A supply chain attack aims to damage an organization by targeting less secure elements in its supply network. Exploiting a service provider's supply chain, data supply chain or traditional manufacturer supply chain has been seen in a litany of major data breaches in the past few years. In all of these attacks, the victim is not the ultimate target of the attack, but rather a stepping stone to other networks.
Examples of Supply Chain Attacks
The 2013 attack against Target is the classic example of a supply chain attack. In that incident, attackers used stolen credentials from the vendor that serviced the HVAC systems in Target stores to access the retailer’s network and move laterally to the systems that stored customer payment information.
In our predictions report, the Cybereason Intel Team predicted that supply chain attacks will increase and remain undetected. There are a few good reasons for that, including:
Supply chain attacks are increasing because of their economies of scale. The past few years have been filled with massive data breaches that have flooded the underground markets with personally identifiable information, credit card numbers and bank account details. The supply of data now exceeds the demand, bringing down the value of this information.
Attack campaigns are operated like a business and like any business that hopes to stay afloat, each campaign has to yield a profit, have low operational costs and a high ROI. Supply chain attacks, such as M.E.Doc, enable hacking at scale: the attackers build a hacking operation that targets one organization, and through it are able to gain an initial foothold and further compromise hundreds and sometimes thousands of organizations. When combined with other automated mechanisms, these operations can be scaled up, which allows many organizations to be compromised at the same time.
This powerful shift helps drive the economics in favor of the attacker. Plus, supply chain attacks are the gift that continues to give: as long as they are not revealed, they provide ongoing access to new targets without investing in a new toolset. Compared to other common infection mechanisms like spear phishing and compromising passwords, the impact of a supply chain attack is widespread and continuous.
In some ways, improving enterprise security has helped foster supply chain attacks. With defenders cutting off easy routes to infections, attackers have become even more creative in how they attack enterprises. They see supply chain attacks as an easy way to infiltrate soft targets (especially if the company has limited security awareness and few security practices), commandeer their customers and surreptitiously install malware on their machines. Additionally, attacking trusted applications, contractors and suppliers provides adversaries with a stealthy way to compromise hard-to-reach targets, like defense contractors.
While the number of supply chain attacks will continue to grow, we expect detection to lag, especially in cases when the target provides products or services to a specific country or industry. Since most supply chain attacks include adding a backdoor to legitimate, certified software, they are rarely detected by an organization’s security tools. And don’t expect the software vendor that’s being targeted to detect the attack. The security teams at these companies usually don’t anticipate that their software would be targeted during the development stage, a point not lost on attackers.
Even if a compromised vendor discovered an attack, they could be reluctant to disclose it, fearing that their reputation would be damaged. They’re likely to quietly fix the problem and leave the compromised customers unknowingly exposed. A better option (and one that we prefer and hope companies follow) is to immediately report the compromise despite the potentially painful consequences.
» Follow best security practices: monitor vendor access to internal data and networks, establish boundaries for that access and adhere to those boundaries strictly.
» Log and monitor all external vendor access, and know your third-party providers’ incident response and disaster recovery plans.
» Decrease your attack surface by limiting users’ ability to install third-party software on machines, primarily freeware.
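The first two recommendations above (set boundaries for vendor access, then log and monitor against them) are easy to state and rarely automated. The following is an added illustration, not code from the original post or from Cybereason, of how a defender can audit vendor logins against a per-vendor policy. The vendor name, the source network, the internal segment, the maintenance window and the log lines are all constructed for the example; the Target incident described earlier is the kind of event this check is meant to surface, namely a vendor account reaching a segment it was never scoped for.

```python
"""Audit third-party vendor access against the boundaries set for each vendor.

Added illustration for the recommendations above; not code from the original
post. Vendor names, networks, hosts and log lines are all constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hypothetical boundaries agreed with each vendor: where they may connect
# from, which internal segment they may reach, and during which hours (UTC).
VENDOR_POLICY = {
    "hvac-vendor": {
        "allowed_sources": [ip_network("203.0.113.0/24")],   # vendor VPN egress (constructed)
        "allowed_segments": [ip_network("10.50.0.0/16")],    # building-management VLAN (constructed)
        "allowed_hours": range(8, 18),                        # 08:00-17:59 UTC maintenance window
    },
}


@dataclass
class Finding:
    vendor: str
    reason: str
    line: str


def parse_line(line: str) -> dict:
    """Parse one constructed access-log line of the form
    'TIMESTAMP vendor=NAME src=IP dst=IP action=login' into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def audit_vendor_access(lines, policy=VENDOR_POLICY):
    """Return a Finding for every vendor login that crosses a boundary.

    Unknown vendor accounts are always flagged: an account that was never
    scoped has no boundary to check against, which is itself the problem.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        vendor = rec["vendor"]
        rules = policy.get(vendor)
        if rules is None:
            findings.append(Finding(vendor, "account not in vendor policy", line))
            continue
        src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
        if not any(src in net for net in rules["allowed_sources"]):
            findings.append(Finding(vendor, f"login from unapproved source {src}", line))
        if not any(dst in net for net in rules["allowed_segments"]):
            findings.append(Finding(vendor, f"access to out-of-scope host {dst}", line))
        if rec["ts"].hour not in rules["allowed_hours"]:
            findings.append(Finding(vendor, f"login outside approved window at {rec['ts']:%H:%M}", line))
    return findings


# Constructed sample log: one in-policy login followed by four violations
# (off-hours login, unapproved source, out-of-scope segment, unscoped account).
SAMPLE_LOG = [
    "2024-03-04T09:15:00 vendor=hvac-vendor src=203.0.113.7 dst=10.50.1.20 action=login",
    "2024-03-04T02:40:00 vendor=hvac-vendor src=203.0.113.7 dst=10.50.1.20 action=login",
    "2024-03-04T10:05:00 vendor=hvac-vendor src=198.51.100.9 dst=10.50.1.20 action=login",
    "2024-03-04T10:30:00 vendor=hvac-vendor src=203.0.113.7 dst=10.200.3.15 action=login",
    "2024-03-04T11:00:00 vendor=unknown-contractor src=203.0.113.7 dst=10.50.1.20 action=login",
]

if __name__ == "__main__":
    for f in audit_vendor_access(SAMPLE_LOG):
        print(f"{f.vendor}: {f.reason}")
```

The policy is deliberately a whitelist on three axes (source, destination segment, time) rather than a blacklist of bad hosts: a vendor account is expected to behave predictably, so anything outside the agreed scope is worth a ticket even when the credentials themselves are valid. In production the same logic would run over VPN, jump-host or firewall logs rather than the constructed lines here, and the policy would be maintained alongside the vendor contract that defines the boundary.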