It has been a bumpy year for IT security. Organisations have been forced to secure a fragmented workforce, often instituting remote working policies for the first time, while the threat landscape looked stormier than ever.
But of the many threats that have emerged, or intensified, during the pandemic, supply chain attacks are one of the most concerning.
Supply chains have expanded exponentially in recent years as the growth in digital services made it easier for businesses to outsource work. The largest multinationals have supply chains that involve tens of thousands of partners and suppliers, but even small businesses can have hundreds of connections, particularly when the expanded network – a supplier’s suppliers – is taken into account.
By and large this is a good development for businesses, making it easier to access services and expertise as and when it is needed, particularly with the flexible cloud-based “X-as-a-service” model. But each link in the supply chain also provides a potential opportunity for threat actors to exploit.
Perhaps the most extreme example was the SolarWinds supply chain cyber-attack unearthed at the end of 2020. The attack saw highly capable threat actors infiltrate SolarWinds’ build systems and covertly place malicious code in a signed update for the popular Orion platform. As a result, as many as 18,000 customers installed the trojanised update; a much smaller number were then singled out for follow-on intrusion.
The scale and sophistication of the incident is attention-grabbing, but it’s important to remember it’s an outlier as far as supply chain cyber-attacks go. The attack required an extensive campaign that involved months of careful preparation, and appears to have had the backing of a nation state. But supply chain attacks are also used extensively by common cyber criminals and need not be anywhere near so elaborate.
Exploiting email contacts
Malicious emails are one of the most common forms of supply chain attack. We’ve gotten so used to dealing with hundreds of messages a day that we don’t spare most of them a second glance, making it fairly easy for attackers to deceive their targets with a few simple tricks.
Business Email Compromise (BEC) attacks, where threat actors impersonate trusted contacts, often senior executives such as the CEO themselves, are a particularly prevalent form of supply chain attack.
Impersonating a supplier or partner is an effective way for attackers to get their victims to drop their guards, especially if they’ve done their homework and have convincingly spoofed the supposed sender’s address and copied their branding.
Even more dangerous are account takeover attacks where the criminal has actually hijacked a real email address rather than merely spoofing it. Unless the imposter acts wildly out of character these attacks are extremely tough for both personnel and security solutions to spot.
Hiding behind the guise of a trusted supplier, the threat actor can achieve multiple attack objectives, tricking their victim into downloading malware-laden files or clicking malicious links. While a fake invoice laced with malware used to be a mainstay tactic, improved detection capabilities have pushed many attackers towards more subtle approaches. Login credentials and other sensitive data can be harvested via direct email requests or via links to fake login portals that mimic the real service.
Stealing login details paves the way for…
Credential stuffing attacks
Once they have successfully harvested account information, attackers can start logging into their victim’s profiles and wreaking all manner of havoc. They can also initiate credential stuffing attacks, where automated tools replay the stolen username and password pairs against other services at scale, banking on the fact that the same pair will work elsewhere. As most people tend to reuse their passwords across multiple systems, a single set of stolen credentials can grant access to many different networks and applications.
This is particularly dangerous in the era of the cloud, where getting into a service like SharePoint provides access to a huge array of sensitive data and applications. This can also be used to fuel further supply chain attacks, either through a compromised email address or via the inbuilt sharing tools that most cloud platforms include.
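The telltale signature of credential stuffing on the defender’s side is a single source trying many different usernames with a high failure rate, since each stolen pair is tried once and most do not work. The following is an added example, not code from the original article or from any vendor it mentions: a small Python detector run over a handful of constructed authentication log lines. The log format, the IP addresses, the account names and the thresholds (five or more distinct users and a failure ratio of at least 0.6) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample authentication log lines (invented for this example,
# not taken from any real system). One source tries eight different
# accounts in a few seconds and gets one hit; another source retries a
# single account; a third is a normal single login.
SAMPLE_LOG = """\
2021-03-04T09:12:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2021-03-04T09:12:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2021-03-04T09:12:02Z ip=203.0.113.7 user=carol@example.com result=FAIL
2021-03-04T09:12:03Z ip=203.0.113.7 user=dave@example.com result=SUCCESS
2021-03-04T09:12:03Z ip=203.0.113.7 user=erin@example.com result=FAIL
2021-03-04T09:12:04Z ip=203.0.113.7 user=frank@example.com result=FAIL
2021-03-04T09:12:05Z ip=203.0.113.7 user=grace@example.com result=FAIL
2021-03-04T09:12:05Z ip=203.0.113.7 user=heidi@example.com result=FAIL
2021-03-04T09:13:10Z ip=198.51.100.23 user=alice@example.com result=FAIL
2021-03-04T09:13:15Z ip=198.51.100.23 user=alice@example.com result=FAIL
2021-03-04T09:13:20Z ip=198.51.100.23 user=alice@example.com result=SUCCESS
2021-03-04T09:14:00Z ip=192.0.2.55 user=ivan@example.com result=SUCCESS
"""

# Assumed log line layout: timestamp, source IP, account, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_log(text):
    """Parse log text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing_sources(events, min_users=5, min_fail_ratio=0.6):
    """Return {ip: stats} for source IPs whose pattern looks like credential
    stuffing: many distinct usernames from one source with mostly failures.

    A source hammering one account repeatedly (brute force or a user
    mistyping a password) is deliberately not flagged here, because the
    distinguishing feature of stuffing is breadth of accounts, not depth.
    """
    per_ip = defaultdict(
        lambda: {"users": set(), "attempts": 0, "failures": 0, "hits": set()}
    )
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "FAIL":
            s["failures"] += 1
        else:
            s["hits"].add(e["user"])  # accounts the source actually got into

    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "fail_ratio": ratio,
                "compromised": sorted(s["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

The `compromised` list is the part worth acting on: those are the accounts where a reused password worked, so they need a forced reset and a session revocation, not just a blocked IP. In a real deployment the same counting would be done per time window rather than over the whole file, and the thresholds tuned against the tenant’s normal login volume.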
Keeping the supply chain secure from cyber threats
While events like SolarWinds are a rarity, even common supply chain attacks can be insidious and hard to spot. But as with most cyber threats, a few basic precautions can make all the difference.
Multi-Factor Authentication (MFA) is particularly effective here. Requiring a second verification step through a separate channel such as a mobile app or soft token will stop most credential stuffing attempts dead in their tracks, because a stolen password on its own no longer opens the account. One caveat: SMS codes and push approvals can still be captured by a phishing page that relays the login in real time, or worn down by repeated prompts, so where possible prefer phishing-resistant methods such as FIDO2 security keys for privileged and supplier-facing accounts.
A solid MFA policy will greatly mitigate the threat posed by credential stuffing, as well as reducing the chances of attackers compromising profiles for dangerous account takeover attacks.
Alongside this, companies should also look to invest in security awareness training to help their personnel identify and report suspicious emails, as well as following best practice for sharing credentials and other sensitive data.
As supply chains continue to grow in scope and complexity, firms need to take precautions to stop attackers exploiting them. Training staff to be more cautious about emails will go a long way, but implementing verification steps like MFA will help keep the supply chain safe without fostering mistrust or slowing operations down.