- Dvir Sayag, Cyber Research Content Lead
- September 6, 2021
As can be seen in the number of headlines in recent months around the topic, the threat of supply chain attacks is on the rise, with the number of attacks spiking and the consequences of those being devastating in many cases due to their magnitude.
More than a simple perception derived by what we read in the media, according to research by the Identity Theft Resource Center (ITRC), supply chain attacks are indeed steadily increasing: there were 42% more supply chain attacks in the first quarter of 2021 compared to the prior quarter, affecting more than 7 million people.
Probably the two clearest examples we have of recent attacks are the infamous SolarWinds breach the past month of December of 2020, where about 18,000 customers were affected after attackers exploited a vulnerability in the SolarWinds’ IT management software Orion; and the second one which took place in July this year when the REvil APT group exploited a vulnerability in Kaseya - an IT solutions development company - VSA software. During this campaign hundreds of Kaseya’s customers were infected worldwide, with a special impact in the US.
In our quest to learn more about supply chain attacks and whether organizations can actually do anything to deal with them before the damage is done, we recently hosted Amit Serper, VP Security Research North America at Guardicore, and Shahar Vaknin, Threat Researcher at Hunters, at our “Hands-On Security” podcast. Throughout this blog post we share some of the key insights and recommendations we gathered from our conversation with them.
The Impact of Supply Chain Attacks
To be able to understand the impact that supply chain attacks can have, we first need to understand how they work. A supply chain attack is a type of attack where a highly trusted software in the organization, for example, Kaseya or SolarWinds, gets breached typically leveraging the weaker links in the chain, and used to get access to its users further down the chain. In the Kaseya example, attackers used their program to control the installation of software or update packages or patches as a bridge into the organization to deploy ransomware.
To answer the question of the impact of supply chain attacks in simple terms, just like any other cyber attack, supply chain attacks significantly disrupt the business continuity of the organization that gets breached. But maybe, more importantly, it allows breaching as many organizations as the ‘originally’ breached company counts in its user base, with the aggravating fact that they are extremely difficult to detect in most cases since no matter how good an organization's defenses are, the attackers seek to infiltrate their suppliers through the weakest link in the supply chain.
Adopting the Correct Strategy
Dealing with supply chain attacks, naturally, is challenging because we could basically claim these are an ‘insider’ type of threat: no matter how good the victim’s defenses are, the attackers will get to them by leveraging the suppliers in their supply chain, which may not be as secure as the target organization.
In the face of despair, though, there are ways that organizations can minimize the damage generated by these attacks and strategies to detect them fast enough to avoid major losses.
1. Restrictions and Segmentations: Zero-Trust Approach
In many cases, third-party management software has few network restrictions and may access unneeded assets. Our advice is to have restrictions in place to limit access to assets that are irrelevant to their activity.
In Kaseya’s case, there is an external-facing server that is used mostly for IT administrators to connect from the Internet and make internal network changes. However, it also makes it vulnerable for external attackers to be able to pivot from these external-facing servers to the internal network. The recommendation here would be to restrict the access to and from this server to the internal network, by using a VPN so the access to this server would be available only from the VPN IP. From this server to the internal network, we recommend allowing connection only by necessary ports needed for communicating with the agent.
While it may sound obvious, it’s important to reinforce the need to build secure networks by design: the different machines in the network need to have the accesses and restrictions in place to only reach the machines they need to in order to perform their activity. For example, there is no reason for the Community Manager's machine to be able to connect via RDP to the domain controller. These kinds of mistakes might have serious consequences in the case of a breach.
2. Detection and Response Tools: Traffic Inspection
Every organization should be able to inspect the network traffic and be alerted that a breach is occurring. The ability to investigate logs, anomalies, known IOCs and TTPs, and have concluding insights will be life-saving when breaches like the Kaseya supply chain attack take place.
There are a variety of tools that provide that ability. As we mentioned before, because supply chain attacks are like an insider threat, the attacker starts from an advanced point in the cyber kill chain, that was already accessed by them in the organization and probably has a way to execute code and operate in high privileges. This is why the most important thing is to react quickly.
When using the right detection and response tool, the security team will be able to quickly understand where the threat is coming from and shut it down immediately.
Patching will resonate as the classic advice from any security practitioner, and as such, we cannot ignore it. Having the right strategy in place to continuously patch the IT environment will be crucial to avoid the exploitation of known vulnerabilities in a timely manner.
The focus should be on patching the external-facing servers which are more vulnerable to attacks; operating systems; and third-party vendor software. Our recommendation is to have an overview report on the key assets’ patching status (we bet you’ll be surprised to see how many vulnerable assets are unpatched!).
Another important advice is using either Microsoft Group Policy in the Windows environment and an equivalent for Mac (such as Jamf) to align and control a patching deployment strategy and policy. A timely enforcement policy for patching employees’ computers should be a mandatory requirement too, as an unpatched system can be the source of critical security issues.
Hunting Thesis - Prevent the Next Supply Chain Attack
Every organization has security gaps that can be exploited by attackers. Our key suggestion is not to wait for the next attack to happen, but rather to be proactive and work on closing those gaps as much as possible. To help with that, we present here two theses that will look for network posture and visibility gaps that will help prevent the next attack.1. Kerberoasting
Let's use as an example a known attack called Kerberoasting, where an attacker asks for a Kerberos ticket and then cracks it, allowing them to get the hash in case that the encryption of the ticket is weak. Many organizations still have those old encryptions, from 10-15 years ago, that were published when Windows 2003 was introduced. These legacy configurations are gold for attackers looking to execute this kind of attack.
We recommend using EDR logs and event logs to identify old encryptions, by placing the right filters. That can be done by filtering for event ID 4769 and then looking for the ticket encryption type. Once able to filter for cases where Kerberos is being used with weak encryption, the services that are vulnerable to the next attacker exploit will surface.
2. Old Operating Systems and Protocols
While Microsoft is great with supporting legacy OS, this might be a security nightmare too. There is always the old Windows XP machine or even Windows 2000 machine in a network that no one is familiar with. But having these machines on the network requires a lot of legacy protocols to still be accepted, like LM and NTLM.
There is the known phrase that “a Windows network is only as secure as its oldest computer running the oldest version of Windows”; an attacker only needs one breach to infiltrate an entire network. In order to deal with this, we first recommend having a visibility report on all the operating systems in the network. Having that will allow understanding where an upgrade is needed and where upgrades are not possible, decide on what other security measures can be taken.
Secondly, ensuring that the authentication protocols that are in place in the network are all up to date too.
In this blog post we have covered three different tips and actions to take to proactively defend the organization from supply chain attacks, in general, and specifically from the latest Kaseya supply chain attack. Our advice is to implement proper restrictions in the network, having the right detection and response tools, and adopting the right patching strategy.
Moreover, in order to stop attackers when trying to compromise the organization, adopting the right hunting theses will help with closing existing gaps. Stay tuned for an upcoming Hunting blog series from Hunters’ Team Axon.