Issue #28 | December, 2024
A wake-up call for systemic risk
When we cover third-party breaches and incidents at vendors, we often include cyberattacks involving critical infrastructure in sectors like telecommunications, energy, and, of course, technology.
The cyberattack that hit telecom providers in the United States – eight of them, according to the reports we have available at the time of writing – illustrates why we do it. According to what has been made public, the attackers hit these companies to target specific people: their clients. Most businesses and consumers are not in a position to negotiate their contracts or liabilities with critical infrastructure providers, so they are third parties to all of us.
In this issue of Alice in Supply Chains, we’re bringing you more coverage of this incident, as well as other breaches and attacks that involve third parties. There’s also a report by the EPA about vulnerabilities in water suppliers in the US and other stories about the government and regulators. At the end, we have sections for surveys and guidance.
When we’re back next month, it’ll be 2025. So, Happy New Year, and we hope you enjoy the last issue of 2024!
U.S. government agencies confirm telecom hack (and other updates)
In our previous issue, we mentioned that The Wall Street Journal broke the story that at least three U.S. telecom companies had been infiltrated by Chinese hackers. This number increased to four after T-Mobile was added to the list, alongside AT&T, Lumen (formerly CenturyLink), and Verizon.
Since then, CISA and the FBI released a joint statement confirming the hacks. More recently, White House officials told the press that the number of targets increased to eight and that the intruders haven’t been fully evicted yet:
US officials believe Chinese hackers breached at least eight US telecommunications providers in their quest to spy on top US political figures as part of a hacking campaign that has affected dozens of countries worldwide, a White House official said Wednesday.
“Right now, we do not believe any have fully removed the Chinese actors from these networks … so there is a risk of ongoing compromises to communications,” Anne Neuberger, deputy national security adviser, told reporters.
The FBI/CISA joint statement notes that the attackers were seeking customer records and communications, which is illustrated by another WSJ story on how the hackers obtained phone audio from both Harris and Trump campaigns. CNN says no more than 150 individuals have been notified by the FBI as targets of this campaign.
T-Mobile’s statement reveals that the bad actors entered through a wireline provider’s network that was connected to T-Mobile’s own. T-Mobile says it responded by severing that connection, believing the provider to be compromised, which implies this could have been a multi-layered third-party breach.
As in other parts of the world, the United States has a law for wiretaps (CALEA), and telecom companies will usually have lawful intercept systems in place to comply with court orders. There has been some discussion regarding the security of such systems, since an intruder who gains control of them can target any user of the service. Still, it would be wise to wait until investigators determine exactly how the hackers managed to compromise call records and court requests.
U.S. Senator Mark Warner described the attack as the “worst telecom hack in our nation’s history, by far.” Meanwhile, Senator Richard Blumenthal criticized tech companies for their reliance on China.
The campaign is being attributed to a collective known as Salt Typhoon. Trend Micro published a detailed technical deep dive on this group, which they call “Earth Estries.” According to the writeup, this threat actor is active in 13 countries, including the United States, India, Brazil, and Taiwan, targeting government entities, telecommunications providers, technology companies, and others.
Before we end this section, we’ll share a few more headlines with follow-ups to stories we already covered. First, the MOVEit Transfer hack is back in the news (again) after Amazon and Delta confirmed that employee details had leaked online due to a third-party vendor.
The MOVEit datasets are surfacing on criminal websites dedicated to leaked information, which could explain why these disclosures happened a year after the incident.
Also, after covering how Microsoft lost security logs last month, we should let you know a similar incident happened at Cloudflare.
Finally, speaking of Microsoft, the company announced another delay to Recall, its new approach to desktop search in Windows that takes automatic screenshots and uses AI to index everything into a database.
We already talked about Recall at length in our June issue, covering how it could very easily become a third-party security issue, so check that out if you’d like. It’s not clear that the updates to Recall have addressed the concerns raised by many, such as how the database will keep data that has already been deleted from the system.
Ransomware incident at Blue Yonder disrupts operations at retailers, including Starbucks
Panasonic-owned Blue Yonder, a provider of supply chain software, was hit by a ransomware attack, causing disruptions at retailers and other companies. The company provides a managed environment in a “private cloud” that was compromised by this incident.
A ransomware attack on Blue Yonder, one of the world’s largest supply chain software providers, is causing ongoing disruption to operations at a number of major U.S. and U.K. stores and retailers.
Arizona-based Blue Yonder, which was acquired by Panasonic in 2021, said in a statement on its website on Friday that it had experienced disruptions to its managed services hosted environment, “which was determined to be the result of a ransomware incident.”
Additional coverage is available from The Register, which has links to even more coverage from CNN, The Wall Street Journal (paywalled), and The Grocer.
CNN also reported that Starbucks was forced to pay baristas manually, as the company relied on Blue Yonder for tracking and managing their schedule. Morrisons, a retailer with over 500 locations in the UK, was also affected. A spokesperson told The Grocer that “the outage has caused the smooth flow of goods to our stores to be impacted.”
