Explaining Supply Chain Attacks: Here's What You Need to Know

What Are Supply Chain Attacks?

Supply chain attacks involve compromising a company that has some sort of access to the network of another company. A third party may be used to attack the intended target. There are different variants of a supply chain attack.

One approach is to attack one company to launch attacks against other companies. The SolarWinds attack serves as an example of this. Hackers installed malware on the software of the company.

When an update was sent to its clients, the malicious software was installed, unbeknownst to the clients or SolarWinds.

Supply Chain Attack Challenges for Organizations

Another supply chain attack example involves hackers attacking a company by going through a third party with a business/network connection to their main target. The best example of this is the cyber attack against Target.

The supermarket chain’s card readers had malware installed onto them by hackers. The credit card details of millions of customers were stolen as a result. Target’s relationship with a third-party company that serviced air conditioning units was instrumental in the attack.

In order for the company to access air conditioning units remotely, it established a VPN (Virtual Private Network) connection with Target.

After an employee of the company fell victim to a phishing attack, the hackers were able to gain access to the VPN connection and spread the malware for the main attack.

With new supply chain attack events, come more questions about what represents effective management of supply chain cyber security risks. There are many ways to execute supply chain attacks. The 3CX attack is a great example of this.

In a rare case, enterprise phone provider 3CX was compromised through another supply chain attack.

A malware-laced version of financial software, X_Trader, was used by hackers to compromise the systems of 3CX. Cybersecurity company, Madiant (which was hired to investigate the breach) suspected the attackers to be North Korean state-backed hackers.

A report by Google’s Threat Analysis group corroborates this finding. The report shows that Trading Technologies’ website was compromised in February 2022 as part of a North Korean operation targeting users of FinTech and cryptocurrency.

The investigation by Mandiant shows that an employee at 3CX downloaded a version of the X_Trader software in April 2022 (without realizing it contained malicious programming) from Trading Technologies’ website, which hackers digitally signed with the company’s then code-signing certificate to make the software look legitimate.

The X_Trader installer was digitally signed by a valid code signing certificate (which was set to expire in October 2022) with the subject of “Trading Technologies International, Inc.”

Despite the software being reportedly retired in 2020 by Trading Technologies, it was still made available for download on the Trading Technologies website in 2022. Using the software, the hacking group gained backdoor access to the device of the employee.

The access was used to move laterally through 3CX’s network and ultimately compromise the desktop phone application of 3CX. A Fast-Reverse Proxy tool was key in moving laterally in the environment of 3CX.

Information-stealing malware was planted inside the corporate networks of customers, marking the first time concrete evidence has been found of a software supply chain attack that leads to another supply chain attack.

“The identified software supply chain compromise is the first we are aware of which has led to an additional software supply chain compromise,” wrote Mandiant’s research team in a new disclosure blog.

The rare event shows the creative ways access to networks can be used to distribute malware, crossing over into verticals and using follow-on intrusion campaigns.

Malware, Veiledsignal, was instrumental in providing the threat actor with administrative-level access and persistence to the compromised system. Using this, they stole the credentials of the 3CX employee.

10 Million Affected by Cybersecurity Attacks

What may come as a surprise to many is that supply chain attacks surpassed malware-based attacks in 2022 by 40%. It would be interesting to know how and why this happened. 10 million people were affected by the attacks. You may ask yourself, how?

In contrast, malware-based attacks affected 4.3 million people. This points to the many vectors to exploit in supply chains. It’s hard to avoid activities that expose supply chains to cyber security risks.

Looking Forward and Risk Mitigation

The number of supply chain attacks increased by 600%. 88,000 reports surfaced of organizations compromised through their supply chains. Mitigation can be achieved through auditing third parties, using auditors to ensure accountability, and compliance with security standards.

Network access may also be limited so that a vendor only gets access to the information and privileges it needs to carry out its work.

There are so many vectors and vulnerabilities that can lead to supply chain attacks.

More creative methods of exploiting vulnerabilities have surfaced with time, giving rise to a greater need for cyber security strategies that not only take entities into consideration but also their vendors and others in the supply chain who may have a greater responsibility for the cyber security interests of other entities than themselves.

Education, automation, and segmentation will be critical in tightening the gaps in supply chains that make it easier for threat actors to compromise systems.

Sources:

• https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise
• https://www.csoonline.com/article/573925/supply-chain-attacks-increased-over-600-this-year-and-companies-are-falling-behind.html#:\~:text=The number of documented supply,supply chain management company Sonatype.
• https://blog.google/threat-analysis-group/
• https://www.project44.com/blog/supply-chain-cybersecurity#:\~:text=According to the report%2C more,and individuals from cyber-attacks.