There are essentially two types of software supply chain attack,
- Software Compromise to third party components of software,
- Watering Hole Attacks
Watering Hole Attacks
Software products have many facets and features that require real human capital and investment to implement. As a compromise in software development, software vendors may use code from third party libraries, plugins or even adapt existing software to reduce investment and enhance their product offering.
In cases where software vendors do not produce all parts of their applications they rely on the trust and value the third party software they have incorporated in to their product to ensure that software is not tampered or altered to behave maliciously or insecurely for their customers.
Having third party libraries that have been compromised or have been poorly selected may result in,
- Vulnerable parts of the software being exposed for attackers to utilise.
- The software being used for ways not intended by the vendor, such as allowing the malicious code to evade detection by operating through otherwise trusted code. DLLs (Dynamic Linked Libraries) are parts of a program that can sometimes be altered by attackers to perform functions not intended by the vendor of the software to perform malicious activity such as encrypting files or providing remote code execution.
- Features of the third party library may be unused by the customer but left in their default state could provide attackers privileged access.
An example of a watering hole attack could be,
- Feedify, a website push notification service was compromised and attackers were able to have their altered JavaScript run on websites that use the software.
- SolarWinds Orion, an IT management and remote monitoring product was attacked and compromised by altering updates pushed to customers, which in turn meant their customers were compromised by this attack. The update added a backdoor to customer’s IT systems, which was used to install malware.
- Kaseya VSA (Virtual System Administrator), another unified and remote monitoring IT product was compromised through SQL to install ransomware on affected and monitored machines and lock out owners in 2021.
Software Compromise
Magecart was also able to attack British Airways and steal customer payment data by altering a portion of the British Airways website to include software designed to strip the information and send it to the attackers. In this instance British Airways used software called Modernizr, a JavaScript library designed to detect capabilities of a customers browser to tailor user experience was altered to include AJAX to send payment data when submitted to another URL controlled by the attackers for storage and sale.
This example however using similar methods is not a watering hole attack, as the code was directly altered by the attackers on the victims website, trying to pass off as legitimate software from the vendor.
Where software compromise becomes extremely useful to attackers is when software vendors have their software built into environments more secure than their own, as attackers then have access to a weaker component in the supply chain. There may be a very secure environment that uses all of the latest and best practice to secure their environment but if they are reliant on third party software then they are only as strong as the weakest in the chain, like SolarWinds Orion or Kaseya VSA (Virtual System Administrator).
To protect companies from software supply chain attacks they could,
- Incorporate immutable backups to prevent ransomware, immutable backups are essentially backups that cannot be altered by ransomware directly as they are immutable, thus ransomware would need direct access to the backup facility to encrypt the backups.
- Use trusted third parties with good standing software security practices and modern tech stacks. Know the risks associated with partners and suppliers.
- Monitor resources for unauthorised alterations and increase visibility in to your supply chain.
- Audit third party libraries for unauthorised changes.
- Act quickly to security incidents in third party components like vulnerabilities and compromise.
- Close off or remove un-used features in third party libraries.
- Hash and monitor component signatures to detect changes and prevent your software running unauthorised functions.
- Secure your environment and silo components to prevent lateral movement.
- Build all products in-house. A very expensive and probably unrealistic solution except for the largest most specialised companies.
There are many methodologies to supply chain attacks that make it hard for even the most determined blue team to keep up with and monitor.