackers exist within a network. Zero Trust architecture assesses users, devices, and workloads based on identity and context and makes access decisions dynamically. More specifically, Zero Trust architecture defends the corporate network against software supply chain attacks by:
Managing third-party access. Zero Trust access management tools make it easy to customize access levels by users, devices, or workloads. Organizations can set strict standards for how third-party users connect and can enforce least-privilege access.
Preventing lateral movement. If attackers breach a network, Zero Trust architecture limits their ability to move throughout it and cause further damage. For example, Zero Trust promotes microsegmentation, which means attackers must reauthenticate to reach different zones within a network.
Protecting applications. Zero Trust can effectively hide internal applications from the Internet, protecting them from attackers. This way, even if an internal application contains a vulnerability, attackers cannot access it.
Guarding against malware. DNS filtering can block command and control attacks, which may be hidden in software updates. In these attacks, malware on a device signals to a server that it is ready to receive the attacker’s instructions. DNS filtering can block the DNS request required to establish this connection.
Defend your organization against software supply chain attacks; extend Zero Trust rules to SaaS and self-hosted applications with Zero Trust Network Access and enforce least-privilege access for third-party users, employees, and IoT devices. Cloudflare Gateway blocks access to suspicious sites, prevents data exfiltration, and protects users from command and control attacks.
Cloudflare Zero Trust is part of Cloudflare One, a Secure Access Service Edge (SASE) architecture, which securely connects remote users, branch offices, and data centers to the applications and Internet resources they need.
Why software supply chain attacks are a growing cause for concern
The impact that some of the major attacks have had
The various entry points attackers can exploit to launch these attacks
How to secure the software supply chain