Attackers prey on targets with a large “attack surface”: the more open ports to exploit, exposed machines to compromise, or people willing to open a suspicious email, the larger the surface. Supply chains, by linking together hundreds if not thousands of firms, present an ideal attack surface.
Supply chain cyber attacks have concerned security practitioners for years because a single compromised supplier can trigger a chain reaction that reaches every organisation depending on it.
ENISA expects supply chain attacks to quadruple in 2021 compared with 2020, which calls for the urgent introduction of new protective measures. Such attacks often go undetected for a long time and, like Advanced Persistent Threat (APT) campaigns, they are usually targeted, complex and costly, with attackers most likely planning them well in advance.
Threat Landscape of Supply Chain Attacks:
- The attack on the vaccination portal of Italy’s Lazio region appears to be part of a supply chain attack rather than an isolated incident. An attack that targets healthcare during a deadly global pandemic is a crime against humanity.
- Open-source packages published to the Python Package Index (PyPI) have been found to contain malicious or exploitable code.
- The Kaseya VSA ransomware incident, which encrypted the files of over 1,500 downstream businesses.
- The SolarWinds Orion supply chain attack, affecting upwards of 18,000 customers who installed the trojanised update.
- Microsoft admitted signing a malicious rootkit driver with its code-signing certificate.
- The compromised Codecov Bash Uploader, in use by over 29,000 customers; US federal investigators later suspected that hundreds of customer networks were breached through it.
- Japanese government offices using Fujitsu’s ProjectWEB tool suffered breaches.
- Enterprise password manager Passwordstate from Click Studios delivered malicious updates to its customers.
In its report Threat Landscape for Supply Chain Attacks, published last week, ENISA describes in detail both the types of software supply chain attacks and real-world examples of each. https://t.co/50sojta173?amp=1
Recommendations for customers include:
- Identifying and documenting suppliers and service providers;
- Defining risk criteria for different types of suppliers and services such as supplier and customer dependencies, critical software dependencies, single points of failure;
- Monitoring supply chain risks and threats;
- Managing suppliers over the whole lifecycle of a product or service, including procedures to handle end-of-life products or components;
- Classifying assets and information shared with or accessible to suppliers, and defining relevant procedures for accessing and handling them.
ENISA recommends suppliers:
- Ensure that the infrastructure used to design, develop, manufacture, and deliver products, components and services follows cybersecurity practices;
- Implement a product development, maintenance and support process that is consistent with commonly accepted product development processes;
- Monitor security vulnerabilities reported by internal and external sources, including third-party components;
- Maintain an inventory of assets that includes patch-relevant information.
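The last two supplier recommendations (monitoring vulnerabilities in third-party components, and keeping an inventory that carries patch-relevant information) are concrete enough to show in code. The example below is added here and is not ENISA’s or Metmox’s code: it parses a pinned dependency lockfile into a component inventory, refuses unpinned entries (an inventory without exact versions cannot say what is patched), and matches the inventory against an advisory feed using introduced/fixed version ranges. The lockfile, the advisory entries, the package names and the ADV-000x identifiers are all constructed for the example; in practice the feed would come from a vulnerability database and the lockfile from the build.

```python
"""Component inventory and advisory matching (added example; all data constructed)."""
import re
from dataclasses import dataclass

# Constructed sample lockfile in `pip freeze` format; package names are hypothetical.
SAMPLE_LOCKFILE = """\
acme-http==2.3.1
widgetparse==0.9.4
# build-time only
loggerkit==1.12.0
"""

# Constructed advisory feed. IDs, packages and version ranges are hypothetical;
# "introduced" is inclusive and "fixed" is exclusive, as in OSV-style ranges.
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "package": "acme-http", "introduced": "2.0.0", "fixed": "2.3.2",
     "summary": "header injection in redirect handling (hypothetical)"},
    {"id": "ADV-0002", "package": "widgetparse", "introduced": "0.0.0", "fixed": "1.0.0",
     "summary": "unsafe deserialisation of untrusted input (hypothetical)"},
    {"id": "ADV-0003", "package": "loggerkit", "introduced": "1.0.0", "fixed": "1.11.0",
     "summary": "log forging; inventory version is already past the fix (hypothetical)"},
]


@dataclass(frozen=True)
class Component:
    name: str      # normalised (lower-case) package name
    version: str   # exact pinned version, needed for patch-relevant tracking


def parse_version(version: str) -> tuple:
    """Turn a dotted numeric version into a comparable tuple, e.g. '1.12.0' -> (1, 12, 0)."""
    return tuple(int(part) for part in version.split("."))


def parse_lockfile(text: str) -> list:
    """Build the component inventory from a pinned lockfile.

    Only exact pins (name==x.y.z) are accepted: a range such as 'pkg>=2.0' does not
    tell us which code is actually deployed, so it is rejected rather than guessed.
    """
    inventory = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.\-]+)==([0-9]+(?:\.[0-9]+)*)", line)
        if not match:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        inventory.append(Component(match.group(1).lower(), match.group(2)))
    return inventory


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def match_advisories(inventory: list, advisories: list) -> list:
    """Return one finding per (component, advisory) pair whose version range applies."""
    findings = []
    for component in inventory:
        for adv in advisories:
            if adv["package"].lower() != component.name:
                continue
            if is_affected(component.version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": component.name,
                    "version": component.version,
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed"],
                    "summary": adv["summary"],
                })
    return findings


if __name__ == "__main__":
    inventory = parse_lockfile(SAMPLE_LOCKFILE)
    for finding in match_advisories(inventory, SAMPLE_ADVISORIES):
        print(f"{finding['component']}=={finding['version']}: {finding['advisory']} "
              f"(fix in {finding['fixed_in']}) - {finding['summary']}")
```

Running it on the constructed data reports acme-http and widgetparse as affected and leaves loggerkit alone, because 1.12.0 is past the 1.11.0 fix. The deliberate strictness in parse_lockfile is the point of the inventory recommendation: if a build pulls “whatever is newest”, the inventory cannot say whether a patch is applied, and a compromised upstream release (as in several of the incidents above) is installed without anyone noticing.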
Here are a few recommendations from Metmox:
There is no silver bullet that eliminates the possibility of a supply chain attack. However, the following measures help:
- Conduct regular security testing and assessments: source code scanning and application penetration testing
- Apply security patches in a timely manner
- Implement a zero-trust architecture aligned with how data moves across the network and how applications and users access sensitive information
- Implement a defense-in-depth approach
- Deploy application firewalls and network segmentation to restrict access to application binaries and source code
- Use MFA to verify logins across the network
- Comply with relevant policies and regulations such as SOC 2, HIPAA, GDPR, CCPA, NIST frameworks, COBIT and ISO 27001/27002, and provide evidence of up-to-date certification
- Operate an employee security awareness program
Supply chain attacks are not new, but they are not going away either. Gone are the days of buying cheap software and not worrying about it. Metmox GRC services provide comprehensive Vulnerability Assessment, Penetration Testing, Web Application Scanning, Static Application Security Testing, Dynamic Application Security Testing, Hardening and Standardization, Third Party Risk Assessment and Compliance Readiness services. https://metmox.com/governance-risk-and-compliance/