Attacking the supply chain - should your business be worried?


In 2018, supply chain attacks became a common occurrence in headlines covering some of the biggest data breaches to date.  

Just recently, we saw major enterprises such as British Airways, Ticketmaster, and Newegg breached by the hacker group Magecart. These skimming attacks abused third-party scripts running on the companies' checkout pages and let the attackers harvest the details of over 420,000 payment cards.

Common supply chain attack objectives

Attackers usually pursue one of four objectives. The first is a loss of confidentiality: a third party gains unauthorised access to information. The second is an attack on integrity: the attacker causes the system to malfunction so that the end user can no longer trust the information or the information system, or induces the user to do something unintended (a form of friendly fire). The third is a loss of availability: the system, information or resource is unavailable when it is needed. The fourth is misuse of resources: the compromised asset is turned to illegitimate, potentially harmful ends, such as violating the confidentiality, integrity or availability of other systems that trust it.

Unlike typical cyber attacks, supply chain attacks give attackers two major advantages. First, a single supply chain attack can hit many companies at once, since they all use the same code dependencies, so the potential return on investment is far higher. Second, supply chain attacks can slip past perimeter defences: they are usually initiated by an embedded change to a component that the system trusts by default, and an approved delivery mechanism such as a software update or a CDN-hosted script then carries the malicious change into production without arousing any suspicion from network defenders.

It may seem surprising that big companies rely on third-party tools for their own applications. However, using third-party code has become the status quo in today's fast-paced, highly competitive digital landscape. Current statistics indicate that two-thirds of the average web application's code comes from third parties. While this lets development teams bring highly advanced apps to market in record time, it poses a major security challenge for companies.


Third-party tool providers lack enterprise-grade security 

Third-party providers rarely have enterprise-grade security, yet their code runs with the same permissions as the code companies develop in-house: a script loaded from a vendor's servers into a checkout page can read form fields, the DOM and cookies exactly as first-party code can. That is the logic of supply chain attacks: go after the weakest link in the software development chain to breach high-profile targets. To an attacker, breaching 1,000 high-profile companies one by one is far less attractive than breaching a small vendor (or even an independent developer) and tampering with its code, which infects thousands of big companies in a single stroke.

Enterprises must do better to prevent supply chain attacks. For decades, companies have directed security budgets into protecting the perimeter and backend of their web assets. However, compromised third-party code is invisible to perimeter defences and can go live without any detection. Attacks such as Magecart skimmers, malicious crypto miners or credential-stealing browser extensions reach end users by hijacking the client side of applications. And yet client-side security has long been an afterthought, so most companies do not detect a breach until months later.

Simply trusting third-party providers to meet the required security standards is not the answer either. Looking across the supply chain attacks to date, the magnitude of each breach tracks the time the company took to detect it, and the breached companies had no visibility into what was happening on the client side of their own applications.

With supply chain attacks increasing in both frequency and magnitude, it is time for enterprises to apply defence in depth to the client side. There must be a focus on auditing third-party code (what it does, and whether it has changed since it was reviewed) and on real-time monitoring of the webpage. With complete client-side visibility, enterprises can detect malicious client-side injections such as Magecart as they happen, contain the attack, and keep users' data untouched.

We recently celebrated Data Protection Day. However, we should always be spreading awareness of the importance of users' rights to the protection and privacy of their personal data. As end users, we should know the best practices that keep our data safe. As companies, it is our duty to employ effective measures that prevent attackers from using our web assets as a vehicle to steal users' personal information.

Pedro Fortuna, CTO and Founder at Jscrambler

