The Trickle Down of Supply Chain Attacks


Supply chain attacks are malicious campaigns designed to damage an organization by targeting less-secure elements of their supply network. Advanced persistent threat (APT) groups have been successfully delivering exploitation and post exploitation payloads behind this attack vector for a number of years.  This is evident in the very successful CCleaner Petya (MeDoc) campaigns of 2017, which affected millions of victims’ machines.

The recent compromise of docker containers, operating systems (e.g., Gentoo and Arch), , and a JavaScript package manager highlights an evolving trend for ‘how’ malicious actors are exploiting the trust relationship between online software distributions and users.  Supply chain attacks offer a diverse range of methods to target the relational complexity of victim organizations, require very little operational infrastructure, and are an increasingly favored attack vector for malicious actors.

Below are some of the observed methods abused in order to implant malicious code in online software distributions that will end up in end user enterprises or home networks.

Privileged user password reuse and failure to segregate duties
Compromise via third party applications
Orphaned and unsigned packages
Update infrastructure hijacking
Illicit use of stolen certificates
Violation of ‘honor system’ in repositories
Single point of storage/failure in repository architecture
Weak package signatures
Attack on software dependencies

Figure 1. Supply chain attack vectors seen in online distributions


Supply chain attacks abuse the implicit trust between an organization, its privileged users, and the vendor vetting and update process. Compromising online software distribution in whatever form (i.e., package manager, updates, containers, code repositories, applications, etc.) often mitigates and sometimes effectively bypasses security controls of even well-hardened environments.

Under the cover of reputable and trusted software vendors, many enterprises have unknowingly given away access and privileges to malicious actors. The aforementioned CCleaner and Petya campaigns demonstrated this effective targeting, and this is reinforced by China’s long time use of supply chain attacks (e.g., the Schoolbell botnet delivering Kingslayer).

Open source environments and small companies seem particularly vulnerable to supply chain attacks due to reliance on peer trust and often immature security policies, procedures, or practices. This is part of the reason why the 2018 Verizon DBIR found that 58% of last year’s known victims were small businesses. Considering the prevalence of open source code (and dependencies), a large number of mainstream technologies and business applications are at an increased risk.


JASK Autonomous Security Operations Center Platform (ASOC)

While supply chain attacks can be exceedingly hard to detect, one potential discovery method is to evaluate the network and log environment for the presence of compromised or invalid code signing and SSL certificates. Current JASK ASOC visibility enrichment capabilities leverage existing customer VirusTotal api keys to identify malicious files with revoked certificates (‘tag:revoked-cert’).

Although perhaps less relevant to most supply chain attacks, ASOC also currently flags invalid and expired SSL certificates via established Signal logic.  (ASOC’s threat intelligence integration can also be used to apply custom logic from open source projects such as the SSL Blacklist form

The ASOC platform also currently parsers a number of different endpoint detection and response (EDR) capabilities (e.g. Carbon Black, Cylance, and Forticlient) and generates Signals and Insights based on the context of these logs. The context from the EDR logs and alerts is of critical importance to detection and mitigation of supply chain attacks (and generically most malware campaigns).



There are a number of approaches that organizations can apply in order to better secure their utilization of online software distributions and mitigate the potential of a successful supply chain attack. The following are some of them.

  • Do not trust external repositories
  • Do not install untrusted packages
  • Implement change management policies to verify, inspect and test software updates
  • Enforce MFA on all repositories, and contributor and administrator accounts
  • Use red team efforts and vulnerability scanners to identify and track third party vulnerabilities
  • Enforce segregation of duties in repository administrators and contributors
  • Enforce strong application/package signatures
  • Create expedited procedures to revoke certificates in case of compromise
  • Implement software update frameworks such as TUF or Uptane
  • Contribute to leading and securing open source projects and repositories



Supply chain attacks fundamentally abuse the trusted channels we (everyone one of us) have with the software providers (and the applications) that empower our daily business and personal activities. Given their low probability of detection, victims of these attacks are often unaware of compromise until secondary indicators are detected (i.e., C2, exfiltration, etc.).

And while supply chain attacks were once top tier APT tradecraft, these techniques have become increasingly common place in lower tier APT and even crimeware operations.



JASK is modernizing security operations to reduce organizational risk and improve human efficiency. Through technology consolidation, enhanced AI and machine learning, the JASK Autonomous Security Operations Center (ASOC) platform automates the correlation and analysis of threat alerts, helping SOC analysts focus on high-priority threats, streamline investigations and deliver faster response times.

Share on