
Unwanted Gift: Ransomware, Supply Chain Attacks, and How to Prevent Them

Posted by Matthew Delman on October 1, 2021

Now more than ever, supply chains are attracting threat actor attention. As evidenced by attacks like the one which recently targeted the IT services provider Kaseya and over 1,500 of their clients, trusted relationships between service providers and users are ripe for exploitation.

Return to Sender Ransomware

For a malicious actor, hijacking a trusted application at the source means getting a free pass into the heart of your network. With defenses pointed outward, supply chain compromises also give cybercriminals the opportunity to deploy threats like ransomware without raising the alarm. 

Regrettably, because this threat vector is often neglected, supply chain attacks are a global cyber threat with tremendous room to grow. According to the European Agency for Cybersecurity, supply chain attacks, which compromise an entire supplier ecosystem, are expected to increase fourfold in 2021 alone.

Though a 400 percent predicted growth rate is massive, the immense returns cybercriminals receive from pulling off a successful attack, which often gives them a way to infiltrate thousands of prime targets simultaneously, make this prediction less surprising.

Paradoxically, organizations doing more to improve their cybersecurity might also be another reason cybercriminals are focusing on supply chains. Talking to Wired, Nick Weaver, a cybersecurity researcher at Berkeley College, recently outlined this reasoning from a threat actor's point of view: "If your actual targets are hard, this [the supply chain] might be the weakest point to let you get into them."

However, while supply chains as an attack vector are nothing new (the concept has been in existence since the 1980s), and their growth rate is understandable, the combination of supply chain attacks and ransomware is novel and deadly. Understanding the nature of the threat has a real, demonstrable impact on your ability to prevent breaches over the long term.  

Ransomware and Supply Chains, Dangerously Complementary 

Even a cursory glance at the recent Kaseya attack gives security professionals a window into why this unfortunate combination is such a prevalent threat. 

In July 2021, affiliates of the Russian cybercriminal gang REvil gained access to Kaseya, a Florida-based IT services provider, through a zero-day exploit in the company's VSA product. The attackers then leveraged this exploit to move downstream and laterally into the networks of Kaseya's clients. As a result, they deployed ransomware on endpoints belonging to more than 1,500 companies globally — all from a single attack.

The attack generated a ransom demand of over $70 million, which Kaseya has denied paying. However, regardless of whether a ransom payment was made, REvil nevertheless received an immense return on their investment by gaining access to networks belonging to over one thousand organizations, including 100 pre-schools in New Zealand.

This means that, even though no exfiltration of data has been observed to date, the possibility that a cybercrime gang equipped with ransomware capable of exfiltration may have stolen something from over 1,000 victims cannot be ruled out. This opens up hundreds of businesses to the threat of double or even triple extortion down the line.

What this attack demonstrates is the terrifying potential that ransomware combined with a compromised supply chain opens up. With such a diversity of profit opportunities and a scalable way of leveraging vast numbers of network breaches at once, ransomware is proving to be a perfect accompaniment to supply chain attacks for threat actors.

RaaS Gives Threat Actors Breathing Room 

As supply chain attacks soar, ransomware has also never been easier for cybercriminals to access. The Kaseya attack highlights how the distribution of powerful malware through Ransomware as a Service (RaaS) allows cybercriminals to double down on what they do best — finding and exploiting vulnerabilities.

Because cybercriminal gangs like REvil license extremely powerful ransomware to affiliates, the network of malicious "talent" they can draw from expands. Consequently, they can target "big fish" like IT services providers connected to other potential victims.

While this often means hacking a more prominent organization in order to compromise many smaller ones, an upstream supply chain compromise can also give cybercriminals access to tech giants, as happened in a supply chain attack that impacted Apple earlier this year.

When Quanta, an Apple supplier, rejected initial ransom demands, threat actors immediately escalated their attacks by exfiltrating invaluable device schematics belonging to Apple themselves. Thus a supply chain compromise was swiftly able to impact a company that once boasted it had the best cybersecurity in the world.


Preventing Ransomware Isn’t Impossible

Demanding third-party risk testing is vital, but it cannot be relied upon. That Apple, an organization with a forensic approach to supply chain security, fell victim to an attack from one of their largest suppliers demonstrates this. Because supply chain attacks can deliver malware like ransomware directly through trusted applications, doubling down on the standard perimeter-based approach won't give you real protection either. No matter how advanced your detection-based defenses are, by the time they pick up an infection stemming from a supposedly "friendly" application or service, it is already far too late.

This doesn’t mean that preventing ransomware or halting supply chain attacks is impossible. Rather, detection-based tools face several challenges: they often require manual intervention to investigate false positives, they need to observe an attack chain in progress to make an accurate detection, and the machine learning algorithms many leading solutions use are easy to confuse with junk data.

These failings don’t mean that detection-based tools don’t have a role to play. Many of them do very well at detecting and blocking known attacks, as long as the vendors have enough time to update their signature database or machine learning algorithm. The problem is that evasive attacks designed to circumvent these tools proliferate in the cybercriminal landscape, and even the best detection-based tool still has a lag time between when it finds an attack in progress and when it can respond. 

What organizations need is a breach prevention solution, like the one we designed at Morphisec. A prevention-focused tool ideally doesn’t emphasize detecting anything in progress. It focuses on stopping attacks before they deploy or gain persistence in critical infrastructure. One of the biggest issues with ransomware is reaching the domain controller, and threat actors are very good at bypassing detection tools to achieve that goal. 

Prevention-based security solutions like the Morphisec Breach Prevention Platform short-circuit the attack chain proactively to stop threat actors from ever achieving their goal. This automatic blocking thus saves time, allowing teams with limited IT and security resources to secure their systems against the evasive threats that often bypass detection-based tools. It’s with these prevention-centric tools that organizations of all sizes can secure their systems against ransomware and supply chain attacks, and ensure continued business operations.

Want to learn more about the Morphisec Breach Prevention Platform? Click here to book a demo today.
