SecurityWeek

Malware & Threats

Mitigating Risk of Supply Chain Attacks

As I’ve written before, sophisticated adversaries are finding vulnerabilities wherever they can, and often that means looking to an organization’s supply chain for weaknesses in defenses. They’ll use an organization’s partner or supplier as a ‘stepping stone’ to gain access to their ultimate target.

Several supply chain attacks have made headlines in recent months, including:

• The CCleaner malware campaign that began with a compromise of a build server to infiltrate more than two million machines

• The NotPetya campaign launched through a compromised software update delivered via MeDoc (Ukrainian accounting software)

• Operation Cloud Hopper, which used IT managed service providers (MSPs) as a point of access to target organizations across a wide range of industries around the world.

By analyzing these attacks and others that were reported in 2016 and 2017, we can identify three notable trends.

1. The most common motives are data and intellectual property (IP) theft. Cases such as the theft of IP from technology companies in the CCleaner malware campaign, the theft of medication procurement information in the ePrica pharmaceutical software breach and the targeting of Israeli companies in the OilRig campaign (believed to have been conducted by Iranian threat actors, though unconfirmed), indicate that threat actors are likely using supply chain attacks for competitive, political and geostrategic intelligence reasons. The fact that such attacks often involved the delivery of backdoor trojan malware that allowed for data harvesting, exfiltration or privilege escalation on victim systems reinforces this finding. Actors were able to maintain a presence on target networks, gather valuable user credentials and exfiltrate data to attacker-controlled servers.

2. Supply chain attacks are typically targeted. In contrast to mass, indiscriminate campaigns, supply chain attacks tend to be highly focused operations with predetermined targets of interest. This trend likely reflects the motives of these campaigns, which were largely conducted for intelligence gathering or cyber espionage purposes. However, the NotPetya campaign shows that in a handful of cases, where the motives were financial gain or disruption rather than espionage, the attacks were wider reaching.

3. Technology suppliers are the most popular targets for initial compromise. As demonstrated by the use of CCleaner, MeDoc and MSPs, most of the supply chain attacks over the last two years involved the compromise of a technology or software supplier. Adversaries realize that such suppliers are attractive initial targets as they either have privileged access to customer networks, or provide regular software updates to customers that mean compromised software versions (containing malware) will be whitelisted or overlooked by customer security teams and systems.

With these trends in mind, there are several mitigation measures and best practices that you can adopt to improve your organization’s security posture and reduce the risk of supply chain infections.

1. Understand, manage and monitor the digital risk your suppliers present. Many suppliers don’t have adequate security maturity levels, so you need to be proactive. The SANS Institute recommends a range of measures that include: due diligence and external auditing of potential suppliers; defining a supplier management policy that classifies vendors and identifies appropriate controls based on the access granted to sensitive data; and integrating suppliers with your assessment and audit practices to outline both internal best practices and those required from vendors and partners. Each of these measures should be reviewed regularly throughout the year.

2. Use technology to limit suppliers’ unnecessary access to company systems. Suppliers are often granted far broader access to company networks than internal users receive. Instead, organizations should apply privilege management measures: separation of duties ensures that no single individual can perform every privileged action on a system, and least privilege grants a supplier account only the minimum access needed to do its job. In addition, network isolation and segmentation can keep supply chain traffic separate from other internal traffic and prevent attacks such as NotPetya and Cloud Hopper from moving laterally across the network to reach their intended target.

3. Prepare for unintended targeting. The NotPetya attack showed that not all supply chain attacks are targeted. Implementing foundational security principles can mitigate the risk from bad actors that prey on the weaknesses that result from the interconnectivity of systems and the ubiquity of applications. Best practices include backing up critical data and systems on a regular basis and implementing a ‘defense in depth’ strategy that includes: host-based firewalls and IP whitelisting; network segmentation and restricting workstation-to-workstation communication; patching, monitoring for known security vulnerabilities and disabling unneeded legacy features; and access control.
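As an added example (not code from the SecurityWeek column), the segmentation, IP-whitelisting and workstation-to-workstation restrictions from points 2 and 3 expressed as a default-deny flow policy and checked against constructed connection-log lines. The segment names, CIDRs, ports, log format and the assumption that supplier remote access terminates on a single jump host are all assumptions made for illustration:

```python
"""Default-deny flow policy for supplier access and workstation-to-workstation
traffic, checked against constructed connection-log lines.

Added example, not code from the SecurityWeek column. Segment names, CIDRs,
ports, the log format and the jump-host design are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed segments. Assumption: supplier remote access terminates on one
# jump host, so supplier traffic never reaches internal servers directly.
SEGMENTS = {
    "supplier_vpn": ipaddress.ip_network("203.0.113.0/24"),   # TEST-NET-3, constructed
    "jump_host":    ipaddress.ip_network("10.30.0.5/32"),
    "servers":      ipaddress.ip_network("10.20.0.0/24"),
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    src: str             # source segment name
    dst: str             # destination segment name
    ports: frozenset     # destination ports the rule covers; empty means any port
    action: str          # "allow" or "deny"


# Ordered allowlist. Anything that matches no rule is denied (default deny),
# which is what IP whitelisting on a host firewall amounts to.
POLICY = [
    Rule("supplier_vpn", "jump_host", frozenset({22}), "allow"),       # supplier -> jump host only
    Rule("jump_host", "servers", frozenset({22, 443}), "allow"),       # jump host -> managed servers
    Rule("workstations", "servers", frozenset({443, 445}), "allow"),   # users -> file/web services
    Rule("workstations", "workstations", frozenset(), "deny"),         # no workstation-to-workstation
]


def segment_of(ip: str) -> str:
    """Map an address to its segment name, or 'unknown' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(src_ip: str, dst_ip: str, dport: int):
    """Return (action, matched_rule); matched_rule is None on default deny."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    for rule in POLICY:
        if rule.src == src and rule.dst == dst and (not rule.ports or dport in rule.ports):
            return rule.action, rule
    return "deny", None


def parse_flow(line: str):
    """Parse the constructed format '<ts> <src>:<sport> -> <dst>:<dport> <proto>'."""
    ts, src, _arrow, dst, proto = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return ts, src_ip, dst_ip, int(dport), proto


def find_violations(lines):
    """Return one (ts, src_ip, dst_ip, dport, reason) tuple per denied flow."""
    violations = []
    for line in lines:
        ts, src_ip, dst_ip, dport, _proto = parse_flow(line)
        action, rule = evaluate(src_ip, dst_ip, dport)
        if action == "deny":
            reason = (f"{rule.src}->{rule.dst} explicitly denied" if rule
                      else "no allow rule matched (default deny)")
            violations.append((ts, src_ip, dst_ip, dport, reason))
    return violations


# Constructed log lines, not real traffic.
SAMPLE_FLOWS = [
    "2017-10-03T08:00:01Z 203.0.113.7:51000 -> 10.30.0.5:22 tcp",     # supplier to jump host: allowed
    "2017-10-03T08:00:09Z 203.0.113.7:51001 -> 10.20.0.15:445 tcp",   # supplier straight to a server: denied
    "2017-10-03T08:01:12Z 10.10.4.21:49152 -> 10.10.4.22:445 tcp",    # workstation-to-workstation SMB: denied
    "2017-10-03T08:01:30Z 10.10.4.21:49153 -> 10.20.0.15:443 tcp",    # workstation to server HTTPS: allowed
    "2017-10-03T08:02:00Z 10.30.0.5:40000 -> 10.20.0.15:22 tcp",      # jump host to server SSH: allowed
    "2017-10-03T08:02:41Z 10.30.0.5:40001 -> 10.10.4.21:3389 tcp",    # jump host into workstations: denied
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print("VIOLATION", *v)
```

Run against the sample it reports three violations: the supplier session that reached a file server directly instead of going through the jump host, the workstation-to-workstation SMB connection that lateral movement of the NotPetya kind relies on, and the jump host reaching back into the workstation segment. The same policy table is what you would translate into host firewall or segmentation rules, and replaying real flow records through it first shows which existing paths the new rules would break before they are enforced.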

Activity over the last two years shows that no industry is safe from what has become a steady stream of supply chain attacks. But by analyzing the motives of these bad actors and the tactics, techniques and procedures they use, there’s a lot we can learn to mitigate our digital risk.
