
WHAT ARE SUPPLY CHAIN ATTACKS?
Supply chain attacks are cyberattacks that target third-party vendors within an organisation's supply chain. Historically, these attacks exploited trust relationships by compromising a less secure supplier to gain access to its larger partners. Today they are becoming much more common, as cybercriminals infiltrate or compromise the most vulnerable parts of a company's expanding digital ecosystem. They are especially challenging to defend against because they exploit the interdependencies between enterprises and their digital service providers. According to recent research BlackBerry released at Infosecurity Europe 2024, 74% of UK IT decision-makers have received a notification of an attack or vulnerability in their software supply chain in the last 12 months.
SOFTWARE AND HARDWARE SUPPLY CHAIN ATTACKS
Software supply chain attacks are now more than ever a significant threat to global businesses. Software supply chains are particularly vulnerable because development now relies heavily on off-the-shelf components, including third-party APIs, open-source code, and proprietary software from vendors. Each of these elements can carry its own vulnerabilities. In a software supply chain attack, malicious code is injected into an application, potentially affecting all of its users. A hardware supply chain attack, on the other hand, targets physical components to infiltrate an organisation's systems. Whichever method is used, a supply chain attack can have a devastating impact on the business, its customers, and its partners.
HOW DO SUPPLY CHAIN ATTACKS WORK?
Supply chain attacks target the weakest link in the chain of trust. Even if an organisation has robust cybersecurity measures, attackers will exploit vulnerabilities in its trusted vendors to bypass the primary organisation's defences. Once a vendor's network is compromised, the trust it enjoys can be leveraged to infiltrate the better-protected network. Managed service providers (MSPs) are a common target: attackers exploit the weaker security measures of an MSP to reach its clients' systems, achieving a much broader impact and gaining access to networks that would otherwise be difficult to penetrate directly. Probably the most notable of these was the 2021 attack on Kaseya, a company that develops monitoring software for MSPs. Attackers compromised a software solution used by MSPs, infecting it with REvil ransomware, which was then deployed alongside a software update. The ransomware spread to thousands of customer environments, enabling attackers to extort $70 million from MSPs and their customers.
TYPES OF SUPPLY CHAIN ATTACKS
· Credential theft: Attackers may steal login credentials from the supplier or vendor to gain access to the organisation’s systems. This can be achieved through phishing attacks, social engineering, or by exploiting vulnerabilities in the supplier’s systems.
· Software or firmware tampering: Attackers may inject malicious code into the software or firmware used by the supplier, compromising the organisation’s systems. This can occur during the development process or by compromising the supplier’s software distribution channels.
· Data theft: Attackers may steal sensitive data from the supplier’s systems, including information related to the organisation’s operations or its customers.
· Denial of service: Attackers may launch a distributed denial-of-service (DDoS) attack against the supplier’s systems, disrupting the supplier’s operations and affecting the organisation’s ability to access critical services.
In its Supply Chain Security Guidance, the NCSC details four examples of supply chain attacks that are particularly challenging for UK businesses – those from third-party software providers, attacks via website builders, third-party data stores, and watering hole attacks. A watering hole attack involves identifying a website frequently visited by users within a targeted organisation or sector, such as defence, government, or healthcare. The attackers then compromise that website to distribute malware to its visitors.
HIGH PROFILE SUPPLY CHAIN ATTACKS
Other than the 2021 Kaseya attack, there have been many other high-profile supply chain attacks. The attack on SolarWinds, another software supplier to MSPs, began in September 2019 but was only reported in December 2020. Hackers injected a backdoor into a software update for SolarWinds' product, a popular networking tool used by numerous high-profile companies and government agencies. This backdoor gave the attackers remote access to thousands of corporate and government servers, and the global-scale attack resulted in numerous data breaches and security incidents. Microsoft, Apple, Atlassian and Mimecast are among other IT companies that have been preyed upon by bad actors. The UK hasn't been spared either: the BBC, British Airways and Boots have all been victims.
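The Kaseya and SolarWinds incidents above, and the "software or firmware tampering" category earlier, all hinge on an update artifact that differs from what the vendor actually built. The following is an added example (not code from the original article or from any vendor named in it) of a deployment gate that refuses an update unless an out-of-band manifest authenticates and the artifact's digest matches the digest that manifest pins. The key, artifact bytes and manifest fields are all constructed; HMAC stands in for the vendor's public-key signature only because it needs no third-party library.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a signing key exchanged with the vendor out of band.
# A real deployment would verify a public-key signature over the manifest instead.
MANIFEST_KEY = b"constructed-demo-key-not-a-real-secret"


def sign_manifest(manifest, key=MANIFEST_KEY):
    """Hex HMAC-SHA256 over a canonical JSON form of the manifest (stand-in for a signature)."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def manifest_for(name, version, artifact):
    """Build the manifest a vendor would publish for a given build: it pins the artifact digest."""
    return {"name": name, "version": version, "sha256": hashlib.sha256(artifact).hexdigest()}


def verify_update(artifact, manifest, tag, key=MANIFEST_KEY):
    """Gate an update before deployment. Returns (ok, reason).

    Both checks must pass: a matching digest inside a forged manifest proves nothing,
    so manifest authenticity is checked first, then the artifact digest against it.
    """
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False, "manifest authenticity check failed"
    digest = hashlib.sha256(artifact).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return False, f"artifact digest mismatch for {manifest['name']} {manifest['version']}"
    return True, "ok"


# Constructed sample: the artifact the vendor actually built and its signed manifest...
GENUINE = b"agent-installer v4.2.1 (constructed sample bytes)"
MANIFEST = manifest_for("agent-installer", "4.2.1", GENUINE)
TAG = sign_manifest(MANIFEST)
# ...and the same artifact altered by someone who controls the distribution
# channel but not the manifest key (the Kaseya/SolarWinds scenario).
TAMPERED = GENUINE + b"\x00appended-payload"

if __name__ == "__main__":
    print(verify_update(GENUINE, MANIFEST, TAG))       # accepted
    print(verify_update(TAMPERED, MANIFEST, TAG))      # rejected: digest mismatch
    forged = manifest_for("agent-installer", "4.2.1", TAMPERED)
    print(verify_update(TAMPERED, forged, TAG))        # rejected: manifest not authentic
```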
THE NHS
Probably the worst hit of all UK entities has been the NHS, the health service being plagued by attacks for several years. Most recently, in June this year, NHS England confirmed that patient data managed by the third-party blood test management organisation Synnovis was stolen in a ransomware attack. This breach was carried out by Qilin, a Russian cybercrime group, who subsequently shared nearly 400GB of private data on their darknet site, aiming to extort money from Synnovis. Qilin demanded $50 million, but the company did not pay the ransom. It’s worth noting that many large-scale attacks have been launched against organisational supply chains, and only a handful have been reported to the public. In other words, known attacks are only the tip of the iceberg.
THE CONSEQUENCES OF SUPPLY CHAIN ATTACKS
Nearly two in five organisations (38%) grapple with month-long recovery times after falling victim to an attack targeting their software supply chain. A targeted organisation could suffer significant monetary loss if an employee is tricked into sending money to a fraudulent bank account or paying fake invoices. Supply chain attacks can also severely disrupt operations, causing costly downtime, delays, and reduced productivity. Attacks can damage the organisation’s reputation by affecting the quality and reliability of its products or services, leading to a loss of customer and vendor trust and loyalty.
MITIGATING SUPPLY CHAIN ATTACKS
Gartner predicts that by 2025, 45% of organisations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021. Supply chain attacks are also more complicated than many other types of cyberattacks and recovery may depend much more heavily on third-party suppliers. To mitigate these attacks, the ICO recommends the following:
· Implement a robust supply chain risk management programme and establish a process for monitoring, managing, and reviewing systems, processes, and access throughout your supply chain.
· Document, evaluate, mitigate, and regularly review risks in your supply chain, including how information is shared, processed, and with whom (recital 87).
· Conduct thorough due diligence with potential suppliers before commissioning their services.
· Verify connections and ensure the principles of least privilege and segregation of duties are enforced throughout.
· Perform tests on systems developed by third parties, where possible.
· Obtain assurances from processors before sharing any information and establish documented service level and security agreements.
· Review your contractual relationships with suppliers and understand each party's responsibilities, especially concerning incidents originating from the supplier’s network.
· Be aware that when procuring software as a service (SaaS), you rely on the vendor to provide relevant logs if the system is compromised, as logging may be limited.
Incident response for supply chain attacks also involves understanding all third-party connections. The ICO recommends using appropriate tools to detect unexpected actions, discover malicious code, and deny access to potential threats. Finally, ensure that systems and all their components are developed with security in mind from the outset.
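The ICO guidance above asks organisations to verify third-party connections and detect unexpected actions. As an added example, not part of the original article or the ICO's guidance, the following checks a handful of constructed access-log lines for an MSP service account against the scope agreed with that vendor: permitted source networks, maintenance window, and the hosts it is allowed to reach. The account name, networks, hostnames and log format are all hypothetical.

```python
import ipaddress
from datetime import datetime, time

# Constructed policy: what each third-party (MSP) account is contractually allowed.
# The window wraps past midnight (22:00 to 06:00), which the check must handle.
VENDOR_POLICY = {
    "svc-msp-monitor": {
        "networks": ["203.0.113.0/24"],
        "window": (time(22, 0), time(6, 0)),
        "hosts": {"rmm-gw01", "rmm-gw02"},
    },
}

# Constructed sample log lines: "<iso timestamp> user=<u> src=<ip> host=<h> action=<a>"
SAMPLE_LOG = """\
2024-06-03T23:14:02 user=svc-msp-monitor src=203.0.113.17 host=rmm-gw01 action=login
2024-06-04T02:41:55 user=svc-msp-monitor src=203.0.113.17 host=rmm-gw01 action=logout
2024-06-04T11:02:10 user=svc-msp-monitor src=203.0.113.40 host=rmm-gw02 action=login
2024-06-04T23:30:00 user=svc-msp-monitor src=198.51.100.9 host=rmm-gw01 action=login
2024-06-05T00:05:12 user=svc-msp-monitor src=203.0.113.17 host=fin-db01 action=login
2024-06-05T00:06:00 user=jsmith src=10.0.4.7 host=fin-db01 action=login
"""


def parse_line(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def in_window(t, window):
    start, end = window
    if start > end:                      # window crosses midnight
        return t >= start or t < end
    return start <= t < end


def audit_vendor_access(log_text, policy=VENDOR_POLICY):
    """Return (timestamp, user, reasons) for each vendor-account event outside its agreed scope."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        rule = policy.get(rec["user"])
        if rule is None:
            continue                     # not a third-party account; out of scope here
        reasons = []
        src = ipaddress.ip_address(rec["src"])
        if not any(src in ipaddress.ip_network(n) for n in rule["networks"]):
            reasons.append(f"source {rec['src']} not in vendor allowlist")
        if not in_window(rec["ts"].time(), rule["window"]):
            reasons.append("outside agreed maintenance window")
        if rec["host"] not in rule["hosts"]:
            reasons.append(f"host {rec['host']} not in vendor scope")
        if reasons:
            findings.append((rec["ts"].isoformat(), rec["user"], reasons))
    return findings
```

Run against the sample, three of the five vendor events are flagged: a daytime login, a login from an unlisted network, and a login to a host outside the vendor's scope, while the internal user is ignored.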
WHAT CYBER LONDON SAYS
Supply chain attacks – or rather how to mitigate them – are a soapbox subject for Mark Child, a co-founder and Director of Cyber London. Here are some vital takeaways from Mark:
Third-party supply chain attacks pose a significant challenge in today’s interconnected digital landscape.
Hyper-Connectivity and Collaboration:
· Supply chains are no longer linear; they're intricate networks of interconnected entities. Organisations must collaborate and align their third-party risk governance practices.
· Innovative solutions involve fostering stronger partnerships, sharing threat intelligence, and collectively enhancing security measures across the entire supply chain.
Holistic Approach to Risk Management:
· Instead of focusing solely on individual organisations, consider the entire ecosystem. A holistic approach involves:
  · Forensic Evidence Gathering: Establish protocols to collect detailed forensic evidence during incidents.
  · Streamlined Incident Analysis: Rapidly analyse incidents to identify vulnerabilities.
  · Prompt Remediation: Take immediate action to mitigate the impact.
Trust Re-evaluation:
· Supply chain attacks exploit trust. Organisations must re-evaluate their trust assumptions regarding third-party relationships.
· Innovative strategies involve verifying and validating third-party security practices continuously. Trust but verify!
Behavioural Analytics and AI:
· Leverage behavioural analytics and AI to detect anomalous patterns across interconnected systems.
· Innovative tools can predict potential supply chain breaches by analysing deviations from normal behaviour.
Zero Trust Architecture:
· Move away from the traditional perimeter-based security model.
· Implement zero trust principles, treating every connection as potentially untrusted, regardless of its origin.
Immutable Supply Chain Records:
· Blockchain technology can create tamper-proof records of supply chain transactions.
· Innovative applications include verifying software updates, ensuring authenticity, and tracking components.
Remember, innovation lies in adapting to the evolving threat landscape, collaborating, and thinking beyond traditional boundaries. You can reach out to Cyber London for more information. Better still, you can become a member and become part of the cyber movement in London.