The 650% rise in targeted attacks was aimed mainly at supply chains. Supply chains were already suffering from vulnerabilities linked to the pandemic, and those vulnerabilities led to an influx of open-source software aimed at improving supply chains that the pandemic had forced to find new ways of operating. What quickly became apparent was that the supply chain software was anything but secure. The result was chaos for businesses and consumers alike. Below, we’ll look at what exactly happened and whether it was preventable.
The Sharp Rise In Open-Source Supply Chain Software Hacks
Many articles online detail the sharp rise in open-source supply chain software hacks. A 650% rise in supply chain software hacks alone is astronomical, and that doesn’t even factor in the typical yearly increase in cyber attacks that happens anyway. There are two direct links to the spike in supply chain software hacks: how the software was developed, and the pandemic. Application security best practices involve consistent patching and prioritizing remediation work, but with the time constraints of the pandemic, there simply wasn’t the time.
The other factor is the time pressure developers faced to build software that would facilitate an entire supply chain. Open-source was the natural choice because it enables mass collaboration, which in turn sped up the creation and distribution of the software. The result, however, was software with inherent security vulnerabilities that hackers latched onto. They did so by infiltrating the software packages and distributing malicious code throughout the supply chain.
The issue with open-source software packages is that they typically live in online repositories. Multiple businesses use the same supply chain software in a wide range of applications, so a compromised package in a repository becomes a reliable and scalable channel for malware distribution. In other words, hackers know they have multiple dependable entry points and can easily scale their attack across the entire supply chain.
The Widespread Rise In Cyberattacks
Open-source supply chain software hasn’t been the only target for cybercriminals; businesses and organizations fall victim to online attacks every day. On average, it’s around 30,000 attempts per day. One of the common entry points is phishing emails, so much so that many companies regularly carry out training to highlight the damage phishing emails can cause. Ransomware, for example, is often distributed via phishing emails. All it takes is one employee opening an email link they shouldn’t, and an entire system can be compromised.
Notably, the tech giant Acer fell victim to a phishing email scam that allowed ransomware to enter the company’s systems, with the attackers demanding $50 million to return operations to normal. Acer paid, but sensitive company data still leaked all over the internet. Another entry point is weak or leaked passwords. Ubisoft is an example of a company that recently took the precautionary measure of requiring all employees to change their passwords after a hack on their systems.
The result of a successful hack is chaos for businesses and consumers. As the $50 million ransomware payment Acer had to make shows, the financial damage is often heavy. Reputation is also at stake; many companies have to rebuild their reputation with consumers who may worry that their sensitive information will leak again.
Can They Be Prevented?
The increase in cyberattacks raises the question of whether they’re even preventable. Hackers now have access to sophisticated technology that can infiltrate even the most iron-clad software. One example lies within fintech technology that most of us now can’t live without: mobile banking. Hackers have developed technology that can send texts to online banking customers in the same message thread as their bank’s own texts, making it look as though the message has come from the bank.
That’s just one example of how advanced the technology now is. Still, there are some things that companies and consumers alike can do to protect sensitive information. Taking Ubisoft as the example, encouraging regular password changes and ensuring those passwords are strong enough that they can’t be easily guessed can prevent hacks.
Sometimes, prevention lies with developers and the software or applications they’re building. Taking the time to write robust code that is rigorously tested could have prevented many of the attacks on supply chain software.
Google’s Pledge To Improve Supply Chain Software
Many big tech giants are looking to secure supply chain software and give businesses and consumers the reassurance they need that hackers won’t infiltrate their systems. Google is one of those companies. An update on Google’s blog revealed that the company would soon be releasing access to the software packages it uses internally. The idea is that Google will give users access to security-vetted packages they can trust. That is, assuming Google knows what it’s doing when it comes to picking trustworthy software.
The service will preview at the end of 2022 and come into play at the beginning of 2023. It will launch on Google Cloud and is officially called Google’s Assured Open Source Software Service.
The sharp increase in open-source supply chain software attacks has plateaued somewhat, but more needs to be done to secure supply chains that now rely heavily on this software. With the introduction of services such as the one Google will soon offer, supply chains should recover and find new ways to secure themselves end to end.