The Dark Side of Convenience: Understanding the Dangers of Digital Supply Chain

The digital supply chain is revolutionary in how it powers global connectivity and efficiency. This modern technological phenomenon underpins countless daily conveniences.... online shopping and delivery, digital banking, remote work, food delivery, video chatting with friends or family in distant locations, or watching a favorite movie on a streaming service to name just a few. And let’s not forget about critical infrastructure services that supply clean water from faucets, electricity on demand, long haul transportation of people and goods, and reliable food and agriculture as just a few examples. None of these modern luxuries are possible without a digital supply chain pushing ones and zeros at lightning speed across cyber space.

Yet with any great technological advance comes risk. A recent survey of IT decision-makers found that 77% of organizations had detected the presence of unknown participants in their software supply chains in the previous 12 months. Digital supply chains have become a playground of sorts for attackers looking to capitalize on any available intrusion vector. Third-Party Risk Management (TPRM) mitigates some of this risk, but there is no perfect formula especially when DevSecOps and software bill of materials (SBOM) practices are not standardized.  

The greatest danger possibly lies in the ubiquity of software-as-a-service (SaaS) – exploitation of one zero-day vulnerability can impact millions of digitized assets connected to the internet. Weaponized supply chains give attackers exponential power over years past. Furthermore, exploiting human trust can break down digital supply chain links, opening attack paths for hackers across the attack surface. By 2025, Gartner predicts that 45% of global organizations will have experienced attacks on their software supply chains which is a three-fold increase from 2021.

How Attackers Leverage Digital Supply Chain Vulnerabilities

The Human Link

Enterprises rely on hundreds if not thousands of external and third-party connections that fuel business needs; everything from SaaS products to paper shredding services, each has a digital nexus. At the core of these relationships are people that leave a digital trail of their conversations, habits, and exploitability, if you are looking through an attacker’s lens. Attackers are skilled copycats. They know how to impersonate business relationships in the digital realm, tricking victims into performing actions that help achieve their goals and objectives. When it comes to digital supply chains, the risk incurred from human interaction cannot be overlooked.

Business email compromise (BEC) is a tried-and-true, successful tactic. However, attackers know how critical the supply chain is, so they’ve developed techniques known as vendor email compromise (VEC) which specifically targets supply chain relationships and the people behind them. VEC takes advantage of trusted relationships and the urgency of business requests in the supply chain by targeting digital communications. The fundamental premise is relatively simple – compromise email accounts at one company and use it to target another company in the same supply chain. A recent study reported that the average cost of a VEC attack is $183k with the largest observed being $1.6 million. This often requires initial credential compromise to insider email accounts followed by a reconnaissance phase to observe how communication happens between people in the targeted supply chain. Ultimately, attackers insert themselves into communication threads as trusted third-party vendors ensuring that requests seem legitimate.

The outcome of VEC attacks can be damaging – stolen funds, exfiltrated data, or attackers gaining an initial foothold into a larger targeted network for persistence in the supply chain to launch bigger attacks in the future.

Do you need to test your organization’s susceptibility to VEC social engineering attempts? Consider a Red Team assessment that includes social engineering to identify areas where teams can improve vigilance against attempts by malicious attackers to exploit the people you rely on.

Third-Party Software Supply Chain Attacks

A software supply chain attack can hum long along quietly for long periods of time within an enterprise surreptitiously collecting and exfiltrating sensitive information. Attackers hide in plain sight, taking advantage of flaws they compromise in the five stages of the software supply chain lifecycle (SCL). The ubiquitous nature of software is the crux of any compromise impacting the subsequent software supply chain. Exploitation of just one flaw in a commonly used software can wreak havoc worldwide.

A software supply chain attack is defined by a threat actor that employs malicious code in a software vendor’s network to compromise the code before it reaches any of the software customers. The software code may be tampered with before it is ever released to customers or later by compromising patches and updates on end-user machines. Compared to VEC, this is a sophisticated attack vector that generally requires time, resources, and advanced capabilities. This is a driver for why the majority of observed software supply chain attacks are conducted by nation-state advanced persistent threat (APT) groups.

A few common methods to launch software supply chain attacks are:

• Hijacking updates: Attackers manipulate an update by compromising the vendor’s network and adding malware into the outgoing update or changing the update to ensure control over the software’s functionality for future operations.
• Undermining codesigning: Attackers hijack codesigning by self-signing certificates, breaking signing systems, or exploiting misconfigured account access controls. This gives attackers control of software updates by impersonating a trusted vendor and inserting malicious code into an update.
• Compromising open-source code: Attackers insert malicious code into publicly accessible code libraries that are then adopted by unwitting developers to perform specific functions into their own third-party code.

With the multitude of cyber-focused issues facing enterprises, software supply chain attacks present an exceptionally heightened danger for two primary reasons:

• Privileged access: It is common for third-party software solutions to be implemented into networks and systems with elevated privileges during installation to ensure maximum effectiveness. This can be a big win for an attacker and provide a potentially easier attack path. Additionally, software products are integrated into just about every system on a network; therefore; compromise mechanisms inserted into software can provide attackers access to some of the most mission critical systems.

• Frequent communication: Third-party software products usually need frequent lines of open digital communication with the vendor’s servers to provide updates, patches, and monitor security threats. Attackers can use this connectivity to send harmful software updates to unknowing customers on a massive scale or prevent updates from reaching customers ensuring the vulnerabilities remain as such.

