Supply chain attacks
A supply chain attack is one where an attacker gains access to an organisation by compromising part of its supply chain, such as a partner organisation or a software provider. These attacks have been increasing in recent years and are an important topic in security.
In 2020, we saw a massive supply chain attack occur when software provider Solarwinds was compromised, leading to numerous attacks on their customers. The attack will without doubt be considered a watershed moment in cyber security — for being the largest supply-chain breach of all time and also the moment that 3rd party cyber risk became front of mind for security professionals globally.
Solarwinds software is used by tens of thousands of organisations around the world, including governments, with Solarwinds Orion representing one of their leading products. In December 2020, it became known that malicious attackers had compromised the software build process of Orion and had implanted a backdoor in a legitimate DLL file earlier in the year. When Solarwinds pushed out their latest software, this backdoor was then distributed to Solarwinds customers globally in March 2020 as part of this seemingly normal software update.
This then allowed the hackers to gain access to the network of any company that had downloaded the software update — most likely sensitive parts of these companies’ networks too. The attackers, now believed to be a nation-state sponsored group originating from Russia, are believed to have first tested code in September 2019. This demonstrates the long-term and highly strategic nature of the attack and shows a very high level of sophistication in being able to remain undetected for so long. For more detail, you can read Microsoft’s article on how the attack started.
It also transpires that the hackers had a targeted list of organisations that they wanted to access (e.g. US Government departments), allowing them to silently steal data and undertake other malicious activity. The attackers were able to cherry-pick targets before human-operated ‘hands-on-keyboard’ attacks took place from May. In June 2020, the backdoor was removed, although the hands-on-keyboard attacks continued. The hackers seemingly removed the backdoor to cover their tracks, although later in the year the breach became public (in December 2020) when compromised security company FireEye noticed they had been breached via Solarwinds. Forensic investigations are ongoing and the full extent of the attack may never be understood.
Quite simply, this was a supply chain attack on a level that the world has never seen before. Many companies may have been breached that don’t even know it yet. The attackers were able to compromise organisations for months on end whilst remaining undetected. What is certain is that supply chain attacks will now garner significantly more attention for both defenders and attackers. The Solarwinds attack has demonstrated how organisations can be compromised when they don’t even use the compromised product, due to the massive web of interconnectivity that is a global supply chain. No doubt we’ll see more vendor audits etc. in the coming years, but there are significant limitations to such processes. No one would have expected Solarwinds to be breached like that — until it happened.
Phishing and business email compromise
It’s no surprise that Covid-19 related attacks spiked in March 2020 as restrictions and lockdowns took place around the world. Phishing played a big part in this. As people clamoured for new information about the virus, during the initial lack of scientific consensus around it, hackers used this opportunity for widespread phishing campaigns. This saw emails delivered asking for payments to fake charities, harvesting credentials and delivering malware. The Anti-Phishing Working Group (APWG) found that the number of phishing sites doubled in 2020, growing throughout the year.
According to Microsoft’s Digital Defense Report (FY2020), the main types of phishing that enterprises faced included: credential phishing, business email compromise and a mix of both.
Credential phishing is an extremely common technique. Phishing kits are widely available and easy to use, ensuring a low barrier to entry for entry-level hackers. These attacks usually involve an email which has been adapted to look as if it belongs to a well-known household brand. A link will typically divert the unsuspecting victim to a malicious webpage which captures the user’s credentials via a fake webform, or it might trigger malware automatically to steal credentials from the device or browser. Either way, the attackers can then use the compromised credentials to access the corporate network — allowing them to steal sensitive data or conduct further attacks throughout the organisation, such as spear phishing or ransomware.
Business email compromise on the other hand is a form of social engineering which targets businesses and specific people in roles within that business. This technique involves the attacker sending emails to their victim which will appear to come from someone the victim would usually trust and expect to receive communications from. For example, attackers might impersonate a specific individual (e.g. the company CEO) or spoof a company domain that the victim often engages with (e.g. a partner company that the victim often financially contracts with). If the attacker has gained access to the corporate network via compromised credentials, they may be able to use compromised mailboxes to send emails using a legitimate email address from the company — requesting some sort of financial action to be taken by the victim.
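The indicators described above (an impersonated executive, a spoofed or lookalike partner domain, and a request for money) can be checked mechanically at the mail gateway. The following is an added example, not code from the original article; the executive list, company domain, partner domains and the sample message are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data (assumptions for this example): our domain, the
# executives attackers like to impersonate, and partners finance routinely pays.
OUR_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
PARTNER_DOMAINS = {"acme-supplies.com"}
PAYMENT_WORDS = re.compile(r"\b(wire|invoice|bank details|payment|transfer)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains one character away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw_email):
    """Return the BEC warning signs found in one RFC 822 message."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    findings = []
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr != real:  # executive's display name, but not their mailbox
        findings.append(f"display-name impersonation: {name} <{addr}>")
    for trusted in PARTNER_DOMAINS | {OUR_DOMAIN}:  # lookalike of a trusted domain
        if domain != trusted and edit_distance(domain, trusted) == 1:
            findings.append(f"lookalike domain: {domain} ~ {trusted}")
    if reply_to and reply_to.rpartition("@")[2] != domain:  # thread quietly diverted
        findings.append(f"reply-to diverted: {reply_to}")
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    if PAYMENT_WORDS.search(text):  # BEC ends in a payment, so look for money talk
        findings.append("payment request")
    return findings

def is_likely_bec(raw_email):
    """Sender deception combined with a payment request is the pattern to escalate."""
    found = bec_indicators(raw_email)
    return "payment request" in found and len(found) > 1

# Constructed sample: the "CEO" mailing finance from a lookalike company domain.
SAMPLE = """From: Jane Doe <ceo.jane.doe@example-c0rp.com>
Reply-To: jane.doe@mail.example
To: finance@example-corp.com
Subject: Quick favour

I need you to make a wire transfer to a new supplier today; I am in meetings.
"""
```

A genuine partner invoice from its real domain only yields the "payment request" indicator, so it is not escalated by `is_likely_bec`.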
Ransomware
Ransomware continued to prove extremely popular with cyber criminals in 2020, largely due to its profitability for financially motivated attackers. UK-based ransomware attacks jumped by 80% in the last quarter of 2020 compared to the first half. In 2020, we saw a host of high profile breaches which involved ransomware deployment and it continues to be one of the most common types of attack. For example, the well-publicised attack on Australian logistics company Toll Group saw them suffer two separate ransomware attacks in only three months, which caused them issues far beyond the costly ‘contain and remediate’ stages of their response, including customer concerns and regulatory impacts.
Whilst many think of ransomware as simply being malware which infects and spreads across devices, encrypting the data and systems it touches like the infamous WannaCry ransomware did in 2017, human-operated ransomware is now a critical threat to organisations and growing in popularity. This type of threat involves cyber criminals gaining access to corporate networks via a variety of entry vectors, before moving laterally across the network using compromised high-privileged account credentials to access various systems. As the attackers move, they are able to deploy dormant ransomware (for activation and file encryption later) and also exfiltrate sensitive data. By stealing company data, the attackers can threaten to leak this data if the ransom isn’t paid – threatening further reputational damage and regulatory penalties, which provides another incentive for the victims to pay the ransom.
These techniques being used by financially motivated hacking groups are closer to the advanced techniques often used by state-sponsored groups. By also planting backdoors in the systems they attack, they leave behind vulnerabilities which they can exploit again in future attacks.
DDoS attacks
DDoS attacks involve cyber criminals directing a huge amount of web traffic at a specific website, overloading it to the point where the website is unusable for legitimate users of the business. The financial implications of not being able to transact online can be huge for many organisations. DDoS attacks reached record levels in 2020, increasing by over 20% from the previous year. The shift to ‘remote everything’ meant we found ourselves with a greater reliance on online services as well as greater volumes of internet traffic. This was significant for DDoS attacks, as the financial implications for businesses were often even greater.
DDoS attacks are also becoming more popular due to the rise of cryptocurrency as a form of payment. In the past, hackers often targeted sites for non-financial reasons, whereas now it’s becoming a very lucrative form of attack for financially-motivated cyber criminals. Attackers can simply contact a company and tell them that their website will be taken down unless they make a cryptocurrency payment to the attackers.
What we are also seeing is a continued rise in cheap Internet of Things (IoT) devices which aren’t properly secured or patched. Thousands of IoT devices are often compromised with malware and then connected to form a botnet, which provides a platform used to launch massive DDoS attacks. Until there’s more regulation of the IoT device industry, these attacks are likely to continue increasing.