Product reviews, deals and the latest tech news

Defending your business against growing software supply chain attacks

The allure of software supply chains is difficult to ignore by attackers, who know they can rapidly and easily obtain access to a wide breadth of sensitive information in exchange for juicier rewards.

Software supply chain assaults increased by almost 300% between 2000 and 2021, with a 300% annual growth rate. Of those businesses, 62% say they have been affected by cyberattacks.

Experts have issued a warning that the attack will not abate. In fact, by 2025, 45% of global enterprises will have experienced a ransomware attack on their digital supply chains, according to research from Gartner.

Zack Moore, manager of security products at InterVision, stated, “No one is secure.” Supply chain assaults have affected all levels of industry and government during the past two years.

Historically, assaults on software supply chains have been most visible in cases like the SolarWinds incident and the Log4j flaw. In both cases, assaults on the software supply chain were made public, and the full extent of the consequences is yet unknown.

According to Michael Isbitski, head of cybersecurity strategy at Sysdig, “SolarWinds became the poster child for digital supply chain risk.”

His final example was Microsoft Exchange, which he argued was equally influential but “soon forgotten.” He mentioned that the FBI and Microsoft are still monitoring ransomware attempts that aim to exploit weak Exchange installations.

Midway through 2021, ransomware agents broke into Kaseya, another company that serves as an example. Therefore, over 2,000 users of the IT management software supplier got a hacked version of the application, and between 1,000 and 1,500 users had their systems encrypted in the end.

Moore remarked, “The direct costs of such an attack are enormous.” The long-term effects, however, are far more concerning. The time and money required to get back on your feet might be staggering.

But why do attacks on the software supply chain persist?

Moore claims that the growing use of third-party code is to blame for the relentless attacks (including Log4j).

Because of this, both distributors and suppliers are increasingly exposed, and he added that exposure is typically correlated with a greater compensation.

“ransomware perpetrators are increasingly comprehensive and employ non-conventional techniques to approach their targets,” Moore added.

Using suitable segmentation procedures, ransomware agents may, for instance, go after IT management software systems and their parent firms as their intended victims. Then, after they’ve broken in, they’ll use that connection to spread malware throughout the parent company’s affiliates and reliable vendors.

Moore argued that the increased stakes contribute to the current prevalence of supply chain assaults. As a result of supply chain interruptions, the sector is at a critical juncture.

Inexpensive with a substantial payoff

Crystal Morin, a threat research engineer at Sysdig, has noted that supply chain assaults may be carried out for little money, need little time, and provide a large potential payoff. In addition, several firms in the security industry openly reveal their methods and tools online, and they routinely publicise their results in great detail.

Morin said that “less-skilled attackers can imitate established threat actors or quickly master advanced approaches” due to the availability of tools and knowledge.

Zack Newman, senior software engineer and researcher at Chainguard, added that ransomware assaults on the supply chain allow bad actors to spread their net. A breach in one link of the supply chain can have far-reaching effects on hundreds or thousands of businesses farther down the chain. However, the attack surface shifts as an attacker zeroes in on a single business or government agency.

Instead of waiting for a security flaw at a single company, Newman argues that an attacker only has to locate a single flaw in any of the organisations upon which the target relies for software.