Supply Chain Cyberattacks are a new form of Privilege Escalation and Lateral Movement Attacks that originate outside of the otherwise secure networks of targeted organizations. As evident from the SolarWinds Orion hack, organizations must not only build strong defences for themselves, but also stay extra vigilant when dealing with third-party contractors, vendors, freelancers, and even remotely working employees.
A Supply Chain Cyberattack targets the supply or value chain of an organization in order to gain access to a downstream target. The nature and scale of such attacks are quite large, but the attackers are always extremely careful to hide their tracks and movements, leading to late discovery of the impact of such breaches. These attacks invariably involve a very high degree of planning, sophistication, and dedication. Needless to add, in addition to the targeted organization, any Supply Chain Cyberattack deeply impacts all organizations in the “blast radius” of the original compromise.
What Are Supply Chain Cyberattacks and How Do They Differ from The Traditional ‘Island Hopping’ Attacks?
“Island hopping” attacks involve going after potentially vulnerable partners or elements in the value chain. Advanced Persistent Threat (APT) groups try to obtain privileged access to penetrate deep into the actual target network. This type of attack often includes exploiting multiple “weak points” in order to gain access to the actual target of the attack.
Supply Chain Cyberattacks are not just different, but are far more sophisticated. To successfully conduct such attacks, APT groups seek to exploit the long-term trust relationship that businesses have established with legitimate products. So far, malicious code writers have sought to gain unauthorized access to a target organization by implanting backdoors into products that the companies have used for quite some time.
A typical Supply Chain Cyberattack can plant malicious code inside popular and reliable software. The most common route or channel of delivery is automated patches or software updates. Since such updates or patches usually arrive from the same channel or source, they aren’t scrutinized thoroughly.
Needless to mention, Island-Hopping Attacks and Supply Chain Cyberattacks might target more than one organization. Moreover, the objective might be to gain access or to collect information on multiple industries within the same segment. On the other hand, quite a few victims are just a means to go after the intended or targeted industry.
The SolarWinds Hack Explained:
The most prolific and concerning example of a Supply Chain Cyberattack is undoubtedly the SolarWinds Orion compromise. However, such long-chained attacks aren’t new, and they began with Island-Hopping Attacks. The most notable examples are Target and Home Depot, which involved cybercriminals attempting to harvest payment card information on a large scale.
There has been a lot said and written about the SolarWinds Orion Supply Chain Cyberattack. The backdoor dubbed “SUNBURST” is at the core of the attack. Instead of going into the specifics again, it would be better to understand the impact, fallout and insights that companies can gain.
Who was affected by the SolarWinds Supply Chain Cyberattack?
In the simplest of terms, any company that used SolarWinds Orion products, in any of their multiple iterations or versions, is a potential victim. However, to ensure the attack remained undetected, the APT group only activated or used the SUNBURST backdoor in cases where the target environment appeared to be of specific interest.
Companies who suspect they are victims of the SolarWinds Supply Chain Cyberattack need to conduct a thorough audit of their cybersecurity protocols and practices. Due to the extensive volume of data involved, many organizations might still be unaware if they were a victim.
Detecting Security Compromises Due To SolarWinds Supply Chain Cyberattacks
Detecting the SUNBURST backdoor implanted in SolarWinds Orion is a complex task. In fact, the existing automated delivery of patches and updates makes it near impossible. Moreover, the APT group behind the attack took extreme care to hide not only their attacks but also their tracks and activities.
They delivered the SUNBURST backdoor through a legitimate software update to a known monitoring and management tool. Needless to add, for the software update containing the backdoor to be successfully installed, companies had to have specific software components to already be present on the target system. After the initial compromise, the adversary used well-known tools and techniques to harvest admin credentials, establish persistence, and gain remote access to the compromised system.
Hence, the most reliable way to detect whether a company has been a victim of the SolarWinds Supply Chain Cyberattack is to closely monitor for abnormal network activity originating from the SolarWinds Orion platform. Needless to add, the APT group took multiple steps and precautions to hoodwink reliable security platforms.
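As an added illustration of the monitoring the article recommends (example code, not from the article or from SolarWinds), the script below learns which destinations a monitoring server normally talks to from a known-good period of flow records, then flags connections from that server to destinations it has never contacted before. The server address, the internal address range, the log format and every flow record are constructed for this example.

```python
"""Flag novel outbound destinations from a network-monitoring server.

Added example (not from the article): the host address, log format and
every address below are constructed for illustration only.
"""
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "ts src dst port")

ORION_HOST = "10.0.5.20"                              # constructed server address
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed internal range

# Constructed flow records, one per line: "<time> <src> -> <dst>:<port>"
BASELINE_LOG = """\
2020-11-01T09:00:01 10.0.5.20 -> 10.0.1.1:161
2020-11-01T09:00:02 10.0.5.20 -> 10.0.1.2:161
2020-11-01T09:05:00 10.0.5.20 -> 10.0.2.40:135
2020-11-01T10:00:00 10.0.5.20 -> 203.0.113.10:443
"""
MONITOR_LOG = """\
2020-12-13T03:12:41 10.0.5.20 -> 10.0.1.1:161
2020-12-13T03:12:45 10.0.5.20 -> 198.51.100.77:443
2020-12-13T03:13:02 10.0.5.20 -> 10.0.2.41:135
2020-12-13T03:20:19 10.0.5.20 -> 203.0.113.10:443
"""


def parse(log):
    """Turn the constructed flow lines into Conn records."""
    conns = []
    for line in log.splitlines():
        ts, src, _, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        conns.append(Conn(ts, src, dst, int(port)))
    return conns


def baseline(conns, src=ORION_HOST):
    """Set of (dst, port) pairs the monitoring server is known to contact."""
    return {(c.dst, c.port) for c in conns if c.src == src}


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect(conns, known, src=ORION_HOST):
    """Return (severity, conn) for each never-before-seen destination.

    A new internal destination is expected for a monitoring tool (a newly
    added node), so it is rated low; a new external destination is rated high.
    """
    alerts = []
    for c in conns:
        if c.src != src or (c.dst, c.port) in known:
            continue
        alerts.append(("low" if is_internal(c.dst) else "high", c))
    return alerts
```

A real deployment would feed firewall or NetFlow exports instead of the embedded strings and refresh the baseline after each legitimate change, such as a vendor update endpoint being added.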
Avoiding Supply Chain Cyberattacks
The extensive and deep integration of third-party vendors, contractors, and, in the current, ongoing scenario, remotely working employees makes them potential targets for conducting a Supply Chain Cyberattack. It is, however, important to note that such parties are unavoidable, as they allow organizations to implement highly efficient processes. Companies need design, prototyping, manufacturing, logistics, and philosophies such as just-in-time delivery to the end customer, and relying on interconnected third-party vendors is critical for such companies.
While such interconnectivity can and does save companies a lot of money, it can be exploited by APT groups. Hence, security researchers have now started adopting the Zero Trust Security Model that requires interconnected process automation to be treated with the same distrust as any other anonymous connection.
Moreover, organizations need to have strong Identity and Access Management policies. Companies can follow the “Least Access” philosophy to ensure that any account has the least required rights and privileges to do the job. This will significantly minimize the impact of a compromised account. Essentially, restricting inbound and outbound component access to the minimum limits the APT’s abilities to exploit their position.
As discussed previously, contractors and third-party vendors do require secure access. While they are an unavoidable and critical component of modern-day businesses, companies need to routinely conduct security and access audits to spot potential weak points.
Basically, routinely checking who has what access will allow companies to remain vigilant. Such an assessment will provide the proactive access controls measure that will limit an adversary’s success.
The SolarWinds Supply Chain Cyberattack is a grim reminder that there’s no such thing as a secured network. Moreover, there will be techniques and methods of attack that can fool even the most robust of security measures. However, vigilant companies that monitor their data flow, restrict access to application data to the bare minimum, and deploy security measures such as multi-factor authentication will be able to detect anomalies and take the necessary steps to safeguard their digital assets from exfiltration, destruction, or being held for ransom.