A supply chain attack is an attack strategy that targets a company through vulnerabilities in its supply chain. These vulnerable areas are usually associated with vendors with poor security practices.
A data leak via a third party is possible because vendors need access to sensitive data to integrate with internal systems. If a vendor is compromised, this shared pool of data is breached.
Because every vendor stores sensitive data for several customer groups, a single supply chain attack often results in multiple companies being affected by an intellectual property breach.
Joe Biden's Cybersecurity Executive Order includes a section specifically dedicated to improving supply chain security; this is a cyber threat that the entire nation needs to take seriously.
Types of Supply Chain Attacks
Software supply chain attacks target either the source code, update mechanism, or build processes of vendor software. A victim could be compromised by any of the following vectors:
- Third-party software updates
- Malware installed on connected devices, e.g. external hard drives, cameras, phones, etc.
- Application installers
How does a supply chain attack work?
The supply chain attack piggybacks on legitimate processes to gain unhindered access to an organization's ecosystem.
This attack begins by infiltrating a vendor's security defenses. This process is usually much simpler than attacking a victim directly, due to the unfortunately myopic cybersecurity practices of many vendors.
The penetration could take place over several attack vectors. Once malicious code has entered a vendor's ecosystem, it must embed itself in a digitally signed process of its host.
This is the key to accessing a vendor's customer network. A digital signature attests that software genuinely comes from its manufacturer, which is what allows the software to be distributed to all networked parties.
By hiding behind this digital signature, malicious code can take advantage of the steady stream of software update traffic between a compromised vendor and its customer network.
The malicious payload that compromised the US government was injected into a SolarWinds Dynamic Link Library (.dll) file. This file was a digitally signed asset of SolarWinds' Orion software, the cover needed by nation-state hackers to gain access to SolarWinds' customer base.
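The point above is that a valid vendor signature only proves which key signed the artifact, not that the build behind it is clean: a payload injected into the build pipeline ships under a perfectly valid signature. The following added example (written for this article, not UpGuard's or SolarWinds' code) shows an update check that accepts an artifact only when the vendor signature passes and its SHA-256 digest also matches a digest obtained through an independent channel (for instance a reproducible rebuild). The signing scheme is a stand-in HMAC rather than a real X.509/Authenticode signature, and the artifacts, key and digests are constructed for the demonstration.

```python
"""Two-factor update verification: vendor signature AND independent digest.

Added example, not code from the article or from SolarWinds/UpGuard.
The HMAC 'signature' is a stand-in for a real code-signing signature;
artifacts, key and digests below are constructed for the demonstration.
"""
import hashlib
import hmac

# Stand-in for the vendor's private signing key (constructed value).
VENDOR_KEY = b"constructed-vendor-signing-key"


def vendor_sign(artifact: bytes) -> str:
    """Stand-in for the signing step at the end of the vendor's build pipeline."""
    return hmac.new(VENDOR_KEY, artifact, hashlib.sha256).hexdigest()


def signature_valid(artifact: bytes, signature: str) -> bool:
    """Check 1: does the vendor's key vouch for this artifact?"""
    return hmac.compare_digest(vendor_sign(artifact), signature)


def verify_update(artifact: bytes, signature: str, independent_sha256: str) -> tuple[bool, str]:
    """Return (ok, reason). Install only when both checks pass."""
    if not signature_valid(artifact, signature):
        return False, "vendor signature invalid"
    # Check 2: compare against a digest that did NOT come from the vendor's
    # signed release channel (reproducible rebuild, transparency log, ...).
    actual = hashlib.sha256(artifact).hexdigest()
    if not hmac.compare_digest(actual, independent_sha256):
        return False, "signed by vendor but digest differs from independently published build"
    return True, "signature and independent digest agree"


# Constructed scenario: a clean build and the same build with an injected payload.
CLEAN_BUILD = b"Orion-update-v1: clean build output"
TAMPERED_BUILD = CLEAN_BUILD + b" + injected backdoor"
# Digest of the clean build as it would be published by an independent rebuild.
INDEPENDENT_DIGEST = hashlib.sha256(CLEAN_BUILD).hexdigest()


def demo() -> tuple[tuple[bool, str], tuple[bool, str]]:
    """Run both artifacts through the check.

    A compromised build pipeline signs the tampered artifact with the real key,
    so the signature check alone passes; only the independent digest catches it.
    """
    clean = verify_update(CLEAN_BUILD, vendor_sign(CLEAN_BUILD), INDEPENDENT_DIGEST)
    tampered = verify_update(TAMPERED_BUILD, vendor_sign(TAMPERED_BUILD), INDEPENDENT_DIGEST)
    return clean, tampered


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered"), demo()):
        print(f"{label}: ok={result[0]} ({result[1]})")
```

The design choice to note is that the second digest must be sourced outside the vendor's release path; if it is simply downloaded from the same signed update feed, it adds nothing, because the attacker who controls the build also controls that feed.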
Compromised vendors unknowingly distribute malware throughout their customer network. The software patches that carry the malicious payload include a backdoor that communicates with third-party servers, which serve as the distribution point for the malware.
A popular service provider could infect thousands of organizations with a single update, helping threat actors make a greater impact with much less effort.
SolarWinds announced that up to 18,000 of its customers had been infected by its compromised software update, across a wide range of industries including government, consulting, telecom and technology.
When a victim installs a compromised software update from a vendor, the malicious code is installed along with it, with the same permissions as the digitally signed software, and the cyber attack is initiated.
Once installed, a Remote Access Trojan (RAT) is typically activated to give cyber criminals access to any infected host for exfiltration of sensitive data.
The SolarWinds supply chain attack was unique in that the hackers did not initiate remote control immediately. Rather, the malware lay dormant for two weeks before making contact with a command and control server (a remote session manager for compromised systems, also known as C2) via a backdoor.
Each initiated remote connection was to a subdomain of avsvmcloud[.]com containing a string unique to each victim. This string of characters, which at first glance appeared to be a random arrangement of letters, was an encrypted identifier of each victim's local network domain.
The graphic below summarizes the SolarWinds supply chain attack. The overall process of third-party injection, delivery of malware, and initiation of data communication through a backdoor is the backbone of all supply chain attacks.
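The beaconing pattern just described (per-victim subdomains under a single C2 domain, each carrying a long encoded string) is something a defender can hunt for in resolver logs. The following added example, written for this article and not part of UpGuard's or any vendor's tooling, scans constructed DNS log lines and flags queries that sit under a watch-listed apex domain and whose leftmost label is long and high-entropy. The only real value it uses is the avsvmcloud[.]com domain named in the text; the log format, client addresses, subdomain strings and thresholds are all assumptions made for the demonstration.

```python
"""Flag DNS queries that match the beaconing pattern described in the text:
subdomains of a watch-listed C2 domain whose leftmost label is a long,
high-entropy string (an encoded per-victim identifier).

Added example for this article, not UpGuard's code. The log lines, client
addresses and subdomain labels are constructed; the watch-listed domain is
the one named in the article (defanged form written out here).
"""
import math
import re
from collections import Counter

# Apex domain from the article. In practice this set comes from threat intel.
WATCHLIST = {"avsvmcloud.com"}

# Assumed thresholds: labels shorter than this are not treated as encoded
# identifiers, and labels below this Shannon entropy (bits/char) look like words.
MIN_LABEL_LEN = 12
MIN_ENTROPY = 3.0

# Constructed resolver log lines: "<timestamp> <client-ip> <query-name>".
SAMPLE_LOG = """\
2020-12-13T01:02:03Z 10.0.5.17 www.example.com
2020-12-13T01:02:09Z 10.0.5.17 6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com
2020-12-13T01:03:44Z 10.0.6.21 updates.example.net
2020-12-13T01:04:10Z 10.0.6.21 mail.avsvmcloud.com
2020-12-13T01:05:55Z 10.0.7.3 r1q4k0hh7i2a5e0mnlk3.appsync-api.us-east-2.avsvmcloud.com
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def labels_of(qname: str) -> list[str]:
    """Lower-cased DNS labels, trailing dot removed."""
    return qname.lower().rstrip(".").split(".")


def apex_of(qname: str) -> str:
    """Last two labels of the query name (sufficient for .com; a public-suffix
    list would be needed for ccTLDs such as .co.uk)."""
    return ".".join(labels_of(qname)[-2:])


def is_beacon_like(qname: str) -> bool:
    """True if qname is a subdomain of a watch-listed apex and its leftmost
    label looks like an encoded identifier (long and high-entropy)."""
    if apex_of(qname) not in WATCHLIST:
        return False
    labels = labels_of(qname)
    if len(labels) <= 2:
        return False  # the apex itself, not a per-victim subdomain
    leftmost = labels[0]
    return len(leftmost) >= MIN_LABEL_LEN and shannon_entropy(leftmost) >= MIN_ENTROPY


def scan_log(text: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, client, qname) for every beacon-like query in text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crashing
        ts, client, qname = m.groups()
        if is_beacon_like(qname):
            hits.append((ts, client, qname))
    return hits


if __name__ == "__main__":
    for ts, client, qname in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} -> {qname}")
```

Running it on the constructed log reports the two high-entropy subdomain queries and ignores both the unrelated domains and the plain `mail.avsvmcloud.com` lookup. The entropy threshold is what separates encoded identifiers from ordinary hostnames; tune it against your own resolver data before alerting on it, since a static watch-list alone would have missed this campaign until the domain was published.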
A supply chain attack could be used as a prelude to a mass ransomware attack. Or, as was the case with the SolarWinds breach, it could be a reconnaissance mission for a future, more sinister attack.
The destructive efficiency of nation-state supply chain attacks is a testament to how vulnerable many companies are to third-party security breaches.
Examples of supply chain attacks
Supply chain attacks allow cybercriminals to infect large numbers of victims without having to conduct phishing attacks on each individual target. This increased efficiency has recently increased the prevalence of this attack method.
Here are some popular examples of supply chain attacks.
Attack on US government supply chain
This event will likely be the ubiquitous example of a supply chain attack well into the future. In March 2020, nation-state hackers penetrated the US government's internal communications through a compromised update from third-party vendor SolarWinds.
The attack infected up to 18,000 customers worldwide, including six US government agencies:
- The Department of Energy
- The National Nuclear Safety Agency
- The US Department of State
- The US Department of Commerce
- The US Treasury Department
- The Department of Homeland Security
The investigations are still ongoing. It can take months or even years to discover the ultimate effects of what experts have dubbed one of the most sophisticated supply chain attacks ever deployed.
Target supply chain attack
Target suffered a major data breach after cybercriminals accessed the retailer's sensitive data through a third-party HVAC vendor. The attackers accessed personally identifiable information (PII) and financial information affecting 70 million customers and 40 million debit and credit cards.
Attackers breached the third-party HVAC vendor via an email phishing attack.
Equifax supply chain attack
Equifax, one of the largest credit reporting agencies, suffered a data breach involving an application vulnerability on its website. The breach affected more than 147 million Equifax customers. The sensitive data stolen included social security numbers, driver's license numbers, dates of birth and addresses.
Attack on Paradise Papers supply chain
Confidential offshore investment documents known as the Paradise Papers were breached through a third-party law firm, Appleby. The sensitive data revealed 13.4 million investment documents from the wealthiest 1%, including Donald Trump, Justin Trudeau, Vladimir Putin's son-in-law and even Queen Elizabeth.
Attack on the Panama Papers supply chain
Panamanian law firm Mossack Fonseca leaked over 2.6 terabytes of sensitive client data in a breach. The breach exposed the underhanded tax evasion tactics of over 214,000 companies and high-ranking politicians.
Law firms are usually the most desirable cyber attack targets because of the wealth of highly sensitive, and therefore very valuable, client data that they store on their servers.
Supply chain attack statistics
The adoption of this cyber attack method is increasing at an alarming rate. According to a study by Symantec, supply chain attacks increased by 78% in 2019. This prevalence is expected to continue to increase as threat actors, motivated by the success of the US government breach, shift their preference to this attack method.
The cost of supply chain attacks
The financial impact of a supply chain attack can be huge, regardless of the size of an organization. Several factors contribute to the resulting costs, such as the effort to investigate security breaches, loss of business due to reputational damage, and government fines.
According to a report by IBM and the Ponemon Institute, the average cost of a data breach in 2020 was $3.86 million, and the average time to identify and contain a breach was 280 days, which is over 9 months.
The average cost of a data breach in the United States is the highest at $8.19 million per breach.
In the United States, the healthcare and financial industries face the highest data breach costs due to their stricter regulatory requirements to protect sensitive data.
The average cost per data breach in the healthcare and financial industries is $7.13 million and $5.56 million, respectively.
In addition to regulatory burdens, the high cost of data breaches is due to the long resolution time of each incident. 280 days is roughly 75% of the year, which is a significant amount of time to pay for additional corrective action while profit margins stagnate or even shrink.
The key to reducing costs in the event of a supply chain attack is a fine-grained remediation process that can be activated quickly.
Rapid detection and remediation could also minimize the time cyber attackers spend in your ecosystem, which in turn minimizes the amount of sensitive data compromised.
How to prevent supply chain attacks
The key to defending your digital supply chain is to ensure that each of your third-party vendors complies with the strictest cybersecurity standards, whether or not regulatory requirements are enforced.
Complacency is the main reason for vulnerability to supply chain attacks. This is partly because organizations don't realize how vulnerable even the most trusted vendors are to data breaches.
To keep your third parties compliant, regular security questionnaires should be sent to each of them to continuously review their security posture.
Each questionnaire should be tailored to a specific industry and customized to each company's unique needs. You could create the questionnaires yourself or, ideally, have them completed and sent out immediately by a sophisticated third-party risk management solution.
To give your organization the best chance of containing supply chain attacks, these questionnaires should be sent out as soon as a drop in the security rating of a specific vendor becomes known.
Two-factor authentication could also prevent supply chain attacks. When vendors enable this security control, threat actors face an additional gap to bridge between themselves and a vendor's internal systems.
Learn how to prevent supply chain attacks by securing privileged access management.
Learn how to prevent supply chain attacks with an Assume Breach mentality.
Learn how to prevent supply chain attacks with a Zero Trust architecture.
UpGuard helps companies contain supply chain attacks
UpGuard Vendor Risk is the most advanced solution for complete end-to-end management of third-party and fourth-party supply chain risks. The best-in-class cybersecurity platform mitigates supply chain vulnerabilities in three phases:
All providers are meticulously scanned for vulnerabilities and given a security score based on over 70 cyber risk factors. With visibility into the most up-to-date security posture from all vendors, organizations can instantly identify all parties at risk of a supply chain attack.
2. Evaluate and fix
If a vendor's security rating drops, they can be immediately screened using questionnaires from an ever-growing library based on the most secure best practices and regulatory requirements.
Take immediate corrective action by assigning tasks to responders and tracking their progress. Measure the effectiveness of all remediation efforts based on the resulting changes in security rating.
Protect your business from data breaches
At UpGuard we can protect your business from data breaches, identify all your data leaks, and help you continuously monitor the security posture of all your vendors.
UpGuard also supports compliance with a variety of security frameworks, including the new supply chain requirements established by Biden's Cybersecurity Executive Order.
CLICK HERE to get your FREE security assessment now!