Uncovering security risks in digital supply chains


Chester Wisniewski, Principal Research Scientist in the Office of the CTO at Sophos, is a three-decade veteran of the security space. He has seen everything from firmware attacks, SQL injections and credential stuffing to “script kiddies” and nation states play in the battleground that is the modern enterprise security space.

The trend he observes is that mid-tier and low-tier cybercriminals copy what sophisticated nation-state actors get up to, often crudely replicating their techniques against enterprises. One consequence is that, while breaking directly into a large enterprise is sometimes hard, the digital connections the enterprise is plugged into can form the weakest link in its security posture and let attackers in.

In a chat with Frontier Enterprise, he talks about specific cases of how this has been done, and what an enterprise can do to secure its digital supply chain against skilled attackers.

Why is the supply chain a top security risk, and what can happen if it is not adequately secured?

Nobody has a crystal ball, but I’ve been doing this for 25 years and time and time again, we see that what the nation states develop is taken on by skilled criminals 18 months later. Lo and behold, four to five years later, we see script kiddies do the same. This adoption trend has been pretty consistent. Ransomware wasn’t a new thing in 2013, but somebody figured out a new way to monetize it by using cryptocurrency as a payment method – turning it into the next big thing that hundreds of cybercriminals took on.

This ‘nation-state’ behavior is what we’ve observed being ramped up in the supply chain aspects of things. When people think of supply chain, they think of a compromised chip in a phone or a router – like a software supply chain. We’ve seen the starting signs of the utilization of the software supply chain, and the Duqu virus was probably the first ‘nation-state’ example of it. Five to six years ago, the Duqu virus abused the Microsoft Windows Update model in order to get malware on the systems. They were able to forge a certificate because it was MD5. Microsoft is still using the MD5 cert for some Windows Updates, and they were able to create a collision and use Windows Update in order to introduce malware onto people’s computers.

That’s a supply chain thing. They were compromising Microsoft to get to the third-party company that used Microsoft’s products. Without even breaking into Microsoft, they were just using a weakness in its own product as a method. More recently, Kaspersky published research on ASUS, the Taiwanese motherboard and laptop manufacturer, where their auto update mechanisms are being abused in order to get malicious code onto people’s systems. While nobody has properly attributed it, it looks like it’s probably nation-state, given the number of targeted computers.

So, what are the common malware hits caused by?

One way is by RDP credentials. Another way malware hits systems is through auto update mechanisms. Auto update mechanisms are designed to bring code in and run it, so attackers abuse those mechanisms. We’re also seeing supply chain attacks against service providers, in instances where there have been some vulnerabilities in situations like Corsair, which is used by a lot of MSPs. Corsair, of course, allows remote access to all their customers so that they can manage their solutions for them. If they can break into one MSP, they’ve got access to all of their clients, ultimately compromising them.

Bringing us back to another supply chain, point-of-sale environments especially see tons of this. Point-of-sale vendors have remote access to every restaurant, every pub, everywhere that they’ve got point-of-sale terminals, to do remote maintenance. They usually have one password in order to give all their technicians access to any of their clients. So, if cybercriminals are targeting those organizations, they are doing that knowing they can potentially steal credit cards from 500 restaurants with one password. It requires a little bit of creativity, but let’s say there is a broader picture than the regular ‘planting a secret chip on a motherboard’ method – basically anything that a third party has been granted privileges into is the victim of interest.

As a cybersecurity company, is Sophos also at risk?

Well yeah, of course these risks are ever-present because we’ve got cloud-based products that administrators log in to, to manage their own cyber hygiene. If one of those administrators’ passwords is compromised through a phishing attack, they can just log into the software and turn it off.

We see a lot of attacks against our infrastructure, and we’re working towards being more robust and implementing more multi-factor authentication for our partners’ systems. As partners, they are a gateway to our customers. We have to secure everything as much as possible – for the bigger, more valuable targets that have good security programs, the best way in is the side door of these supply chain attacks.

Now, criminals look for economies of scale. They’ll look at the number of victims they could get with one password because that is more valuable than hacking individuals one by one.

Can you share more about the Cybersecurity-as-a-System approach to tackle and manage the supply chain?

Companies need to start vetting relationships with their vendors and suppliers every time they’re renewing contracts and ensure that they, too, are compliant with regulations, such as the GDPR if they do business in Europe.

As part of the vendor process, we’ve built in these checks where we go, “Is the vendor compliant with the regulations that we’re required to comply with?”

