Supply chain attacks

Supply chain attacks are an emerging kind of threat that target software developers and suppliers. The goal is to access source codes, build processes, or update mechanisms by infecting legitimate apps to distribute malware.

How supply chain attacks work

Attackers hunt for unsecure network protocols, unprotected server infrastructures, and unsafe coding practices. They break in, change source codes, and hide malware in build and update processes.

Because software is built and released by trusted vendors, these apps and updates are signed and certified. In software supply chain attacks, vendors are likely unaware that their apps or updates are infected with malicious code when they’re released to the public. The malicious code then runs with the same trust and permissions as the app.

The number of potential victims is significant, given the popularity of some apps. A case occurred where a free file compression app was poisoned and deployed to customers in a country where it was the top utility app.

Types of supply chain attacks

  • Compromised software building tools or updated infrastructure

  • Stolen code-sign certificates or signed malicious apps using the identity of dev company

  • Compromised specialized code shipped into hardware or firmware components

  • Pre-installed malware on devices (cameras, USB, phones, etc.)

To learn more about supply chain attacks, read this blog post called attack inception: compromised supply chain within a supply chain poses new risks.

How to protect against supply chain attacks

  • Deploy strong code integrity policies to allow only authorized apps to run.

  • Use endpoint detection and response solutions that can automatically detect and remediate suspicious activities.

For software vendors and developers

  • Maintain a highly secure build and update infrastructure.

    • Immediately apply security patches for OS and software.
    • Implement mandatory integrity controls to ensure only trusted tools run.
    • Require multi-factor authentication for admins.
  • Build secure software updaters as part of the software development lifecycle.

    • Require SSL for update channels and implement certificate pinning.
    • Sign everything, including configuration files, scripts, XML files, and packages.
    • Check for digital signatures, and don’t let the software updater accept generic input and commands.
  • Develop an incident response process for supply chain attacks.

    • Disclose supply chain incidents and notify customers with accurate and timely information

For more general tips on protecting your systems and devices, see prevent malware infection.