
Supply Chain and Dependency Attacks: Has Anything Changed?

Supply chain and dependency attacks continue to plague organizations. This threat has been growing for years, making it an excellent business for ambitious cybercriminals.

A successful attack against a third-party vendor or supplier provides many opportunities in the third-party’s downstream connections for the attacker. Vendors and suppliers are typically not as well secured as larger connected entities.

New government initiatives to help businesses become more secure could help. CISA, along with Secure by Design initiatives, the CISA OSS security road map, and SBOMs, are all meant to assist in the effort.

In 2024, 3 years since the SolarWinds headlines, has any progress been made in supply chain and dependency attacks? Let’s take a look.

Pain in the Supply Chain

In 2021, “supply chain attack” was a relatively new term for industry professionals. Cyberattacks on software supply chains made the risks clear: the attacks on SolarWinds, Kaseya, Colonial Pipeline, Fazio, Target, and Maersk are among the more notable events. Supply chain attacks quickly became a lucrative vector for threat actors.

The interconnections within supply chains add a layer of complexity, but this also raises the likelihood of hidden vulnerabilities and unmonitored/unscrutinized entry points for code and compromised binaries. It’s a clever way to skirt the normal protections.

Most ransomware gangs understand how fragile they are and continually develop new methods to attain the highest payout during an attack.

Currently, there is no way to completely eliminate supply chain or third-party risks, but we must do better. Every organization needs to assess where potential risks exist in its network that can be mitigated, both to reduce the likelihood of an attack and to avoid becoming an attack vector for upstream or downstream partners.

Vendor Consolidation—Does It Fix Anything?

With escalating IT costs, small businesses are looking to reduce the number of vendors they need to manage. One way is to consolidate them under one vendor group. Organizations hope that by doing this they are reducing their risk, and on paper, perhaps this appears to limit risk to a single vendor, but the reality is that the risks are still there, hidden in the vendor’s supply chain. It is similar to a hidden tax, according to some experts.

Supply Chain Threats

Supply chain threats are generally said to come from two sources: nation-states and cybercriminal groups.

The first is nation-states, which want to gather intelligence for espionage on a broad scale. The second is cybercriminal groups. They target supply chains because they can leverage ransomware against multiple victims at once.

Of course, there is a loose connection between cybercriminals and nation-state threat actors that often leads to a combined goal of disruption and extortion.

Has Anything Changed?

We asked our Director of Advisory Services, Elise Manna-Browne, how she views the current supply chain attack landscape and if anything has changed. She says the success of the SolarWinds breach spawned a significant amount of attention to supply chain attacks.

In addition, when Microsoft and security vendors are getting breached themselves, it opens up the proverbial can of worms on third-party risks. More recently, there have been a few supply chain and dependency-related attacks that underscore the need to do better. These include:

CDK

CDK provides a suite of cloud-related software and services to the automotive retail industry. From a historical perspective, originally there was a company called ADP Dealer Services. ADP was a DMS provider that merged with Cobalt, a digital marketing services provider and then merged with CDK Global. As part of this last merger, there were private equity investments.

Just as with other breaches, the lack of cyber hygiene throughout CDK’s history is likely the cause of the incident. The glaring questions some are asking:

  • Where were the security audits?
  • Was there a lack of monitoring or was there a lack of clear protocols?

Of course, there was a lot that should have been in place but wasn’t.

Microsoft

On January 12th, Microsoft detected malicious activity on its network by a threat actor they identified as “Midnight Blizzard,” a Russian state-sponsored threat group also known as NOBELIUM. This group specializes in intelligence gathering and cyber espionage operations and is known to target governments, non-governmental organizations, diplomatic entities, and IT service providers, mostly in Europe and the United States.

The techniques used by Midnight Blizzard included:

  • Password Spraying
  • Malicious use of OAuth Apps
  • Exchange Web Services for Data Collection
  • Residential Proxies to hide their connections

While more about this attack is still being revealed, Microsoft offers some actions for its customers to reduce the risk of them being the next victim of an attack like this one.

These include identifying malicious OAuth applications, eliminating the use of insecure passwords, implementing MFA, educating employees to monitor the sign-in activity on their accounts for suspicious attempts, and resetting the passwords of any accounts that would be targeted during a password spray attack.

Businesses should also enable protection and alerts in Microsoft Entra, and identify and investigate suspicious OAuth activity.
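The sign-in monitoring recommended above can be partly automated. The following is an added example, not code from the original post or from Microsoft: it parses constructed sign-in log lines (timestamp, account, source IP, result) and flags a source IP whose failed sign-ins touch many distinct accounts inside a short window, the shape of a password spray, and it returns the accounts touched so their passwords can be reset and any success after the spray can be investigated. The log format and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log lines for the example (not real data).
SIGNIN_LOG = """\
2024-01-12T03:00:01Z alice@example.test 203.0.113.7 FAILURE
2024-01-12T03:00:09Z bob@example.test 203.0.113.7 FAILURE
2024-01-12T03:00:17Z carol@example.test 203.0.113.7 FAILURE
2024-01-12T03:00:25Z dave@example.test 203.0.113.7 FAILURE
2024-01-12T03:00:33Z erin@example.test 203.0.113.7 FAILURE
2024-01-12T03:00:41Z frank@example.test 203.0.113.7 SUCCESS
2024-01-12T03:01:00Z alice@example.test 198.51.100.4 FAILURE
2024-01-12T03:01:30Z alice@example.test 198.51.100.4 FAILURE
2024-01-12T03:02:00Z alice@example.test 198.51.100.4 SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAILURE)$")

def parse_log(text):
    """Parse log lines into (timestamp, account, source_ip, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs whose failures hit >= min_accounts distinct accounts
    within a sliding window (assumed thresholds). One account failing
    repeatedly from one IP is a forgotten password, not a spray."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in sorted(events):
        by_ip[ip].append((ts, user, result))
    alerts = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            targeted = {u for _, u, r in in_window if r == "FAILURE"}
            if len(targeted) >= min_accounts:
                # Any success in the same window is the highest-priority follow-up.
                successes = {u for _, u, r in in_window if r == "SUCCESS"}
                alerts[ip] = {"targeted": sorted(targeted),
                              "successes": sorted(successes)}
                break
    return alerts
```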

Disney Slack

In mid-July, a group known as NullBulge successfully infiltrated the Disney network and then stole approximately 1.1 TB of data from roughly 10,000 internal Slack channels.

According to the hacktivist group, their developer leveraged a compromised video game mod to access the Disney network. This highlights the problems associated with malicious and risky applications. End-users with admin privileges frequently download and install these.

Experts recommend that businesses should be blocking risky apps and have strict controls in place, along with running routine assessments of SaaS applications used in their networks.

Areas for Immediate Action

Bearing in mind that today’s software packages include many third-party components, Software Bills of Materials (SBOMs) are critical. Historically, vendors have used bills of materials in supply chain management to identify all the pieces included in their products.

SBOMs and asset management, including documenting all those network connections to outside parties, should be a top and immediate priority.
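What an SBOM buys you when a dependency is found to be compromised or vulnerable is a fast answer to “do we ship this component, and which version?”. The following is an added example, not code from the original post: it reads a constructed CycloneDX-style SBOM, extracts each component’s package URL, and matches it against a constructed advisory list keyed by package with an affected version range. The advisory identifiers and package names are placeholders, and the version comparison assumes plain dotted numeric versions.

```python
import json

# Constructed CycloneDX-style SBOM fragment (not a real product's SBOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-logger", "version": "2.14.1",
     "purl": "pkg:maven/org.example/example-logger@2.14.1"},
    {"type": "library", "name": "left-widget", "version": "1.0.3",
     "purl": "pkg:npm/left-widget@1.0.3?foo=bar"},
    {"type": "library", "name": "safe-lib", "version": "3.2.0",
     "purl": "pkg:pypi/safe-lib@3.2.0"}
  ]
}"""

# Constructed advisory feed: package key -> (first affected, first fixed, id).
# The ids are placeholders, not real advisory numbers.
ADVISORIES = {
    "pkg:maven/org.example/example-logger": ("2.0.0", "2.15.0", "ADVISORY-PLACEHOLDER-1"),
    "pkg:npm/left-widget": ("1.0.0", "1.0.4", "ADVISORY-PLACEHOLDER-2"),
}

def parse_version(v):
    """Assumes dotted numeric versions; compare as integer tuples, not strings."""
    return tuple(int(p) for p in v.split("."))

def split_purl(purl):
    """Return (package key, version): drop ?qualifiers and #subpath, then split
    the trailing @version so the key matches the advisory feed."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    key, _, version = base.rpartition("@")
    return key, version

def affected_components(sbom_text, advisories):
    """List (name, version, advisory id) for components inside an affected range."""
    hits = []
    for comp in json.loads(sbom_text).get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # components without a purl cannot be matched reliably
        key, version = split_purl(purl)
        if key in advisories:
            lo, hi, adv = advisories[key]
            if parse_version(lo) <= parse_version(version) < parse_version(hi):
                hits.append((comp["name"], version, adv))
    return hits
```

Without the SBOM, the same question is a manual search across every build; with it, the query is a lookup.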

We also suggest that organizations consider being more responsible to each other. The world is getting more connected. If these upstream/downstream threats remain unaddressed, it will be much harder for the industry as a whole down the road.
