Cyber-attacks against the supply chain ecosystems continued to ramp up through the year 2021 with high-profile attacks such as Log4j, Kaseya VSA, and many others. Attackers including APT actors have been observed to be attacking particularly software supply chains leveraging the unknown vulnerabilities in open-source projects.
Supply chain professionals will need to revise their vision in 2022 and beyond to account for continuous and yet-unforeseen disruption to global networks due to cyber-attacks.
Major Supply Chain Attacks in 2021
According to the “Recent Cyber Events 2021: Considerations for Military and National Security Decision Makers” report authored by independent researchers at the NATO Cooperative Cyber Defence Center of Excellence (CCDCOE), the following is the chronological view of the supply chain attacks that happened in 2021:
- A set of vulnerabilities in the Apache logging service Log4j were found in December 2021.
- On the source code hosting site GitHub, a vulnerability in registering the npm package without user authentication was discovered in November 2021.
- The ransomware organization REvil disseminated malware through the update file of Kaseya’s endpoint management solution, VSA, in July 2021, causing the most concern about supply chain security.
- The misuse of Microsoft’s code signing was another serious attack in 2021. Microsoft signed rootkits dubbed NetFilter and FiveSys, which were discovered in June and October, respectively.
- Six packages containing concealed crypto-mining malware were posted to the Python Repository PyPI in April 2021.
- The update server of Gigaset, a German smartphone manufacturer, was hacked in April 2021, and malicious updates including malware were disseminated to its Android smartphones.
- A security specialist revealed proof of concept in February 2021, claiming that a new attack approach is known as ‘Dependency Confusion’ could compromise the systems of 35 businesses, including Apple and Microsoft.
- A malicious malware was injected into the uploader script of Codecov, a DevOps platform firm, in January 2021, stealing credentials and confidential information. Parts of the source code of many customers, including security firm Rapid7 and Japanese e-commerce firm Mercari, were exposed.
- BigNox, a Hong Kong-based software company that distributes the Android emulator NoxPlayer for Windows and Mac, had its update server hacked in January 2021, and malicious code was disseminated through it.
8 Tips to Protect Your Organization from Supply Chain Attacks
1. Assess open-source dependencies to prevent software supply chain attacks
If you’re an open-source maintainer, knowing about your project’s attack surface and possible threat vectors throughout the supply chain can feel overwhelming, if not impossible. Software composition analysis and assessment tools can help to detect and remediate risks.
2. Continuous scanning of GitHub repositories for the unwanted leaks of secrets
It is possible to receive near real-time warnings that secrets have been published to a repository or, even better, to prevent the secrets from being published in the first case, depending on the scenario. The Events and Search APIs are two GitHub APIs that give near-real-time information on commits and can be scoped by repository, organization, or user.
3. Implement zero-trust policies
By removing implicit trust from your system’s architecture, zero trust helps to prevent security breaches. Rather than automatically trusting users within the network, zero trust necessitates verification at each access point.
4. Be aware of who your vendors are and train them
Ensure that every service provider who contributes to your extended supply chain is aware of your firm. Decision-makers may find business links they were previously unaware of due to the huge extent of cyber ecosystems and newly introduced shadow IT. Vendor visibility allows for better tracking and security control. To defend against cyber-attacks, often, a cultural shift is required. Employees, vendors, and partners must be informed of what they can do with sensitive data and information, as well as what they cannot do. Conduct training classes to inform employees about all areas of security, including corporate policies, password security, and social engineering attack methods.
5. Extend your threat intelligence program to third-party risks
Your supply chain includes vendors, suppliers, service providers, resellers, agents, channels, joint venture partners, intermediaries such as credit card processors, utilities, charities, subscription services, contractors, affiliates, rating agencies, government agencies, and trade associations.
Organizations and applications collaborate to deliver goods in the supply chain. This could be accomplished using physical or software security. Each additional link, on the other hand, means more high-risk endpoints. Ensure that all integrations and risks are double-checked. After all, you can’t protect something you don’t understand.
6. For supply chain validation, investigate blockchain and other Hyperledger technologies
A technique that validates every modification throughout the supply chain with an incontestable source and timestamp is the golden grail of supply chain protection. This is possible thanks to blockchain and other Hyperledger technologies, which eliminate the need for centralized management and control. End-to-end blockchain and Hyperledger will, in the end, give supply chain transparency and defend weak portions from hidden attacks.
7. Implement honeytokens
Your company can avoid significant risks by employing honeytokens. Honeytokens act as data decoys, attracting hackers to assets that appear to be valuable. As hackers work their way towards the decoys, a signal is sent to the firm, alerting the IT and/or cyber security teams to the existence of hackers, which they may deal with straight away.
8. Keep up with the new regulations, frameworks, and standards while being proactive to meet these mandates
Emerging frameworks in different parts of the world:
- The EU Directive on the Security of Network and Information Systems’ supply chain guidance.
- The EU General Data Protection Regulation (GDPR) regulation, specifies the responsibilities of both data controllers and data processors.
- The U.K. National Cyber Security Center supply chain security guidance.
- SAFECode Software integrity documents.
- The Open Group Trusted Technology Forum.
In the U.S., the federal government is focusing on contractual mandates:
- Contractual mandate to adhere to NIST SP 800-171 for any vendor receiving Controlled Unclassified Information (CUI).
- Contractual mandate to self-score in a centralized system regarding adherence to the above.
- A newly emerging mandate to have independent, third-party assessors assign a cybersecurity maturity certification to all vendors in the Department of Defence supply chain.
With SOCRadar® Free Edition, you’ll be able to:
- Discover your unknown hacker-exposed assets
- Check if your IP addresses tagged as malicious
- Monitor your domain name on hacked websites and phishing databases
- Get notified when a critical zero-day vulnerability is disclosed
Free for 12 months for 1 corporate domain and 100 auto-discovered digital assets. Get free access.