ProcureCon Indirect Europe 2019

02 - 03 April, 2019

Radisson Blu Scandinavia Hotel, Copenhagen


Here’s How Sony Can Protect Against Further Attacks of Its Software Supply Chain




Software supply chain attacks are becoming ever more commonplace as significant vulnerabilities in company infrastructure are exposed and exploited. However, once these attacks have occurred, it’s crucial the companies involved wake up to the threats posed and take steps to ensure the risks of further attacks in the future are drastically reduced.

Popular drive cleaning software CCleaner is loved by businesses and consumers alike for its ability to speed up and optimise computers by bulk-deleting junk files and other artefacts left behind by uninstall programs and antivirus scans. However, in the latter part of 2017, after the brand was acquired by internet security experts Avast, it was discovered that CCleaner was harbouring a dark secret.

The software had been hacked and was delivering malware called ShadowPad to an estimated 2.27 million users in its first stage, and then around 40 specific computers in its second. The second, more keenly targeted stage was focussed on several household-name brands, including Akamai, D-Link, Google, HTC, Linksys, Microsoft, Samsung, Cisco, VMware, and Sony. The net result of the attack was that reams of confidential data were breached, and each affected company lost in the region of $300 million.




“By installing a tool like ShadowPad, the cybercriminals were able to fully control the system remotely while collecting credentials and insights into the operations on the targeted computer,” said Avast in a blog post. “Besides the keylogger tool, other tools were installed on the four computers, including a password stealer, and tools with the capacity to install further software and plugins on the targeted computer remotely.”

What, then, can companies such as Sony do in the future to shore up their defences against attacks on these particularly vulnerable elements of their supply chains?


How Is Software Made?

This is the key to understanding how these kinds of breaches can happen. Think about what happens when a company such as Sony wants to bring a new television to market. Does Sony make every component of its new device in-house, from the transistors on the circuit board to the LEDs on its remotes?

The answer is, of course, no. Manufacturing a new product involves a complex supply chain, where components are shipped in from all over the world to be assembled into the new product. There will be proprietary technology developed by the company in question involved, but most of the components which make up the product will be generic.

The same applies to software development.




Each piece of software or mobile app will contain many software libraries, which will themselves contain millions of lines of code. If a software developer had to write all the code needed for a piece of software from scratch, they would never bring a product to market at all. Instead, libraries of code are purchased from third-party vendors and then assembled, along with the original code which makes the software unique, into the finished product – exactly as with physical products.

Think Like a Hacker

Knowing what we know about how software is manufactured, if we try to think in the way a hacker would, what is the best way to smuggle malware into a piece of software and have it disseminated in the same way ShadowPad was?

By poisoning the software library supply chain.




If you can sneak your malicious code into a software library and then offer it up for sale to software developers, you can quickly find your malware penetrating some of the world’s biggest companies. Targeting a big player such as Sony directly would be difficult – but poison the well from which it draws its resources and it will do all the hard work for you.

As such, it’s not enough for a company to take care to procure new software only from reputable developers – CCleaner’s Piriform was one. You must also be aware of where that company is sourcing its component code from. Remember, the security of your company is riding on the reliability of not just your own software supply chain, but those of all organisations you do business with as well.
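As an added illustration (not part of the original article), here is a small Python check a procurement or build team could run before a third-party component enters a build: every library in a manifest must come from a vetted origin and match the hash its vendor published out-of-band, so a library swapped out upstream is caught before it reaches the product. The manifest format, origin names and sample bytes are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample data: the origins this organisation has vetted.
APPROVED_ORIGINS = {"vendor-a.example", "vendor-b.example"}

@dataclass
class Component:
    name: str
    version: str
    origin: str            # host the artifact was fetched from
    expected_sha256: str   # hash the vendor published out-of-band

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_component(comp: Component, artifact: bytes) -> List[str]:
    """Return a list of findings; an empty list means the component passed."""
    findings = []
    if comp.origin not in APPROVED_ORIGINS:
        findings.append(f"{comp.name}: unapproved origin {comp.origin}")
    actual = sha256_hex(artifact)
    if actual != comp.expected_sha256.lower():
        findings.append(f"{comp.name} {comp.version}: hash mismatch (got {actual[:12]}...)")
    return findings

def audit(manifest: List[Component], artifacts: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Check every manifest entry against the bytes that were actually fetched."""
    report = {}
    for comp in manifest:
        data = artifacts.get(comp.name)
        if data is None:
            report[comp.name] = [f"{comp.name}: artifact missing"]
        else:
            report[comp.name] = verify_component(comp, data)
    return report

# Constructed example: a clean library, one altered upstream, one from an unvetted mirror.
CLEAN = b"library code v1.2.0"
MANIFEST = [
    Component("libclean", "1.2.0", "vendor-a.example", sha256_hex(CLEAN)),
    Component("libpoisoned", "3.4.1", "vendor-b.example", sha256_hex(b"library code v3.4.1")),
    Component("libunknown", "0.9.0", "mirror.example", sha256_hex(b"x")),
]
ARTIFACTS = {"libclean": CLEAN,
             "libpoisoned": b"library code v3.4.1\n# injected",  # bytes no longer match
             "libunknown": b"x"}

if __name__ == "__main__":
    for name, findings in audit(MANIFEST, ARTIFACTS).items():
        print(name, "OK" if not findings else findings)
```

The published hash must come from a channel separate from the download itself, otherwise a compromised distribution point can simply publish a hash for the poisoned file.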

“In an age of digital transformation initiatives, where organisations are aggressively moving to the cloud and automating their businesses, it’s not a hyperbole to say that transformed companies can defeat their competitors and dominate entire markets,” said CTO and Co-Founder of Contrast Security, Jeff Williams. “Your software supply chain is the key to creating and deploying applications quickly, but make sure you don’t inadvertently undermine your entire business in the rush to reinvent it.”


Supply chain security is set to be a hot topic at ProcureCon Indirect 2019, taking place in April at the Radisson Blu Scandinavia Hotel, Copenhagen. Download the agenda today for more information and insights.