
Software Supply Chain Attacks Are Up — What Does This Mean for Digital Banking?

November 12, 2021

If you’re an online business, highly organized hacker teams could be coming for your code. Software supply chain attacks on public and private codebases surged by an astonishing 650% in 2021. That’s a serious threat for digital banks and credit unions, especially since it comes at a time when they are pushing ahead with digital transformation to keep up with end-user demand. Find out how software supply chain attacks evolve, know the risks, and learn how financial institutions can protect themselves. 

What Are Supply Chain Attacks?

Unlike denial-of-service (DoS), phishing, or malware attacks, which directly target a vulnerable network, software supply chain attacks target the less secure elements in the supply chain as a whole. That could be anywhere from the software vendor’s codebase to their customer’s network to actual hardware, for example, a compromised ATM. The goal is the same — to wreak havoc, demand a ransom, or compromise secure accounts — but the route is more circuitous (and harder to detect). 

The Cybersecurity and Infrastructure Security Agency (CISA) identifies three types of software supply chain attack:

Hijacking updates

Software vendors regularly distribute updates and patches from central servers to their customers. If attackers can insert malware into one of these updates, the vendor's own distribution channel delivers it to every customer that installs it, potentially giving the attackers control over those networks. In 2017, for example, Russian hackers hijacked the update mechanism of a popular tax accounting software package used in Ukraine, causing widespread instability.

Undermining code signing

Code signing is meant to guarantee the identity of the publisher and the integrity of the code. Attackers undermine it by self-signing certificates that would otherwise vouch for the vendor, and then hijack the software update process, inserting malicious code as if they were the vendor. This only succeeds where the update client accepts any plausible-looking signature instead of one that chains to the vendor's pinned key, which is why update verification, not just the presence of a signature, matters.

Compromising open-source code

Hackers insert malicious code into publicly accessible open-source code libraries. Developers pull these libraries into the third-party platforms they build; in fact, over 85% of enterprise software codebases use open-source components. One technique hackers use is "typosquatting": publishing bogus libraries whose names look almost identical to trusted ones (a transposed or swapped letter is enough), so that a developer who mistypes a dependency name pulls malicious rather than legitimate code into their platform.
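As an added defensive illustration (not code from the page or from CISA), the Python script below compares the package names in a requirements file against a constructed allowlist of packages a team knows it uses and flags any name that is only a couple of edits away from a trusted one; the allowlist, the sample requirements file and the edit-distance threshold are assumptions.

```python
"""Flag dependency names that look like typosquats of trusted package names."""
import re

# Constructed allowlist: packages this (hypothetical) team actually depends on.
TRUSTED = {"requests", "urllib3", "cryptography", "PyJWT", "sqlalchemy"}

# Constructed requirements.txt body used as sample input.
SAMPLE_REQUIREMENTS = """\
# constructed sample for the example
requests==2.26.0
reqeusts==2.26.0      # one transposition away from requests
urllib3>=1.26
PyJWT[crypto]==2.3.0
crypt0graphy==36.0.0  # digit '0' substituted for the letter 'o'
numpy==1.21.4         # not trusted, but not near any trusted name either
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance to a trusted name is the typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """PEP 503 name normalization so 'PyJWT', 'pyjwt' and 'py_jwt' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def check_requirements(text: str, trusted=TRUSTED, max_distance: int = 2) -> dict:
    """Sort each requirement into ok / suspicious / unknown.
    suspicious: not on the allowlist but within max_distance edits of a trusted
    name (returned as (name, [nearest trusted names])); unknown: needs review."""
    trusted_norm = {normalize(t) for t in trusted}
    result = {"ok": [], "suspicious": [], "unknown": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        # Strip version specifiers, extras and markers to get the bare name.
        name = normalize(re.split(r"[<>=!~\[; ]", line, maxsplit=1)[0])
        if name in trusted_norm:
            result["ok"].append(name)
            continue
        near = sorted(t for t in trusted_norm if levenshtein(name, t) <= max_distance)
        (result["suspicious"].append((name, near)) if near
         else result["unknown"].append(name))
    return result
```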

The ingenuity of these attacks stems from the fact that software vendors are typically trusted sources within the supply chain. Most organizations, including banks and credit unions, are primarily focused on keeping cyberattackers outside their firewall. Few will suspect that the threat could arrive through a trusted channel from within.

Why Financial Institutions Are at Risk

The key feature of supply chain attacks, which fall under the category of advanced persistent threats (APTs), is that they take considerable time and dedication to execute. That means they usually come from organized, technically skilled teams, not lone hackers looking to exploit third-party weaknesses.

For banks and credit unions, which traditionally invest the bulk of their manpower and IT budget in securing their perimeters, exposing rogue code lying dormant in the supply chain is an extra challenge to take on. Nevertheless, financial institutions are particularly vulnerable because they rely heavily on privileged access to run third-party software. Since these tools (such as antivirus software, remote access software, etc.) need to communicate regularly with both the vendor network and end-user device, hackers have a compelling opportunity and incentive to pounce. In some cases, hackers will deliberately interrupt network communications to leave customers without a critical security patch. 

What Financial Institutions Can Do

Today, any online business needs to communicate digitally with a network of vendors, end users, and third-party partners on an ongoing basis. That is increasingly true for banks and credit unions, which are on a mission to move away from on-premises legacy IT toward the cloud-based mobile services their end users demand. The specific challenge for financial institutions is that their IT and cybersecurity resources are already stretched thin, particularly in addressing regulatory and compliance requirements.

The Priorities for Banks and Credit Unions

  • Implement a documented vulnerability management program that includes technical reviews of vendor security control design and of their fourth-party vendor dependencies.
  • Implement robust supply chain management systems (if not already in place), which include regular, authenticated software updates and restricted privileges and access for all software components.
  • Perform an audit of shadow IT (software that is installed without explicit approval), then review current and future software licenses to remove any redundant or out-of-date software.
  • IT managers need a complete inventory of software licenses held by the organization and visibility of the support offered by the software vendor for each license.
  • Crucially, supplier risk should be treated as an ongoing threat, not a concern to address only at the beginning of the vendor relationship.

Remember that supply chain attacks may take months to succeed and lie undetected for long periods. That’s all the more reason why banks and credit unions need to focus on partnering with secure cloud platforms from a trusted financial institution.  

References:

CISA – Defending Against Software Supply Chain Attacks

ENISA – Understanding the Increase in Supply Chain Security Attacks