The U.S. government has made significant strides in reducing direct cyberattack risks through bodies such as the Cybersecurity and Infrastructure Security Agency (CISA), as well as by issuing guidelines on strengthening accountability and community-driven threat detection. Yet more needs to be done to prevent supply chain attacks.
An organization’s attack surface extends far beyond its own facilities. While those outlying parts of the estate might not be in the organization's direct line of sight, they require the same level of cybersecurity attention. The expanding global marketplace exposes supply chains, and with them a company's bottom line and brand, to ever-greater risk.
According to one report, 97% of businesses have experienced a data security breach as a result of an inefficient supply chain. Supply chain attacks surged by 42% between 2021 and 2022, affecting approximately seven million people.
Missed Wake-Up Calls
Attacks on supply chains aren’t new. Target's infamous 2013 incident was a supply chain breach. The attackers gained access to the retailer by using credentials obtained from its HVAC vendor, Fazio Mechanical Services. Fazio had access to Target’s systems so that it could remotely monitor and maintain the temperature of individual stores across the U.S. Hackers used a phishing campaign to steal Fazio’s credentials, which they then used to gain access to Target's network. Full names, phone numbers, e-mail addresses, payment card numbers and credit card verification codes were among the information stolen by the hackers.
Another major supply chain breach occurred in 2018, with Ticketmaster. Inbenta, a Ticketmaster software supplier, was compromised: a hacking group infiltrated Inbenta and inserted malicious JavaScript into the vendor’s code, which the Ticketmaster website loaded. The malicious script functioned like a credit card skimmer or keylogger: any data entered on the website was also sent to a drop server operated by the attacker, allowing the hacking group to steal credit card information.
Six years later, the SolarWinds hack offered another example of how a supply chain attack could affect thousands of businesses. The attacker gained access to the SolarWinds build system and inserted a malicious DLL file, which was then distributed to SolarWinds customers. The malicious file granted remote access and went unnoticed for more than six months. And just last December, it was discovered that threat actors had been accessing GoDaddy's source code for several years, and at least two other breaches were linked to the same exposure: in March 2020, 28,000 customers had their login credentials compromised by a threat actor, and in November 2021 a threat actor gained access to the company's managed WordPress code base by exploiting a compromised password. All of these incidents raise the question: why are supply chain attacks continuing to increase in 2023?
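The Ticketmaster case is the scenario Subresource Integrity (SRI) is designed to catch: the page pins a hash of the third-party script, and the browser refuses to run a copy whose bytes no longer match. The following Python checker is added here as an illustration and is not part of the original article; it reproduces the browser's SRI matching rule on a constructed vendor script, and the script contents, the tampered copy and the vendor URL are all invented for the demonstration.

```python
import base64
import hashlib

# SRI hash algorithms a browser recognises, ordered weakest to strongest.
SRI_ALGOS = ("sha256", "sha384", "sha512")

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Build the integrity token ('sha384-<base64 digest>') to pin in a <script> tag."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def verify_sri(content: bytes, integrity: str) -> bool:
    """Browser-style SRI check: keep only the tokens that use the strongest algorithm
    present, then accept the resource if any of those digests matches the fetched bytes.
    (A real browser loads the resource when no token is recognised; this checker
    deliberately refuses instead, the safer choice for a build-time gate.)"""
    tokens = []
    for tok in integrity.split():
        algo, _, digest = tok.partition("-")
        if algo in SRI_ALGOS and digest:
            tokens.append((algo, digest))
    if not tokens:
        return False
    strongest = max(SRI_ALGOS.index(a) for a, _ in tokens)
    return any(sri_hash(content, a) == f"{a}-{d}"
               for a, d in tokens if SRI_ALGOS.index(a) == strongest)

def script_tag(src: str, content: bytes) -> str:
    """Emit the <script> element a site would ship for a pinned third-party script."""
    return f'<script src="{src}" integrity="{sri_hash(content)}" crossorigin="anonymous"></script>'

# Constructed sample: the vendor script as reviewed and pinned, and a later copy
# altered at the supplier's end (any change at all breaks the pinned hash).
VENDOR_SCRIPT = b"(function(){window.vendorWidget={version:'1.0'};})();\n"
PINNED_INTEGRITY = sri_hash(VENDOR_SCRIPT)
TAMPERED_SCRIPT = VENDOR_SCRIPT + b"/* constructed modification */\n"

if __name__ == "__main__":
    print(script_tag("https://vendor.example/widget.js", VENDOR_SCRIPT))
    print("original verifies:", verify_sri(VENDOR_SCRIPT, PINNED_INTEGRITY))    # True
    print("tampered verifies:", verify_sri(TAMPERED_SCRIPT, PINNED_INTEGRITY))  # False
```

SRI only protects scripts loaded by URL with a pinned hash; a supplier-side change then fails closed in the browser instead of running silently.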
Security Issues Within the Supply Chain
Supply chain security is complicated; it requires safeguarding networks of endpoints with distinct functions. Traditionally, a supply chain network consists of hardware, software and managed services provided by third-party businesses.
The need for greater resilience, transparency and speed has transformed supply chain networks into more adaptable, digital and interconnected components. As a result, more data than ever before passes across these connections.
The risk profile for systems managing supply chain activities is rising. Because components move across the supply chain and the attack surface spans every link, an attacker who exploits a security flaw in one link can compromise the functionality of the entire network.
The Supply Chain’s Weakest Link
Open-source software might be the chain's weakest link, which is especially alarming given that open-source components make up approximately 85% of applications. In 2022, there was a 742% year-over-year increase in open-source software supply chain attacks targeting vulnerabilities in upstream ecosystems such as JavaScript, Java, .NET and Python.
Nevertheless, software developers will continue to use open source without hesitation, so this vector must be included in the strategy for securing a company, and third-party suppliers must be required to perform their own proper security checks.
If vulnerabilities are discovered in unmaintained open-source components, the organization and its end users may be jeopardized. While difficult, many of these calamities can be avoided by implementing a vulnerability scanning methodology that employs technologies such as source code analysis (SCA), static application security testing (SAST), and dynamic application security testing (DAST). Finding and addressing known vulnerabilities is beneficial, but it doesn’t guarantee that a company is totally secure.
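A minimal form of the SCA step described above, added here as an illustration rather than taken from the article: it reads a pinned Python dependency manifest, matches each pin against a list of advisories with affected version ranges, and flags unpinned entries it cannot assess. The manifest, package names and advisory identifiers are all constructed placeholders.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str        # first affected version, inclusive
    fixed: "str | None"    # first fixed version, exclusive; None means no fix published yet
    ref: str               # advisory identifier (placeholders here, not real IDs)

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))   # dotted numeric versions, enough for the sample

def normalize(name: str) -> str:
    return name.strip().lower().replace("_", "-")  # PEP 503-style package name normalisation

def parse_requirements(text: str) -> tuple:
    """Return ({package: pinned version}, [packages not pinned with '==']) from requirements text."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9][0-9.]*)", line)
        if m:
            pinned[normalize(m.group(1))] = m.group(2)
        else:                                        # '>=', '~=', bare name: shipped version unknown
            unpinned.append(normalize(re.split(r"[<>=!~]", line, maxsplit=1)[0]))
    return pinned, unpinned

def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)

def scan(requirements: str, advisories: list) -> list:
    """Findings: pins inside an affected range, plus unpinned packages the scanner cannot assess."""
    pinned, unpinned = parse_requirements(requirements)
    findings = []
    for adv in advisories:
        name = normalize(adv.package)
        if name in pinned and is_affected(pinned[name], adv):
            findings.append({"package": name, "version": pinned[name], "ref": adv.ref, "fixed": adv.fixed})
    findings += [{"package": n, "version": None, "ref": "UNPINNED", "fixed": None} for n in unpinned]
    return findings
# Constructed sample manifest and advisories (placeholder names and IDs, not real packages).
REQUIREMENTS = "examplelib==2.2.0\nsafe-helper==1.4.2\nlegacy-parser>=0.9  # unpinned\n"
ADVISORIES = [Advisory("examplelib", "2.0.0", "2.3.1", "ADV-PLACEHOLDER-001"),
              Advisory("legacy-parser", "0.0.0", None, "ADV-PLACEHOLDER-002")]
```

Running `scan(REQUIREMENTS, ADVISORIES)` reports the vulnerable examplelib pin with its fixed version and lists legacy-parser as unassessable because it is not pinned; a real SCA tool adds transitive dependencies and a live advisory feed on top of this matching logic.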
Overall, if an organization uses open-source software, it must be on high alert for supply chain attacks. Hackers have become more strategic in exploiting open-source software and code in recent years, and this year will be no exception. Bad actors will closely observe the code and its components to gain a comprehensive understanding of its weaknesses, and the most effective ways to exploit them.
Kevin Kirkwood is deputy chief information security officer at LogRhythm.