Keeping data safe in 2022 – Supply chain attacks, compromised third-party software, and sideloading

Supply chain attacks are quickly becoming the most significant threat to governments, organizations, and private users globally. Learn about how these attacks unfold and what you can do to mitigate them in the newest installment of our series examining the major cyber security threats of 2022.

Threats hidden in third-party software and sideloading are a constant threat to individuals and businesses of all sizes. While these are easier to manage in an enterprise environment, individual users still have a lot of responsibility. Meanwhile, supply chain attacks are a major headache for governments and businesses, and countering them is an immense challenge.

What's the difference?

Similar to our previous posts, we'll continue using the house analogy we introduced back on Privacy (Data Protection) Day to describe these attacks. In these examples, we look at computers as the homes of our digital selves. So, what are compromised third-party software and sideloading, and when does this all turn into a supply chain attack? For the analogy, consider household appliances as the different software solutions deployed on a device.

Compromised third-party software is a situation in which malicious actors gain access to a software developer's operations and infect a trusted tool itself with malware. Okay… back to the house. You order a new toaster from a reputable brand off the internet. However, the manufacturing process has been compromised, and a malicious actor installs microphones in all equipment on the shop floor. Unfortunately, due to insufficient security measures and quality control, the manufacturer has no idea their equipment has been altered, and the attacker reaps the benefits.

Sideloading in a malicious context means that malware is delivered alongside an application and leverages the trust (privileges, e.g. corporate or personal) granted to that application to gain further access to our environment. For example, you buy a coffee machine from an online store with much better prices than the competition. When the package arrives, you realize they've included a free milk foamer as a surprise. The coffee machine is unaltered and works perfectly. However, the milk foamer's power button hides a small pinhole camera that is now being used to observe you.

It's important to note that sideloading can also be used to refer to completely legitimate activities. A user installing an app for their phone from a website rather than their platform's app store is also called sideloading. While this can carry security risks, it's not inherently malicious. Make sure to update all manually installed apps when new versions become available and only install apps downloaded from trusted websites, such as the developer's downloads page.

Supply chain attacks are the even more evil big brothers of the above two threats. In these situations, attackers target less secure organizations and software components that are used by more high-value and better-protected targets to gain access to these organizations. Or, in terms of our analogy… Someone wants to get into your house, but you have robust security measures in place. Through research, they learn that your fridge is broken, but the manufacturer has stringent security and quality assessment procedures in place. So they keep searching for an easier target and identify the repair company contracted by the manufacturer in your area. Once hired, they go around and install a listening device on every single fridge they repair and eventually get into your house as well. As a result, hundreds of homes are now compromised, with low and high-value targets among them.

How can you defend against compromised software and sideloading?

While no less threatening, compromised third-party software and sideloading attacks are easier to defend against because of their lower complexity. Limiting administrative rights and maintaining an approved software list are your best bets in a business setting. Education is again the name of the game. Make sure your team members understand company policies regarding the use of unauthorized software.

As new business needs can arise at any time, ensure they know of and understand the process of requesting authorization for a new tool. These steps ensure that only applications from trusted sources checked and reviewed by dedicated members of your team can be installed on your devices. As always, maintain basic cyber hygiene and have extended endpoint and network monitoring solutions running on all devices.

As an individual user, you have more responsibility. Firstly, limit the apps you install to those you need and uninstall any unused software from your devices. When installing a new app, check the application stores available for your platform (e.g., Apple App Store, Google Play Store, Microsoft Store, Steam, etc.). These will usually offer vetted apps. If you don't find your chosen tool in these, go to the developer's website directly and download from their site. Use software created by trusted and reputable developers whenever possible. Finally, always have protection against malware on your devices, just as in a corporate environment.

Defending against supply chain attacks

Supply chain attacks are an immense threat. For example, the SolarWinds attack saw 18,000 companies affected and 50 consistently targeted. The effects of the log4j vulnerability discovered in December 2021 will be felt for years. There are two sides to blocking supply chain attacks, and both are equally important. The first branch pertains to the supply chain. It encompasses the steps that developers take to secure their own code and the code integrated into their products from other solutions. The other branch is a list of actions that end-users can take to defend themselves from a potential supply chain attack.

The supply chain side of the puzzle is extraordinarily complex and involves various teams often working at different companies. Large software development enterprises can work with their suppliers to help improve security practices further down the supply chain. Larger organizations may simply have more resources to research threats and mitigation strategies and more know-how in these issues than smaller suppliers. Knowledge sharing and collaboration will be vital in overcoming the supply chain threat in the coming years.

As Microsoft notes, you should also take steps to secure your infrastructure. All security patches for the OS and software tools should be installed. Multi-factor authentication should be the default on all company accounts. They also highlight the importance of creating secure software updaters and signing every single element of a software solution.
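As an added illustration (not code from this post or from Tresorit) of how the approved software list recommended above and an authenticated update manifest work together, here is a Python sketch that rejects both the tampered toaster build and the unlisted milk foamer from the analogies. The package bytes, names and key are constructed for the example, and the HMAC tag stands in for the asymmetric signature a real updater would verify with a pinned public key.

```python
import hashlib
import hmac
import json

# Constructed demo key. Stand-in for a real updater's asymmetric signature
# (e.g. Ed25519 verified with a pinned public key); a shared secret like this
# would let anyone holding it forge a manifest, so it is for illustration only.
MANIFEST_KEY = b"demo-manifest-key-not-for-production"

# Constructed package bytes standing in for real installers.
GENUINE_TOASTER = b"toaster-2.1.0 genuine build"
TAMPERED_TOASTER = GENUINE_TOASTER + b" + hidden microphone"  # compromised build
MILK_FOAMER = b"milk-foamer-1.0"  # sideloaded extra that was never approved

# Approved software list: name -> pinned version and SHA-256 of the vetted build.
APPROVED_MANIFEST = {
    "toaster": {"version": "2.1.0",
                "sha256": hashlib.sha256(GENUINE_TOASTER).hexdigest()},
}

def sign_manifest(manifest, key=MANIFEST_KEY):
    """Serialise the approved list deterministically and authenticate it."""
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag

def verify_manifest(body, tag, key=MANIFEST_KEY):
    """Reject any manifest whose authentication tag does not match its body."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("manifest authentication failed")
    return json.loads(body)

def check_package(name, package_bytes, manifest):
    """Allow an installer only if it is on the list AND its hash matches."""
    entry = manifest.get(name)
    if entry is None:
        return "rejected: not on approved software list"
    digest = hashlib.sha256(package_bytes).hexdigest()
    if not hmac.compare_digest(digest, entry["sha256"]):
        return "rejected: hash mismatch, build differs from the vetted one"
    return "ok"

if __name__ == "__main__":
    body, tag = sign_manifest(APPROVED_MANIFEST)
    approved = verify_manifest(body, tag)
    for name, pkg in [("toaster", GENUINE_TOASTER),
                      ("toaster", TAMPERED_TOASTER),
                      ("milk-foamer", MILK_FOAMER)]:
        print(name, "->", check_package(name, pkg, approved))
```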

As attackers often use phishing and spearphishing tactics to infiltrate suppliers, ensure recommended protections against these threats are in place, including education for members of your team.

An approved software list and privileged (admin) rights management are again vital on the end-user side, as are all other fundamental cyber security measures, such as running malware protection tools on every company device. In addition, penetration testing can draw attention to threats found in tools your organization uses. Finally, transitioning to zero-trust network security can also vastly improve security. User, device, and app privileges are constantly cross-checked in these setups, and access levels can change based on circumstances and context.

But these are only the basics. The topic is complex, but luckily, there are several resources from trusted sources filled to the brim with more information. For example, ENISA, the EU Agency for Cybersecurity, published a report on recent attacks, including a taxonomy of different supply chain attack variants. In the US, the National Institute of Standards and Technology issued guidance on how companies can defend against supply chain attacks.

Can Tresorit help mitigate supply chain attacks?

Tresorit can help you mitigate the fallout should any of your systems be breached. End-to-end encryption and robust access rights management, for example, ensure that the attackers' access to data will be limited. Access rights can be revoked at any time, after which the entire folder is re-encrypted to ensure file security. Furthermore, the file versions and backup options built into Tresorit can help you recover if someone tries to delete your files after gaining access to your systems through a supply chain attack or infecting your devices with ransomware. Take a look at our Secure Cloud to learn how we can help secure your business.

To help companies and individuals alike protect their data and the data they are entrusted with, we launched a series of blogs on Data Protection Day (or Privacy Day for our friends in the US) to discuss the major cybersecurity, and by extension, data security, threats of 2022. Read through our previous article to learn more, and check back over the coming weeks for more info about:

We're exploring the tech behind each threat, what companies and individuals alike can do to counter them, and where end-to-end encryption can help. Watch this space.