Cybersecurity questions need to start becoming a vital part of the vendor process.

If you’re going to grant trusted remote control to the party that’s providing you with credit card processing, you need to be asking them the right questions – like how they are managing credentials, whether they require multi-factor authentication, or whether they even use a VPN.

These are the kind of measures that can prevent these types of attacks. However, outside of defense and government, which come with long contractual processes and 400-page agreements, this is pretty new for regular organizations who are hiring external vendors. But we don’t want pages and pages to go through; we need practical security. Practical security is what we’re working towards.

Is there a checklist of sorts for businesses to look at?

Yes, things like: what are the procedures for authenticating users before they can access an environment? Is this thing exposed to the internet? Because information like that should not be exposed directly to the internet. It needs to be behind some sort of VPN or multi-factor access in order to provide some level of security.

Do companies pay attention to revoking employee access after they have left their organization? Shared passwords are so common among many of these companies out there, which means ex-employees still know how to get into the database. This is unacceptable and has always been unacceptable. It’s just that the risks weren’t as high as before, and most of us did not ask the right questions or did not even know to ask the right questions. This is why it is important to have a checklist to vet any current or new vendor coming into a company and dealing with data.

Finally, how do you see this security scenario evolve, with IoT and AI coming up?

I don’t think AI is going to be a problem from an attacker standpoint. I think attackers poisoning our AI is the real problem, which will continue to get worse because they know that they can muddy the water enough to confuse the AI.

And that’s just one method of attack.

I don’t see criminals themselves using it because it’s too hard. The good guys are only now getting around to coming up with good ways to use it and are investing millions of dollars in AI. It’ll be a while before the criminals are able to do that effectively. I’m not saying they won’t ever, but I think people are a little pessimistic there because we’re ok on that front.

There are a number of insecure devices out there, especially at home, because home appliances are multiplying and there is no life cycle for these things. One could buy an Internet of Things (IoT) device and in three years, even if it’s working just fine, it will never get an update again. And that’s a problem. These things are becoming unmaintained quite quickly, even when they’re expensive. And that is something that somebody spent around four thousand dollars on, and if that’s getting discontinued in three years, then is there any hope for the smart light bulb and the robot vacuum?

The device is getting abandoned long before we’re ready to abandon it. So, that leads me to think about what is going to happen: we’re probably going to continue seeing less and less negative impact from the low-skilled script kiddie groups. They’re going to continue to make a lot of noise, but we’re already so good at blocking it with our own AI heuristic stuff with the next-generation endpoint.

Don’t you think that the low-skilled criminals can still pack a punch?

Sure, they can do some damage, but we’re good at blocking the noise of the Internet, the spam, and the vast majority of that malware coming out of the auto-generated systems by these unskilled groups. Most of the damage that these unskilled groups are going to do is by hacking billions of devices into DDoS.

I don’t think we’re going to see large data losses, or major cyberbreaches [as a result of unskilled hacking]. In fact, I think we’re going to see fewer and fewer of them causing direct financial harm to individual people like we’ve seen with ransomware and other things. They are probably going to evolve into more and more DDoS. With ransomware, just a hijack of a million smart devices or holding someone’s website hostage by simply blasting them with data will do the trick, because we’ve all got broadband and smart robot vacuums that aren’t as smart as we thought. This will be largely good for individuals, as it’s going to cause a lot less individual harm than we’ve seen in the past from malware. Though, unfortunately, it’s going to cause its own kind of new mayhem and havoc, but that’s really what those unskilled criminals are going to be trapped in.

They’re just going to be causing havoc and a lot of annoyance with tons of background radiation, if you will. But, very little direct individual harm will come to regular people.

These mid-skilled attackers are the ones that I think are going to really excel for the next few years because it’s always about a blueprint. Somebody came up with a criminal business model that worked and everybody went right for it and made billions of dollars.

With attacks like SamSam and MegaCortex, we’ve seen these high-value ransoms one at a time or five at a time, but at very low volume. Sadly, they’ve set a blueprint. Anybody with skills in the criminal underground will gain inspiration and go, “That’s a business model, I can do that”.

So, instead of hearing about millions of victims of Conficker, we’re going to be hearing about dozens of victims every week. But each one is losing millions of dollars, so obviously that does still have a negative impact on general society, because that means the cost of our products goes up because the businesses making those products are being robbed. And that has a cost to our economy.