
Kamil Fedorko at Intellias describes how supplier security might be affecting your business
Supply chain attacks rose sharply in 2023 and are on track to break the records set in previous years. Between 2019 and 2022 the number of incidents grew by 742%, pushing supply chain security to the top of CISOs' priority lists and showing how much success threat actors are having by targeting the weak points of the modern digital supply chain.
The problem is that successfully safeguarding today’s increasingly complex supply chains is a daunting task, particularly because vulnerabilities can exist or be introduced at any point.
In general terms, a supply chain attack occurs when threat actors infiltrate technology infrastructure not by breaching its cyber-security directly, but by gaining access through its suppliers, vendors or partners. These attacks compromise a less secure entity and exploit the access it already has into larger organisations: rather than breaking through the walls of a steel vault, the attacker climbs in through its far less protected ventilation system.
Supply chain attacks first made mainstream headlines with the 2020 SolarWinds breach; 2021 brought the Kaseya and Quanta incidents, and in 2022 Okta and Kojima Industries Corp were successfully targeted. The estimated cumulative cost of these hacks alone approaches $60 billion, before government fines and legal actions are counted.
More recently, the major breaches of 2023 show how a single vulnerability can have an enormous impact. The flaw in the MOVEit Transfer file-transfer product, which emerged earlier this year, triggered a wave of record-setting breaches, costing businesses nearly $10 billion, with more than 1,000 organisations falling victim. This illustrates why attackers now target the supply chain rather than individual organisations: one vulnerability in a widely deployed product reaches every customer running it, so many attackers have shifted from sniper-like precision to shotgun-style tactics.
Generally speaking, supply chain attacks can be classified into macro and micro categories:
Macro attacks focus on intrinsic solutions used company-wide, like a file transfer system, and have formed the majority of the high-profile and damaging incidents seen in recent years. In contrast, micro attacks concentrate on a specific technology component, such as an open-source repository. While not a formal classification, this breakdown provides a logical view of supply chain threats.
While macro breaches dominate the headlines, micro attacks should raise similar concerns. Service and software vulnerabilities such as Log4Shell, ProxyLogon, Spring4Shell, the Confluence RCE and SAP ICMAD are typically not considered supply chain exploitation, but Advanced Persistent Threat (APT) groups and state-sponsored hacking teams might disagree.
What tends to happen is that these threat actors exploit a single vulnerability in widely used enterprise software to hit many organisations at once. Why target a virtual machine when the hypervisor beneath it gives access to every VM it hosts? Why target an employee when the enterprise server itself is open to a login bypass?
State-sponsored hackers, with their vast resources, zero in on these micro vulnerabilities, targeting the very software infrastructure businesses operate on. The logic is simple yet very effective: why compromise a single component when you can topple the very platform it stands on?
One of the significant outcomes of these attacks in 2023 has been the rise of more advanced malware and ransomware. Payloads written in compiled languages such as Rust and Go are harder for traditional signature-based tooling to analyse and simple to cross-compile for several platforms, which raises attackers' success rate. Microsoft's data, which suggests that 97% of ransomware infiltrations take less than four hours to execute, underscores the urgency of the situation.
Timing is also crucial, as many attacks are strategically launched during vulnerable times, such as early mornings or holidays.
The consequence is that businesses suffer. Only about 50% of affected businesses manage to recover, often after significant data loss. The speed of these attacks, combined with their growing frequency, makes them a serious concern for every organisation.
So how can organisations secure their supply chain endpoints against these risks? First, aggressively patch and update every internet-facing system, prioritising critical flaws such as Log4Shell and Spring4Shell. Second, monitor systems for the indicators of compromise associated with supply chain attacks so that a breach is detected early. Third, enforce least privilege and zero trust principles so that a compromised endpoint cannot be used for lateral movement.
In addition, stronger authentication should be required for remote access, VPNs and cloud admin consoles, and tested backup and recovery policies will help the organisation recover after an incident. Security also improves when protection is built into the software development life cycle: DevSecOps practices surface vulnerabilities early, and limiting access permissions across the supply chain reduces what an attacker gains from any single compromised supplier.
All of these measures should be underpinned by a robust, fully tested incident response plan so that security teams can contain a supply chain breach quickly. Taking these steps will help secure supply chain endpoints and protect the organisation as attacks continue to escalate in the months and years ahead.
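As an added worked example (not code from the article or from Intellias), the check below shows what "finding vulnerabilities early" looks like in a DevSecOps pipeline: it walks a CycloneDX-style software bill of materials, including nested transitive components, and flags any component whose version falls inside a known-affected range. The sample SBOM is constructed for the example, and the policy table is an assumption built from the public Log4Shell (CVE-2021-44228 and the follow-up fixes, resolved by log4j-core 2.17.1) and Spring4Shell (CVE-2022-22965, fixed in Spring Framework 5.2.20 and 5.3.18) advisories; a real pipeline would load affected ranges from a vulnerability database and verify them against the vendor advisory.

```python
"""Added example: flag known-vulnerable dependencies in a CycloneDX-style SBOM.

Not code from the article or from Intellias. POLICY is an assumption built
from the public advisories; a real pipeline would load affected ranges from a
vulnerability database and check them against the vendor advisory.
"""
import json
import re
from typing import Dict, Iterable, List, Tuple

# An affected range is (first affected, first fixed): lo <= version < hi.
Range = Tuple[str, str]

# (group, artifact) -> (affected ranges, advisory label)
POLICY: Dict[Tuple[str, str], Tuple[List[Range], str]] = {
    ("org.apache.logging.log4j", "log4j-core"): (
        [("2.0-beta9", "2.17.1")],
        "Log4Shell (CVE-2021-44228 and follow-up fixes; upgrade to 2.17.1+)",
    ),
    # Both maintained Spring branches received a fix: 5.2.20 and 5.3.18.
    ("org.springframework", "spring-beans"): (
        [("0", "5.2.20"), ("5.3.0", "5.3.18")],
        "Spring4Shell (CVE-2022-22965)",
    ),
    ("org.springframework", "spring-webmvc"): (
        [("0", "5.2.20"), ("5.3.0", "5.3.18")],
        "Spring4Shell (CVE-2022-22965)",
    ),
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")
_RELEASE_TAGS = {"release", "final", "ga"}  # marker suffixes, not pre-releases


def parse_version(text: str) -> Tuple[Tuple[int, ...], int, str]:
    """Turn '2.0-beta9' or '5.2.19.RELEASE' into a tuple that compares correctly.

    Numeric parts compare as integers (2.17.1 > 2.9.1), a pre-release tag sorts
    before the bare release, and marker tags such as .RELEASE are ignored.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * max(0, 4 - len(nums))  # 2.17 compares equal to 2.17.0
    tag = m.group(2).lstrip("-._").lower()
    if tag in _RELEASE_TAGS:
        tag = ""
    return (nums, 1 if tag == "" else 0, tag)


def is_affected(version: str, ranges: Iterable[Range]) -> bool:
    """True if the version lies inside any affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


def walk_components(components: Iterable[dict]) -> Iterable[dict]:
    """Yield every component, descending into nested (transitive) components."""
    for comp in components:
        yield comp
        yield from walk_components(comp.get("components", []))


def flag_components(sbom: dict) -> List[dict]:
    """Return one finding per component that is affected or cannot be assessed."""
    findings = []
    for comp in walk_components(sbom.get("components", [])):
        key = (comp.get("group", ""), comp.get("name", ""))
        if key not in POLICY:
            continue
        ranges, advisory = POLICY[key]
        version = comp.get("version", "")
        try:
            affected = is_affected(version, ranges)
        except ValueError:
            # Never let an odd version string pass silently as "safe".
            affected, advisory = True, "version could not be parsed; review manually"
        if affected:
            findings.append({"component": f"{key[0]}:{key[1]}",
                             "version": version, "advisory": advisory})
    return findings


# Constructed sample SBOM for the example (not a real project's BOM).
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"group": "org.springframework", "name": "spring-webmvc", "version": "5.3.18"},
    {"group": "com.example", "name": "inventory-service", "version": "1.4.2",
     "components": [
       {"group": "org.springframework", "name": "spring-beans", "version": "5.2.19.RELEASE"},
       {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.0-beta9"}
     ]},
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
    {"group": "org.springframework", "name": "spring-beans", "version": "unknown"}
  ]
}
""")

if __name__ == "__main__":
    for finding in flag_components(SAMPLE_SBOM):
        print(f"{finding['component']} {finding['version']}: {finding['advisory']}")
```

The version comparison is the part worth getting right: 5.2.19.RELEASE must sort below 5.2.20, 2.0-beta9 must fall inside the Log4Shell range even though it sorts below a bare 2.0, and a version string that cannot be parsed is reported for manual review rather than silently treated as safe. Walking nested components matters because the vulnerable library is usually pulled in transitively by an internal service rather than declared directly.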
Kamil Fedorko is Global Cybersecurity Practice Leader at Intellias
Main image courtesy of iStockPhoto.com
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543