Cyber Insights 2024: Supply Chain 

Supply chain security insights: A successful attack against a supplier can lead to multiple opportunities against the supplier’s downstream customers.

SecurityWeek’s Cyber Insights is an annual series discussing the major pain points for cybersecurity practitioners. These pain points differ year by year in line with the evolving cyber ecosphere: this year we include discussion on current pressures on the role of CISO, including the new SEC liability rules. Overall, Cyber Insights 2024 talks to hundreds of industry experts from dozens of companies covering seven primary topics. The purpose is to evaluate what is happening now, and to prepare for what is coming in 2024 and beyond.

Supply Chain Cybersecurity Insights | 2024

The supply chain threat has been growing for many years. It is simply good criminal business. A single success against a supplier can lead to multiple opportunities against the supplier’s downstream customers. To make things easier for the attacker and harder for the downstream defenders, the supplier is often smaller and less well defended than the larger customer. It is a single door into multiple treasuries.

This threat will continue to grow. 

Government is responding, and the charge is being led by CISA with SBOMs, security by design initiatives, and the CISA OSS security roadmap. The scene is set for a battle royal, with only one side obeying the rules, starting in 2024 and probably continuing for years to come. 

The battlefield

Complexity of the supply chain

Businesses rely on third parties to deliver ready-made solutions. This is faster and more cost-effective than developing their own solutions. That third party may be the original developer or just another link in the chain – like a SaaS or MSS provider. Those links will have their own supply chain.

“The interconnections within supply chains introduce a layer of complexity, raising the probability of undiscovered vulnerabilities that attackers can exploit,” says Neeraj Singh, senior security researcher at WithSecure.

“This growing complexity and interconnectivity of global supply chains, and the rapidly expanding digital ecosystem attack surface with more potential vulnerabilities, provides an increased incentive for attackers to target this. Successful attacks can yield significant financial or informational gains,” adds KPS Sandhu, global head of strategic initiatives with the cybersecurity business group at TCS.

Demi Ben-Ari, CTO and co-founder at Panorays, continues, “Global expansion, diverse sourcing, and complex logistics contribute to a more intricate supply chain landscape. Cyber adversaries will strategically target vulnerabilities within interconnected supply networks, seeking to exploit weak links and gain unauthorized access.”


Singh uses the 3CX compromise, discovered in March 2023 but begun much earlier, as an example of how elite attackers (in this case Lazarus) can hide within this complexity. “The 3CX attack, which compromised the popular VoIP software provider and infected its customers is one such example. The attackers exploited a vulnerability in the 3CX web server and inserted malicious code into the software updates.”

He continues, “The interconnections within supply chains introduce a layer of complexity, raising the probability of undiscovered vulnerabilities that attackers can exploit – as seen in the 3CX supply chain attack, which was a software-supply-chain attack leading to another software-supply-chain attack.”

Vendor consolidation

There are two drivers behind an ongoing third-party consolidation process: business efficiency and an attempt to confine the supply chain risk. For efficiency, Jason Schmitt, general manager at the Synopsys Software Integrity Group, explains, “Teams no longer have the time or budget to manage multiple vendors and integration engineering projects, and still focus enough resources on remediating security issues. As a result, the demand for integrated SaaS platforms with AI-driven intelligence and consolidated software portfolios will certainly rise.”

On paper, this reduces the third-party software risk to a single supplier – confining the supply chain risk – but in practice it may simply hide the threat within a further level of obscurity. The single supplier will still have its own supply chain that will be less visible.

Dan Lattimer, VP UK and Ireland at Semperis, warns of a further effect of this consolidation. “Organizations will likely consolidate suppliers not only to reduce the risk in their supply chain, but also to improve operational efficiency and decrease their overall spend. Alongside outsourcing to fewer companies, businesses will look more deeply at the financial stability of their suppliers, too. As a result, we may see more software companies go bust.”

The adverse side of consolidation is that it merely hides the supply chain risk while making it more complex, presenting the attackers with increasingly attractive focal points to target.

Greg Notch, CISO at Expel, describes this as the ‘hidden tax’ on consolidation. “The problem is that there is a hidden tax on these moves that is now coming due in the form of unaddressed supply chain risk that they can’t get off their balance sheets.”

Threats

Supply chain threats can be described in broad terms as criminal and nation state attackers targeting software and hardware supply chains. Criminals use the supply chain to simultaneously attack multiple targets with ransomware. Nation states are more generally interested in widespread espionage. But the loose relationship between criminals and some nation state actors can also lead to the combined purpose of extortion and disruption.

The attack against Australia’s DP World in November 2023 is possibly an example of the last. By attacking one provider, multiple ports were severely impacted, affecting up to 40% of Australia’s freight trade. There have been suggestions and denials that it was a ransomware attack, and intimations that it may have involved either Russia or China (where in both cases it can be difficult to distinguish between state and criminal actors). Certainly, personal data was also stolen, which is now typical of a ransomware attack, and certainly Australia is a geopolitical target for both Russia and China because of the AUKUS (Australia, UK and US) treaty.

At this stage, it is difficult to know who attacked DP World, or why they did so.

[Photo: Michael Adjei, senior systems engineer at Illumio]

Criminal gangs

“Ransomware gangs know that most company supply chains are very fragile and are working to build the ultimate payload to compromise as many systems, as quickly as possible,” warns Michael Adjei, senior systems engineer at Illumio. “In 2024, we will see a huge increase in attacks on the software supply chain.”

He cites the MOVEit 2023 breach by the Cl0p ransomware group as an example of what to expect. It has been estimated that more than 1000 MOVEit customers were subsequently affected, and the PII of around 60 million individuals was stolen. There are suggestions that Cl0p ‘earned’ more than $100 million – all from one initial zero-day breach at one supplier.

Nation state

Nation states have long been interested in supply chain attacks for two primary reasons: the potential for widespread espionage and IP theft, and the ability to position themselves within critical industries to cause large-scale disruption and/or provide leverage in geopolitical extremis. However, unlike criminal hackers, elite government hackers prefer their activity to remain under the radar, and there are fewer known instances in the public domain.

The SolarWinds attack is one example. Irrefutable attribution is impossible, but it is likely — and the US government believes — it was undertaken by Russia’s Foreign Intelligence Service (SVR). The primary downstream targets indicate espionage as the main motivation. SolarWinds suggested that up to 18,000 companies could have been compromised, but only around 100 are known to have been actively targeted. Of these, the primary verticals involved were government agencies, CNI providers, and technology companies — that is, companies of strategic interest to an adversarial nation.

Ransomware does not appear to be the motivating factor, and although some SolarWinds customers suffered subsequent ransomware attacks, this may have been from other attackers rather than the initial actors.

North Korea stands apart from other adversarial nations. It mixes both ransomware and financial theft with espionage, and uses supply chain attacks in both areas. One of its more recent attacks was against the Taiwanese software provider CyberLink. The North Korean actor thought to be behind the attack is known to steal sensitive data, move downstream from the initial attack point, and deliver malware to establish persistent access. We may see further outcomes from the CyberLink breach in 2024.

It is almost certain that nation state activity against supply chains will increase during 2024. The motivating factors increase with worsening global geopolitical conditions. The biggest danger, however, is that it will happen without us knowing much about it.

Hardware supply chain

Potential attacks against the hardware supply chain should not be ignored. Known instances are fewer in number than software supply chain attacks, but a successful compromise introduced at the hardware manufacturing level could be hard to detect and catastrophic in successful use. The threat is sufficient for CISA to have published a Hardware Bill of Materials (HBOM) Framework for Supply Chain Risk Management in September 2023.

We can expect attempts to compromise the hardware supply chain to continue in the years ahead.

Software supply chain and OSS

The majority of supply chain attacks focus on the software supply chain. This will continue and probably worsen. “In 2024, the software supply chain will continue to be a high-value target for advanced threat actors,” warns Dagmawi Mulugeta, staff threat researcher at Netskope Threat Labs. “Over recent years, attacks on all four components—source, build, dependencies, and deployment—have escalated dramatically. This will continue into the coming year, where we will see even more creative exploits at the source stage, where attacks will range from injecting backdoors to outright theft of proprietary algorithms and everything in between.”

Erez Yalon, VP of security research at Checkmarx, agrees with this. “Securing the software supply chain is a broad issue and challenge – covering a range of weaknesses and security gaps. To exploit these, attackers will find new attack surfaces and use these for more intricate exploitations,” he warns.

One of the primary weaknesses remains open source software (OSS). It is attractive to attackers because it is used by everyone and is ubiquitous — and the log4j incident demonstrates its reach.

[Photo: Greg Ellis, GM of application security at Digital.ai]

“Open-source software will be an increasing element of supply chain attacks as we continue to see a growing number of ‘citizen developers’,” comments Greg Ellis, GM of application security at Digital.ai. “AI will make it easier for citizen developers to generate code, which in many cases will get posted to open-source repositories. So, not only will there be a greater possibility of inadvertent vulnerabilities, but we will also see an increase in the pace at which targeted attacks on OSS and supply chains can be generated and returned by leveraging AI.”

AI is the unknown quantity almost everywhere in cybersecurity, and 2024 is likely to be the year in which the AI hype resolves into reality — often in ways we do not yet understand. But just as it will be used offensively, so too will it be used defensively. “I expect to see more companies and teams using AI to assess the risk of open source packages,” suggests Josh Lemos, CISO at GitLab. This will be necessary simply through the extent and complexity of the threat. It is estimated that something like 90% of the world’s software is built with open source code.

“Expect attacks focused on ungoverned open source ecosystems to accelerate in 2024,” he says. “We’ve already seen how attackers have learned to seed open-source repositories with malicious Python packages that have names that closely resemble popular legitimate packages. Given the reliance of software developers on these packages, this kind of attack is likely to persist — and to result in serious vulnerabilities — for the foreseeable future.”
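The look-alike package names Lemos describes are something a team can screen for before anything is installed. The following is an added example, not code from the article or from GitLab or any other vendor quoted here: it normalizes requested package names the way Python package indexes do (PEP 503), then reports any name that is one edit (including a swap of adjacent letters) away from a package on an allow-list without being that package. The allow-list and the sample requirements file are constructed for illustration; a real deployment would use the organisation's own list of approved dependencies.

```python
"""Flag dependency names that closely resemble well-known packages.

Added example, not code from the article or from any vendor quoted in it:
a pre-install check that normalizes requested package names (PEP 503) and
reports near-misses against an allow-list. The allow-list and the sample
requirements file are constructed for illustration.
"""
import re

# Constructed allow-list of packages the team expects to see (illustrative).
POPULAR = ["requests", "numpy", "pandas", "urllib3", "cryptography", "boto3"]


def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute, or
    swap two adjacent characters each cost 1 (a swap is a typical typo)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def parse_requirements(text):
    """Return the package names from requirements-style lines, skipping
    blanks, comments and option lines such as '-r' or '--index-url'."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            names.append(match.group(0))
    return names


def find_lookalikes(names, popular=POPULAR, max_distance=1):
    """Return (requested, lookalike) pairs for names that are within
    max_distance edits of an allow-listed package but are not that package."""
    known = sorted({normalize(p) for p in popular})
    hits = []
    for raw in names:
        wanted = normalize(raw)
        if wanted in known:
            continue  # exact match to an expected package: nothing to flag
        for candidate in known:
            if edit_distance(wanted, candidate) <= max_distance:
                hits.append((raw, candidate))
    return hits


# Constructed sample requirements file with three typo-squat style names.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project file
requests==2.31.0
reqeusts        # transposed letters
numpyy>=1.0     # extra character
Pandas          # case difference only: normalizes to 'pandas'
urlib3          # missing character
boto3
"""

if __name__ == "__main__":
    for requested, lookalike in find_lookalikes(parse_requirements(SAMPLE_REQUIREMENTS)):
        print(f"review before install: {requested!r} resembles {lookalike!r}")
```

The check is deliberately a review gate rather than a block: a near-miss is a signal to confirm the intended package, not proof of malice. Raising `max_distance` catches more variants but also more legitimate short names, so the threshold should be tuned against the organisation's own dependency list.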

It is not necessarily all doom and gloom, however. Sandhu sees some OSS characteristics that can be used to defend against abuse alongside those characteristics that can be exploited. “The role of OSS in supply chain attacks has a duality associated with it,” he says. “OSS is a large component of the supply chain of enterprises. The ubiquity and open nature of OSS make it a potential target, but the transparent and collaborative nature of OSS can lead to quicker identification and patching of vulnerabilities.”

Yoav Landman, co-founder and CTO at JFrog, is positively optimistic. “The software supply chain has a brighter future in 2024 than we could have anticipated even just a couple of months ago, and it receives equally important backup by recent advances in federal policy. For example, CISA’s open source security roadmap has pushed the market in a strong position to address software security threats in the coming year.”

CISA’s roadmap, published in September 2023, describes how the agency will support OSS cybersecurity from 2024 to 2026. “This roadmap,” it says, “lays out how CISA will help enable the secure usage and development of OSS, both within and outside the federal government… The roadmap centers on four key goals: 1) establishing CISA’s role in supporting the security of OSS, 2) understanding the prevalence of key open source dependencies, 3) reducing risks to the federal government, and 4) hardening the broader OSS ecosystem.”

A key component of goal #4 is the SBOM. While acknowledging the broader scope of the SBOM, the roadmap notes that for OSS, “CISA will also focus on the requirements, challenges, and opportunities of automatically generating dependency data within the open source ecosystem.”

SBOM

The software bill of materials (SBOM) is a key component of the National Cybersecurity Strategy, having a role in shifting liability onto producers, encouraging security by design, and reducing the software supply chain risk. While it is relevant to all software, it is equally valuable and difficult in the OSS part of the software supply chain. So far, it has not proven very successful in its aims (see SBOMs – Software Supply Chain Security’s Future or Fantasy? for more details).

Concerns can be summarized by the comment from Brad Liggett, director of global sales engineering at Cybersixgill: “Unfortunately, the dream of SBOM seems to continue to be something that is not improving, similar to the previous push for CMDBs and other asset management platforms. Companies are notorious for not prioritizing these and I don’t expect this to change anytime soon without real regulations, or requirements, that enforce them.”

Sandhu provides the ‘Yes, but…’ response. Yes, “SBOMs provide transparency on all the components that everyone across a software supply chain is using. SBOMs offer advantages to producers, such as ensuring that components are up to date, help in identifying and tracking software components and vulnerabilities, and allowing a quick response to new vulnerabilities.” But, “Their effectiveness depends on widespread adoption and the ability of organizations to act on the information provided by SBOMs. Without proper implementation and use, SBOMs alone won’t be a silver bullet.”

Hopes for the future, however, are rising. “Luckily, SBOMs are becoming more widely recognized, and the more they are deployed, the better an enterprise can react to supply chain attacks,” says Landman. “It allows for faster reaction time when a vulnerability is detected, and can enable enterprises to selectively reinforce cybersecurity measures around vulnerable areas.”

Ellis is also more optimistic for the future of SBOMs and their potential to reduce the software supply chain risk. “SBOMs will be much more effective, as more organizations actually exchange SBOMs throughout the software supply chain and discontinue the practice of generating an SBOM that is merely archived as a release artifact.”

We can expect greater use of, insistence on, and potential benefit from SBOMs beginning in 2024, and hopefully increasing thereafter.
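The concrete payoff Sandhu and Landman describe, "allowing a quick response to new vulnerabilities", comes down to one question when an advisory lands: does anything in our inventory match it? The following is an added example, not code from the article, from CISA or from any vendor quoted here. It reads a CycloneDX-style JSON SBOM, keys each component by its package URL (purl), and compares it against an advisory list keyed the same way; it also surfaces components that cannot be matched at all, which is the data-quality gap that makes archived-but-unused SBOMs so unhelpful. The SBOM, the package names, the advisory identifiers and the fixed versions are all constructed samples; a real run would use the supplier's SBOM and a vulnerability feed.

```python
"""Use an SBOM to answer "are we affected?" when an advisory lands.

Added example, not code from the article, CISA or any vendor quoted here:
it reads a CycloneDX-style JSON SBOM, keys each component by its package
URL (purl), and matches against an advisory list keyed the same way. The
SBOM, the package names and the advisory entries are all constructed
samples; a real run would use the supplier's SBOM and a vulnerability feed.
"""
import json
import re

# Constructed SBOM. The purl carries ecosystem, name and version; the last
# component deliberately lacks one, a common real-world data-quality gap.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "acme-logging", "version": "2.14.1",
         "purl": "pkg:maven/com.example.acme/acme-logging@2.14.1"},
        {"type": "library", "name": "pyhttpclient", "version": "2.31.0",
         "purl": "pkg:pypi/pyhttpclient@2.31.0?source=sdist"},
        {"type": "library", "name": "pyurl", "version": "1.26.5",
         "purl": "pkg:pypi/pyurl@1.26.5"},
        {"type": "application", "name": "internal-tool", "version": "0.9"},
    ],
})

# Constructed advisories (placeholder IDs): package identity plus the first
# fixed version. Not real vulnerability data.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001",
     "purl_prefix": "pkg:maven/com.example.acme/acme-logging", "fixed_in": "2.17.1"},
    {"id": "EXAMPLE-ADV-0002", "purl_prefix": "pkg:pypi/pyurl", "fixed_in": "1.26.18"},
    {"id": "EXAMPLE-ADV-0003", "purl_prefix": "pkg:pypi/pyhttpclient", "fixed_in": "2.31.0"},
]


def split_purl(purl):
    """Split 'pkg:type/ns/name@version?qualifiers#subpath' into
    (prefix-without-version, version). Returns (purl, None) if no version."""
    base = re.split(r"[?#]", purl, maxsplit=1)[0]
    if "@" not in base:
        return base, None
    prefix, version = base.rsplit("@", 1)
    return prefix, version


def version_key(version):
    """Numeric dotted-version ordering (1.26.5 < 1.26.18). Real tooling should
    use each ecosystem's own version semantics; this suffices for the sample."""
    return tuple(int(p) for p in re.split(r"[.\-+]", version) if p.isdigit())


def load_components(sbom_json):
    """Return (name, purl_prefix, version) for every component with a purl,
    and (name, None, version) for those without, so gaps stay visible."""
    rows = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if purl:
            prefix, version = split_purl(purl)
            rows.append((comp["name"], prefix, version or comp.get("version")))
        else:
            rows.append((comp["name"], None, comp.get("version")))
    return rows


def match_advisories(components, advisories):
    """A component is affected when its purl prefix matches an advisory and
    its version is older than the advisory's fixed version."""
    findings = []
    for name, prefix, version in components:
        if prefix is None or version is None:
            continue  # cannot assess here; reported by unidentified()
        for adv in advisories:
            if adv["purl_prefix"] == prefix and version_key(version) < version_key(adv["fixed_in"]):
                findings.append({"component": name, "version": version,
                                 "advisory": adv["id"], "fixed_in": adv["fixed_in"]})
    return findings


def unidentified(components):
    """Names of components the SBOM does not identify well enough to match."""
    return [name for name, prefix, version in components if prefix is None or version is None]


if __name__ == "__main__":
    comps = load_components(SAMPLE_SBOM)
    for f in match_advisories(comps, SAMPLE_ADVISORIES):
        print(f"{f['component']} {f['version']}: {f['advisory']} (fixed in {f['fixed_in']})")
    for name in unidentified(comps):
        print(f"{name}: no purl, cannot be matched; ask the supplier for a complete SBOM")
```

Two design points matter more than the matching itself. Matching on the purl rather than the free-text `name` field is what lets SBOMs from different suppliers be compared at all, and a component that arrives without one is a finding in its own right: it is exactly the kind of entry that makes an SBOM "merely archived" rather than usable, in Ellis's words.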

Summary

In the meantime, “Third party supply attacks will get worse before they get better,” comments Victor Acin, head of threat intel at Outpost24.

From the attackers’ point of view, the drivers are still increasing. Market complexity and the use of third parties – especially for software – are expanding. Criminal professionalism is growing while geopolitical tensions make global law enforcement cooperation more difficult. Those same tensions increase the likelihood of nation state involvement, hopefully more for espionage and national economic advantage than for CNI destruction. The supply chain is a single point of failure for multiple simultaneous victims regardless of the attackers’ motivation.

For the defender there is some hope through government initiatives to inject both order and transparency into the supply chain. CISA’s SBOM is an excellent example. The problem is that such initiatives take time, and although there will be considerable SBOM activity in 2024, there will be little benefit this year.


Related: US Gov Issues Software Supply Chain Security Guidance for Customers

Related: US Gov Issues Supply Chain Security Guidance for Software Suppliers

Related: US Gov Issues Guidance for Developers to Secure Software Supply Chain

Related: Ukraine Says Russian Cyberspies Targeted Gov Agencies in Supply Chain Attack

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
