Security research

How supply chain attacks work and 7 ways to mitigate them

Publisher
Pentest-Tools.com
Updated at

Your organization is a connected network of vendors, software, and people that keep your business operational. Each of these elements has various degrees of access to sensitive information which a bad actor can use as entry points in supply chain attacks.  

According to the 2022 Software supply chain attacks report, 62% of organizations surveyed have been impacted by these threats. Enisa’s report on the threat landscape for supply chain attacks highlights that, in 66% of cases, malicious hackers focus on the supplier’s code, while in 62% of cases they rely on malware as the main attack technique. Additionally, Gartner estimates that, by 2025, 45% of organizations worldwide will experience attacks on their software supply chains.

Therefore, it’s essential for offensive security pros to help decision-makers understand the real business risks these attacks bring on. 

As a penetration tester or security consultant, identifying and reporting supply chain risk can set you apart, especially if you can explain the potential fallout in business terms. So let’s help you do just that.

What is a supply chain attack? A quick refresher

Supply chain attacks are a growing type of threat that primarily targets software developers and service or technology providers with the goal to infiltrate a company’s infrastructure through a third-party supplier with access to sensitive data.

Malicious actors use these attacks to gain access to source code, development processes, or update mechanisms so they can distribute malware by infecting legitimate programs. 

Supply chain attacks are a very successful method of introducing malicious software into targeted organizations. This happens because supply chain attacks rely on the trusted relationship that exists between a manufacturer or supplier and a client. 

But what tactics do these attacks use?

Let’s dig into more details. 

How supply chain attacks work

The most common scenario for a supply chain attack is when a third party or a partner – the supplier – has access to critical data or a part of the internal infrastructure. With these rights, threat actors compromise the third party’s security mechanisms and gain legitime access to the resources granted to the third party vendor. 

For example, attackers inject malware before the program code is built and signed. This hides the malicious code behind regular security signatures and makes it more difficult for antivirus tools to detect it. 

In other cases, attackers introduce malware into legitimate software releases and upgrades via updates, patches, or compromise the email infrastructure dedicated to sending legitimate emails to customers.

One of the most interesting things about this attack is that its efficiency increases with the number of collaborative tools used by organizations/customers. 

The 3 main entry points threat actors focus on when launching supply chain attacks are:

  • email servers

  • software update infrastructures

  • CI/CD pipelines.

Companies often manage and share third-party apps such as email clients, web browsers, or software products like the Office suite, Windows OS, and its components. For instance, VMware has many products – like VMware workstations, VMware tools, vCenter, or VMware ESXi – which big organizations use at scale. 

The key for a malicious actor is to penetrate the defense of a small company and implant its own malicious software there. These kinds of SMBs often act as a supplier for bigger companies and have less protected infrastructures. 

The most common scenarios for supply chain attacks are:

  • Compromised software building tools or updated infrastructure

  • Hijacked code-sign certificates or malicious programs signed under the development company's name

  • Specialized code that has been hijacked and distributed into hardware or firmware components

  • Pre-installed malware on devices (e.g. cameras, USB, phones, etc.)

To better understand how this attack works, here’s a visual representation of its flow:

supply chain attacks flow

4 examples of supply chain attacks and their consequences

Moving forward, let’s look at some of the most notorious supply chain attacks. We’ll see what specific concerns offensive security can flag from there to explain to decision-makers and combat such attacks.

1. The SolarWinds supply chain attack 

SolarWinds is probably the most illustrative example of this type of attack. Adversaries used the SUNBURST backdoor as the main attack vector to compromise SolarWinds’ Orion management platform. 

They installed malware through a third-party vendor using a Remote Access Trojan (RAT) in the latest update of the SolarWinds Orion, an IT monitoring and management package. 

Data shows that the SolarWinds cyberattack impacted over 100 companies, including government institutions, telecommunications firms, and Fortune 500 large companies. IronNet’s 2021 Cybersecurity impact report highlights that, on average, this incident cost affected companies 11% of their annual revenue. In this particular cyberattack, cybercriminals targeted (and exploited) application servers and associated software update channels. 

As a penetration tester, you can help organizations better secure their infrastructure by detecting and reporting critical vulnerabilities found in key components of the supply chain (e.g. collaboration platforms like Jira, BitBucket, or GitLab).   

2. The CCleaner supply chain attack

CCleaner, one of the most well-known tools for software maintenance, was also at the center of a supply chain attack, which impacted over 2.3 million devices

This attack happened in three stages: 

  • First, attackers compromised an unattended workstation of one of the CCleaner developers, which was connected to the Piriform network (the CCleaner developing network). To do that, they used the remote support software tool TeamViewer. 

  • With this backdoor, attackers tried the lateral movement technique to get access to a second unattended computer connected to the same network. They compiled a version of ShadowPad, a backdoor that allows attackers to download further malicious modules or steal data.

  • Then, threat actors installed another payload on four computers in the Piriform network (as a mscoree.dll library) and a build server (as a .NET runtime library). This allowed attackers to replace the official version of the CCleaner program with their backdoored version of the CCleaner, which was pushed to millions of users.

