Software supply chain attacks are becoming increasingly common, which is bad news because of the severity and reach of such attacks, according to Cyble threat intelligence researchers.
Cyble detected 90 supply chain breach claims made by cybercriminals on the dark web in a six-month period between February and mid-August, which works out almost exactly to one every other day. As supply chain attacks can be orders of magnitude more expensive than other breaches, the cost and damage created by even a few such attacks is high.
The Cyble blog noted that while attacks resulting from infiltration of an IT supplier’s code base – as happened to SolarWinds in 2020 and Kaseya in 2021 – are relatively rare, the code, dependencies and applications that make up the software supply chain are “a source of near-constant vulnerabilities and cyberattacks that place all organizations at risk.”
Even when supply chain breaches don’t reach codebases, they can still lead to sensitive data being leaked “that could give attackers a critical advantage in breaching other environments, including phishing, spoofing and credential attacks,” the researchers wrote. “And because of the interconnectedness and increasing digital nature of the physical supply chain, any manufacturer or supplier with downstream distribution can be considered a cyber risk.”
Cyble researchers looked at the frequency and nature of supply chain attacks in 2024, along with defenses that can minimize risk.
Supply Chain Attacks Become Common
Cyble’s dark web monitoring found 90 cybercriminal claims of successful supply chain attacks in the period from February 2024 to mid-August 2024.
IT providers were by far the biggest target, accounting for a third of those breaches, followed by technology product companies, which experienced 14 of the 90 breaches. Aerospace & defense (9 breaches), manufacturing (9 breaches), and healthcare (8 breaches) were the next most frequent victims.
Despite the heavy concentration in a few industries, 22 of the 25 sectors tracked by Cyble have experienced a supply chain attack in 2024 (chart below).
The U.S. experienced by far the greatest number of supply chain breaches claimed on the dark web – 31 in all – followed by the UK (10), Germany and Australia (five each), and Japan and India (four each).
A Look at Supply Chain Attacks in 2024
The Cyble blog focused on eight attacks in particular, which varied in severity, from codebase hijacks affecting more than 100,000 sites to attacks that shut down essential services. Here are a few of those attacks:
jQuery: The July supply chain attack on the JavaScript npm package manager involved trojanized versions of jQuery, the popular JavaScript library. The attackers modified the legitimate jQuery code to exfiltrate sensitive form data from websites in an attack that hit multiple platforms and package names. The attack “underscored the urgent need for developers and website owners to verify package authenticity and scrutinize code for suspicious modifications to mitigate supply chain attacks.”
Polyfill: The late June attack hit over 100,000 websites, using a fake domain to impersonate the Polyfill.js library to inject malware that redirected users to sports betting or pornographic sites. “The attack highlighted the risks of using external code libraries and the importance of vigilance in website security,” Cyble researchers said. “The incident underscored the security implications of third-party scripts and the potential for malicious takeovers of widely deployed projects.”
Programming Language Breach: Threat actor (TA) IntelBroker, posting on BreachForums, claimed to have unauthorized access to a node package manager (npm) and GitHub account “pertaining to an undisclosed programming language,” along with access to “private repositories with privileges to push and clone commits.” Here is a screenshot of the claims:
CDK Global Inc.: On June 19, automotive dealership software provider CDK Global Inc. was hit by a ransomware attack that disrupted sales and inventory operations of many North American auto dealers for weeks, including large dealer networks such as Group1 Automotive Inc., AutoNation Inc., Premier Truck Group, and Sonic Automotive.
Access to More than 400 Companies: IntelBroker struck again on June 15, offering access to more than 400 companies compromised via “an undisclosed third-party contractor.” The data reportedly included access to Jira, Bamboo, Bitbucket, GitHub, GitLab, SSH, SFTP, DA, Zabbix, AWS S3, AWS EC2, SVN and Terraform. Open-source research based on the companies’ revenue and location suggested some of the biggest organizations involved could be Lockheed Martin Corporation, Samsung Electronics Co Ltd, General Dynamics, and Apple Inc.
Zero Trust and Resilience Help Control Supply Chain Risk
The Cyble researchers recommended a number of defenses against supply chain attacks, built around zero trust and cyber resilience principles and code security. These practices include
- Network microsegmentation
- Strong access controls
- A strong source of user and device identity and authentication
- Encryption of data at rest and in transit
- Ransomware-resistant backups that are “immutable, air-gapped and isolated as much as possible”
- Honeypots for early breach detection
- Secure configuration of API and cloud service connections
- Monitoring for unusual activity with SIEM, Active Directory monitoring, and data loss prevention (DLP) tools
- Routinely assessing and confirming controls through audits, vulnerability scanning and penetration tests
Secure Development and Third-Party Risk Management
Cyble also recommended code security best practices – both for developers and for partner and supplier audits – and threat intelligence services like Cyble that can help assess partner and vendor risk.
“Cyble’s third-party risk intelligence module evaluates partner security in areas such as cyber hygiene, dark web exposure, spoofing activities, and attack surface and network exposure, noting specific areas for improvement, while Cyble’s AI-powered vulnerability scanning capabilities can help you find and prioritize your own web-facing vulnerabilities,” the Cyble blog said.
“As more organizations make security a buying criterion, vendors will be forced to respond with better security controls and documentation,” the report concluded.