Supply chains in the digital landscape are becoming more complex and intertwined as they continue to grow in size and reach. Unknown weak links in that processing chain are a lucrative target for cyber criminals to exploit, writes Suzie, SBRC Ethical Hacker.
Larger companies in the supply chain can become vulnerable to attacks stemming from the exploitation of smaller, less secure businesses. Small businesses that would not see themselves as potential targets therefore become one.
Supply chain attacks have the “potential to greatly magnify the damage of a single security breach” and can ultimately temporarily shut down large companies and possibly segments of public infrastructure, which is why they are a growing cause of concern.
The Colonial Pipeline was the victim of a ransomware attack in May 2021. This pipeline delivers nearly half of the U.S. East Coast fuel supply. JBS, one of the largest meat producers, was forced to shut down facilities due to a cyber attack. JBS provides close to a quarter of the American meat supply. Both of these examples highlight the impact of a cyber attack on the supply chain and the ramifications for the general public, not just for the organisations that were targeted.
Malicious threat actors are now targeting software vendors and IT providers, where one vulnerability can open access across many companies and industries simultaneously: one shot, many targets. This also raises the likelihood that multiple ransoms will be paid; if one company will not pay, many others might.
Cyber criminals are targeting trusted companies which supply IT services or software, like Kaseya, which is a Managed Service Provider (MSP). Malware can infiltrate the supply chain through exploitation of zero-day vulnerabilities or by hiding in software updates, and because MSPs have legitimate access to their customers’ computer systems, a “virus can be installed undetected on thousands of computers at once”.
Types of supply chain attacks
The National Cyber Security Centre (NCSC) identifies four types of supply chain attacks: third party software providers, third party data stores, website builders and watering hole attacks. For more information on types of attacks, visit the NCSC website.
Third party software
“Compromised software is very difficult to detect if it has been altered at the source, since there is no reason for the target company to suspect it was not legitimate. This places great reliance on the supplier, as it’s not feasible to inspect every piece of hardware or software in the depth required to discover this type of attack.” (National Cyber Security Centre)
The SolarWinds attack is an example of a third-party software supply chain attack. Attackers tampered with SolarWinds’ back-end systems and altered its software without detection, so that the compromised software pushed to unsuspecting customers contained a backdoor, giving the malicious hackers continuous access. From that foothold the attack was propagated further to target U.S. government agencies, with further attempts to target tech firms.
Third party data stores
It is now commonplace for businesses to outsource their data to third party companies. This means that it is not just customers’ data that is being outsourced; it includes sensitive data that may be core to a business, such as strategy, exposure to risk, financial health and even high profile mergers and acquisitions.
Kaseya is an example of how the supply chain can be compromised through third-party vendors. Attackers were able to exploit an unknown vulnerability (a zero-day) in Kaseya’s VSA product, which ultimately deployed ransomware to endpoints and allowed the threat actor group REvil to reach “customers’ customers…and around 1,500 downstream businesses (are) now affected”. This vulnerability compromised all computers managed by a compromised VSA server.
This attack also revealed a new strategy from threat actors: they demanded a $70 million ransom by disrupting hundreds of small to medium businesses instead of targeting larger companies. You can read more about the Kaseya attack in a recent blog I posted.
The best defence is a good offence
Be proactive and understand that being secure online is an ever-evolving effort, not a static one-off option. Keeping up to date on cyber threats is key to being prepared and to avoiding being affected by one. Knowledge is power: the more you know and are aware of, the better your chance of mitigating potential threats. Knowing what resources are available to keep on top of current threats is a valuable tool for successfully running a business online.
Take a moment to think about how a supply chain attack could affect your business…
- What software do you use to manage your network?
- How are you confirming the integrity of this software after updates?
- Which trusted suppliers have access to your network?
Reducing the risk of a business becoming the victim of a supply chain attack starts with taking stock of IT vendors and external software. The more vendors in use, the higher the chance that one of them will be compromised.
Given the problems highlighted by supply chain attacks, businesses need to make informed choices about whether the vendors they use are taking adequate steps to defend themselves against hackers, which means doing due diligence when selecting an MSP.
“Treat software updates with more scrutiny…by subjecting them to robust antivirus scans or testing them out on isolated servers before installing them on the rest of the network.” (Axio chief product officer Dale Gonzalez)
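One concrete form of “confirming the integrity of this software after updates” is checking a downloaded package against the digest the vendor publishes before it goes anywhere near the isolated test server. This is an added example, not code from the original post or from any vendor’s tooling; the package bytes, file name and checksum manifest are constructed for illustration.

```python
import hashlib
import hmac
import re

# Manifest lines follow the sha256sum convention: "<64 hex chars>  <file name>".
HEX_RE = re.compile(r"^[0-9a-f]{64}$")

def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory package; stream in chunks for large files on disk."""
    return hashlib.sha256(data).hexdigest()

def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines into {file name: digest}.
    Blank lines and '#' comments are skipped; anything else that is not a
    well-formed digest line is an error, not silently ignored."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        digest = digest.lower()
        if not sep or not HEX_RE.match(digest) or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name.lstrip("*")] = digest  # '*' marks binary mode in sha256sum output
    return expected

def verify_update(package: bytes, name: str, manifest_text: str) -> tuple:
    """Return (ok, reason). ok is True only when the package digest matches the
    manifest entry for `name`; a missing entry is a failure, never a pass."""
    expected = parse_manifest(manifest_text)
    if name not in expected:
        return False, f"no manifest entry for {name}"
    actual = sha256_hex(package)
    # Constant-time comparison: the check itself should not leak partial matches.
    if not hmac.compare_digest(actual, expected[name]):
        return False, f"digest mismatch for {name}: got {actual[:12]}..., expected {expected[name][:12]}..."
    return True, f"{name} matches the published digest"

# Constructed sample data (hypothetical vendor, hypothetical agent package).
GOOD_PACKAGE = b"agent-update-1.2.3 :: constructed sample payload\n"
MANIFEST = ("# checksums published by the vendor, fetched over a separate channel\n"
            f"{sha256_hex(GOOD_PACKAGE)}  agent-1.2.3.bin\n")
TAMPERED_PACKAGE = GOOD_PACKAGE + b"tampered"  # any change in transit breaks the digest

if __name__ == "__main__":
    for pkg, nm in [(GOOD_PACKAGE, "agent-1.2.3.bin"),
                    (TAMPERED_PACKAGE, "agent-1.2.3.bin"),
                    (GOOD_PACKAGE, "agent-9.9.9.bin")]:
        print(verify_update(pkg, nm, MANIFEST))
```

A digest fetched from the same server as the download adds little if that server is what was tampered with, as in the SolarWinds case, so prefer a signature verified against a vendor key obtained out of band and treat any mismatch as grounds to quarantine the update rather than retry it.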
The silver lining
As cyber attacks continue to evolve, so do the efforts of the cyber security community. Every malicious hack provides more knowledge of how to prevent or mitigate that threat in the future. Supply chain attacks highlight the need for businesses to focus on business resilience: being able to adapt to disruptions, protect assets and preserve brand equity. Third parties need greater scrutiny: who has access to your data, how are they storing and managing it, what are they doing with it, and what are the risks involved in using them?
Ransomware can in essence be reduced to a few root causes, such as network infiltration through poor passwords, which could have been negated by using Multi-Factor Authentication (MFA), as was the case in the Colonial Pipeline attack. The antidote is stronger credential protection, good security hygiene and monitoring.
There is now a growing trend focusing on Zero Trust. This assumes a compromise will happen, moving away from a perimeter-centric approach to security and acknowledging that malicious threats are potentially already inside your environment.
“A Zero Trust (ZT) architecture abolishes the idea of a trusted network inside a defined corporate perimeter. ZT mandates that enterprises create micro perimeters of control around their sensitive data assets to gain visibility into how they use data across their ecosystem to win, serve, and retain customers.”
The NCSC has outlined ten principles on the concept of Zero Trust here.
More information on supply chain security
The NCSC has produced guidance to give organisations an improved awareness of supply chain security, as well as helping to raise the baseline level of competence in this regard, through the continued adoption of good practice. Find out more here.
SBRC’s latest Exercise in a Box deals with supply chain scenarios to help identify areas that would be beneficial to invest in, whether through staff training and/or through technology. Check out our recent blog on the new Exercises.