What is a software supply chain attack?
A software supply chain attack compromises a software vendor’s product so that the vendor’s own distribution channel delivers the attacker’s code. The attacker inserts malicious code into a software component, for example by tampering with the vendor’s build system, so that the code is compiled into a legitimate-looking package update. The vendor then distributes the compromised update to its customers through its normal update mechanism. Because the update arrives through the trusted channel, and may even carry the vendor’s legitimate code signature, customers install it as a routine update to software they already run. The update becomes the attacker’s vehicle into the IT environments of every customer who installs it, without any of those customers having to be targeted individually.
The most prominent recent examples are the SolarWinds Orion attack and the attack on Kaseya’s Virtual System Administrator (VSA) software. Both products are used by companies to monitor and manage their IT environments, so both run with broad privileges across the networks they manage. In December 2020, it was discovered that attackers had compromised SolarWinds’ build process and inserted malicious code into Orion software updates. The trojanized updates were digitally signed by SolarWinds and were installed by thousands of customers, including US government agencies; the attackers then selected a much smaller set of those victims for follow-on intrusion. The apparent aim was espionage and theft of intellectual property. In July 2021, attackers exploited previously unknown vulnerabilities in Internet-facing VSA servers operated by managed service providers (MSPs) and used VSA’s own remote-management functionality to push a malicious payload, disguised as a routine agent hotfix, to the endpoints those MSPs managed. Approximately 60 MSPs were affected directly, and the payload deployed REvil ransomware on the systems of over 1,000 downstream companies. Although no malicious code was inserted into Kaseya’s own software release, the incident is counted as a supply chain attack because a trusted management tool became the distribution channel for the ransomware.
What does a managed service provider do?
A managed service provider (MSP) delivers and operates services such as networking, applications, infrastructure, and security for its customers on an ongoing basis, with regular support and active administration. The services may run on the customer’s premises, in the MSP’s own data center (hosting), or in a third-party data center, and MSPs often host an organization’s data as well as its systems. To do this, an MSP holds privileged, persistent remote access to each customer’s environment, which is why a compromise of an MSP, or of the remote-management software it relies on, can cascade to every customer it serves.
What factor did trust play in these incidents?
What is the cost to compromised organizations?
Some of the ways to protect your organization
These are simplified explanations of some (but not all) of the steps you should be taking. For more detail on how to protect yourself and your customers, be sure to watch our Supply Chain Cyber Attack webinar.