Why supply chain attacks are on the rise and what you should do about it
Zero-day attacks are on the decline, according to Symantec’s 2018 Internet Security Threat Report (ISTR).
The report, which describes the cyber security threat landscape from the previous year, noted that zero-day attacks have become increasingly difficult for hackers to effectively launch.
This decline has contributed to an increase in supply chain attacks, which are considered by cyber criminals to be an effective alternative.
Whether you’re unfamiliar with the impact of supply chain attacks, or simply need a refresher on how to defend your organization against this growing threat, here are the different types of attacks, newsworthy events from 2017, and four ways to guard your environment.
What are supply chain attacks?
When typical threat vectors won’t work against a particular organization, hackers may turn to supply chain attacks, infecting software updates and applications at their source. This approach is hard to spot because the attacker compromises the trusted source itself (the manufacturer, a reseller, etc.), so the infection arrives through the normal update or download channel that users and administrators already trust.
Hackers have found a couple of different ways to exploit the supply chain:
- Direct attacks. The most lucrative — and most difficult — form is attacking the software supplier directly. This involves gaining access to an insider’s account (a developer’s, for example) and using that access to infect software updates and roll them out as seemingly standard patches. Depending on the level of access, the hackers may even be able to code-sign the update with the supplier’s own digital certificates, making the threat still harder to detect.
- Indirect attacks. One indirect route into a supply chain is through an organization’s domain registrar. With control of the registrar account, hackers can point the domain at a server they control and serve malicious updates from it, or even transfer the domain entirely to an attacker-controlled server. Site visitors are then unknowingly routed to a malicious website, casting a large net of potential targets.
Note that sometimes no hacking is involved at all. If an organization neglects to renew its domain when it expires, cyber criminals can simply purchase the rights to it and run malicious activity out of that domain.
Petya/NotPetya and the future of supply chain attacks
Petya/NotPetya was one supply chain attack that made headlines in 2017. This outbreak of wiper malware locked down corporate networks across Ukraine. The attack originated from within a tax and accounting software package called M.E.Doc, which is widely utilized by Ukrainian corporations.
Cyber criminals used stolen credentials to plant the malware on the M.E.Doc update server. The payload was then delivered to end users at the point of download, disguised as a legitimate update of the application.
Further analysis showed that the M.E.Doc update server had been compromised for months before the Petya/NotPetya malware was discovered, with at least three malicious updates pushed out to users in that time.
Analysts believe that supply chain attacks like this will only increase in the coming years – we’ve already seen several in 2018, one of which specifically targeted Mac users.
How to protect against supply chain attacks
Because these attacks are difficult to detect, analysts advise making small changes to an organization’s environment that improve the odds of spotting unwanted activity. Here are four ways to avoid, or recover from, supply chain attacks.
- Test new updates before rolling them out. By running any updates in a sandbox before installing them across your environment, you can effectively quarantine any malware that might have stowed away with the update. Sandboxing updates is a good idea anyway to make sure even legitimate updates won’t have negative effects on your systems or users.
- Monitor for unwanted activity. There are a number of software providers that offer tools to monitor your network for anything out of place. If any malware slips through, these tools will identify suspicious activity so you can root it out.
- Educate end users. Another way to shape behavior is through education. The more you drill employees on what a phishing email looks like, for example, the better you’ll be able to influence their behavior and guard against attacks. This is especially important for software companies, where hackers may use phishing to gain an insider’s access as the first step of a direct supply chain attack.
- Know your environment. Tighten the reins so admins have a holistic view of what websites, applications, hardware, and other IT assets are in use. Shadow IT can create risk around supply-chain attacks due to the lack of visibility – you can’t sandbox updates for software that you don’t know users have adopted.
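As an added illustration (not code from the original post), here is a Python update-gating check that applies the defenses above to a single update before rollout: it refuses software that is not in the asset inventory, pins the expected download host and code-signing identity, compares the payload hash with one published out-of-band, and requires a sandbox pass. The product name, hosts and signer string are constructed placeholders, not a real vendor.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed policy table (placeholders, not a real vendor): for each product in
# the asset inventory, the download hosts and code-signing identity we expect.
# Software that is not listed here cannot be vetted at all ("know your environment").
TRUSTED_SOURCES = {
    "example-accounting": {
        "hosts": {"updates.example-accounting.invalid"},
        "signer": "CN=Example Accounting Ltd, O=Example Accounting Ltd",
    },
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def gate_update(product, url, payload, published_sha256, signer, sandbox_passed):
    """Decide whether one update may be rolled out.

    Returns (allowed, reasons); every failing check is listed so the admin
    sees the whole picture rather than only the first problem.
    """
    reasons = []
    policy = TRUSTED_SOURCES.get(product)
    if policy is None:
        return False, ["product not in inventory: unknown software cannot be vetted"]
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        reasons.append("update was not fetched over https")
    if host not in policy["hosts"]:
        # Catches a registrar hijack, a DNS change or an expired domain that
        # now points the update URL at a server the vendor does not control.
        reasons.append(f"unexpected download host {host!r}")
    if not hmac.compare_digest(sha256_hex(payload), published_sha256.lower()):
        # The published hash must come from a second channel (vendor notice,
        # signed release notes), not from the same server that served the file.
        reasons.append("payload hash does not match the hash published out-of-band")
    if signer != policy["signer"]:
        reasons.append(f"signer {signer!r} differs from the pinned signer")
    if not sandbox_passed:
        # A valid signature from the real signer does not prove the update is
        # clean: a compromised insider can sign malware. Detonation still runs.
        reasons.append("update has not passed the sandbox run")
    return (not reasons), reasons
```

The signer check only catches a different certificate; an update signed by a compromised insider with the genuine certificate is exactly why the sandbox step remains mandatory.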
With supply-chain attacks on the rise, all organizations, and especially software manufacturers, should keep a close eye on their environment and updates to avoid becoming the next victim.
If you have additional questions on how to do so, please contact your SHI account executive for more information.