Cyber Crime
Assessing and protecting the technology supply chain – Pt III
In the previous two parts of this blog series, we highlighted the challenges of mitigating risk in the hardware and software artefacts that populate the tech supply chain. But there’s more. Some of the biggest breaches on record were the result of threat actors compromising third-party software or services. Supplier relationships are also frequently subverted by fraudsters to enable costly business email compromise (BEC) scams.
There’s plenty here to keep security teams busy.
Outsourcing services doesn’t outsource the risk
Few if any organisations can function autonomously. That’s what makes supply chains so important. From accounting and tax administration to facilities management and payroll, a growing number of functions are outsourced to specialist providers. It’s usually more cost effective this way, and means the organisation can focus on its core business.
However, this often means third-party providers need remote access to corporate networks, software and/or data. This introduces additional risk. Take the 2013 data breach at US retailer Target, which exposed the payment card and personal data of an estimated 110 million customers. The breach was traced back to network credentials stolen from Target’s HVAC provider: the attackers used them to reach Target’s vendor-facing systems and then moved laterally to the point-of-sale network. What resulted was one of the biggest retail breaches ever recorded, and a reminder that a supplier’s access should be scoped and segmented to the minimum it needs.
When software is compromised
Perhaps the most obvious example of things companies outsource in the digital age is software. Although some develop apps in house using open source components (see Part II), most also use applications bought in from third-party providers. But what happens when that software is compromised? The blind trust many organisations place in their software provider can have devastating repercussions.
The most famous example of this came with the SolarWinds campaign. Here, Russian state actors compromised the IT management software provider’s build environment and inserted a backdoor into an update of its flagship Orion monitoring platform. Because the tampered update was built and digitally signed by the vendor’s own pipeline, it was distributed to customers without tripping any alarms. Inside victim networks, the attackers then forged SAML tokens to gain privileged access to cloud services such as Microsoft 365. As many as nine US federal agencies as well as parts of NATO and the European Parliament were breached as a result.
A not-dissimilar campaign came to light in March 2023 when VoIP software firm 3CX was breached, this time by actors linked to North Korea. The firm was compromised via backdoor malware hidden inside financial trading software installed by an employee. With access, the threat actors managed to Trojanise the 3CX desktop app, “extending” the software by sideloading a DLL, which loaded malware from the internet. Once again, because the app was trusted by its customers, they installed the Trojanised build, and the attackers then delivered a modular backdoor to the subset of victims they had singled out.
Supply chain relationships are a prime target
Fraudsters also see supply chains as fertile ground to monetise campaigns. Once again, they’re taking advantage of trusted relationships, this time impersonating suppliers to trick their partners into wiring money. So-called BEC takes a number of forms, but in this example the threat actor typically sends an email to the target organisation purporting to come from a regular supplier, requesting payment or a change of bank details.
Sometimes the sender address is spoofed or a lookalike domain is registered, but on occasion the supplier’s account itself is hijacked. Often, the attackers have compromised an email account on either the supplier or partner side to monitor email flows and understand when invoices are typically due, to add authenticity to their request. Tactics like this helped BEC become the second highest grossing cybercrime type in 2022, making scammers over $2.7bn, according to the FBI.
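The heuristics below show how the cues described above (a Reply-To that points somewhere other than the From domain, a lookalike of a known supplier domain, a failed DMARC result, and wording about changed bank details or urgency) can be screened for on inbound invoice mail. This is an added example, not code from the original post; the supplier list, domains and the three sample messages are constructed for illustration, and the script assumes a plain-text body and an `Authentication-Results` header written by your own mail gateway.

```python
"""Heuristic screening of inbound supplier payment requests (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed supplier allowlist: domains your accounts-payable team already pays.
KNOWN_SUPPLIER_DOMAINS = {"acme-widgets.example"}

# Phrases typical of invoice-redirection fraud (case-insensitive).
BANK_CHANGE_PATTERNS = [
    r"\b(new|updated?|changed?)\b.{0,40}\b(bank|account|beneficiary|payment)\b",
    r"\b(bank|account|beneficiary)\b.{0,40}\b(changed?|updated?|new)\b",
]
URGENCY_PATTERN = r"\b(urgent|urgently|immediately|today|asap)\b"


def _domain(header_value: str) -> str:
    """Extract the lower-cased domain from a From/Reply-To header value."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (e.g. one swapped letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _body_text(msg) -> str:
    if msg.is_multipart():
        return "\n".join(
            p.get_payload(decode=True).decode(errors="replace")
            for p in msg.walk() if p.get_content_type() == "text/plain"
        )
    return msg.get_payload()


def screen_message(raw: str) -> list:
    """Return a list of finding codes; an empty list means no heuristic fired."""
    msg = message_from_string(raw)
    findings = []

    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To")) if msg.get("Reply-To") else from_dom
    if reply_dom != from_dom:
        findings.append("reply-to-mismatch")

    # A domain that is not a known supplier but is within two edits of one.
    if from_dom not in KNOWN_SUPPLIER_DOMAINS:
        for known in KNOWN_SUPPLIER_DOMAINS:
            if edit_distance(from_dom, known) <= 2:
                findings.append(f"lookalike-domain:{known}")

    # Assumes the gateway stamps its own Authentication-Results header.
    if "dmarc=pass" not in (msg.get("Authentication-Results") or "").lower():
        findings.append("dmarc-not-pass")

    body = _body_text(msg)
    if any(re.search(p, body, re.I | re.S) for p in BANK_CHANGE_PATTERNS):
        findings.append("bank-detail-change")
    if re.search(URGENCY_PATTERN, body, re.I):
        findings.append("urgency")
    return findings


# Constructed sample messages.
LEGIT_INVOICE = """From: Accounts Payable <ap@acme-widgets.example>
To: finance@victim.example
Subject: Invoice 4471
Authentication-Results: mx.victim.example; spf=pass; dkim=pass; dmarc=pass header.from=acme-widgets.example
Content-Type: text/plain

Please find invoice 4471 attached, due on the usual terms.
"""

LOOKALIKE_FRAUD = """From: Accounts Payable <ap@acme-wldgets.example>
Reply-To: accounts@relay-mail.example
To: finance@victim.example
Subject: Invoice 4471 - payment
Authentication-Results: mx.victim.example; spf=softfail; dkim=none; dmarc=fail header.from=acme-wldgets.example
Content-Type: text/plain

URGENT: we have updated our bank details. Please pay invoice 4471 to the new account today.
"""

# Hijacked supplier mailbox: every header looks legitimate, only the content cue fires.
HIJACKED_ACCOUNT_FRAUD = """From: Accounts Payable <ap@acme-widgets.example>
To: finance@victim.example
Subject: Invoice 4471
Authentication-Results: mx.victim.example; spf=pass; dkim=pass; dmarc=pass header.from=acme-widgets.example
Content-Type: text/plain

Our bank account details have changed with effect from this month. Please settle invoice 4471 to the new account.
"""

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT_INVOICE), ("lookalike", LOOKALIKE_FRAUD),
                      ("hijacked", HIJACKED_ACCOUNT_FRAUD)]:
        print(name, screen_message(raw))
```

The third sample is the important one: when the supplier’s real mailbox has been taken over, SPF, DKIM and DMARC all pass and the domain is genuine, so only the request to change bank details stands out. That is why the control for BEC is procedural as much as technical: any change of payment details is confirmed by calling the supplier back on a number already on file, never one taken from the email.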
Trust no one, verify everything
Complexity is the enemy of security, but the friend of our adversaries. And as discussed over the past three blogs, modern supply chains are nothing if not complex. Whether we’re talking about dependencies on devices, digital artefacts, services or software, the important thing to remember is that trust should never be freely given.
Risk should be continually identified and managed. In most cases, that means verifying the authenticity and security of suppliers and of supply chain elements like software and hardware components, limiting what each supplier can reach, and confirming payment changes out of band. Supply chain threats are here to stay. It’s time we got better at identifying and mitigating them.