Can a website be vulnerable to a supply chain attack?

Cyber attack + blog + Website security Z. Oualid todayOctober 11, 2021

Background
share close

Over the last few years when supply chain attacks have become the main type of attacks used by hackers to penetrate systems, I’ve got a lot of questions about it from my clients. One of the most common questions about this attack was, can a website be vulnerable to a supply chain attack?

Websites are the most vulnerable kind of software to a supply chain attack. In fact, most websites are usually developed by third-party companies. Those companies are usually small or medium ones that do not take the security aspects of their network seriously.

In this blog post, I will explain why websites are so vulnerable to supply chain attacks with realistic examples and how you can protect your website from them.

What makes websites vulnerable to a supply chain attacks?

Before we start talking about what makes a website vulnerable to this attack, I would like to first explain what a supply chain attack is. A Supply chain attack happens when at least one of the company’s suppliers or service providers gets hacked, and then this hack is used by the attacker to target the client.

Websites are the most kind of software that gets subcontracted by big companies. Unfortunately, most companies do not take seriously the security aspect of their websites, and those who care about security only check the software development security best practices.

However, in supply chain attacks the hacker does not look for the source code vulnerabilities. The idea is to find vulnerabilities in the supplier’s network to try to infiltrate it and then put backdoors in your website source code.

Most small companies do not take security seriously, not because they don’t care but, it is just because they don’t have the right budget to put in place a good security plan.

Basically, all kind of subcontracted software is vulnerable to supply chain attack, the only thing that makes websites the most vulnerable type is the fact it is the most subcontracted kind of software. Even companies that have no software to work with, may at least buy a website for their business.

In my opinion, the most vulnerable type of website that can easily be vulnerable to a supply chain attack is the one based on a CMS. The reason behind this is that most of those CMS-based websites use multiple plugins from multiple suppliers that could easily be victims of a cyber-attack.

Some statistics about supply chain attacks happened between 2020 and 2021

Detecting a supply chain attack is really a very difficult and complex task to do and it may take a lot of time before it gets successfully discovered. Moreover, classifying an attack as a supply chain attack is even more complex and will require additional investigations.

According to a report performed by the European Union Agency for Cyber Security (ENISA), between 2020 and 2021, 24 supply chain attack was reported.

62% of those attack was performed using a malware infection and exploited the trust relationship between the supplier and the client.

According to the same report in 66% of the supply chain attack that has occurred between 2020 and 2021, the supplier didn’t even know how they’ve got hacked. In addition, only 9% of the clients that was a victim of this attack did not know how they got compromised. This shows the gap in terms of information security between the service provider and the client and explains the increase in the number of supply chain attacks in the last few years.

How supply chain attack occur?

Supply chain attacks occur in two steps. The first one happens when the company’s supplier gets hacked and the second one is when the client gets hacked. This type of attack takes a long time to be successful which a lot of patience. In addition, the supply chain attacks require a lot of money to be performed which therefore can only be used if the target is worth it.

To perform the first step which is attacking the supplier, attackers usually use one of the following techniques:

  • Infecting the supplier systems with a malware
  • Use social engineering to penetrate the network, as usually most companies does not invest in educating their employees about information security problems.
  • Exploiting known and unknown software vulnerabilities
  • Exploiting configuration vulnerabilities.

Once the attacker is in the supplier network, he tries to gather as much information as possible about his real target which is the client. The idea here is to correctly prepare for his next step, which is infiltrating the client’s network.

To penetrate the client systems, the attacker usually exploits at least one of the following things, which usually exists between a service provider and his clients:

  • Trusted relationships, for example in some situation client give the software development company a test environment into their own network to better try the application before implementing it in the final production environment. This access can easily be exploited by the attack to spread his malware or to put some backdoors.
  • Inject malicious source codes in a legitimate one to infect the final application and steal the client user’s data.
  • Performing a phishing campaign from the supplier environment. Having access to the supplier network usually means a full control over the messaging server.

Other attack techniques could also be used in a supply chain attack for both attacking the supplier and the client. However, in the blog post, I tried to focus only on the most commonly used ones.

How can you protect your website from supply chain attacks?

As I said, detecting a supply chain attack is a very complex task that requires both advanced skills and big budgets. In addition, most of those attack exploits the trust relationship that is established between the supplier and his client, which make it even harder to stop.

However, here are some recommendations that you need to follow to at least reduce the risk of being a victim of a supply chain attack:

  • When we speak about quality of service and the pricing, people usually tend to go with the cheaper prices. However, this strategy always lead to a less secure products with multiples vulnerabilities that can easily be victim of a supply chain attack. Therefore, try to make a sort of balance between the budget you have and the level of security you need for your website.
  • Do not make a bland trust into your service provider, always check the products you acquire to ensure no backdoors are on it.
  • It is preferred that you create a test environment outside the actual production one.
  • Keep monitoring your website
  • Ask your service provider to respect to at least implement basic security best practices.
  • Educate your team about this attack and all security problems (phishing, social engineering …)
  • Perform a security code review, whenever you perform an update.

Written by: Z. Oualid

Rate it

About the author
Avatar

Z. Oualid

I am a Cyber Security Expert, I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE which are the most recognized and hard technical certifications in the industry of cybersecurity. I am also a Certifed Ethical hacker (CEH). I hope you enjoy my articles :).


Previous post
XDR without siem

todayOctober 5, 2021

close

blog Z. Oualid

Can XDR survive outside of SIEM?

The XDR technology is one of the most confused not well-defined solutions that actually exist in the market. This technology has evolved from EDR and NDR to reach some SIEM ...


Similar posts

Post comments (0)

Leave a reply

Your email address will not be published. Required fields are marked *