2022年12月23日

軟件供應鏈的吸引力很難被攻擊者忽視，他們知道他們可以快速、輕鬆地獲取廣泛的敏感信息，以換取更豐厚的獎勵。從2000年到2021年，軟件供應鏈攻擊增加了近300%，年增長率為300%。在這些企業中，62%的企業表示他們受到了網絡攻擊的影響。專家警告說，襲擊不會減弱。事實上，根據Gartner的研究，到2025年，全球45%的企業的數字供應鏈將遭受勒索軟件攻擊。InterVision公司安全產品經理Zack Moore表示:“沒有人是安全的。”在過去兩年裏，供應鏈攻擊已經影響了各級行業和政府。從曆史上看，對軟件供應鏈的攻擊在SolarWinds事件和Log4j漏洞等案例中最為明顯。在這兩起事件中，對軟件供應鏈的攻擊都是公開的，其後果的全部程度還不得而知。Sysdig網絡安全戰略主管邁克爾·伊斯比斯基(Michael Isbitski)表示:“太陽風成為數字供應鏈風險的典型代表。” His final example was Microsoft Exchange, which he argued was equally influential but “soon forgotten.” He mentioned that the FBI and Microsoft are still monitoring ransomware attempts that aim to exploit weak Exchange installations. Midway through 2021, ransomware agents broke into Kaseya, another company that serves as an example. Therefore, over 2,000 users of the IT management software supplier got a hacked version of the application, and between 1,000 and 1,500 users had their systems encrypted in the end. Moore remarked, “The direct costs of such an attack are enormous.” The long-term effects, however, are far more concerning. The time and money required to get back on your feet might be staggering. But why do attacks on the software supply chain persist? Moore claims that the growing use of third-party code is to blame for the relentless attacks (including Log4j). Because of this, both distributors and suppliers are increasingly exposed, and he added that exposure is typically correlated with a greater compensation. “ransomware perpetrators are increasingly comprehensive and employ non-conventional techniques to approach their targets,” Moore added. Using suitable segmentation procedures, ransomware agents may, for instance, go after IT management software systems and their parent firms as their intended victims. Then, after they’ve broken in, they’ll use that connection to spread malware throughout the parent company’s affiliates and reliable vendors. Moore argued that the increased stakes contribute to the current prevalence of supply chain assaults. As a result of supply chain interruptions, the sector is at a critical juncture. Inexpensive with a substantial payoff Crystal Morin, a threat research engineer at Sysdig, has noted that supply chain assaults may be carried out for little money, need little time, and provide a large potential payoff. In addition, several firms in the security industry openly reveal their methods and tools online, and they routinely publicise their results in great detail. Morin said that “less-skilled attackers can imitate established threat actors or quickly master advanced approaches” due to the availability of tools and knowledge. Zack Newman, senior software engineer and researcher at Chainguard, added that ransomware assaults on the supply chain allow bad actors to spread their net. A breach in one link of the supply chain can have far-reaching effects on hundreds or thousands of businesses farther down the chain. However, the attack surface shifts as an attacker zeroes in on a single business or government agency. Instead of waiting for a security flaw at a single company, Newman argues that an attacker only has to locate a single flaw in any of the organisations upon which the target relies for software.