Issue #08 - April 14, 2023
By Tenchi Security

Welcome back to Alice in Supply Chains!

It’s a pleasure to have you here once more – or perhaps for the first time – to check out recent stories and news related to third-party risk management. Given the release of the U.S. National Cybersecurity Strategy and the disclosure of many breaches related to third parties, including a mass-ransomware attack, March didn’t give us much time to look away from our news feeds — and Alice in Supply Chains is here to make sure you don’t miss any relevant stories.

Before that, we want to mention that we at Tenchi Security held our second edition of Tenchi Talks – Between Women on March 15. Under the headline “DPO Connection: Building Bridges,” the event brought women leaders together in São Paulo (Brazil), enabling deep conversations on privacy protection and third-party risk management challenges.

We’d also like to bring your attention to MITRE’s new Risk Model Manager prototype (here’s the story, and here’s the link to the tool, which is currently read-only). MITRE is gathering input, so you may be interested in checking it out and participating.

MITRE managed to get a lot of people on board with their ATT&CK framework, so the baseline used by this new prototype – the System of Trust framework – may also catch on (although other things like MITRE’s Common Malware Enumeration didn’t get as much traction).

Such frameworks are a step in the right direction when it comes to recognizing the importance of assessing third-party risk, but scoring, standardization, and non-continuous assessments come with pitfalls that are difficult to overcome (we’ll talk about this in another context later in this issue). It’s noteworthy that customizability is a major part of their design, so we’ll have to wait and see how flexible it becomes and how often the framework will be employed correctly in practice.

With that out of the way, let’s move on to the stories we selected. Enjoy!

U.S. National Cybersecurity strategy takes aim at cloud computing, software liability, and global geopolitical risk

The Biden administration published the U.S. National Cybersecurity Strategy (PDF here), a 39-page document outlining five “pillars” that should underpin ongoing efforts and new regulations related to cybersecurity. Securing global supply chains is also a “strategic objective.” There’s a lengthy piece on the strategy here, while journalist Brian Krebs wrote a summary with the highlights:

The Biden administration today issued its vision for beefing up the nation’s collective cybersecurity posture, including calls for legislation establishing liability for software products and services that are sold with little regard for security. The White House’s new national cybersecurity strategy also envisions a more active role by cloud providers and the U.S. military in disrupting cybercriminal infrastructure, and it names China as the single biggest cyber threat to U.S. interests.
The strategy says the White House will work with Congress and the private sector to develop legislation that would prevent companies from disavowing responsibility for the security of their software products or services.
Coupled with this stick would be a carrot: An as-yet-undefined “safe harbor framework” that would lay out what these companies could do to demonstrate that they are making cybersecurity a central concern of their design and operations.

While it doesn’t immediately apply to the market at large, this strategy is expected to guide government actions (such as investment and legislative proposals) for the foreseeable future.

Depending on how they’re put into place, some of these objectives may significantly reshape market forces. Holding software developers liable for issues if they don’t comply with a minimum security baseline is the best example, since it’s common practice for license agreements to exempt software vendors from any such liability (here’s an analysis of this specific point, and some coverage by The Register indicating CISA gave away that this was coming a few days before the strategy was published). It is worth mentioning that Dan Geer has been a long-time proponent of this, most notably in his 2014 Black Hat keynote.

Regulation should be coming to cloud providers too (hopefully to better align their incentives with security). The FTC is already seeking comments on security-related business practices of cloud computing providers. Furthermore, some objectives in the strategy could change the way we do security by involving the government in things like digital identity, which remains a major challenge for systems that require authentication, and another issue where Dan Geer has been a leading voice.

The first pillar of the strategy aims to defend critical infrastructure, and the EPA seems to be already acting on it by releasing a memorandum stressing the need for states to assess cybersecurity risk at drinking water systems. Such systems were attacked at least three times in 2021 alone, in Florida, Pennsylvania, and California.

China being named as a threat is also noteworthy. Many industries still rely directly or indirectly (via third parties) on Chinese manufacturing; if the current restrictions on semiconductor manufacturing were to be extended to other business sectors, the consequences would easily reach beyond the digital realm. It is another milestone of geopolitical circumstances encroaching on cybersecurity and business risks.

The U.S. was not the only country to shake up the cybersecurity space in March, however. Ukraine approved audits of critical infrastructure, and the U.K. released its Cybersecurity strategy for health and social care: 2023 to 2030 (supply chain security is referenced several times).