Both TechCrunch and Cyberdaily noted that some Blue Yonder customers were unaffected. It was not immediately clear whether this was because they host the software themselves, were in a hosted environment that did not suffer any disruption, or had some other form of redundancy to mitigate the outage; all would be plausible explanations.
We’re highlighting this incident as a tangible example of how third-party incidents can impact many businesses and consumers. While organizations must work closely with their critical third parties to respond to incidents like this, they also need to prepare backup systems and contingencies like manual processes for business continuity and resilience.
As noted by the Risky Business podcast, Blue Yonder had a high security “score” from rating services, and relying on that alone did not work. Our cofounder and CTO Alexandre Sieira posted a LinkedIn video with a few thoughts in the comments.
Businesses rely on third parties because they bring efficiency and innovation at scale to the industries in which they operate, but each organization makes its own decision as to how much any given third party will be trusted and relied upon. Each of those relationships carries its own risk profile, and the organization’s risk management strategy must treat it accordingly. When something happens, it’s better not to be on the list of affected companies, or at least not to be impacted as heavily by the outage.
Better yet, if you’re working together with your third parties, you may help each other with your cybersecurity posture and avoid some incidents entirely.
It’s not yet known whether any data was stolen in the incident, as is typically the case with ransomware; that would have potential privacy implications for employees and customers of Blue Yonder’s corporate clients. The latest reports on the incident suggest the company was on track to full recovery a little more than a week after the attack was identified.
Finastra breached, Ford blames third-party for data leak: security incidents round-up
Finastra, which provides services to several banks, is investigating a data breach that could affect dozens of their clients:
Finastra, which provides software and services to 45 of the world’s top 50 banks, notified customers of the security incident after a cybercriminal began selling more than 400 gigabytes of data purportedly stolen from the company. […]
On November 8, 2024, Finastra notified financial institution customers that on Nov. 7 its security team detected suspicious activity on Finastra’s internally hosted file transfer platform. Finastra also told customers that someone had begun selling large volumes of files allegedly stolen from its systems.
The data was posted by a member of BreachForums, who has since disappeared. Finastra already suffered a ransomware attack in 2020, according to Bloomberg (paywall), but the incidents don’t appear to be linked.
Ford also had to investigate the source of a leak posted to BreachForums, finding that it was obtained from a third party. The company said that the data only contains public information regarding Ford dealers.
Meanwhile, many outlets covered a cyberattack on Microlise. The company’s services are used by UK government contractor Serco to monitor prisoners, so the hack disabled tracking devices and panic alarms on prison vans. Employee data may have been affected as well. Additional reporting is available from SecurityWeek, Silicon, and FT.com.
International Game Technology, a gambling tech vendor, also suffered a breach. It is not known if any of their clients were affected. There also isn’t much information available yet about the attack on AEP, a German pharmaceutical distributor.
Insurance administrator Selman & Company disclosed it is impacted by a data breach at PAS Hosting. In this case, the company confirmed that the attackers compromised sensitive customer information. Interbank, a large financial institution from Peru, also confirmed that the customer data posted to the dark web is at least partially genuine.
Financial services also had some issues in Israel, but not due to a data breach. A distributed denial-of-service (DDoS) attack disrupted the network of payment gateway Hyp. Without a working connection, credit card readers malfunctioned. The company said the service was quickly reestablished.
Customer data also seems to have been stolen from Waive, a service provider that facilitates compliance with the Australian Securities and Investments Commission (ASIC). According to Cyberdaily, the company was hit by RansomHub.
We then move to a couple of government-related targets. The U.S. government might be impacted by a breach at space technology company Maxar, as more than half of their employees have U.S. security clearances, as reported by TechCrunch. In Germany, national statistics agency Destatis also confirmed a data breach.
Finally, we have a few incidents and vulnerabilities that are interesting because they involve tech vendors. Microsoft fixed a vulnerability on its Partner Network website that was already being exploited — probably to attack customers, but we don’t know who — and AI coding platform Replit sent a notification to customers warning them that employees potentially had access to plaintext passwords.
EPA report finds U.S. water systems are exposed to ‘high-risk’ vulnerabilities
A review of the Environmental Protection Agency’s cybersecurity initiatives found that water systems in the United States have cybersecurity vulnerabilities “that an attacker could exploit to degrade functionality, cause loss or denial of service, or facilitate the theft of customer or proprietary information.” From The Record:
The watchdog assessed 1,062 drinking water systems that serve more than 193 million people. Among those, 97 systems had “either critical or high-risk cybersecurity vulnerabilities” as of October 8. Those systems serve 26.6 million people. […]
“Although not rising to a level of critical or high-risk cybersecurity vulnerabilities, an additional 211 drinking water systems, servicing over 82.7 million people, were identified as medium and low [risk] by having externally visible open portals.”
In August, the U.S. Government Accountability Office (GAO) urged the EPA to “conduct a water sector risk assessment, considering physical security and cybersecurity threats.” The review, carried out by the agency’s Inspector General, follows that recommendation. The agency now has to see that the vulnerabilities are addressed, since the effort to create a cybersecurity “task force” for the sector is still ongoing.
