Can one supply chain cyber-attack stop the world?
2022 04 26
Author: Giedrius Saulėnas
Imagine waking up one morning.
You pick up your phone and instantly notice that your internet connection is slow, apps and other online services are unavailable. At first, it might not seem like a big problem – a detox in the era of digital devices and services might benefit your wellbeing.
At the same time, you see your phone is running out of charge, even though it has been plugged in all night. You soon realise that there is no electricity or water. As time passes, you still cannot access anything online, which may ruin your plans. You do not have to be an Instagram influencer to get anxious without access to the internet or other necessary resources. Imagine remote working, online shopping, and food ordering suddenly becoming impossible.
For us, the possibility of sending and receiving information at any time has become so natural that we get anxious when this chance is taken from us. You might find yourself in such a situation after a successful mass-scale supply chain attack.
This blog post will explain what a supply chain attack is and how to prevent and manage the risk of experiencing one.
What is a supply chain attack?
A supply chain attack happens when a malicious hacker compromises the security of a specific piece of software that many users rely on, and uses that trusted software as the vehicle to reach them.
Let’s say a specific remote management system called “Remote Amadeus” is installed on every employee’s machine. When an attacker manages to hack the company that makes the product, the hacker or group of hackers inserts malicious code into it, and in a mass-scale attack that code is distributed to the product’s end-users.
The distribution process might be triggered manually. Alternatively, the attacker might wait for it to happen naturally – when the user updates the software to the latest version, which is now the compromised one.
As a result, the end-user is compromised. What might a hacker do with the affected user’s machine? It might vary from exfiltrating sensitive data to entirely encrypting user files and demanding ransom. The potential consequences that the user might experience will depend on the security defence layers the machine has. Up-to-date machines with antivirus software, correct user permissions, and properly set firewall rules will be affected less.
The potential harm to the infected machine and the other devices residing in the network might be minimal if the network is well architected. However, the risk is significantly higher when various vulnerable systems across the network or some business devices use default passwords.
Therefore, it is crucial to keep the devices on the corporate network updated and perform periodical security assessments on the infrastructure devices and security mechanisms.
It is worth mentioning that software is not the only thing that can be affected by a supply chain attack. Hardware and firmware supply chain attacks are also possible, although these are not as common as software supply chain attacks.
Recent mass scale supply chain attacks
The compromise of a third-party vendor might result in a supply chain attack. Many events of this kind do not get released to the press. However, some supply chain attacks are so big that they cannot be ignored. Among recent supply chain attacks, there were some noticeable ones:
- Log4j vulnerabilities. The Log4j component, widely used in many open and closed source projects, was found to be vulnerable at the end of 2021. Soon after, a relatively simple exploit became known to the public, and exploitation of the vulnerability attracted a lot of attention. Anyone who wanted to (and had malicious intent) could scan the internet using the proof-of-concept (PoC) scripts. As a result, this caused a severe risk for organisations using software with this vulnerable component.
- Microsoft Exchange Server vulnerabilities. In 2021, several Microsoft Exchange Server vulnerabilities emerged. The vulnerabilities could be used to exploit on-premise mail servers. As many organisations use this software, about 30 000 servers were exposed to the risk of stolen data.
- Vulnerable Kaseya VSA software. The attack affected hundreds of managed service providers. It caused over 800 Swedish Coop grocery stores to be shut down for several days, and Coop is just one of the affected organisations. As with the Colonial Pipeline attack, REvil was again held responsible. Soon after the attack, a call between US president Joe Biden and Russian president Vladimir Putin took place. It was made clear that Russia should take responsibility for the attacks and that Joe Biden expected cooperation; otherwise, the US would take down the REvil servers if Russia would not. In January 2022, according to a statement by the Russian Federal Security Service, REvil was dismantled. Some of the group members were charged based on information provided by the US.
Who is behind these attacks?
The complexity of compromising a target with a supply chain attack is often not financially worthwhile for individual criminals. Well-financed advanced persistent threats (APTs), however, have enormous resources and tend to achieve their goals by any means.
If the APT’s goal is to cause disastrous losses for a government or corporation, supply chain attacks are significant. The more widely the software is used, the more hosts can be compromised during the supply chain attack.
Some supply chain attacks are associated with the governments of different nations. For example, it is believed that Russia is behind the SolarWinds attack. The US applied sanctions against Russia for the attack. It is hard to imagine how many resources were put into this attack, which resulted in 18 000 organisations being compromised. According to Microsoft, at least 1000 engineers were working to create this attack.
Another example of a nation-sponsored attack is ShadowHammer. The ASUS Live Update Utility software was infected with malware. Moreover, the digital signature was also compromised, so the software looked official as it was signed by ASUS. China is considered to be behind this attack, which affected more than a million users worldwide.
How to manage the risk of experiencing a supply chain attack?
A solid IT infrastructure starts with essential security hygiene. Here are some of the ways to maximise the security level against supply chain attacks:
- Ensure OS and used software have the latest security patches and security mechanisms, such as firewalls, configured adequately.
- Users should use strong passwords with multi-factor authentication.
- Perform periodic penetration testing on your devices and infrastructure. Malicious activity can be detected during the penetration testing exercise.
- Perform integrity checks of the software you are installing. The vendor often provides hash values of the original file. By generating the hash value on your side and comparing it to the vendor’s, you can be sure that you downloaded the same file.
- Follow the news about the latest emerging vulnerabilities and be aware of your organisation’s software. In case of a new zero-day vulnerability, ensure you employ sufficient countermeasures. Apply the security patch in time, isolate the machine with the affected software, or replace the affected product until the vendor releases an official fix.
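The integrity check described in the list above, as an added example that is not part of the original post or any vendor’s tooling: it streams a downloaded file through SHA-256, parses a vendor checksum list in the common `sha256sum` format, and compares digests in constant time. The product name and all file contents are constructed for the demonstration.

```python
"""Verify a downloaded file against a vendor-published SHA256SUMS list."""
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large installer need not fit in memory


def sha256_of_file(path: Path) -> str:
    """Return the lowercase hex SHA-256 digest of a file, streamed from disk."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def parse_sums(text: str) -> dict:
    """Parse 'HEXDIGEST  filename' lines; a leading '*' on the name marks binary mode."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {line!r}")
        expected[parts[1].lstrip("*")] = parts[0].lower()
    return expected


def verify_download(path: Path, sums_text: str) -> bool:
    """True only if the file's digest matches the vendor's entry for that file name."""
    want = parse_sums(sums_text).get(path.name)
    if want is None:
        return False  # no published digest for this file name: treat as unverified
    return hmac.compare_digest(sha256_of_file(path), want)


def demo() -> tuple:
    """Constructed scenario: a genuine installer, a tampered copy, and the vendor's list."""
    with tempfile.TemporaryDirectory() as tmp:
        name = "remote-amadeus-setup.exe"  # hypothetical product name from the post
        good = Path(tmp) / name
        good.write_bytes(b"genuine installer payload\n" * 1000)
        sums = f"{sha256_of_file(good)}  {name}\n"  # what the vendor would publish
        mirror = Path(tmp) / "mirror"
        mirror.mkdir()
        tampered = mirror / name
        tampered.write_bytes(good.read_bytes() + b"injected code\n")
        return verify_download(good, sums), verify_download(tampered, sums)
```

A checksum fetched from the same download page as the file only proves you received what that page served, so compare against a digest obtained out of band (vendor advisory, signed release notes) where one exists.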
Supply chain attacks might have devastating consequences for anyone connected to the internet. Not only might you become a victim, but your device might spread the malicious code to other machines. What is the scary thing about such attacks? The bigger the party hit by the attack, the higher the number of victims it creates. Supply chain attacks may disrupt various critical government or business activities.
Are you looking for effective ways to prevent a supply chain attack? Then ensure your IT infrastructure security hygiene. If you need any strategic consultations regarding that, feel free to contact our Baltic Amadeus team.