When you read that software supply chain attacks increased 42% in the first quarter of 2021 over Q4 2020, you might picture the traditional supply chain: boxes of products on trucks and ships. Software companies no longer ship physical CDs of their latest products as they did decades ago. Their supply chain is now the internet and the cloud, where they publish releases and updates. Today the cloud is the ‘truck’ that delivers new applications and updates to companies.

That shift means threat actors look for openings in those delivery systems and processes. Often, the attack begins when an administrator downloads a new app or updates an existing one; the malicious code is already embedded in the installer or update before it reaches the customer. Sometimes the employee doesn’t even realize anything went wrong, and when they do, it is often already too late.

Almost every organization runs its business on many applications, so a single compromised vendor or component can reach a very large number of victims. Take a look at what is causing the increase in these attacks and what the enterprise can do to protect against them.

Open-Source Problems and Supply Chain Cybersecurity

One of the biggest issues is that most organizations depend on open-source components, and the tooling that builds and distributes software is itself largely open source. Attacks on open-source code increased 430% between 2019 and 2020. Not all of these attacks are supply chain attacks, but because so much of the distribution pipeline is open source, the number of supply chain incidents is likely to grow, and threat actors are becoming more skilled at attacking open-source code.

To see how widespread the problem is, take a look at the Contrast Security 2021 State of Open-Source Security Report. The study found that the average application includes 118 libraries, of which only 38% are active, that is, actually used at runtime. An inactive library still ships with the app, so malicious code inserted into one can go undetected because nobody exercises it. The average library is 2.5 years old, so apps may carry unnoticed problems in older libraries. The report also found that the average Java app contains 50 open-source library vulnerabilities, and puts the chance that any given library carries an opening for attackers at about 16%.

Using Red Team Tests Against Supply Chain Attacks

Because real-world experience is the best way for a team to learn to work together and use its controls in real time, organizations are increasingly turning to adversary simulation engagements to reduce the impact of supply chain attacks. In these tests, a ‘red’ team uses the same tactics, techniques and procedures (TTPs) that threat actors employ, and the ‘blue’ team detects and responds to them. The blue team gains valuable knowledge by combating the same tooling threat actors are currently using.

The biggest benefit of these exercises is that your team learns first-hand what the attacks look like in your own environment, including what telemetry they leave behind. From there, they can develop detailed processes for the most effective response. Through these tests, blue teams can reduce mean time to detect (MTTD) and mean time to respond (MTTR), and by doing both they can limit the damage of a supply chain attack that arrives through an open-source component. When choosing a partner to conduct these tests, look for one that provides detailed feedback about your team’s performance that you can use to change your processes and tools.

Reduce Dependency Confusion Issues

A newer problem that is likely connected to the rise in supply chain attacks is dependency confusion. Organizations that mix internal and third-party libraries in their apps are exposed when an attacker publishes a package on a public registry with the same name as one of the organization’s internal packages. If the build client is configured to consult both the internal index and the public registry, it may pick the attacker’s copy, typically because it carries a higher version number. Earlier attacks of this kind (typosquatting) relied on developers misspelling a package name; dependency confusion is more reliable for threat actors and more damaging, all the more so when the attack is automated across many targets.

The best protection against dependency confusion is visibility and control over which libraries, packages and dependencies a build may pull, and from where. Reserve the names of your internal packages on the public registries you use so that an attacker cannot claim them. Where the package manager supports namespaces or scopes (for example, npm scopes of the form @yourorg/package), publish internal packages under a scope your organization owns, since only that account can publish into it. Configure build clients to fetch internal names only from the internal index rather than merging internal and public sources, and pin dependencies to exact versions (with hashes where the tool supports them). Other strategies include only using reputable open-source libraries and requiring developers to verify a package’s source before installing it.
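The following is an added example written for this article, not code from the original page or from any real package manager. It models the resolution step that dependency confusion exploits: a client that merges an internal index with the public registry and installs the highest version it finds, beside a hardened resolver that only looks up names in the organization’s namespace on the internal index. All package names (the "acme-" prefix, "acme-billing", "acme-auth"), versions and index contents are constructed for the example; the audit function reads the constructed public index where a real check would query the registry.

```python
# Added example (not the page's or any package manager's own code): a toy
# model of how a multi-source package client resolves a name, why
# dependency confusion works, and what a namespace/allow-list policy changes.
# Every name, version and index entry below is constructed for illustration.

from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple  # e.g. (1, 4, 0)
    index: str      # "internal" or "public"


# Constructed sample indexes. "acme-billing" is the organization's private
# package; the public copy at 99.0.0 is an attacker's squat of the same name.
INTERNAL_INDEX = {
    "acme-billing": [(1, 4, 0), (1, 3, 2)],
    "acme-auth": [(2, 0, 1)],
}
PUBLIC_INDEX = {
    "requests": [(2, 31, 0), (2, 30, 0)],
    "acme-billing": [(99, 0, 0)],
}

# Names the organization publishes only to its internal index. On a registry
# with scopes (npm "@acme/...") this is the scope the organization owns;
# here it is modelled as an assumed name prefix.
INTERNAL_PREFIX = "acme-"


def candidates(name, index, label):
    """All versions of `name` in `index`, tagged with the index label."""
    return [Candidate(name, v, label) for v in index.get(name, [])]


def resolve_merged(name):
    """Vulnerable behaviour: an 'extra index' style configuration merges the
    internal and public candidate lists and installs the highest version,
    regardless of which source it came from. Returns a Candidate or None."""
    pool = (candidates(name, INTERNAL_INDEX, "internal")
            + candidates(name, PUBLIC_INDEX, "public"))
    if not pool:
        return None
    return max(pool, key=lambda c: c.version)


def resolve_scoped(name):
    """Hardened behaviour: a name inside the organization's namespace is only
    ever looked up on the internal index; any other name is only looked up
    on the public registry. A public squat of an internal name is therefore
    never a candidate, whatever version number it advertises."""
    if name.startswith(INTERNAL_PREFIX):
        pool = candidates(name, INTERNAL_INDEX, "internal")
    else:
        pool = candidates(name, PUBLIC_INDEX, "public")
    if not pool:
        return None
    return max(pool, key=lambda c: c.version)


def audit_collisions(requirements):
    """Pre-install check: list every requested internal name that also exists
    on the public registry, i.e. a dependency-confusion exposure. Against a
    real registry this would be a network lookup; here it reads PUBLIC_INDEX."""
    return sorted(n for n in requirements
                  if n.startswith(INTERNAL_PREFIX) and n in PUBLIC_INDEX)


if __name__ == "__main__":
    reqs = ["requests", "acme-billing", "acme-auth"]
    for n in reqs:
        print(f"{n:13} merged -> {resolve_merged(n)}")
        print(f"{n:13} scoped -> {resolve_scoped(n)}")
    print("collisions:", audit_collisions(reqs))
```

The merged resolver hands "acme-billing" to the attacker's 99.0.0 copy, which is the same outcome pip produces when a private index is added with --extra-index-url and a public package of the same name carries a higher version. The scoped resolver never consults the public registry for the organization's own names, and the audit function is the kind of check worth running in CI before any install step.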

Tools for the Future

Because the cloud is likely to remain the delivery method for software going forward, supply chain attacks will be a considerable challenge for the foreseeable future. Installing updates and applications is something businesses and consumers do daily, often without thinking. By carefully evaluating the process and tools you use to deliver and consume software, you can reduce the number and impact of these attacks.
