supply_chain_attacks

What are software supply chain attacks?

There’s an emerging kind of threat called software supply chain attacks. Attackers target software developers and suppliers, seeking access to source code, build processes, or update mechanisms.

The attacker’s goal is to infect a legitimate app to distribute malware. Attackers hunt for insecure network protocols, unprotected server infrastructure, and unsafe coding practices. They break in, change source code, and hide malware in build and update processes. Trusted vendors sign and certify these apps and updates, so it is easy for users to believe the apps are safe and secure.

In software supply chain attacks, vendors are likely unaware that their apps or updates are infected with malicious code when they’re released to the public. The malicious code then runs with the same permissions as the app. And the number of potential victims is significant, given the popularity of some apps.

Imagine if a free file compression app was poisoned and was deployed to customers in a country where it was the top utility app. That actually happened in an attack several years ago. Supply chain attacks have steadily increased since.

Software supply chain attacks – Example

A new cybercriminal operation discovered by Windows Defender ATP highlights the complexity of supply chain attacks. Attackers targeted a popular PDF editor app. They worked out the installation process and carefully probed the app vendor’s server infrastructure. They figured out that the vendor uses a server belonging to one of its partner vendors.

Attackers made a replica of this server, and then modified a single component of the installation package, a fonts pack, to insert coin miner code. They then tricked the vendor’s website into connecting to their server. As a result, the poisoned fonts pack file with malicious coin miner code was silently installed with the app.

It gets worse. Because this attack compromised a multi-tier supply chain, it could pose a threat to customers of the six other app vendors that use the same partner vendor. This is the multiplier effect of software supply chain attacks. Software supply chains are fast becoming a popular way to distribute malware.

What steps can software vendors and developers take to ensure apps are not compromised?

  • Maintain a secure and up-to-date infrastructure and restrict access to critical build systems.
  • Build secure software update processes as part of the software development lifecycle.
  • Develop an incident response process for supply chain attacks.

How can organizations protect networks against these attacks?

  • Deploy strong code integrity policies to allow only authorized apps to run.
  • Use endpoint detection and response solutions that can automatically detect and remediate suspicious activities that can indicate software supply chain attacks.

Attackers are constantly upping their game and your software is their next target. Protect yourself, your customers, and your partners by strengthening your protections against software supply chain attacks.

Take Care.