Outshift Logo


30 min read

Blog thumbnail
Published on 01/24/2024
Last updated on 05/02/2024

5 Lessons learned from high-profile software supply chain attacks


A software application is not a monolith. In addition to the code you write for your application, you’re leaning on what may be hundreds of dependency packages and libraries. Each one of those libraries has its own set of dependencies and was built with deployment tools before being pushed to repositories to be made available to you. 

These components—and everything that went into them—collectively represent your software supply chain. They are valuable assets essential to your software development process. The proper functioning of your software application hinges on these dependencies. 

Here’s the scary news: Each one represents a potential security vulnerability. 

Software supply chain attacks exploit vulnerabilities within a chain of dependencies to breach the entire system. Reports show supply chain attacks increased by over 200% from 2022 to 2023. Many exploitable vulnerabilities came from third-party and open-source dependencies.  

This article will examine several high-profile software supply chain attacks from recent years. We’ll cover how they hit their targets, the level of damage that resulted, and what key lessons we can learn from these incursions. 

Case Study #1: The SolarWinds Attack 


In September 2019, SolarWinds, a well-known network monitoring company, suffered one of the most significant cyberattacks in history, later known as the SUNBURST Attack. The wide-ranging victims of the breach included financial services, military contractors known to employ highly competent cybersecurity teams, and numerous U.S. federal agencies and departments. 


How it happened 


SolarWinds had an IT monitoring platform called Orion, and attackers used Remote Access Trojan malware to insert malicious code into Orion. The compromise of Orion—a piece of software used by approximately 18,000 organizations—had a cascading effect. The breach enabled threat actors to move laterally within networks and gain access to sensitive logs and data. 


FireEye, a cybersecurity company, discovered the breach in December 2020. You’ll recall that the cyberattack began in September 2019. The attack went undiscovered for over a year. 


Key lessons learned 


This incident triggered a paradigm shift in cybersecurity, forcing prominent corporations worldwide to move toward a zero trust architecture when allowing network access to third-party vendors.  


The fact that so many victims of this attack failed to detect this breach flagged serious shortcomings in cybersecurity solutions at the time. This example highlights the need for solutions that can bring real-time monitoring and anomaly detection. 


Case Study #2: The Equifax Breach 


Equifax is one of the largest credit reporting agencies in the U.S. In 2017, it suffered a significant data breach, exposing the personal data of nearly 150 million Americans to malicious actors.  


The severity of this incident resulted in calls for increased regulatory scrutiny, data protection laws, and reforms around data privacy. In the aftermath, Equifax suffered a massive stock selloff, serving as a dire warning to industry leaders: Do better to safeguard the data of users. 


How it happened 


The culprit was a vulnerability in the Apache Struts Java framework, allowing attackers to execute code on web servers running this framework by inserting code snippets into an HTTP request header. Inadequate network segmentation let attackers move easily from one server to another, significantly increasing the severity of the breach. 


To make it even worse, Equifax did not encrypt user credentials in their databases. Attackers were able to retrieve them in plaintext. 


This incident acted as a reminder that common vulnerabilities and exposures (CVEs), such as the Apache Struts vulnerability, are abundant. Reports show that as many as 50 new CVEs are discovered each day. It should come as no surprise that attackers regularly scan for newly reported CVEs too, and then they rush to exploit them. 


The patch for the Apache Struts vulnerability was released in March 2017, while the breach occurred between May and July of that same year. That means Equifax went at least two months without patching their systems with the readily available fix. 


Key lessons learned 


All systems require security patching—early and often. Organizations need tools to scan applications for existing and newly discovered CVEs. These scans should happen during the continuous integration and continuous delivery (CI/CD) build process to ensure that vulnerable software dependencies never make it to a production environment. Along with this, enforcing segmentation policies across network infrastructures and encryption of sensitive data—such as user credentials and passwords—are non-negotiable security best practices. 


Case Study #3: The CCleaner Incident 


In September 2017, attackers compromised CCleaner, a popular system optimization tool, by exploiting a vulnerability in the software’s compilation process to insert malware. 


How it happened 


More than two million users worldwide downloaded the tainted version of CCleaner. As a result, the attackers gained access to a large volume of sensitive user data. Researchers at Cisco Talos detected the breach and informed Avast, the owners of CCleaner. Avast promptly halted distribution of the compromised version and released a clean update, urging users to download the clean version as soon as possible. 


Key lessons learned 


This breach shows why users should exercise caution when downloading or updating software—even software from reputable vendors. When downloading any software or updates, users should use software with anomaly detection functionality to alert them to the suspicious behavior of any software components. 

