Issue #18 | February, 2024
Defaults in our clouds
As Alice in Supply Chains finally enters 2024 – since we’re bringing you stories from January this time – we have, once more, a breach caused by cloud service default security (or lack thereof). This time, it just so happened – again – that the victim was Microsoft.
Nation-state hackers are resourceful and persistent, for sure. Even people who don’t need to memorize a dictionary’s worth of technical jargon to survive their first meeting of the week will probably be empathetic when we say that defending our computers against such attackers is difficult.
But what if we were to tell them that Microsoft got hacked because they didn’t activate two-factor authentication, and that (until just this month!) it wasn’t a default? So, yes, the same feature everyone has been using for years to protect their Instagram profiles or video game libraries is too problematic to be a default for our corporate networks. Perhaps this should tell us something about how much work we have ahead of us.
Thankfully, this issue of Alice in Supply Chains is especially packed with guidance, tips, and ideas for improving our third-party risk management practices. Our usual monthly recaps will also make sure you’re aware of the recent cyberattacks and regulations that are coming up on the horizon for third-party risk management.
That said, do take the opportunity to ponder about the defaults in the systems we use and build, and if they could be more secure.
We hope you enjoy the read!
Hackers obtained admin privileges in Microsoft's corporate network after hitting a test account with a password spray attack
Microsoft revealed they were hit by a cyberattack targeting their corporate network. The intruders managed to successfully compromise a “test” account through a password spray attack.
Although password spray attacks aren’t very difficult to perform – they’re a smarter form of brute-force attack in which the same password is tried against many known usernames – the attackers avoided drawing attention by employing residential proxies for their login attempts. This made the activity harder to track and block, since each attempt can be made through a different IP address.
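As an added example (not from the newsletter or from Microsoft’s reporting), the detector below runs over a few constructed sign-in lines and shows why a per-IP failure threshold misses a spray routed through residential proxies, while counting distinct users and distinct source IPs per time window catches it. The log format, field names, thresholds and the window size are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (assumed format: timestamp user ip result).
# Five users each fail once from a different IP within two minutes,
# then one account succeeds; later a real user mistypes twice from one IP.
SAMPLE_LOG = """\
2024-01-12T03:00:05Z user=alice ip=203.0.113.10 result=FAIL
2024-01-12T03:00:21Z user=bob ip=198.51.100.7 result=FAIL
2024-01-12T03:00:44Z user=carol ip=203.0.113.55 result=FAIL
2024-01-12T03:01:02Z user=dave ip=192.0.2.88 result=FAIL
2024-01-12T03:01:30Z user=erin ip=198.51.100.201 result=FAIL
2024-01-12T03:01:58Z user=svc-test ip=192.0.2.140 result=SUCCESS
2024-01-12T09:15:00Z user=frank ip=203.0.113.9 result=FAIL
2024-01-12T09:15:20Z user=frank ip=203.0.113.9 result=FAIL
2024-01-12T09:15:41Z user=frank ip=203.0.113.9 result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) ip=(\S+) result=(\S+)$")

def parse_log(text):
    """Turn log lines into events; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m.group(2), "ip": m.group(3),
                       "ok": m.group(4) == "SUCCESS"})
    return events

def bucket_start(ts, window_minutes):
    """Start of the fixed-size window containing ts."""
    minute = ts.minute - ts.minute % window_minutes
    return ts.replace(minute=minute, second=0, microsecond=0)

def max_failures_per_ip(events):
    """What a per-IP lockout or block rule sees: the busiest single source."""
    counts = defaultdict(int)
    for e in events:
        if not e["ok"]:
            counts[e["ip"]] += 1
    return max(counts.values(), default=0)

def detect_spray(events, window_minutes=10, min_users=5, min_ip_ratio=0.8):
    """Flag windows where many distinct users fail and the failures come
    from (almost) as many distinct IPs: one password, many accounts,
    one proxy exit per attempt."""
    buckets = defaultdict(list)
    for e in events:
        if not e["ok"]:
            buckets[bucket_start(e["ts"], window_minutes)].append(e)
    alerts = []
    for start, fails in sorted(buckets.items()):
        users = {f["user"] for f in fails}
        ips = {f["ip"] for f in fails}
        if len(users) >= min_users and len(ips) / len(users) >= min_ip_ratio:
            alerts.append({"window_start": start.isoformat(),
                           "users": len(users), "ips": len(ips)})
    return alerts

def hits_during_spray(events, alerts, window_minutes=10):
    """Successful sign-ins inside a flagged window: the accounts the spray
    actually got into, which is what needs review and credential reset."""
    starts = {datetime.fromisoformat(a["window_start"]) for a in alerts}
    return sorted({e["user"] for e in events
                   if e["ok"] and bucket_start(e["ts"], window_minutes) in starts})

def spray_windows(text, **kw):
    return detect_spray(parse_log(text), **kw)

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("max failures from one IP:", max_failures_per_ip(ev))  # 2: a per-IP rule sees nothing unusual
    found = detect_spray(ev)
    print("spray windows:", found)
    print("accounts hit:", hits_during_spray(ev, found))
```

The per-IP maximum in the sample is 2 (the legitimate user’s typos), so an IP-based block would never fire on the spray; the window-based rule flags the 03:00 window and surfaces the account that logged in successfully inside it.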
Since the compromised account had administrative privileges, it was used to generate OAuth keys to access email inboxes:
The hackers, part of a group Microsoft tracks as Midnight Blizzard, gained persistent access to the privileged email accounts by abusing the OAuth authorization protocol, which is used industry-wide to allow an array of apps to access resources on a network. After compromising the test tenant, Midnight Blizzard used it to create a malicious app and assign it rights to access every email address on Microsoft’s Office 365 email service.
More specifically, the attackers leveraged application permissions to carry out their operation. We have a detailed post on our blog about how roles and permissions can be manipulated to elevate privileges in Microsoft 365 environments. From what is known, it appears the attackers exploited the AppRoleAssignment.ReadWrite.All permission, which is described under Scenario 1 in our blog post (also check Sieira’s comment on LinkedIn).
Midnight Blizzard is a hacking unit believed to be working on behalf of Russia’s Foreign Intelligence Service (SVR). Microsoft previously used the name NOBELIUM for this group, and it’s been given several other names by different companies, as per MITRE’s ATT&CK page. They’re also said to have been responsible for the SolarWinds hack from 2020 — which means they have a history of attacking IT suppliers to reach their final targets.
Microsoft made a couple of posts about how it dealt with the attack, as well as advice for responders that may have to deal with nation-state attackers. The company claimed the attackers only “exfiltrated some emails and attached documents.” As such, no customer data or production systems were compromised – at least according to the evidence they have so far.
Nevertheless, Microsoft was blasted for not implementing good security practices that would have prevented this (such as MFA), lack of clarity and detail in some of their statements, and for using this incident as “an opportunity to upsell customers on their security products.”
There’s no arguing that Microsoft has found itself in unflattering headlines quite often these last few months. While its competitors in the cloud computing space haven’t been drawing the same kind of negative attention, the jury may still be out on whether that’s just a coincidence or if Microsoft is truly lagging behind when it comes to cybersecurity.
The fact that we lack enough transparency from these providers to say this for certain should in itself make us wonder if this situation can be improved – especially when they are so quick to remind us that we could pay more to have the security features we need to protect our environments.
Millions of customers affected after cyberattacks hit lending firms
Several lending and mortgage firms have suffered cyberattacks or data breaches. After Mr. Cooper and First American in December, Fidelity National and loanDepot have come forward to disclose incidents in January.
The most noteworthy among them seems to be the ransomware attack that forced EquiLend to turn its systems offline. EquiLend operates NGT, a securities exchange trading platform that executes over US$ 2.4 trillion in transactions each month. As a result of the shutdown, some firms had “to adjust by moving to manual processes,” according to the reporting done by CNN:
EquiLend, owned by a consortium of Wall Street firms including BlackRock and Bank of America, is a significant player in the securities-lending industry through its NGT trading platform. Hedge funds and other investors rely on securities lending firms to make short bets against the value of securities.
The impact on financial market players has been “limited,” a spokesperson for FS-ISAC, a global consortium of financial institutions who share cybersecurity intelligence, told CNN in a statement.
The FS-ISAC spokesperson said the hack impacted specific automated securities lending services, causing firms to adjust by moving to manual processes.
Another ransomware incident hit Gallery Systems, a company that provides software solutions for museums. Hundreds of institutions use their platforms, and some museums found themselves unable to display their collections online or had other issues stemming from the outage.
Several healthcare institutions are reporting data leaks connected to Navvis & Company. One notification came from the Hawaii Medical Service Association, while another was made by SSM Health. As we’ve learned with other incidents we’ve covered here, breaches at business partners or suppliers usually spread to many other companies, and customers are usually surprised by where their data was stored. Navvis is facing a proposed class-action lawsuit for negligence in protecting the patients’ data.
In the UK, an outage at a system used by several cities resulted in tax payment and other online services being unavailable. The incident prompted an investigation by the Information Commissioner’s Office (ICO). The Liverpool City Region Combined Authority also released a statement about services being unavailable after a third-party supplier became a victim of a cyberattack. The incidents don’t appear to be related, at least according to the coverage so far.
Ukrainian hackers linked to a group called “Blackjack” obtained construction plans for over 500 Russian military sites, according to GUR, Ukraine’s military intelligence agency. Newsweek reports that Blackjack could have ties to the Security Service of Ukraine (SBU). Ukraine has been accusing Russia of carrying out hacking operations since before the outbreak of the war, so it isn’t surprising that the country has since organized its own group. The GUR also celebrated an attack that “destroyed the entire IT infrastructure” and deleted 60 terabytes of data belonging to IPL Consulting, which they describe as an IT provider of the Russian military and its defense industry.
Meanwhile, a breach at a telecommunications company in Paraguay could have affected more than 300 local companies that rely on their service. The incident is related to a ransomware attack.
The list of incidents involving computer hardware suppliers has grown again – and due to third-party incidents, too. Laptop manufacturer Framework disclosed a data breach at their accounting firm, while hardware wallet maker Trezor alerted customers to two security issues with their third-party providers: one that hit their support ticket system, and another where a phishing email was sent through their newsletter.
There are two other stories we’re covering here that aren’t quite related to third-party incidents. The first is that Norton LifeLock is alerting customers about a credential stuffing attack that has breached some user accounts. Credential stuffing attacks are mostly due to user error – they’re only possible when a password has been reused across multiple services and has leaked from one of them – so Norton LifeLock is doing the right thing by advising their customers about what to do. It’s fair to argue they could have enforced two-factor authentication to prevent this from happening, yet being transparent is still better than staying silent.
Finally, researchers from Volexity have detected attacks using a zero-day to target Ivanti Connect Secure VPN appliances. Although we have yet to see any large organization disclose a data breach resulting from this exploit, we thought it was relevant to bring this to your attention. Since corporate networks are the main target, this vulnerability could lead to cascading incidents similar to those caused by Citrix Bleed or MOVEit Transfer.
Supply chain security regulations: what’s already out there and what may be coming next
We’ve covered many recent developments in the regulatory landscape pertaining to software supply chain and IT services in general. As it may be difficult to keep track of everything, CSO Online has published a helpful roundup of global software supply chain security guidance and regulations. It mentions several rules created in the last two years in the US (such as the FDA requirements for medical devices), the Cyber Resilience Act from the European Union, and others.
The concern is global. Regulations and requirements are evolving around the world as governments look to mitigate risks from software supply chain attacks, and topics such as secure-by-design, secure software development, software liability and self-attestations, and third-party certifications are dominating the dialogue.
Software suppliers will increasingly need to be familiar with the requirements as the landscape evolves. With attackers looking to exploit widely used software suppliers, these requirements are intended to help mitigate the risk to governments and nations around the world from software supply chain attacks.
This is not a static landscape, though, and even more regulations are under discussion. Responding to the recent cyberattacks against hospitals, the Biden administration is looking to introduce new cybersecurity requirements for healthcare providers. These requirements are expected to be tied to funding, drawing criticism from the American Hospital Association.
Law firm Katten Muchin Rosenman LLP published an analysis of a new proposal from the US Commodity Futures Trading Commission (CFTC) that would apply to swap dealers and futures commission merchants. While the proposed “operational resilience framework” (ORF) has several elements, the article notes that the guidance related to risk management of third-party relationships is “prescriptive.” It would mandate that covered entities assess the risk management practices of their third parties, including risk management practices related to subcontractors.
Italy’s data protection authority Garante told OpenAI that ChatGPT breaches data protection rules. Garante already forced OpenAI to address some issues last year after it banned the chatbot. OpenAI has 30 days to prepare a response.
It’s worth mentioning here that ChatGPT suffered a “mysterious” incident which resulted in chats that mentioned unpublished papers and private data. OpenAI blamed the issue on account takeovers, which would mean they were not at fault for any leaks (unlike last time).
The ICO, which is the data protection authority in the United Kingdom, published an article containing its current thinking on the issue of data processing for AI. It appears that regulation for AI will soon be a reality in Europe, even outside the European Union (which is currently discussing the Artificial Intelligence Act).
We hope you still remember the SEC Cybersecurity Rule from last year, as the first disclosures filed to comply with that requirement are now public. Earl Crane from CISOWise put together an overview of the different disclosures that are available. Three companies have filed disclosures relating to their cyber risk management programs. It’s excellent for transparency, and worth a look to get an insight into how companies like Lockheed Martin are already disclosing their processes to the SEC and investors.
There’s a new development on the recent concerns raised by American authorities regarding drones manufactured in China, too – DJI came forward with a rebuttal. While the issue probably won’t be settled by this, it’s clear companies won’t keep quiet when governments accuse them of wrongdoing. The reactions from consumers have the potential to turn geopolitical tensions and global supply chain concerns into domestic political issues.
“Smart vendor security is key to avoiding a data breach in 2024”
Forbes published an opinion piece arguing that smart vendor security is key to avoiding a data breach in 2024. The article ends with a guidance section containing “4 Steps to Smart Vendor Security Management.”
Almost every company out there uses third-party tools and software. Mistaken assumptions about vendor security are rife, namely that vendors have the proper security controls in place and that default settings are secure. As a result, organizations neglect to thoroughly vet their vendors or reconfigure the settings of their tools and software—a common vendor security misstep. Finally, some companies make security exceptions for vendors they want to do business with, ignoring red flags for the sake of convenience.
The Federal Reserve Bank of Atlanta prepared a blog post collecting guidance and data to help credit unions manage third-party risk. The outage at 60 credit unions mentioned by the article was one of our headlines here in Alice in Supply Chains last month, so this is as good a time as any to check the recommended guidance and reports, especially if you work in financial services.
The Department of Health and Human Services in the United States released voluntary performance goals for the sector. It includes a virtual “tour” explaining all their goals and a list referencing the previous guidance published by the government that should help institutions achieve each goal.
ESET’s blog We Live Security also chimed in with a post on assessing and mitigating supply chain cybersecurity risks. It’s not a very long article, but it has links to examples of each of the supply chain issues mentioned.
Bloomberg Law produced a checklist for managing privacy and cybersecurity law risks in vendor contracts. Technical solutions are essential to help companies maintain visibility over their entire ecosystem – third parties included – but contracts and agreements can also provide value and set proper expectations for the partnership. One interesting item from the Bloomberg checklist is the suggestion that the contract can require the vendor to notify the company when they hire a new contractor (i.e., a fourth party).
The European Supervisory Authorities (ESAs) have published the final draft of the document that will set the rules for IT standards under the Digital Operational Resilience Act (DORA). While it’s still a draft and may be changed by the Commission in the review process, it’s probably a good idea to look into it if your organization is among those impacted by the DORA.
Are supply chain attacks a new strategy for cybercriminals?
We have a few more articles for you with thoughts and ideas on third-party risk management in a more generalized sense. These might not be as specific as the previous ones, as they focus on more high-level trends.
The first one here comes from Help Net Security. It points out how cybercriminals embrace smarter strategies to reduce the effort required to compromise their targets. Supply chain attacks are one such strategy:
There’s no question third-party data breaches have made headlines. With increased data collection, storage, and movement, there are plenty of partners down the supply chain that could be targeted. We predict attacks on systems four, five or six degrees from the source as vendors outsource data and technology solutions who outsource to another expert and so on.
Digital transformation is expanding threat surfaces. SaaS platforms and public cloud infrastructures are pushing the perimeter out into the internet itself—putting users at greater risk.
The Armed Forces Communications & Electronics Association International (AFCEA) published a series of articles on supply chain security from a very broad perspective (including physical and cyber risk). “Emerging Technologies To Secure the Supply Chain” discusses current trends and best practices in cybersecurity specifically (such as Zero Trust and the NIST AI Framework). It’s an interesting read for those who are interested in national security issues, the defense industry, or critical infrastructure.
“Learning from 2023’s high-profile cyber events to prepare for 2024” only briefly talks about major cyber incidents from 2023 – and that’s not at all a bad thing, as they’re only there to strengthen the argument that cyber insurers should work to proactively notify policyholders of vulnerabilities. This is certainly interesting – insurers have a direct financial motivation to help policyholders, so it may be the case that cyber insurance will become a driving force for better security practices, especially as incidents become too expensive for businesses to bear on their own.
54% of organizations have insufficient visibility into the vulnerabilities of their supply chain
The World Economic Forum released its “Global Cybersecurity Outlook” report for 2024 (PDF). The report includes a lengthy survey with a lot of interesting data, including the key finding that 54% of organizations have insufficient visibility into the vulnerabilities of their supply chain.
Our CTO Alexandre Sieira already made some comments on LinkedIn:
54% of organizations have insufficient visibility of the vulnerabilities of their supply chains, including 64% of executives who believe their own organizations meet their minimum resilience requirements.
To me this clearly shows just how big of a blind spot TPCRM still is for most companies. After all only companies that don’t outsource any critical functions and don’t give any third parties access to critical data could simultaneously believe that a) they meet their resilience requirements and b) they don’t understand their third parties’ vulnerabilities... and how many of those are out there? I have personally never bumped into any companies this vertically integrated, even in regulated markets.
Meanwhile, the Identity Theft Resource Center (ITRC) recorded more data breaches in 2023 than in any previous year. The annual data breach report (PDF, or here for the download form) notes that the number of data compromises jumped 78% over 2022.
The ITRC report highlighted two concerning trends, both of which have to do with supply chain attacks. First, not only did the number of attacks more than double from 2022 to 2023, but the average number of entities affected by each incident is a staggering 11.4.
The second issue is that data breaches at third parties may potentially be underreported. The ITRC argues that there’s a significant underlying flaw in notification laws: they are not always clear on who bears responsibility when information is stolen from a company that does not expressly own that data – and that’s exactly what happens when third parties are compromised.
Cybersecurity company Armis also published a report in January with the conclusion that cybersecurity attack attempts more than doubled in 2023. It found several vulnerabilities linked to the use of legacy or unpatched systems.
Our last story here doesn’t contain any data, but you may still find it interesting. A study (PDF, 112 pages) commissioned by the Air Force Research Laboratory found that cyber risks are “substantially worse” than other concerns for the supply chain. One interesting take from the report is that “cybersecurity and supply chain risk management are in many instances at odds with each other.” This is because conventional supply chain risk management approaches don’t always consider the cyber risk of onboarding a vendor.
We have two bonus links for you below. See you next month!
SonicWall next-generation firewall (NGFW) series 6 and 7 devices are affected by two unauthenticated denial-of-service vulnerabilities with the potential for remote code execution. […] Using BinaryEdge source data, we scanned SonicWall firewalls with management interfaces exposed to the internet and found that 76% (178,637 of 233,984) are vulnerable to one or both issues.
How I pwned half of America’s fast food chains, simultaneously | How we owned almost all of America’s fast food chains
This is about how a vulnerability in a common service provider could have led to a major data leak. The issue was found by researchers, so there’s no evidence of any actual leak in this case.
If you grab the list of admin users from /orgs/0/users, you can splice a new entry into it giving you full access to their Administrator dashboard. […] We soon realised from this admin dashboard, we could view conversations of candidates, phone numbers, profile pictures and more very powerful stuff from this admin panel, but while looking around on their app I randomly went to their actual user interface where I discovered something very interesting — there was a “ghost” mode where superadmins could access someone else’s account and fully control them.