Supply Chain: Risks to Users and Organizations Continue
April 4, 2019
TLP: WHITE | The NJCCIC assesses with high confidence that software supply chain vendors are at risk from local and foreign threat actors infiltrating strong security systems of organizations through the exploitation of an established and trusted distribution channel. General software update attacks can lead to supplementary targeted campaigns of specific regions, sectors, or personnel. Modern supply chain networks are more global, integrated, and open to cyber supply chain attacks. According to the World Economic Forum’s Global Risks Report 2019, cyber attacks rank fifth in the top ten risks in terms of likelihood and seventh in terms of impact. Around 80 percent of survey respondents expect an increased risk in attacks with the consequences of the disruption of operations and the theft of money and data. Supply chain compromises can consist of the manipulation of both hardware and software information systems. Hardware attacks require physical access to equipment, altered at the start of manufacturing (seeding) or at some point en route to the customer. Symantec defines software update attacks as the implantation of malware into an otherwise legitimate software package at its usual distribution location, during production at the software vendor, at a third-party storage location, or through redirection. Findings from the 2019 Internet Security Threat Report reveal that these types of attacks are more common, increasing by 78 percent in 2018 compared to a 200 percent increase in 2017 with at least one massive attack reported monthly. Of all the methods threat actors use to infect software supply chains, compromising the vendor’s software package directly is difficult to execute, but proves to be highly effective as it is very challenging to detect. The amount of damage is exemplified in the Petya-NotPetya attack from June 2017. MEDoc, a Ukrainian tax and accounting software vendor, was compromised and sent software update packages containing malware to users around the world. Threat actors are infecting open-source software, which are heavily utilized components in supply chain networks. In response to this growing threat, in October 2018, the US Department of Homeland Security (DHS) announced the formation of the first Information and Communications Technology (ICT) Supply Chain Risk Management Task Force. This task force is a public-private partnership, third-party team with the key goal of identifying and managing risks to the global supply chain. They also provide agencies and procurement officials with more information on products to prevent the purchase of technology with security problems. DHS states that “government and industry have a shared interest and thus a shared responsibility in identifying and mitigating these threats." Managing software supply chain hygiene results in improved quality, security, and speed to market.
Recent Supply Chain Incidents
In October 2018, Bloomberg Businessweek published an article on hardware infiltration in the supply chain. The Chinese threat actors were able to manipulate the Supermicro server motherboards and add malicious chips, which "allowed attackers to create a stealth doorway into any network that included the altered machines." Of at least 30 US companies and government agencies that could have been affected, Amazon and Apple were cited as having been infected, yet deny these claims.
In July 2018, threat intelligence firms, Digital Shadows Ltd. and Onapsis Inc., released a research report on the evolving threats and exploitation of SAP and ERP applications. Their goal was to “warn organizations and raise awareness of the risks and threats of not properly taking care of the security of ERP applications."
In January 2018, it was announced that due to hardware bugs in Intel chips, the Intel, AMD, and ARM processors are vulnerable to attacks that grant low-privilege and untrusted programs access to a device’s memory and the ability to steal data. Meltdown and Spectre are two attacks that were carried out from the exploitation of this speculative execution vulnerability. “Meltdown allows malicious programs to gain access to higher-privileged parts of a computer's memory, while Spectre steals data from the memory of other applications running on a machine." Intel responded to the security research findings with the belief that the “exploits do not have the potential to corrupt, modify or delete data."
In 2016, Russian agents launched spear-phishing and watering hole campaigns on contractors and subcontractors of utilities and government agencies not privy to cybersecurity attacks from foreign threat actors to obtain credentials and eventually gain access to sensitive power-utility networks. Through the infiltration of the US power grid, which is a system of interconnected electric networks, Russian government hackers can remain undetected while conducting reconnaissance.
In May 2016, the US Department of Homeland Security (DHS) US-CERT issued an alert on the exploitation of a SAP business application vulnerability. This allowed unauthenticated, remote attackers to have complete control of business information and processes, affecting at least 36 global enterprises. According to security researchers at Onapsis, because the patch for this vulnerability had been available for over five years, “this was not a SAP problem, but a lack of visibility, governance, and control over cybersecurity risks found in SAP platforms."
Recommendations to Improve Supply Chain Security
The following list of security measures is not exhaustive and is intended to provide the most basic and necessary practices to manage risk posed by vendors, suppliers, and other third-parties. For comprehensive sets of recommendations on supply chain security practices, refer to the resources provided below by the National Institute of Standards and Technology (NIST), SANS Institute, the Software Engineering Institute at Carnegie Mellon University, and others.
Implement a comprehensive vendor management program, beginning with audits of all current vendors.
Prior to implementing new hardware or software products into a production environment, fully vet the product to ensure it works as expected in a test environment.
Leverage trusted third-party security review resources including the National Information Assurance Partnership, FedRamp and Cloud Security Alliance CSTAR certifications, etc.
If possible, conduct source code reviews of all third-party software used within the enterprise.
Establish security controls and regularly audit vendor access to networks, systems, and sensitive data.
Apply the Principle of Least Privilege when creating user accounts for vendors and regularly monitor and audit accounts for abuse and privilege escalation.
Require multi-factor authentication, the use of a VPN, and/or apply IP address whitelisting for remote access to all systems and portals that contain sensitive data.
Limit or eliminate the transmission or storage of unnecessary customer and client information.
Maintain awareness of all compliance mandates, security standards, and reporting requirements and update policies and procedures to incorporate changes as needed.
Ensure that all security requirements, including acceptable use policies, are clearly defined in vendor contracts.
Implement proper network segmentation to protect systems and data from unauthorized access by vendors and other external threats.
Block traffic to unneeded ports both at the network perimeter and on internal systems, servers, and firewalls.
Disable, delete, or block the use of unnecessary remote access tools such as PsExec, Microsoft Remote Desktop, TeamViewer, VNC, LogMeIn, etc.
Whitelist authorized applications and proactively block the installation and usage of unauthorized software.
Consider implementing a data loss prevention (DLP) solution that includes monitoring of all egress traffic for unauthorized data exfiltration.
Follow established change management processes.
Supply Chain Controls
Require all vendors to review, sign, and maintain compliance with security requirements and acceptable use policies.
Require vendors who transmit or store sensitive data to encrypt it both at rest and in transit.
Require vendors to provide immediate notification of any data breaches or cybersecurity incidents that may impact the organization, clients, or customers.
Require that vendors perform comprehensive background checks on their employees. These background checks should be performed regularly, preferably on an annual or bi-annual basis.
Require that all software and systems used by vendors to access networks or sensitive data are running antivirus software and kept up-to-date with the latest security patches.
SANS Institute InfoSec Reading Room: Combatting Cyber Risks in the Supply Chain.
Software Engineering Institute, Carnegie Mellon University: Common Sense Guide to Mitigating Insider Threats.
Federal Deposit Insurance Corporation: Guidance for Managing Third-Party Risk.
PCI Security Standards Council: PCI DSS Quick Reference Guide.