Can one supply chain cyber-attack stop the world?
2022 04 26
Imagine waking up one morning.
You pick up your phone and instantly notice that your internet connection is slow, apps and other online services are unavailable. At first, it might not seem like a big problem – a detox in the era of digital devices and services might benefit your well-being.
At the same time, your phone is running out of charge, even though it has been plugged in all night. You soon realise that there is no electricity or water either. As time passes, you still cannot access anything online, which may ruin your plans. You do not have to be an Instagram influencer to get anxious without access to the internet or other necessary resources. Imagine remote working, online shopping, and food ordering suddenly becoming impossible.
For us, the possibility of sending and receiving information at any time has become so natural that we get anxious when this chance is taken from us. You might be in such a situation after a successful mass-scale supply chain attack.
This blog post will present what a supply chain attack is and how to prevent and manage the risk of experiencing a supply chain attack.
What is a supply chain attack?
A supply chain attack happens when a malicious actor compromises a piece of software that others depend on, reaching the end-users through the trust they place in that software and its vendor.
Let us say a specific remote management system called “Remote Amadeus” is installed on every employee’s machine. When an attacker manages to hack the company that makes it, the hacker or group of hackers inserts malicious code into the product and, in a mass-scale attack, distributes it to the product’s end-users.
The distribution might be triggered manually. Alternatively, the attacker might wait for it to happen naturally – when the user updates the software to the latest version, which in this case carries the malicious code.
As a result, the end-user is compromised. What might a hacker do with the affected user’s machine? It might vary from exfiltrating sensitive data to entirely encrypting user files and demanding a ransom. The consequences the user experiences will depend on the machine’s security defence layers. Up-to-date machines with antivirus software, correct user permissions, and properly set firewall rules will be affected less.
The potential harm to the infected machine and the other devices residing in the network might be minimal if the network is well-architected. However, the risk is significantly higher when various vulnerable systems across the network or some business devices use default passwords.
Therefore, it is crucial to keep the devices on the corporate network updated and perform periodical security assessments on the infrastructure devices and security mechanisms.
It is worth mentioning that not only software can be affected by a supply chain attack. Hardware and firmware supply chain attacks are also possible, although these are less common than software supply chain attacks.
Recent mass scale supply chain attacks
The compromise of a third-party vendor might result in a supply chain attack. Unfortunately, many events of this kind are never reported to the press. Some supply chain attacks, however, are so big that they cannot be ignored. Among the recent ones, these were particularly noticeable:
- Log4j vulnerabilities. The Log4j component, widely used in many open and closed source projects, was found to be vulnerable at the end of 2021. Soon after, the relatively simple exploit became known to the public, and exploitation of the vulnerability attracted a lot of attention. Anyone who wanted to (and had malicious intent) could scan the internet using the proof-of-concept (PoC) scripts. As a result, this posed a severe risk to organisations using software with this vulnerable component;
- Microsoft Exchange Server vulnerabilities. In 2021, several Microsoft Exchange Server vulnerabilities emerged. They could be used to exploit on-premise mail servers. As many organisations use this software, about 30 000 servers were exposed to the risk of stolen data;
- Vulnerable Kaseya VSA software. The attack affected hundreds of managed service providers. It caused over 800 Swedish Coop grocery stores to be shut down for several days, and Coop is just one of the affected organisations. As with the Colonial Pipeline attack, REvil was held responsible. Soon after the attack, a call between US president Joe Biden and Russian president Vladimir Putin took place. It was made clear that Russia should take responsibility for the attacks and that Joe Biden expected cooperation; otherwise, the US would take down REvil’s servers itself if Russia would not. In January 2022, according to a statement by the Russian Federal Security Service, REvil was dismantled. Some of the group’s members were charged based on information provided by the US.
Who is behind these attacks?
The complexity of compromising a target through a supply chain attack often makes it financially not worth it for individual criminals. Well-financed advanced persistent threats (APTs), however, have enormous resources and tend to achieve their goals by any means.
Supply chain attacks are significant when the APT’s goal is to cause disastrous losses for a government or a corporation. The more widely the software is used, the more hosts can be compromised in a single supply chain attack.
Some supply chain attacks are associated with the governments of different nations. For example, Russia is believed to be behind the SolarWinds attack, and the US applied sanctions against Russia for it. It is hard to imagine how many resources went into this attack, which resulted in 18 000 organisations being compromised. According to Microsoft, at least 1000 engineers worked on creating this supply chain attack.
Another example of a nation-sponsored attack is ShadowHammer. The ASUS Live Update Utility software was infected with malware. Moreover, the digital signature was also compromised, so the software looked official because it was signed by ASUS. China is considered to be behind this attack, which affected more than a million users worldwide.
How to manage the risk of experiencing a supply chain attack?
A solid IT infrastructure starts with essential security hygiene. Here are some of the ways to maximise the security level against supply chain attacks:
- Ensure the OS and installed software have the latest security patches, and that security mechanisms such as firewalls are configured adequately;
- Users should use strong passwords together with multi-factor authentication;
- Perform periodic penetration testing on your devices and infrastructure. Malicious activity can be detected during the penetration testing exercise;
- Perform integrity checks of the software you are installing. The vendor often provides hash values of the original file. By generating the hash value on your side and comparing it with the vendor’s, you can be sure that you downloaded the same file;
- Follow the news about the latest emerging vulnerabilities and know which software your organisation uses. In case of a new zero-day vulnerability, ensure you employ sufficient countermeasures: apply the security patch in time, isolate the machine with the affected software, or replace the affected product until the vendor releases an official fix.
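As an added example (not code from the original post), here is one way to implement the integrity check recommended above: it parses a vendor checksum list in the common sha256sum format, hashes the downloaded file in chunks, and compares the two digests in constant time. The file name remote-amadeus-installer.bin, the file contents and the checksum list are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile

def parse_checksum_file(text):
    """Parse a sha256sum-style list ('<hex digest>  <file name>'); '*' binary marker, blank and '#' lines are handled."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=1)
        if len(parts) != 2:
            continue  # malformed line: skip rather than trust it
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected

def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, checksum_text):
    """Return 'ok', 'mismatch' or 'no-entry' for the file at `path`."""
    expected = parse_checksum_file(checksum_text).get(os.path.basename(path))
    if expected is None:
        return "no-entry"  # nothing to compare against: do not install
    # compare_digest does not leak how many leading characters matched
    return "ok" if hmac.compare_digest(sha256_of_file(path), expected) else "mismatch"

def demo():
    """Constructed scenario: a genuine download, then the same file after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        installer = os.path.join(tmp, "remote-amadeus-installer.bin")
        with open(installer, "wb") as f:
            f.write(b"constructed installer bytes\n")
        sums = f"{sha256_of_file(installer)}  remote-amadeus-installer.bin\n"  # as the vendor would publish it
        genuine = verify_download(installer, sums)
        with open(installer, "ab") as f:
            f.write(b"\x00")  # one appended byte: corrupted or trojanised download
        tampered = verify_download(installer, sums)
        unknown = verify_download(os.path.join(tmp, "other-tool.bin"), sums)
        return genuine, tampered, unknown
```

Take the published hash from a channel separate from the download itself (for example the vendor's release page served over HTTPS, or a signed release manifest), because an attacker who can alter the download can often alter a checksum file hosted right beside it.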
Supply chain attacks might have devastating consequences for anyone connected to the internet. Not only might you become a victim, but your device might spread the malicious code to other machines. What is the scary thing about such attacks? The bigger the vendor affected by the attack, the higher the number of victims it creates. Supply chain attacks may disrupt various critical government or business activities.
Are you looking for effective ways to prevent a supply chain attack? Then ensure your IT infrastructure security hygiene. If you need any strategic consultations regarding that, feel free to contact our Baltic Amadeus team.