How supply chain attacks work: examples of attacks on companies, and mitigations


In this article

How do supply chain attacks work?

A supply chain attack works by delivering malware or other malicious software to the victim through a supplier or vendor the victim already trusts.

Attackers look for unprotected network protocols, unprotected server infrastructure, or unsafe coding practices at a supplier, and use that weak point to reach the supplier's customers.

A supply chain attack is a cyber-attack that targets an organization through a weak point in its supply chain. The supply chain is the network of all individuals, organizations, resources, activities, and technology involved in creating and selling a product; it encompasses everything from the delivery of raw materials to the supplier and the manufacturer through to delivery of the finished product to the end user. By targeting a weak point in the supply chain, an attack is more likely to succeed, because the attacker takes advantage of the trust an organization places in its third-party vendors.



Examples of supply chain attacks on large companies

Mimecast Attack

Date: January 2021

Mimecast, a cloud email management company, disclosed that one of its certificates, used to authenticate its products to Microsoft 365 Exchange Web Services, had been "compromised by a sophisticated threat actor".

The compromised certificate was most likely a TLS certificate issued by Mimecast that customers install on their Exchange Client Access Servers to secure the connection to Microsoft 365.

Roughly 10% of Mimecast's customers used the affected certificate-based connection.

How they handled the attack after the incident:

Mimecast was alerted to the compromise by Microsoft. It disabled the compromised certificate for Microsoft 365 connections effective January 18, 2021, issued a new certificate, and urged all affected customers to re-establish their connection to Microsoft 365 using the new certificate.

Mitigations:

  • Monitor digital certificates: this is the first line of defence against certificate compromise. Monitoring software should inventory every certificate in use, inspect its contents (issuer, subject, validity period, key), and alert the team when something is out of the ordinary, such as an unexpected issuer or a certificate that appears without a change record.
  • Store certificates and private keys securely: keep private keys off the general network, on an encrypted hardware token or HSM, and restrict access to that storage to privileged users with strong authentication and role-based access control (RBAC).
  • Automate certificate and key management: automation removes the manual steps where human error, one of the most significant causes of certificate-related incidents, creeps in.
  • Use built-in policy management: certificate and key management software with policy-based automation identifies and decommissions rogue certificates, renews certificates nearing expiry, and keeps every step of the lifecycle compliant with government and industry regulations.
  • Control access with identity and access management (IAM): IAM tooling ensures only the right people reach the right assets, through single sign-on, multi-factor authentication, privileged access management, and access governance.
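The first mitigation above is easy to state and rarely implemented well, so here is a worked certificate check. It is an added example written for this article, not code from Mimecast, Microsoft or the Venafi post; the host name, issuer name and DER bytes are constructed placeholders. It takes a certificate in the form Python's ssl module reports it (the dict from getpeercert() plus the DER bytes from getpeercert(binary_form=True)) and compares it against what the team recorded when the certificate was deployed: pinned fingerprint, expected issuer, required hostname and remaining validity. Any deviation becomes an alert string.

```python
"""Certificate monitoring check (added example, not Mimecast's or Microsoft's code)."""
import hashlib
import socket
import ssl
import time


def fetch_certificate(host, port=443):
    """Fetch the live certificate for host (needs network access; not used in the sample run)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


def fingerprint(der_bytes):
    """SHA-256 fingerprint of the DER-encoded certificate, colon separated like openssl prints it."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _rdn_value(name, key):
    """Pull one attribute (e.g. organizationName) out of getpeercert()'s nested subject/issuer tuples."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def check_certificate(info, der_bytes, expected, now=None, warn_days=30):
    """Return a list of alerts; an empty list means the certificate matches what was deployed.

    expected = {"fingerprint": pinned SHA-256 fingerprint recorded at deployment,
                "issuer_org":  organizationName the CA policy allows,
                "hostname":    DNS name the certificate must cover}
    """
    now = time.time() if now is None else now
    alerts = []

    seen = fingerprint(der_bytes)
    if seen != expected["fingerprint"]:
        alerts.append(f"fingerprint changed: expected {expected['fingerprint']}, got {seen}")

    issuer_org = _rdn_value(info.get("issuer", ()), "organizationName")
    if issuer_org != expected["issuer_org"]:
        alerts.append(f"unexpected issuer: {issuer_org!r}")

    sans = {value for kind, value in info.get("subjectAltName", ()) if kind == "DNS"}
    if expected["hostname"] not in sans:
        alerts.append(f"hostname {expected['hostname']} not in SAN {sorted(sans)}")

    # ssl.cert_time_to_seconds parses the "Jan 18 12:00:00 2021 GMT" format getpeercert() uses.
    not_after = ssl.cert_time_to_seconds(info["notAfter"])
    if not_after <= now:
        alerts.append("certificate has expired")
    elif not_after - now < warn_days * 86400:
        alerts.append(f"certificate expires in {int((not_after - now) // 86400)} days")

    return alerts


# Constructed sample: a certificate as getpeercert() would report it. The DER bytes are a
# placeholder blob, not a real certificate; only the fingerprint logic touches them.
SAMPLE_DER = b"\x30\x82\x01\x00sample-certificate-bytes"
SAMPLE_INFO = {
    "subject": ((("commonName", "connector.example.com"),),),
    "issuer": ((("organizationName", "Example Internal CA"),), (("commonName", "Example Issuing CA 1"),)),
    "notAfter": "Jan 18 12:00:00 2021 GMT",
    "subjectAltName": (("DNS", "connector.example.com"),),
    "serialNumber": "0A1B2C",
}
EXPECTED = {
    "fingerprint": fingerprint(SAMPLE_DER),   # pinned when the certificate was deployed
    "issuer_org": "Example Internal CA",
    "hostname": "connector.example.com",
}
# Pretend the check runs on 1 January 2021, so the sample certificate has 17 days left.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan 01 12:00:00 2021 GMT")

if __name__ == "__main__":
    for alert in check_certificate(SAMPLE_INFO, SAMPLE_DER, EXPECTED, now=SAMPLE_NOW) or ["OK"]:
        print(alert)
```

In production the pinned fingerprint comes from the change record created when the certificate was issued, and fetch_certificate() replaces the constructed sample; a fingerprint that changes without a matching change record is exactly the signal that would have been worth having in the Mimecast case.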

 

Equifax Supply Chain Attack:

Date: September 2017 

Equifax, one of the largest consumer credit reporting agencies, suffered a data breach through a vulnerability in a web application. The breach affected roughly 147 million people; the stolen data included Social Security numbers, driver's license numbers, birth dates, and addresses.

The crisis began in March 2017, when CVE-2017-5638 was disclosed: a remote code execution vulnerability in Apache Struts, an open source framework for building enterprise Java web applications.

March 7: the Apache Software Foundation released a patch for the vulnerability.

March 9: Equifax administrators were instructed to apply the patch to affected systems, but the instruction was not carried out on the vulnerable system.

March 15: Equifax's security team ran scans intended to identify systems still vulnerable to the Struts flaw. The scans failed to flag the vulnerable systems, so none of them were patched.

From May through July 2017, attackers exploited the unpatched vulnerability to gain access to multiple Equifax databases containing information on hundreds of millions of people.
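The timeline above is a patch-verification failure: a patch instruction that was never confirmed, and a scan that reported nothing because it never reached the vulnerable host. The check below is an added example written for this article, not Equifax's tooling; the host names and inventory are constructed. It compares a software inventory against the Struts versions affected by CVE-2017-5638 (2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1, per the Apache S2-045 advisory) and separately lists hosts the scanner never covered, because a scan that skips hosts looks identical to a clean scan.

```python
"""Patch-verification check for CVE-2017-5638 (added example; not Equifax's tooling)."""
import re

# Inclusive version ranges affected by CVE-2017-5638 (Apache advisory S2-045).
VULNERABLE_RANGES = [("2.3.5", "2.3.31"), ("2.5.0", "2.5.10")]


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1). Shorter versions are zero-padded so '2.5' sorts below '2.5.1'."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable_struts(version):
    """True if the installed Struts version falls inside any affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in VULNERABLE_RANGES)


def patch_status(inventory, scanned_hosts):
    """Cross-check what is installed against what the scanner actually looked at.

    inventory:     list of (host, struts_version) from configuration management.
    scanned_hosts: set of hosts the vulnerability scanner reported on.
    Returns {"vulnerable": [(host, version)], "unscanned": [host], "not_vulnerable": [(host, version)]}.
    """
    report = {"vulnerable": [], "unscanned": [], "not_vulnerable": []}
    for host, version in inventory:
        if host not in scanned_hosts:
            report["unscanned"].append(host)   # a blind spot, whatever the scanner said
        if is_vulnerable_struts(version):
            report["vulnerable"].append((host, version))
        else:
            report["not_vulnerable"].append((host, version))
    return report


# Constructed sample inventory and scan coverage (hypothetical hosts).
INVENTORY = [
    ("portal-web-01", "2.3.31"),     # last affected 2.3.x release
    ("portal-web-02", "2.3.32"),     # fixed release
    ("dispute-app-01", "2.5.10"),    # affected, and the scanner never reached it
    ("dispute-app-02", "2.5.10.1"),  # fixed release
    ("legacy-api-01", "2.3.4"),      # predates the affected range
]
SCANNED = {"portal-web-01", "portal-web-02", "dispute-app-02"}

if __name__ == "__main__":
    for key, rows in patch_status(INVENTORY, SCANNED).items():
        print(f"{key}: {rows}")
```

The point of reporting "unscanned" separately is that dispute-app-01 is both vulnerable and invisible to the scanner; a report built only from scanner output would have said nothing about it, which is the situation Equifax was in on March 15.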

How they handled the attack after the incident:

After the breach was made public, Equifax set up a separate domain, equifaxsecurity2017.com, to handle consumer enquiries rather than hosting the response on its own equifax.com domain. The unfamiliar domain was easy to confuse with look-alike sites, and Equifax's own support staff repeatedly directed people to securityequifax2017.com, a look-alike created by a security researcher to demonstrate the problem.

Mitigations:

  • Scan: scan systems to confirm that no malware remains on the device and that no vulnerable software versions remain installed.
  • Patch and update: keeping software current significantly reduces cyber risk; verify that a patch has actually been applied rather than assuming an instruction to patch was carried out.
  • Auto-update antivirus: ensure the antivirus program is set to update automatically.
  • Install local firewalls on devices: a host firewall can help detect and block malicious behaviour.
  • Consider a content filter and proxy server: these help prevent users from unknowingly visiting malicious websites.
  • Implement an email filter that strips malicious attachments: many attacks on enterprise systems begin with a malicious email. Email filtering stops malware reaching a machine and spreading to other devices.
  • Monitor logs: logs help keep systems running well and reveal attacks in progress; they should be reviewed daily.
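Log review only helps if someone knows what to look for. CVE-2017-5638 was triggered by an OGNL expression placed in the Content-Type request header, so a web server or proxy that logs request headers records every attempt. The check below is an added example written for this article, not Equifax's tooling: it reads a JSON-lines access log (a constructed format with hypothetical field names; adjust them to your proxy's) and flags requests whose Content-Type carries OGNL markers, including URL-encoded variants that a naive substring match would miss.

```python
"""Access-log review for Struts CVE-2017-5638 attempts (added example, not Equifax's tooling)."""
import json
import re
from urllib.parse import unquote

# OGNL expression markers that have no business in a Content-Type value.
OGNL_MARKERS = re.compile(r"(%\{|\$\{|#_memberAccess|ognl\.OgnlContext|@java\.lang\.)", re.IGNORECASE)


def is_suspicious_content_type(value):
    """True if the header carries an OGNL expression, after undoing up to two layers of URL encoding."""
    decoded = value
    for _ in range(2):
        decoded = unquote(decoded)
    return bool(OGNL_MARKERS.search(decoded))


def scan_access_log(lines):
    """Return (src, path, status) for every request whose Content-Type looks like an OGNL injection."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line; a real pipeline would count these rather than drop them silently
        if is_suspicious_content_type(entry.get("content_type", "")):
            hits.append((entry.get("src"), entry.get("path"), entry.get("status")))
    return hits


# Constructed sample log: two ordinary requests, one attempt shaped like the public S2-045
# pattern (truncated, not a working payload), one URL-encoded variant, and one junk line.
SAMPLE_LOG = [
    '{"ts":"2017-05-13T03:12:01Z","src":"203.0.113.10","method":"POST","path":"/login.action","content_type":"application/x-www-form-urlencoded","status":200}',
    '{"ts":"2017-05-13T03:12:05Z","src":"203.0.113.10","method":"POST","path":"/upload.action","content_type":"multipart/form-data; boundary=abc","status":200}',
    '{"ts":"2017-05-13T03:14:44Z","src":"198.51.100.7","method":"GET","path":"/index.action","content_type":"%{(#_=\'multipart/form-data\').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd=\'id\')}","status":200}',
    '{"ts":"2017-05-13T03:15:02Z","src":"198.51.100.7","method":"GET","path":"/index.action","content_type":"%25%7B(%23_%3D%27multipart%2Fform-data%27)%7D","status":500}',
    'not json at all',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("possible CVE-2017-5638 attempt:", hit)
```

Note that the successful attempt in the sample returns HTTP 200: a status-code filter alone would never surface it, which is why the match is on the header content rather than on errors.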

References:

https://www.venafi.com/blog/supply-chain-attack-targets-mimecast-digital-certificates

https://www.csoonline.com/article/3444488/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html
