Is Your Supply Chain Under Attack?
When a threat actor compromises your systems through an outside partner that has access to your systems and data, this is what we call a supply chain attack. Based on 2021 research, attacks on supply chains have increased in number (66%) and in sophistication. Strong security protection within the organization alone is no longer enough to insulate it from attacks on the supply chain. Massive security breaches at business service providers such as SolarWinds, Microsoft, Blackbaud and Accellion have left many organizations victims of these cyberattacks, which highlights third-party vendor and supply chain cybersecurity risk.
Supply Chain Cyber Attacks
Cybercriminals have multiple paths into an organization, ranging from business email compromise to credential stuffing. By attacking the weakest links in the organization’s network, hackers can hit multiple targets at once and wreak havoc before a security breach is detected. Such an attack can result in business disruption or covertly installed malicious operations, millions of dollars in losses, and reputational damage. A booming cybercrime-as-a-service gig economy is also enabling the growth of dark web operations, from targeted database hacking to outsourced phishing.
Past Major Supply Chain Breaches
Singapore Airlines
Singapore Airlines was one of the airlines affected by cyberattacks on third-party systems. Threat actors used the infected system to expose frequent flyer membership numbers, tier status and, in some cases, members’ names; the compromised system’s role was to distribute frequent flyer member details. Third-party software is a common entry point: SolarWinds network management software, for example, had malware inserted into its software updates by threat actors, a supply chain attack that affected large enterprises and government agencies.
British American Tobacco
British American Tobacco (BAT)’s Romanian web platform was compromised in a ransomware attack and data breach. The breach was reported to involve an unsecured Elasticsearch server holding around 352 GB of data. The threat actor claimed to have accessed the data and demanded a Bitcoin payment in exchange for not deleting it. The compromised data included users’ personally identifiable information (PII): name, gender, email address, phone number, date of birth, source IP, and cigarette and tobacco product preferences.
Kaseya VSA
A massive attack was launched against around 50 managed service providers (MSPs). It was made possible by an unpatched zero-day vulnerability in Kaseya’s VSA software. Kaseya VSA is a cloud-based MSP platform that allows providers to perform patch management and monitoring for customers. The exploit targeted unpatched Kaseya software through a potential authentication bypass and then used legitimate Windows software to carry out the attack.
Impact of the Major Supply Chain Cyberattacks
Cyberattacks and security breaches are on the rise, and the supply chain is at the forefront of these attacks. Threat actors increasingly take advantage of poor security practices in organizations as a means of gaining access and compromising the network. Here are the top five risks and impacts in the digital supply chain:
1) The Human element
Whether intentionally or unintentionally, staff who do not follow procedures or who bypass checks and balances pose a significant risk to their organization and to the entire supply chain. Social engineering attacks exploit psychological weaknesses such as trust, anxiety and curiosity. Threat actors can penetrate email systems through social engineering and gain an understanding of policies and procedures. They can then pretend to be a supply chain vendor and con businesses into transferring large sums of money.
2) Critical Data
Supply chain attacks that steal sensitive data from the partners of businesses and governments are common. A recent attack on COVID-19 vaccine supply chains to steal vaccine information illustrates that attackers and organized cybercrime syndicates increasingly seek to exploit trade secrets and intellectual property.
3) Third-party and weak links
4) Lack of vendor risk management
Not having a detailed understanding of the risk that vendors and third parties introduce into the organization’s environment is itself a cyber risk. Businesses must have a strict vendor oversight and monitoring process to maintain normal operations. Vendors should also be ranked on risk metrics such as reputation, business dependency, and financial, operational, regulatory, privacy and legal exposure. Their risk profile must be reassessed regularly for changes, and as risks evolve, the processes should evolve to cover them.
5) Absence of Monitoring tools
Real-time monitoring tools are necessary for an organization to run its operations smoothly. Monitoring is crucial because it provides a record of activity and incidents, which enables better planning for mitigation and remediation. Organizations should implement governance, risk and compliance (GRC) platforms; the absence of a GRC platform can derail an organization’s security program. Employees need to understand the sensitivity of data and follow security best practices to comply with regulations. It is essential to have an incident response plan that covers third-party vendors and to ensure that all key stakeholders are involved.
Top Malware Affecting Supply Chain Sectors
REvil Ransomware as a Service (RaaS)
REvil ransomware spreads via a malicious update pushed through compromised Kaseya VSA servers. A PowerShell command then installs the encoded Agent.exe on the endpoint. A scheduled task runs the malicious executable, which sideloads a DLL into memory for execution. Once the DLL executes, the endpoint is compromised and REvil begins encrypting the disk.
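To show how a defender could spot the chain just described in endpoint telemetry, here is an added example (not from the article, and not Kaseya's or any vendor's code) that correlates constructed Sysmon-style process-create and image-load events per host. The management-agent name, hostnames and paths are constructed placeholders, not real indicators.

```python
"""Added example, not from the article: correlate constructed Windows process events into
the stages described above (PowerShell spawned by the management agent, an executable run
from a user-writable folder by a scheduled task, a DLL loaded from such a folder).
Agent name, hosts and paths are constructed placeholders, not real Kaseya/REvil indicators."""
import re
from collections import defaultdict

WRITABLE_DIR = re.compile(r"^c:\\(users\\public|programdata|windows\\temp)\\", re.I)
RMM_AGENT = "rmmagent.exe"  # placeholder name for the remote-management agent binary

# Constructed sample events in Sysmon style: id 1 = process create, id 7 = image (DLL) load.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01", "parent": r"C:\Program Files\RMM\rmmagent.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 1, "host": "ws01", "parent": r"C:\Windows\System32\svchost.exe -k netsvcs -s Schedule",
     "image": r"C:\Users\Public\agent.exe"},
    {"id": 7, "host": "ws01", "image": r"C:\Users\Public\updater.exe",
     "loaded": r"C:\Users\Public\helper.dll"},
    {"id": 1, "host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 7, "host": "ws02", "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
]

def base(path):
    """Lower-cased file name of an image path, with any command-line arguments dropped."""
    return path.split("\\")[-1].split(" ")[0].lower()

def stage(ev):
    """Map one event to a stage of the chain, or None if nothing suspicious is seen."""
    if ev["id"] == 1 and base(ev["image"]) == "powershell.exe" and base(ev["parent"]) == RMM_AGENT:
        return "rmm_spawned_powershell"
    if ev["id"] == 1 and WRITABLE_DIR.match(ev["image"]) and "schedule" in ev["parent"].lower():
        return "scheduled_task_exec_from_writable_dir"
    if ev["id"] == 7 and WRITABLE_DIR.match(ev["loaded"]) and ev["loaded"].lower().endswith(".dll"):
        return "dll_loaded_from_writable_dir"
    return None

def correlate(events, min_stages=2):
    """Collect distinct stages per host; one stage alone (e.g. an admin's PowerShell) is noise."""
    per_host = defaultdict(set)
    for ev in events:
        s = stage(ev)
        if s:
            per_host[ev["host"]].add(s)
    return {h: sorted(st) for h, st in per_host.items() if len(st) >= min_stages}

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: possible update-borne ransomware chain: {', '.join(stages)}")
```

Only ws01, where three stages line up, is escalated; the lone PowerShell session on ws02 stays below the threshold.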
SolarWinds Backdoor
Hackers allegedly working for Russian intelligence compromised the SolarWinds software systems used to build Orion and planted a backdoor that was distributed as a software update to several US cybersecurity firms and multiple federal agencies.
Lemon Duck
Lemon Duck spreads in numerous ways, is unpredictable and is considered dangerous. The malware arrives through phishing emails and USB flash drives, and can also be triggered by various exploits and brute-force attacks. It is able to exploit recently patched Exchange Server vulnerabilities to gain access to systems that have not been updated. According to Microsoft, there are two distinct operating structures using the Lemon Duck malware, each potentially run by a different group with its own attack goals.
Advantech Ransomware Attack (Conti Ransomware)
A chip manufacturer fell victim to a Conti ransomware attack. Conti is a relatively new ransomware and is known as the successor to the Ryuk ransomware. The threat actor stole the data and demanded a ransom of 750 BTC from the manufacturer.
Cognizant Ransomware Attack (Maze Ransomware)
The IT giant revealed that its network had been infected with Maze ransomware, operated by a group known for releasing stolen data to the public if the victim does not pay for decryption. The revenue and corresponding margin impact is rumored to have been between $50 million and $70 million.
Remediation and mitigation plan to be followed during an attack
Collect information from all stakeholders
Asset information is important for reviewing and identifying infected endpoints. This includes the servers, endpoints and user accounts that have been compromised in the organization.
Businesses are advised to isolate the affected devices or servers from the rest of the network using network segmentation or firewall rules.
Limit the number of suppliers you use
It is a lot easier to manage a few external vendors rather than many.
Secure the backup storage
Keep the backup server on a separate network until the incident response team initiates the remediation process. The security team should then perform a first-level investigation of the affected endpoints to identify the root cause.
“Do Not Pay” Ransom
Stakeholders are advised not to pay the ransom requested by the threat actor. There is no guarantee that you will get all of the data back, and the threat actor may well continue lurking in your environment.
Engage an Incident Response Team
Give the IR team access to assess the affected environment, including the operational environment. They can then trace the attack’s lateral movement and gather evidence such as the files used in the attack. Depending on the severity of the attack, the team should be able to restore the environment.
Share information on how to improve
Let the suppliers know what you are doing to improve your data security so that they can adopt similar measures.
Cyberattack Prevention Plan
Patch all endpoints and devices regularly
Ensure that all endpoints and devices connected to the environment are patched regularly. This best practice prevents most of the recent exploits that could otherwise serve as a gateway for threat actors.
Fully understand the threat to the supply chain business
This practice allows the team to completely review, learn, and keep track of all supply chain breaches, data leaks, and malware attacks that could affect the company.
Assess your cybersecurity measures
Cybersecurity applies a risk-based strategy to prevent and adapt to intrusions. The team needs to know which measures are already in place and which are missing. The framework covers the hardware used to prevent or mitigate incursions, the software running on networked computers, and more. The assessment should also give visibility into where the company is heading in cybersecurity.
Improve current measures
Once the business has a full picture of its current security measures, it is time to improve both the tools and the processes. This may include purchasing a more advanced security appliance. The strategy team may need to install or update software on all computers, or deploy AI at a centralized point to learn how data movements affect the enterprise system.
Treat cybersecurity as an ongoing process
Once the security measures have been strengthened, you will need to document, review and sift through feedback. This keeps the team aware of current vulnerabilities and of the mitigation plans for specific scenarios. Maximizing cybersecurity is an evolving, ongoing process: once an attack is over, new developments may require upgrades to prevent future infiltrations.
Ways to prevent a cyberattack:
- Monitor for malicious users intent on infecting the system.
- Do not respond to or click on unsolicited or irrelevant emails; they could be phishing attempts.
- Alert your Cybersecurity team for immediate action if a suspicious action or threat is identified.
- Use legitimate tools and grant employees only the permissions they need, to prevent unauthorized access, breaches or data leaks.
- Provide Security awareness training on best practices to avoid cyberattacks.
- Invest in protective tools that will defend against attacks.
- Work with cybersecurity experts to identify additional points of protection.
- Use strong passwords and multi-factor authentication methods.