The 650% increase in targeted attacks fell primarily on supply chains, which were already suffering from pandemic-related vulnerabilities. Those vulnerabilities led to an influx of open-source software aimed at improving supply chains that the pandemic had forced to find new ways to operate. It quickly became apparent that this supply chain software was anything but secure. The result has been chaos for businesses and consumers. Below we look at what exactly happened and whether it was preventable.
The sharp rise in open source supply chain software hacks
Numerous articles online detail the sharp increase in open source supply chain software hacks. A 650% increase in supply chain software hacks alone is astronomical, and that’s not even taking into account the typical annual increase in cyberattacks that happens anyway. Two factors are directly linked to the spike: how the software was developed and the pandemic. Application security best practices involve consistent patching and prioritization of remediation operations, but under the time constraints of the pandemic there just wasn’t the time.
The other factor is the time constraints – and the pressure that developers face – to develop software that would facilitate the entire supply chain. Open-source was the natural choice because it facilitates mass collaboration, which, in turn, contributed to the rapid creation and distribution of software. The result, however, was software with inherent security vulnerabilities that hackers latched onto. They did this by infiltrating software packages and distributing malicious code throughout the supply chain.
The problem with open source software packages is that they usually reside in online repositories. Multiple companies use the same supply chain software in a wide range of applications, which means repositories become a reliable and scalable channel for malware distribution. In other words, hackers know that a repository is a reliable channel with multiple entry points, and that an attack planted there can easily scale across the entire supply chain.
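Because the repository is the distribution channel, the consumer-side check is to compare every downloaded artifact against a digest recorded when the dependency was reviewed. The sketch below is an added example, not code from any project named in this article; digest pinning is a control the article does not itself name, and the package names and file contents are constructed for illustration.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def audit_artifacts(lock: dict, fetched: dict) -> dict:
    """Compare fetched artifacts with pinned digests.

    lock:    {filename: sha256 hex recorded at review time}
    fetched: {filename: bytes as downloaded from the repository}
    Returns {filename: "ok" | "mismatch" | "unpinned" | "missing"}.
    """
    report = {}
    for name, blob in fetched.items():
        expected = lock.get(name)
        if expected is None:
            # Arrived from the repository but was never reviewed or pinned.
            report[name] = "unpinned"
        elif hmac.compare_digest(sha256_hex(blob), expected.lower()):
            report[name] = "ok"
        else:
            # Same name and version, different bytes: replaced upstream or in transit.
            report[name] = "mismatch"
    for name in lock:
        if name not in fetched:
            report[name] = "missing"
    return report

def safe_to_install(report: dict) -> bool:
    # Fail closed: anything other than a verified artifact blocks the install.
    return all(status == "ok" for status in report.values())

# Constructed sample data (hypothetical package names and contents).
GOOD = b"def ship(order):\n    return order\n"
TAMPERED = GOOD + b"# constructed stand-in for injected code\n"
ROUTE = b"routeplan release bytes"
LOCK = {
    "shiptrack-1.4.2.tar.gz": sha256_hex(GOOD),
    "routeplan-0.9.0.tar.gz": sha256_hex(ROUTE),
    "labelprint-3.1.0.tar.gz": sha256_hex(b"labelprint release bytes"),
}
FETCHED = {
    "shiptrack-1.4.2.tar.gz": TAMPERED,      # bytes differ from the pin
    "routeplan-0.9.0.tar.gz": ROUTE,         # matches the pin
    "helper-utils-2.0.0.tar.gz": b"extra",   # not in the lock file
}

if __name__ == "__main__":
    result = audit_artifacts(LOCK, FETCHED)
    for name in sorted(result):
        print(f"{result[name]:9} {name}")
    print("install allowed:", safe_to_install(result))
```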
The general increase in cyberattacks
Open source supply chain software hasn’t been the only target of cybercriminals – businesses and organizations are victims of online attacks every day. On average, it’s about 30,000 attempts per day. Phishing emails are one of the most common entry points, so much so that many companies run regular training sessions to highlight the problems that phishing emails can cause. Ransomware, for example, is often distributed using phishing emails. All it takes is one employee opening an email link they shouldn’t, and an entire system can be compromised.
Notably, the tech giant Acer fell victim to a phishing email scam that let ransomware into the company’s systems, with a demand for payment of $50 million to resume normal operations. Acer paid, but the company’s sensitive data was still leaked all over the internet. Another entry point is weak or leaked passwords. Ubisoft is an example of a company that took the precautionary step of requiring all employees to change their passwords after a recent hack into its systems.
The result of a successful hack is chaos for businesses and consumers. As the $50 million ransom that Acer had to pay shows, the financial damage is often heavy. Reputation is also at stake; many companies need to rebuild trust with consumers who may fear that their sensitive information will leak again.
Can we prevent them?
The increase in cyberattacks calls into question whether they can be prevented. Hackers now have access to sophisticated technology that can infiltrate even the most hardened software. One example involves the fintech service that most of us can no longer live without: mobile banking. Hackers have developed technology that can send text messages to online banking customers in the same message thread as their own bank’s texts, making the message appear to be from the bank.
This is just one example of the current state of technology. Still, there are some things businesses and consumers can do to protect sensitive information. Using Ubisoft’s example, encouraging regular password changes and ensuring those passwords are strong enough to not be easily predicted can prevent hacks.
Sometimes prevention falls on developers and the software or applications they develop. Taking the time to write robust, rigorously tested code could have prevented many of the attacks that have occurred on supply chain software.
Google’s commitment to improving supply chain software
Many big tech giants are looking to secure supply chain software and provide businesses and consumers with the assurance they need that hackers won’t infiltrate the system. Google is one such company. An update on Google’s blog revealed that the company will soon release access to the software packages it uses within Google. The idea is that Google will give users access to secure apps they can trust. That is, assuming Google knows what it’s doing when it comes to choosing reliable software.
The release of the software will be previewed in late 2022 and will go live in early 2023. It will launch on Google Cloud and is officially called Google’s Assured Open Source Software Service.
The surge in open-source supply chain software attacks has leveled off somewhat, but more needs to be done to secure supply chains that now rely heavily on software. With the introduction of services such as those Google will soon offer, supply chains are expected to recover and find new ways to secure the entire supply chain.