Using Our Tools Against Us: Adversaries Continue To Abuse Trust In The Supply Chain
I believe that GLaDOS (the evil AI from the Portal video game franchise) may have been trying to make a point about the state of security with her song “Still Alive.” The fictional, artificially super intelligent computer system from Portal once sang, “But there’s no sense crying over every mistake. You just keep on trying ’til you run out of cake.” I’m pretty sure she was describing how we continue to be our own worst enemies by inherently trusting our supply chain until there’s nothing left to destroy.
We trust so much in our organizations — systems, partners, and vendors — for deploying software, monitoring network performance, patching (both systems and software), procuring software/hardware, and performing so many other tasks. A recent ransomware attack used one such system to successfully target thousands of victim companies.
In this most recent example, attackers targeted Kaseya VSA IT Management Software, which was designed to allow IT admins to monitor systems, automate mundane tasks, deploy software, and patch systems. Attackers were able to exploit a zero day to access customer instances of the product and use its native functionality to deploy ransomware to those customers endpoints.
Further compounding the problem, managed service providers (MSPs) use Kaseya software to manage their customer environments. When the attackers compromised Kaseya, the MSPs inadvertently and unknowingly spread the ransomware to their customers.
This is only one example of how attackers continue to abuse trust in unique ways that leaves many security and IT practitioners to wonder, “Why didn’t something like this happen sooner?”
Attackers Are Getting Bolder
Ransomware group REvil continues to get even bolder. Make no mistake, an attack like we saw against Kaseya was prescriptive and purposeful to inflict the maximum amount of damage to the most amount of targets. Immediately after the attack, they bragged about infecting more than a million devices and set a ransom demand of $70 million. If one organization paid, they promised that the decryptor would work across all organizations that were affected.
This shines a light on a troubling trend we’re seeing, where attack targets are shifting from individual organizations to exploiting platforms, like Kaseya or SolarWinds, that allow for multiple organizations to be affected. Attackers continue to research the tools we all rely on to find ways to abuse the native functionality to effectively execute an attack. This latest attack abused an old copy of Microsoft Defender that allowed sideloading of other files.
Software Is Vulnerable All The Way Down The Chain
“Let’s be honest. Neither one of us knows what that thing does. Just put it in the corner, and I’ll deal with it later.” — GLaDOS
All the tools that organizations rely on — such as tax software, oil pipeline sensors, collaboration platforms, and even security agents — are built on top of the same vulnerable code, platforms, and software libraries that your vulnerability management team is screaming from the hills to patch or update immediately.
Organizations need to both hold their supply chain partners, vendors, and others accountable for addressing the vulnerabilities in the software that they’ve built on top of this house of cards as well as understand the exposure they have by deploying said software within their environments.
Run Faster Than The Next Guy; Take Defensive Steps Now
In our blog, Ransomware: Survive By Outrunning The Guy Next To You, Allie Mellen and I discuss protecting against ransomware by hardening systems to make your organization a hard target. Supply chain attacks bypass defenses by exploiting your trust in systems. To protect against them, you have to scrutinize the inherent trust you’ve placed on your supply chain.
To start, organizations should take an inventory of the critical partners that have a large foothold within their environment, such as the vendors used for collaboration/email, MSPs that manage and monitor infrastructure, or security providers that may have an agent deployed to every system. After compiling your list, you should:
- Ask those partners what they’re doing to prevent you from being the next victim of a destructive attack. Ask about the gating process for pushing updates to your environment. How do they QA updates before they’re pushed? Ask solution providers how they secure their code, and assess that code for vulnerabilities.
- Find out if they have the appropriate processes and architecture in place to prevent the type of lateral movement we saw with the latest attack. Ask how they secure their own environments, especially their update servers. Ask to see audit or assessment results from third-party assessors.
- Review your service agreements to find out what contractual responsibility those partners have to keep you safe from ransomware and malware. Understand what rights you have to demand compensation, if you are the victim of an attack due to a service provider’s systems being used as a delivery vehicle.
Forrester covered third-party risk in our top recommendations for this year. Organizations should take aggressive steps to implement some of the prescriptive ransomware advice we’ve blogged about before as well as take a look at some of the additional ransomware resources we’ve collected to limit the blast radius of an attack.
If Forrester clients have any questions on anything covered here, please reach out to schedule an inquiry with us.