Monday, 04 November 2019 16:04

Supply chain attacks becoming more commonplace: claim

Sophos principal research scientist Chester Wisniewski

Improvements in patching hygiene have led criminals to divert their attention away from browsers and turn instead to supply chain weaknesses, according to a security vendor.

When people talk about supply chain security, "our mind always goes to the spy story," but the "James Bond worthy" claim by Bloomberg – that malicious chips had been fitted to Supermicro motherboards* supplied to US companies and government agencies – is "a distraction," Sophos principal research scientist Chester Wisniewski told iTWire.

There are many types of supply chain attacks that are really happening, he said, and they all prey on organisations' inherent trust of their suppliers.

For example, 22 municipalities in Texas were hit in one night by ransomware via a service provider they all used, and a similar thing happened to more than 400 dental practices in the US.

If an attacker successfully phishes just one employee at a service provider, that can put all of the company's clients at risk.

Another opportunity for attackers is opened up through bespoke software development and deployment.

Pre-built Docker containers are widely reused, for instance when setting up web servers. "We have blind faith in these containers [and associated software]," Wisniewski said, so criminals are booby-trapping them.

Similarly, extensive use is made of certain open source libraries, giving attackers another route for covertly introducing malicious code into otherwise legitimate applications.

"This has always been a problem with open source," he said.

The trick, Wisniewski suggested, is for an attacker to identify a library that isn't being actively maintained.

In one case, he said, an attacker spotted two inactive libraries within the very popular Node.js JavaScript runtime, and successfully volunteered to take them over. According to reports, bitcoin-stealing code was added to one library, and went undetected for two months.

Such libraries do not need to be very widely used in order to be a worthwhile target: an "audience" of 10,000 users is sufficiently attractive, he said.

That's just two types of supply chain attack. But what steps can organisations take to protect themselves?

Phishing attacks can be effectively neutralised by using two-factor authentication (phishing-resistant methods such as hardware security keys are the strongest option, since one-time codes can still be relayed by a real-time phishing proxy), so it makes sense to ensure that your service providers are using 2FA.

The code and container problem isn't so easy to deal with.

Sophos uses a lot of outside libraries, Wisniewski said, and has adopted a two-step strategy to minimise the associated risks.

Firstly, it carries out a code audit before adopting a new version of a library. That's not a simple task, but should be within the capabilities of developers who use that library.

Secondly, it only adopts new versions that address specific, relevant vulnerabilities. Criminals generally promote feature updates rather than security updates, he observed.

This significantly reduces the number of audits required. If you only take two updates a year, you can afford the time required, he suggested.
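The pre-adoption audit in the two steps above is a manual exercise, but a diff triage can point the auditor at the riskiest added lines first. The following is an added example, not Sophos' tooling or any code from this article: it diffs two constructed versions of a toy JavaScript utility module and flags newly added lines that use dynamic code execution, process spawning, network access, base64 or hex decoding, or long opaque string literals. The module contents, the pattern list and the function name `triage_update` are assumptions for illustration.

```python
"""Triage the diff between two versions of a dependency before adopting it.

Added example (not Sophos' tooling): flag newly added lines that use
constructs which rarely belong in a feature update to a small utility library,
so the human audit starts with the riskiest hunks. Both versions below are
constructed toy modules, not a real package.
"""
import difflib
import re

# Constructed pattern list; tune per ecosystem. Order determines report order.
RISKY_PATTERNS = {
    "dynamic code execution": re.compile(r"\b(eval|Function)\s*\("),
    "process spawning": re.compile(r"child_process|\bexecSync?\s*\(|\bspawn\s*\("),
    "network access": re.compile(r"require\(['\"](https?|net|dgram)['\"]\)|\bfetch\s*\("),
    "obfuscated payload": re.compile(r"[A-Za-z0-9+/=]{40,}"),
    "hex/base64 decoding": re.compile(r"Buffer\.from\([^)]*['\"](hex|base64)['\"]\)|\batob\s*\("),
    "credential/wallet access": re.compile(r"(?i)wallet|private.?key|\.ssh|authorized_keys"),
}

# Constructed "current" version of a dependency (toy module).
OLD_VERSION = """\
function flatMap(arr, fn) {
  return arr.reduce((acc, x) => acc.concat(fn(x)), []);
}
module.exports = flatMap;
"""

# Constructed "new release": the feature change is a decoy around a decoded eval.
NEW_VERSION = """\
function flatMap(arr, fn) {
  return arr.reduce((acc, x) => acc.concat(fn(x)), []);
}
// "performance improvement" added in the new release
var data = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5eg==";
var payload = Buffer.from(data, "base64").toString();
eval(payload);
module.exports = flatMap;
"""


def triage_update(old_src, new_src):
    """Return (new_line_no, label, line) for every added line matching a risky pattern."""
    findings = []
    # n=0: no context lines, so only headers and +/- lines are emitted.
    diff = difflib.unified_diff(old_src.splitlines(), new_src.splitlines(), lineterm="", n=0)
    new_line_no = 0
    for line in diff:
        if line.startswith("+++") or line.startswith("---"):
            continue
        if line.startswith("@@"):
            # Hunk header "@@ -a,b +c,d @@": c is the first new-file line of the hunk.
            new_line_no = int(re.search(r"\+(\d+)", line).group(1))
            continue
        if line.startswith("+"):
            text = line[1:]
            for label, pattern in RISKY_PATTERNS.items():
                if pattern.search(text):
                    findings.append((new_line_no, label, text.strip()))
            new_line_no += 1
        elif line.startswith(" "):
            new_line_no += 1
        # deleted lines ("-") do not advance the new-file line counter
    return findings


if __name__ == "__main__":
    for line_no, label, text in triage_update(OLD_VERSION, NEW_VERSION):
        print(f"line {line_no}: {label}: {text}")
```

A clean report does not mean the update is safe; it only orders the manual review. In practice the two inputs would be the unpacked registry tarballs of the pinned and candidate versions, not the repository source, since published artifacts can differ from what is on GitHub.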

In the wake of the long-standing Heartbleed flaw in OpenSSL, some big companies invested in auditing the most commonly used libraries and packages, so criminals now pick smaller targets, where their changes are less likely to be noticed, according to Wisniewski.

When it comes to containers, you could build your own in the time it takes to audit the contents of a prefabricated container, so that is his recommended approach.

In one case, there was nothing wrong with a malicious container apart from the fact that a criminal had installed their own SSH key, allowing them to log into any instance of that container.
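The implanted SSH key described above is exactly the kind of change that an image audit can catch mechanically. The following is an added example, not code from this article or from Sophos: it builds a constructed `docker save`-style tarball in memory (one uncompressed layer adding an nginx config and a root `authorized_keys` file) and then scans every layer listed in `manifest.json` for injected SSH keys or an `sshd_config` enabling root login. The `docker save` layout (a top-level `manifest.json` whose `Layers` entries name per-layer tars) is the real format; the sample image contents, the key material and the function names are assumptions for illustration.

```python
"""Scan a `docker save` tarball for login backdoors hidden in image layers.

Added example (not from the article or Sophos). Assumes the classic
`docker save` layout: top-level manifest.json listing uncompressed layer tars.
The sample image built below is constructed in memory for illustration.
"""
import io
import json
import re
import tarfile


def _add_bytes(tar, name, data):
    """Append a regular file with the given content to an open tar archive."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_sample_image():
    """Constructed docker-save style image: one layer adds a root authorized_keys."""
    layer = io.BytesIO()
    with tarfile.open(fileobj=layer, mode="w") as lt:
        _add_bytes(lt, "etc/nginx/nginx.conf", b"worker_processes 1;\n")
        # The "backdoor": an attacker-controlled public key (constructed sample value).
        _add_bytes(lt, "root/.ssh/authorized_keys",
                   b"ssh-ed25519 AAAAexamplekey attacker@example.test\n")
    image = io.BytesIO()
    with tarfile.open(fileobj=image, mode="w") as it:
        manifest = [{"Config": "cfg.json", "RepoTags": ["example/web:latest"],
                     "Layers": ["abc/layer.tar"]}]
        _add_bytes(it, "manifest.json", json.dumps(manifest).encode())
        _add_bytes(it, "abc/layer.tar", layer.getvalue())
    return image.getvalue()


def _normalise(name):
    """Strip the './' or '/' prefixes tar entries sometimes carry."""
    if name.startswith("./"):
        name = name[2:]
    return name.lstrip("/")


def scan_image(image_bytes):
    """Return (layer, path, detail) for every layer entry that looks like a login backdoor."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as img:
        manifest = json.load(img.extractfile("manifest.json"))
        for entry in manifest:
            for layer_name in entry["Layers"]:
                layer_bytes = img.extractfile(layer_name).read()
                with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                    for member in layer.getmembers():
                        if not member.isfile():
                            continue
                        path = _normalise(member.name)
                        content = layer.extractfile(member).read().decode("utf-8", "replace")
                        if path.endswith(".ssh/authorized_keys"):
                            # Any key baked into an image logs in to every container run from it.
                            for line in content.splitlines():
                                if line.strip() and not line.startswith("#"):
                                    findings.append((layer_name, path, line.strip()))
                        elif path == "etc/ssh/sshd_config":
                            if re.search(r"(?m)^\s*PermitRootLogin\s+yes\b", content):
                                findings.append((layer_name, path, "PermitRootLogin yes"))
    return findings


if __name__ == "__main__":
    for layer_name, path, detail in scan_image(build_sample_image()):
        print(f"{layer_name}: {path}: {detail}")
```

Run this against the output of `docker save image:tag -o image.tar` for a third-party image before it goes anywhere near production. Compressed or OCI-layout archives would need the layer lookup adjusted, and an image that launches sshd at all is a finding in its own right for most web-server containers.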

"It's a difficult challenge," he said.

While there are some centralised distribution points (eg, Docker Hub for containers and GitHub for open source projects), large organisations seem reluctant to reveal whether any particular version has passed their audit process, possibly fearing reputational loss if someone discovers an issue they overlooked.

However, cloud services such as AWS and Azure are heavily audited and employ some of the best security people in the world, so it makes sense to use their libraries and containers, Wisniewski suggested.

He drew a parallel with the way some of the major app stores vet software before releasing it: "we know they're not perfect... but they're pretty darned good."

Another advantage of app stores is that they provide a central point where a piece of software found to be malicious can be 'recalled'.

Improved patching habits mean that browser exploits, once involved in around 80% of attacks, now feature in approximately 10%, so criminals are turning to other approaches.

"Most of us are hit by opportunistic attacks" rather than being specifically identified, he said, so making sure you're not an easy target substantially reduces the chance of being affected.

It's the old story: if your doors are locked and your neighbours' aren't, you're less likely to be burgled even though locks don't provide 100% protection.

Similarly, countermeasures against supply chain exploits generally aim to increase criminals' cost of doing business by eliminating or at least greatly reducing the number of easy targets.


* Although the Bloomberg claim has been widely discredited, last month a security researcher revealed a proof of concept that showed how less than US$200 worth of equipment could be used to fit a US$2 chip to a Cisco firewall in order to take remote control of the device.




Stephen Withers


Stephen Withers is one of Australia's most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.


