SUPPLY CHAIN ATTACK – A GROWING CYBER THREAT
What could be better than killing several birds with a single stone? That’s exactly what is happening in the cyber underworld at the moment. Cybercriminals are cunningly exploiting a form of attack that can breach multiple targets instead of laboriously breaching one at a time. The so-called supply chain attack is now a popular type of cyberattack in which a business is breached through vulnerabilities in its supply chain, usually caused by having vendors with dysfunctional IT security. Statistics from the Crowdstrike 2021 Global Security Attitude Survey show that 84% of respondents believe that supply chain attacks were likely to become the biggest cyber threat within the next 3 years.
Supply chain attacks, aka value-chain attacks or backdoor breaches, are often overlooked because they are difficult to detect or trace. Nevertheless, they can result in catastrophe, not only bringing your business to a halt but exposing your clients’ sensitive data. Business owners need to remember that when you outsource to a third party, you only outsource the work and not the risk. In the event of a breach, you are liable and nobody else. The European Union Agency for Cybersecurity (ENISA) predicts a 4-fold increase in supply chain attacks. These threats, becoming more sophisticated and damaging by the minute, have the potential to put an organization, its clients and its vendors out of business for good. Eran Orzel, a Senior Director at Argon, says:
“The number of attacks over the past year and the widespread impact of a single attack highlights the massive challenge that application security teams are facing. Unfortunately, most teams lack the resources, budget, and knowledge to deal with supply chain attacks.”
WHAT HAPPENS IN A SUPPLY CHAIN ATTACK?
As we said, lazy hackers see supply chain attacks as a massive leap forward in their quest to paralyze IT systems, steal data, and make money. The most prolific of these is the software supply chain attack. In Eran Orzel’s words, most companies don’t have the finances or resources to develop their own software applications. Instead, they buy components off the shelf, such as third-party APIs, open-source code and proprietary code from software vendors. Sometimes that software or code contains tainted scripts or unpatched vulnerabilities, which hackers love. Attackers then inject malware into the legitimate code, and the malicious software is allowed to operate with the same trust and permissions as the original application. An even greater threat is a software vendor itself being hacked: the malware is passed on to the vendor’s clients and possibly even further down the supply chain. This phenomenon has a mushroom effect. Look at this simple example:
- A vendor supplies 1000 businesses with infected software or code.
- Each of these businesses has 1000 clients.
- A single supply chain attack has the potential to disrupt 1000 x 1000 operations. That’s 1 million, not including the software vendor.
Today, the average software project has 203 dependencies. If a popular app includes one compromised dependency, every business that downloads from the vendor is compromised as well, so the number of victims can grow exponentially. Via a supply chain attack, cybercriminals can then gain access to sensitive company information, customer records, payment information and much more. These attacks can also cause large-scale manufacturing and services disruption, and irreparable reputational damage. And don’t forget that the number of global supply chain attacks increased by 300% in 2021.
KASEYA AS A CASE IN POINT
The supply chain attack on Miami-based software vendor Kaseya in July 2021 is one of the most damaging ransomware attacks in history, involving a ransom demand of $70 million. Kaseya provides IT Managed Service Providers (MSPs) with Remote Monitoring and Management (RMM) software. The MSPs install the RMM tools on client workstations and servers to monitor their clients’ email, phone systems, firewalls, switches and other network devices. Last year, the Russian Ransomware-as-a-Service (RaaS) operation REvil used zero-day exploits against Kaseya’s software platform to gain access and distribute malicious software to Kaseya’s MSP clients, which was then passed downstream to those MSPs’ own clients. Each company infected by the supply chain attack was held to ransom, causing massive disruption to U.S. businesses, transport systems, schools and chain stores, with hundreds being forced to close temporarily. Victims were also identified in other countries, including the UK, South Africa, New Zealand, Canada and Indonesia.
The supply chain attack on Kaseya could have been much more severe. The software vendor has over 37,000 MSP clients, of which 50 were impacted, a mere 0.13%. However, those 50 MSPs served between 800 and 1500 clients in total. In late July, Kaseya provided a decryption key for the ransomware to all affected parties that signed a non-disclosure agreement. The ransom, which REvil had lowered to $50 million, was never paid.
WHAT DOES THE LAW REQUIRE?
In November 2021, the UK government announced that intervention would be required to address the problem that MSPs were having with cybersecurity and supply chains. In part, this decision was based on research done by the Department for Digital, Culture, Media and Sport (DCMS) that showed:
- only 12% of organisations review the cybersecurity risks coming from their immediate suppliers
- only one in 20 firms (5%) address the vulnerabilities in their wider supply chain
Julia Lopez, the Minister of State for Media, Data, and Digital Infrastructure, emphasized the importance of protecting essential services and the wider economy from cyber threats and said:
“Every UK organisation must take their cyber resilience seriously as we strive to grow, innovate and protect people online. It is not an optional extra.”
Earlier, in 2018, the UK government extended its Network and Information Systems (NIS) regulations to include MSPs. The aim was to improve the cybersecurity of companies providing essential services such as water, energy, transport, health care and digital infrastructure. Organisations that fail to put in place effective cybersecurity measures can face fines as high as £17 million. Some say that this was too little too late.
WHAT CAN I DO?
By design, supply chain attacks are often difficult to identify or trace due to their complexity. But there are steps you can take to make life much more difficult for bad actors. Here are 5 such strategies:
- Implement Honeytokens. Honeytokens are fake resources posing as sensitive data. An attacker is often fooled into believing they are valuable assets, and when they interact with them a signal is triggered. This gives you early warning of an attempted or actual breach. If the attacker isn’t operating behind a firewall, honeytokens could even reveal their location and identity.
- Implement Zero Trust. Zero Trust is underpinned by the principle of ‘never trust, always verify’ and is a giant leap forward over old cybersecurity models for businesses. Unlike traditional cybersecurity models in which all users were considered trustworthy once past the network perimeter, Zero Trust embodies a much more cynical and dynamic approach. It uses the principle of least privilege (POLP) which limits access to data and applications only to those who need it. The knock-on effect is that the potential lateral movement of hackers through a network is almost eradicated. Furthermore, Zero Trust enforces strict device authentication and authorization throughout an IT network.
- Employee Education. Your staff are often the gateway to malicious intrusion and can be tricked into allowing a hacker access to the cyber ecosystem. Scam emails and phishing attacks are the most common form of trickery, asking for login details or other credentials. Make sure that you provide your employees with ongoing cybersecurity education and training that covers phishing attacks, social engineering attacks, DDoS attacks, ransomware and malware, and clickjacking attacks.
- Minimize Access. Minimizing access to sensitive data should be inherent to your Zero Trust policy. Firstly, identify all sensitive data access points. In this way, you will know all the employees and third-party vendors accessing your sensitive data. You then need to keep accounts to a minimum – the more people have access, the greater the risk. Considering that vendors are the first targets in a supply chain attack, scrutinize and cull their access where possible.
- Identify Vendor Leaks. According to the latest research, companies have a 27.7% chance of suffering a data breach, and almost 60% of these breaches are linked to third parties. When you focus on the mitigation of third-party data breaches, overall data breaches stemming from supply chain attacks will be significantly reduced.
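As an added illustration of the honeytoken strategy above (example code written for this article, not from any product or vendor named here), the block below seeds a decoy API key and scans constructed access-log lines for any request that presents it. The log format, the alert fields and the "hk_" key prefix are assumptions made for the example.

```python
"""Honeytoken issuance and detection (illustrative example, not the page's own code)."""
import re
import secrets
from dataclasses import dataclass

# Registry of issued decoy credentials: token -> where it was planted.
# Kept in memory for this example; a real deployment would persist it.
HONEYTOKENS: dict[str, str] = {}


def issue_honeytoken(planted_in: str, prefix: str = "hk_") -> str:
    """Create a random decoy API key and record where it was seeded.

    No legitimate code ever uses the key, so any request presenting it
    is suspicious by definition.
    """
    token = prefix + secrets.token_hex(16)
    HONEYTOKENS[token] = planted_in
    return token


@dataclass(frozen=True)
class Alert:
    timestamp: str
    source_ip: str
    token: str
    planted_in: str


# Assumed log format: "<timestamp> <client ip> <method> <path> key=<api key>"
_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) key=(\S+)$")


def detect_honeytoken_use(log_lines: list[str]) -> list[Alert]:
    """Return one Alert per log line that presents a registered honeytoken."""
    alerts = []
    for line in log_lines:
        m = _LINE.match(line.strip())
        if not m:
            continue  # lines without a key are ignored, not alerted on
        ts, ip, _method, _path, key = m.groups()
        planted = HONEYTOKENS.get(key)
        if planted is not None:
            alerts.append(Alert(ts, ip, key, planted))
    return alerts


def demo() -> list[Alert]:
    """Seed one decoy key in a vendor config, then scan constructed log lines."""
    decoy = issue_honeytoken("vendor-portal .env backup")
    real = "hk_" + secrets.token_hex(16)  # legitimate key, not in the registry
    sample_logs = [  # constructed sample lines (documentation IP ranges)
        f"2021-07-02T14:03:11Z 203.0.113.7 GET /api/v1/customers key={real}",
        f"2021-07-02T14:05:42Z 198.51.100.23 GET /api/v1/customers key={decoy}",
        "2021-07-02T14:05:43Z 198.51.100.23 GET /healthz",
        f"2021-07-02T14:06:00Z 198.51.100.23 POST /api/v1/export key={decoy}",
    ]
    return detect_honeytoken_use(sample_logs)
```

Because the decoy key carries no real entitlement, the two alerts from `demo()` cost nothing in false positives and point straight at the requesting address and the vendor artefact that leaked.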
I will ensure that your business avoids any disasters caused by a digital supply chain attack before it happens. I will scan your systems and identify all third-party vulnerabilities so that you can cull without needing to kill. With over 20 years of experience in IT, I can advise on implementing Zero Trust and on how to minimize employee and vendor access, and provide comprehensive cybersecurity education and training. By using extensive cybersecurity and risk mitigation solutions, I will help you decide on IT that works for you and your business. Contact me now.