Why 2023 is the year for software supply chain attacks

Supply chain attacks have exploded, becoming a front of mind issue for many CISO’s in recent years. 2023 is set to be a record breaking year with software supply chain attacks already increasing by 742% between 2019 and 2022. The challenge is pervasive enough that Gartner predicts by 2025, 45% of organizations will have experienced attacks on their software supply chains.

Threat actors are increasingly exploiting software supply chain vulnerabilities because 3rd party applications and organizations rely on them to increase their agility. But companies need to take steps to prevent a breach caused by exploited supply chains. 

Monitoring external facing assets for vulnerabilities can enable organizations to mitigate weaknesses in their security posture before they are exploited.

What is a software supply chain attack?

Software supply chain attacks often target open source code or third-party APIs used by developers. Developers use these off-the- shelf components because it decreases development times and enables organizations to be more agile. However, relying on 3rd party software means that vulnerabilities can be unintentionally introduced. For example, a recent study conducted by Veracode found that 90% of third-party code does not comply with enterprise security standards such as the OWASP Top 10. 

On average, a software project has 203 open source dependencies, introducing countless potential vulnerabilities. Furthermore, software vendors also use open source code, in fact 80% of all code in modern applications comes from open sources. As a result, much of the software you use today  could be vulnerable to a software supply chain attack. 

What’s the risk of third party software?

According to Gartner, 60% of organizations work with over 1,000 third parties. The expansion of third-party software in businesses is growing exponentially as organizations look for more specialized services and find it difficult to maintain software in-house that can meet the demands of a rapidly-changing environment. As well as the headache of maintaining the technological stack when people leave… 

Organizations are increasingly dependent on third party software as part of their technology architecture, this makes supply chain attacks an attractive attack vector for threat actors.

And since third party software is often at the heart of key operations like emailing, CRM systems, and accounting systems they can be a salient target. A notable example is the theft of usernames and passwords for 76 million households and 7 million business accounts from JP Morgan Chase. The breach was caused by an unmonitored asset, a website built by a third-party vendor in support of a charity, which threat actors took advantage of to infiltrate core systems. 

How difficult are software supply chain vulnerabilities to detect?

Discovering successful software supply chain vulnerabilities has far reaching implications if they are discovered too late. Planting malicious code that can be distributed to numerous customers via the same software update or installation package can spread like wildfire for example.

The Log4j vulnerability is an infamous example of how a widely trusted software can be exploited. According to Google's analysis, the vulnerable log4j-core library was detected as a direct or transitive dependency in around 17,000 Java packages hosted on the Maven Central repository, which is the most prominent repository for Java packages. 

When the vulnerability was first discovered many organizations struggled to even identify if any of the software and applications they used were vulnerable.

There are Log4j instances that continue to survive and remain unpatched. As per findings by Rezilion, there are more than 90,000 internet-facing applications and still in 2022 over 68,000 servers that remained susceptible and accessible to the public. 

Detection rather than prevention is key when constructing your supply chain security strategy.

Predictions for software supply chain attacks in 2023

In 2022, 82% of CIOs said they felt their software supply chains were vulnerable and in that same year over 88,000 malicious open source packages had been discovered. 

So what does the rest of 2023 and the future hold? How will security teams seek to manage? 

1. Hadrian predicts that threat actors will increasingly utilize supply chain attacks - why attack a single target when dozens or even hundreds of targets can be attacked simultaneously.
2. The risks associated with reliance on open source software will further emphasize the need for developers to take a more prominent role in security-related decisions.
3. Threat actors will increasingly target smaller third parties to attack bigger companies by proxy, otherwise known as Island Hopping.

How can I prevent a software supply chain attack?

The identification of vulnerabilities in Log4j, and other cases involved organizations raising the red flag and subsequently the wider community making collective actions to address it within their infrastructure. However, this method is unsustainable and organizations must have strategies that can enable them to identify and defend for themselves. 

The use of third-party components and dependencies significantly expands the attack surface, as each component represents a potential vulnerability that can be exploited by attackers. Hadrian's AI Orchestrator is capable of quickly identifying complex attack paths and vulnerabilities that may be unknown to security teams by leveraging a combination of passive data sources, active scanning, and machine learning models. 

To discover more, read my insights on the GoDaddy attacks.