How Do Supply Chain Attacks Work?
Suppliers and third-party partners are often the weakest link in an organization’s cybersecurity, so a company’s security posture depends heavily on its external partners. Supply chain attacks, which reach a specific target by first compromising partners and suppliers upstream of it, are hard to detect and frequently overlooked. According to a recent report, supply chain attacks have increased in frequency by 300%. ENISA notes that 66% of such attacks focus on compromising a software supplier’s code in order to reach its customers. These alarming numbers are causing a lot of sleepless nights as customers ponder what to do once attackers breach their suppliers.
Attackers use supply chain attacks to infiltrate a target through third parties and suppliers that already have access to its systems. It is a highly effective method because most businesses depend on multiple suppliers and partners to run critical daily operations. Supply chain attacks give cybercriminals a way to breach organizations with hardened defenses by going through their less protected suppliers instead. Because the malicious code arrives through a trusted channel, it is also hard to anticipate, which leaves traditional perimeter-focused defenses insufficient on their own.
In other words, supply chain attackers exploit the mutual trust and relationships built between partner companies to compromise organizations that otherwise observe cybersecurity best practices. For a supply chain attack to work, the attackers must first identify a weak link in the chain, which may be one of your organization’s vendors or trusted partners. They then exploit that partner’s weaker security controls to inject malicious code into its products, networks, or systems and maintain backdoor access. The injected code can grant the attackers specific permissions, which they abuse to compromise the vendor’s customers.
The Dynamics of the Firmware Supply Chain
Firmware supply chain attacks are incredibly damaging. If a device ships with firmware containing injected code, the attack unfolds the moment it boots. Firmware runs before the operating system loads, so malicious code in it executes beneath the OS and its security controls, exposing the entire system to persistent compromise, data exfiltration, or the remote installation of further malware such as ransomware.
Additionally, firmware supply chain attacks are hard to detect without specialized security tooling and expertise to monitor the firmware layer. Unfortunately, they are increasing rapidly because the firmware supply chain is highly complex and involves many contributors. The firmware of a single computing device may combine components from several vendors: it is typically a multi-sourced product drawing on original design manufacturers, original equipment manufacturers, several open-source repositories, and component vendors. As a result, fixing a vulnerability can be a lengthy process before a working patch reaches customers. A patch may take six to nine months or more to roll out, which leaves supply chain attackers a wide window in which to exploit the flaw.
Meanwhile, with CISOs barely managing to protect their companies from numerous, continuously evolving threats, firmware vulnerabilities are a lot more to contend with. Yet people, departments, and organizational units connect devices such as printers, mobile phones, security cameras, and VPN appliances to internal networks every day, and each of them runs firmware that an attacker could have tampered with upstream before it ever reached the organization.
Currently, firmware supply chain attacks are becoming a preferred technique for attackers looking to steal sensitive information such as intellectual property and trade secrets. Nation-state actors in particular leverage firmware supply chain attacks to steal sensitive information from militaries and corporations. Recent incidents such as the SolarWinds hack, in which attackers compromised the vendor’s build process so that a trojanized software update reached thousands of organizations at once, illustrate the same pattern: a single upstream compromise reaches every customer that installs the poisoned code. Although SolarWinds involved software rather than firmware, the mechanism, and the blast radius, are the same.
Why do these attacks matter?
A new report revealed that many organizations, especially in the financial sector, are overwhelmed when addressing firmware security in the supply chain. 92% of the CISOs in the study said they believe cyber adversaries weaponize firmware in the supply chain using advanced techniques that their security teams cannot defend against. The same study found that three out of four CISOs acknowledge that their organizations lack awareness of their firmware security blind spots. It is therefore no surprise that 88% of the organizations surveyed have experienced a firmware-related attack since 2021.
These findings illustrate that firmware threats in the supply chain are hard to detect and defend against. They also matter because firmware is the foundation on which every higher layer of security rests. If attackers compromise the firmware, an organization’s elaborate defensive measures above it may not protect it at all: an attacker who controls a machine’s firmware can use that machine as a gateway to bypass security systems and gain unauthorized access to enterprise data.
In 2022, the US Departments of Commerce and Homeland Security released a report containing the findings of an assessment of critical infrastructure supply chains. It concluded that firmware vulnerabilities create a single point of failure in affected devices, one that could enable enterprise-wide attacks on networks and information systems.
Hence, as businesses invest heavily in security tools to protect their applications, databases, and networks, they must remember that a strong cybersecurity foundation begins with securing the firmware.
Stronger Firmware Security: not just necessary - it's a priority
A firmware supply chain attack takes effect once a compromised device is deployed, so it is vital to analyze the firmware of new devices before connecting them to the network. The process involves comparing the device’s firmware image against a known-good image (or the vendor’s published hashes and signatures) for the same model and version, so that anomalies and injected code stand out.
However, since attackers can compromise the vendor itself rather than individual firmware images, a known-good reference obtained from that vendor may itself be tainted, and a hash comparison alone will not reveal it. Applying several independent analysis methods increases the odds of identifying a compromise. For example, static analysis of the extracted image (embedded strings, certificates, unexpected executables, known-malicious signatures), combined with running the image in an emulator to observe its behavior, can pinpoint malicious activity that a simple comparison misses.
More importantly, you can reduce the likelihood of suffering a firmware supply chain attack by knowing every supplier involved in developing the firmware you run.
The following questions can provide deeper insights into the firmware supply chain:
- Do you perform secure code reviews?
- How do you protect data at rest and in motion?
- Do you perform external and internal penetration testing?
- What are your security best practices for implementation that we should follow?
- Do you have internal processes and reviews of your vendors who may have access to your data?
About Pulsar Security
Pulsar Security is a team of highly trained and qualified ethical hackers whose job is to leverage cybersecurity experience and proprietary tools to help businesses defend against malicious attacks. Pulsar is a Veteran, privately owned business built on vision and trust, whose leadership has extensive military experience enabling it to think strategically and plan beyond the problems at hand. The team leverages offensive experience to offer solutions designed to help analyze and secure businesses of all sizes. Our industry experience and certifications reveal that our engineers have the industry's most esteemed and advanced on the ground experience and cybersecurity credentials.
Corey Belanger
Corey is a Security Consultant and leads QA of product development, using his expertise in these dual roles to more effectively test and secure applications, whether while building enterprise applications or while performing penetration tests and vulnerability assessments for customers. An Army veteran with a tour of duty in Afghanistan, Corey has built a post-military career in security while earning Network+, Security+, GIAC Certified Incident Handler, GIAC Python Coder, GIAC Web App Penetration Testing, and GIAC Penetration Tester certifications. Corey is also a BsidesNH organizer and founding member of TechRamp, avenues which he uses to help others build their skills for careers in security and technology. Fun Fact: When not manning a terminal or watching the Bruins, Corey can often be found snowboarding or riding his motorcycle.