Supply Chain Attacks & How to Defend Against Them
Intellias blog, published January 24, 2024 (last modified July 26, 2024)
https://intellias.com/supply-chain-attacks/
Businesses globally are playing catch-up with the newest trends in cyber threats. While most companies have invested in cybersecurity — albeit often at the expense of productivity and profits — cybercriminals still have plenty of avenues to exploit.
In the last few years, we’ve witnessed how missing key log messages and alerts have harmed businesses and governments around the world. Though the IT world now understands the concept of vulnerability, the cybersecurity industry is still in its infancy, only beginning to explore what that concept means in a holistic sense.
Clearly, running a network scanner or an agent-based vulnerability scanner is good, but truth be told, without a proper understanding of the vulnerability concept and of threat modeling, the workload and priority items generated by automated reports will overshadow the controls that are truly the real priority.
This article examines the current landscape of supply chain attacks and provides practical advice on how to protect against them. Drawing on the 20+ years of experience Intellias has in cybersecurity, we outline flexible and effective strategies to safeguard your business from advanced cyber threats.
A supply chain cyberattack targets an organization by compromising the security of its suppliers, vendors, or other third parties within its operational supply chain. Instead of directly attacking the target organization’s systems, networks, or employees, an attacker infiltrates a trusted entity within the supply chain, exploiting that entity’s trust and access vis-à-vis the target. Simply put, attackers are aware that enterprises and big companies, with their mature supply chain cyber security practices, are difficult targets. So, rather than breaking through the steel vault, they aim at the ventilation system.
Supply chain attacks can come in many forms. Generally, we can break them down into two types:
Let’s start with the most dangerous macro attacks.
Keeping software up to date is crucial for security. But what if the updates themselves are the problem? Here’s how a software update attack works: hackers gain access to the update’s code repository and compromise it. When you install the update, you allow a cybercriminal to infiltrate your system.
The most alarming aspect of this type of malware supply chain attack is that the malicious code can steal your confidential data or use your computer to attack other systems.
Since many of us have software programmed to update itself automatically, these attacks pose a major threat. Hackers can quickly reach numerous computers through automatic updates.
Many companies use third-party code snippets to save time and effort. However, this approach carries risks. Hackers can target these small bits of code, deploying fake versions or manipulating the original code for malicious purposes. Detecting such malicious code during testing is challenging because attackers often design it to activate only under specific conditions.
Open-source software attacks are similar to those targeting third-party software. Cybercriminals focus on open-source projects, whose code is accessible to everyone, including hackers. This makes them vulnerable to security breaches. Even small changes to the code can create vulnerabilities. Attackers can also develop fake open-source tools to trick users into downloading them instead of legitimate software.
In this type of supply chain attack, cybercriminals target the tools managed service providers (MSPs) use to manage their clients’ IT infrastructure. If successful, attackers gain access to the MSP’s systems and potentially the systems of the customers they manage. This intrusion can lead to the theft of sensitive data such as network details and customer passwords. These incidents exploit the trusted relationship between MSPs and their customers and often bypass standard security measures, making them particularly concerning.
The malicious intent here is to incorporate vulnerabilities into the software as it is being built. Development tool attacks target the software development process by compromising developer workstations, version control systems, or continuous integration pipelines to inject malicious code. These attacks are particularly sophisticated because they target the very tools that ensure the security of the software.
Relying solely on proprietary software isn’t always feasible for businesses. Using multiple software environments increases the attack surface, making it harder to defend against vulnerabilities. This highlights the ongoing challenge of maintaining strong cybersecurity.
While we’ve been focusing on the macro level, what about the micro level?

The SolarWinds software supply chain attack in 2020 was one of the largest in history. In 2021, 60 of Kaseya’s customers and another 1,500 businesses were impacted by a cyberattack. Apple supplier Quanta was the target of a $50 million ransomware supply chain attack. Japanese carmaker Toyota Motors was forced to halt production due to a cyberattack suffered by one of its suppliers, Kojima Industries.

Indeed, supply chain breaches can have devastating consequences for businesses through the loss of their most priceless commodity — data — and can potentially lead a business to financial ruin. According to Cybercrime Magazine, about 60% of small and midsize businesses that fall victim to a cyberattack are forced to shut down completely within six months.

Speaking of 2023, we can’t but mention the software supply chain attack on the popular desktop software 3CX. Also in 2023, the MOVEit vulnerability led to a gigantic chain of record-breaking breaches. TechCrunch has reported that this single vulnerability cost businesses over $9.9 billion, with more than 1,000 businesses and over 60 million individuals affected.

Another 2023 cyberattack, on Bank of America’s service provider Infosys McCamish Systems, exposed the personal data of thousands of customers.

These seven supply chain incidents underline the enormity of the damage in the wake of a cyberattack, not to mention the regulatory fines and damages awarded by courts following legal action.

