CISA, NIST Provide New Resource on Software Supply Chain Attacks (Security News, April 2021)
The software supply chain is part of the information and communications technology supply chain framework, which represents "The network of retailers, distributors, and suppliers that participate in the sale, delivery, and production of hardware, software, and managed services," CISA and NIST explain.
Aside from the SolarWinds incident, other notorious supply chain attacks over the past several years include the CCleaner malware campaign, the MeDoc compromise leading to NotPetya, Operation ShadowHammer, the infection of IoT devices running Windows 7, and the abuse of Kaspersky Lab software to steal NSA files.
A software supply chain attack occurs when threat actors manage to compromise a vendor's environment and poison their software before it reaches customers, with the purpose of infiltrating the customers' systems.
"These types of attacks affect all users of the compromised software and can have widespread consequences for government, critical infrastructure, and private sector software customers," CISA and NIST note in a document titled Defending Against Software Supply Chain Attacks.
"Software supply chain attacks typically require strong technical aptitude and long-term commitment, so they are often difficult to execute. [...] In general, advanced persistent threat actors are more likely to have both the intent and capability to conduct the types of highly technical and prolonged software supply chain attack campaigns that may harm national security," CISA and NIST say.
Defending Against Software Supply Chain Attacks also includes recommendations for software vendors, such as implementing and following a software development life cycle and integrating a secure software development framework, to ensure they do not supply malicious or vulnerable software.