Supply Chain Hacking 101
An educational piece about the supply chain attack
By Jesse Wilson, CISSP, @CyberWarior1775
To start, let’s talk about what the supply chain is in relation to Information Technology.
In this case, the supply chain refers to the coordination of order generation; order processing; order fulfillment via the distribution of products, services and/or information; manufacturing; and — if needed — warehousing of product(s).
For example, we at Structured facilitate and fulfill our customers’ IT orders and work with product manufacturers and distributors to ensure delivery of that hardware and software. So, we are a crucial part of the supply chain. We take our role as a solution provider seriously and go to great lengths to ensure our people, processes and technology are up to snuff.
Now, let’s look into what the typical IT supply chain looks like in a medium-sized company. We can accomplish this by simply listing an example of common technologies used today:
- Software – For operating systems, business impact analysis, HR, accounting, legal, etc.
- Devices and Infrastructure – Next-gen security products, switching/routing, servers, desktops, laptops, wireless systems, mobile devices, etc.
- IT and Business Services – IT helpdesk ticketing system, CRM, marketing platforms, etc.
- Emerging Tech – IoT, blockchain, etc.
- Unified Communications – VoIP, PBX, hosted systems, etc.
The list above is meant to paint a clearer picture of the elements in your supply chain. As you can see — even at a mid-size company — there can be a great deal of complexity and a lot of elements that defy tight control. (For deeper exploration, here is a great website dedicated to information about all things supply chain.)
Why do cybercriminals choose supply chain attack?
It’s one of the easiest points of entry. From a cybercriminal’s perspective, it is far easier to infect the supply chain with a root kit or nefarious software/firmware than it is to create a targeted attack against an individual or a specific company. A supply chain attack can hit hardware or software. For the latter, it’s usually delivered via an update package from a “trusted vendor.”
Cybercriminals often target a supply chain that is widely dispersed. Once the chain is infected, they can pull information from a large customer base and simply parse the information to gain insights on the best assets to exploit.
One of the most recent supply chain attacks via software was a very sophisticated strike against Asus’s Live Update Utility (discovered January 2019 but in the wild since 2018).
“We saw the updates come down from the Live Update ASUS server. They were trojanized, or malicious updates, and they were signed by ASUS,” said Liam O’Murchu, director of development for the Security Technology and Response group at Symantec.
Here is a great chart provided by NIST on Software Supply Chain Attacks
As for the supply chain hacking of hardware, this topic has a plethora of information; one of the biggest attacks of this kind in the past few years is detailed here.
To mitigate a supply chain attack:
- Be sure to use verification of distributed binaries through hash checking or other integrity checking mechanisms.
- Scan downloads for malicious signatures and test software/updates prior to deployment while taking note of any suspicious activity.
- Perform physical inspection of hardware to look for potential tampering.
- Do not use preconfigured utilities on PCs, laptops and/or servers; ‘write erase reload’ the system with a copy of the OS validated by a cybersecurity professional (some companies refer to this as a Gold Image).
- Use vendors that follow standards such as IEEE, ANSI, ISO or ITU.
Jesse Wilson, a senior security engineer with Structured and CISSP, possesses more than 15 years of experience in security and networking. His background includes security infrastructure design, network infrastructure design, troubleshooting, implementation, information security assessments and compliance auditing. He has designed and implemented access and security solutions for companies of all sizes; performed security assessments and penetration testing; and provided emergency troubleshooting services and support for companies experiencing a wide variety of computer-related problems.
He has special expertise with device security and management, data loss prevention (DLP), network access control, secure remote access and authentication, next-generation firewalls, security event and information management (SIEM), incident response, risk assessment, penetration testing, policy development and regulatory compliance.
Jesse’s preferred soundtracks for CTF activities are Danzig or Paul Van Dyke, and — in spare moments not contemplating weighty cybersecurity concepts — he daydreams about owning a blue Audi S6 Avant.