Tag Archive for: supplychain

What the SolarWinds Hack Tells Us About IoT and Supply-Chain Security | 2021-03-15

No matter the industry, cybersecurity breaches seem to be escalating in size and scale. 

The sprawling hacking campaign launched by Russia three months ago — which impacted as many as 18,000 customers of the Texas-based software maker SolarWinds Corp. — is an egregious example of the far reach of a potential supply-chain attack.

The term “supply-chain risk” is a large umbrella that covers many security threats and vulnerabilities. In the SolarWinds case, the threat actors, believed to be working on behalf of a foreign government, trojanized the software updates to a popular tool, SolarWinds Orion. The attack left potential backdoor access points in hundreds of companies and nine federal agencies. And that’s only what we know — we will likely be uncovering the effects of this breach for years to come.

Other supply-chain risks may manifest as security flaws baked into electronic devices. Manufacturers of smartphones, printers, routers, internet-of-things devices and critical infrastructure systems buy components from third parties. These components are shipped with embedded firmware that may have existing security flaws. What’s more, some of that firmware wasn’t written by the manufacturer, but comes from open-source code maintained by volunteers in the I.T. community.

Here’s what the broader supply-chain industry needs to know about cyberattacks.

Veiled Software

There’s a growing movement of purchasers who are demanding comprehensive lists of the software within a device — but for now, it’s rare for manufacturers to provide one. That list, known as a software bill of materials (SBOM), is key to supply-chain security, but it’s important to note that it’s not a cure-all. For example, an SBOM would not have caught the SolarWinds backdoor. What was needed was for a security team member to analyze the final software files themselves, before they were released to customers.

A Back Seat

Software developers and device manufacturers have shifted to rapid development processes. On the software side, this agile development framework pushes numerous and rapid updates, sometimes to add new features, occasionally to fix security flaws. There’s a similar push…

Source…

Russian Hackers Targeted Ukraine Authorities With Supply-Chain Malware Attack

Ukraine is formally pointing fingers at Russian hackers for hacking into one of its government systems and attempting to plant and distribute malicious documents that would install malware on target systems of public authorities.

“The purpose of the attack was the mass contamination of information resources of public authorities, as this system is used for the circulation of documents in most public authorities,” the National Security and Defense Council of Ukraine (NSDC) said in a statement published on Wednesday.

The NSDC’s National Coordination Center for Cybersecurity (NCCC) termed it a supply chain attack aimed at the System of Electronic Interaction of Executive Bodies (SEI EB), which is used to distribute documents to officials.

Calling it a work of threat actors with ties to Russia, the NSDC said the malicious documents came embedded with a macro that, when opened, stealthily downloaded malicious code to control the compromised system remotely.

“The methods and means of carrying out this cyberattack allow it to be connected with one of the hacker spy groups from the Russian Federation,” the agency said.

The NSDC did not name the group, and it’s not immediately clear when the attack took place, how long the breach lasted, or whether any of the infections were successful.

The development comes two days after the NSDC and NCCC warned of massive distributed denial-of-service (DDoS) attacks singling out websites belonging to the security and defense sector, including that of the NSDC.

“It was revealed that addresses belonging to certain Russian traffic networks were the source of these coordinated attacks,” the NSDC said, while stopping short of directly accusing the country.

The NCCC also stated that the “attackers used a new mechanism of cyberattacks” that involved a previously undocumented strain of malware planted on vulnerable Ukrainian government servers, which in the process co-opted the devices into an attacker-controlled botnet.

The infected systems were then used to carry out further DDoS attacks on other Ukrainian sites, the agency said.

Source...



Chinese Supply-Chain Attack on Computer Systems

Bloomberg News has a major story about the Chinese hacking of computer motherboards made by Supermicro, Lenovo, and others. It’s been going on since at least 2008. The US government has known about it for almost as long, and has tried to keep the attack secret:

China’s exploitation of products made by Supermicro, as the U.S. company is known, has been under federal scrutiny for much of the past decade, according to 14 former law enforcement and intelligence officials familiar with the matter. That included an FBI counterintelligence investigation that began around 2012, when agents started monitoring the communications of a small group of Supermicro workers, using warrants obtained under the Foreign Intelligence Surveillance Act, or FISA, according to five of the officials.

There’s lots of detail in the article, and I recommend that you read it through.

This is a follow-on, with a lot more detail, to a story Bloomberg reported in fall 2018. I didn’t believe the story back then, writing:

I don’t think it’s real. Yes, it’s plausible. But first of all, if someone actually surreptitiously put malicious chips onto motherboards en masse, we would have seen a photo of the alleged chip already. And second, there are easier, more effective, and less obvious ways of adding backdoors to networking equipment.

I seem to have been wrong. From the current Bloomberg story:

Mike Quinn, a cybersecurity executive who served in senior roles at Cisco Systems Inc. and Microsoft Corp., said he was briefed about added chips on Supermicro motherboards by officials from the U.S. Air Force. Quinn was working for a company that was a potential bidder for Air Force contracts, and the officials wanted to ensure that any work would not include Supermicro equipment, he said. Bloomberg agreed not to specify when Quinn received the briefing or identify the company he was working for at the time.

“This wasn’t a case of a guy stealing a board and soldering a chip on in his hotel room; it was architected onto the final device,” Quinn said, recalling details provided by Air Force officials. The chip “was blended into the trace on a multilayered board,” he said.

“The attackers knew…

Source…

Supply-Chain Hack Breaches 35 Companies, Including PayPal, Microsoft, Apple

Ethical hacker Alex Birsan developed a way to inject malicious code into open-source developer tools to exploit dependencies in organizations’ internal applications.

Source…