Chapter 36 Β· Flashcards

Supply Chain Vulnerabilities Flashcards

Click any card to reveal its definition.

0 / 10 flipped
Supply Chain Attack
Tap to reveal
An attack that targets an organization's external partners β€” service providers, hardware manufacturers, or software vendors β€” rather than attacking the target directly. Attackers compromise a weaker link in the supply chain and use the trusted relationship to gain access to the ultimate target. Effective because organizations must extend trust to partners with legitimate access. One exploit in the chain can propagate to every connected organization.
Target Breach β€” Who Was the Real Initial Target?
Tap to reveal
Fazio Mechanical Services β€” an HVAC contractor. Not Target Corp itself. The attackers phished Fazio, stole VPN credentials used by HVAC technicians to access Target's network, and used those credentials to pivot into Target. Because Target's network was not properly segmented, the HVAC vendor access path reached production POS systems in 1,800 stores. 40 million credit card numbers were stolen (November 2013). The HVAC company was the weaker link; Target was the prize.
Island Hopping
Tap to reveal
A supply chain attack technique where the attacker compromises a less-defended supplier or partner of the intended target, then uses that trusted relationship to "hop" into the hardened target organization. Named for WWII island-hopping campaigns that used smaller bases to reach larger targets. The attacker's goal from the start is the final target β€” the supplier is just the stepping stone. Target/HVAC is the textbook example: HVAC firm (weak) β†’ Target Corp (strong, the real goal).
SolarWinds SUNBURST β€” What Was Compromised?
Tap to reveal
The SolarWinds Orion build pipeline β€” the automated system that compiled and packaged software updates. Attackers inserted the SUNBURST backdoor into the Orion update source before compilation. The malicious update was then compiled, signed with SolarWinds' legitimate code-signing certificate, and distributed to approximately 18,000 customers through the normal update mechanism (March and June 2020). The attack was undetected for nine months (discovered December 2020).
Why Didn't Code Signing Stop SUNBURST?
Tap to reveal
Because code signing proves who signed the code, not that the code is safe. Attackers compromised the SolarWinds build pipeline before the signing step. SolarWinds' own developers unknowingly compiled and signed already-malicious code using their legitimate certificate. The signature was completely valid β€” it genuinely came from SolarWinds. Signature verification confirmed "SolarWinds signed this" β€” it had nothing to say about whether the code itself was backdoored. Code signing is necessary but not sufficient against build pipeline compromises.
SUNBURST Detection Evasion Techniques
Tap to reveal
SUNBURST used multiple techniques to avoid detection: (1) Dormancy period β€” code waited 12–14 days after installation before activating, avoiding detection by test environments that don't run deployed code for extended periods. (2) Environment detection β€” code checked for security tools, sandbox indicators, and domain names associated with AV companies; it remained dormant if any were found. (3) Traffic blending β€” C2 communication used DNS queries and HTTPS traffic that mimicked normal SolarWinds telemetry. (4) Legitimate infrastructure β€” used domains named to resemble legitimate SolarWinds services.
Counterfeit Hardware Risk
Tap to reveal
Hardware sold as genuine that is actually manufactured without authorization β€” often using inferior or unverified components. Security risks: (1) Unknown vulnerabilities not present in genuine products. (2) Potential hidden backdoors for remote access or monitoring. (3) Different firmware than the genuine product β€” may lack security features or contain malicious code. (4) Physical failure (some caught fire). Network equipment (switches, routers, firewalls) is the highest-risk category β€” counterfeit devices carry all network traffic and could silently monitor or intercept it. Real case: $1B+ counterfeit Cisco scheme (arrested July 2022).
Why Are Service Providers Attractive Attack Vectors?
Tap to reveal
Two reasons: (1) Access β€” service providers often have legitimate, direct access to client internal systems (VPN tunnels, service accounts, read access to directories, remote management tools). An attacker who compromises the provider inherits that access. (2) Security disparity β€” service providers, especially small contractors (HVAC companies, payroll processors), often have significantly weaker security than the organizations they serve. Attacking the weak link is easier than attacking the hardened target directly. One service provider serving 20 clients is a 20-for-1 opportunity for an attacker.
SBOM (Software Bill of Materials)
Tap to reveal
A machine-readable inventory of all components, libraries, and dependencies that make up a software application. When a vulnerability is disclosed in an open-source library, an organization with SBOMs can immediately query: "which of our applications use this library?" and get an answer in minutes. Without SBOMs, answering the same question may require weeks of manual investigation. SBOMs became a requirement for U.S. federal software suppliers after the 2021 Executive Order on Cybersecurity, driven by the supply chain visibility problems exposed by SolarWinds and Log4Shell.
Supply Chain Security Controls
Tap to reveal
Service providers: (1) Security audit requirements in vendor contracts, reviewed periodically. (2) Network segmentation β€” vendor accounts access only required systems. (3) Behavioral monitoring for anomalous vendor credential use. Hardware: (4) Purchase only from authorized distributors. (5) Verify hardware authenticity before deployment. Software: (6) Verify digital signatures on all installs. (7) Stage updates through test environments before production. (8) Maintain SBOM for dependency visibility. All layers: (9) Apply least-privilege to vendor accounts and monitor for anomalies.