Government bans on suppliers also continue. After Australia banned devices from Hikvision and Dahua in February, South Korea is responding to video leaks by banning CCTVs that have not undergone security verification, and Germany may ban Huawei and ZTE from its 5G network (they’ll join the U.S. and the U.K. if they do). Lastly, the Kremlin told officials to stop using iPhones.

After all that, it’s difficult to argue against the view that every regulator has finally woken up to vendor cybersecurity risk.


GoAnywhere vulnerability leads to Clop ‘mass-ransomware’ attack

Several companies are disclosing attacks or breaches stemming from a vulnerability in GoAnywhere, a data transfer tool. Clop, a ransomware gang believed to be from Russia, claimed to be behind the attacks. TechCrunch has an article with statements from several victims:

The City of Toronto told TechCrunch in a revised statement on March 23: “Today, the City of Toronto has confirmed that unauthorized access to City data did occur through a third-party vendor. The access is limited to files that were unable to be processed through the third party secure file transfer system.”
Canadian financing giant Investissement Québec confirmed to TechCrunch that “some employee personal information” was recently stolen by a ransomware group that claimed to have breached dozens of other companies. […] Hitachi Energy also confirmed this week that some of its employee data had been stolen in a similar incident involving its GoAnywhere system, but saying the incident happened at Fortra.

If we are to believe Clop themselves, who operate a leak site like other ransomware gangs, the attack hit a total of 130 organizations. Other companies have been identified as victims and added to the leak site, among which are Procter & Gamble, AvidXchange, Onex, and the U.K.’s Pension Protection Fund. Healthcare provider Blue Shield of California filed a data breach disclosure explaining one of its suppliers was breached through the flaw.

TechCrunch has reported that Fortra, the software vendor behind GoAnywhere, told their customers their data was safe even when it wasn’t. Reporters Zack Whittaker and Carly Page mentioned the company has been refusing to make comments on what’s unfolding and hasn’t made their CISO available for an interview.

There are several takeaways from these developments. Given the reporting so far, this incident is a textbook example of how problems at a supplier can spread to many of its clients, and even clients of their clients (as was the case with Blue Shield). It should join incidents like the one that happened at SolarWinds in 2020 as a case study for third-party risk.

We also see once again the importance of working together and communicating. Refusing to be interviewed by media outlets is one thing, but telling customers their data is safe when it isn’t is very different. Since the vendor has neither confirmed nor denied many of the allegations being made in the press, and considering their initial disclosure of the vulnerability wasn’t public, it’s not difficult to see how one could conclude that they are not being as transparent as they should be.

A similar but seemingly unrelated incident was disclosed late in March by 3CX, which revealed its Windows and Mac apps were both compromised by an attacker. Their response includes keeping an updated blog post and a forum thread about the incident. The company said the attack may have been state-sponsored (CrowdStrike attributed it to a North Korea-related actor), and the second-stage victims are believed to have been hand-picked. This incident also sounds a lot like the SolarWinds compromise or the Piriform (now Avast) CCleaner compromise, and we are clearly not done covering incidents like these.


AT&T, NBA, law firms: more attacks against third parties

Several other incidents related to third parties were disclosed during March. The most eye-catching one was probably from AT&T, which had to notify millions of customers that their data was stolen:

US mobile phone carrier AT&T is notifying millions of wireless customers that their customer proprietary network information (CPNI) was compromised in a data breach at a third-party vendor.
One of the largest carriers in the US, AT&T has roughly 200 million wireless customers, but only a small percentage of the total has been impacted by the incident.
“Approximately 9 million wireless accounts had their Customer Proprietary Network Information accessed,” AT&T said in an emailed statement.

But AT&T is not alone. NBA also notified fans after a data breach at a third-party vendor.

Much like the incident at 3CX, other disclosed incidents suggest that certain organizations were targeted only so that attackers could reach the data or networks of their clients. eSentire found that six law firms were attacked to be used in watering hole attacks, and Greg Linares posted an interesting thread on Twitter about ransomware attacks against law firms using their clients as leverage to successfully extort the ransom payment.

While we’re on the topic of ransomware, the SEC announced a $3 million settlement with software vendor Blackbaud. The Commission alleged that the company failed to properly disclose the impact of a ransomware attack it had suffered. The LockBit ransomware gang also claimed to have accessed SpaceX data through a contractor.

Fraud prevention company Eye4Fraud had its database stolen. The company confirmed a backup file was accessed, but buried its response in a link titled “statement about recent events.”

