Not even one year ago, what was called the largest cyber attack in history struck a major hospital chain in the United States. It affected 400 separate locations and put the lives of countless patients at risk. The most recent supply chain attack on Kaseya has dwarfed this event in scope and economic damage, with up to 1500 companies unable to access data and at least USD 11 million in ransom payments.
What exactly happened?
Unlike the attack on hospitals, which was primarily propagated by Trojans installed during phishing attacks, supply chain attacks are indirect system infiltrations. They exploit vulnerabilities in upstream service and even hardware providers, which makes them far less conspicuous and significantly more complex to detect. As a result, they can go unnoticed until it is too late.
In the case of this latest supply chain attack, hackers used a zero-day vulnerability in Kaseya’s software to circumvent the authentication process by spoofing (faking) their identities. This then gave the hackers access to Kaseya’s internal scripting engine, thereby making it possible for them to send an update to all clients which appeared completely legitimate. Unfortunately, this update included malware, which deployed ransomware onto the infected systems once installed. The hackers then used their unauthorised access to encrypt all the data on their victims’ systems. In return for a hefty fee paid to the hackers, those affected would be sent an access code to decrypt their data.
Are there any precedents for supply chain attacks?
Supply chain attacks are hardly new. In fact, a similar attack occurred last year. By the time it was detected nine months later, it had already spread to 18,000 corporate and government networks, including those of the US Treasury and US Department of Commerce. Unlike the Kaseya attack, the SolarWinds Orion platform breach was more interested in spying on companies and government agencies than reaping profits. By installing malicious code into SolarWinds systems, hackers were able to deploy updates with malware to Orion users. This malware created a backdoor, which made it possible for hackers to view confidential information. In the case of Microsoft, one of its victims, this included source code for Microsoft products.
Why does protecting against supply chain attacks require extra vigilance?
As mentioned, supply chain attacks are incredibly difficult to recognise. This is because they attack upstream services and simply wait for this attack to compromise the systems of all downstream users.
To explain this in layman’s terms: consider any software that you use in your personal or professional life. Perhaps financial planning or income tax software. Many of these software providers rely on third-party providers for specific functionality, like data analysis or even to perform basic calculations. So when you download and install your software, you are not only providing significant access to your systems, you are also placing an enormous amount of trust in the providers’ own security protocols. You assume that they know exactly which components, for example commercial or open-source software, have been built into their own software to provide additional functionality. And you also depend on your providers to stay abreast of necessary updates and security patches released by their third-party providers. Only then can you be sure that your systems will not be compromised by running this software or installing any updates.
But what happens when your software provider is not fully informed about all its third-party providers, or any third-party solutions its providers might be relying on? This lack of comprehensive insight makes it impossible to provide extensive security and develop the appropriate security patches and warnings for downstream customers. And this leaves customers exposed and vulnerable. Which is exactly what happened in the Kaseya and SolarWinds attacks.
Who is at risk of falling prey to supply chain attacks?
This recent spate of attacks primarily affected businesses that outsource various operational functions to external service providers. Outsourcing is an especially common practice for smaller businesses whose specific expertise and knowledge do not encompass tasks like security, authentication, data backup and storage, logistics, distribution, help desk support, etc. This makes the pool of potential victims astronomical. Moreover, since they often outsource IT and security tasks, they are also largely unequipped and underprepared to tackle such an attack.
Thus far, attacks on Swedish supermarket chain Coop, which had to temporarily shutter all 800 of its stores, and 100 kindergartens in New Zealand have been traced back to the Kaseya infiltration. A Swiss price comparison website and the administrative offices of the German district of Anhalt-Bitterfeld, both forced to shut down operations, also suspect that they have fallen prey to this recent supply chain attack.
However, as mentioned above, anyone that relies on external service providers is at risk. And it is disconcerting to consider that this does not just refer to corporations, but also to essential services like energy providers and public administration offices. That makes it absolutely critical to seize on any and all security measures that minimise the risk of being attacked.
Where do we stand?
We can be certain that these types of attacks will not only continue but also increase in intensity and scale, primarily because both the scope of their reach and their potential payoff are exorbitant. By compromising one system, hackers can gain access to thousands more, which makes this a particularly lucrative form of ransomware.
So what is the solution? Should businesses, public administration offices, and schools stop employing third-party software? This is hardly a viable solution, as it would require an incredibly high investment, for smaller businesses perhaps an insurmountable one, in specialised services and skills to create software solutions that already exist. The best approach would be due diligence. What does that entail?
- Make secure authentication a top priority: Invest in two-factor and multi-factor authentication tools. This will help deter spoofing attacks and prevent unauthorised access to your systems.
- Go passwordless: Ditching passwords for biometric authentication features, like facial recognition and fingerprint scanning, provides an added and less penetrable level of security.
- Implement access management: Limit access to specific data and systems via access management tools that let you restrict authorisation to specific individuals and require authentication for all access attempts.
- Review your providers’ security protocols: Confirm whether or not your software provider performs regular penetration tests, both internally and with external testing providers. Also, confirm that they comply with international data protection and security provisions like the General Data Protection Regulation (GDPR).
It is ultimately up to everyone involved in the entire supply chain to exercise immense caution and take the necessary steps to close any potential security gaps that could leave customers exposed. However, consumers and users of third-party service providers also have the power and a responsibility to protect themselves. When it comes to ransomware, there is no such thing as too much caution.
Update: REvil, the group responsible for this ransomware attack, has been offline since 13 July. It is still unclear whether American or Russian leaders were involved or whether the group itself went dark. However, countless victims still cannot access their data.