What is a supply chain attack?

During a supply chain attack, attackers exploit third-party dependencies in order to infiltrate a target’s system or network.

What is a supply chain attack?

A supply chain attack uses third-party tools or services — collectively referred to as a ‘supply chain’ — to infiltrate a target’s system or network. These attacks are sometimes called “value-chain attacks” or “third-party attacks.”

By nature, supply chain attacks are indirect: they target the third-party dependencies that their ultimate targets rely on (often unknowingly). A dependency is a program or piece of code (often written in JavaScript) from third-party providers that enhances application functionality. A dependency used by an ecommerce retailer, for instance, might help run customer assistance chatbots or capture information about site visitor activity. Hundreds, if not thousands, of these dependencies can be found in a broad range of software, applications, and services that targets use to maintain their applications and networks.

In a supply chain attack, an attacker might target a cybersecurity vendor and add malicious code (or ‘malware’) to their software, which is then sent out in a system update to that vendor’s clients. When the clients download the update, believing it to be from a trusted source, the malware grants attackers access to those clients’ systems and information. (This is essentially how the SolarWinds attack was carried out against 18,000 customers in 2020.)

How is a supply chain attack carried out?

Before a supply chain attack can be carried out, attackers need to gain access to the third-party system, application, or tool they plan to exploit (also known as an “upstream” attack). This may be done by using stolen credentials, targeting vendors with temporary access to an organization’s system, or exploiting an unknown software vulnerability, among other methods.

Once access to this third-party dependency has been secured, the “downstream” attack — the attack that reaches the ultimate target, often via their browser or device — can be carried out in a variety of ways.

Returning to the previous example, the “upstream” attack occurs when the attacker adds malicious code to the software of a cybersecurity vendor. Then, the “downstream” attack is performed when that malware executes on end-user devices via a routine software update.

What are common types of supply chain attacks?

Supply chain attacks may target hardware, software, applications, or devices that are managed by third parties. Some common attack types include the following:

Browser-based attacks run malicious code on end-user browsers. Attackers may target JavaScript libraries or browser extensions that automatically execute code on user devices. Alternatively, they may also steal sensitive user information that is stored in the browser (via cookies, session storage, and so on).

Software attacks disguise malware in software updates. As in the SolarWinds attack, users’ systems may download these updates automatically — inadvertently allowing attackers to infect their devices and carry out further actions.

Open-source attacks exploit vulnerabilities in open-source code. Open-source code packages can help organizations accelerate application and software development, but they may also allow attackers to tamper with known vulnerabilities or conceal malware that is then used to infiltrate the user’s system or device.

JavaScript attacks exploit existing vulnerabilities in JavaScript code or embed malicious scripts in webpages that automatically execute when loaded by a user.

Magecart attacks use malicious JavaScript code to skim credit card information from website checkout forms, which are often managed by third parties. This is also known as “formjacking.”

Watering hole attacks identify websites that are commonly used by a large number of users (e.g. a website builder or government website). Attackers may use a number of tactics to identify security vulnerabilities within the site, then use those vulnerabilities to deliver malware to unsuspecting users.

Cryptojacking allows attackers to steal computational resources needed to mine cryptocurrency. They can do this in several ways: by injecting malicious code or ads into a website, embedding cryptomining scripts into open-source code repositories, or using phishing tactics to deliver malware-infected links to unsuspecting users.

How to defend against supply chain attacks

Any attack that exploits or tampers with third-party software, hardware, or applications is considered a supply chain attack. Organizations typically work with a variety of outside vendors, each of whom may use dozens of dependencies in their tools and services.

For that reason, it may be difficult, if not impossible, for organizations to completely insulate themselves from supply chain attacks. However, there are several strategies organizations can use to preemptively defend against common attack methods:

  • Run a third-party risk assessment: This may include testing third-party software prior to deployment, requiring vendors to adhere to specific security policies, implementing Content Security Policies (CSP) to control which resources a browser can run, or using Subresource Integrity (SRI) to check JavaScript for suspicious content.

