Dive Brief:
- The software supply chain is increasingly targeted by cyber bad actors, according to security researchers at Microsoft in the company's most recent Security Intelligence Report.
- Attackers will target both software developers and suppliers in an attempt to gain access to source code, update processes or internal servers. The goal is to get their malware into a software application that will be deployed to multiple users. Once the software is on a system, so is the malware, with all of the same permissions.
- "Supply chain concerns went beyond apps and into the cloud and included malicious browser extensions, compromised Linux repositories, and multiple instances of back-doored modules. To address this threat, organizations are moving towards a transparent and trusted supply chain model," Diana Kelley, Microsoft Cybersecurity Field CTO, said in the report.
Dive Insight:
Once software is compromised, it can make its way into other software that's more widely deployed. This is what happened in the case of a common PDF editing application, according to Microsoft.
"Unknown attackers compromised the shared infrastructure in place between the vendor of a PDF editor application and one of its software vendor partners, making the app’s legitimate installer the unsuspecting carrier of a malicious payload," Microsoft wrote last year, adding that the "app vendor’s systems were unaffected. The compromise was traceable instead to a second software vendor that hosted additional packages used by the app during installation."
This wasn't the work of a nation-state or a savvy cyber hacker, but "petty cyber criminals trying to profit from coin mining using hijacked computing resources," Microsoft said.
There is a lot of trust in the world of technology. If software meets a business's needs, that business will likely buy it and trust that, as long as it is updated and patched on a regular basis, it will be safe. Software supply chain attacks try to take advantage of this trust, Microsoft said.
"By poisoning software and undermining delivery or update infrastructures, supply chain attacks can affect the integrity and security of goods and services that organizations provide," the report said.
Microsoft does offer some best practices for software developers to follow. Software updates for operating systems should be installed as soon as possible, and multi-factor authentication should be required for admin privileges. Secure Sockets Layer (SSL) and digital signatures should also be important parts of the software development process, Microsoft recommends. But it will also be important to check in on current software suppliers to make sure they are practicing safe cyber.
"We recommend reviewing your IT outsourcing contracts and service level agreements (SLAs) as well as supply chain vendors to ensure they are compatible with rapid security response," Microsoft said.