Supply Chain Attacks: A Closer Look

We, as Foregenix and as a security community, have seen our fair amount of breaches publicised the last year or so. Many of them are your run-of-the-mill breach where software is out-of-date, which provides an avenue for attackers within your infrastructure; or a phishing email that is sent to a list of potential targets to act upon it. We have also seen an increase in a certain category of attacks called a supply chain attack. But, what is a supply chain attack and why should you care?

A supply chain attack is an attack that targets individuals indirectly, through a vulnerable element in their supply chain. This element would be used by the targeted individual on day-to-day operations and/or be relied upon. An attacker compromising that element may in some cases, by extension, mean compromising the targeted individual operations and data as well. A supply chain attack can be targeted or blind.

• Targeted supply chain attack: A targeted attack means that there is a clearly defined target at the end of it. For example, the attacker’s main target is entity B, however, he/she will compromise entity A to get their end goal of compromising entity B. This also means an amount of reconnaissance has taken place beforehand to prove that reliance.
• Blind supply chain attack: In this type of attack there is no visible end goal. An entity is compromised in order to gain access to as many organisations that rely upon it as possible and then make as much use of those subsequent compromises as possible. They may yield some interesting targets or they may not.

Now let us have a look at some of the “famous” supply chain attacks to start putting the theory into practice:

• RSA/Lockheed Martin breach: On March 2011, RSA announced a breach to their systems. The spoils of that breach included data that could compromise the security of SecureID’ two factor authentication tokens. RSA never actually confirmed the content of what the attackers acquired. It was speculated that the attackers obtained access to the seed keys that are used in the calculation of the one-time password displayed on the screen of that token. Later that year, Lockheed Martin was the victim of a cyber-attack, attributing the success of the attack largely to the theft of the data for the RSA tokens. Lockheed Martin subsequently replaced all RSA SecureID tokens provided to the employees.
• Target breach: In 2014, Target announced a breach of its systems resulting in the theft of around 110 million of its customers’ credit cards. The way inside Target was traced to a HVAC firm that had VPN credentials for the use of electronic billing, contract submission and project management. For an attacker to move from an externally accessible area to sensitive ones, let alone the POS network, there needed to be other controls failing as well. However. the initial entry point was that of the HVAC firm.
• Petya/NotPetya: Petya/NotPetya ransomware started making  the rounds in mid-2017. It was designed as ransomware but ended up being a wiper; as there was no way for someone to recover their files, either paid or via a decryptor. The attackers, in this case, compromised the update server of the vendor of a popular Ukranian accounting software. When the update process kicked in, the malicious code would be downloaded on the victim’s PC and start doing its thing. This is a perfect example of a blind supply chain attack.
• CCleaner: Another 2017 supply chain attack that utilised the update mechanism of a popular software used by millions of people around the world. In this case it appears that the build server was somehow compromised to include malicious code in the actual software updates. This was later pushed to the update servers leading to a significant amount of compromised end-user systems. What makes this attack unique is the fact that it was a staged attack and part blind/part targeted. While the first stage of the malicious code would download and execute on all victims that updated their software; the second stage would only be downloaded and executed on victims that were part of large organisations, based on a filter in the malwares Command-and-Control server.

So! It looks like supply chain attacks are gaining popularity and are going nowhere anytime soon. As such, all organisations need to include and model such an attack vector on their risk management framework and processes. Nevertheless, how does one go about mitigating such an attack? Here are few ideas:

Security Architecture: It all starts with architecture.

• Carefully catalogue all external dependencies and connections to start introducing security controls around them.
• Properly segment systems that are accessible externally from the rest of the network.
• Do not accept installing a third party solution on your own network. There are a few vendors that will only offer support if you install their own remote access gateway on your network. This is a common practice with one big vendor on the telecommunications industry and the industrial systems industry. If there is no other way around this, then integrate this in your monitoring solution so it does not present a black hole in your network. Build additional controls around it, such as isolating it from the rest of your network and only open access inbound subject to a ticketing process.
• Apply the concept of least privilege for whatever you introduce in your network.

Application whitelisting: This may (if a separate update process kicks in) or may not (if a legitimate executable performs the update) stop a malicious update being pushed to the users depending on the software's update process . However, it will at the very least provide you with a baseline of approved installed software and processes running on your systems so you can guard against them.

As is evident from the points above, defending against a supply chain attack is not an easy feat. As such it comes down to each organisation and its risk appetite to decide the controls that can put in place to mitigate against it. We will reiterate at this point that it appears that Supply Chain Attacks are gaining popularity and at the very least should be modelled in each organisation's risk framework. At the end of the day, it is better to know your shortcomings than not knowing you have them at all.