The supply chain trust is being abused by our adversaries: They continue to use our tools against us
I think that GLaDOS, the evil AI from Portal, was trying to convey the importance of security through her song “Still Alive.” Portal’s fictional artificially intelligent computer system sang, “But there’s no sense crying over every error. It’s just a matter of keeping on trying until you’re out of cake.” She was probably referring to how we are our own worst enemies: we trust our supply chains until there’s nothing left.
We place enormous trust in our systems, vendors, and partners for software deployment, network performance monitoring, patching (both software and hardware), software and hardware procurement, and many other tasks. One such system was used to attack thousands of companies in a single ransomware campaign.
This attack targeted Kaseya VSA IT Management Software, a product intended to let IT administrators monitor and automate routine tasks, patch systems, and deploy software. An attacker exploited a zero-day vulnerability to gain access to customer instances of Kaseya VSA and then used the product’s native software-deployment functionality to push ransomware to those customers’ endpoints.
Managed service providers (MSPs), who use Kaseya software for managing their customer environments, compound the problem. The ransomware was spread to customers by the MSPs after the Kaseya software was compromised.
This is just one example of the many ways attackers abuse trust in unique and unusual ways. IT professionals and security experts alike are left wondering, “Why hasn’t this happened sooner?”
Attackers are getting bolder
Ransomware group REvil is getting bolder. It is clear that an attack such as the one against Kaseya was planned and designed to inflict maximum damage on the largest number of targets. The group boasted about infecting over a million devices and demanded a $70 million ransom immediately after the attack, promising that the decryptor would work for all affected organizations if one party paid.
This highlights a worrying trend: attack targets are shifting away from specific organizations toward platforms like Kaseya and SolarWinds, where one compromise affects many organizations at once. Attackers continue to study the tools we rely on so they can turn native functionality into an attack vehicle. In this case, the attack also took advantage of an older version of Microsoft Defender, which could be abused to sideload other files.
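As an added example (not code from the original post, nor from Kaseya, Microsoft or any other vendor mentioned), here is a small Python detector for the two defender-side signals implied by that attack pattern: a security engine executing from outside its install directory, and a management agent launching a binary from a user-writable location. The engine executable name, its trusted install paths, the agent process name and all process events are assumptions or constructed sample data.

```python
import ntpath
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcessEvent:
    parent: str  # image path of the parent process
    image: str   # image path of the newly created process

# Assumption: binaries that must only run from their vendor install dirs; a copy anywhere else is sideload staging.
TRUSTED_LOCATIONS = {
    "msmpeng.exe": (r"c:\program files\windows defender",
                    r"c:\programdata\microsoft\windows defender\platform"),
}
RMM_AGENT = "rmm-agent.exe"                       # assumed placeholder agent name
STAGING_DIRS = (r"c:\users", r"c:\windows\temp")  # user-writable drop locations

def norm(path):
    return ntpath.normpath(path).lower()          # case-insensitive comparison

def in_dir(path, root):
    return path == root or path.startswith(root + "\\")

def is_outside_trusted_dir(image):
    roots = TRUSTED_LOCATIONS.get(ntpath.basename(norm(image)))
    if not roots:
        return False                              # not a binary we track
    return not any(in_dir(ntpath.dirname(norm(image)), r) for r in roots)

def analyze(events):
    findings = []                                 # (rule, image) in event order
    for e in events:
        if is_outside_trusted_dir(e.image):
            findings.append(("sideload_staging", e.image))
        if (ntpath.basename(norm(e.parent)) == RMM_AGENT
                and any(in_dir(ntpath.dirname(norm(e.image)), d) for d in STAGING_DIRS)):
            findings.append(("rmm_pushed_binary", e.image))
    return findings

# Constructed sample events: a normal engine start, an engine copy dropped by
# the management agent into a temp directory, and a benign agent child.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\services.exe",
                 r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MsMpEng.exe"),
    ProcessEvent(r"C:\Program Files\RMM\rmm-agent.exe", r"C:\Windows\Temp\MsMpEng.exe"),
    ProcessEvent(r"C:\Program Files\RMM\rmm-agent.exe", r"C:\Program Files\RMM\updater.exe"),
]

if __name__ == "__main__":
    for rule, image in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

Only the second constructed event trips both rules; feeding real EDR or Sysmon process-creation events through the same functions is the intended use.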
Software is vulnerable all the way down the chain
“Let’s be real. We don’t know what this thing is. You can just put it in the corner and I’ll deal with it later.” — GLaDOS
All the tools that organizations rely on — such as tax software, oil pipeline sensors, collaboration platforms, and even security agents — are built on top of the same vulnerable code, platforms, and software libraries that your vulnerability management team is screaming from the hills to patch or update immediately.
Both organizations and their suppliers must hold vendors, partners, and other parties accountable for the security vulnerabilities in the software they’ve created. They also need to understand the risks they are taking by deploying the software within their environment.
You can run faster than the next guy; take defensive steps now
In our blog Ransomware: Survive by Outrunning the Guy Next to You, Allie Mellen and I discuss ransomware protection and how to harden systems so that your organization is a difficult target. Supply chain attacks bypass those defenses by exploiting the trust you place in systems, so to protect yourself from them you must examine the trust you place in your supply chain.
Organizations should begin by taking inventory of key partners who have a significant presence in their environment. This could include vendors that provide collaboration/email, MSPs responsible for monitoring and managing infrastructure, or security providers that might have agents deployed to all systems. Once you have compiled your list, the next step is to:
- Ask your partners what preventive measures they are taking to stop you from becoming another victim of a destructive attack. Ask about the gating process used to push updates to your environment: how does the solution provider validate updates before pushing them, and how do they assess their code for vulnerabilities?
- Ask if they have the right processes and architecture to stop the kind of lateral movement that we witnessed with the latest attack. Ask them how they protect their environments, including their update servers. Ask for third-party assessment or audit results.
- Review your service agreements to find out what contractual responsibility your partners have for keeping you safe from ransomware or malware. Understand your rights to seek compensation if you become a victim because their systems were used as delivery vehicles.
Forrester addressed third-party risk in its top recommendations for the year. We also recommend that organizations take proactive steps to implement the prescriptive ransomware advice, as well as look at the additional ransomware resources that we have collected to reduce the attack radius.