Issue #04 - December 12, 2022
Welcome to Alice in Supply Chains!
Welcome back to Alice in Supply Chains - Third-Party Cyber Risk Management Newsletter! In this December issue, we have more Tenchi Day insights to share – this time, for the financial sector. We’ll be touching on the FTX collapse from the third-party cyber risk management angle as well, and highlighting recent reports suggesting that nation-state threat actors have set their sights on IT service providers in order to attack their actual targets.
As usual, there are a few law enforcement and regulation news items in the mix, including SolarWinds’ US$26 million settlement over the Orion incident in 2020. At the very end, we have a few stories with interesting predictions for 2023.
Since this is the last issue for the year, we at Tenchi Security wish you a happy and prosperous New Year. Thank you for following Alice in Supply Chains in 2022 – and see you in 2023!
Eduardo Pinheiro - Director of Engineering at Tenchi Security
----------------------------------------------------------------------------------------
Financial sector: Tenchi Day insights
We are dedicating this section to our continued coverage of Tenchi Day 22 – First Third-Party Cyber Risk Management, the event we held in São Paulo to bring people together and discuss TPCRM. While we covered healthcare last month, we are bringing insights from the financial sector this time.
Speakers at the financial sector panel included Salvador Medeiros, Information Security Manager at Itaú Unibanco; Erica Correa, Information Security Manager at Bradesco; Jeferson Prevedello, CISO at XP Investimentos; and Leonardo Muroya, CISO at Banco BV. The moderator for the panel was Tenchi’s own CTO and Co-Founder, Alexandre Sieira.
Thanks to innovative technologies and new business models brought about by fintech startups, even the most established financial institutions are seeing the need to adapt and move faster to remain competitive. This is where third parties come in: they bring the expertise and the means to turn ideas into products and solutions faster.
However, since the market and regulatory bodies expect a lot from these institutions when it comes to security, caution is also necessary. And unfortunately, as our guests at the panel explained, sometimes the banks may be more familiar with the risks than the third parties they are reaching out to.
Salvador from Itaú Unibanco pointed out that other business units are participating in the risk management process. When security and business are linked from the start, it’s much easier to make forward progress without sacrificing safety. “Today, there are security goals tied to the business from top to bottom, bursting its bubble and allowing for third-party risks and other subjects to flow into each new business discussion. Business and security go together,” he said.
To smooth things out, however, the institutions need to have the right approach towards their third parties. Prevedello from XP Investimentos argues that third parties must be willing to take initiative as well. By showing how much the organization can share, it’s possible for third parties to make improvements too. “The whole process was turned on its head. We’re no longer knocking on their doors to check their compliance level, and instead they are the ones knocking on our door.”
While Banco BV’s Muroya also agrees with this approach, he says that each organization must set its own limits. In other words, the third party should be responsible for its own security, and the financial institution, as the one contracting the third party, has the right to choose the best partners. “It’s important to manage third parties inside the organization, but we can’t be the ones responsible for their security,” he said. This process, Muroya explained, comprises technical and non-technical assessments performed before the partner becomes part of the corporate ecosystem.
----------------------------------------------------------------------------------------
The FTX collapse and third parties
The biggest story of the month was the collapse of the FTX cryptocurrency exchange. It had a US$32 billion valuation, and billions of dollars of its customers’ money are missing. A third party did not specifically cause the collapse – even though initial reports suggest that a large amount of money was lost through improper transactions at Alameda Research, a company that was supposedly a third party to FTX but actually wasn’t.
As an article by Bitcoin Magazine points out, however, the collapse also impacted other companies which relied on FTX or some of its sister companies, like Genesis Trading.
It has become apparent that Genesis didn’t have the best due-diligence process when issuing loans to counterparties because they had to write down two nine-figure loans to zero this year after lending out money to Three Arrows Capital and Alameda Research.
The article’s key point is that blockchains already have features like multisig to mitigate risks like these, but they are simply not used often enough. This results in unnecessary exposure to risk.
Although this advice is specific to companies that rely on blockchains, the concept of “unnecessary exposure” is by no means exclusive to them. At the end of the day, companies must use all the tools at their disposal to manage third-party risk.
As regulation in the financial sector tends to be tighter (at least compared with other industries), several guidelines and regulations have already been updated to account for the changes in the sector, including supply chain risk. We mentioned the regulation changes coming for Australia in the first edition of Alice in Supply Chains, but there’s more: Canada is revising its guidelines for outsourcing, and there are now also considerations for insurance policies that may not cover everything fintech startups believe they do.
The reliance of banks on a few cloud providers is also drawing attention. As we mentioned just above, even established banks accustomed to sprawling self-hosted IT infrastructures are seeing the need to adapt and move faster in response to competition from startups – usually, this means moving to the cloud. As this migration occurs, regulators are watching. The genie is not going back into the bottle, but authorities are much more likely to act when money goes missing, or when large chunks of critical infrastructure all become reliant on a few players.
----------------------------------------------------------------------------------------
SolarWinds settles lawsuit over Orion breach
SolarWinds made headlines in 2020 after attackers compromised updates for its Orion software in an attempt to access the corporate networks of companies like Microsoft and FireEye, Inc. That was one of the biggest stories of the year, and a clear example of attackers turning their attention to suppliers to reach their actual targets.
The legal aftermath of that incident is still ongoing, as SolarWinds settled a class-action lawsuit for US$26 million. But the company is not out of the woods yet, as the Securities and Exchange Commission is investigating the incident as well:
The SEC provided SolarWinds with a Wells Notice to recommend enforcement action alleging violations of certain securities laws related to cybersecurity disclosures and public statements. It is also looking into internal controls and disclosure controls and procedures. […] The company also entered into a $26 million settlement in late October in a class action lawsuit related to the cyberattack. The agreement would also cover legal and administrative fees.
Although SolarWinds was a business supplier, regulators are looking at regular users, too. In November, the Digital Services Act (DSA) entered into force in the European Union, and, among many other things, it says platforms must vet the credentials of third-party suppliers.
Hardware makers are not exempt. The Irish government, for one, wants the power to ban vendors from telecom networks. The U.S. already went ahead with the ban on equipment from Huawei and ZTE, and surveillance equipment from Dahua, Hikvision, and Hytera is also in the FCC’s crosshairs.
----------------------------------------------------------------------------------------
Russian software disguised as American finds its way into U.S. Army, CDC apps (and other nation-state considerations)
Reuters reported that U.S. government agencies and the military were using a mobile app containing code by Pushwoosh, a company which Reuters says is Russian but disguised itself as American. Given current tensions between the U.S. and Russia over the war in Ukraine and other considerations, the app was uninstalled from the devices.
According to company documents publicly filed in Russia and reviewed by Reuters, Pushwoosh is headquartered in the Siberian town of Novosibirsk, where it is registered as a software company that also carries out data processing. It employs around 40 people and reported revenue of 143,270,000 rubles ($2.4 mln) last year. Pushwoosh is registered with the Russian government to pay taxes in Russia. […] On social media and in U.S. regulatory filings, however, it presents itself as a U.S. company, based at various times in California, Maryland and Washington, D.C., Reuters found.
Pushwoosh has denied the allegation that it is Russian, but did confirm it outsourced some development to the company cited by Reuters. While this story is quite nuanced, it does raise the issue of how third parties can be exploited by nation-state threat actors.
It’s not necessary to speculate much, though, as Russian military hackers are believed to be behind ransomware attacks in Ukraine and Poland. Furthermore, another report suggests that these nation-state groups are shifting tactics and looking at IT service providers:
“Nation-state actors targeted IT companies more heavily than other sectors [over the last year]. IT companies, such as cloud services providers and managed services providers, accounted for 22% of the organizations that these groups targeted this year.”
As Microsoft itself says, these providers are not actually the target. Much like in the SolarWinds incident, they are a means to reach their customers. Most importantly, Microsoft believes this trend represents a shift away from attacks on the software supply chain, which used to be these groups’ focus.
----------------------------------------------------------------------------------------
Hundreds of U.S. news sites push malware in supply-chain attack
The websites of more than 250 newspapers across the U.S. started to distribute malware after threat actors compromised the infrastructure of an unnamed media company. Bleeping Computer, which ran the story, also noted that the SocGholish malware family, which was being installed by this attack, has links to ransomware.
This malicious JavaScript file is used to install SocGholish, which will infect those who visit the compromised websites with malware payloads camouflaged as fake browser updates delivered as ZIP archives (e.g., xn--chrom-3we.xn--udat-y4d6d.zip, Chrome.Updater.zip, xn--firefo-gsf.xn--udat-y4d6d.zip, xn--oper-83d.xn--updte-6ve.zip, Oper.Updte.zip) via fake update alerts.
“Proofpoint Threat Research has observed intermittent injections on a media company that serves many major news outlets. This media company serves content via Javascript to its partners,” Proofpoint’s Threat Insight team revealed [in a Nov. 2] Twitter thread.
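The lure ZIP names quoted above are IDN-style labels: what the victim sees after punycode decoding is a near-perfect imitation of a browser update name. The defender-side check below is an added example (not code from the page, Bleeping Computer or Proofpoint): it decodes any xn-- label with Python’s built-in punycode codec, reduces the result to an ASCII look-alike form through a small, constructed confusable table, and then fuzzy-matches the pieces against browser and update vocabulary, so both the homoglyph names and the plain typo-squat names from the article are flagged. The confusable table, vocabulary lists and the download-log sample are all constructed for the example.

```python
import unicodedata

# Constructed confusable table (Cyrillic letters that render like Latin ones); production code would use Unicode TR39 data.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
})
BROWSERS = ("chrome", "firefox", "opera", "edge")      # constructed vocabulary
UPDATE_WORDS = ("update", "updater")                   # constructed vocabulary

def decode_label(label: str) -> str:
    """Return the form a user sees: xn-- labels are punycode-decoded, others are kept."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def skeleton(text: str) -> str:
    """ASCII look-alike form: drop accents, map confusables to Latin, lowercase."""
    decomposed = unicodedata.normalize("NFKD", text)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return plain.translate(CONFUSABLES).lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, so 'Oper' matches 'opera' and 'Updte' matches 'update'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def near(token: str, vocab) -> bool:
    return any(edit_distance(token, word) <= 1 for word in vocab)

def classify(filename: str) -> list:
    """Reasons a downloaded file name looks like a fake-browser-update lure; [] if none."""
    labels = filename.split(".")
    if labels[-1].lower() != "zip":
        return []                      # the lures quoted in the article are all ZIP archives
    shown = [decode_label(l) for l in labels[:-1]]
    skel = [skeleton(s) for s in shown]
    reasons = []
    if any(s.lower() != k for s, k in zip(shown, skel)):
        reasons.append("homoglyph: %s reads as %s" % (".".join(shown), ".".join(skel)))
    if any(near(t, BROWSERS) for t in skel) and any(near(t, UPDATE_WORDS) for t in skel):
        reasons.append("browser-update lure name")
    return reasons

if __name__ == "__main__":
    # Constructed download-log sample: two names from the article plus a benign file.
    for name in ("xn--chrom-3we.xn--udat-y4d6d.zip", "Oper.Updte.zip", "report.zip"):
        print(name, classify(name))
```

Run against proxy or EDR download logs, the homoglyph reason is the high-confidence signal; the fuzzy name match alone is a triage hint, since users do legitimately download ZIPs with "update" in the name.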
As websites often load content from several different sources, any of these third parties can serve malicious code to visitors. While even the largest ad providers are not immune to the occasional bad ad, a compromised infrastructure is a much bigger issue.
Although it can be said that newspapers usually deal with information that is public or is going to be public soon, media outlets can also be exploited for watering hole attacks. Since a report suggests that more than 87% of the Pentagon’s supply chain fails basic cybersecurity minimums, it’s unsurprising that cash-strapped local and regional newspapers would have issues, too.
Let's take this opportunity to mention a few more incidents. A real-world tale published recently goes through some of the steps taken in the aftermath of an extortion attack on a third party, noting that operational impacts were not avoided even though the network and data remained secure.
Attackers hit Dropbox with a phishing campaign and breached 130 of the company’s GitHub repositories (no core services were impacted, according to them), while AWS fixed a cross-tenant vulnerability in AppSync (the flaw was reported by researchers and there’s no evidence of it being employed in any attacks). LastPass disclosed yet another security incident, which they are still investigating. Since all three are IT service providers, many organizations rely on them as third parties and should be watching their responses to these incidents.
Finally, Ars Technica also published an interesting piece about computer repair shops. The report is based on a study conducted by researchers at the University of Guelph in Ontario, Canada, which found that privacy violations occurred with at least 50 percent of the devices being repaired. With the adoption of consumer devices into corporate networks through BYOD policies, it is not unthinkable for employees to simply take their devices to a repair shop when they have a problem. Encryption is a clear ally here, but what is important is to remember that third parties can come into play even when the organization is not the one hiring them.
----------------------------------------------------------------------------------------
Supply chain security considerations make Gartner and Deloitte’s trends for 2023
As this is the last edition of Alice in Supply Chains to be sent in 2022, let’s explore a few predictions about what may be coming in the next year. Among ten predictions for 2023, Deloitte believes that “complex supply chain security risks will continue to emerge.” This wording is interesting: it means not only that our supply chains are complex (which they often are), but that unexpected risks may emerge from this complexity. The recommendation here is to stay focused on identity and access management to mitigate these unforeseen issues:
Organizations are also focusing on deploying and operating identity and access management (IAM) and Zero Trust capabilities that better enforce authorized third-party access to systems and data and reduce the consequences of a compromised third-party. […] The threats introduced into the supply chain continue to evolve in complexity, scale, and frequency, so organizations need to continue the momentum with innovating and maturing their supply chain security and risk transformation capabilities.
Moving on, Gartner’s “Audit Plan Hot Spots” has both “Third-Party Risk Management” and “Supply Chain” among its top 12 picks. As Gartner explains, these “hot spots” are “focus areas for Chief Audit Executives (CAEs) to help them identify risks to their organizations and plan audit coverage for the coming year.”
The 2023 Digital Leadership Agenda event at the University of California, Irvine - The Paul Merage School of Business, focused on trends for 2023, and artificial intelligence and cyber security made the cut. And, more specifically, supply chains:
“Nicole Ford, Vice President of Global Security and Chief Information Security Officer for Rockwell Automation, said that companies like hers can also have trouble with vendors conforming to proficient security standards. […] We really need to make sure that we’re training our third, fourth and fifth parties on what our expectations are from a cyber security perspective and hold them accountable to those responsibilities.”
This is a very interesting view from the standpoint of a manufacturer, and Ford went all the way to the “fifth party.” Connected ecosystems mean that even a manufacturer is “an IT company” in some regards – at the very least, they must know how to evaluate their IT providers.
----------------------------------------------------------------------------------------
Finally, just like last month, we have some bonus stories you do not want to miss:
Google’s Project Zero security research team has a blog post detailing exploits it found based within Arm’s Mali GPU driver. Mobile chipsets from the likes of Samsung (Exynos), Google (Tensor), and MediaTek that include the GPU may be affected — not so much those owning devices running a Snapdragon SoC as those feature Qualcomm’s own Adreno GPU design.
[…] The aim of the post is to get OEMs to “mind the patch gap” and do their best to roll out security fixes to users as soon as possible. With a public callout like this, your phone’s manufacturer will be under pressure to pass along the patches — one Googler notes in Project Zero’s dedicated issue tracker that the company will make manufacturers take the patches as part of future security patch requirements with Pixels being among the first to adopt them in “the coming weeks.”
The story of ransomware may go back over a decade. But it’s in the past few years and during the pandemic in particular that the threat truly accelerated. According to FBI figures, associated costs soared 449% between 2019 and 2021, while the volume of reports jumped 109% from 2017 to 2021. Why did the pandemic have such a profound impact on this thriving corner of the cybercrime underground? A perfect storm of digital transformation, home working and cybercrime innovation.
[H]ackers thrive on chaos and uncertainty — and economic turmoil isn’t going away any time soon. To guard against cybercrime, it’s critical to monitor and assess every secret window into your organization’s operations. For most, these gateways are in the supply chain among third parties — and it’s how criminals are breaking in and wreaking havoc, particularly with ransomware.[…]
It’s alarming to note that ransomware is the most common attack method of third-party attacks. In 2021, Forrester predicted 60% of security incidents in 2022 would result from third-party incidents. Even more shocking is that the average time for companies to identify a third-party breach is 287 days — nearly 9.5 months.
[…] Geopolitical challenges and global volatility may be on the rise — but businesses don’t have to let the bad guys win. Tech can enable businesses to move beyond meaningless cyber scores and checklists for vendors. While a bird’s eye view may show a decent cyber rating, the weeds can reveal a massive opportunity for bugs, CVE codes, and severities to thrive. By efficiently assessing and continuously monitoring the cyber health of your supply chain, it’s possible to stay to the left of boom.