Security researchers at Cisco Talos detected the malicious version of the software, which was distributed through the company's official website for more than a month, and notified Avast immediately. 

The malicious version of CCleaner had a multi-stage malware payload designed to steal data from infected computers and send it back to an attacker-controlled command-and-control server.

3. The FishPig supply chain attack

Another interesting supply chain attack was against the FishPig software, a vendor for the Magento e-commerce platform which provides Magento-WordPress integration software. 

Cybercriminals injected the malicious code into the license source code aka license.php, but it wasn’t detected for some weeks. During this time, the software was downloaded approximately 200.000 times

The malicious payload included some PHP code for interaction with the compromised license through which it downloaded a binary designed to install the Rekoobe remote access trojan. 

The impact was high enough for researchers to say

“Any Magento store that installed or updated paid Fishpig software since then is now likely running the Rekoobe malware”.

4. The XZ Utils Backdoor in Linux (CVE-2024-3094)

At the end of March 2024, a Microsoft software engineer unintentionally discovered a SSH backdoor in a toolset that comes installed by default on most modern Linux distributions.

The SSH backdoor in XZ Utils (CVE-2024-3094), the compromised toolset, would allow remote unauthenticated attackers to achieve remote code execution on the infected systems by passing the authentication in place.

While the backdoored package only managed to find its way into unstable releases (e.g. Debian unstable, Fedora Rawhide, etc.), this critical SSH vulnerability stands out through the calculated approach of the bad actor. Investigations showed that the first suspicious contributions on Github date as far back as 2021. 

Given how deeply embedded open-source software is in the technical infrastructure everyone uses, the challenges of handling a supply-chain attack against its core components are massive. 

CVE-2024-3094 reminded the tech community that supply chain attacks still don’t get enough attention and that ethical hackers can do more to highlight this risk and help organizations tackle it.

xz utils backdoor timeline (CVE-2024-3094)Original poster: https://twitter.com/fr0gger_/status/1774342248437813525/photo/1 

Common attack vectors and patterns in supply chain attacks

The NCSC (National Counterintelligence and Security Center) published a list of supply chain attacks classified based on the vector used to spread the malicious code. 

Here are 5 examples of common attack vectors adversaries used to compromise companies in 2021:

  • VGCA 

  • VeraPort 

  • Twilio SDK

  • GoldenSpy

  • Copay 

Source: The Director of National Intelligence 

As we can see, most cyberattacks that exploit supply chain risk focus on a segment from a PKI (Public Key Infrastructure) to bypass the mechanism which grants integrity, authenticity, and non-repudiation. 

It also helps to know the 3 common patterns you can find in most supply chain attacks:

  • Malware distribution

  • Exploiting the trust chain between the supplier and the final client

  • Attacks focus on the code of the infected product. 

Attack surface management is a helpful technique that allows organizations to identify where deviations occur. It guides immediate action because this type of attack highlights how cybercriminals relentlessly search for unprotected network protocols and infrastructures that companies use on a daily basis.

How pentesters can demonstrate the risk of supply chain attacks

As an offensive security pro, you focus on understanding how vulnerabilities are exploited in threats like malware, ransomware, or supply chain attacks. In most cases, it helps to know, identify, and prove:

  • the type of vulnerability (Remote code execution, Local File Inclusion, Unrestricted File Upload, etc.) 

  • the type of software, its purpose, and its widespread use.

For example, remote code execution in a software collaboration tool indicates it can be used in a supply chain attack. 

To put things into perspective, in 2022, through focused scans running with the Network Vulnerability Scanner (Sniper modules option), our team detected approximately 23 targets impacted by one of the CVEs involving Exchange servers which could be used for supply chain attacks.

To better prevent and report these issues at scale, you can use a dedicated tool like our Sniper Auto-Exploiter and validate the impact of high-risk CVEs, extracting evidence for your reports. 

In addition, Sniper’s feature Network Graph offers a helpful view of the inbound and outbound connections that show all paths a supply chain is made of.

sniper-summary

Sniper’s modules offer detection through the Network Scanner and also automatic exploitation capabilities that extract solid evidence, especially for a Remote Code Execution vulnerability. This feature helps you report and mitigate the widespread exploitation of vulnerable Microsoft Exchange Servers, one of the most relevant targets in this attack. 

Microsoft Exchange servers exposed around 250.000 organizations vulnerable to supply chain attacks and also generated the risk of a potential attack spreading to other organizations from various areas like banking, universities, law or government agencies, etc. 

To exploit an Exchange server, a threat actor could use social engineering to attack the supply chain with the goal to spread a legitimate email to customers or another partner company and compromise their infrastructure as a result. 

Should your client or organization be affected by a critical vulnerability in its most used software, you can jump straight into action and use Sniper to validate its real impact. For instance, you can cover various high-risk vulnerabilities in Exchange servers to get proof of compromise and understand the risks:

Each of these exploits consists of a chain of multiple vulnerabilities detectable with our Sniper modules.

