Issue #10 - June, 2023
Welcome back to Alice in Supply Chains
How deep does the supply chain hole go?
When we mentioned the Capita breach last month, we did not know it would turn out this way: as May went on, more reports started appearing and, by now, dozens – if not hundreds – of organizations and pension funds are investigating leaks stemming from the incident. Capita provides services to many business and government entities in the United Kingdom, so even as the damage to the company remains under control, the leaks have spread to many smaller organizations that rely on their services.
Large service and IT infrastructure providers are generally above average when it comes to security, so it is quite unusual to see an event of this magnitude unfold. Yet even a small breach in their ecosystem could easily have consequences for hundreds or even thousands of companies, and if these companies are themselves large – which is the case for Capita and its government clients – there will be implications for thousands of people.
When it comes to third-party risk management
Beyond Capita, we have several other relevant incidents here – many of them involving third parties. For example, an investment firm in Canada suffered an incident because one of its partners was compromised through the GoAnywhere flaw.
There is also some news on the geopolitical front, with more supply chain tensions mounting due to a strain on the relationship between China and the United States. And we have our usual round of surveys showing increased awareness about third-party risk management.
We hope you enjoy it!
Capita ransomware breach fallout reaches hundreds of pension funds and organizations
In our previous edition, we mentioned an incident at Capita, an IT services provider to the U.K. government, businesses, and pension funds (media reports say the company holds £6.5 billion worth of public sector contracts alone). First disclosed at the end of March, the incident was mostly downplayed by the firm, which seemed optimistic about the recovery. While in the spotlight, the company then had to deal with an unrelated incident in which a researcher found 600GB of data stored in an exposed Amazon Web Services cloud storage bucket.
Although very different, both incidents have become difficult to separate in recent coverage. One article by the BBC says 90 organizations have reported data breaches linked to Capita to the Information Commissioner's Office, but it is unclear which of the two incidents each of these reports relates to:
The Information Commissioner's Office (ICO), the privacy and data watchdog, said that so far around 90 organisations had been in contact regarding Capita.
“We are receiving a large number of reports from organisations directly affected by these incidents and we are currently making enquiries”, said the ICO. […] The ICO is encouraging organisations to see if personal data they hold has been affected by the attack or by the exposed data.
The researcher who notified Capita about the exposed bucket is Kevin Beaumont. He later published a write-up with evidence indicating that the bucket contained personal information, not just the software release documentation and guides mentioned by Capita in their initial statement to the press.
The first breach is being attributed to a ransomware attack by Black Basta. Capita said it is expecting to spend US$ 19 million to US$ 25 million (£15 million to £20 million) in the aftermath of the breach to cover “specialist professional fees, recovery and remediation costs and investment to reinforce Capita’s cyber security environment.”
There are still questions regarding the incident, including how many pension funds could have been affected (some reports say up to 350 such funds may be impacted, which would make it the largest such incident to date). The city council of Colchester has initiated a probe into the matter.
From what the reports suggest, Capita provides services to many different businesses and government institutions. It’s understandable that all their clients are seeking clarity on what exactly has been leaked to better prepare their own response and expectations moving forward, and to determine the steps they must take to comply with privacy regulations.
The many narrative changes since the initial disclosure in March can end up sowing doubt about any new statements among their clients, leading to more panic. A few days after initially disclosing the incident – before confirming that personal data had been stolen – Capita’s CEO told The Times that their response would “go down as a case history for how to deal with a sophisticated cyberattack.” The company may find itself in an awkward position if it tries to defend this early optimism.
Assurances that only a fraction of a percent of their servers were compromised also do little to calm the thousands of people who had their data stolen, and that is one of the key lessons here: for a large services provider, even a small breach can amount to a total compromise of the data of many individuals and businesses that work with them.
Luxottica, MSI, Bitmarck, Discord: several companies report security incidents
There are many incidents for us to mention in this edition, so some of the coverage will be a bit brief. As usual, remember to follow the links to know more.
We begin with eyewear company Luxottica, which confirmed a data breach that dates back to 2021 and involves millions of customers in the United States and Canada. The first public evidence of the leak appeared in 2022, when a posting on “Breach,” a hacker forum, tried to sell the data privately. The dataset has since surfaced publicly, forcing the company to confirm the incident. Luxottica further explained that the data was obtained from an unnamed third-party contractor “related to Luxottica retail customers”:
However, more recently, the database was leaked in its entirety for free on April 30th and May 12th, 2023, on different hacking forums, making the data far more accessible to threat actors.
Andrea Draghetti, the leading researcher of the Italian cybersecurity firm D3Lab, analyzed the leaked data and confirmed to BleepingComputer that it contains 305 million lines, 74.4 million unique email addresses, and 2.6 million unique domain email addresses. […]
After BleepingComputer contacted Luxottica about the published data, the firm confirmed that the leaked data came from a security incident that impacted a third-party contractor holding customer data.
We move on to Canada-based Mackenzie Investments, which confirmed a data leak at a third-party vendor, InterCOM, that was itself traced to the GoAnywhere file transfer flaw. We already covered the GoAnywhere incident in our April 2023 issue, if you want to read more.
Voice chat and messaging platform Discord is notifying users of a data breach after a third-party support agent was hacked. The data obtained by the attacker is limited to the agent’s ticket queue, but it includes any attachments sent by users, which means the impact varies depending on what those attachments contain.
The Black Basta ransomware group, which allegedly hit Capita, also attacked other firms that provide services and goods to corporate customers, including Rheinmetall, a German automotive and arms manufacturer, and Swiss automation provider ABB.
An incident at PC component and computer manufacturer MSI led to a leak of the private signing keys used to authenticate the firmware of its motherboards. There are fears this could create a “doomsday” scenario for a supply chain attack, one in which the very software responsible for booting the computer is replaced by an attacker in a way that is very difficult to detect, because an image signed with the stolen key passes the very check that exists to make this impossible. This seems to be mostly speculation for now, and the exposure is limited to the MSI boards whose firmware those keys sign, so owners of other vendors' boards can be cautiously optimistic (although other kinds of vulnerabilities in such boards are not unheard of). The uncomfortable part for affected boards is that signature verification cannot tell the vendor apart from whoever else holds the key, so the remedy is rotating the key and updating the trust anchor on each board, which is far harder than shipping an ordinary patch.
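To make that point concrete, here is an added example, written for this edition and not taken from MSI, from any firmware vendor or from the original page. It models a board's firmware check in Go, using Ed25519 as a stand-in for the vendor's real signing scheme (vendors typically use RSA/X.509 and a richer container format; the trust logic is the same). The image contents, the key names and the rotation step are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// FirmwareImage is a constructed stand-in for a firmware update package: the
// bytes the board checks plus a detached signature made with the vendor key.
type FirmwareImage struct {
	Body      []byte
	Signature []byte
}

// SignImage plays the vendor's release pipeline: whoever holds this private
// key can produce an image the board will accept.
func SignImage(priv ed25519.PrivateKey, body []byte) FirmwareImage {
	return FirmwareImage{Body: body, Signature: ed25519.Sign(priv, body)}
}

// VerifyImage plays the board's boot/update check. It only knows the trusted
// public key, so it cannot tell the vendor apart from anyone else holding the
// matching private key.
func VerifyImage(trusted ed25519.PublicKey, img FirmwareImage) bool {
	return ed25519.Verify(trusted, img.Body, img.Signature)
}

// LeakOutcome records what the verifier decides at each step of the scenario.
type LeakOutcome struct {
	GenuineAccepted   bool // vendor-signed image passes
	TamperedRejected  bool // same image with one flipped byte fails (the check works)
	MaliciousAccepted bool // attacker image signed with the leaked key passes (the problem)
	RotatedRejectsOld bool // a board updated to a new trusted key rejects the attacker image
}

// RunLeakScenario walks through a vendor key leak end to end.
func RunLeakScenario() (LeakOutcome, error) {
	// The vendor generates its release key; the public half is what boards trust.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return LeakOutcome{}, err
	}

	// Constructed sample image; the bytes stand in for a real firmware blob.
	genuine := SignImage(vendorPriv, []byte("constructed sample: vendor BIOS v1.2"))

	// A single flipped byte in a signed image is caught: this is what signing is for.
	tampered := FirmwareImage{Body: append([]byte(nil), genuine.Body...), Signature: genuine.Signature}
	tampered.Body[0] ^= 0xff

	// The leak: the attacker now holds bytes identical to the vendor's private key
	// and signs an implant of their own choosing.
	leakedPriv := ed25519.PrivateKey(append([]byte(nil), vendorPriv...))
	malicious := SignImage(leakedPriv, []byte("constructed sample: implanted BIOS"))

	// Remedy: a rotated key, which only protects boards whose trust anchor is
	// actually replaced with the new public key.
	rotatedPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return LeakOutcome{}, err
	}

	return LeakOutcome{
		GenuineAccepted:   VerifyImage(vendorPub, genuine),
		TamperedRejected:  !VerifyImage(vendorPub, tampered),
		MaliciousAccepted: VerifyImage(vendorPub, malicious),
		RotatedRejectsOld: !VerifyImage(rotatedPub, malicious),
	}, nil
}

func main() {
	out, err := RunLeakScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The third flag is the whole story of a signing key leak: the board's check behaves exactly as designed and still accepts the implant, because the design assumes only the vendor can sign. The fourth flag shows why rotation alone is not a fix; every board still carrying the old public key keeps accepting the attacker's image until its trust anchor is replaced.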
WIRED ran a story by Kim Zetter with newer and more in-depth details on the SolarWinds hack, which they’re calling the “boldest supply-chain hack ever.” It’s a very well-written piece that shows how the hack was identified and the challenging forensics work that was required to understand how it all happened.
Here are some other incidents:
There have been some software supply chain incidents as well. Notably, PyPI (the Python Package Index) suspended new project and user registrations due to a surge in malicious activity that its maintainers could no longer keep up with. Meanwhile, Orqa, a maker of drone goggles, had to contend with a “software time bomb” introduced into its devices by a contractor.
Geopolitical tensions continue with Micron ban and government probes on suppliers
We mentioned last month that China launched a probe into American memory maker Micron following certain security concerns. It has now come to light that this probe concluded that Micron poses a national security risk to China. As such, operators of critical infrastructure must stop buying Micron’s products:
China’s government told operators of “critical information infrastructure” to stop buying Micron Technology’s products Sunday and claimed the U.S. chipmaker threatened national security.
The Cyberspace Administration of China’s claims, which a U.S. Commerce Department spokesperson in a statement to media Sunday evening said had “no basis in fact,” followed a security review of the Idaho-based firm.
Micron said in a statement to news outlets it’s “evaluating the conclusion” of the CAC report, assessing next steps and looked forward to “continuing to engage in discussions with Chinese authorities.”
This seems to be one more chapter in the ongoing geopolitical struggle which has resulted in Chinese products (especially cameras and telecommunications equipment) being banned or restricted in several countries. In fact, Portugal may soon ban Chinese 5G equipment from its infrastructure, joining the likes of the U.K. and Australia.
Still in the international sphere, an initiative spearheaded by the White House last year is now considering a ban on ransomware payments. Although the ban is expected to allow some kind of waiver, the details are still very much in the works. Since the ban is only likely to be effective if enforced by all countries participating in the International Counter Ransomware Initiative, it’s safe to assume this will not be an easy policy to negotiate or implement. While countries that do not implement the ban risk becoming prime ransomware targets, the participating countries must be prepared for more destructive attacks: once payment is off the table, attackers lose their incentive to keep a recovery path (the decryptor they sell) working at all.
More strictly inside the U.S., the Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to check if they have equipment deemed “high risk” by the FCC. The FCC’s list consists mostly of Chinese companies or their subsidiaries (such as ZTE, Huawei, China Telecom, and Dahua), as well as Russia’s Kaspersky. The government also launched a probe into Rockwell Automation over its operations in China, showing that these geopolitical supply chain tensions can escalate toward domestic companies as well.
Moving on to new regulations in the cybersecurity sector, you probably want to check out this informative breakdown of the new rules proposed by the SEC. For us here, the changes for third-party providers are the most important, but there are other interesting bits relating to incident response programs and disclosure requirements.
Meanwhile, NIST wants to hear from organizations interested in a project that seeks to identify software supply chain and secure DevOps practices.
To wrap up this section, the New York Department of Financial Services (NYDFS) fined OneMain US$ 4.5 million for third-party security management failures, such as allowing a vendor to work for the company before its security assessment was finished and not updating that assessment in a timely manner after material changes (such as a new incident).
‘Most companies can’t handle cybersecurity alone’
An interesting article in the Harvard Business Review gets right to the point in its very title “Most companies can’t handle cybersecurity alone”:
We have reached a tipping point where cybersecurity has become too difficult and moves too fast for most organizations to manage it effectively on their own. […]
With adversaries continuously innovating and industrializing their ability to evade defense technologies, cybersecurity-as-a-service (CSaaS) may be the most viable economic approach to managing cybersecurity — especially amidst today’s macroeconomic climate. […]
The way to detect and neutralize determined attackers is with 24/7 eyes-on-glass delivered by expert security operations professionals. These highly skilled operators have never been more critically urgent.
The overall argument is that cybersecurity is challenging, specialized, and continuous. We believe the same is true for third-party risk management – having clear visibility over the security of your partners helps to ensure everyone is on the same page. But there is also something else here: in the current market, outsourcing can become pretty much a requirement to remain competitive.
In other words, businesses can easily find that this applies to other tasks as well. Outsourcing often allows them to be more efficient and to move faster. There are risks, of course, but it’s worthwhile to look for a path through which we can take advantage of these benefits while minimizing the risks. In tech and other high-complexity sectors like healthcare, it’s impossible to do much without relying on others — we need to learn how to do it safely.
Thankfully, we have several guidance pieces this month to help with just that. The first link here has some specific ideas for local governments, and we got a second one concerning ports – and as usual, the fact we’re seeing articles for specific entities like those indicates awareness of third-party risk management is increasing.
Of course, there are articles covering TPCRM more broadly too: at Future of Sourcing, Dean Alms writes about the concept of an “extended enterprise.”
Jason Chan has a different take as he explores his experience at Netflix and the so-called “Rambo architecture,” the idea that “each system has to be able to succeed, no matter what, even all on its own.” Chan argues that tackling third-party security through “finger pointing and questionnaire swapping” is little more than security theater, and his article is worth a read.
Forbes has a piece on the many third parties that are present in our online shopping experience and how they can increase the risk for the e-commerce businesses that rely on them. Until privacy regulations and mandatory incident disclosures came along, many websites didn’t evaluate risk when integrating code or third-party services into their ecosystem, and some operators now have a complex infrastructure they need to reevaluate and assess for compliance – and this piece highlights why this is important.
At SupplyChainBrain, Erika Peters makes a link between the environmental, social, and corporate governance (ESG) framework and supply chain management, with a special focus on governance – an area where cybersecurity efforts and technology can contribute a lot.
9 out of 10 companies detected software supply chain security risks
A new survey carried out by Dimensional Research suggests that 9 out of 10 companies detected some kind of software supply chain security risk:
Nearly 90% of technology professionals detected significant risks in their software supply chain in the last year. More than 70% said that current application security solutions aren’t providing necessary protections.
More than 300 global executives, technology and security professionals at all seniority levels directly responsible for software at enterprise companies, were surveyed for the study. […]
Nearly all respondents (98%) recognized that software supply chain issues pose a significant business risk.
There has been a big push to increase awareness of software supply chain risks, so this kind of finding is perhaps unsurprising to some extent. A lot of companies are still trying to figure out what this means for their business, but we would like to stress that it’s better to look beyond software-related risks. Attacks can leverage software or IT services as a medium even when they don’t happen because of software flaws or insecurities.
A social engineering attack or an infrastructure compromise can be an equally viable means of entry. This was the case for LastPass in its recent incident: a developer machine was compromised through a vulnerability in a completely unrelated software package. The root cause is not that package. Rather, the fault lies in the fact that a privileged user was allowed to log into critical company systems from an unmanaged personal device running untrusted and unpatched software.
Another survey by Compliance Week and FTI Consulting found that third-party risk management is a key priority for compliance leaders: 62% of respondents cited it as a major concern for 2023. The survey was conducted with “151 legal and compliance decision-makers between February and March of this year.”
There is another story at Supply Chain Management Review that takes data from two studies, one of them from Gartner, to make the case that cybersecurity risk is becoming a buying criterion for chief supply chain officers (CSCOs). According to the Gartner study, “60% of supply chain organizations plan to use cybersecurity risk as a ‘significant determinant’ in conducting third-party transactions and business engagements by 2025.” This, the article points out, can be especially relevant to small businesses, as they too are often targeted by cyberattacks.
Backup and data protection company Veeam published a report on ransomware trends. Based on a survey of 1,200 organizations, the report argues that there is a shift in how cyber insurers deal with ransomware.
There is more in the report, but what its data suggests is that insurers may no longer be willing to cover ransomware payments. It’s undeniable that there has been ongoing discussion regarding the role of cyber insurers, and the U.S. National Cybersecurity Strategy published in March also says the government wants to explore a “federal cyber insurance backstop.” The idea that companies shouldn’t fully rely on insurance to fix cybersecurity incidents is sound, especially when this involves rewarding criminals, and perhaps it’s why the government is also thinking of prohibiting this practice. We are starting to see some companies requiring that critical third parties be covered by cyber insurance, and the findings in the report highlight the cost and limits of that approach.
On the topic of the National Cybersecurity Strategy, our last story for this section is an article at TechTarget with several (generally positive) opinions on the government’s attempt to enforce software liability.
Audit firms facing scrutiny over bank failures and confidentiality breach
We’ve recently argued against the idea that one-time audits should be seen as the ultimate solution for third-party security assessments (see our comments on the French Cyberscore Law in April, if you missed them). While useful in many cases, audits can be challenging and even problematic when it comes to time-sensitive matters. Cybersecurity falls right into that camp.
In May, however, this went a step further. Two of the big four audit firms are facing government scrutiny. In Australia, it’s because of a scandal springing from an information leak:
The scandal engulfing global consulting giant PwC has deepened, with an Australian senator accusing its proposed internal inquiry of “continuing a cover-up” amid calls by a Greens senator for an investigation by the Australian federal police.
PwC is the subject of multiple investigations after a former senior executive breached confidentiality agreements while working with Treasury and shared information about future tax policies with colleagues. That information was later used to help clients and make millions of dollars. […]
The 144 pages of internal PwC emails are heavily redacted, with names and full email addresses removed. It is not clear how many of the people who received the confidential information, or acted on it, are still employed by the company.
PwC Australia is taking several steps in response. Nine partners were put on leave, and its board was overhauled (the chair of the governance board stepped down). This story is still developing.
Meanwhile, U.S. senators are probing KPMG over its relationship with three failed banks. The firm had issued clean audits for SVB, Signature Bank, and First Republic Bank, all of which recently collapsed, sending shockwaves through the American financial sector.
Auditing is a well-established practice. Because recent regulations aren’t always explicit about how companies should deal with risks or issues (the new third-party management guidelines in Canada are an example here), getting a provider or supplier cleared through an audit can seem like a natural step to remain compliant. However, it may not be enough in practice. In the digital world, scenarios can change quickly and unexpectedly, and we must take that into account when developing and deploying effective measures.
As usual, we have a couple of bonus links below. The first is a security check on messaging app Converso, while the second has a tale from security firm Dragos regarding an incident they had.
How I accidentally breached a nonexistent database and found every private key in a ‘state-of-the-art’ encrypted messenger called Converso.
On May 8, 2023, a known cybercriminal group attempted and failed at an extortion scheme against Dragos. No Dragos systems were breached, including anything related to the Dragos Platform.
Dragos has a culture of transparency and a commitment to providing educational material to the community. This is why it’s important to us to share what happened during a recent failed extortion scheme against Dragos in which a cybercriminal group attempted to compromise our information resources. We want to share this experience with the community, describe how we prevented it from being much worse, and, hopefully, help de-stigmatize security events.