  • Implement Zero Trust: Zero Trust ensures that every user — from employees to contractors and vendors — is subject to continuous validation and monitoring inside an organization’s network. Verifying user and device identity and privileges helps ensure that attackers cannot infiltrate an organization simply by stealing legitimate user credentials (or move laterally within the network if they do breach existing security measures).

  • Use malware prevention: Malware prevention tools, like antivirus software, automatically scan devices for malicious code in order to prevent it from executing.

  • Adopt browser isolation: Browser isolation tools isolate (or sandbox) webpage code before it executes on end-user devices, so any malware is detected and mitigated before it reaches its intended target.

  • Detect shadow IT:Shadow IT’ refers to applications and services employees use without the approval of their organization’s IT department. These unsanctioned tools may contain vulnerabilities that cannot be patched by IT, since they are unaware of their use. Using a cloud access security broker (CASB) with shadow IT detection capabilities can help organizations better catalog the tools their employees are using and analyze them for any security vulnerabilities.

  • Enable patching and vulnerability detection: Organizations that use third-party tools have a responsibility to ensure that those tools are free from security vulnerabilities. While identifying and patching every vulnerability may not be possible, organizations should still do their due diligence to find and disclose known vulnerabilities in software, applications, and other third-party resources.

  • Prevent zero-day exploits:* Often, supply chain attacks make use of zero-day exploits that have not been patched yet. While there is no foolproof method for anticipating zero-day threats, browser isolation tools and firewalls can help isolate and block malicious code before it executes.

*Stopping zero-day exploits is still a particularly challenging task for most organizations. In 2021, a zero-day vulnerability was discovered in Log4j, an open-source software library that helps developers log data within Java applications. This allowed attackers to infect and control hundreds of millions of devices, from which they then carried out further attacks, including ransomware attacks and illegal cryptomining. Read more about how Cloudflare defends against the Log4j vulnerability.

How does Cloudflare stop supply chain attacks?

Cloudflare Zero Trust helps thwart supply chain attacks by blocking access to potentially risky websites, preventing malicious uploads and downloads, and auditing the SaaS applications (both approved and unapproved) within your organization.

Cloudflare Zaraz is a third-party tool manager that loads applications in the cloud, so malicious code cannot execute on the end-user browser. Zaraz gives users visibility into and control over the third-party scripts that run on their sites, enabling them to isolate and block risky behavior.

FAQs

What is a supply chain attack?

A supply chain attack occurs when attackers exploit third-party tools or services to infiltrate a target's system or network. These attacks are indirect because they target the dependencies, such as programs or code snippets, that an organization relies on for its applications and services, rather than the applications and services themselves.

How is a supply chain attack carried out?

The process typically starts with an upstream attack, where the attacker gains access to a third-party system using stolen credentials or by exploiting software vulnerabilities. Once they have control, they launch a downstream attack by adding malicious code to the third-party tool, which then executes on the ultimate target’s devices through routine software updates or browser interactions.

What are some common types of supply chain attacks?

Common methods include:

  • Software attacks: Disguising malware within legitimate software updates

  • Browser-based attacks: Running malicious code on end-user browsers via JavaScript libraries or extensions

  • Magecart attacks: Using malicious scripts to steal credit card data from checkout forms

  • Watering hole attacks: Identifying and compromising websites frequently used by a specific group of users to deliver malware

Why is open-source code a risk for supply chain security?

Open-source packages help developers build applications faster, but they can also contain known vulnerabilities or concealed malware. Attackers may tamper with these packages to infiltrate any system or device that uses the affected code.

What is shadow IT, and why is it a security concern?

Shadow IT refers to applications and services that employees use without approval from their IT department. These unsanctioned tools are dangerous because they may have vulnerabilities that IT cannot patch or manage since they are unaware the tools are being used. This exposes organizations to supply-chain attacks from unexpected sources.

How does Cloudflare help organizations stop supply chain attacks?

Cloudflare Access blocks access to risky websites and audits both approved and unapproved SaaS applications. Additionally, Cloudflare Zaraz manages third-party tools by loading applications in the cloud, which prevents malicious scripts from executing directly on the user's browser.