How to Mitigate Supply Chain Attacks

Supply chain attacks exploit trusted vendors, contractors, and third-party services to bypass internal defenses, and a single compromised supplier can cascade into widespread disruption, as seen in incidents like SolarWinds, MOVEit, and the CrowdStrike Linux outage. Continuous, intelligence-led monitoring and the integration of external threat intelligence are essential to replace static audits and enable proactive, risk-driven vendor protection.

Key points

  • Supply chain attacks leverage trusted relationships to reach ultimate targets, turning vendors, contractors, and shared platforms into high-impact entry points.
  • Traditional third-party risk management—questionnaires, periodic audits, and self-reported data—provides only outdated snapshots and leaves dangerous blind spots between assessments.
  • High-profile incidents such as SolarWinds, MOVEit (CVE-2023-34362 exploited by Clop), and the CrowdStrike Falcon Sensor outage demonstrate how a single compromised vendor or update can produce massive, cross-industry disruption.
  • Intelligence-led monitoring (continuous monitoring, early warning signals, contextual prioritization) enables proactive defense by revealing vulnerabilities and active exploitation before breaches escalate.
  • Enterprises should map and prioritize vendors, integrate external threat intelligence, continuously monitor risks, and coordinate across security, procurement, IT, and legal to improve resilience.
  • Addressing fourth-party risks, open-source component tampering, MSP and contractor targeting, and remote workforce exposure is critical because these vectors multiply impact across ecosystems.
  • Recorded Future offers continuous monitoring, transparent risk scoring, AI-driven insights, contextual intelligence, and seamless integration to help organizations detect and act on vendor threats in real time.

MITRE Techniques

  • [T1195] Supply Chain Compromise – Attackers inserted malicious code into vendor software updates or third-party components, as described: “Attackers infiltrated the build environment of SolarWinds’ Orion IT management software and inserted malicious code into routine updates.”
  • [T1078] Valid Accounts (Trusted Access Abuse) – Adversaries use stolen vendor credentials or exploit privileged vendor relationships to bypass controls: “Adversaries use stolen vendor credentials or exploit privileged relationships to bypass security controls.”
  • [T1210] Exploitation of Remote Services (Infrastructure/Domain Compromise) – Threat actors hijack vendor domains, email systems, or network infrastructure to impersonate vendors and distribute malware: “Malicious actors hijack vendor-owned domains, email systems, or network infrastructure.”
  • [T1566] Phishing (via Vendor Impersonation) – Compromised vendor infrastructure is used to send phishing emails under the guise of legitimate communications: “This allows them to impersonate the vendor, send phishing emails, or distribute malware under the guise of legitimate communications.”
  • [T1499] Endpoint Denial of Service (Faulty/Malicious Updates) – Malicious or faulty updates can take large numbers of endpoints offline at once, as with the CrowdStrike Falcon Sensor update that triggered kernel panics and boot failures: “a faulty update to CrowdStrike’s Falcon Sensor software caused widespread instability across multiple operating systems.”
  • [T1203] Exploitation for Client Execution (Open-source Component Tampering) – Attackers inject malicious code into open-source libraries or packages that execute on downstream systems: “Attackers inject malicious code into widely used open-source libraries, APIs, or software packages.”
  • [T1486] Data Encrypted for Impact (Ransomware Extortion) – Threat actors compromise suppliers, encrypt data, and threaten to publish sensitive files to extort victims: “Threat actors compromise a supplier, encrypt data, and threaten to publish sensitive files on dark web leak sites.”
  • [T1090] Proxy (Fourth-Party Service Attacks) – Compromise of shared platforms or cloud providers creates a multiplier effect across dependent organizations: “attackers compromise shared platforms or cloud providers that many vendors rely on.”

Indicators of Compromise

  • [Vulnerability/CVE] MOVEit exploit – CVE-2023-34362 (SQL injection) used by Clop to exfiltrate data.
  • [Software/Update] Malicious or faulty update – SolarWinds Orion update with injected backdoor; CrowdStrike Falcon Sensor update that caused kernel panics.
  • [Threat Actor] Ransomware group – Clop associated with MOVEit exploitation and data theft.
  • [Impacted Entities] Affected organizations – “roughly 18,000 customers” for SolarWinds, “more than 62 million people and over 2,000 organizations” impacted by MOVEit (examples of scale rather than discrete IOCs).
Read more: https://www.recordedfuture.com/blog/supply-chain-attacks