Supply Chain Attacks: Shipping the Exploits


Malware inserted along the business supply chain can be far more effective than directly compromising a single company’s network. Local browsers, used by vendors and customers alike, open the door for attackers.

*
What do banks and airlines, law firms and software makers, shipping companies and concert ticket sellers all have in common? Their day-to-day business depends on tightly integrated networks of service providers and product vendors.

Without functioning IT, most of these supply chains would break down. Network breaches can - and with increasing frequency do - result in significant damages.

A different kind of box office hit

Two recent incidents illustrate the broad spectrum and impact of web-borne third-party risks. Vendor vulnerabilities pose a growing threat not only to digital commerce but also to traditional sectors, such as the global shipping and logistics industry.

  • The first example, from June, involved online box office Ticketmaster. The incident highlights the vulnerability of the digital economy to exploits introduced into the software supply chain by SaaS vendors and developers.

    Criminals compromised Ticketmaster’s web server by slipping a malicious JavaScript snippet into code which support chat service provider Inbenta Technologies provided on Ticketmaster’s payment page. Using this indirect approach, the attackers were able to discreetly siphon off payment data and personally identifiable information (PII) of Ticketmaster users from February to June 2018.

  • The second example, from last week, serves as a reminder that much more than concert-goers’ credit card data is at stake. Sophisticated cyber attacks are increasingly disrupting the “traditional”, material-world supply chain. Crippling malware campaigns are threatening the movement and trade of raw materials, manufactured goods and perishables by air, land, and sea.

    Maritime intelligence service Lloyd’s List reported that Chinese container shipping giant Cosco had been “targeted” in a ransomware attack. The ocean freight carrier alerted its customers and business partners to a “local network breakdown” that subsequently caused the company to temporarily shut down the networks in its U.S. offices and seven other countries for systems clean-up. In addition, a terminal affiliated with Cosco Shipping at the Port of Long Beach, CA (the country's second-busiest container port) was hit by a ransomware attack.
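The Ticketmaster case above is a third-party script substitution, and Subresource Integrity (SRI) is the browser mechanism that lets a page pin the exact script body it expects from a vendor. As an added example (not code from the original post, Inbenta or Ticketmaster), this Python computes the integrity token a page would carry and applies the browser's matching rule to a constructed script body and a tampered copy; the URL and script content are made up for the demonstration:

```python
import base64
import hashlib

# Digest algorithms SRI accepts, listed from weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Return the integrity token a page should pin for this exact script body."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    raw = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(raw).decode('ascii')}"


def sri_matches(body: bytes, integrity: str) -> bool:
    """Browser rule: keep only the tokens that use the strongest algorithm
    present in the attribute, then pass if any of them matches the body."""
    parsed = []
    for token in integrity.split():
        algo, sep, digest = token.partition("-")
        if sep and algo in SRI_ALGORITHMS:
            parsed.append((SRI_ALGORITHMS.index(algo), algo, digest))
    if not parsed:
        return False  # unknown or malformed tokens: nothing to trust
    strongest = max(rank for rank, _, _ in parsed)
    return any(
        sri_digest(body, algo) == f"{algo}-{digest}"
        for rank, algo, digest in parsed
        if rank == strongest
    )


def script_tag(src: str, body: bytes) -> str:
    """Emit the <script> element the embedding page would carry for this body."""
    return (f'<script src="{src}" integrity="{sri_digest(body)}" '
            'crossorigin="anonymous"></script>')


# Constructed sample: the vendor's original widget and a modified copy.
ORIGINAL = b"window.chatWidget = function () { /* support chat */ };\n"
TAMPERED = ORIGINAL + b"// injected change the page owner never reviewed\n"
PINNED = sri_digest(ORIGINAL)

if __name__ == "__main__":
    print(script_tag("https://vendor.example/chat.js", ORIGINAL))
    print("original passes:", sri_matches(ORIGINAL, PINNED))
    print("tampered passes:", sri_matches(TAMPERED, PINNED))
```

A pinned token means a vendor-side change to the script fails to load instead of running silently; the operational cost is that every legitimate vendor update needs a new token on the page.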

Does this alarm from a global container shipping company sound familiar? If so, that’s because it should.

Almost exactly a year before, Denmark-based A.P. Møller-Maersk, the world’s largest container shipping company, suffered a much-publicized and similarly debilitating ransomware attack (of the “NotPetya” variety). Estimated damage: more than $250 million. 4,000 servers and 45,000 PCs had to be wiped clean and reinstalled.

Supply Chain Attack Target A.P. Møller-Maersk (Authentic8 blog post)

Get ready for more, and far worse, attacks against the supply chains of various industries in the future, warn IT risk analysts with consulting firm Booz Allen Hamilton in their Foresights 2018 report. Because companies rely increasingly on outsourcing for their day-to-day business, worries are growing that attacks via the supply chain will bypass the usual security fences.

In the cargo and shipping industry, these fences seem to be particularly low. Katharina Natividad, an international logistics consultant based in San Francisco, experienced first-hand last year’s attack that crippled Maersk. Its effects went far beyond the IT realm.

“Like a huge wave,” says Natividad, this attack hit the container industry, its infrastructure, partners, and customers. “Shippers had containers at the port that they could not get to, because all the computers were down,” she remembers. “No one could load, either.”

So the industry heeded the wake-up call, no?

In reality, says Natividad, even after NotPetya most shippers do not pay much attention to cybersecurity. “Many are small companies,” she explains. “They don’t have the deep pockets to pay for cybersecurity. They just hope that nothing happens. They are basically sitting ducks.”

Weak links, high stakes

It’s only logical, as the Booz Allen Hamilton report points out, that attackers focus on the supply chain for maximum impact - with that many links, finding the weakest one requires more patience than sophistication.

Compromising a major tech company may not be as easy as breaching the network of a container port or the computers of a mom-and-pop freight forwarding firm. But it can wreak far more havoc - if the target’s software is used not only by global container ports or hundreds of cargo companies, but also in many other industries.

According to the Booz Allen Hamilton report, “the most obvious fear is that a supply chain attack will successfully compromise an update or a download server for a truly popular piece of software.”

Piggybacking on antivirus tools

A 2017 incident involving the security software firm Avast shows just how this scenario can play out. The antivirus tool provider, whose products are used by many US businesses, found that CCleaner, a program it distributed, had shipped an updated version of itself that contained a backdoor.

How did this happen? The subsequent investigation found that the perpetrators had initially gotten onto the developer’s London-based network, using stolen credentials. CCleaner end users never doubted they were receiving a legitimate copy of the update because it came from a trusted vendor.

Far-reaching supply chains also serve as a staging ground for surprisingly targeted attacks. This particular attack provides a textbook example. What looked like a straightforward malware insertion at first turned out to be a veritable twofer:

  1. The malware shipped with CCleaner transmitted information like computer names, IP addresses, installed software, active running software, network adapter information and more to the attackers. However, that was only Phase 1 of the attack.

  2. In Phase 2, a selected few - only 40 of the 1.5 million computers that responded - were targeted with a payload called ShadowPad. These 40 machines were the true targets - even though the attack had to infect more than a million computers to get to them.

Deep-reaching software supply chain infiltrations provide a vector to more than one potential target inside an organization. They don’t raise any red flags - software updates are a routine part of normal operations.

This also means that traditional antivirus, threat detection, and analysis tools often provide little or no protection. Attackers gain access to their targets and go undetected for much longer than with malware delivered through channels less trusted than, say, the company’s antivirus tool provider.

Oh, the irony.

Are your vendors sufficiently vetted?

One problem, a Ponemon Institute report on supply chain cybersecurity from 2017 indicates, seems to be that companies put too much trust in third parties. Rarely do they verify whether their vendors deserve that trust, as research reports reviewed on this blog show.

In the Ponemon survey, more than half - 56 percent - of respondents stated that they suffered a breach which was caused by one of their vendors. The report also found that the average number of third parties with access to sensitive information at each organization had increased from 378 to 471 over the prior year.

Bottom line: The report confirms the trend of companies allowing ever more insufficiently vetted third parties to access their systems and data.


This (too) trusting relationship between organizations and their suppliers leaves the victims almost defenseless: supply chain attackers exploit that false sense of security to buy time, thread the needle, and remain undetected for extended periods.

Open source trust issues

The open source software community prides itself on its spirit of collaboration and peer-validated trust. Yet many projects are a third-party cybersecurity incident waiting to happen. All it takes is one compromised developer platform or repository.

Code libraries that a Linux distribution or program pulls from a repository are a favorite target for hijackers. In a popular repository, they can replace a library with an altered version, which from there may find its way into all kinds of applications, including large-scale enterprise software packages.

One such exploit was uncovered in June 2018 by Snyk; I’ve written about it here. The malware, named ZipSlip, was found to affect many open source files residing on such repositories. Snyk researchers reported that Oracle, Amazon, LinkedIn, Twitter, Alibaba, Eclipse, OWASP, SonarQube, OpenTable and Arduino were among the companies that used the libraries or relied on code vulnerable to the ZipSlip exploit.

You may have suffered a supply chain attack, too

All traditional local browsers are vulnerable to compromises of their third-party developer ecosystem. The most common method involves the hijacking of a browser extension, by way of a developer’s (email) account.

This is what happened to the popular Chrome extension Web Developer, which was hijacked by unknown attackers using the supply chain approach. As TheHackerNews reported, first they phished the target’s Google account, updated the extension to version 0.4.9, and then pushed it out to the tool’s 1,044,000 users. The “updated” version had been changed to forcibly inject advertisements into the user’s browser.

Local browsers: Supply chain attack vector #1

Most businesses use a browser to interact with their vendors and contractors and to access third-party apps or service provider websites, from logistics to banking to human resources. Third parties also coordinate and provide their services using a browser.

Most attacks on the supply chain are web-related. The regular browser suffers from supply chain vulnerabilities of its own; exploits introduced through plugins, add-ons and extensions are just one visible expression of its security weakness.

Because local browsers indiscriminately download and process code from the web on the local machine (not just through malicious extensions), they expose that machine to malware and spyware that can then spread through the supply chain network.

Research indicates that more than 80 percent of IT security incidents are web-related. Its ubiquitous use, the tight integration with the OS and inherent security weakness make the regular web browser the main gateway for web-borne exploits and attacks on supply chains in all industries and the government sector.

Instead of risking valued relationships with vendors, customers or clients by playing the blame game when it’s too late, perhaps the question we all should ask now, of ourselves and of our suppliers and contractors, is: “Can you trust your browser?”

Can you?

*

Larry Loeb has been online since uucp "bang" addressing (where the world existed relative to !decvax) and served as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. He wrote for BYTE magazine, was a senior editor for the launch of WebWeek, and authored books on the Secure Electronic Transaction Internet protocol and "Hack Proofing XML" (his latest). Larry currently writes about cybersecurity for IBM's SecurityIntelligence as well as Security Now.

Guest Contributor - Authentic8 welcomes suggestions and submissions from guest contributors. Blog posts should be relevant, non-promotional and add valuable and actionable insights for improving IT security on the web.
