What is a software supply chain attack?
A software supply chain attack involves the infiltration and corruption of a software company’s product. The attacker inserts malicious code into a software component that is then compiled into a software package update. The compromised package is subsequently made available to the software provider’s customers as an update to the package they are currently using. The update then becomes the vehicle the hackers use to penetrate the IT environments of the software company’s customers.
The most recent examples of these kinds of attacks include the compromises of SolarWinds’ Orion software and Kaseya’s Virtual System Administrator (VSA) software. Both software packages are used by companies to monitor and manage their IT environments. In December 2020, it was discovered that hackers had inserted malicious code into an Orion software update that was subsequently distributed to hundreds of companies and government agencies. The apparent aim was theft of intellectual property and espionage. In July 2021, it was discovered that hackers had infiltrated Kaseya’s systems and inserted malicious code into a VSA software update. This update was distributed to approximately 60 managed service providers (MSPs), allowing the hackers to insert malicious changes and infect over 1,000 companies with ransomware.
What does a managed service provider do?
A managed service provider delivers services, such as network, application, infrastructure, and security, via ongoing and regular support and active administration either on customers’ premises, in their own data center (hosting), or in a third-party data center. MSPs often provide hosting for an organization’s data as well as its systems.
What factor did trust play in these incidents?
What is the cost to compromised organizations?
Some of the ways to protect your organization
These are simplified explanations of some (but not all) of the steps you should be taking. For more detail on how to protect yourself and your customers, be sure to watch our Supply Chain Cyber Attack webinar.
The content and opinions represented here should not be relied upon or construed as legal, financial and/or medical advice.
The law is changing literally every single day and can vary from state to state and even city to city. Please consult with your own Legal, HR and Finance resources and consider state and local law variations before making any policy or procedure changes.