Protecting Supply Chains from Highly Contagious Attacks

Hackers are using supply chain attacks to infiltrate a large number of organizations using a single, targeted attack. According to a report from the security company, Anchore, 64% of respondents have been impacted by supply chain attacks in the last 12 months. They collected data from 425 IT, security and DevOps leaders at large enterprises, and a third reported that the impact on their organizations was moderate or significant. Following an influx of recent high-profile software supply chain attacks, 46% of respondents reported that their organization has a significant focus on securing the software supply chain and an additional 14% have prioritized this area.

With cyber-attacks continually evolving, it is undeniable that the industry needs to be prepared with evolving solutions. Yet, the key challenge is understanding why supply chain attacks are becoming so frequent and how they cause such large-scale destruction.

Misplacing Trust

Supply chain attacks are caused by hackers infiltrating a system, typically through tampering with the manufacturing process of a physical component or during the distribution of a software component. By infecting legitimate applications with malware, a malicious code is allowed to run with the same trust and permissions as the original application. Metaphorically speaking, it is like poisoning the water supply at the source, rather than each individual drink of a target group. The action is more efficient in targeting a multitude of victims.

Trusted and legitimate applications offer malware and malicious codes a veil of security to be distributed throughout the rest of the chain with the same trust and permissions as the original application. The reliability and trust offered by these applications allow the hacker to have a widespread infiltration without detection, as end-users would have no reason to believe a third-party vendor is anything but legitimate.

Malpractice can occur at any stage of the product’s lifecycle, with each step offering a new opportunity for infiltration. One weak link could be the demise of the entire supply chain. It is irrelevant how much security the end-user has, as supply chain hacks happen much earlier in the product’s life, leaving all end-users vulnerable to attack. The size and complexity of many large-scale operations mean more steps in the supply chain, more chances for hackers to infiltrate and fewer chances of detection as they do not always have a clear map of the entire chain.

Attacking at the Core for Widespread Devastation

Technology is being used in more areas than ever before. With increased amounts of IoT infrastructure for health, financial and military data, hackers have access to increasingly sensitive information with disastrous consequences. These industries have extremely large-scale businesses with complex supply chains, offering extra opportunities for attack.

In September 2021, researchers revealed that a UEFI (unified extensible firmware interface) bootkit had been used by attackers to backdoor windows systems as early as 2012. This malware can circumvent Microsoft Windows driver signature enforcement to load its own unsigned driver used for document theft, keylogging and screen monitoring by periodically capturing screenshots by modifying legitimate Windows boot manager binary. Attackers infiltrate early in the system boot process, allowing malware to bypass security measures and put its malicious driver into action at system start-up. This highlights the importance of securing the entire supply chain, holding each level accountable. It does not matter how sophisticated the security measures of the end user are; if a manufacturer in the supply chain has a weakness, it may lead to the demise of the whole system.

The cyber espionage group ‘Dragonfly’ is another example of a sophisticated supply chain attack that has targeted energy companies across Europe and North America recently. The group has been known to target companies via their supply chains, first gaining access to legitimate industrial control system (ICS) software, then replacing files with their own infected versions. By using legitimate files as trojan horses for their own malware, they are able to flow through the supply chain unidentified. The same concept applies to hardware and IoT devices; attackers are able to identify the weakest link in the supply chain and tamper with devices before they are distributed to the vendor. The malware passed through these chains may contain remote access functionalities, giving the hackers some control over the system it has been installed on. The burgeoning amounts of personal data, identity information and financial information stored within devices increase the risk and devastation for supply chains and the appeal for hackers.

Identifying at the Point of Attack

Until now, it has been difficult to truly know whether a system or device has been tampered with, and it was near impossible to determine the security status of multiple endpoints within a network. The latest firmware integrity measurement (FIM) specification, released this year by Trusted Computing Group, provides an official, definitive guide to verifying the integrity of equipment bought by the enterprise. It provides a framework to establish the integrity baseline of the firmware running on a device to compare and detect any threats throughout its lifecycle. For large production chains, where a supply chain map is extremely complex to track, this is a significant advancement.

One of the main assumptions of supply chain attackers is that their malware is undetectable as it travels through the supply chain. However, whether a secondary manufacturer or the end-user of a device, it is possible to verify the integrity of devices and networks within entire systems. This will put a level of trust and assurance back into supply chains and manufacturers, as threats should be transparent at all levels. Additionally, any weak access points can be identified and strengthened, limiting the number of compromised devices and mitigating potential future attacks.

Protecting Supply Chains

The sooner the threat is identified, the less damage it can cause to the rest of the supply chain, ensuring compromised hardware and software do not continue its journey to end-users, where attacks may be critical. By verifying the integrity of hardware and software at each point in the supply chain, the weaker points can be identified and strengthened before a breach is made, mitigating the chance for hackers to infiltrate undetected.

What’s Hot on Infosecurity Magazine?