In 2023, more than 245,000 open-source software attacks were detected. These attacks targeted weak spots in JavaScript, Java, Python, .NET and the like. The number of attacks was almost three times higher than in 2022 and more than twice the total number of supply chain hacks from 2019 to 2022.

In April 2024, unsettling news emerged about a major business analytics software provider, Sisense, being hacked, potentially exposing the data of thousands of its high-profile clients. Additionally, the popular JavaScript tool Polyfill.io was compromised in a supply chain attack affecting more than 100,000 websites. Recent supply chain attacks on WordPress compromised its add-ons, used by up to 36,000 websites.

These cases demonstrate why hackers target intermediate stages (businesses, companies, or individuals) of the supply chain instead of major players. Hackers would be unlikely to attack Bank of America as easily as they attacked its service provider. This trend is steadily increasing, and more software supply chain attacks can be expected in the upcoming years.

According to Gartner, nearly half of all companies worldwide will face attacks on their software supply chains by 2025, three times more than in 2021.

Another prediction is that by 2025, the cost of supply chain attacks is expected to rise to $60 billion. Looking further ahead, we can anticipate this cost to grow to $138 billion by 2031, increasing by about 15% each year.

Exploiting software vulnerabilities is a frequent cause of data breaches, ransomware, and various supply chain incidents. These attacks are particularly successful because most organizations have multiple unaddressed vulnerabilities in their systems. Log4Shell, ProxyLogon, Spring4Shell, Confluence RCE, and ICMAD SAP are just a few instances of commonly targeted vulnerabilities that are well-known to security-focused developers, IT managers, and technically oriented IT engineers. Service- and software-based vulnerabilities are generally not categorized as supply chain exploitation. However, advanced persistent threat (APT) groups and state-sponsored hacking units may hold a different perspective.

If you’ve worked in a development environment, you’re likely familiar with the Agile methodology, which calls for creating something once, testing it thoroughly, and then establishing a process to replicate it, ideally through automation. Advanced persistent threats and state-sponsored hacking groups have adopted a similar mindset when it comes to exploiting vulnerabilities. Instead of targeting individual components like a single virtual machine or an isolated employee, they look for weaknesses in enterprise services software that can grant them access to multiple entities or systems.

Much like the broader IT community, hackers stay current with the latest technological and cultural trends. They adapt and evolve their tactics to maximize their chances of success and exploit vulnerabilities in a way that can yield greater results. For instance, they might choose to attack the enterprise server itself, which could have a vulnerability that allows them to bypass login measures. This makes their efforts more efficient and potentially more impactful.

The sophistication of malware, the failure of some businesses to push toward cloud computing infrastructure, the growing popularity of remote work, and the surge of 5G, artificial intelligence, and the Internet of Things (IoT), on top of a deficit in cybersecurity knowledge, collectively suggest that the ongoing sharp increase in the number of supply chain hacks is poised to persist or potentially escalate.

In 2023, we continue observing a significant increase in the volume of cross-compatible polymorphic malware and ransomware. Use of the Rust and Go programming languages in the payloads of this malware (exploiting features like memory safety, performance, and ease of use) enhances the chances of successfully reaching the final profit-generating step. Historically, this last step has been the most challenging, as it generates the most alerts and noise. Therefore, meticulous preparation is essential, and typically businesses are well-prepared for this critical phase.

Microsoft reports that threat actors have notably increased their sophistication in the past year, employing techniques that enhance their stealth. This endangers even the most experienced targets and enables malicious actors to advance from initial system access to full network control in under 45 minutes.

Only 15 years ago, we were researching Visual Basic to experiment by creating our own keyloggers. It was a grueling task, as even the learning resources were sparse. Now it would take us half the time to create the same piece of software, and it would be able to run across multiple operating systems, devices, and hardware configurations.

Creating cross-platform supply chain cyber threats is much easier today than 15 years ago, when even basic malware took time and effort to develop. Hacking tools and information are readily available, allowing bad actors to carry out more advanced and far-reaching attacks.

Examples of recent supply chain attacks

Let’s examine some notable examples of supply chain attacks in 2024 and recent years.

Kaseya

Kaseya’s VSA product, which helps IT teams manage computers and networks, was attacked by hackers in July 2021. About 60 customers who ran this software on their own computers (on premises, not through the Internet) were directly affected.

Since many of these customers provided IT services to other businesses, the supply chain cyberattack spread further. In total, about 1,500 businesses were impacted. The hackers used ransomware to lock up computer files and demanded $70 million to provide a key to unlock all the affected computers.

Apple and Quanta

Apple faced a cybersecurity scare when one of its suppliers, Quanta, was hit by a ransomware attack. A Russian hacker group, REvil, broke into Quanta’s servers and stole sensitive information about Apple’s product designs.

The hackers demanded $50 million to keep the stolen data private. When Quanta refused, REvil started leaking details about Apple’s new iMac and other unreleased products. They did it during Apple’s big product launch event to grab maximum attention.

