It’s Time to Panic About Supply Chain Attacks

Written by Rachel Torrence, a Content Developer at Synology

Take a minute to consider the device, browser, and network connection you are using to read this article. You’ve likely used this device to make purchases, conduct business, schedule healthcare appointments, and maybe even pay taxes. Cybercriminals want that data, and one way to get it is to infiltrate the company that manufactures and maintains your device.

Who is that company?

If you’re using an iPhone or Mac, the obvious answer is Apple. It’s their logo on the back, after all. However, the situation is much more complex than just one vendor, even for something as tightly integrated as Apple products. Every "smart" device relies on a complex chain of data providers, hardware, servers, and third-party software. Increasingly, cybercriminals are drilling down to attack vulnerable segments of the supply chain, resulting in massive data breaches.

The Situation

In June, authentication provider AU10TIX leaked identification documents for customers of Fiverr, Uber, PayPal, Coinbase, and many others. AU10TIX provides an essential “KYC” (know your customer) process used by many apps to avoid fraudulent transactions, and this is not the first attack against this part of the supply chain. Earlier this year, attackers breached a similar company, World-Checkr, revealing over 5 million confidential records used to screen potential customers for connections to financial crimes.

Related:R Programming Bug Exposes Orgs to Vast Supply Chain Risk

In February, Change Healthcare suffered a ransomware attack. This company provides revenue and payment cycle management that connects payers, providers, and patients in the U.S. The attack disrupted healthcare services across the nation for weeks and allowed crooks to make off with medical records of a "substantial portion of people in America." Its parent company, UnitedHealth, said that the total costs of this incident were likely to exceed $1 billion. This follows a string of other attacks on healthcare-related providers (UK - Synnovis, France - Viamedia, and Almerys).

These are just a handful of publicly known breaches, but they represent a troubling trend: cyberattacks that target industry information supply chains to obtain valuable personal information. This type of attack has existed for as long as personal information has been stored digitally, but the methods of obtaining this data are becoming more widespread, with the potential to cause crippling damage to the targets.

In March of this year, a lone developer single-handedly prevented the backdooring of numerous Linux distributions, including Debian and Red Hat Fedora. The nearly ubiquitous tool on Linux distributions, XZ Utils, provided data compression and decompression functions. Malicious contributors spent years gaining the trust of the volunteer project maintainer, eventually taking over more and more updating responsibilities. After nearly two years of contributions, the malicious contributors snuck in cleverly obfuscated code that would have enabled them to backdoor servers by hijacking and injecting code into SSH sessions.

Related:Linux Security in the Cloud Era: Best Practices for Protecting Your Cloud Workloads

What happened was described by experts as one of "the best-executed supply chain attacks" that almost succeeded. While these types of attacks are (currently) rarer, they're also significantly more challenging to detect and could have huge ramifications if missed. While the XZ Utils attack resulted from malicious actors exploiting a vulnerable development process, we don't have to look far to find project managers demonstrating a lack of care sufficient to experience the same exploitation.

Pushing Back the Tide

An obvious question amid these alarming incidents is, “Why isn’t the government doing something about this?” In the United States, an executive order from 2021 focused on setting criteria for identifying risks in the security practices of developers, suppliers, and the final software product. With legislation like the NDAA and TAA, the U.S. is further scrutinizing security over time, although the development of this awareness is slow.

Related:Open-Source Malware vs. Vulnerable Components: Knowing the Difference Matters

Recent European Union legislation, particularly the Network and Information Security (NIS) 2 Directive set to go into action later this year, likewise pushes the European market towards adopting better security postures. This legislation pushes developers to conduct thorough risk assessments and improve management, emphasizing supply chain security.

Staying ahead of the curve

Until legislation and standard security practices can catch up to the reality of supply chain attacks, individuals, businesses, and organizations trying to protect themselves have a difficult task. One effective tool for larger-scale IT procurement is the Software Bill of Materials (SBOM), a comprehensive list of all software components used in a particular system. This enables organizations to gain visibility into exactly what their IT infrastructure runs and if their system has known vulnerabilities.

There is no silver bullet in IT security, but SBOMs provide transparency into the traditionally opaque “black box” of IT hardware and software. By conducting frequent security audits, companies can proactively identify and address vulnerabilities, forcing a vendor to respond faster and pushing the industry to be more accountable.

For IT professionals and decision-makers, it is essential to prioritize supply-side security in all systems. Ensure that vendors are transparent about the software and services they use and are committed to regular security audits. As the cybersecurity scene continues to heat up, it’s better to panic today than to be caught unaware later.

About the Author

Rachel Torrence is a Content Developer at Synology and has worked in the tech industry for four years. Synology works with admins and IT managers across numerous industries, with a focus on data security and privacy.