No organization exists in a vacuum. There is no such thing as a completely self-sustaining company that does not in some way depend on suppliers, partners, and service providers. Businesses use products and services from other companies to manage and grow their own business, and that exposes them to risk. Attackers understand the broader ecosystem and can target companies or products you trust, turning your supply chain into a stealthy Trojan Horse attack.
The supply chain can mean different things and take different forms depending on the company and industry. In a nutshell, though, the products and services a business needs in order to function optimally and deliver the products or services that generate revenue are all part of the supply chain. Whether it’s flour for a bakery, or the parts and materials for a manufacturing facility, businesses rely on products and services from other businesses to get the job done.
The Supply Chain May Be the Weak Link
With the rise of mobile devices and the explosion of cloud-based services, containerized applications, and internet-of-things (IoT) devices, the tools and services that companies depend on are increasingly exposed to potential supply chain attacks. Cybercriminals have figured out that it is often easier to infiltrate and compromise an organization by hacking a trusted third party, or by embedding a rootkit or malware in hardware or software the company already uses, than by attacking the organization head-on.
There are plenty of real-world examples of successful supply chain attacks. The most infamous is the Target breach that exposed personal information and credit card data of 110 million customers in 2013. Attackers were able to discover a list of contractors providing services for Target, and compromise a refrigeration contractor with a phishing email that installed the Zeus banking Trojan. That eventually allowed them to capture the login credentials the contractor used to access the Target network, and voila! The attackers had compromised Target.
In 2015, attackers were able to infiltrate Apple’s iOS App Store by offering a version of the Xcode development platform that planted Trojan backdoors into the apps created with it. Developers in China were frustrated with the speed of downloading Xcode from servers in the United States, and the attackers took advantage of that by offering a version of Xcode hosted from a local cloud service in China. At face value, the software worked as expected. Once the compromise was detected, 39 applications were discovered in the App Store that contained the Trojan code.
The most recent supply chain attack just occurred at Wipro. Wipro issued a statement explaining that a few employee accounts were compromised by a phishing attack. Because Wipro acts as a managed service provider (MSP), those compromised accounts gave the attackers a path into nearly a dozen of the clients that trust Wipro to connect to their networks and deliver services.
Cesar Cerrudo, CTO of IOActive, stated, “Wipro’s huge global presence as a supplier makes it an attractive target for such attacks. Unwittingly, they have put their customers at risk, due to their own internal security compromise. The knock-on effect could create a significant risk for companies downstream in the supply chain. Hopefully, we don’t see cascading attacks that cause significant disruption of operations or data compromise for organizations. But the fact that the risk is present will be of concern to their customers, as ultimately, they have been exposed to this risk through a trusted partner; the result on Wipro as an IT service provider from a reputation perspective could be significant.”
Cerrudo also stressed, however, that Wipro is not alone. System compromise is a fact of business life. This is just another example of the opportunity and risk, intended and unintended consequences we face in an increasingly connected world. By leveraging trusted and known accounts in this way, the hacker increases the likelihood that their attack will bypass security and land on the target system.
“These types of attacks are incredibly difficult to defend against, as trust is an essential part of any partnership,” explained Cerrudo. “However, companies should be careful to ensure that they have the right controls in place to ensure that even if a hacker does gain access to an employee’s credentials, this doesn’t mean they have the keys to the kingdom. If an organization isn’t looking for security risks, then a threat actor doesn’t need to launch a costly, complex or high-risk supply chain attack to compromise the organization.”
Defending Against Supply Chain Attacks
The best defense against supply chain attacks is due diligence. Many organizations struggle just to secure and protect their own networks and data, but that is not an excuse to grant access to a third party without a thorough assessment of their security posture and policies as well. Your responsibility, ultimately, is to the customers and employees who rely on you.
You have an obligation to ensure the suppliers you trust are also focused on supply chain integrity (don’t forget—they also have their own supply chains to worry about). Simply put, if you can’t trust or verify something, you have no business allowing it in your supply chain.
On the cyber side of the supply chain there are concrete verification steps you can take: reviewing source code and diffing it against what the vendor actually published, requiring code signing and checking the integrity of every update before it is installed, keeping devices on the latest firmware while verifying that the firmware image itself is the one the vendor released (by signature or by a digest pinned from the vendor’s own channel), and more. The common thread is that the trust decision is made on evidence you obtained independently of the download path, not on the fact that a file arrived and appears to work.
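The XcodeGhost case above is exactly the failure an update integrity check is meant to catch: a file fetched from a convenient mirror that works as expected but is not the one the vendor shipped. The following is an added example, not code from this article or from IOActive, showing the minimal version of that check: digests are pinned from the vendor’s own channel, every file obtained from the mirror must be present and match, and anything the mirror serves that the manifest does not list is flagged instead of silently trusted. It uses only the Python standard library; the filenames, the “vendor” and “mirror” directories, and the file contents are constructed for the demo and do not refer to any real product. It assumes the manifest itself was obtained over a channel you trust (ideally it is also signed); verifying that signature is out of scope here.

```python
"""Update integrity check: verify files fetched from a mirror against SHA-256
digests pinned from the vendor's own channel. Added example, stdlib only."""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 16  # stream large artifacts in 64 KiB blocks instead of slurping them


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(directory: str) -> dict[str, str]:
    """Vendor side: pin a digest for every file in the release."""
    return {name: sha256_file(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))}


def verify_download(directory: str, manifest: dict[str, str]) -> dict[str, str]:
    """Consumer side. Every pinned file must exist and match its digest;
    files the manifest never listed are reported as 'unexpected' so an extra
    library or script slipped in by the mirror cannot ride along unnoticed."""
    results: dict[str, str] = {}
    for name, expected in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = sha256_file(path)
        # compare_digest avoids leaking how many leading characters matched
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    for name in sorted(os.listdir(directory)):
        if name not in manifest:
            results[name] = "unexpected"
    return results


def safe_to_install(results: dict[str, str]) -> bool:
    """Install only when every file is present, matches, and nothing extra arrived."""
    return bool(results) and all(status == "ok" for status in results.values())


def demo() -> dict[str, str]:
    """Constructed scenario: the vendor publishes two files; a mirror serves one
    intact, one with lines appended, plus a file the vendor never shipped."""
    release = {  # hypothetical filenames and contents, constructed for the demo
        "build-tool.pkg": b"genuine installer bytes\n",
        "setup.sh": b"#!/bin/sh\necho installing\n",
    }
    with tempfile.TemporaryDirectory() as vendor, tempfile.TemporaryDirectory() as mirror:
        for name, data in release.items():
            with open(os.path.join(vendor, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(vendor)  # what you fetch from the vendor's own channel

        with open(os.path.join(mirror, "build-tool.pkg"), "wb") as f:
            f.write(release["build-tool.pkg"])                       # untouched
        with open(os.path.join(mirror, "setup.sh"), "wb") as f:
            f.write(release["setup.sh"] + b"# injected by mirror\n")  # tampered
        with open(os.path.join(mirror, "extra.dylib"), "wb") as f:
            f.write(b"not part of the release")                      # extra payload
        return verify_download(mirror, manifest)


if __name__ == "__main__":
    outcome = demo()
    for name, status in outcome.items():
        print(f"{status:10s} {name}")
    print("safe to install:", safe_to_install(outcome))
```

Run as a script it prints one status per file and a final verdict of `False` for the tampered mirror. The same logic is what `pip install --require-hashes` or a lockfile with pinned digests gives you for packages; the point of writing it out is to see the three distinct failure modes (mismatch, missing, unexpected) that all have to block installation, not just the first one.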
Attackers know that it’s often easier to slip in undetected by compromising the supply chain. It’s up to you to be vigilant and work to raise the cost threat actors face—both in attempting to execute a supply chain attack, and in the consequences they face after it is discovered.
Check out this video presentation by John Sheehy, VP of Sales and Strategy for IOActive to learn more about the risk of supply chain attacks and how to prevent them: Thoughts on Supply Chain Integrity.