Finally, there are a couple more interesting breaches that can have significant consequences for third-party risk management. The first comes from a report by security vendor ESET, which revealed that a Data Loss Prevention (DLP) vendor in East Asia was compromised by the Tick APT group. As DLP solutions by their very design need to be given access to potentially sensitive data at rest and in transit, attackers could gain considerable advantage by compromising such a vendor.

The second is that hardware vendor Acer suffered a breach in which 100GB of data was stolen. The company also suffered a breach in 2021, and although there are no reports that their apps were compromised (something that happened to Asus in 2019), it’s nonetheless something to keep an eye on. We can't do computing without hardware, so it's important to watch for new risks that can develop from incidents like this one.


Google warns of attacks on smartphones and vulnerabilities in Samsung components

Google found and disclosed vulnerabilities in the Samsung Exynos chips used by several smartphone makers, including Google itself. Google researchers say the exploit can work at the baseband level, requiring only the victim’s phone number:

Google’s Project Zero head Tim Willis said the in-house security researchers found and reported 18 zero-day vulnerabilities in Exynos modems produced by Samsung over the past few months, including four top-severity flaws that could compromise affected devices “silently and remotely” over the cellular network.
“Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number,” Willis said.

While the initial reporting suggested that patches weren’t made available even 90 days after Google reported the issues to Samsung, later reports corrected that information, as five of the vulnerabilities were already fixed in March. While another patch in April has fixed a sixth vulnerability, the remaining 12 flaws appear to not have been addressed.

Google also published a blog post detailing three exploit chains used against both Android and iOS smartphones. All of them included at least one exploit that was zero-day at the time the chain was being used to attack users. While the other vulnerabilities were already patched, attackers could rely on the time gap between a patch’s release and its deployment on end-user devices to still attempt a successful attack.

According to Google, the exploits were used to deploy commercial spyware tools. While victims weren’t named, Google did thank the Amnesty Security Lab, from Amnesty International, for helping discover one of the chains. Amnesty International members have been targeted by surveillance tools in the past.

Although incidents like these are an ongoing concern for activists and journalists, it’s not difficult to see how similar vulnerabilities could be used to launch supply chain attacks against commercial organizations as well — especially when it’s being suggested that state-sponsored threat actors are already involved in such actions.


Are risk ratings the answer to supply chain security?

Global Cybersecurity Outlook report, this time focusing on the role of cyber risk ratings in improving cyber resilience:

In response [to cybersecurity risks], policymakers across the globe are looking at how regulation can strengthen an economy’s cyber posture, whether that be the Digital Operational Resilience Act (DORA), recently adopted by the European Parliament, which also makes financial groups accountable for the security of tech vendors they use, or The Network and Information Security Directive (NIS2), which provides legal measures to boost the overall level of cybersecurity in the EU.
In France, policymakers are taking the lead globally by looking to mandate the use of cyber risk ratings. The French Cyberscore Law, enacted on March 3, 2022, creates the obligation for a cybersecurity certification for digital platforms intended for the public. It comes into force on October 1, 2023.

The French Cyberscore Law mentioned above will force certain service providers to display a color-coded security rating obtained from a third-party auditor certified by the government. The article then suggests the French law can work as a model for cyber risk ratings across the European Union, but we think we need some time to reflect on this, and even to wait and see how it plays out in France in practice.

Unlike creditworthiness, which a credit score attempts to capture as the risk that a company or individual won’t make good on their debt, cybersecurity has many dimensions and distinct sets of risks. It’s usually impossible to know what someone is doing right or wrong by looking at a single number representing their entire security posture.

Is this over-simplified metric taking all relevant security practices into account, or are we falling into the Streetlight Effect again, as we often do in our market? What kind of measurement or collection errors are in place? If based on sampling, is this sampling representative and robust to manipulation by the third party being measured? Are we sure we understand that these are posture scores and not risk scores, since asset valuations are typically not involved?

The way we see scores being generated and used today, we feel they can very often be accurately described as a perverse metric.

A simple scoring system may be able to help consumers at large become more informed about security and get people used to thinking about security in their purchasing decisions. For companies looking to create a more robust third-party risk management strategy, however, such scores can do more harm than good – there are too many things that we need to be on the lookout for.

As cybersecurity becomes an integral part of the business, cyber risk is business risk. And the idea that business risks are very complex needs no explanation.

