How Today’s Supply Chain Attacks Are Changing Enterprise Security

Exploiting Trust

When we think of the word ‘trust’, what comes to mind first? Usually personal relationships: close family, long-term friends or colleagues who are consistently and reliably there for you. We trust them for their authenticity, integrity and honesty; they listen to us, and they are discreet with our information. Yet trust, as most of us have experienced, is fragile and easily damaged. In some relationships it is implicit; in others it is quickly lost.

The same concepts hold when we apply trust to the information security industry and the third-party tools and systems we deploy to help secure our organisations. We place our trust in security systems that have earned it: by proving reliable and consistent, by demonstrating integrity, value and confidentiality, and through a trusted network of recommendations, among many other data points.

That trust helps us manage and mitigate risk, and in turn it lets other businesses place their trust in us. Trust is therefore chained together from business to business, supplier to supplier, vendor to vendor.

However, when we select a security system to help protect ourselves, we also accept hidden trust relationships: ones we are unaware we have agreed to, made on our behalf further up a chain of relationships beyond our immediate control. These chains have weak points, places where a process or tool is not quite as robust as our own, and that is exactly what supply chain attackers of the last ten years have looked to exploit.

Supply chain attacks target the fragile links. A weakness in the chain can be used to bypass the implicit trust you have in your own security systems, processes and organisation, a trust you were, until that point, unaware you had extended.

In this post, we will explore some of the high-profile examples of where these chains have been compromised and look to learn lessons from these incidents, to help identify trust weaknesses and help mitigate potential future problems.

RSA Security – 2011

Back in 2011, RSA, the security division of EMC, was breached and critical secrets for its SecurID product were stolen. With these secrets an attacker could clone the one-time codes generated by a victim's token and so defeat the two-factor authentication system RSA supplied.

At the time the SecurID token was a very popular hardware authenticator (the ‘something you have’ factor) that generated six-digit one-time codes, used by companies to reduce their reliance on static usernames and passwords. The attackers accessed the seed data from which those codes are derived, compromising up to 40 million tokens in the field.

The attackers' ultimate targets were defence contractors such as Lockheed Martin and Northrop Grumman, whose use of SecurID stood in the way of credential-based intrusions; Lockheed Martin later reported an intrusion attempt on its network that made use of the stolen SecurID data.

Organizations had trusted the SecurID system to provide an additional layer of security, and the attackers bypassed that layer by going after the supplier of the tokens directly.

The initial access was a spear-phishing email sent to a small number of RSA employees with an Excel attachment that embedded a zero-day Adobe Flash Player exploit (CVE-2011-0609). Opening the spreadsheet installed a backdoor (the Poison Ivy remote access tool), which the attackers then used to move through the network to the SecurID seed data.

CCleaner – 2017

In September 2017 it emerged that CCleaner, the hugely popular PC cleaning utility, had been trojanised so that users who trusted it as a reputable tool unknowingly installed the attackers' code. The backdoored 32-bit build of CCleaner 5.33 was served from the official download site from mid-August to mid-September 2017 and was devastatingly effective: Avast put the number of machines that installed it at around 2.27 million, with roughly 1.6 million of them checking in to the attackers' command-and-control server.

The attackers had been inside the network of Piriform, CCleaner's developer, since March 2017, before Avast acquired the company that July, and inserted their code into the application at build time. The first stage profiled every infected machine, but the attackers were after a small group of technology and telecoms companies: a second-stage payload was delivered only to machines in those organisations, and some eleven of the targets were successfully compromised by the backdoored CCleaner application. The ShadowPad backdoor, associated with the same operators, was later found on Piriform's own build machines.

NotPetya June 2017

The NotPetya attack of summer 2017 was a ransomware-style attack that encrypted data and in many cases also overwrote the MBR (Master Boot Record) so that infected computers could no longer boot.

Inside a network it spread using the recently leaked Shadow Brokers exploits EternalBlue and EternalRomance, which abused vulnerabilities in the SMBv1 (Server Message Block) protocol on Windows, the same vulnerabilities used in the WannaCry outbreak earlier that year. It also harvested credentials from memory and used legitimate administration tools (PsExec and WMIC) to reach machines that had already been patched, which is why it tore through fully patched environments as well.

The initial delivery again leveraged trust in the supply chain. The attackers compromised the update infrastructure of M.E.Doc, a tax-accounting package used by a large share of businesses operating in Ukraine, and pushed the malware out through its legitimate software-update mechanism. The target was clearly Ukraine, but the worm quickly spread to multinational companies with offices there and onward around the world.

Most telling, the encrypted computers were never meant to be decrypted: the malware gave its operators no practical way to restore victims' data, so the purpose was purely destructive rather than financial. The cost of the attack is widely accepted to have been in the region of $10bn.

ASUS Software Update 2019

In early 2019, computer manufacturing giant ASUSTeK Computer, more commonly known as ASUS, learned from Kaspersky researchers that its Live Update service had been compromised during 2018; the backdoored updater was distributed between roughly June and November of that year. The compromise allowed this supposedly legitimate and trusted software to deliver malware to a very large number of ASUS customers: Kaspersky alone saw it on 57,000 of its own users' machines and estimated the total at over a million.

According to one report, it reached 13,000 computers; 80% belonged to consumers and the remainder to businesses. The second stage, however, was highly targeted: the backdoor carried a hard-coded list of around 600 MAC addresses and only fetched its follow-on payload on machines whose network adapters matched. Malicious versions of ASUS Live Update (normally used to deliver updates to ASUS components and applications) were thus installed broadly but used selectively to deliver the secondary malware.

What was most interesting about this attack was that the compromised versions of ASUS Live Update were legitimately signed with ASUS's own code-signing certificates and hosted on ASUS's own update servers. By obtaining the ability to sign with the vendor's certificate, the attackers bypassed the trust placed in the certificate infrastructure entirely: a signature check, on its own, told customers nothing was wrong.

In 2020, responsibility for the ASUS supply chain attack was attributed to APT41.

SolarWinds December 2020

While there seemed to be a temporary lull in headline supply chain attacks after those mentioned above, the SolarWinds attack put them firmly back on the map in December 2020.

SolarWinds is a widely trusted software vendor with some 300,000 customers, but as the story unfolded it became clear that its Orion network-monitoring software had been severely compromised. The attackers implanted code into SolarWinds' build environment so that a backdoor (named SUNBURST by FireEye) was compiled into a legitimate Orion DLL; the resulting update was signed with SolarWinds' own valid code-signing certificate and distributed to customers through the normal update channel.

After further investigation, SolarWinds reported evidence that the malicious code had been inserted into Orion builds and updates released between March and June 2020, and that up to 18,000 of its customers may have installed an affected version.

The SolarWinds attack was highly sophisticated. The backdoor lay dormant for up to two weeks after installation, checked for security tools and analysis environments before activating, and disguised its command-and-control traffic as Orion's own telemetry. Given the nature of the targets, including US government institutions, and the attackers' level of sophistication, it was rapidly apparent that this was an APT operation; it is now widely attributed to the Russian Foreign Intelligence Service (SVR).

Kaseya July 2021

Fast forward to summer 2021 and the discovery that Kaseya VSA, remote monitoring and management software widely used by Managed Service Providers to monitor and troubleshoot their customers' endpoints, had been turned against those customers. Attackers exploited vulnerabilities in internet-facing, on-premises VSA servers run by MSPs, then used VSA's own agent-management functionality to push a fake ‘hot-fix’ that installed ransomware on the endpoints those servers managed. Kaseya put the impact at around 60 of its direct customers and between 800 and 1,500 downstream businesses. The attackers leveraged two vulnerabilities in VSA, one known since April 2021 (an authentication bypass reported to Kaseya by the Dutch Institute for Vulnerability Disclosure) and the other since July 2015.

What is most interesting about this particular attack is that the motivation appeared to be purely financial: the attackers initially demanded $70M for a universal decryptor covering all of their victims.

The ransomware was the REvil group's. It is also worth noting that the delivery vehicle was the customers' externally facing VSA servers, exploited through known vulnerabilities, rather than a breach of Kaseya's own network or build pipeline.

Supply Chain Attack Commonalities

Analysis of these examples shows that adversaries are typically doing one of three things: abusing a vendor's code-signing capability so that malware carries a legitimate signature, hijacking the update distribution mechanism of an ISV product, or compromising the original source code or build pipeline. In several of the cases above they did more than one of these at once.

The majority of the attackers showed a high level of sophistication, the exception being the recent Kaseya attack, which simply exploited known vulnerabilities in an externally facing service.
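The ASUS and SolarWinds cases above share the lesson a practitioner should take from these commonalities: a valid signature proves only that whoever held the key signed those bytes, not that the vendor meant to release them. The following Go program is an added example, not code from any of the vendors or incidents discussed. It assumes a hypothetical update client with a local trust store that pins which key may sign which product, a revocation list, and an independently obtained list of genuine release hashes; it signs constructed artifacts with freshly generated Ed25519 keys to show which check catches which case.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Update is what the client receives: the artifact, the ID of the key that
// signed it and an Ed25519 signature over the artifact bytes.
type Update struct {
	Product   string
	Artifact  []byte
	KeyID     string
	Signature []byte
}

// TrustStore is the client-side policy; all contents are example data.
type TrustStore struct {
	Keys     map[string]ed25519.PublicKey // key ID -> public key
	Products map[string][]string          // product -> key IDs allowed to sign it
	Revoked  map[string]bool              // key IDs known to be compromised
	Releases map[string]map[string]bool   // product -> SHA-256 of builds the vendor actually released
}

var (
	ErrUnknownKey    = errors.New("signer not in trust store")
	ErrRevokedKey    = errors.New("signer key is revoked")
	ErrWrongProduct  = errors.New("signer not authorised for this product")
	ErrBadSignature  = errors.New("signature does not verify")
	ErrUnlistedBuild = errors.New("build hash not in the vendor's release list")
)

// ArtifactHash identifies a build by the hex SHA-256 of its bytes.
func ArtifactHash(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Verify accepts an update only if every check passes; the order just decides which failure is reported.
func (ts *TrustStore) Verify(u Update) error {
	pub, ok := ts.Keys[u.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	if ts.Revoked[u.KeyID] {
		return ErrRevokedKey
	}
	authorised := false
	for _, id := range ts.Products[u.Product] {
		authorised = authorised || id == u.KeyID
	}
	if !authorised {
		return ErrWrongProduct
	}
	if !ed25519.Verify(pub, u.Artifact, u.Signature) {
		return ErrBadSignature
	}
	// A trojanised build signed with the vendor's own key passes everything
	// above; only an independently obtained release list catches it.
	if !ts.Releases[u.Product][ArtifactHash(u.Artifact)] {
		return ErrUnlistedBuild
	}
	return nil
}

// RunScenarios verifies one constructed update per failure mode, using freshly generated keys.
func RunScenarios() map[string]error {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	partnerPub, partnerPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := []byte("agent 4.2.1 release build (constructed bytes)")
	trojan := []byte("agent 4.2.1 release build + implanted backdoor (constructed)")
	ts := &TrustStore{
		Keys:     map[string]ed25519.PublicKey{"vendor-release": vendorPub, "partner-tools": partnerPub},
		Products: map[string][]string{"agent": {"vendor-release"}, "partner-plugin": {"partner-tools"}},
		Revoked:  map[string]bool{},
		Releases: map[string]map[string]bool{"agent": {ArtifactHash(genuine): true}},
	}
	out := map[string]error{}
	out["genuine"] = ts.Verify(Update{"agent", genuine, "vendor-release", ed25519.Sign(vendorPriv, genuine)})
	out["trojan-vendor-signed"] = ts.Verify(Update{"agent", trojan, "vendor-release", ed25519.Sign(vendorPriv, trojan)}) // the ASUS / SolarWinds situation
	out["attacker-key"] = ts.Verify(Update{"agent", trojan, "attacker-key", ed25519.Sign(attackerPriv, trojan)})         // signer the client has never heard of
	out["wrong-product"] = ts.Verify(Update{"agent", trojan, "partner-tools", ed25519.Sign(partnerPriv, trojan)})       // known key used outside its scope
	out["tampered"] = ts.Verify(Update{"agent", trojan, "vendor-release", ed25519.Sign(vendorPriv, genuine)})           // genuine signature on modified bytes
	ts.Revoked["vendor-release"] = true // the key theft is discovered and the key revoked
	out["revoked"] = ts.Verify(Update{"agent", genuine, "vendor-release", ed25519.Sign(vendorPriv, genuine)})
	return out
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-22s -> %v\n", name, err)
	}
}
```

Note which case fails where: the artifact signed by the vendor's own key passes every cryptographic check and is rejected only by the release list, and revoking the key helps only once the compromise is known. The release list stands in for whatever out-of-band channel you have (a vendor-published hash list, a transparency log, or your own staged testing of updates before broad rollout), and that is the part worth investing in.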

Preventing and Mitigating Supply Chain Attacks

Attackers always take the path of least resistance. Today that often means first compromising one of the target's upstream suppliers and then abusing the trust relationship that supplier has with the true target to obtain their goals.

Naturally, when we think of our technology defences we think of them as facing outwards, towards attackers coming from the outside. Supply chain attacks instead exploit a trusted component already inside our environment: exactly where we are most vulnerable and have the least visibility.

As part of any organization’s risk management program, supply chain attacks must be factored in, so what are the typical processes for compliance, governance and technology areas that could be bolstered to help mitigate these problems?

  1. Develop and implement a vendor risk management program to evaluate, track, and measure third-party risk.
  2. Enforce, through contractual requirements, vendor cybersecurity assessments, including assessment of the vendor's own supply chain risk.
  3. Require ISO 27001 or CMMI certification, and/or alignment with cybersecurity frameworks such as the NIST Cybersecurity Framework or the CIS Controls.
  4. Plan the move to a zero trust architecture (ZTA), in which identities and endpoints are no longer trusted by default but are continuously validated for each access request.
  5. Deploy a modern, platform-agnostic XDR platform capable of detecting and remediating sophisticated attacks across your endpoints, cloud and network infrastructure.
  6. Enforce multi-factor authentication (MFA) to blunt credential theft and password brute-forcing, the most common routes into an account.
  7. Increase your network and endpoint visibility and log retention so that long-running intrusions can be identified. (The backdoored SolarWinds builds were in circulation from March 2020 until the compromise was discovered in December 2020, around nine months.)
  8. Be exceptionally careful about how and where you configure exceptions in your endpoint tools. Overly permissive exclusions for tools you supposedly trust create exactly the detection gaps a supply chain attacker will land in; exclude specific signed binaries or hashes rather than whole directories.
  9. If you are an ISV, follow Secure Development Lifecycle (SDL) best practices, protect your build and code-signing infrastructure as carefully as production, and run vulnerability assessment and patch management programs to address identified issues.
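Item 7 is the one most often under-resourced, so here is an added example (not SentinelOne's or any vendor's code) of the kind of query that only works with long retention. It is a Go program that reads a constructed DNS query log in a hypothetical format, one line per query as `<RFC3339 time> host=<host> q=<queried name>`, and flags a host that starts contacting many distinct subdomains of one domain at long, regular intervals after a quiet period, the pattern of a slow beacon. The thresholds, domain names and log lines are all assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
	"time"
)

type Finding struct {
	Host, Domain           string
	Dormancy, MeanInterval time.Duration // host's earliest record to first contact; mean gap between contacts
	Subdomains             int
}

// parseLine reads the constructed format "<RFC3339 time> host=<host> q=<name>".
func parseLine(line string) (at time.Time, host, name string, ok bool) {
	f := strings.Fields(line)
	if len(f) != 3 || !strings.HasPrefix(f[1], "host=") || !strings.HasPrefix(f[2], "q=") {
		return
	}
	at, err := time.Parse(time.RFC3339, f[0])
	return at, f[1][5:], strings.ToLower(strings.TrimSuffix(f[2][2:], ".")), err == nil
}

// Detect ignores lines older than oldest (standing in for log retention) and flags
// (host, domain) pairs with at least 6 distinct subdomains, a mean gap of an hour or
// more with low jitter (CV < 0.25) and a first contact at least minDormancy after the
// host's earliest retained record.
func Detect(lines []string, oldest time.Time, minDormancy time.Duration) []Finding {
	type pair struct{ host, dom string }
	hostFirst := map[string]time.Time{}
	times := map[pair][]time.Time{}
	subs := map[pair]map[string]bool{}
	for _, l := range lines {
		at, host, name, ok := parseLine(l)
		if !ok || at.Before(oldest) {
			continue
		}
		if t, seen := hostFirst[host]; !seen || at.Before(t) {
			hostFirst[host] = at
		}
		labels := strings.Split(name, ".")
		if len(labels) > 2 { // last two labels stand in for the registrable domain
			labels = labels[len(labels)-2:]
		}
		k := pair{host, strings.Join(labels, ".")}
		times[k] = append(times[k], at)
		if subs[k] == nil {
			subs[k] = map[string]bool{}
		}
		subs[k][name] = true
	}
	var out []Finding
	for k, ts := range times {
		if len(subs[k]) < 6 {
			continue
		}
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		var sum, sq float64
		for i := 1; i < len(ts); i++ {
			d := ts[i].Sub(ts[i-1]).Seconds()
			sum, sq = sum+d, sq+d*d
		}
		mean := sum / float64(len(ts)-1)
		cv := math.Sqrt(math.Max(sq/float64(len(ts)-1)-mean*mean, 0)) / mean
		if dorm := ts[0].Sub(hostFirst[k.host]); mean >= 3600 && cv < 0.25 && dorm >= minDormancy {
			out = append(out, Finding{k.host, k.dom, dorm, time.Duration(mean * float64(time.Second)), len(subs[k])})
		}
	}
	return out
}

// SampleLog is constructed data starting 2020-06-01: 17 days of routine srv01 traffic,
// a chatty CDN burst from srv02, and from day 14 a slow beacon from srv01 to a new domain.
func SampleLog() []string {
	base := time.Date(2020, 6, 1, 0, 0, 0, 0, time.UTC)
	var lines []string
	add := func(t time.Time, host, name string) {
		lines = append(lines, fmt.Sprintf("%s host=%s q=%s", t.Format(time.RFC3339), host, name))
	}
	for d := 0; d < 17; d++ {
		add(base.AddDate(0, 0, d), "srv01", "updates.example")
	}
	for i := 0; i < 20; i++ {
		add(base.AddDate(0, 0, 3).Add(time.Duration(i)*time.Minute), "srv02", fmt.Sprintf("img%d.cdn.example", i))
	}
	for i := 0; i < 12; i++ { // roughly every 6 h with a little jitter, random-looking labels
		t := base.AddDate(0, 0, 14).Add(time.Duration(i)*6*time.Hour + time.Duration(i%3)*10*time.Minute)
		add(t, "srv01", fmt.Sprintf("%x.cdn-telemetry.example", 0x3a7f1c+i*7919))
	}
	return lines
}

func main() {
	for _, f := range Detect(SampleLog(), time.Time{}, 7*24*time.Hour) {
		fmt.Printf("%+v\n", f)
	}
}
```

Running Detect twice makes the retention point: with the whole log available the srv01 beacon is flagged (first contact 14 days after the host's earliest record, twelve distinct labels, a gap of about six hours), while with only the last week of logs the same traffic is not, because the baseline needed to see the dormancy is gone. The chatty srv02 traffic is ignored in both runs since its gaps are far too short, which is what keeps an ordinary CDN from tripping the rule.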

Conclusion

The real challenge with these sophisticated supply chain attacks is that they leverage the implicit trust we place in our third parties and in the tools we use to run our businesses.

The benefit to the attacker is that a successful compromise of a supplier lets them scale to many targets at once, and remain completely undetected for weeks or months, depending on the goal of the attack.

It is essential that organizations review their cybersecurity requirements, gain visibility into supply chain dependencies, and deploy a modern XDR platform that can identify and contain a breach even if it originates deep within the company’s own supply chain.
