In today’s globalized world where efficiency and speed are paramount, no organization is an island. Inevitably, we all must place trust into vendors, third-party services, and software providers to keep the business going.
As a direct consequence of the global move towards the distributed enterprise, hackers are increasingly exploiting blind spots in supply chains to target organizations for financial gain and other malicious purposes. The result is continuous growth in supply chain attacks affecting organizations of all sizes in all industries, including banking, healthcare, critical infrastructure, and government, to name a few.
What are supply chain attacks, and why are they so difficult to prevent?
Instead of targeting an organization directly, hackers compromise third-party software providers, website builders, or third-party data stores that the organization uses. By taking this indirect route, hackers can infiltrate hardware and software manufacturers and inject malware or identify vulnerabilities in digital assets before a target installs them, all in order to set the stage for an attack on a company using those products.
Another common tactic is the watering hole attack, where threat actors compromise a website or resource known to be frequented by users within a targeted organization, or even an entire sector, in order to distribute malware.
The defining attribute of supply chain attacks is that they target assets outside the organization’s immediate control. Such attacks compromise an app or a service owned by a trusted third party with the ultimate goal of compromising organizations downstream or upstream of the immediate target.
Corporate hacks resulting from supply chain attacks are challenging to prevent and even harder to detect. Because the compromised components are integrated parts of the domain or legitimate resources for company users, these attacks are difficult to pinpoint and mitigate effectively.
Supply chain attacks are on the rise, and no sector is safe
Supply chain attacks come in many forms and target various vulnerabilities among the involved parties. A widely publicized successful supply chain attack of recent years is the compromise of hundreds of Ukrainian businesses. The attack started with a notorious malware named NotPetya, propagated by a seemingly benign tax preparation software popular in Ukraine.
The famous attack on Target back in 2013, which cost the company more than $200 million, was another example of the risk in trusting business partners with core access, as the company was hit through its HVAC provider.
More recently, supply-chain attacks against open source repositories have gained popularity as an extremely effective way to execute malicious code on sensitive machines. There isn’t an easy way for software developers to make sure that open-source packages they use are free of vulnerabilities known to attackers, or even injected with hidden malware. This is a huge gap in the market at the moment which is being exploited by malicious actors, with a very partial response from security vendors.
In a recent installment of a chain of attacks spanning several years, the RubyGems repository was hit with 725 malicious packages. It is by no means the first time typosquatting has been used to sneak malicious packages into widely used open-source repositories, and it won’t be the last.
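As an added defensive check (not part of the original article), the Ruby script below flags dependency names in a Gemfile.lock that sit within one edit of a popular gem, which is the lookalike pattern typosquatting relies on; the popular-gem list and the lockfile excerpt are constructed for illustration.

```ruby
# Added example: flag dependency names that look like typosquats of
# popular gems. The popular-gem list and the Gemfile.lock excerpt are
# constructed for illustration, not taken from any real project.
POPULAR_GEMS = %w[rails rake nokogiri rspec bundler puma devise sidekiq].freeze

# Constructed Gemfile.lock excerpt (the lookalike names are hypothetical).
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (6.0.3)
        railties (= 6.0.3)
      nokogirl (1.0.0)
      rspec (3.9.0)
      side-kiq (0.1.0)
      puma (4.3.5)
LOCK

# Extract direct gem names from the specs section: entries are indented by
# exactly four spaces as "name (version)"; transitive deps use six and are skipped.
def lockfile_gem_names(text)
  text.each_line.map { |line| (m = line.match(/\A {4}(\S+) \(/)) && m[1] }.compact
end

# Levenshtein edit distance between two strings (insert, delete, substitute).
def edit_distance(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca == cb ? 0 : 1)].min
    end
    prev = cur
  end
  prev[b.length]
end

# Normalise separators so "side-kiq" and "side_kiq" compare equally to "sidekiq".
def normalize(name)
  name.downcase.delete("-_")
end

# Return [suspect, lookalike] pairs: names that are not themselves a popular
# gem but sit within one edit of one after separator normalisation.
def typosquat_candidates(names, popular = POPULAR_GEMS)
  names.reject { |n| popular.include?(n) }.map do |n|
    hit = popular.find { |p| edit_distance(normalize(n), normalize(p)) <= 1 }
    hit && [n, hit]
  end.compact
end

typosquat_candidates(lockfile_gem_names(LOCKFILE))
# => [["nokogirl", "nokogiri"], ["side-kiq", "sidekiq"]]
```

A flagged pair is a prompt for review, not proof of malice; the same check runs against any lockfile string passed to lockfile_gem_names.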
Websites are often compromised through third-party services they use. One recent supply chain attack includes a compromise of a popular open-source Magento platform for eCommerce. Attackers have used brute-force password attacks to access administration panels of eCommerce websites in order to scrape credit card numbers and install cryptocurrency miners on compromised machines. Two more attacks, on an analytics service known as Picreel and an open-source project called Alpaca Forms, compromised over 4,600 websites using similar techniques. In another case, British Airways customer payment data was stolen through a compromised component in a popular e-commerce service used by the company.
The FBI has reported on a global network exploitation campaign, active since at least 2016, that uses the Kwampirs remote access Trojan. “The Kwampirs RAT (Remote Access Tool) is a modular RAT worm that gains system access to victim machines and networks, with the primary purpose of gaining broad, yet targeted, access to victim companies to enable follow-on computer network exploitation activities,” the FBI writes.
The attack is currently still ongoing, with healthcare organizations as its primary targets. From the attackers’ perspective, targeting the healthcare industry is an attractive option because these organizations are more likely to pay large sums to avoid disruptions in order to save human lives.
The examples above demonstrate just how vulnerable organizations across various sectors, industries, and geographical locations are to sophisticated attacks originating in their physical or virtual supply chain.
In supply-chain attacks, the end-game is not always obvious
The end-game of threat actors is not always obvious until it is too late. For example, one of the biggest attack campaigns against critical infrastructure since Stuxnet might not actually have been aimed at critical infrastructure at all.
New research on the Dragonfly (a.k.a. Energetic Bear) malware proposes that the true target of these attacks was the pharmaceutical and biotechnology industry, not the energy sector. The opaqueness of supply chains is another clear benefit for attackers and adds to the difficulty of preventing such attacks.
Attacks also target identity and authentication infrastructure
Active Directory, the de facto standard in identity management for enterprises and governments and the backbone of most authentication services in enterprise environments, is another frightening example of a trusted module being exploited by attackers.
Hackers are increasingly targeting Active Directory to gain access to information on hundreds of individuals, as well as other databases and network resources. In January, an espionage attack targeting three United Nations offices in Europe was disclosed. Attackers exploited a vulnerability in Microsoft SharePoint to gain access to Active Directory at the three UN locations, compromising dozens of servers.
The case for passwordless authentication for limiting the impact of supply chain attacks
There are many ways companies can protect themselves against supply chain attacks: architecturally, by adding appropriate security layers and inspection tools; behaviorally, by educating IT teams and end users about potential dangers; and, perhaps most importantly, by carefully vetting partners and suppliers, even the most trusted ones.
But ultimately, the one critical vulnerability that keeps hurting organizations is the reliance on passwords. In most cases, supply chain attacks specifically target passwords and credentials, either for selling or in the hope of later accessing corporate data and assets, as the examples above show.
Passwords have become the favored entry point for attackers. At the same time, traditional two-factor authentication solutions are expensive to maintain and cumbersome for users. By removing passwords from user authentication, enterprises can ensure that their assets are protected from compromise, even in the event of a successful supply chain attack on a vendor, partner, or third-party service.