Let’s revisit the infamous Solar Winds Orion product supply chain attack of December 2020. This is a well-documented and highly sophisticated instance of a software supply chain attack conducted by an advanced persistent threat actor (APT) that intentionally compromised the Solar Winds commercial software application. Although discovered and publicly disclosed in December 2020, there is evidence of confirmed compromises dating back to March 2020 and additional forensic evidence highlighting files associated with attack planning as far back as December 2019. Authorities now know that that attack was orchestrated by Russian APT actors that found the vulnerable backdoor approximately 14 months before the compromise was publicly announced. The United States Cyber Coordination Group (UCG) categorized this attack as a “serious compromise” that required “a sustained and dedicated effort to remediate.”

It is generally believed that supply chain attacks are rare, but there is evidence that they are increasing in sophistication. April 2023 brought news of a nation-state backed supply chain attack that enabled a secondary supply chain attack against 3CX, a VoIP software provider. This is the first known attack of this kind – a supply chain attack that intentionally launches another. Investigations revealed that 3CX was compromised in 2022 when an employee installed a software package called X_TRADER from Trading Technologies that had been previously injected with malware by the exact same North Korean attackers. This led to eventual compromise of both Windows and macOS build environments at 3CX and new threat observed by the cybersecurity community.

Third-Party Software Vulnerabilities Disrupt the Digital Supply Chain

While third-party software vulnerabilities are seemingly more benign, don’t be fooled. They are certainly just as dangerous from a software supply chain threat perspective. Luckily, software vulnerabilities are often discovered and disclosed to vendors before attackers ever have the chance to use them in the wild. However, after a vulnerability is disclosed by a security researcher, the race against time begins with attackers trying to develop exploits faster than vendors can deliver patches.

Software dependencies are impossible to avoid, so it is key to know your organization’s software inventory like the back of your hand. With industry data suggesting that 99% of codebases contain open-source code and 85-97% of enterprise codebases are derived from the open-source community, suffice it to say that the software dependencies that your organizations run on can introduce vulnerabilities at any time. Enterprises that don’t maintain a current, comprehensive inventory of hardware and software assets coupled with a lack of capability to identify vulnerable assets are left in a precarious position when third-party software vulnerabilities are disclosed. Offensive solutions like continuous attack surface management provide key proactive risk mitigation to rapidly hunt down supply chain vulnerabilities that have a widespread potential impact across expansive perimeters.

Remember the great Apache Log4jshell zero-day debacle of December 2021? On Thursday, December 9, 2021, Apache released details outlining a critical vulnerability in Log4j, a logging library used in millions of Java-based applications. Log4Shell, CVE-2021-44228, received a rating of 10 on the CVSS scale and was truly pervasive, affecting everything from enterprise software to web applications and well-known consumer products impacting both infrastructure and applications. In many cases, consumers simply shut down their servers to avoid becoming an immediate victim. Log4j was such an omnipresent instance in the software supply chain that on January 4, 2022, the United States Federal Trade Commission (FTC) reminded organizations of their duty to “take reasonable steps to mitigate known software vulnerabilities” to avoid FTC legal action.

Ultimately, Log4j was the software supply chain gift that kept giving during the December holiday season in 2021. As security teams worked with fervor to apply the release of Log4j 2.15.0, two more Log4j vulnerabilities were discovered followed by evidence that it was being used to install Dridex and Meterpreter malware families. Ultimately, it was revealed that approximately 10% of all assets were vulnerable to Log4Shell which included a wide range of servers, web applications, containers, and IoT devices.

By now you might be thinking that the software supply chain is simply doomed to succumb to compromise. The good news is that vulnerabilities are often disclosed quickly giving vendors the opportunity to release fixes as fast as possible, especially when rated very high on the CVSS scale. There are several companies and bug bounty programs that actively find and publicly disclose vulnerabilities, as well. Be sure to check out our Advisories section for the latest from our security experts.

The moral of the story is to patch as quickly as possible when needed to avoid becoming a cog in the wheel of software supply chain vulnerabilities. Adopting continuous attack surface management can significantly improve response time to software supply chain vulnerability detection and alleviate the burden of overworked security teams hunkered down on the front lines.

Offensive Security Recommendations to Protect Your Digital Supply Chain

There are countless recommendations to boost digital supply chain security, but some address the root problems in more detail. Below are several suggestions to consider when evaluating supply chain cybersecurity:

Enhance Security Programs

• Require continuous ASM for supplier partnerships and/or third-party security assessment programs. See examples like Meta, Google, and Amazon who utilize Bishop Fox services for vendor assessments like this.
• Develop an incident response plan that includes the supply chain vendors in the remediation actions.

• Offer frequent training and communication to the entire workforce, from the top down, to increase awareness about VEC, phishing, and tactics used by attackers to exploit human interactions. Empower your workforce to use two-way communication when they see social engineering in the wild by allowing them to report (and be rewarded) to your security team.

Enhance Technical Considerations

• Use offensive solutions that include human validation to eliminate false positives and continuously illuminate the full breadth and depth of the attack surface.
• Use third-party partners that adhere to documented standards and regulations, like the OWASP Software Component Verification Standard (SCVS) or Application Security Verification Standard (ASVS).
• Implement least-privileged access models and network segmentation. Remove unnecessary access points from third parties.