If there’s any good to come out of the recent FireEye/SolarWinds breach, it may just be a long-overdue focus of attention on the risk to enterprises from the supply chain. Just as in the past WannaCry and NotPetya forced enterprises to review policies regarding offline backup and recovery as a means of combatting the devastating effects of the ransomware threat (and forced ransomware operators to change their tactics), so we might hope for a similar positive reaction in light of this recent cybersecurity crisis.
The plethora of new malware strains (e.g., SUNBURST, SUPERNOVA, GoldMax, Sibot, and GoldFinder) that have emerged in the wake of the SolarWinds breach should force all enterprises to sit up and take the supply chain attack vector seriously.
In this post, we discuss what supply chain attacks are, what types of threat actors conduct them, and how enterprises can more effectively mitigate against them.
What Are Supply Chain Attacks?
The MITRE ATT&CK framework defines supply chain attacks as a method in which “Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise”. MITRE provides a structured analysis of causes, effects, mechanisms and defensive strategies for supply chain compromise.
Supply chain attacks can take place at any stage in the supply chain including:
- Manipulation of development tools
- Manipulation of a development environment
- Manipulation of source code repositories (public or private)
- Manipulation of source code in open-source dependencies
- Manipulation of software update/distribution mechanisms
- Compromised/infected system images (multiple cases of removable media infected at the factory)
- Replacement of legitimate software with modified versions
- Sales of modified/counterfeit products to legitimate distributors
- Shipment interdiction
- An APT’s Preferred MO
Supply chain attacks have become a preferred method of operation for nation state campaigns. China has long been abusing U.S. supply chains to infiltrate and steal sensitive information, and Chinese-based APT Hafnium is thought to be responsible for the recent exploitation of Microsoft Exchange server zero days, a flaw in a third-party product that countless organisations rely on.
Recent news of Russian involvement in campaigns in Lithuania and the Ukraine illustrate that state-backed actors there have also mastered the art of supply chain abuse.
DPRK hackers have also utilised such techniques in a campaign against French targets between 2017 to 2020 manifested by hacking French company Centreon and using its IT monitoring software to infiltrate a host of targets.
Financial Motivation for Supply Chain Attacks
Given the complexity of pulling off a successful supply chain attack, it is tempting to assume that they are solely the province of nation-state APT campaigns. However, such attacks are sometimes committed by sophisticated cybercriminals for purely financial gain.
Cybercriminals looking to breach lucrative targets will seek the path of least resistance, and sometimes this means gaining entrance into heavily defended organisations by working their way up the supply chain. There, they could identify less well-defended entities with weaker security mechanisms and utilise these to gain entry to their chosen target.
Arguably, one of the most infamous third-party data thefts through a supply chain attack — and one which raised the profile of this kind of vector — was the 2013 breach of retailer Target Stores. Credit card information of some 41 million customers and personal information of some 70 million customers was stolen. The attackers breached Target’s systems by stealing the login credentials of a heating and ventilation contractor that had access to the retailers’ network.
And Target is far from alone, of course. Numerous other companies have been breached through their supply chain or breached in order to serve as an entry point to one or more of their clients. In 2019, IT outsourcing and consulting giant Wipro was breached and used as jumping-off point to target at least a dozen of its customers’ systems.
A survey conducted in June 2020 by Opinion Matters for BlueVoyant states that 80% of organisations have had a breach that was caused by one of their vendors. The supply chain risk is not limited to the technology or digital provider sectors either: a recent survey conducted by PWC in the UK manufacturing sector shows that supply chain risk is of great concern to the majority (63%) of participants.
SolarWinds, Microsoft Hacks – Far Reaching Effects For Us All
Comparing “traditional” supply chain attacks and commercially motivated ones with the recent SolarWinds and Microsoft hacks, it is clear that attackers have upped their game to a whole new level, both in sophistication and tactics.
“Traditional” supply chain attacks crept into the enterprise via a weaker link, but that was mostly done in a rather direct manner: typically, by obtaining credentials and using them to connect to the enterprise, or even by physically inserting infected devices from the vendor to the end-target (as in the case of the Stuxnet cyber attack, which utilised infected USB thumb drives).
These newer attacks go much deeper. They identify a vendor with a huge footprint, invest heavily (Microsoft estimates that 1000 software engineers worked on creating the malware used in the SolarWinds breach) and gain access to thousands of victims in one fell swoop. That may or may not be mere collateral damage, depending on the threat actor’s objectives. Compromising such highly trusted vendors, if done well and with sufficient stealth, can allow a threat actor to operate freely for months or even years.
How to Mitigate Supply Chain Attacks?
There are several frameworks for handling supply chain risk, such as the recently published NIST initiative “Key Practices in Cyber Supply Chain Risk Management: Observations from Industry“, but when even trusted vendors like Microsoft, FireEye and SolarWinds can’t get this right, what chances are there for organisations with far fewer resources?
As recent incidents have shown, the complexity of the supply chain and the lack of visibility into all an organisation’s dependencies are key risk factors. Take, for example, the case of software vendor Accellion, whose FTA application – a legacy product once popular for storing and sharing large files – had been replaced by the vendor but not by many of its clients. FTA was used to hack entities such as Singtel, the Australian medical research institute QIMR Berghofer, the Washington state auditor, the Reserve Bank of New Zealand, the Australian Securities and Investments Commission, the University of Colorado, and Qualys.
Likewise, Chinese hackers were able to exploit vulnerabilities in Microsoft Exchange server products that first shipped – and perhaps have been quietly forgotten in some organisations – as long ago as 2013. Windows Defender – itself tasked with protecting Windows devices – was recently found to contain a privilege escalation vulnerability that lay undiscovered for twelve years. And there are likely many other such vulnerabilities and perhaps ITW exploitations occurring even now that will only be exposed at some point in the future.
So what can be done? We can’t expect organisations to review vendor source code and identify such vulnerabilities themselves. However, we can adopt another NIST guidance related to Cyber Supply Chain Best Practices, and that is “Develop your defences based on the principle that your systems will be breached”.
The basic principle to help avoid becoming a victim of a software supply chain attack is to have security software that doesn’t rely on reputation for detection, as it is that very trust in reputation that is being abused by the attackers.
For that reason, be sure to avoid or replace security solutions that rely heavily on whitelisting with a modern, behavioural AI solution that can recognise novel threats at machine-speed, no matter whether the source is ‘trusted’ or not. SentinelOne Singularity does not rely on traditional anti-virus signatures to spot malicious attacks, but rather uses a combination of static machine learning analysis and dynamic behavioural analysis to protect systems from attacks – even ones emanating from “trusted” sources that may actually have been compromised somewhere in their own supply chain.
Conclusion
Recent supply chain attacks have hit an exposed nerve in the security community – the sheer scope and potential damage they can cause is simply too big to ignore. President Biden’s executive order on the security of the supply chain is perhaps the most telling evidence of the deep impact the SolarWinds attack has had on public and private organisations, but whether this order and the ensuing actions will trickle down and improve the state of supply chain security is a ‘wait-and-see’ game few organisations can afford to play.
Each enterprise needs to get its own house in order, and there is no better place to start than by reviewing cybersecurity requirements, gaining visibility into supply chain dependencies, and deploying a modern XDR platform that can identify the next breach and contain it even if it originates deep down from within the company’s own supply chain.