https://github.com/openclarity/kubeclarity

Figure-1: Software Supply Chain Attacks Case Studies

The previous segment of the series shared a primer on supply chains, what software supply chains are, why they can lead to security breaches, and how to safeguard them. This blog post highlights the seriousness of software supply chain breaches, the extent of damage they can cause, and why you must take the matter seriously. Let's start quantifying the extent of damage caused by supply chain breaches by examining a few supply chain attack case studies.

What Percentage of Security Breaches Start with Software Supply Chain?

Determining an exact percentage is difficult, as various sources report different numbers. In recent years, software supply chain attacks have risen and posed a significant threat to organizations. According to a report by Spiceworks, in 2023, Software Supply Chain attacks will increase in severity. Another report by SD Times found that supply chain attacks impacted 64% of companies primarily due to increased OSS reliance. Many breaches use the software supply chain as an attack surface, emphasizing the importance of securing the supply chain for organizations.

Top 10 Supply Chain Attacks

SolarWinds

In December 2020, the network management software company SolarWinds got hacked, resulting in a widespread breach of multiple government agencies and private companies. A total of 18,000 customers and businesses got impacted. The attack was traced back to a malicious software update added to SolarWinds’ Orion software, demonstrating the importance of secure software updates in the supply chain.

Equifax

In 2017, Equifax's credit reporting company suffered a massive data breach that affected 147 million customers. The breach was later attributed to a vulnerability in Equifax’s website software caused by a failure to patch a known security issue. This case highlights the importance of proper patch management in the software supply chain.

CCleaner

In 2017, the popular system optimization tool CCleaner was compromised and used to distribute malware. The attackers were able to inject malicious code into CCleaner’s software supply chain, demonstrating the importance of secure code signing and verification processes.

Apple XCodeGhost

In 2015, hackers targeted Chinese iOS developers by compromising the XCode development tool used to create iOS apps. The attackers added malicious code to the tool, incorporated into several iOS apps on the App Store. This case highlights the importance of secure development tools and the need to thoroughly screen third-party components in the software supply chain.

Not Petya

2017 malware attack targeted Ukraine's government and infrastructure and spread to other countries via a supply chain attack on the software company MeDoc. It was distributed through an update to MeDoc, a tax accounting program widely used by Ukrainian companies, that released the NotPetya malware. The malware used the EternalBlue exploit.

TSMC Taiwanese chip manufacturer

In 2018, the malware was spread through the company's software update system. The virus was injected into TSMC's systems when a supplier installed infected software onto some of its machines without running an antivirus scan. The attack affected over 10,000 devices in some of TSMC’s most advanced facilities.

Panasonic

In November 2021, a breach was disclosed, representing a unique supply chain attack compromising data that businesses share as part of supply chain operations due to a third party's illegal access to Panasonic servers.

Wipro

Indian IT services provider, the 2020 attack in which hackers used a supply chain attack to gain access to the company's network and steal sensitive client data. In this case, attackers used Wipro’s systems to launch phishing attacks against customers. Phishing exploits made Wipro a platform to attack some customers and highlight third-party risks from service providers.

Codecov

The 2020 attack on the US-based software company Codecov enabled hackers to gain access to the company's software development tools and potentially steal sensitive data from its clients. The attackers exploited an error in how Codecov created docker images. This process allowed the attackers to extract a credential from the Docker image.

Dragonfly 2.0 attack 

In 2014, this highly sophisticated cyber espionage campaign used compromised software updates to gain access to energy sector organizations in the US and Europe.

Numerous other supply chain attacks exist, with the log4j fiasco leading the pack. These cases demonstrate the critical importance of secure software supply chain practices and the dire real-world consequences of supply chain attacks. Let’s unpack some of these breaches and understand the source of the breach and how we can mitigate them.

Case Studies

Let's delve into some case studies of software supply chain attacks here:

SolarWinds

The attackers could infiltrate SolarWinds' build systems and insert malware, which spread among customers as part of legitimate software updates. Due to the malicious code inserted during the build process of the software update, even though it was delivered to customers via secure signing and verification checks, since the malicious injection occurred early in the chain, signing and validating software downloads couldn't catch it either. It took almost 15 months to discover the breach.

Equifax

Attackers could exploit this vulnerability because Equifax had failed to patch the affected software, even though a patch had been available for several months before the breach occurred. The attackers could then move laterally through Equifax's network and exfiltrate sensitive data belonging to approximately 147 million individuals. As a result, the primary cause of Equifax's supply chain breach was inadequately managing the security of third-party software components, combined with a failure to apply critical security patches promptly.

Diversity In Supply Chain Attacks

Though similar SolarWinds and Equifax supply chain attacks are different in several ways, just by contrasting these two, we can be mindful of the diversity in attack patterns while crafting solutions. The tabular data in Figure-2 below highlights the differences.

Figure-2: Demonstration of Diversity in Supply Chain Attacks

Attacks of this nature are just the tip of the iceberg. In addition to highlighting the different types of supply chain attacks and a broad spectrum of impacts, they emphasize the need for organizations to maintain robust security measures continuously throughout the software development and distribution processes.

Defense Strategy

Organizations must jump on software supply chain security practices to avoid similar future attacks. In addition to Implementing code signing and verification processes, conducting regular security assessments of third-party components, and implementing proper upgrade procedures enabling security practices throughout the software development life cycle. Additionally, organizations should monitor their software supply chain for signs of compromise and have incident response and remediation plans to address any security issues quickly.

Security tools that can help identify security flaws in the software components found in an organization's applications and infrastructure are a must. Mitigating attacks akin to SolarWinds using tools to continuously scan software components pre and post-deployment deployment to detect and address vulnerabilities exploited in the supply chain attack case studies.

Rescue Tools

Tools like KubeClarity could help organizations stay updated on the latest security patches and advisories for their deployed components, allowing them to take proactive steps to mitigate potential risks in supply chain attacks.

For example, KubeClarity's dashboard is a handy tool for visualizing vulnerabilities and other security risks in your software supply chain. In the example below, we see KubeClarity reporting CVEs, which is short for Common Vulnerabilities and Exposures, a list of publicly disclosed cybersecurity flaws.

While the vulnerabilities seen here in a sample application are not the exact ones that affected Equifax CVE-2017-5638 or SolarWinds CVE-2023-23836,  the report can give you an idea of how it can improve your software supply chain security by providing you visibility into potential vulnerabilities and highlighting high-severity ones that need addressing with urgency. In the subsequent blog series, we will learn more about CVEs and how to interpret them.

Figure-2: Demonstration of KubeClarity Vulnerability Report Dashboard

KubeClarity generates this list of vulnerabilities in container images and filesystems by parsing the Software Bill of Materials (SBOM) and feeding the SBOM document to specialized vulnerability scanners to generate a granular list of CVEs, as you see above. If you want to further understand SBOMs and their significance in vulnerability detection, you are on track; it is coming next.

Conclusion

I hope these helpful supply chain case studies got you thinking about building your defense mechanisms against becoming a supply chain attack case study.

Next Up

Let's double-click on SBOMs and learn what they are and how they are pivotal in preventing supply chain attacks.

--------------------------------- 

Pallavi Kalapatapu is a Principal Engineer and open-source advocate in Cisco’s Emerging Technology & Incubation organization.