This visual diagram above shows a scenario for exploiting an Exchange server (ProxyLogon)

Combat supply chain attacks with these 7 mitigation strategies

As a security researcher, I recommend having at least two stages of security evaluation of the critical infrastructure:

  • First, do an audit of your own infrastructure to validate all endpoints’ input and interaction between exterior and interior flows. You can implement this kind of mechanism through: an IDS (Intrusion Detection System) or IPS (Intrusion Prevention System), a vulnerability scanner, periodic logs checks, and manual verification to assess how correct the traffic data and evidence provided by the vulnerability scanner are. 

  • The second stage consists of implementing a cooperative policy with a third-party software vendor for a security audit of their infrastructure. Even if you trust the vendor, recent supply chain attacks reveal how difficult it is to ensure protection against them. The main focus of this collaborative process is to identify critical vulnerabilities that a potential threat actor could use to compromise the supply chain (e.g. remote code execution, authentication bypass, arbitrary write files, etc.).

Here are 7 actionable strategies you can use in your ethical hacking reports to help customers reduce the impact of supply chain attacks: 

1. Implement the principle of least privilege

Organizations often provide their employees, partners, and software unnecessarily broad access and rights. These excessive permissions facilitate supply chain attacks. Try to implement the principle of least privilege and only provide the permissions they actually need to do their jobs. 

Pro tip: In case of an attack, the threat actors will be limited only to the compromised operating system and won’t be able to go further to deploy their malicious code.

2. Deploy network segmentation and Zero Trust

Third-party software and partner companies do not require complete network access. To divide the network into zones depending on business functions, make sure to use network segmentation. As a result, even if a supply chain attack compromises a part of the network, the rest remains secure, while Zero Trust ensures that only authorized parties can gain access in the first place.

Pro tip: Applying this measure, you get more control over your network traffic and streamline your security policies. 

3. Follow DevSecOps best practices 

Add powerful security practices in the development workflow to help you detect fraudulently updated software and respond to changes quickly. 

Pro tip: This kind of measure is often ignored but it is highly recommended because serious security breaches often originate in a bad chain of developing operations.

4. Assess critical assets

Start by understanding precisely which components are your organization's most valuable IT assets. Then, examine the worst-case scenario and use it as the foundation for building your incident response plan. 

Pro tip: This method can also help to distribute existing resources to areas where they’ll have the most impact in critical situations.

5. Conduct regular vendor checks

Take the time to examine the complexity of the product before implementing a new application or technology. Check the vendor's help forums to see whether other users encountered similar issues and how fast the seller reacts to complaints. 

There are types of programs that use old, outdated software code with no regular review for critical vulnerabilities, which you should absolutely avoid. Creating a culture of open and transparent communication with selected software providers and gaining a comprehensive knowledge of their security procedures is also essential.

Pro tip: This practice will help your company make more informed business decisions and build better vendor relationships, reducing security and non-compliance risks.     

6. Review Remote Monitoring and Management (RMM) tech

If your company has an external technology partner who receives access to your infrastructure using RMM technologies, be extra careful. If that organization's RMM tools are compromised, attackers may obtain direct access to your network.

Pro tip: Do a monthly (or yearly) review of your RMM tools and check if they lack any security updates.  

7. Help management understand the risks

Because supply chain security is less known than other aspects of IT security, it is vital to explain business impact and its risks in plain terms to management and other non-security decision-makers. This way, your company can take the necessary actions to prevent such attacks: identifying key risks, building a risk-management framework, monitoring, and reviewing 

Pro tip: Make sure the team responsible for developing, deploying, or integrating the vendor’s software is well-trained to recognize the possible types of attacks (e.g. phishing attacks, data breaches, or other security incidents).

Develop an incident response process for supply chain attacks

As a pentester, you focus on helping decision-makers prioritize supply chain security and use the right risk management processes to better respond to these attacks. 

One challenging aspect is helping others understand how a serious vulnerability opens up the business to serious and costly implications. For example, threat actors often use RCE to compromise services or programs from inside the network to trigger another supply chain attack. 

If, as a pentester, you execute a successful remote code execution for a client, I recommend investigating the internal network further and looking for more vulnerable entry points. 

If the exposed target has enough potential to carry out a supply chain attack, work with business owners to implement a good incident response process. This way, you can help the organization handle such attacks quickly and minimize risks across business areas (e.g. financial, reputational, compliance, etc.). 

Get fresh security research

In your inbox. (No fluff. Actionable stuff only.)

I can see your vulns image

Related articles

Suggested articles

Discover our ethical hacking toolkit and all the free tools you can use!

Create free account

Footer

© 2013-2024 Pentest-Tools.com

Join over 45,000 security specialists to discuss career challenges, get pentesting guides and tips, and learn from your peers. Follow us on LinkedIn!

Expert pentesters share their best tips on our Youtube channel. Subscribe to get practical penetration testing tutorials and demos to build your own PoCs!

G2 award badge

Pentest-Tools.com recognized as a Leader in G2’s Spring 2023 Grid® Report for Penetration Testing Software.

Discover why security and IT pros worldwide use the platform to streamline their penetration and security testing workflow.

OWASP logo

Pentest-Tools.com is a Corporate Member of OWASP (The Open Web Application Security Project). We share their mission to use, strengthen, and advocate for secure coding standards into every piece of software we develop.