Supply Chain Attacks Explained
Instead of attacking you directly, sophisticated attackers compromise trusted software you already use. Here's how supply chain attacks work and how to defend against them.
Notable Supply Chain Attacks
SolarWinds (2020)
Impact: 18,000 organizations including US government agencies
Method: Malicious code injected into Orion software update
Lesson: Even government-trusted software can be compromised
Codecov (2021)
Impact: Thousands of CI/CD pipelines
Method: Bash Uploader script modified to exfiltrate credentials
Lesson: Verify integrity of scripts you pipe to bash
Log4Shell (2021)
Impact: Millions of Java applications worldwide
Method: Zero-day in a widely used logging library
Lesson: Dependencies of dependencies can be attack vectors
3CX (2023)
Impact: 600,000 companies using the 3CX phone system
Method: Compromised desktop app update distributed through official channels
Lesson: Legitimate update mechanisms can be weaponized
xz Utils (2024)
Impact: Nearly all Linux distributions
Method: Social engineering of an open-source maintainer to inject a backdoor
Lesson: Even critical open-source infrastructure is vulnerable to long-term social engineering
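The Codecov lesson above (verify the integrity of scripts before they reach a shell) is easiest to apply by saving the script to disk, checking its hash against a value obtained out of band, and only then executing it. The following is an added shell example, not code from the original article or from Codecov; it assumes the expected SHA-256 is pinned in your own configuration (copied from the vendor's signed release notes or documentation) rather than fetched from the same URL as the script, and the "installer" it runs is a constructed stand-in.

```shell
#!/bin/sh
# Added example (not part of the original article): run a downloaded script
# only after its SHA-256 matches a hash pinned from an independent source.
# Assumption: EXPECTED_SHA256 comes from vendor docs or signed release notes,
# never from the same download location as the script itself.

# Print the SHA-256 of a file; works with coreutils (sha256sum) and BSD/macOS (shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_SHA256 -> exit 0 if the hash matches, 1 otherwise.
verify_script() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# run_verified FILE EXPECTED_SHA256: execute the file only after the check passes.
# Hashing the on-disk copy and executing that same copy avoids the gap that
# "curl ... | bash" leaves between what you inspected and what actually ran.
run_verified() {
    if verify_script "$1" "$2"; then
        sh "$1"
    else
        echo "refusing to run $1: checksum mismatch" >&2
        return 1
    fi
}

# Constructed demo: a stand-in for a vendor installer, then a tampered copy.
demo() {
    tmp=$(mktemp)
    printf 'echo "installer ran"\n' > "$tmp"
    pinned=$(sha256_of "$tmp")        # in practice: the hash published by the vendor
    run_verified "$tmp" "$pinned"     # matches: runs and prints "installer ran"
    printf 'echo "extra line added after release"\n' >> "$tmp"   # simulate modification
    run_verified "$tmp" "$pinned"     # mismatch: refused, nothing executed
    rm -f "$tmp"
}

demo
```

The hash must be pinned somewhere the attacker who controls the download host cannot also edit, otherwise the check only confirms that the modified script matches its modified checksum.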
How Remote Workers Can Defend
Minimize Your Tool Surface
- Use fewer browser extensions
- Audit installed apps quarterly
- Remove unused software
- Prefer built-in OS tools when possible
Prefer Audited & Open-Source
- VPN: Proton VPN, Mullvad (open-source)
- Password manager: Bitwarden (open-source)
- Messaging: Signal (open-source)
- Browser: Firefox (open-source)
Monitor & Detect
- Enable OS security notifications
- Watch for unusual app behavior
- Check for unauthorized network connections
- Subscribe to security advisories for tools you use
Limit Blast Radius
- Use separate accounts for work and personal use
- Don't run as admin for daily work
- Encrypt your disk
- Keep 3-2-1 backups current