It doesn’t matter whether you are a consumer or a large corporation, you can’t hope to produce everything you need on a daily basis. You can’t produce enough food to feed yourself, and a company can’t build all the operating systems and applications to run its business. We all depend on suppliers of some form, whether they be bricks and mortar shops, online suppliers or bulk suppliers.
SolarWinds Attack
In December 2020 a news story broke about the SolarWinds hack. This is a far-reaching cyber attack that affected hundreds, if not thousands, of companies. SolarWinds produces a software package called Orion, which is a network management package. This software is largely used by government organisations and enterprises to manage their corporate networks and monitor for failures so that they can be addressed before they become a major outage.
From what we hear, an employee account got hacked and a malicious software package was inserted into the build process for an update to Orion. The update went out to the end users and was installed as a trusted package. Because of the nature of the software, it has to run on the host operating system with some of the highest privileges, giving it access to system-level software.
Once the update was installed on a host system the malware activated and started to open up backdoors and move laterally through the network. It also downloaded additional modules that increased the capabilities of the malware.
The objective of the initial hack appears to be espionage as a lot of US government servers were compromised and further data breaches occurred. The attack also appears to be the work of a nation state actor (thought to be Russia), although they have clearly denied this.
This hack was very public and will be an example used for some time of a supply line attack.
Texas Government Ransomware Coordinated Hack
We first saw this kind of supply line attack back in August 2019 when the Texas state government was attacked through a software services company.
Many companies, and government agencies, use contractors to manage their software systems and networks. These contractors, by default, have to have high-privilege access to the client's network, otherwise they can't do their job. In this case a software services company was managing multiple government networks and other entities. The company's network was compromised, which allowed for the installation of malware at both the supplier and the client. As a result, compromised updates were installed on the clients' networks. Then, on a Friday, a coordinated ransomware attack was launched taking down 22 government agencies in Texas.
At the time this was considered a game changer in ransomware attacks. Up to then ransomware had been deployed in an opportunistic manner, often as part of a wider phishing campaign. This attack was a planned and coordinated ransomware attack that came through the supply line.
Microsoft Exchange Attack
Microsoft discovered a number of zero-day vulnerabilities in its Exchange email management software (the basis of Outlook) around the beginning of March 2021. They delivered patches to everyone that they hoped would close the vulnerabilities, but customers were already under attack by what seemed like a nation state campaign coming from China. The initial patches didn't completely mitigate the issue and a subsequent set of patches was delivered.
This affected on-premises installations of Exchange Server in clients' own data centres. The online versions of Exchange delivered through Microsoft 365 were patched by Microsoft immediately. However, there are still installations of Exchange Server that have not been patched a month later, and these installations are under attack from multiple actors.
This is another example of a supply line attack where a software package is purchased and installed on an in-house network. In this case Microsoft discovered vulnerabilities in their software, created patches and responsibly disclosed the vulnerabilities. The problem here is that not all installations were patched in a timely manner.
Other Supply Line Attacks
Here are links to stories of other supply line attacks that have happened over the last couple of years:
- Supply-chain Attack Targeting Certification Authority in Southeast Asia
- HP Device Manager backdoor lets attackers take over Windows systems
- Complex new attack targets managed service providers, hiding in Google traffic
- US Secret Service warns about increased cyberattacks against MSPs (Managed Service Providers)
You should be getting the idea now that the supply line attack vector is being widely exploited by cyber criminals, and that Managed Service Providers in particular are being targeted.
The supply line is extended to non-software services. For example, as a consumer you may buy something online. You may pay for this using a credit card, which means someone knows the credit card details. Most online stores use a payment service (e.g. Visa, WorldPay) which is a trusted supplier of this service. Some implement their own payment services (e.g. Google, Amazon). However, as a consumer of this service you trust the supplier to treat your credit card details with respect and if they store them they are secured against data breaches.
How can I defend against Supply Line Attacks?
Managed Service Providers
If your company uses a Managed Service Provider (MSP), you need to fully vet them before you hand them the keys to your network. This means a full investigation into the company including:
- Tax Returns and Official Company documents
- References for the company management
- References from other users of the service
- Determining whether the level of training their staff have is appropriate for the job you are asking them to do
- Whether they have been hacked in the past and what they did about it
- Customer base
- How often they deliver patches.
If they are providing an online service, you need to ensure the access to that service is through a secure means with your users being fully authenticated.
This may seem excessive for a small business, but it is essential that you know who you are giving access to your network.
If it comes to light that the company cannot be trusted, then simply don’t use them even if they are the cheapest around.
We have blogged about keeping safe online. This includes:
- keeping your devices updated with the latest security patches
- using Free WiFi securely, preferably not at all
- Securing your accounts with complex passwords, 2-Factor authentication and biometrics
- Using anti-malware software.
We have blogged in the past about using online services securely. This can range from a streaming service, a social media network to online shopping.
Due to the pandemic the use of credit cards and contactless payments has massively increased. We have blogged about using electronic payments in the past and I urge you to review that blog.
We recently found out that a number of Android apps have tracking software built into them that leaks information back to vendors' servers, and in some cases to cyber attackers' command-and-control servers. The linked article talks about an app you can download from the Play Store called Exodus that analyses each installed app and tells you which trackers are evident. I recommend you do this, as a demo can be more effective than my listing the apps and their respective trackers.
This is not just limited to mobile apps as tracking software can be added to desktop and server apps.
The big ticket supply line attacks target big businesses and often attack through the software update process. This is why you need to make sure your suppliers are fully vetted before you give them the keys to the kingdom. This also means testing any software for data leakage back to the supplier or to other trackers. However, I think I have demonstrated that the supply line extends into your home.
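One practical way to do the data-leakage testing described above is to run a newly installed package on an isolated machine, capture its outbound connections, and compare every destination against what the vendor documented. The script below is an added example, not code from the original post or from any vendor mentioned here. It assumes a simple connection log format (timestamp, process, destination host and port) and uses constructed sample lines, a hypothetical per-application allowlist and a hypothetical tracker list; anything that is neither expected nor already catalogued as a tracker is reported for investigation.

```python
"""Review a package's outbound connections against its documented endpoints.

Added example, not from the original post. The log format, hostnames and
lists below are all assumptions constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample connection log (not real traffic). Format assumed:
# <timestamp> <process> -> <host>:<port>
SAMPLE_LOG = """\
2021-04-01T09:00:01Z netmon.exe -> updates.vendor.example:443
2021-04-01T09:00:05Z netmon.exe -> telemetry.adtracker.example:443
2021-04-01T09:00:09Z netmon.exe -> license.vendor.example:443
2021-04-01T09:01:00Z netmon.exe -> 198.51.100.23:8080
2021-04-01T09:01:30Z browser.exe -> www.example.org:443
"""

# Hypothetical: destinations the vendor documented for the package under test.
EXPECTED = {
    "netmon.exe": {"updates.vendor.example", "license.vendor.example"},
}

# Hypothetical: tracker domains the organisation has already catalogued.
KNOWN_TRACKERS = {"telemetry.adtracker.example"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proc>\S+)\s+->\s+(?P<host>[^:\s]+):(?P<port>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "proc": m["proc"], "host": m["host"], "port": int(m["port"])}


def classify(entry, expected=EXPECTED, trackers=KNOWN_TRACKERS):
    """Label one connection: expected, tracker, raw_ip, unknown or unmonitored."""
    allowed = expected.get(entry["proc"])
    if allowed is None:
        return "unmonitored"  # process is not the one under review
    if entry["host"] in allowed:
        return "expected"
    if entry["host"] in trackers:
        return "tracker"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", entry["host"]):
        return "raw_ip"  # hard-coded IP addresses deserve a closer look
    return "unknown"


def review(log_text, expected=EXPECTED, trackers=KNOWN_TRACKERS):
    """Group flagged destinations by process; expected traffic is dropped."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry, expected, trackers)
        if verdict in ("expected", "unmonitored"):
            continue
        findings[entry["proc"]].append((verdict, entry["host"], entry["port"]))
    return dict(findings)


if __name__ == "__main__":
    for proc, items in review(SAMPLE_LOG).items():
        print(proc)
        for verdict, host, port in items:
            print(f"  {verdict:8s} {host}:{port}")
```

Run against the sample log it reports two findings for netmon.exe: the catalogued tracker domain and a connection to a bare IP address. Feed it the real log from a test machine and the vendor's published endpoint list in place of the constructed values, and raise every "unknown" and "raw_ip" result with the supplier before the package is allowed onto the production network.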
The guidance sections on this site will provide you with a wealth of knowledge about how to keep safe online. However, you also need to make sure the services you use online are trusted and, if necessary, not use a site that offers an absolute bargain but looks suspicious.