Aitor Azpiroz, Cyber Respond Lead at Holcim EMEA Digital Center, explains what a supply chain attack is and walks through some examples that show the challenges organizations face and how cyber defences need to be developed and maintained.

 

WHAT IS A SUPPLY CHAIN ATTACK AND HOW TO PREVENT IT?

 

Supply chain attack: what it is and how it can affect business

In March 2023, 3CX, an international VoIP IP-PBX software developer, announced that its desktop application client had been compromised in a supply chain attack aimed at deploying malware that could have reached any of the 600,000 companies worldwide and over 12 million users that use the application daily.

The European Union Agency for Cybersecurity (ENISA) defines the Supply Chain in cybersecurity as the ecosystem of processes, people, organizations, and distributors involved in the creation and delivery of a final solution or product that involves a wide range of resources (hardware and software), storage (cloud or local), distribution mechanisms (web applications, online stores) and management software.

A supply chain attack is a cyberattack that first compromises a supplier (an entity that supplies a product or service to another entity) and its assets, and then uses that foothold to attack another supplier or the final customer (the entity that consumes the product or service produced by the supplier). For an attack to count as a supply chain attack, both the supplier and the customer have to be targets.

Historically, and still today, the term supply chain attack has referred to attacks on trusted third-party suppliers, breached in order to gain access to their customers. This is what happened to Target, a US retail corporation, in 2013: the attackers entered its network using an HVAC contractor's account, which ended in the theft of 40 million credit and debit card records and an $18.5 million multistate settlement.

This threat has evolved in recent years and today it also targets software developers and vendors, since modern software is built by continuously reusing open source code from public repositories, proprietary code from software vendors and third-party APIs, among other components. Attackers break into these developers and repositories in order to alter source code and hide malware in build and update processes.

Example of Software Supply Chain attack. Source: ncsc.gov.uk.

Vendors are typically unaware that their applications or updates carry malicious code when they are released, so the releases are signed, certified and trusted by customers as usual. The malware is then executed by customers who have no reason to suspect it. This is what makes the threat so dangerous: a valid signature proves who published the build, not that the build is clean.

These attacks are targeted, complex and costly, and involve long-term planning by the attackers. For a supply chain attack to succeed, several breaches have to be carried out and coordinated, which indicates the degree of sophistication of the adversaries. They are usually state-sponsored groups, such as APT29 (Russia) in the SolarWinds attack (2020) and UNC4736 (North Korea) in the 3CX attack (2023), or criminal organizations, such as the REvil group (Russia), responsible for the Kaseya attack (2021).

 

Supply chain attack: the #1 threat by 2030

In March 2023 ENISA published the “Foresight Cybersecurity Threats for 2030” report, which ranks the supply chain compromise of software dependencies as the #1 threat by 2030. The report states that even with continuous code monitoring, the combination of software, hardware and component-based code will create unmonitored interactions and interfaces that lead to new and unforeseen vulnerabilities.

Top 10 Emerging Cybersecurity Threats for 2030 identified by ENISA

 

Developing detection and response capabilities to prevent supply chain attacks

This type of attack is hard to detect because of the sophistication involved, the knowledge and resources of the attackers (state-sponsored groups and high-level criminal organizations), and the fact that a software product having been validated in the past does not mean that it is secure today.

Companies are already preparing for this threat not only by performing regular security assessments of their providers and applications, but also by developing their own detection and response capabilities: deploying behaviour-based endpoint detection solutions, writing incident response plans for the compromise of specific providers or applications, defining code integrity and life cycle policies, and leveraging Cyber Threat Intelligence in order to get ahead of attacks in progress, among others.

There are also government initiatives, such as the Executive Order on Improving the Nation’s Cybersecurity issued by the White House in May 2021[4], which made the Software Bill of Materials (SBOM) a requirement for software sold to the US federal government. An SBOM is a formal record containing the details and supply chain relationships of the various components used in building software, produced by enumerating the components in a product. It aims to help risk managers identify, quickly and effectively, the applications or services that may be affected by new vulnerabilities or supply chain breaches.

In the open source community there are also initiatives that help identify the structure, construction and security of open source software packages. Open Source Insights is a service developed by Google that examines software packages and builds a full, detailed graph of each package's dependencies and their properties, drawing on millions of open source packages and their source repositories on well-known hosts such as GitHub, GitLab and Bitbucket.

List of dependencies of the npm package Cloudinary (~250K weekly downloads) as seen on Open Source Insights
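As an added example of the kind of question an SBOM and a dependency graph let you answer (this is illustrative code written for this page, not code from the article, the Executive Order or Open Source Insights), the Python script below loads two constructed CycloneDX-style SBOMs, one per product, and walks their dependency graphs to find every path from a product down to a component named in a hypothetical advisory. The "acme-*" package names, their versions and the advisory's affected range are all invented for the example; the version check only understands plain numeric dotted versions, where a real tool would use a full semver library.

```python
"""Find which products are exposed to an advisory by walking their SBOM dependency graphs.

Added example: the SBOMs, packages and advisory below are constructed sample data
(fictitious "acme-*" packages), shaped like CycloneDX 1.4 JSON.
"""
import json

SBOMS_JSON = """
[
 {"bomFormat":"CycloneDX","specVersion":"1.4",
  "metadata":{"component":{"bom-ref":"customer-portal@4.2.0","name":"customer-portal","version":"4.2.0"}},
  "components":[
   {"bom-ref":"pkg:npm/acme-http-router@2.4.1","name":"acme-http-router","version":"2.4.1","purl":"pkg:npm/acme-http-router@2.4.1"},
   {"bom-ref":"pkg:npm/acme-body-parser@1.3.0","name":"acme-body-parser","version":"1.3.0","purl":"pkg:npm/acme-body-parser@1.3.0"},
   {"bom-ref":"pkg:npm/acme-querystring@6.10.3","name":"acme-querystring","version":"6.10.3","purl":"pkg:npm/acme-querystring@6.10.3"},
   {"bom-ref":"pkg:npm/acme-utils@4.1.0","name":"acme-utils","version":"4.1.0","purl":"pkg:npm/acme-utils@4.1.0"}],
  "dependencies":[
   {"ref":"customer-portal@4.2.0","dependsOn":["pkg:npm/acme-http-router@2.4.1","pkg:npm/acme-utils@4.1.0"]},
   {"ref":"pkg:npm/acme-http-router@2.4.1","dependsOn":["pkg:npm/acme-body-parser@1.3.0","pkg:npm/acme-querystring@6.10.3"]},
   {"ref":"pkg:npm/acme-body-parser@1.3.0","dependsOn":["pkg:npm/acme-querystring@6.10.3"]},
   {"ref":"pkg:npm/acme-querystring@6.10.3","dependsOn":[]},
   {"ref":"pkg:npm/acme-utils@4.1.0","dependsOn":[]}]},
 {"bomFormat":"CycloneDX","specVersion":"1.4",
  "metadata":{"component":{"bom-ref":"billing-service@1.9.0","name":"billing-service","version":"1.9.0"}},
  "components":[
   {"bom-ref":"pkg:npm/acme-utils@4.1.0","name":"acme-utils","version":"4.1.0","purl":"pkg:npm/acme-utils@4.1.0"},
   {"bom-ref":"pkg:npm/acme-querystring@6.11.0","name":"acme-querystring","version":"6.11.0","purl":"pkg:npm/acme-querystring@6.11.0"}],
  "dependencies":[
   {"ref":"billing-service@1.9.0","dependsOn":["pkg:npm/acme-utils@4.1.0","pkg:npm/acme-querystring@6.11.0"]},
   {"ref":"pkg:npm/acme-utils@4.1.0","dependsOn":[]},
   {"ref":"pkg:npm/acme-querystring@6.11.0","dependsOn":[]}]}
]
"""

# Constructed, hypothetical advisory: the package is fictitious and so is the range.
ADVISORY = {"package": "pkg:npm/acme-querystring", "affected": ">= 6.0.0, < 6.10.5"}

_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def version_key(version):
    """Numeric dotted version ("6.10.3") -> comparable tuple. No pre-release support."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, spec):
    """True when `version` satisfies every comma-separated clause of `spec`, e.g. ">= 6.0.0, < 6.10.5"."""
    v = version_key(version)
    for clause in spec.split(","):
        op, bound = clause.strip().split()
        if not _OPS[op](v, version_key(bound)):
            return False
    return True


def split_purl(purl):
    """"pkg:npm/acme-utils@4.1.0" -> ("pkg:npm/acme-utils", "4.1.0"). rpartition keeps "@scope/" names intact."""
    name, _, version = purl.rpartition("@")
    return name, version


def affected_paths(sbom, advisory):
    """Every dependency path (list of bom-refs) from the product down to an affected component."""
    root = sbom["metadata"]["component"]["bom-ref"]
    purl_of = {c["bom-ref"]: c["purl"] for c in sbom["components"]}
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    paths = []

    def walk(node, path):
        purl = purl_of.get(node)  # the product itself has no purl in this BOM
        if purl:
            name, version = split_purl(purl)
            if name == advisory["package"] and is_affected(version, advisory["affected"]):
                paths.append(path)
                return  # the advisory names this node; its own dependencies are irrelevant here
        for child in edges.get(node, []):
            if child not in path:  # guard against cycles in malformed BOMs
                walk(child, path + [child])

    walk(root, [root])
    return paths


def exposed_products(sboms, advisory):
    """Map product name -> list of exposure paths, for products with at least one path."""
    result = {}
    for sbom in sboms:
        paths = affected_paths(sbom, advisory)
        if paths:
            result[sbom["metadata"]["component"]["name"]] = paths
    return result


def load_sboms():
    return json.loads(SBOMS_JSON)


if __name__ == "__main__":
    for product, paths in exposed_products(load_sboms(), ADVISORY).items():
        print(f"{product}: exposed via {len(paths)} path(s)")
        for path in paths:
            print("  " + " -> ".join(path))
```

Running it reports customer-portal as exposed through two paths (directly via acme-http-router and again via acme-body-parser), while billing-service, which ships the same package at a version outside the affected range, is not listed. That second case is the reason the check compares versions rather than just matching names: a name-only grep over SBOMs produces false positives that waste response time, and transitive paths are exactly what a flat list of direct dependencies would miss.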

Companies are particularly exposed to compromise through third-party supplier breaches, and attackers have exploited this by extending their malicious activity to a company's trusted partners and software. Companies therefore need to be vigilant and use every means available to protect themselves.

Cyber attackers will continue to seek new ways to breach security systems but, fortunately, new initiatives, software and procedures are also constantly being developed to protect businesses and organizations from this well-organized and cunning adversary.
