Cybereason Blog | Cybersecurity News and Analysis

Defending Against Supply Chain and Ransomware Attacks

Written by Anthony M. Freed | Sep 27, 2022 2:43:58 PM

“The level of damage associated with ransomware-based supply chain attacks has never been higher,” warned a recent article. These attacks are so disruptive because, as one consultancy firm revealed, the average company has 3,000 suppliers per $1 billion US in spend. That means when it comes to ransomware attacks, you’re considering the security of up to thousands of other networks besides your own. 

Is there a way to defend your organization against external attacks, regardless of the source? Or are we left chasing hundreds of vendors down for security audits before we sign on, slowing business and multiplying friction? The answer is yes – both are possible, but if you avail yourself of the right technology and policies, you won’t be worrying about anyone’s security but your own.

Ransomware Attacks and the Supply Chain

Attacks on organizations that originate from third-party partners and service providers are expected to rise in the coming years as attackers look for weak links in software supply chains in an effort to “attack one to attack all.” 

The European Union Agency for Cybersecurity (ENISA) reported that supply chain attacks were expected to increase by a factor of four in 2021, and the risk seems to be just as high, if not greater, today. 

Supply chain attacks are largely ransomware attacks that have simply hit higher up the food chain. The following ransomware risks will directly impact the vulnerability of upstream vendors: 

  • Increased hybrid work and sporting events multiply the number of opportunities to attack often less-than-secure networks, endpoints and users, from which attackers can pivot
  • Ongoing IT/OT convergence (especially in industries with legacy systems) brings its own host of stale firmware vulnerabilities and increasing weaponization of hardware-level exploits
  • Phishing remains a primary source of data breaches, which implies internal network access, and over 80% of companies reported phishing attacks last year alone

The above issues, coupled with the growth of complex RansomOps attacks and the ransomware economy, create a perfect storm for compromise within primary and supply chain vendors alike. 

Recent Supply Chain Attacks

Recently, we’ve seen the unfortunate aftermath of supply chain attacks in several high-profile cases. Perhaps the most interesting part is the use of RaaS (Ransomware-as-a-Service) in these multimillion-dollar supply chain ransom cases that brought some large organizations to their knees by attacking third parties. 

With supply chain attacks increasing, organizations with even a single vendor should consider their defenses and take heed of lessons to be learned from some recent, high-profile supply chain attacks.


  • SolarWinds: The SANS Institute describes the SolarWinds supply chain attack as “one of the most potentially damaging attacks we’ve seen in recent memory.” Nation-state attackers known as Nobelium breached the Texas-based software services provider and infiltrated their Orion offering by installing a malicious implant dubbed SUNBURST, a backdoor that would then deploy on the networks of Orion users. “The breadth of the hack is unprecedented and one of the largest, if not the largest, of its kind ever recorded [affecting] more than 30,000 public and private organizations.” Due to the advanced evasion techniques of the highly sophisticated, manual supply chain attack, forensics suggest that monitoring Indicators of Behavior (IOBs), with the right tooling, could have prevented what monitoring Indicators of Compromise (IOCs) alone could not. 
  • Apple/Quanta: A suspected nation-state attack from Russia, touted by the gang as the “largest attack ever,” allegedly stole “all local network data” from a US-based company, resulting in a $50 million ransom demand. Quanta, laptop manufacturer and business partner to Apple, was perhaps caught in the crossfire of a larger geopolitical debate. Following White House sanctions imposed on Russia, the attackers unleashed their attack during Apple’s Spring Loaded event. While awaiting the ransom payment, the attackers leaked several proprietary blueprints for Apple devices. According to Sam Curry, CSO, Cybereason, “the shocking Apple cyberattack is a reminder that ransomware sits at the forefront of a new cyberwar that nation-states are waging on western corporations and government agencies... Either REvil is benefitting indirectly from pariah policies related to cybercrime in Russia or is directly taking orders from a government sending a message around the world to Washington. Either way, this is one to watch as only the ongoing story unfolds.”

XDR for Supply Chain and Ransomware Attack Prevention

It’s possible for organizations to defend themselves at each stage of a supply chain or ransomware attack. The primary target (the supplier), for instance, can use an XDR solution to detect the initial delivery stage by blocking suspicious emails that carry malicious links or documents with malicious macros, which gives security teams the opportunity to detect files that attempt to create new registry values and to spot suspicious activity on endpoint devices. 

When the attackers attempt to establish command and control, security teams can block outbound connection attempts to known malicious infrastructure. They can then use XDR to correlate threat indicators to tie account compromise and credential access attempts to familiar attack campaigns, investigate network mapping and discovery attempts launched from unexpected accounts and devices, and more.

Defenders can also leverage an AI-driven XDR solution to flag resources that are attempting to gain access to other network resources with which they don’t normally interact, and discover attempts to exfiltrate data as well as encrypt files. Remember, the actual ransomware payload is the tail end of a RansomOps attack, and there are weeks or even months worth of detectable activity prior where an attack can be arrested before there is serious impact to the targeted organization.

For client organizations that may be impacted by a supply chain attack on one of their suppliers, an AI-driven XDR solution can detect and block the attack even when the malicious payload appears to be part of a legitimate software update signed by a valid digital certificate, as we saw in the SolarWinds attacks. 

It can do this because it does not inherently rely on trusting other software on the network, and does not depend upon “trusting” what the system identifies as “legitimate” files or processes. If the behavior of those files or processes is statistically rare or inherently suspicious, especially when correlated with other activity of potentially high value to an attacker, an XDR solution can detect the malicious behavior irrespective of the trusted status of the software.
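The detection idea the preceding sections describe (baseline what each process on each host normally does, flag statistically rare behavior such as a new outbound destination or a new registry value, correlate it with other high-value activity, and never let a valid signature suppress the alert) can be shown with a small behavioral detector. The following is an added example written for this article and is not Cybereason code; the event schema, the `HIGH_VALUE` action set, the hostnames, the 203.0.113.7 address (a documentation range) and all telemetry lines are constructed for illustration, and real XDR telemetry is far richer than this.

```python
"""Behavior-based detection over constructed endpoint telemetry (added example, not Cybereason code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # seconds (constructed timestamps)
    host: str
    process: str
    signed: bool   # whether the binary carries a valid code signature
    action: str    # "net_connect", "reg_set", "cred_access", "file_encrypt" (assumed vocabulary)
    target: str    # destination host, registry path, file path, ...


# Actions an attacker values highly; one of these plus a novel network contact is treated as correlated.
HIGH_VALUE = {"reg_set", "cred_access", "file_encrypt"}

# Constructed learning-window telemetry: what each (host, process) normally does.
BASELINE = [
    Event(1, "ws01", "updater.exe", True, "net_connect", "updates.vendor.example"),
    Event(2, "ws01", "outlook.exe", True, "net_connect", "mail.corp.example"),
    Event(3, "ws02", "updater.exe", True, "net_connect", "updates.vendor.example"),
    Event(4, "ws02", "tool.exe", False, "net_connect", "intranet.corp.example"),
]

# Constructed observation telemetry: a signed updater starts talking to a new address and persists via the registry.
OBSERVED = [
    Event(1000, "ws01", "updater.exe", True, "net_connect", "updates.vendor.example"),
    Event(1005, "ws01", "updater.exe", True, "net_connect", "203.0.113.7"),
    Event(1010, "ws01", "updater.exe", True, "reg_set",
          "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"),
    Event(1020, "ws01", "updater.exe", True, "cred_access", "lsass.exe"),
    Event(1100, "ws02", "tool.exe", False, "net_connect", "intranet.corp.example"),
    Event(1200, "ws02", "updater.exe", True, "net_connect", "cdn.vendor.example"),
]


def build_baseline(events):
    """Map (host, process) -> set of (action, target) pairs seen during the learning window."""
    profile = defaultdict(set)
    for e in events:
        profile[(e.host, e.process)].add((e.action, e.target))
    return profile


def is_novel(e, profile):
    """True when this (host, process) has never been seen performing (action, target)."""
    return (e.action, e.target) not in profile.get((e.host, e.process), set())


def detect(events, profile, window=600):
    """Return one alert per (host, process) whose novel events, inside `window` seconds,
    combine a new network contact with at least one high-value action.
    The `signed` flag is deliberately never consulted: trust status does not suppress detection."""
    alerts = []
    recent = defaultdict(list)   # (host, process) -> novel events still inside the window
    alerted = set()
    for e in sorted(events, key=lambda x: x.ts):
        if not is_novel(e, profile):
            continue                                  # behavior matches the baseline; ignore
        key = (e.host, e.process)
        recent[key] = [x for x in recent[key] + [e] if e.ts - x.ts <= window]
        bucket = recent[key]
        has_net = any(x.action == "net_connect" for x in bucket)
        has_high_value = any(x.action in HIGH_VALUE for x in bucket)
        if has_net and has_high_value and key not in alerted:
            alerted.add(key)
            alerts.append({
                "host": e.host,
                "process": e.process,
                "signed": e.signed,
                "reasons": [f"{x.action} -> {x.target}" for x in bucket],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(OBSERVED, build_baseline(BASELINE)):
        print(alert)
```

Running it produces a single alert for `updater.exe` on `ws01`, a validly signed binary, because its new outbound destination was followed within the window by a new Run-key write; the unsigned `tool.exe` on `ws02` raises nothing because it only did what its baseline says it does, and the lone new CDN contact on `ws02` is recorded but not alerted on until it correlates with something else. The correlation requirement is the design trade-off: it keeps a single unfamiliar connection from paging an analyst, at the cost of needing a second signal before the alert fires.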

As Curry states, “With great power comes great responsibility, and it’s time for everyone to ask not just the fashionable ‘how could my supply chain be used against me?’ but also ‘how could I be used against those I supply?’”

Whatever the answers to these questions, the attacks behind them can be stopped by using AI-driven XDR technology that lets you monitor, detect and squash early signs of a supply chain and/or ransomware attack in your environment – keeping you and those connected to you secure.


Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere - including modern RansomOps attacks. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.