We have a couple more links with guidance and thoughts on third-party risk:

  • The FBI released a PSA about Business Email Compromise attacks impersonating companies to forge acquisitions of goods like construction materials, agricultural supplies, computer hardware, and solar energy products. This is a twist on the normal BEC tactic of obtaining payment; this time, they’re obtaining credit payment terms and keeping the products without money ever changing hands. The victim here is the vendor, not the buyer.
  • The Australian government published a document containing guidance on outsourcing and procurement.
  • The European Central Bank (ECB) published a speech by Fabio Panetta, a member of the Executive Board of the ECB, on building up cyber resilience in the financial sector, in which he talks about supply chain attacks and ransomware, among other things.


Research: more secrets found on GitHub, but software supply chain security is slowly maturing

Before we move into the data mentioned in the headline above, let’s take a look at the Navigating Cyber 2023 report by the Financial Services Information Sharing and Analysis Center. It’s a global study based on intelligence sourced from thousands of firms in 75 countries, so it’s worth your time. You can download it here. Here are some excerpts:

  • Supply chain threats impacted a more digitized business environment. Open banking and APIs, mobile banking apps, and exposure to partner breaches contributed to making financial services organizations vulnerable to hackers via third-parties. In 2022, the most prevalent supply chain attacks reported by members were the hijacking of software updates, fraudulent code signing, and the compromise of open-source code. […]
  • Some supply chain incidents are not easily mitigated. A notable incident occurred in July 2022 when Rogers, a major ISP in Canada, suffered a prolonged outage that caused disruption throughout the financial sector impacting corporate operations (including remote work), online banking services, payments, and ATMs of multiple FS-ISAC members in the region. With telecom providers in particular, it is often not practical or possible to switch providers quickly and easily even when there are contracted backups. In today’s world of remote working, cloud-based services, and internet customer-facing services, telecom outages may be especially destructive. […]
  • Cyber insurance will undergo an identity crisis. Following substantial year-on-year premium increases coupled with more and more exclusions and growing requests to establish minimum security standards and practices (e.g. the engagement of specialist ransom negotiators on retainer), some financial sector firms are beginning to reconsider cyber insurance. In some cases, premiums rise so high that firms are considering ring-fencing capital equivalent to the estimated premiums as an alternative to purchasing insurance coverage altogether. Although unclear in what direction the field of cyber insurance will evolve as it matures, drastic changes seem likely. As cyber regulation increases, regulators may contemplate alternatives to cyber insurance for individual firms to ensure the continued security of the financial sector and other elements of critical infrastructure.

It’s interesting that they suggest alternatives to cyber insurance. The U.S. strategy covered above does have the creation of a “federal cyber insurance backstop” to “support the existing cyber insurance market” as one of its objectives, so this change is already underway.

Here’s a breakdown of other interesting surveys released in March:

  • In New Zealand, Perceptive and Kordia found that “28% of businesses impacted by a cyber-attack in the past 12 months cited that the attack came through a third party, second only to phishing.”
  • GitGuardian’s State of Secrets Sprawl 2023 report says the company found 10 million secrets on GitHub in 2022, a 67% increase from 2021. One out of ten code authors exposed a secret at some point, and 5.5 out of every 1,000 commits exposed one.
  • It’s not all bad news in the software supply chain, though. A survey of 167 professionals conducted by the Eclipse Foundation, the Rust Foundation, OpenSSF, and Chainguard found that, while there’s room for improvement, many supply chain security practices in software development have been widely adopted. We do note that the software supply chain is only a small part of the third-party risk problem. You can check out our October 2022 issue for more commentary on this topic.


This was a long edition, but there was a lot to cover, and we didn’t want to leave anything important out. Still, we do have a couple more bonus links if you want to keep reading (or listening, as the second one is a podcast):


What GoDaddy’s Years-Long Breach Means for Millions of Clients

For years, the domain registrar and Web hosting company GoDaddy has experienced a cyber barrage of extraordinary scale, it has confirmed — affecting both the company and its many individual and enterprise clients.

As described in its 10K filing for 2022, released Feb. 16, the company has been breached once every year since 2020 by the same set of cyberattackers, with the latest occurring just last December. It’s worth also mentioning that the company has been the subject of earlier cyber incursions as well. The consequences to GoDaddy are one thing, but more notably, the breaches have led to data compromises for more than 1 million of the company’s users.


Third-Party Risk vs. Third-Party Trust (podcast)

Businesses grow based on trust, but they have to operate in a world of risk. Even cybersecurity operates this way, but when it comes to third-party analysis, what if we leaned on trust more than trying to calculate risk?
