The growing threat of supply chain attacks

Cyber attacks pose a growing threat to local governments, but one risk that is often overlooked is the supply chain attack.

Criminal hackers are increasingly targeting software supply chains because these attacks allow them to compromise hundreds or even tens of thousands of victims through a single breach, while also affording them extensive internal access through the trusted systems.

The July 2021 breach of Kaseya is a prime example. Up to 1,500 businesses were affected after hackers found a flaw in the Kaseya remote management software that allowed them to spread ransomware through the company’s software update process and ultimately to the end users of this product. Similar attacks have occurred through other widely used software products, such as SolarWinds, Microsoft Exchange and Avast’s CCleaner.

Supply chain attacks are extremely difficult to detect, which means the attacker has more time to infiltrate the network, steal data and install malicious tools like ransomware.

Here is what local governments need to know about this growing threat:

What is a supply chain attack?

A supply chain attack occurs when a criminal hacker deliberately targets organizations through a third-party service they rely on.

These service providers can be small business vendors, like the insecure HVAC vendor which allegedly led to Target’s 2013 data breach, or through widely used software services like network monitoring tools (ex: SolarWinds), ecommerce platforms (ex: Magento), file-sharing (ex: Accellion) and other services such as accounting software (ex. M.E. Doc). Even security tools can be breached in order to target their users, as in the case of Avast’s CCleaner tool and the operation by “Fxmsp” group, which targeted top antivirus companies.

This method of attack is increasingly popular among sophisticated hackers because it allows them to target many victims through a single breach, rather than having to attack each of these organizations individually. It also allows them to blindside the victim by bypassing their network security tools and essentially slipping in through the backdoor directly onto their network, and often with elevated privileges.

How the attack unfolds

In a software supply chain attack, there are two ways the criminal can breach an organization.

The first occurs when the attacker compromises an organization that has access into their intended targets. This access may be through software managed by the organization or through credentials the organization has to log in to the target’s network. The attacker then uses this access to move through the victim organizations and wreak havoc. This often happens with managed service providers (MSPs) who are IT administrators for many organizations. There have been many recent examples where attackers use an MSP’s access to deploy ransomware to all the MSP’s clients. This allows the ransomware attackers to encrypt dozens to hundreds of organizations at the same time.

The second method is even more devious. In this case, the attacker will infiltrate the software company’s own infrastructure and compromise customers through the legitimate software program. The software, or its updates, are modified to include backdoors that allow the attacker to access organizations when the compromised software is installed. The attacker then only has to wait for the software to be deployed.

Why these attacks are worse than traditional breaches

While any breach can be damaging, a supply chain hack can be exponentially worse because the attacker often has a higher level of access to the network and is harder to detect.

This combination of factors greatly increases the risk for a government agency. The longer an attacker has inside a victim’s network, the more damage they can cause—either through data theft, ransomware, other types of malware or network disruptions. According to a recent report by IBM Security, software supply chain attackers have on average286 days inside the victim’s network before being detected. Additionally, because the attacker is exploiting a trusted IT service, they are essentially walking in through the front door—this means they will be able to gain access to a larger slice of the network and will often have admin-level privileges when they do.

The software attack surface is growing

Most government agencies today rely on a myriad of software and IT services to manage their daily operations.

These range from email and cloud services to web applications, remote desktop protocols (RDP), virtual private networks (VPN), antivirus, ecommerce platforms, point-of-sale systems, HR management, network admin tools, collaboration apps like Microsoft Teams and Slack and much more, not to mention a growing roster of IoT devices.

Every one of these services depends on a complex codebase to operate, and yet within that codebase there often exists numerous vulnerabilities. The level of software security varies by vendor, but even the largest IT companies in the world struggle to ensure security throughout their products. We have only to look at recent vulnerability disclosures inWindows, Oracle, McAfee, Apple, Cisco and other major vendors to see how widespread these security problems really are.

As the software attack surface grows, so do the risks. Supply chain attacks won’t diminish anytime soon. In fact, the problem is likely to get much worse in the next few years as software services continue to grow.

How do you protect against it?

There is no way to prevent a supply chain attack from ever occurring, so local governments need to make post-breach damage control a key part of their overall security strategy.

Preventive measures are important—such as carefully vetting software vendors and keeping all software up to date—but a greater emphasis should be placed on creating a layered defense within the network that will limit the overall damage of a successful breach.

Standard defensive measures include: segmenting the network, so that a breach through one system won’t necessarily expose the entire network; establishing rigorous data encryption practices; and using monitoring tools like SIEM and IDS/IPS, which will detect suspicious behavior such as a remote login from a foreign IP or transferring large files outside of the network.

Organizations should also protect and limit the total number of “privileged accounts” in the network, through a Privileged Access Management (PAM) framework, as these accounts will give the attacker the greatest level of access to sensitive data and systems if they are compromised.

Additionally, third-party partners or suppliers should be required to notify organizations when they are breached so the organizations can take appropriate action. This is often done by adding clauses into third-party contracts that add mandatory notification within 48-72 hours of any breach of the third-party’s network or that includes the organization’s data.

Lastly, organizations should engage outside security firms to regularly test their network security and post-breach defenses, in what is known as a “penetration test” or “red team” test. Third-party incident response retainer services should also be engaged to provide guaranteed response to any breach that may occur. While there is no silver bullet to fully prevent supply chain attacks, proactively performing these steps will decrease the impact of an attack and ensure any successful attack is quickly recovered from.

Carlos Perez, research practice lead for TrustedSec, has more than 20 years of IT security experience. He specializes in developing tools for offensive simulation and incident response.

Tyler Hudak, incident response practice lead for TrustedSec, specializes in cyber attack/breach response and remediation. He is the former Security Operations Center (SOC) team lead for a major medical destination center and held senior security positions at multiple fortune 500 organizations.

Contacts for both: [email protected], (877) 550-4728