Case Study #4: The Codecov Breach 


Codecov is a popular tool among software developers that tracks how much of a codebase is covered by tests. In January 2021, Codecov suffered a breach that impacted over 23,000 organizations using the software, including prominent tech companies such as Twilio and Hashicorp. Many industry experts compared it to the SUNBURST attack. 


How it happened 


Attackers exploited an error in a Codecov process for creating Docker images for its users as part of their CI/CD pipeline. By modifying a Bash script used in this Codecov process, attackers were able to acquire sensitive information—such as credentials and access tokens—from numerous organizations relying on Codecov as their coverage tool.  


The incident highlighted the potential vulnerabilities in every tool integrated into a software project's supply chain. Even seemingly non-critical tools like test coverage analysis utilities can serve as potential entry points for attackers. The Codecov breach also demonstrated how authentication credentials can easily fall into the wrong hands. 


Key lessons learned 


Given the large number of dependencies found in every software project, the early detection of a supply chain attack is critical. Organizations need mechanisms for early detection of unauthorized access attempts, allowing system administrators to respond to the threat rapidly.  

Tools that enforce zero trust and the principle of least privilege are essential. This way, even when authentication credentials are leaked, attackers are limited in the scope of their actions.  


Case Study #5: The Kaseya VSA Cyberattack 


In July 2021, Kaseya, a software company specializing in network and system monitoring tools, detected a potential security incident on its remote computer management tool, Kaseya VSA.  


Kaseya released a statement advising customers to halt both on-premises and SaaS servers running VSA until they could release a patch. Unfortunately, attackers had breached several of Kaseya’s customers and initiated ransomware demands. The severity of the incident led to the highest involvement of the U.S. government, even requiring the president’s attention.  


How it happened 


The Kaseya VSA Cyberattack exploited a zero-day vulnerability in the authentication process of the VSA server, allowing the attackers to execute arbitrary commands and deploy ransomware. By manipulating the server's functionality, attackers gained unauthorized access and executed a supply chain attack through a compromised software update mechanism. This breach resulted in widespread compromise of connected client systems. 


Key lessons learned 


In the aftermath of the attack, former employees publicly stated that Kaseya was warned of this potential vulnerability. Organizations must address how often they audit their systems for vulnerabilities, even seemingly trivial security issues.  


Organizations should use security tools that include vulnerability scanning and real-time monitoring to address these issues promptly. Enterprises must perform due diligence when integrating products from third-party vendors into their supply chain.   


Turn these lessons into action 


Supply chain attacks can spread swiftly across systems, exponentially multiplying their impact and causing extensive damage. The security of every software project depends on that of every node in its supply chain and environment. Addressing software supply chain security is critical for any organization with a digital presence.  


Cloud-native application protection platform (CNAPP) solutions have proven to be a reliable source of resilience in this domain. Along with cloud security posture management (CSPM), cloud infrastructure entitlements management (CIEM), and cloud workload protection (CPP), a CNAPP provides all of the necessary features for protecting your software supply chain from attack: 


  • Automated vulnerability scanning during the build process and cross-referencing against CVE databases are critical for preventing breaches like Equifax suffered. 

  • Anomaly detection and real-time monitoring features are crucial in early detection for cases such as the SUNBURST and Codecov attacks. 

  • Generating and integrating a Software Bill of Materials (SBOM) is paramount for comprehensive visibility into software supply chains, enabling proactive vulnerability management and swift response.    


Organizations that do not use CNAPP solutions open the door for cybercriminals to exploit their software supply chain. The companies mentioned in this article all suffered serious reputational damage and loss of business revenue and market capitalization.  


In the end, the cost and effort of putting proactive cybersecurity measures in place is a drop in the bucket when compared to the substantial costs and damages incurred by a breach. 


For more information about Outshift's CNAPP solution, Panoptica, and how it can protect your software supply chain, schedule a one-on-one live demo or contact Outshift today. 

Subscribe card background
Subscribe to
the Shift!

Get emerging insights on emerging technology straight to your inbox.

Unlocking Multi-Cloud Security: Panoptica's Graph-Based Approach

Discover why security teams rely on Panoptica's graph-based technology to navigate and prioritize risks across multi-cloud landscapes, enhancing accuracy and resilience in safeguarding diverse ecosystems.

the Shift
emerging insights
on emerging technology straight to your inbox.

The Shift keeps you at the forefront of cloud native modern applications, application security, generative AI, quantum computing, and other groundbreaking innovations that are shaping the future of technology.

Outshift Background