Is Your Software Supply Chain at Risk of Cybercrime?

If your business operations rely on computers, you may be at risk of cyber crime through the software programs that you rely on. The latest Internet Threat Security Report from Symantec™, a global cybersecurity solutions leader, indicates that software supply chain vulnerabilities have become a big target and that the trend is likely to continue.

There was at least one large software update supply chain attack reported every month in 2017. That was a dramatic jump from an average of three per year from 2013 to 2016.

The typical attack scenario involves an attacker replacing a legitimate software update with a malicious version, which can be distributed quickly and covertly to intended targets. The computer of any user applying the software update can automatically become infected, consequently giving the attacker a hold on that network.

There are a handful of methods by which cyber criminals are conducting software update supply chain attacks. Here are the common attack methods noted by Symantec:

1. Compromising the software supplier directly. This is the most straightforward attack path. In this method, an attacker switches the update package with a modified malicious version. This may be achieved through a successful spear phishing attack against a developer, or by using any other common attack vector, such as infected websites or credential theft.
2. Hijacking Domain Name Servers, domains, IP routing or network traffic. Instead of compromising the software supplier directly, attackers can also compromise the communication path used to distribute the update. For example, visitors to a domain can be redirected to the attacker’s server, through DNS hijacking or similar “man-in-the-middle” techniques. Or it could be as simple as a lapsed domain being grabbed up by an attacker, who then registers it and uses it to control data sent back to the domain’s visitors.
3. Hijacking third-party hosting services. Some software vendors use cloud-based platforms to distribute updates. Once attackers are able to steal the login credentials used by a developer, it can be an easy next step to upload infected binaries that will be downloaded and installed by unwary IT support teams.
4. Other supply chain attack methods. There are other ways that your supply chain can be abused. For example, vendors who are given network access to maintain a software system or other IT asset may act maliciously, or may become a conduit through which attackers obtain unauthorized access. In addition, supply chain attacks can also be conducted against hardware, not just software. When a computer or other device is infected before it is even installed, the resulting compromise can be extremely difficult to detect.

To help protect your software supply chain, you can:

• Test new software updates, even seemingly legitimate ones, in a test environment first in order to detect any suspicious behavior.
• Monitor the behavior of all activity on your network to help identify any unwanted patterns and allow you to block a suspicious application before any damage can be done.

Given the increase in software supply chain attacks in 2017 and the success of a number of campaigns, Symantec suggests that it’s likely that attackers will continue to leverage this attack method.

The figures and statistics referenced herein are contained in the Symantec™ Internet Security Threat Report, Volume 23, 2018. For more insights on the digital security threat landscape, you can read the full report at https://www.symantec.com/security-center/threat-report, then visit travelers.com/cyber.