A supply chain attack, also called a value-chain or third-party attack, happens when somebody accesses your system through a trusted partner, supplier or third party that has some level of access to your systems and data.
It targets parts of your supply chain that might not have the levels of security that you employ in your organisation. That gives cyber-criminals an easy way to disrupt your business at its weakest point.
In this blog post, we’ll explore examples of supply chain attacks as well as offer advice on what you can do to prevent them from happening in the first place.
Breaching the most vulnerable point
Supply chain attacks can happen to any organisation operating in any industry. They almost always happen when security at one of your subsidiaries or partners isn’t as rigorous as yours.
The Paradise Papers, 13.4 million records detailing the tax arrangements of super-rich politicians, celebrities and more, were hacked and placed online via an International Consortium of Investigative Journalists (ICIJ) report in 2017. The weak link? A law firm without adequate security measures to stop the attack in the first instance.
It was a similar story with the Panama Papers. The details of a multitude of wealthy individuals were hacked and then distributed online.
Attacking the digital supply chain
It’s even worse when you think about the digital supply chain, especially when you consider hardware and software manufacturers. ASUS, the multi-billion-dollar Taiwanese tech giant, fell victim to one of the biggest supply chain hacks in history earlier this year. Kaspersky Lab, a leading cybersecurity firm, went public with details about the breach in January 2019.
Attackers managed to hijack ASUS’s trusted automatic software update tool to push iterations of the malware to potentially hundreds of thousands of machines. The updates appeared to be authentic as each one was signed with ASUS digital certificates, so they verified as coming directly from ASUS itself.
It’s the same story for NotPetya, the ransomware (which, technically, wasn’t really ransomware) that spread across the world in 2017. It was found to have originated at a Ukrainian organisation known as M.E. Doc, manufacturers of accounting software. The UK, US and Ukraine allege that M.E. Doc was infiltrated by Russian operatives in a ‘state-sponsored’ cyberattack designed to cause disruption globally.
Going for the money
Supply chain attacks can also target financial institutions. One example is the Shylock banking trojan. Mainly focused on the UK, US and Italy, it is designed to compromise websites through website builders used by creative and digital agencies. A great deal of web development work conducted by enterprise organisations is outsourced to creative agencies, as some larger organisations lack the agility or expertise to produce a website quickly.
The National Cyber Security Centre, the UK agency tasked with keeping the UK safe from cyberattacks, describes how Shylock compromised systems:
“They employed a redirect script, which sent victims to a malicious domain owned by the Shylock authors. From there, the Shylock malware was downloaded and installed onto the systems of those browsing legitimate websites.”
Shylock is a relatively low-effort tactic employed by cybercriminals and, as such, it’s very effective.
By integrating a multitude of different features adopted from other malware, Shylock could perform customisable ‘man-in-the-browser’ attacks, avoiding discovery and preventing analysis by experts.
Is gaming a blindspot?
Imagine planting malicious software somewhere that’s directly in the unsuspecting target’s home. That’s exactly what happened when hackers targeted the tools used by video game developers to produce games.
Elements of Microsoft Visual Studio, the de facto development tool used across the video game industry and in programming circles, have been compromised, according to this exposé by leading tech publication Wired.
Leveraging tactics used in the ASUS example, malicious code was injected directly into the libraries used to code video games such as zombie survival game Infestation as well as first-person shooter PointBlank. As a result, tens of thousands of machines were infected, mainly in Asian countries such as Thailand and the Philippines.
According to Pete Kinder, Chief Technology Officer (CTO) at Wax Digital, gaming could be a blind spot in the fight against supply chain attacks: “Many software developers, particularly those in the video games industry, should take care and ask, where does their development software come from? Is it an official licence? And has the source code been messed about with? You should encourage teams to verify the authenticity of the tools they’re using – as well as encourage employees to only use tools from authorised sources.”
He adds: “Unfortunately, I don’t think this is being done in the wider business world. Here at Wax Digital, we frequently audit our development tools to ensure that we aren’t propagating malicious code in our solutions.”
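One way to carry out the kind of development-tool audit described above, as an added example (not Wax Digital's code or process): the script compares every file in a tool directory against SHA-256 hashes pinned when the tools were obtained from an authorised source. The manifest format, file names and sample contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large tool binaries are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_tools(tool_dir: Path, manifest: dict) -> dict:
    """Compare every file under tool_dir with the pinned manifest.

    manifest maps a relative POSIX path to the SHA-256 recorded when the
    tool was obtained from its authorised source (hypothetical format).
    """
    findings = {"modified": [], "unlisted": [], "missing": []}
    seen = set()
    for path in sorted(p for p in tool_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(tool_dir).as_posix()
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            findings["unlisted"].append(rel)   # not from an authorised source
        elif sha256_file(path) != expected.lower():
            findings["modified"].append(rel)   # changed since it was pinned
    findings["missing"] = sorted(set(manifest) - seen)
    return findings


def is_clean(findings: dict) -> bool:
    """True only when nothing was modified, unlisted or missing."""
    return not any(findings.values())


def demo() -> dict:
    """Constructed sample: one library altered, one file added, one removed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "compiler.bin").write_bytes(b"compiler v1")
        (root / "lib" / "runtime.lib").write_bytes(b"runtime v1")
        manifest = {p.relative_to(root).as_posix(): sha256_file(p)
                    for p in root.rglob("*") if p.is_file()}
        manifest["linker.bin"] = "0" * 64                   # pinned but absent
        (root / "lib" / "runtime.lib").write_bytes(b"runtime v1 + injected")
        (root / "helper.dll").write_bytes(b"added later")   # never authorised
        return audit_tools(root, manifest)
```

The manifest itself has to be stored and distributed separately from the tools it describes; a manifest that sits in the same writable directory can be altered along with the files.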
What can I do to prevent supply chain attacks?
There are numerous things you can do to prevent supply chain attacks in your organisation. We’ve listed out some of the most common below:
#1 – Restrict the use of external software – carefully identify what external software is essential to your business functioning and eliminate other tools you don’t need.
#2 – Limit your use of freeware – many of the supply chain attacks we’ve mentioned originate from freeware, software that is widely used by people all over the world. You should identify whether you actually need the freeware tool or not and consider spending on an authorised solution that fulfils the same purpose from a reputable seller.
#3 – Limit web browser extensions and plugins – speak to your IT team and encourage them to develop a policy that limits browser extensions and plugins and restricts the installation of those that could do harm.
#4 – Scrutinise and secure your supply chain – talk to your suppliers and find out what security measures they intend to implement to prevent supply chain hacks. Pay attention to those suppliers that might have access to your data or files.
Share your security tips
At Wax Digital, as a leading SaaS eProcurement provider, we take data security very seriously, and as such, our IT team employs the latest techniques and technologies to secure our systems.
But we’re always on the hunt for new knowledge, and to that end, do you have any tips you’d like to share with us?