What is a supply chain attack?

D2 · Threats · CompTIA Security+ SY0-701
A supply chain attack targets a less-secure element in the supply chain (software vendors, hardware manufacturers, or third-party service providers) to compromise their products or services and use them as a vector to attack end customers.

Famous examples: SolarWinds (2020), in which attackers inserted malicious code into SolarWinds Orion software updates, compromising 18,000+ organizations including US government agencies; and 3CX (2023), in which a VoIP software installer was compromised.

Types: software supply chain (malicious code in updates), hardware implants, and compromised open-source libraries (e.g., dependency confusion).

Supply chain attacks are devastating because victims trust the compromised vendor and its updates. Defenses: software bill of materials (SBOM), code signing verification, vendor risk management, integrity monitoring of software updates, and privileged access review for third-party tools.