In a supply chain attack, cyber-criminals exploit weaknesses in an organization's supply chain, including third-party software, hardware, and services. Even if an organization has robust cyber-security measures, insecure suppliers or third-party providers can be a gateway for attackers to bypass them. These attacks can cause catastrophic damage; Verizon coined the term "supply chainpocalypse" in its 2022 Data Breach Investigations Report.
“Supply Chainpocalypse”
Although 2022 seemed relatively quiet, with companies mainly feeling the ripple effects of the Log4j vulnerability, 2023 has already brought two significant supply chain attacks: 3CX and MOVEit. Before examining the reasons supply chain attacks are named one of the biggest cyber-security threats of 2023, let's look at the impact of Log4j, 3CX, and MOVEit.
Log4j
According to the 2023 Verizon DBIR, although the industry did not initially experience the predicted disaster, a closer examination of the effects revealed that “Log4j was used by a variety of actors to achieve an assortment of different objectives, with 73% of our cases involving espionage and 26% involving organized crime.” In addition, 26% of the cases in which the Log4j vulnerability was exploited in the wild were part of a ransomware attack, demonstrating that criminals leverage every available avenue for breaching data.
3CX
In March 2023, 3CX, a well-known provider of VoIP software, revealed that its desktop applications for both Windows and macOS had been compromised with malicious code. This allowed criminals to download and execute code on every device where the app was installed. 3CX has a vast base of over 600,000 customers and 12 million users across multiple industries, including aerospace, healthcare, and hospitality.
To investigate the situation, 3CX engaged incident response firm Mandiant. Mandiant's report stated that the compromise originated in 2022, when a 3CX employee installed an infected software package distributed via an earlier software supply chain compromise: a tampered installer for X_TRADER, a software package provided by Trading Technologies. “This is the first time Mandiant has seen a software supply chain attack lead to another software supply chain attack,” reads the Mandiant report.
MOVEit
MOVEit is managed file transfer (MFT) software for secure data transfer within teams, departments, and companies. It encrypts files and uses secure file transfer protocols. It has gained the trust of thousands of enterprises, including 1,700 software companies and 3.5 million developers from industries such as healthcare, finance, technology, and government. Notable organizations including the BBC, Zellis, and Norton were affected by the vulnerabilities discovered between May 31 and June 12, 2023. Using the exploited SQL injection vulnerabilities, attackers could manipulate data stored in MOVEit databases, disclose sensitive information, gain administrative privileges, exfiltrate files, and even deploy ransomware and other malicious payloads. The MOVEit flaw is believed to have been widely exploited before its official disclosure and the release of a patch.
There are five primary reasons for the rise of supply chain attacks.
1. Vulnerable Open-Source Software
Although open-source software brings organizations advantages such as flexibility, transparency, and cost efficiency, it also presents significant application-security risks because of the vulnerabilities it can carry. Its open nature allows anyone to modify the code, making it susceptible to supply chain attacks. This leaves an organization's systems exposed to cyber-criminals who could exploit those weaknesses to gain unauthorized access, resulting in the theft of sensitive data or disruption of corporate systems.
2. Vendor Software
Relying on third-party applications increases the likelihood of network-level cyber-attacks and security threats, as the SolarWinds attack showed. Cyber-criminals may exploit the authorized use of an infected app to compromise or steal sensitive data. Additionally, a third-party app may lack the same privacy protections as the organization, potentially resulting in user data being shared with third parties without consent, or even sold to advertisers.
3. AI-Generated Malware
Creating malicious software, such as ransomware, spyware, and command-and-control tooling, is becoming increasingly sophisticated. Even ChatGPT is being used to create such malware. As these types of software evolve, they become harder to detect within a supply chain, since they can effectively disguise themselves as secure applications or legitimate software updates.
4. Insider Threats or Human Error
Insider threats in supply chain attacks extend beyond an organization's employees to include third-party collaborators. The potential fallout from such an attack is severe, given the difficulty of detection. To combat insider threats, it's essential to implement rigorous access control and user activity monitoring. While human error can't be eliminated, it can be mitigated through proper security measures, such as training programs that raise awareness about supply chain risks.
5. Lack of Encryption
It is noble to place trust in business partners, third-party providers, employees, and end-users. However, that trust can be exploited and become a significant vulnerability. An organization must use end-to-end encryption to protect sensitive data. With robust encryption in place, cyber-criminals will find it harder to create a backdoor for data exfiltration during a supply chain attack.
Do You Zero-Trust?
A zero-trust security model assumes that no one is to be trusted and requires strong authentication before allowing access to data and other assets. A zero-trust framework can reduce supply chain attacks by blocking unauthorized activities within a network. Although the need for a zero-trust approach to security is well documented in various bulletins and regulations, many organizations face challenges implementing it. This is especially true for small and medium-sized businesses due to constrained resources and budgets.
Supply chain attacks are extensive, meticulously planned, and well-funded endeavors. They take advantage of the trust between business associates and third-party software providers, making it challenging to detect and prevent these attacks before they cause harm. Nonetheless, we can make headway by adopting a zero-trust approach that involves multi-factor authentication and end-to-end encryption. Furthermore, we should always appreciate the importance of educating employees on security awareness, as it can significantly bolster an organization's security.
Anastasios Arampatzis is a cyber-security content writer for Bora Design.