The Chain Reaction

Published on 04 May 2020

Updated on 04 May 2020

CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.


OVERVIEW

Supply chain attacks target an organisation by exploiting weak links in its supply network. As organisations strengthen their own cybersecurity posture, it is believed that threat actors are increasingly resorting to supply chain attacks because direct infiltration is becoming harder. These attacks can be difficult to detect, as the related threat activity is often conducted beyond the organisation’s network boundaries. Securing the supply network is also challenging, because organisations often rely on multiple suppliers for solutions and services. In other words, the supply chain inevitably broadens an organisation’s attack surface. According to a global survey, supply chain attacks more than doubled in 2019, yet respondents’ concern about these threats had diminished.


Understanding supply chain attacks

Attacks can target a vulnerable supplier at any point in the supply chain. In these attacks, threat actors first compromise part of the supply network and then exploit the compromised assets to gain access to their intended targets. In recent years there have been a series of high-profile campaigns against supply chains. These campaigns serve as case studies that illustrate the extensive damage supply chain attacks can cause.


Case Study 1: Targeting software providers

Threat actors can compromise software providers with the end goal of infecting unsuspecting organisations that use the software or component. These attacks may corrupt patches on the provider’s update server or insert malicious components into the software itself.

The actors behind the NotPetya incident in June 2017 targeted the update server of a widely deployed accounting software, M.E.Doc, to deliver the NotPetya ransomware[1]. One of its most high-profile victims was the global shipping conglomerate Maersk. The company suffered severe disruption to its operations and restored them only after 10 days, as the ransomware spread throughout its core IT systems and prevented access to data[2]. Similarly, in the third quarter of 2017, threat actors corrupted the NetSarang and CCleaner software updates[3],[4] to deliver malware to their customers. These attacks were significant because both products were widely used by businesses.
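The common thread in the M.E.Doc, NetSarang and CCleaner cases is that clients accepted whatever the update server handed them. The following is an added example (not code from the bulletin or from any of the vendors named above) of the check a client should run before applying an update: a signed manifest lists the hash of every file, the client verifies the manifest signature first, refuses downgrades, and then verifies every file against the manifest. HMAC-SHA256 with a constructed key stands in for the vendor’s asymmetric signature so the example runs with the standard library alone; all file names, contents and versions are constructed.

```python
"""Verify a signed update manifest before applying an update (added example)."""
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed key for this demo. A real update channel uses an asymmetric
# signature (e.g. Ed25519) so clients hold only the public half; HMAC stands
# in here so the example needs nothing beyond the standard library.
PUBLISHER_KEY = b"constructed-demo-key"


def canonical_bytes(manifest: dict) -> bytes:
    """Serialise the manifest deterministically so signatures are reproducible."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Publisher side: sign the canonical manifest bytes."""
    return hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()


def build_manifest(version: str, files: dict[str, bytes]) -> dict:
    """Publisher side: record the SHA-256 of every file shipped in the update."""
    return {
        "version": version,
        "files": {name: hashlib.sha256(data).hexdigest() for name, data in files.items()},
    }


def parse_version(v: str) -> tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))


def verify_update(manifest: dict, signature: str, files: dict[str, bytes],
                  key: bytes, installed_version: str) -> tuple[bool, str]:
    """Client side: accept the update only if every check passes.

    Order matters: the signature is checked before anything in the manifest is
    trusted, then the version (anti-rollback), then each file's hash.
    """
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, "manifest signature invalid"
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        return False, "update is not newer than installed version (possible rollback)"
    expected = manifest["files"]
    if set(files) != set(expected):
        return False, "file set does not match manifest"
    for name, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(digest, expected[name]):
            return False, f"hash mismatch for {name}"
    return True, "update verified"


# Constructed sample update (file names and contents are made up for the demo).
GENUINE_FILES = {"app.exe": b"genuine binary v2.1", "helper.dll": b"genuine helper"}
MANIFEST = build_manifest("2.1.0", GENUINE_FILES)
SIGNATURE = sign_manifest(MANIFEST, PUBLISHER_KEY)


def demo_genuine() -> tuple[bool, str]:
    return verify_update(MANIFEST, SIGNATURE, GENUINE_FILES, PUBLISHER_KEY, "2.0.3")


def demo_swapped_binary() -> tuple[bool, str]:
    # A file on the update server is replaced, but the signed manifest is untouched.
    tampered = {**GENUINE_FILES, "app.exe": b"trojanised binary"}
    return verify_update(MANIFEST, SIGNATURE, tampered, PUBLISHER_KEY, "2.0.3")


def demo_forged_manifest() -> tuple[bool, str]:
    # The manifest is rewritten to match the replaced file, but the old signature
    # no longer matches because the signing key is not on the update server.
    tampered = {**GENUINE_FILES, "app.exe": b"trojanised binary"}
    forged = build_manifest("2.1.0", tampered)
    return verify_update(forged, SIGNATURE, tampered, PUBLISHER_KEY, "2.0.3")


if __name__ == "__main__":
    for fn in (demo_genuine, demo_swapped_binary, demo_forged_manifest):
        print(fn.__name__, fn())
```

The design point is that the signing key never lives on the update server: an attacker who controls the server can swap files or rewrite the manifest, but cannot produce a valid signature, so both tampering scenarios are rejected before any file is executed. The version check closes the remaining gap of replaying an older, legitimately signed release with known flaws.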

Threat actors can also inject malicious code into open source projects[5] and infect victims when those projects are used. The public nature of such projects, which accept contributions from developers and even members of the public, makes them more vulnerable to code injection. One such incident was reported in July 2018, when hackers altered a widely used open source utility, eslint-scope, to steal developers’ login tokens in order to insert malicious code into their programs[6].
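Package managers such as npm run lifecycle scripts automatically at install time, which is the hook a tampered package uses to act on a developer’s machine. The following is an added example (not code from the bulletin or from the eslint-scope project) of a pre-install audit over a constructed set of package.json files: it lists every dependency that declares an install-phase script and raises the severity when the script touches npm credentials or reaches the network. The package names, versions and script contents are all constructed for the demo and do not describe any real package.

```python
"""Audit a dependency set for install-time lifecycle scripts (added example)."""
from __future__ import annotations

import re

# npm lifecycle hooks that run automatically during installation.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Triage heuristics: an install script that reads npm credentials or talks to
# the network deserves a human look. These are indicators, not proof of malice.
SUSPICIOUS_PATTERNS = {
    "reads npm credentials": re.compile(r"\.npmrc"),
    "reaches the network": re.compile(r"\b(?:curl|wget)\b|https?://"),
}


def audit_packages(packages: dict[str, dict]) -> list[dict]:
    """Return one finding per install-phase hook found in the dependency set.

    `packages` maps a package name to its parsed package.json contents.
    """
    findings = []
    for name, pkg in sorted(packages.items()):
        scripts = pkg.get("scripts", {})
        for hook in INSTALL_HOOKS:
            if hook not in scripts:
                continue
            command = scripts[hook]
            reasons = [label for label, rx in SUSPICIOUS_PATTERNS.items() if rx.search(command)]
            findings.append({
                "package": name,
                "version": pkg.get("version"),
                "hook": hook,
                "command": command,
                "severity": "high" if reasons else "review",
                "reasons": reasons,
            })
    return findings


def high_severity(findings: list[dict]) -> list[dict]:
    return [f for f in findings if f["severity"] == "high"]


# Constructed sample dependency set; none of these describe a real package.
SAMPLE_PACKAGES = {
    "left-padding-util": {"version": "1.4.2", "scripts": {"test": "node test.js"}},
    # A native add-on legitimately compiles itself on install: worth reviewing, not alarming.
    "native-bindings": {"version": "3.0.1", "scripts": {"install": "node-gyp rebuild"}},
    # A package whose post-install step reads ~/.npmrc and contacts a server.
    "tamper-demo": {
        "version": "2.0.1",
        "scripts": {"postinstall": "node setup.js; cat ~/.npmrc; curl https://example.invalid/"},
    },
}


if __name__ == "__main__":
    for finding in audit_packages(SAMPLE_PACKAGES):
        print(f"[{finding['severity']}] {finding['package']}@{finding['version']} "
              f"{finding['hook']}: {finding['command']} {finding['reasons']}")
```

A finding with severity "review" is normal for native add-ons and is the reason the audit should be an allowlist exercise rather than a blanket block; a "high" finding on a package bump is exactly the signal that would have caught an eslint-scope style change. Running installs with npm’s `--ignore-scripts` option in CI, and granting publish tokens with the narrowest scope and shortest lifetime the registry allows, limit what such a script can do if it does slip through.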


Case Study 2: Targeting device suppliers

Threat actors can also compromise a supplier that produces devices for others. In February 2020, it was reported that three major manufacturers were targeted through a supply chain attack involving infected Internet of Things (IoT) devices. Experts believed that these devices served as the entry point into the victims’ networks and had been infected before reaching the manufacturers[7].


Case Study 3: Targeting service providers

Over the years, it has become commonplace for organisations to outsource the management of their IT infrastructure to Managed Service Providers (MSPs), because of the ease of scaling and the lower implementation cost. However, MSPs often serve a large number of customers, and a cyber-attack on an MSP’s network is likely to affect many of them. Consequently, organisations need to take the associated risk of using MSPs into consideration when evaluating their attack surface.

APT10 is a threat actor known to focus on cyber espionage, including the targeting of intellectual property. It was reported in April 2017 that the actor had launched a campaign (nicknamed “Operation Cloud Hopper” by the media and cybersecurity firms) against multiple MSPs[8]. As MSPs are responsible for managing customer IT infrastructure, they generally have direct remote access into their clients’ networks and hold a significant amount of customer data within their own infrastructure. Hence, a successful compromise of these MSPs would allow the actor to exfiltrate intellectual property and sensitive data from both the MSPs and their clients. Another example is the breach of the online entertainment retail service Ticketmaster UK, reported in June 2018. The threat actor behind the breach infected Ticketmaster’s customer support system, managed by its partner Inbenta Technologies, to steal customers’ personal and payment details[9].
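Because an MSP’s remote access is standing and legitimate, the customer’s own monitoring is the control that notices when that access is used by someone else. The following is an added example (not code from the bulletin or from any of the providers named above) of a detection rule a customer can run over its VPN or remote-access logs: MSP service accounts are allowed in only from the provider’s agreed source network and only during an agreed maintenance window, and any successful login that breaks either condition is raised as an alert. The account names, the source network (drawn from the TEST-NET ranges), the window, the log format and the log lines are all constructed for the demo.

```python
"""Flag MSP remote-access logins that fall outside agreed policy (added example)."""
from __future__ import annotations

import ipaddress
import re
from datetime import datetime, timezone

# Policy agreed with the hypothetical MSP; every value here is constructed.
MSP_ACCOUNTS = {"msp-svc01", "msp-svc02"}
MSP_SOURCE_NET = ipaddress.ip_network("203.0.113.0/24")  # TEST-NET-3, constructed
MAINTENANCE_WINDOW = (22, 4)  # 22:00 to 04:00 UTC; the window wraps past midnight

# Constructed log format: "<ISO timestamp> vpn login user=<u> src=<ip> result=<r>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def in_window(hour: int, window: tuple[int, int] = MAINTENANCE_WINDOW) -> bool:
    """True if the hour (UTC) falls inside the window, handling wrap past midnight."""
    start, end = window
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end


def parse_line(line: str) -> dict | None:
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": ipaddress.ip_address(m["src"]),
            "result": m["result"]}


def evaluate_logins(lines: list[str]) -> list[dict]:
    """Return an alert for each successful MSP login that violates the policy."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["user"] not in MSP_ACCOUNTS or ev["result"] != "success":
            continue
        reasons = []
        if ev["src"] not in MSP_SOURCE_NET:
            reasons.append(f"source {ev['src']} outside MSP network")
        if not in_window(ev["ts"].hour):
            reasons.append(f"login at {ev['ts']:%H:%M} UTC outside maintenance window")
        if reasons:
            alerts.append({"user": ev["user"], "time": ev["ts"].isoformat(), "reasons": reasons})
    return alerts


# Constructed sample log: one compliant MSP login, one out-of-hours login, one from
# an unexpected network, one failed attempt, and one ordinary staff login.
SAMPLE_LOG = """\
2020-04-12T23:15:07Z vpn login user=msp-svc01 src=203.0.113.7 result=success
2020-04-13T10:42:51Z vpn login user=msp-svc01 src=203.0.113.9 result=success
2020-04-13T23:05:12Z vpn login user=msp-svc02 src=198.51.100.23 result=success
2020-04-13T23:06:40Z vpn login user=msp-svc02 src=198.51.100.23 result=failure
2020-04-14T01:30:00Z vpn login user=jane.doe src=198.51.100.50 result=success
""".splitlines()


if __name__ == "__main__":
    for alert in evaluate_logins(SAMPLE_LOG):
        print(alert["time"], alert["user"], "; ".join(alert["reasons"]))
```

The rule deliberately ignores failed attempts and non-MSP accounts so that it stays precise: its job is to catch the Cloud Hopper pattern of valid provider credentials used from the wrong place or at the wrong time. In practice the allowed network and window come from the contract with the provider, and an alert should trigger a call to the MSP’s security contact rather than an automatic block, since blocking legitimate emergency maintenance is itself an outage.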


Whose responsibility is it?

An organisation’s attack surface grows in proportion to the size and complexity of its supply chain. While supply chain attacks are not new, they are becoming more sophisticated and pervasive, meaning organisations have to devote greater effort and resources to dealing with them. Organisations therefore need to be cognisant of the evolving nature of cyber threats to the supply chain and to manage supply chain risk from a cybersecurity perspective.

Supply chain attacks are especially insidious because adversaries exploit organisations’ reliance on their service providers. Cybersecurity in the supply chain is not purely an IT problem: it involves sourcing, vendor management and evaluation of supply chain quality across multiple functions of an organisation, and so requires a coordinated effort. Organisations need to adopt sound cybersecurity practices and processes to manage their suppliers better and defend effectively against supply chain attacks.


REFERENCES:

[1] The MeDoc Connection

https://blog.talosintelligence.com/2017/07/the-medoc-connection.html

[2] NotPetya Ransomware Forced Maersk to Reinstall 40 000 servers, 45 000 PCs

https://www.zdnet.com/article/maersk-forced-to-reinstall-4000-servers-45000-pcs-due-to-notpetya-attack/

[3] Kaspersky Discovers Supply-chain Attack at NetSarang

https://www.csoonline.com/article/3216547/security/kaspersky-discovers-supply-chain-attack-at-netsarang.html

[4] Inside the Unnerving Supply Chain Attack That Corrupted CCleaner

https://www.wired.com/story/inside-the-unnerving-supply-chain-attack-that-corrupted-ccleaner/

[5] Open-source Software Supply Chain Vulns have Doubled in 12 Months

https://www.theregister.co.uk/2018/09/25/open_source_security/

[6] Now Pushing Malware: NPM package dev logins slurped by hacked tool popular with coders

https://www.theregister.co.uk/2018/07/12/npm_eslint

[7] IoT Devices at Major Manufacturers Infected with Malware via Supply Chain Attack

https://www.securityweek.com/iot-devices-major-manufacturers-infected-malware-supply-chain-attack

[8] APT10 – Operation Cloud Hopper

https://baesystemsai.blogspot.com/2017/04/apt10-operation-cloud-hopper_3.html

[9] Identity Theft Warning After Major Data Breach at Ticketmaster

https://www.theguardian.com/money/2018/jun/27/identity-theft-warning-after-major-data-breach-at-ticketmaster