In recent years, cybercriminals have increasingly exploited vulnerabilities in widely-used IT and security tools, leading to major security incidents. For instance, a zero-day vulnerability in Ivanti enterprise VPNs was recently exploited, allowing attackers to deploy a backdoor named ‘DSLog’. Similarly, a remote code execution vulnerability in TeamCity enabled attackers, suspected to be from the APT29 group, to infiltrate systems by installing malicious SSH certificates, using PowerShell to download and execute malicious DLLs, and maintaining persistence through scheduled tasks. Another example is the Fortra GoAnywhere MFT vulnerability, which ransomware groups like LockBit and Cl0p exploited to execute remote code, resulting in significant attacks, particularly in the healthcare sector.
These incidents highlight how quickly vulnerabilities in widely-used management tools can become targets for both state-sponsored groups and ransomware operators, underscoring the importance of safeguarding against supply chain cyberattacks.
Despite the recent media attention, supply chain attacks exploiting backdoors are not a new phenomenon. Cyber adversaries have long focused on exploiting third-party control failures. Previous attacks on software like SolarWinds Orion or VMware Workspace ONE are just a few examples where hackers successfully targeted an organization’s supply chain.
One of the most notorious supply chain attacks to date remains the RSA SecureID token breach. Using stolen data related to RSA’s SecurID authentication system, attackers compromised major RSA customers, including Lockheed Martin, who relied on these tokens to secure their most sensitive data and networks.
Tackling Supply Chain Hazards
Failures in systems and processes by third parties can lead to catastrophic reputational and operational damage. It is no longer sufficient to merely implement basic vendor management procedures. Organizations must also take proactive measures to safeguard against third-party control failures. So how can this be achieved?
- Advanced Supplier Risk Management: Ensure all suppliers and third-party vendors adhere to strict cybersecurity protocols. Assess their compliance with relevant standards (e.g., ISO 27001, NIST, GDPR). Evaluate vendors based on the sensitivity of the data they handle and the criticality of the services they provide. Consider requiring suppliers to use independent verification services to test software applications before procurement and deployment.
- Secure the Software Development Pipeline: Protect administrative access to the tools and applications used by DevOps teams. Enable secure application configuration via secrets and authenticate applications and services with high confidence. Mandate that software suppliers certify and extend security controls to cover microservices, cloud, and DevOps environments.
- Regular Software and System Updates: Ensure that your systems and those of your suppliers are regularly updated and patched for known vulnerabilities. Prevent the use of unsupported or outdated software that could introduce new vulnerabilities.
- Harden Your Environment: Configure cloud environments to reject authorization requests involving tokens that deviate from accepted norms. For on-premises systems, follow the National Security Agency’s guidelines by deploying a Federal Information Processing Standards (FIPS)-validated Hardware Security Module (HSM) to store token-signing certificate private keys. HSMs significantly reduce the risk of key theft by threat actors.
- Implement Strong Access Controls: Limit third-party vendor access to only the data and systems necessary for their operations. Ensure they cannot access other areas of your network. Require multi-factor authentication for vendors accessing your systems. Adopting a Zero Trust approach ensures continuous verification of all users—both internal and external—before granting access.
- Utilize Security Tools and Technologies: Segment your network to prevent attackers from moving laterally if they manage to breach one section. Use Endpoint Detection and Response (EDR) solutions to detect malicious activities on devices connected via third parties. Encrypt sensitive data shared with suppliers, both at rest and in transit. A robust cybersecurity posture requires readiness for data security breaches, especially as data moves through various channels like email, cloud, and AI tools. Thus, business continuity and disaster recovery (BCDR) solutions have become essential components of the modern technology stack.
- Adopt Frameworks and Best Practices: Implement the NIST cybersecurity framework to help identify, protect, detect, govern, respond to, and recover from cyber threats. Also consider adopting supply chain-specific frameworks like the Shared Assessments Standardized Information Gathering (SIG) or ISO 28001 for supply chain security management.
- Contractual and Legal Safeguards: Incorporate cybersecurity requirements into vendor contracts, including mandatory security controls, data protection measures, and breach notification obligations. For high-risk vendors, require third-party audits or independent security assessments.
As organizations have fortified their defenses against direct network attacks, hackers have shifted their focus to exploiting vulnerabilities in the supply chain to gain backdoor access to IT systems. It is crucial for businesses to actively monitor and manage IT security risks within their supply chain. By implementing the strategies outlined in this article, organizations can significantly reduce their exposure to supply chain cyberattacks and bolster their overall cybersecurity resilience.