When you deploy a security card reader or install antivirus software, it’s because you want tighter security, right?
Yet, these very same security measures could become yet another weakness in your security.
No matter what steps you take, it always seems like something else comes up.
Well, now there’s another problem to watch out for, and this one isn’t an issue you have much control over: supply chain attacks.
If attackers can’t find a way into your systems directly, they can still get in through the partners and vendors you work with.
These attacks, like walking in through a side door, often bypass much of your security stack, allowing attackers to operate inside your networks.
To counter these sneaky supply chain attacks, you need to know the latest methods of entrance, so your security teams can take appropriate measures.
Let’s take a look at some of the newest attacks discovered, and what you can do about them.
Corrupted Antivirus Files
Unfortunately, some attackers have found ways to corrupt these same antivirus programs to deliver and maintain malware.
Attackers know that endpoint protection software runs with very high privileges, and that security teams don’t always monitor the activity.
Thus, when an attacker drops a malicious DLL into the endpoint protection software’s own directory, the product itself can often be made to load it, running the attacker’s code with the product’s privileges and without detection.
To prevent future exploits of this method, Trend Micro recently published an advisory and updated their antivirus software. However, Kaspersky 2013, McAfee, and Symantec were also found vulnerable to DLL search order hijacking, but haven’t yet published any patches.
If you’re using Trend Micro, make sure you update to the latest version (don’t click that ‘Remind me later’ button!). And if you’re using one of the others mentioned, make sure to stay alert for any future patches.
Python Supply Chain Attacks
While a corrupted antivirus file requires that an attacker first gain access to the endpoint, attackers can skip that step entirely by striking further up the chain.
As evidence, attackers recently corrupted open-source Python packages hosted on PyPI, including packages already incorporated into applications, so that they also contain malicious code.
In one attack, malicious actors uploaded a package named ‘pymafka’ to trick programmers searching for PyKafka, a popular Apache Kafka client downloaded over 4 million times.
Developers who mistakenly incorporate the newly-corrupted package expose systems to file-less shellcode agents and Linux backdoors.
A similar attack replaced existing ctx and phpass modules with a corrupted module that enables theft of Amazon AWS keys, credentials, and other environment variables.
In this second attack, the threat actor also corrupted older versions of the packages, so users can’t even try to undo the damage by reloading older versions.
Similar to standard phishing prevention techniques, you always want to double-check that the packages you download are truly the ones you’re looking for.
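As an added example (not code from the original post or from any project it mentions), the script below automates that double-check for Python dependencies: it flags a requested package name that closely resembles a trusted one, the pymafka/PyKafka pattern, and compares a downloaded archive’s SHA-256 against a pinned digest, which also catches a republished older version as in the ctx case. The trusted package list and the archive bytes are constructed for illustration.

```python
"""Added example: gate a Python dependency on its name and on a pinned hash.
The trusted package list and the sample archive bytes are constructed for
illustration; they are not real PyPI metadata."""
import hashlib
import hmac
from difflib import SequenceMatcher

# Constructed allowlist: packages this project is known to depend on.
KNOWN_PACKAGES = {"pykafka", "requests", "ctx"}

def normalize(name):
    """PyPI name normalization: case-insensitive, '_' and '.' treated as '-'."""
    return name.lower().replace("_", "-").replace(".", "-")

def typosquat_candidates(name, known=KNOWN_PACKAGES, threshold=0.8):
    """Return trusted names that a requested name closely resembles.
    An exact match is legitimate; a near miss (pymafka vs pykafka) is the
    look-alike pattern used against PyKafka users."""
    name = normalize(name)
    known = {normalize(k) for k in known}
    if name in known:
        return []
    return sorted(k for k in known
                  if SequenceMatcher(None, name, k).ratio() >= threshold)

def verify_artifact(data, expected_sha256):
    """Compare the sha256 of a downloaded archive with the pinned digest.
    A republished 'old' version (the ctx case) changes the digest, so a pin
    catches it even when the version number looks familiar."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, expected_sha256.lower())

def check_requirement(name, data, pinned_sha256, known=KNOWN_PACKAGES):
    """Decide whether one download may be installed: returns (allowed, reason)."""
    lookalikes = typosquat_candidates(name, known)
    if lookalikes:
        return False, f"{name} resembles trusted package(s) {lookalikes}; confirm the name"
    if not verify_artifact(data, pinned_sha256):
        return False, f"{name}: sha256 differs from the pinned digest; artifact may be replaced"
    return True, f"{name}: name and sha256 verified"

if __name__ == "__main__":
    archive = b"constructed wheel contents"      # stands in for a downloaded wheel
    pin = hashlib.sha256(archive).hexdigest()     # digest recorded when it was reviewed
    print(check_requirement("pykafka", archive, pin))
    print(check_requirement("pymafka", archive, pin))
    print(check_requirement("ctx", b"republished contents", pin))
```

pip enforces the same digest check itself when each requirement is pinned with `--hash=sha256:...` and installed with `--require-hashes`.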
Other Supply Chain Attacks
As security solutions become stronger and more effective, attackers look for softer targets within your supply chain.
So, how common is it?
Research by Mandiant indicates that as much as 17% of attacks (approx. 1 in 6) initially come through supply chain compromise.
Researchers also note the rising attacker interest in Operational Technology (OT) and Industrial Control Systems (ICS). While the additional data extracted from OT/ICS can be used to optimize operations, a corruption in the continuous integration chain can also provide threat actors access to related networks and resources.
For example, attackers were found attempting to embed threats into telecom supplier components to gain future access to 5G networks.
Other attackers embedded malware into firmware updates for the Common Access Card readers used to authorize access for Department of Defense, military, and other government employees.
While these types of attacks can often be detected by careful inspection of your hardware or software, most companies simply don’t have the time or resources for such inspections.
However, not all attacks focus on hardware and software. Some target the people in your supply chain and attempt to corrupt credentials.
Earlier this year, Okta suffered a high-profile breach of 2.5% of its customers’ credentials.
How did it start?
A threat actor obtained the credentials for an Okta customer-support engineer account managed by Sitel – a third-party provider for some of Okta’s customer support.
The attackers (in this case members of the Lapsus$ gang) simply found the weakest link in the supply chain, leaving Okta to deal with the headaches.
In this type of breach, the victim (Okta) can’t even perform the investigation into the incident itself, because it occurred in a subsidiary. Instead, the victim is virtually helpless while they wait for results.
Of course, victims can also take preventative measures once they know a breach occurred.
When taken immediately, steps like changing passwords, adding additional MFA to critical accounts, and sharing information with customers all help limit the damage.
Find and Lock Your Side Doors
You know how important it is to stay secure, and you use all the right security features.
But, can you say the same about your vendors, partners, and everyone else your business interacts with?
Detecting an unused side door, zero-day vulnerability, misuse of necessary applications, or other unknown weakness remains very difficult.
However, once someone begins trying to exploit the weakness, security tools such as endpoint protection, network security, and cybersecurity monitoring can catch the malicious action.
You don’t need to feel like you’re at the mercy of your supply chain’s security struggles.
For help blocking, investigating, and mitigating possible supply chain attacks, contact Blue Bastion at 412-349-6680, or fill out the form below.
Our team will provide a simple-to-understand, no-obligation consultation to discuss your questions, concerns, and solutions for any need and budget.