Issue #09 - May 12, 2023
By Tenchi Security

Welcome back to Alice in Supply Chains!

As is usually the case, there is both good news and bad news in this issue of Alice in Supply Chains. For the bad, we have several new incidents from companies like Western Digital and AT&T, as well as a worrisome development in the 3CX incident we covered last month. We’re also once again reminded that ransomware threats are alive and well, causing disruptions and subjecting companies and their customers to impossible choices.

For the good news, there are increasing signs that awareness of the risks involved in third-party cyber-risk management (TPCRM) is on the rise. More articles are being published on this subject, and some target specific business sectors, including those many would wrongly call “low-tech” (there is hardly such a thing as a “low-tech” business anymore).

There are also news stories we need to be a little more cautiously optimistic about. Government regulation and guidance are not only increasing but also becoming more specific, which can be a good thing so long as they are both effective and realistic. Like many other things in the digital world, TPCRM is not a “solved problem”: it’s not that businesses choose not to follow the recipe for TPCRM; it’s that there is no such recipe yet, and regulations are being written despite that.

With the U.S. Tax Day in April, for example, threat actors made sure to target taxpayers, accounting firms, and software vendors to take advantage of this government-mandated responsibility. There’s little doubt that the government should act to tighten up the security of the tax filing process – including the third parties involved – but the big question is “how?”

As this newsletter aims to help you find your own answer to that question, it’s time to move on to the news stories from April. Enjoy!


Western Digital, Uber, AT&T and others disclose new security incidents

Data storage device supplier Western Digital disclosed an incident at the end of March. The company initially said that an unauthorized third party had gained access to many of its systems, causing disruptions to My Cloud services.

In the wake of the attack, the storage maker has implemented additional security measures to safeguard its systems and operations. These steps may impact some of the Western Digital services.
The company said that the incident “has caused and may continue to cause disruption to parts of the Company’s business operations.”
Since Sunday, multiple users of Western Digital’s network-attached storage (NAS) service My Cloud have been reporting they couldn’t access their cloud-hosted media repositories.

More recently, Western Digital customers have received notifications telling them that their data, including billing information such as names and partial telephone numbers, was obtained by the attacker, and some services had yet to be restored at the time of writing (they may be back up by the time you read this). There have been unconfirmed reports that, although no data was encrypted as in a typical ransomware incident, the attackers did demand a ransom and threatened to leak the information if Western Digital refused to pay.

Before we move on to other new incidents, let’s go over some updates to the Fortra and 3CX incidents we covered last month. For Fortra, the number of victims is still increasing, one of the latest being NationsBenefits, a provider of supplemental benefits for health insurance members, and the company has published the results of its investigation into the incident.

New research from Mandiant has found that the 3CX incident set “a new milestone” in supply-chain attacks: while the compromise was used to attack 3CX’s customers, the software company itself was hacked because an employee downloaded compromised third-party software from a vendor called Trading Technologies. The attack has been called a “threaded supply-chain attack,” and, like nothing else until now, it illustrates the “fourth-party problem,” what it means for our digital ecosystem to be connected, and the risks that emerge from it.

AT&T has confirmed that unknown attackers were able to create secure keys for users with email accounts hosted on its services (such as att[.]net, sbcglobal[.]net, and bellsouth[.]net), which allowed them to access these accounts without the password. The attackers used these keys to steal victims’ cryptocurrency by resetting passwords on exchanges through the compromised mailboxes, so any user who relied on AT&T’s email service could have been impacted.

Uber disclosed another data breach, but the data accessed by the attackers was stored by a law firm acting on behalf of Uber. On the bright side, the incident seems to be limited to drivers who completed trips in New Jersey.

Payment solutions provider NCR disclosed a ransomware incident that disrupted its Aloha point-of-sale service. The response is ongoing, with the company aiming to bring more services back online in mid-May, almost a month after the initial disclosure. There have been reports that the ransomware involved is BlackCat and that customer networks or data were also affected, but NCR said its investigation found no evidence of this.

Communications provider Lumen Technologies also disclosed two malware incidents to the U.S. Securities and Exchange Commission. Although they caused disruptions for its customers, the details are unclear.

Northern Ireland’s Fermanagh and Omagh District Council disclosed a data leak resulting from a breach at a third-party data processor. Meanwhile, Capita, a group that provides services for the NHS in the U.K., has admitted that hackers accessed customer, staff, and supplier data.

To wrap up this section, we recommend taking a look at this report on alcohol recovery startups sharing private data with advertisers. This isn’t a hack or compromise like the previous stories, but it nonetheless shows the importance of choosing trustworthy partners when sharing data about you or your business. The risk is your data ending up in the hands of someone who shouldn’t have it, regardless of how it gets there.


Threat actors compromise tax return software, taking advantage of U.S. Tax Day in phishing and other attacks

As day-to-day activities move to the Internet and come to rely on the complex ecosystem behind it, it’s important to make sure all parties involved are trustworthy and that users are adequately aware of any threats or pitfalls. As is usually the case, attackers exploit the fact that this isn’t always true, as we saw on this year’s Tax Day (April 18th). eFile, a tax return application authorized by the U.S. Internal Revenue Service (IRS), was serving JavaScript malware to its users:

Security researchers state the malicious JavaScript file existed on eFile.com website for weeks. BleepingComputer has been able to confirm the existence of the malicious JavaScript file in question, at the time. […]
BleepingComputer analyzed a sample of the PHP script seen by MalwareHunterTeam and determined that it is a backdoor malware that allows the threat actor to remotely access an infected device.
When the malware infects a device, it will execute a PHP script that runs quietly in the background.
Every ten seconds, the malware will connect to a remote command and control server run by the threat actors to receive a task to execute on the infected device.
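The ten-second check-in described in the excerpt is what detection engineers call beaconing, and it leaves a recognisable trace in any egress log: one source talking to one destination at near-constant intervals. The following is an added example, not code from the original article or from BleepingComputer’s analysis, that scores each source/destination pair in a constructed connection log by the regularity of its inter-connection gaps and flags the ones that look timer-driven. The log format, the host names, and the thresholds (at least five connections, jitter ratio at most 0.15) are assumptions chosen for illustration.

```python
"""Flag periodic outbound connections (beaconing) in a constructed egress log.

Added example, not from the original article. The log format, host names and
thresholds below are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "<ISO timestamp> <src host> -> <dst host>:<port>".
# ws-17 phones home roughly every ten seconds; ws-04 is ordinary browsing traffic.
SAMPLE_LOG = """\
2023-04-10T09:00:00 ws-17 -> updates.example.net:443
2023-04-10T09:00:10 ws-17 -> updates.example.net:443
2023-04-10T09:00:20 ws-17 -> updates.example.net:443
2023-04-10T09:00:30 ws-17 -> updates.example.net:443
2023-04-10T09:00:41 ws-17 -> updates.example.net:443
2023-04-10T09:00:50 ws-17 -> updates.example.net:443
2023-04-10T09:00:03 ws-04 -> cdn.example.org:443
2023-04-10T09:00:47 ws-04 -> cdn.example.org:443
2023-04-10T09:02:15 ws-04 -> cdn.example.org:443
2023-04-10T09:02:19 ws-04 -> cdn.example.org:443
2023-04-10T09:05:58 ws-04 -> cdn.example.org:443
2023-04-10T09:09:31 ws-04 -> cdn.example.org:443
"""


def parse_log(text):
    """Return {(src, dst): [sorted timestamps]} from lines in the constructed format."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    for key in flows:
        flows[key].sort()
    return flows


def beacon_score(timestamps):
    """Return (mean gap in seconds, jitter ratio) for one flow, or None if too short.

    jitter ratio = population std-dev of the gaps / mean gap. A process on a
    fixed timer gives a ratio near 0; human- or cache-driven traffic gives a
    much larger one.
    """
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 3:
        return None
    avg = mean(gaps)
    if avg == 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(text, min_connections=5, max_jitter=0.15):
    """Return [(src, dst, mean_interval)] for flows that look like timed check-ins."""
    hits = []
    for (src, dst), ts in parse_log(text).items():
        if len(ts) < min_connections:
            continue
        score = beacon_score(ts)
        if score is None:
            continue
        avg, jitter = score
        if jitter <= max_jitter:
            hits.append((src, dst, round(avg, 1)))
    return hits


if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{interval}s")
```

Real C2 clients often add random sleep jitter to defeat exactly this check, so the jitter threshold is a tuning knob rather than a hard rule; the usual next step is to combine the interval score with how rare the destination is across the whole fleet.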

Users also had to face phishing and other social engineering attempts, as Microsoft showed in a blog post. Sophos released a detailed write-up on what is apparently a different attack, in which the victim has to reply to the attacker to receive the malicious file. Fortinet has also published its own analysis of this campaign.

In the past, engaging with technology and software to file tax-related paperwork was an option. Today, it may be unrealistic to do it any other way, and it can even be a requirement in certain jurisdictions. After all, any data filed by taxpayers will have to be moved to the government’s digital database at some point.

But technology is complex, and taxpayers will have to rely on software, network providers, hardware providers, and other companies along the chain, much like the government itself must rely on contractors and vendors to help build or maintain its infrastructure. The relationship between the taxpayer and these companies is very different from the one the taxpayer would have had with the manufacturer of the typewriter used in years past.

Managing third-party risk in this environment is essential to avoid such incidents, and it must be an ongoing effort.


Continuous monitoring, secure-by-design and other best practices in third-party and cyber-risk management

As the Healthcare Information and Management Systems Society held its HIMSS23 event, HIMSS TV published a short video interview with Intermountain Healthcare VP and CISO Erik Decker in which he mentioned the need to move from a “transactional” approach to a continuous monitoring approach to manage third-party risk. Among other things, he advocates for security information management (SIM) for third parties. You can watch the video here, and below is a short excerpt:

One of the major issues with third party is we’ve been approaching this in a very transactional and manual mindset for understanding our risks with these third parties. Historically, it’s been very data security-driven, privacy-driven, confidentiality-driven. [...]
We live in a different world. We live in an ecosystem, we have thousands of vendors that are connecting to healthcare entities, and, in order to keep up with the kinds of risks that come from our third parties themselves, we have to somehow change our models and operational models and mindsets, how we actually evaluate these risks and work through them. […]
[The third parties] are also all working off digital systems. So if they go down, and they can’t supply physical products, we have a problem on our hands. We really need to change the way that we think about how our third parties are inherently risky in our environments, and planning for inevitability – planning for “they will go down, now what do we do?”

More ideas for managing third-party risk come from Grant Thornton, in an article that gives a broad overview of how to plan for third-party incident response management, while CISA and its partners published guidance on secure-by-design development principles (source, coverage) aimed mostly at software manufacturers (but, since we all need to select our software vendors or develop our own tools to interact with digital services, it has repercussions for everyone).

“How to reduce cyber attacks in the global supply chain” collects opinions from many experts and researchers. Despite what the title suggests, it isn’t a simple guide to reducing risk; rather, it combines several opinions and views explaining the overall scene and the challenges we face, and only covers solutions in broad strokes. “3 Best Practices For Maturing Healthcare Third-Party Risk Management” is a good follow-up for some practical ideas.


U.S., U.K., Australia, Canada and New Zealand address supply chain cybersecurity in new best practices for smart cities

CISA and its partners have also released another set of guidelines (PDF) for “smart cities,” dealing with subjects like the Internet of Things (IoT) and infrastructure automation. It builds upon their secure-by-design guidelines released a few days before, saying that vendors should adhere to this principle, among other things, in order to improve the security of the supply chain:

The risk from a single smart city vendor could be much higher than in other ICT supply chains or infrastructure operations, given the increased interdependencies between technologies and basic or vital services. Organizations should consider risks from each vendor carefully to avoid exposing citizens, businesses, and communities to both potentially unreliable hardware and software and deliberate exploitation of supply chain vulnerabilities as an attack vector. This includes scrutinizing vendors from nation-states associated with cyberattacks, or those subject to national legislation requiring them to hand over data to foreign intelligence services.

In this excerpt, CISA is basically telling city administrations to be careful when dealing with suppliers from nations associated with cyberattacks. Perhaps unsurprisingly, given CISA’s recommendations and current events, the Biden administration is said to be considering action against Kaspersky, a Russian security firm with operations worldwide that has been targeted by the U.S. government in the past as an alleged threat to national security.

It’s hard to say whether this unprecedented “action” will have any teeth. For comparison, the U.S. Federal Trade Commission recently filed a complaint against payment firm Nexway for knowingly assisting tech support scammers, but then decreased the settlement from $49.5 million to $650,000. Actions against companies from other countries can also raise geopolitical tensions and invite reprisals, such as China’s probe of U.S. memory maker Micron.

For our last couple of government and regulation news items, Canada’s Office of the Superintendent of Financial Institutions (OSFI) published its Third-Party Risk Management Guideline, setting out supply chain risk management expectations for Federally Regulated Financial Institutions (FRFIs), and EY was banned from taking on new audit business in Germany (alternate link at CNN), a move that also highlights the challenges of auditing in general, since the ban is based on EY’s failures as the auditor of Wirecard.


‘Cybercriminals often target supply chains with ransomware’

An article by Theuns Kotze from the British Standards Institution goes over the supply chain risks as they relate to the logistics sector, with a focus on ransomware:

The logistics and transportation industry is plagued by several significant cyber risks such as ransomware, phishing, and intercepts from sensors and industrial technology, which can pose major consequences if not tackled. Ransomware, a malware that prevents or limits users from accessing their system until a ransom is paid, has become increasingly sophisticated, with cybercriminals often targeting supply chains to maximize impact by threatening the entire ecosystem of an organization that impacts multiple businesses. Shipping and logistics companies are on the radar of cybercriminals.

The takeaway here is that awareness about supply chain and third-party risks is reaching new business sectors and coming from unlikely sources as well, which is great to see – after all, it’s easier to cooperate and work to find solutions when everyone agrees it’s necessary to do so.

Jeff Schilling from Teleperformance wrote an article that tackles this topic from the perspective of a third party, which is interesting because we also need to understand the reality our vendors face.

Finally, there’s a series of articles at Lawfare on the Enforcement of Cybersecurity Regulations. We’re linking part 2 here, as it has relevant insights on how effective “independent” audits are when the auditors are selected and paid by the organization being audited, which is often the case for the standards and certifications used to attest to good security practices, such as PCI DSS, ISO 27001 and SOC 2, as well as for third-party risk assessments.


Survey: almost a quarter of companies do not evaluate third-party risk

A new survey that investigated many security challenges in today’s landscape has found that 23% of companies among its respondents do not evaluate third-party risk:

What’s more concerning is this [lack of evaluation] is happening more in highly regulated industries that have large ecosystems of suppliers and partners; 30% of respondents who work in manufacturing and 25% of those who work in healthcare say their companies do not evaluate third-party vendor risk.

Respondents also noted that traditional risk assessments are difficult to complete and take too much time – and perhaps that’s why many of them decide to skip it when it comes to their partners. This is not a true solution, of course, as preventing your company from having visibility into the problem will not make it disappear. The need for a smarter strategy that is better aligned to the business and produces real results is clear.

Eset has also published more highlights from its SMB Digital Security Sentiment Report. We did mention it in a previous edition, but their new blog post looks into the different security concerns by business sector. If we understand that different businesses have different needs, it does follow that we need to model our solutions according to these different needs, and Eset’s post makes it clear that companies have varying levels of confidence in their own cybersecurity expertise depending on their sector.

It’s difficult to say whether a company’s trust in its own cybersecurity expertise is deserved – Eset says that certain businesses may be harboring a false sense of security. Nevertheless, these are all things that need to be in the back of your mind when hiring a company as a supplier that will essentially become a partner in your own security.


As a parting gift, here are our bonus links for the month:

Southwest Airlines resumes operations after briefly halting takeoffs due to a ‘technical issue’

We bring this to your attention as another example of how airlines are no different from other suppliers, and that network incidents disrupting their operations may also impact any businesses that rely on them for travel. We’ve been mentioning this since our second issue, so you can read more here.

“Southwest has resumed operations after temporarily pausing flight activity this morning to work through data connection issues resulting from a firewall failure,” the company said in a statement. “Early this morning, a vendor-supplied firewall went down and connection to some operational data was unexpectedly lost. Southwest Teams worked quickly to minimize flight disruptions.”

From listKeys to Glory: How We Achieved a Subscription Privilege Escalation and RCE by Abusing Azure Storage Account Keys

On what started as one of these typical days, we went on to discover a surprisingly critical exploitation path utilizing Microsoft Azure Shared Key authorization – a secret key-based authentication method to storage accounts. With this key, obtained either through a leakage or appropriate AD Role, an attacker can not only gain full access to storage accounts and potentially critical business assets, but also move laterally in the environment and even execute remote code.
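The exploitation path quoted above needs two things at once: a principal that is allowed to call listKeys on the storage account, and an account that still honours Shared Key authorization. The following is an added example, not code from the Orca Security post or from this newsletter, that joins those two conditions over a constructed inventory of storage accounts, role definitions and role assignments, in the shape returned by `az storage account list`, `az role definition list` and `az role assignment list`. The subscription id, account names, principals and the role definitions (modelled on the built-in Reader and Storage Account Contributor roles) are constructed; `allowSharedKeyAccess` and `Microsoft.Storage/storageAccounts/listKeys/action` are the real ARM names, and an unset `allowSharedKeyAccess` is treated as enabled, which is the documented default.

```python
"""Find who can obtain storage account keys for accounts that still accept them.

Added example, not from the original newsletter or the linked research. All
records are constructed: the subscription id, account names, principals and
role definitions (modelled on built-in roles). `allowSharedKeyAccess` and the
listKeys action string are the real ARM names; an unset (None) value for
allowSharedKeyAccess means the documented default, which is enabled.
"""
import fnmatch

LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription
STORAGE = "/providers/Microsoft.Storage/storageAccounts/"

# Constructed records in the shape of `az storage account list`.
ACCOUNTS = [
    {"name": "stprodapp01", "allowSharedKeyAccess": None,
     "id": SUB + "/resourceGroups/rg-prod" + STORAGE + "stprodapp01"},
    {"name": "stlogs02", "allowSharedKeyAccess": False,
     "id": SUB + "/resourceGroups/rg-prod" + STORAGE + "stlogs02"},
    {"name": "stlegacy03", "allowSharedKeyAccess": True,
     "id": SUB + "/resourceGroups/rg-legacy" + STORAGE + "stlegacy03"},
]

# Constructed role definitions (actions / notActions as in `az role definition list`).
ROLES = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Storage Account Contributor": {"actions": ["Microsoft.Storage/storageAccounts/*"],
                                    "notActions": []},
    # A custom role that deliberately carves listKeys back out of a broad grant.
    "Storage Ops No Keys": {"actions": ["Microsoft.Storage/*"], "notActions": [LIST_KEYS]},
}

# Constructed role assignments: principal, role, scope (subscription, RG or resource).
ASSIGNMENTS = [
    {"principal": "ci-pipeline-sp", "role": "Storage Account Contributor",
     "scope": SUB + "/resourceGroups/rg-prod"},
    {"principal": "alice@example.com", "role": "Reader", "scope": SUB},
    {"principal": "ops-team", "role": "Storage Ops No Keys", "scope": SUB},
    {"principal": "legacy-app-sp", "role": "Storage Account Contributor",
     "scope": SUB + "/resourceGroups/rg-legacy" + STORAGE + "stlegacy03"},
]


def action_allowed(role, action):
    """Azure RBAC semantics: granted when an `actions` pattern matches and no
    `notActions` pattern does. Patterns use '*' wildcards and are case-insensitive."""
    wanted = action.lower()

    def matches(patterns):
        return any(fnmatch.fnmatchcase(wanted, p.lower()) for p in patterns)

    return matches(role["actions"]) and not matches(role["notActions"])


def in_scope(assignment_scope, resource_id):
    """An assignment applies to its scope and to everything beneath it."""
    scope, res = assignment_scope.lower().rstrip("/"), resource_id.lower()
    return res == scope or res.startswith(scope + "/")


def shared_key_enabled(account):
    """Only an explicit False turns Shared Key authorization off."""
    return account.get("allowSharedKeyAccess") is not False


def key_exposure(accounts, roles, assignments):
    """Return sorted (principal, account name) pairs where the principal can
    call listKeys on an account that still honours Shared Key authorization."""
    pairs = set()
    for acct in accounts:
        if not shared_key_enabled(acct):
            continue
        for asg in assignments:
            if in_scope(asg["scope"], acct["id"]) and action_allowed(roles[asg["role"]], LIST_KEYS):
                pairs.add((asg["principal"], acct["name"]))
    return sorted(pairs)


def remediation(account):
    """The az CLI command that disables Shared Key authorization for the account."""
    rg = account["id"].split("/resourceGroups/")[1].split("/")[0]
    return (f"az storage account update --name {account['name']} "
            f"--resource-group {rg} --allow-shared-key-access false")


if __name__ == "__main__":
    for principal, name in key_exposure(ACCOUNTS, ROLES, ASSIGNMENTS):
        print(f"{principal} can read the keys of {name}")
    for acct in ACCOUNTS:
        if shared_key_enabled(acct):
            print(remediation(acct))
```

Before running the remediation command on a real account, inventory anything that signs requests with the account key: SAS tokens derived from it stop working the moment Shared Key authorization is disabled, while user delegation SAS and Azure AD role-based data access keep working. Note also that the built-in Owner and Contributor roles carry `*`, which this check treats, correctly, as including listKeys.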

Tenchi 1:1 "MITRE’s System of Trust (SoT) and its progress"

This week we launched another Tenchi 1:1 webinar. Alexandre Sieira, our CTO & Co-Founder, talked about MITRE’s System of Trust (SoT) and its progress with Robert Martin. The System of Trust Framework aims to provide a comprehensive, consistent, and repeatable supply chain security risk assessment process that is customizable, evidence-based, and scalable, and will enable all organizations within the supply chain to have confidence in each other, service offerings, and the supplies being delivered.

Don't miss it! Watch now. Click here.