Toyota and Kojima Industries

In 2022, Kojima Industries, a supplier of plastic parts and electronic components for Toyota, discovered malware on its system along with a threatening note in English. This cyberattack prevented Kojima from sending parts to Toyota, forcing Japan’s largest car manufacturer to shut down 14 factories and halt production of about 13,000 cars.

This incident shows that supply chains, especially those involving smaller suppliers, can be extremely vulnerable to cyberattacks.

Bank of America and Infosys McCamish Systems

In November 2023, Bank of America fell victim to a cyberattack due to a breach at its service provider, Infosys McCamish Systems (IMS). Shockingly, Bank of America was unaware of the incident for 21 days, until IMS finally notified them.

During this time, cybercriminals gained unauthorized access to highly sensitive data of Bank of America customers, including names, addresses, email addresses, dates of birth, social security numbers, and other account details.

Around 57,000 Bank of America customers had their information exposed. While significant, it’s only a small part of the bank’s total customer base.

Sisense

In early 2024, Sisense, a provider of business analytics software, experienced a cybersecurity breach. This incident raised alarm because Sisense serves many high-profile clients across industries.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert urging Sisense customers to reset their credentials and watch for any suspicious activity in their systems.

This breach could have a big impact, as Sisense serves over 2,000 clients worldwide, including major corporations such as Verizon and Air Canada.

Polyfill.io

In February 2024, cyber attackers targeted websites using Polyfill.io, a tool for improving website performance on older browsers. The attack involved injecting malicious code into these websites, redirecting visitors to inappropriate sites.

The malware was cleverly designed to be compatible with specific mobile devices. What’s more, admins had no way to detect it. Experts warned it could cause further damage, like unauthorized data access. Companies like Cloudflare now offer secure alternatives to help website owners transition away from Polyfill.io.

WordPress

In June 2024, WordPress fell victim to a supply chain attack. Hackers inserted malicious code into five WordPress add-ons, potentially affecting 36,000 websites. When website owners installed these add-ons, cybercriminals created accounts that gave them full control over the websites.

The attack has been active since June 21. Website owners using WordPress add-ons should check whether they need to remove them immediately and inspect their sites for suspicious changes.

How supply chain attacks are impacting business

Software supply chain attacks can have serious consequences, often leading to multiple issues at once, including regulatory issues and a potential drop in customer confidence. Here’s a summary of how supply chain attacks impact companies.

Supply chain security breaches. A supply chain attack often results in data breaches, in which sensitive and confidential information is exposed. According to Arcserve, in 2022, only 52% of organizations were able to restore their critical systems within 12 hours after a severe data loss event.

Financial losses. On top of direct financial losses, the consequences of supply chain cyberattacks include ransom payments, legal costs due to consumer litigation, and an overall reduction in production. Companies lost on average $1.5 million from cyberattacks in 2022. Furthermore, Cybersecurity Ventures warns that cybercrime could potentially create a global economic strain of $10.5 trillion each year by 2025.

Operational disruption. Compromising the supply chain through software can disrupt production, logistics, and other critical functions, leading to lost revenue and harming customer relationships. The latest cybersecurity statistics claim that 65% of organizations that experienced a ransomware attack in 2023 faced more than six days of downtime afterward.

Reputational damage. As a result of a supply chain attack, customer trust and loyalty can hang in the balance, as customers demand robust data and asset protection; otherwise, they might seek alternatives.

Depending on industry nuances, the type of data at stake, and the specific circumstances, supply chain hacking can trigger legal responsibilities, regulatory repercussions, intellectual property theft, and cybersecurity challenges. This results in additional supply chain risk assessment and complex investigations, all adding to the long-tail costs of business operations.

Defense strategies for supply chain attacks

How can you avoid these consequences? Even when major corporations get hacked, there’s hope. You can protect your company from data leaks, fines, blackmail, and damage to your reputation with these best practices:

Know your suppliers

Your supply chain management architecture includes a wide range of services, from software systems to the tools your IT team uses. Make a list of all the companies you work with. Then go through the list one by one, researching their security practices and their history of security issues.

Use multiple layers of security

Don’t rely on just one security measure. Use firewalls, antivirus programs, and systems that alert you to suspicious activity. If one layer fails, others can still protect you.

Limit access and educate employees

Grant employees access only to what they need. This minimizes damage if an account gets hacked. Introduce cybersecurity policies and educate employees on potential threats.

Have a backup plan

Keep backups separate from your main systems. It will be easier to recover your data in case of an attack. Plan who needs to be informed and how to escalate the response.

Regularly test your systems

Run penetration tests to uncover vulnerabilities before hackers exploit them.

Use advanced tech to monitor and secure your supply chain network

Implement AI and ML to secure supply chains. These technologies can predict risks, detect anomalies in supplier behavior, and more.

These practices will set you up for a great start. For added security, consider hiring professionals like penetration testing consultants. Cybersecurity experts can offer advanced insights to spot risks you might miss. Just be sure to choose reliable providers, as with any supplier.

How Intellias can help