Supply chain security has become an important topic in our industry because of the impact of high-profile breaches like Kaseya and SolarWinds. When SolarWinds was hacked in 2020, it drove home the issue of third-party risk given its impact on major governmental departments and countless companies in the private sector such as Microsoft and Cisco. Kaseya added fuel to that fire, with the FBI describing the Kaseya attack as a supply chain ransomware attack that leveraged a vulnerability in Kaseya VSA software against multiple MSPs and their customers.
Even before these incidents, the InfoSec community was placing scrutiny and focus on the risks introduced by third-party software. Is it safe to work with the partners in the supply chain? How can organizations protect their business processes, trade secrets, and the client data they manage from potential supply chain security threats?
Client-side attacks: third-party digital supply chain risk
Already this year there have been numerous headlines detailing major client-side attacks – thousands of websites were recently impacted, and millions of consumers were exposed. Segway stands as one example: its e-commerce store was infiltrated by a Magecart attacker that stole credit card data and customer information. So, how does this keep happening to major corporations that would surely have top-tier security measures in place?
The answer: most organizations don’t understand the scope and materiality of the risk they face.
Understanding client-side attacks
In these attacks, the malicious logic is loaded and runs on the client side (in the browser), beyond the reach of server-side security controls. Third-party scripts have the same level of control as the website owner’s own scripts. Every script on the page, whatever its origin, has both read and write access to it: it can change the webpage, read all information on it, and even record keystrokes and save them.
All it takes is for a threat actor to compromise a third party and change the script’s source code. That code is downloaded dynamically by the browser from the third party’s server, so it bypasses the traditional server-side security infrastructure, including the website owner’s firewalls and WAFs.
- Digital skimming;
- Credential harvesting.
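As an added illustration (not part of the article and not Source Defense’s tooling), the following Node.js script audits the external script tags of a page for exactly this exposure: which scripts are served from a third-party origin, and whether their content is pinned with Subresource Integrity so that a change at the supplier would make the browser refuse to run it. The page origin, the HTML fragment and the digest value are constructed.

```javascript
// Added example: audit <script src> tags for third-party scripts that are not
// pinned. Any external script runs with full page privileges, so the review
// question is (a) who serves it and (b) whether its content is fixed by SRI.
const PAGE_ORIGIN = 'https://shop.example'; // constructed first-party origin
const SRI_RE = /^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}$/;

// Constructed sample page: one first-party script, one pinned CDN script
// (placeholder digest, not a real hash), one unpinned vendor tag.
const SAMPLE_HTML = `
<script src="/js/checkout.js"></script>
<script src="https://cdn.example/lib/ui.min.js"
        integrity="sha384-${'A'.repeat(64)}"
        crossorigin="anonymous"></script>
<script src="//tags.analytics-vendor.example/tag.js" async></script>
`;

// Parse the attributes of one tag body (double- or single-quoted values).
function parseAttrs(tagBody) {
  const attrs = {};
  for (const m of tagBody.matchAll(/([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'))?/g)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? '';
  }
  return attrs;
}

// One finding per external script: where it comes from, whether SRI pins it,
// and a risk label. Inline scripts are skipped: they are first-party content.
function auditScripts(html, pageOrigin = PAGE_ORIGIN) {
  const findings = [];
  for (const m of html.matchAll(/<script\b([^>]*)>/gi)) {
    const a = parseAttrs(m[1]);
    if (!a.src) continue;
    const url = new URL(a.src, pageOrigin);   // resolves relative and protocol-relative srcs
    const thirdParty = url.origin !== pageOrigin;
    const pinned = SRI_RE.test(a.integrity || '');
    let risk;
    if (!thirdParty) risk = 'first-party';
    else if (pinned && a.crossorigin !== undefined) risk = 'third-party-pinned';
    else if (pinned) risk = 'third-party-pinned-no-cors'; // SRI across origins needs CORS
    else risk = 'third-party-unpinned'; // a change at the supplier runs unchecked
    findings.push({ src: url.href, origin: url.origin, thirdParty, pinned, risk });
  }
  return findings;
}

// Count findings per risk label for a quick report.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.risk] = (counts[f.risk] || 0) + 1;
  return counts;
}

console.log(auditScripts(SAMPLE_HTML), summarize(auditScripts(SAMPLE_HTML)));
```

SRI only helps for scripts whose content is static; a tag manager or vendor script that itself loads further scripts at runtime cannot be pinned this way, which is why such findings are flagged for review rather than resolved by the check.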
These client-side attacks have damaged some of the biggest brands in the world. In 2020, British Airways was required by the ICO to pay $26 million for a data breach that affected more than 400,000 customers. The data stolen included login information, payment card details, travel booking details, and name and address information.
Software supply chain security has become a top concern for organizations of all sizes and industries. That concern needs to extend beyond what companies currently focus on to include the digital supply chain of their own websites. Organizations can’t afford to ignore client-side security if they want to avoid compliance issues and major breaches that could damage their reputation.
Hadar Blutrich, CTO, Source Defense