[BreachExchange] Supply Chain Attacks Are On The Rise

Destry Winant destry at riskbasedsecurity.com
Fri Dec 14 08:37:00 EST 2018


https://www.cybersecurityintelligence.com/blog/supply-chain-attacks-are-on-the-rise-3979.html

Modern companies work with subcontractors and third-party providers in
so many ways: from employing third-party experts for solving
particular problems to using third-party providers’ teams to monitor
corporate security and infrastructure health 24/7. While this
partnership proves to be quite beneficial to all parties, there are
certain cybersecurity risks to consider.

In particular, more and more hackers are looking for a way to
compromise supply chain networks and cause severe damage to large
companies and organizations without attacking them directly. These
indirect yet devastating attacks are called supply chain attacks.

What’s the danger of supply chain attacks?

So what is a supply chain attack? Basically, it’s a type of attack
where hackers don’t target their initial goal directly. Instead, they
focus on finding and compromising the most vulnerable elements in
their victim’s supply chain network: the subcontractors and third-party
providers the intended victim works with. There are several ways of
compromising a supply chain: from sending phishing emails in order to
steal a supplier’s identity to injecting malicious code into
third-party software.

Software supply chain attacks pose the most danger since they are much
harder to detect. These attacks target not third-party provider
accounts or corporate networks, but the third-party software used by a
victim. Such an attack can be performed by exploiting existing
vulnerabilities in that software or by modifying the software itself to
insert malicious code.

Attackers focus mainly on three categories of targets:

Website builders
Third-party software providers
Third-party data storages

For instance, hackers may target a software vendor and try to modify
one of its products and inject their malicious code into it. As the
compromised software spreads among the clients of this provider, so
does the malware. As a result, hackers get a chance to cause damage to
numerous companies and organizations by compromising just one
supplier.

However, cyber supply chain attacks aren’t limited to compromising
third-party software solutions. Attackers may also try to hack a
supplier’s system and steal their credentials to get access to the
main target’s network.

The silent threat in the supply chain lies in the difficulty of making
sure that all of your third parties take their cybersecurity seriously
and responsibly enough, especially considering the fact that supply
chain attacks are currently on the rise.

The rising threat of supply chain attacks

The practice of using suppliers and subcontractors to indirectly hit a
larger target is becoming more and more common. According to a recent
report by Vanson Bourne and CrowdStrike, two-thirds of surveyed
companies suffered from a software supply chain attack in the past
year, and the average cost of such attacks is estimated to be as high
as $1.1 million.

However, what’s even more concerning is that 71 percent of respondents
admitted not holding their subcontractors to the same security
standards they use themselves. At the same time, the vast majority of
the surveyed experts and decision makers — nearly 80 percent — believe
software supply chain attacks to be dangerous enough to rank among the
biggest cyber threats in the near future.

Here are some of the most recent examples of software supply chain attacks:

CCleaner — Hackers managed to compromise a legitimate application and
use it to perform a backdoor attack, infecting over 2 million CCleaner
customers worldwide. It’s noteworthy that the hackers specifically
targeted 18 large companies, including Sony, Intel, Asus, and VMware.
They modified one of the application’s functions to make it decode and
load the malware.

M.E.Doc — Hackers compromised the update server used by the
tax-accounting application M.E.Doc. Used to spread NotPetya
ransomware, the supply chain attack affected the operations of banks and
companies worldwide, literally paralyzing entire networks. Companies
such as FedEx and Maersk reported losing around $300 million each
as a result of the attack.

PyPI — Hackers targeted the popular programming language — Python — by
compromising PyPI servers and replacing original libraries with
altered packages that included a check-in beacon.

Kingslayer — Hackers created a backdoor by targeting administrator
accounts and replacing the legitimate application with a
malware-containing version. As a result of this attack, at least one
US defense contractor was compromised, although the exact number of
infected companies remains unknown.

Transmission — Hackers compromised legitimate servers used for
distributing the popular BitTorrent client. They injected macOS
ransomware into the client’s installer.

In each of these cases, attackers picked a trusted, legitimate product
or service and exploited it to harm a larger target.

In addition to that, there are numerous examples of large companies
suffering from not taking third-party access management seriously
enough:

Amazon — In 2017, hackers attacked several third-party vendors working
with Amazon and used their credentials to post fake deals on the
platform.

Target — One of Target’s third-party vendors was hacked via phishing.
Using the stolen credentials of that vendor, hackers got access to
Target’s billing network.

All these examples lead us to the main question: is it possible to
mitigate the risks of supply chain attacks?

How to protect your company against supply chain attacks

The lack of control over third parties is one of the main reasons
supply chain attacks are even possible. Therefore, you can
significantly improve the level of your company’s cybersecurity by
adapting your standard security procedures to include all of your
vendors, suppliers, and third-party providers.

Here are some of the best practices for managing supply chain risks:

Vet your subcontractors — Don’t grant third parties access to your
network until you have vetted their current security practices. Request
and examine their cybersecurity policy and make sure they follow the
same security and compliance standards that you do. When deploying a
new product from a third-party software provider, check whether the
developers used a security development lifecycle process when building
the solution.

Set protocols and SLAs — Set specific rules for every aspect of
cooperating with vendors: from accessing data to sending emails. Keep
your cybersecurity standards consistent along the entire supply chain
to make it much harder for attackers to find a weak spot in it.

Deploy access management solutions — Use advanced identity and access
management solutions to make sure that only legitimate users have
access to your company’s critical assets and sensitive information,
and only to those they really need for their work. Also, consider
using a one-time password scheme or integrating your access management
solution with a ticketing platform.

Monitor your network — Having full visibility of vendor actions within
your company’s network is crucial for ensuring a high level of
cybersecurity. You can look for a specific third-party vendor
monitoring solution or use a universal toolset for monitoring user
activity and managing access.

Perform regular audits — Auditing third-party vendors’ activity on a
regular basis is just as important as auditing your own network. This
way you can not only detect suspicious actions, but also see whether
everyone follows appropriate security practices and whether there are
any new weak spots and vulnerabilities in your supply chain.

Conclusion

Understanding the difficulty of attacking large companies directly,
hackers take advantage of indirect attacks by targeting their victim’s
supply chain. They use various tactics: steal identities, compromise
admin accounts, infect legitimate software and applications with
malicious code, and so on.

In order to mitigate the risks of supply chain attacks, companies
should reconsider their current security policies. Third-party vendors
and suppliers are insiders as well: they need to be included in the
corporate insider threat program and held to the same security
practices and standards.