The Quick Guide to Understanding Supply Chain Attacks

Supply chain attacks have been in the news time and time again, with ConnectWise, SolarWinds, and Kaseya (the last eventually attributed to a zero-day exploit), but they aren't just a breach of source code. They're far more nuanced and abstract, depending on the interpretation, and to confound matters there isn't a single agreed-upon definition. A supply chain attack isn't just an exploit of source code; it's an exploit of the whole pipeline, achieved by compromising one piece of the process, and that can have staggering ramifications for security down the entire chain.

Technology has infiltrated every facet of a business, from your vendors to their vendors and beyond. Business has gotten more complex, and no one exists in a vacuum or is even close to able to control their entire supply chain. Any commercial process relies on trust at some level for everyone involved, and that trust gets harder to justify as more and more players get involved. All a supply chain attack really boils down to is a breach of the weakest link in the chain.

You don't necessarily attack a business itself to damage it. Threat actors can target the manufacturer of a component and inject malware there, so that the business they're actually aiming for is compromised without ever being targeted directly. Injecting malicious code, or even just a backdoor, into a software component can create a compromise that is almost impossible to detect without seriously invasive measures. The more indirect the attack, the harder it is to know how deep it goes or what the goals are until the damage is done.

Most devices aren’t analog anymore – they’re computers in some form. A supply chain attack works by exploiting the flexibility of a computing device and the weakness in the chain of trust for a given process.

Real World Supply Chain Attacks

Let’s dive into some examples and explain why they are supply chain attacks. Kaseya is facing a supply chain attack which wasn’t a software supply chain attack, but is still a supply chain attack. Confused yet?

This attack is the most recent, starting around July 2nd, 2021 and ongoing as of writing. It meets the more abstract definition of a supply chain attack but wasn't an attack on the application development process itself: REvil hit Kaseya's RMM product via a zero-day exploit (as of writing) and used that trusted management channel to push ransomware to the MSPs running it and on to their customers.

SolarWinds was hit in late 2020 with a true software supply chain attack. The attackers compromised SolarWinds' build process and shipped a trojaned, legitimately signed update to the Orion platform, which was then installed by the many organizations that ran Orion. Since the update was trusted and its malicious activity masqueraded as normal Orion operations, it went undetected for months.

Target was compromised in 2013 by a supply chain attack. This one didn't involve components distributed by Target itself, but a vendor that served Target: the attackers got their foothold using network credentials stolen from Target's HVAC contractor. This is the more abstract form of a supply chain attack (which some may split hairs about). It counts because the end goal was to harvest sensitive financial data (such as credit card numbers) and it leveraged a vendor in the most general sense of the business process.

Stuxnet is one of the most famous supply chain attacks. It reached air-gapped Iranian nuclear facilities by way of infected flash drives carried in by the people who worked there and the contractors who supplied them, but it eventually spread well beyond its intended targets. The attack showed that even air-gapped networks can be infiltrated with the right tools and tactics aimed at the human element somewhere in the chain. Hybrid attacks using multiple tools are common, and the attackers counted on how little most people understood the implications of what they do with technology. A rogue flash drive became a digital bomb carried into the right facility.

Greater Aspirations

Supply chain attacks are strategic.

These attacks aren't just about hitting a business; they're about exploiting a process that takes time to plan, position and execute. They are well funded and may even be nation-state operations. REvil isn't just a criminal group; it plays a geopolitical role in cyber attacks, and it isn't the only player on the board.

Stuxnet is widely reported to have been a joint US and Israeli operation that escaped its confines. REvil attacks are often linked to Russian goals, though Russia firmly denies any involvement. Warfare has evolved past bombs and mortars into attacks on infrastructure and beyond: a cyber attack can do more damage than a skirmish with far fewer consequences for the aggressor.

The SolarWinds attack was attributed by the US government to Russia, but so far there have been no real repercussions. Dead soldiers or shots fired across a border are easier to prove than a digital hit on a seemingly random company that drives up the price of beef to damage the economy of a nation or region. Warfare has gotten more and more complicated, and proving who carried out an attack is as important to national security as responding to it.

Security Implications

MSPs have looked like lucrative targets on paper for years, but were arguably hard to cash in on until recently. Now that cat's out of the bag, and even federal agencies are warning MSPs about potential attacks.

Many major Remote Monitoring and Management (RMM) tools have been hit. ConnectWise was the first that really showcased how big a threat (and how profitable) hitting MSPs and RMM tools was. It wasn't just a theoretical concern anymore; it became a real threat for security professionals.

RMM tools have privileged access, and most administrators configure their security suites to ignore whatever the RMM agent does. It's hard to tell the difference between deleting files to free up space and deleting files after they've been encrypted for ransom. Fileless malware can easily be wrapped in a script and deployed with virtually any RMM. IT needs privileged access to do its job, but that privileged access is a double-edged sword.
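Since the RMM agent itself is whitelisted, the practical place to catch this kind of abuse is the RMM's own audit trail: who pushed which script to how many endpoints, and when. The following is an added example, not code from the original post or from any RMM vendor, that runs a few such checks over constructed audit records. The log format, field names, tampering keywords and thresholds are all assumptions made for this example; real RMM products export different schemas.

```python
"""Added example (not from the original post or any RMM product):
scan constructed RMM script-deployment audit records for abuse patterns."""
import base64
import binascii
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample data. Assumed line format:
#   "<ISO-8601 UTC timestamp> <operator> <endpoint> <command line>"
# PowerShell's -EncodedCommand takes base64 of UTF-16LE text, so the
# payload below is built that way rather than typed in by hand.
ENC_PAYLOAD = base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16le")
).decode("ascii")

SAMPLE_LOG = [
    "2021-07-02T13:02:11Z admin@msp PC-001 cmd /c del /q C:\\Temp\\*.tmp",
    "2021-07-02T13:02:12Z admin@msp PC-002 cmd /c del /q C:\\Temp\\*.tmp",
    "2021-07-02T13:02:13Z admin@msp PC-003 cmd /c del /q C:\\Temp\\*.tmp",
    "2021-07-02T23:41:03Z svc_rmm PC-001 powershell -nop -w hidden -enc " + ENC_PAYLOAD,
    "2021-07-02T23:41:04Z svc_rmm PC-002 powershell -nop -w hidden -enc " + ENC_PAYLOAD,
    "2021-07-02T23:41:05Z svc_rmm PC-003 powershell -nop -w hidden -enc " + ENC_PAYLOAD,
    "2021-07-02T23:41:06Z svc_rmm PC-004 powershell -nop -w hidden -enc " + ENC_PAYLOAD,
    "2021-07-02T23:41:07Z svc_rmm PC-005 powershell -nop -w hidden -enc " + ENC_PAYLOAD,
    "2021-07-02T23:42:30Z svc_rmm PC-001 vssadmin delete shadows /all /quiet",
]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
# -e / -ec / -enc / -encodedcommand followed by a base64 blob.
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b", re.IGNORECASE)
# Strings no routine maintenance script should contain (assumed list).
TAMPER_MARKERS = ("DisableRealtimeMonitoring", "vssadmin delete shadows",
                  "bcdedit", "wbadmin delete")
FANOUT_THRESHOLD = 5       # assumed: same command to >= 5 hosts ...
FANOUT_WINDOW_SEC = 300    # ... within 5 minutes is "mass deployment"
BUSINESS_HOURS_UTC = range(6, 20)  # assumed working hours


def parse_line(line):
    ts, operator, host, cmd = LINE_RE.match(line).groups()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "operator": operator, "host": host, "cmd": cmd}


def decode_encoded_powershell(cmd):
    """Return the decoded -enc payload, or None if there is none / it is not valid."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze(lines):
    """Run four checks over audit lines and return a list of findings."""
    findings = []
    fanout = defaultdict(list)  # (operator, command) -> [(ts, host), ...]
    for ev in (parse_line(l) for l in lines):
        decoded = decode_encoded_powershell(ev["cmd"])
        effective = decoded if decoded is not None else ev["cmd"]
        if decoded is not None or HIDDEN_RE.search(ev["cmd"]):
            findings.append({"rule": "obfuscated_powershell", "host": ev["host"], "detail": effective})
        for marker in TAMPER_MARKERS:   # checked against the *decoded* command
            if marker.lower() in effective.lower():
                findings.append({"rule": "defense_tampering", "host": ev["host"], "detail": marker})
        if ev["ts"].hour not in BUSINESS_HOURS_UTC:
            findings.append({"rule": "off_hours", "host": ev["host"], "detail": ev["ts"].isoformat()})
        fanout[(ev["operator"], ev["cmd"])].append((ev["ts"], ev["host"]))
    # Same operator pushing the same command to many hosts in a short window.
    for (operator, cmd), hits in fanout.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if (t - t0).total_seconds() <= FANOUT_WINDOW_SEC}
            if len(hosts) >= FANOUT_THRESHOLD:
                findings.append({"rule": "mass_deployment", "host": None,
                                 "detail": f"{operator} pushed one command to {len(hosts)} hosts"})
                break
    return findings


def summarize(findings):
    """Count findings per rule as a plain dict."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['rule']:22} {f['host'] or '-':8} {f['detail']}")
    print(summarize(analyze(SAMPLE_LOG)))
```

The point of decoding the `-enc` blob before matching is that an encoded command hides its contents from naive keyword rules; the point of the fan-out check is that a legitimate cleanup job and a ransomware push can look identical per host, and only the pattern across hosts and time separates them. In the constructed sample, the daytime temp-file cleanup triggers nothing, while the night-time encoded push to five hosts trips every rule.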

The more trust you place in one part of the process, the more damage its compromise can do. Why breach a company directly when you can breach someone it trusts who has laxer practices or more privileged access? Supply chain attacks rely on the interconnectedness of the modern internet and the fact that companies don't exist in a vacuum. Every vendor, every service, every partner can become an avenue of ingress into a business.

Prevention

The only real solution is to reduce the amount of trust extended to any given step in a process. Zero trust has existed as a concept for ages, but until recently there hasn't been a compelling reason for most businesses to take the plunge: put simply, it was too hard and too costly to make financial sense when weighing risk against reward. Implementing a zero trust architecture requires understanding what every piece of the process does and exactly what access it needs.

Zero trust architecture boils down to reducing the communication and trust between components so as to limit the damage any one of them can do. A flat network is great for ease of access, but that ease extends to malware and threat actors as well. Zero trust means that even if the network is physically flat, every request is authenticated and authorized on its own merits, so a compromise of one machine doesn't automatically become a compromise of everything.

You don't let guests on the guest WiFi jump onto the main network in any sane setup, so why allow it just because you're paying someone to be there? A vendor walking in with a laptop might unknowingly walk in with a trojan, and the second they plug into the wrong port your whole site can be infected, depending on security and setup. All it took to get Stuxnet going in air-gapped environments was the wrong flash drives.

How can you reduce the trust you extend to each agent? What happens if a single machine is compromised, and how do you prevent it from spreading? Even if a full zero trust rollout isn't feasible, that doesn't mean you can't take sane steps to reduce the trust between devices. The more things a given person or system can access, the more damage a compromise of that person or system can do.
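To make the contrast between the flat-network model and the per-request model concrete, here is an added example that is not part of the original post: a toy policy check that answers the two questions above (how much trust does each agent get, and what can a compromised agent reach). The principals, resources, grants and posture fields are invented for the example; a real deployment would draw them from an identity provider and a device-management system.

```python
"""Added example (not from the original post): flat-network trust versus a
per-request zero trust decision, with a blast-radius query for each principal."""
from dataclasses import dataclass
import ipaddress


@dataclass
class Request:
    principal: str        # user or service identity making the request
    src_ip: str           # where it comes from (irrelevant under zero trust)
    device_trusted: bool  # managed device that passed its posture check
    mfa: bool             # strong authentication completed for this session
    resource: str         # e.g. "hr-db", "rmm-console" (assumed names)
    action: str           # "read", "write" or "admin"


LAN = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range

# Least-privilege grants, constructed for the example:
#   principal -> {resource -> set of permitted actions}
GRANTS = {
    "alice@corp":  {"hr-db": {"read"}},
    "hvac-vendor": {"bms-controller": {"read", "write"}},
    "svc_rmm":     {"rmm-console": {"admin"}},
}
# Resources sensitive enough to demand MFA on top of an explicit grant.
HIGH_RISK = {"hr-db", "rmm-console"}


def flat_network_allows(req):
    """The flat-network model: being on the LAN is the whole check."""
    return ipaddress.ip_address(req.src_ip) in LAN


def zero_trust_allows(req):
    """Per-request decision that never consults network location."""
    if req.action not in GRANTS.get(req.principal, {}).get(req.resource, set()):
        return False   # no explicit grant means no access
    if not req.device_trusted:
        return False   # unmanaged or unhealthy device is denied wherever it sits
    if req.resource in HIGH_RISK and not req.mfa:
        return False   # sensitive resource additionally requires MFA
    return True


def compare(req):
    return {"flat": flat_network_allows(req), "zero_trust": zero_trust_allows(req)}


def blast_radius(principal):
    """Everything a compromised principal can reach under zero trust."""
    return sorted(f"{res}:{act}"
                  for res, acts in GRANTS.get(principal, {}).items()
                  for act in sorted(acts))


def flat_blast_radius():
    """Under the flat model any LAN host can reach every resource."""
    return sorted({res for grants in GRANTS.values() for res in grants})


if __name__ == "__main__":
    # Vendor laptop plugged into an internal port, unmanaged, aiming at HR data.
    vendor = Request("hvac-vendor", "10.0.5.7", False, False, "hr-db", "read")
    # Employee on a managed laptop with MFA, connecting from outside.
    remote = Request("alice@corp", "203.0.113.5", True, True, "hr-db", "read")
    for name, req in (("vendor on LAN", vendor), ("alice remote", remote)):
        print(f"{name:14} {compare(req)}")
    print("svc_rmm can reach:", blast_radius("svc_rmm"))
    print("any LAN host can reach (flat):", flat_blast_radius())
```

The vendor laptop on the LAN is allowed everything by the flat model and nothing it was not granted by the zero trust model; the employee working remotely is the reverse. The `blast_radius` query is the practical answer to "what happens if a single machine is compromised": under the flat model the answer is every resource, under the grant table it is exactly the listed entries, which is what you want to be able to read off before an incident rather than reconstruct during one.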
