IMPERSONATION RISK
THE RISKY BUSINESS OF SUPPLY CHAIN THREATS
Director, Product Marketing, Proofpoint
By leveraging compromised supplier accounts to steal user credentials, send malware, and scam organizations with business email compromise (BEC) attacks, threat actors have turned the supply chain and partner ecosystem into the newest threat vector.
According to the 2023 FBI Internet Crime Report(1), business email compromise (BEC) attacks were a top concern, costing over $2.9 billion.
TechCrunch reports(2) that the largest supply chain compromise in 2023 cost the impacted businesses more than $9.9 billion. That incident had a direct impact on more than 1,000 businesses and over 60 million people.
So, what can you do to protect your people from supply chain attacks?
Let’s analyze the latest trends in the threat landscape and shine a light on these techniques.
Supply chain threats are among the most common and costly forms of BEC attack. Not only do four out of five businesses experience this type of attack every month, but it is also the initiating factor in around one-fifth of ransomware incidents.
While compromising supplier accounts can be a complex business in some cases, in others, it requires very little skill on behalf of the threat actor. One of the easiest methods involves spoofing legitimate supplier domains to target people in your organization. This requires no credentials or account access, but it is much easier to thwart with simple controls and procedures such as the implementation of DMARC policy checks and reviews of domain age.
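The two simple controls named above, a DMARC policy check and a domain-age review, applied to constructed inbound messages as an added example (this is illustrative code, not Proofpoint's product logic). The DMARC TXT records and registration dates are constructed sample data standing in for the DNS and WHOIS lookups a gateway would perform.

```python
from datetime import date

# Constructed stand-ins for the DNS TXT (_dmarc.<domain>) and WHOIS lookups a
# gateway would perform; these are sample values, not live data.
DMARC_RECORDS = {
    "supplier.example": "v=DMARC1; p=reject; adkim=s; aspf=r",
    "newvendor.example": "v=DMARC1; p=none",
}
REGISTERED = {"supplier.example": date(2009, 3, 14), "newvendor.example": date(2024, 5, 2)}


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; adkim=s' into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def aligned(identifier, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') compares the last two labels (assumed org domain)."""
    if mode == "s":
        return identifier == from_domain
    return identifier.split(".")[-2:] == from_domain.split(".")[-2:]


def dmarc_verdict(from_domain, spf_domain, dkim_domain):
    """spf_domain/dkim_domain: domains that passed SPF/DKIM (None if not). Returns 'pass', 'no-record' or p=."""
    txt = DMARC_RECORDS.get(from_domain)
    if txt is None:
        return "no-record"
    tags = parse_dmarc(txt)
    spf_ok = spf_domain is not None and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")


def assess(from_domain, spf_domain, dkim_domain, today=date(2024, 6, 1), min_age_days=90):
    """Combine the DMARC check with a domain-age review; returns (verdict, flags)."""
    verdict = dmarc_verdict(from_domain, spf_domain, dkim_domain)
    flags = []
    if verdict in ("quarantine", "reject"):
        flags.append("dmarc-" + verdict)
    elif verdict in ("none", "no-record"):
        flags.append("dmarc-unenforced")
    registered = REGISTERED.get(from_domain)
    if registered is None or (today - registered).days < min_age_days:
        flags.append("young-domain")
    return verdict, flags
```

A message claiming to be from supplier.example but authenticated only for an unrelated sending domain gets the supplier's p=reject disposition, while a lookalike domain with no record and a recent registration is flagged on both counts.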
At the other end of the scale, cybercriminals can compromise legitimate accounts and insert themselves into email flows unnoticed.
Once in communication, they use their perceived authenticity to pass on malicious payloads, make fraudulent requests for payment, or gather intel to compromise more accounts and/or escalate their own privileges.
The differing tactics and level of access required to launch a supply chain attack means a single tool or control is not enough to keep them at bay. Instead, organizations require a defense-in-depth security approach in order to defend across the entire attack chain to spot threats wherever they originate.
The more we understand supply chain attacks, the better we are equipped to detect and prevent them before they harm organizations. And there is no better way to learn than by examining real-world examples. Unfortunately, there are many for us to cast our eyes over.
In 2022, one of the world's leading semiconductor manufacturers suffered a ransomware attack at the hands of a compromised supplier. It is believed that the supplier in question suffered its own ransomware attack in the months prior, likely attributable to a global campaign against vulnerable, unpatched VMware ESXi servers.
Whatever the source, the consequences were significant, interrupting order processing and shipping – and costing the company $250 million.
Such is the potential payload of a supply chain attack, be it financial gain or widespread disruption, that it has caught the eye of nation-state threat actors.
In what's thought to be a first of its kind, a VoIP provider recently suffered a supply chain attack that launched malware to thousands of its customers.
What makes this attack different is that an employee of the VoIP provider installed a malware software package distributed via an earlier supply chain compromise that began with another vendor.
The perpetrators, believed to be the North Korea-backed Kimsuky, effectively used one supply chain attack to carry out a second, much larger one – a supply chain to supply chain reaction.
Finally, an unfortunate example of the far-reaching consequences of supply chain attacks comes from Progress, which suffered a mass exploit of a zero-day vulnerability in its MOVEit file-transfer software.
As MOVEit is used by thousands of organizations around the world, the attack is estimated to have exposed the data of at least 62 million people. This supply chain attack has directly impacted thousands of organizations worldwide, including major airlines, oil companies, and government agencies. While the full consequences of the incident are unlikely to be known for years to come, estimated losses are already predicted to be in the region of $10 billion.
Typically, supply chain attacks have three distinct phases. The first involves brute force: during the initial compromise, threat actors target organizations, usually with packaged attacks or tools, to obtain usernames and passwords.
They are not necessarily impersonating anyone at this stage, but they will be targeting users with phishing emails or malicious links and attachments containing key loggers to harvest credentials.
Next comes reconnaissance. With credentials secured, threat actors will now move laterally inside your network. They will monitor communications with your suppliers and customers, set their sights on the most lucrative targets, and potentially compromise more legitimate accounts along the supply chain with credential phishing or malware.
Once satisfied that their lure is likely to appear convincing, threat actors move to the final stage of the attack chain – show me the money.
Posing as a trusted supplier, they will now submit fraudulent invoices or amend the account payment details of legitimate invoices in order to divert funds into their own account.
If an organization fails to implement adequate processes and controls, this stage of the attack is surprisingly simple, relying on legitimacy, urgency and social engineering rather than technology.
To effectively break the attack chain and stop supply chain attacks, we must place controls and defenses along every stage, from initial compromise to delivery.
This starts at the initial compromise (pre-takeover) stage of the attack chain with basic measures: strong passwords, multi-factor authentication and superior email security controls to block targeted attacks. Security training is crucial here, too.
Your people need to know how to spot a phishing lure or malicious payload and how to respond when they do. Additionally, organizations need comprehensive visibility into supplier accounts: who is compromised, how they are being compromised, and who they are talking to.
None of these controls is a silver bullet, of course. But the more pre-delivery detection and prevention you can implement, and the more obstacles you put in the way of a threat actor in the early stages, the more likely you are to thwart an attack.
Further in-depth defense is required during the takeover stage. This means leveraging comprehensive threat intelligence and AI-powered behavioral analytics to spot and highlight suspicious activity. At this stage, it is also important to understand how your account was compromised to halt and remediate the current attack.
Speed is vital here. The longer an adversary can maneuver inside your defenses, the broader the scope of damage they can inflict.
This brings us to the post-takeover stage of the attack chain. Again, there is no single solution for remediation. Instead, we must deploy numerous tactics to expel a threat actor from our network. This includes everything from post-delivery threat analysis and automated malicious email remediation, to changing passwords and revoking sessions, to investigating and restoring any alterations made to mailbox rules.
Ultimately, there is no “silver bullet” solution to stopping attacks originating in the supply chain. Keeping them at bay requires a series of pragmatic, preventative measures, combining simple best practice, advanced detection, prevention and rapid response. The more protections we put in place, the more chances we have to get it right.
Extend the power of Proofpoint Supplier Threat Protection by detecting compromised supplier and other third-party accounts to help defend your supply chain against phishing, malware and business email compromise (BEC).