The UK is also putting pressure on the management of water suppliers, although not specifically for cybersecurity concerns (yet, perhaps).
This review isn’t the only news we have concerning the United States, though. The Cybersecurity and Infrastructure Security Agency (CISA) confirmed that, sadly but predictably, director Jen Easterly will leave after January 20 along with everyone else that was appointed by the Biden Administration.
NIST updated its guideline for Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, which was first published in May 2022. The changes are outlined in Appendix K and include a new dedicated definition for supply chain risk assessment and a definition for vulnerability reports.
The US Transportation Security Administration proposed a rule that would require the establishment of pipeline and railroad cyber risk management programs. In the U.S. Congress, the Federal Acquisition Security Council (FASC) Improvement Act of 2024 is gaining traction; it would allow the government to restrict the acquisition of products or services considered dangerous, such as those controlled by a “foreign adversary.”
Another bill in the US Senate seeks to strengthen cybersecurity protections in health care. Although the text doesn’t focus on third-party or supply chain security, it seems like the bill (PDF) would allow the Department of Health and Human Services (HHS) to enact such regulations — and TPCRM has been the subject of the HHS’s technical guidelines recently. Statements from the lawmakers are available here.
Microsoft is facing an antitrust probe by the US Federal Trade Commission. While cybersecurity and AI efforts will be in scope, this appears to be another chapter in the battle between Microsoft and other large cloud providers, as the FTC will examine allegations related to vendor lock-in through licensing (which we discussed last month when Microsoft criticized Google for what it called “shadow campaigns”).
Federal prosecutors unsealed criminal charges against five men who are accused of involvement with Scattered Spider, which is probably better remembered as the threat actor behind the MGM casino hack from 2023. Two other men were arrested for their alleged roles in the Snowflake incidents earlier this year (Intel471 recently published a technical deep dive on their tactics).
Now, let’s end this section by quickly going over other government news around the world:
UK: The Financial Conduct Authority (FCA) released third-party guidance based on the CrowdStrike outage (additional analysis from Cyber Magazine).
EU: ENISA is asking for feedback on its technical guidance for the cybersecurity measures of the NIS2 Implementing Act.
Australia: The Australian Parliament approved a package of cybersecurity regulations to bolster cyber resilience, giving the government powers to force companies to improve their security and enable their “whole-of-economy approach to cyber security.”
Research: Cyberattacks have cost UK businesses £44 billion in the last five years
Insurance group Howden published the results of a survey which found that cyberattacks cost UK businesses £44 billion in the last five years.
Businesses with an annual revenue of over £100m were the most targeted group, with 74% of those surveyed having suffered a cyber attack over the past five years. However, threat levels are elevated across all businesses, with half (49%) of SMEs with a revenue of £2m to £50m also experiencing a cyber attack over the same period.
Despite the growing threat posed by cyber attacks, take up of even the most basic cyber security measures remains low, highlighting a critical cybersecurity knowledge gap within UK businesses. At present, 61% of businesses are actively using antivirus software and only 55% are employing network firewalls. Organisations cite a number of obstacles to improving their cyber security, including cost (26%), insufficient knowledge (26%) and lack of internal IT resources (22%).
Howden’s numbers are based on a survey of 905 “senior IT decision makers.” Who gets asked shapes the answers: a Gartner survey found that “improving third-party risk management” is among the top three priorities for legal, compliance, and privacy leaders, but compare those findings with Forrester’s research from May, and the outlook varies a lot depending on who you ask.
Although 2024 is almost over, CISA recently published a list of the Top Routinely Exploited Vulnerabilities of 2023 (PDF), finding that zero-days in security and network products were among the most exploited vulnerabilities. The late publication date may be warranted, as the data is based on numbers from five countries (USA, Australia, Canada, New Zealand, and the UK). On a related note, Cybersecurity Dive also reports that hackers are exploiting a vulnerability in Palo Alto Networks Expedition.
Another survey by law firm Jones Walker finds that community and mid-size banks in the US need to improve third-party risk management. According to them, the banks do a good enough job with their internal security, but are not as strict as regulations state they should be with third-party vendors. Our blog post on third-party risk management in the financial and banking sector from September explains this in more detail.
The Business Continuity Institute published its Crisis Management Report 2024, revealing that third-party failures are the second most common reason why companies have to engage a crisis management plan (losing only to “extreme weather,” and followed by “cyberattacks”). The report can be downloaded with a free account on their website, and some findings are mentioned in their review of the CrowdStrike incident.
Third-party breaches were one of the major issues listed in an article at The Conversation written by Australian researchers who interviewed 50 cybersecurity professionals. Lastly, a joint report by Deloitte India and the Data Security Council of India (DSCI) found that 89% of hospitals in the country have implemented some form of third-party risk management system.
Guidance: “As supply chains go digital, cybersecurity must be [the] strongest link”
In the wake of the Blue Yonder incident, PYMNTS ran an article stating that “as supply chains go digital, cybersecurity must be [the] strongest link.” It’s essentially a collection of quotes from industry experts on the issue:
The Blue Yonder news was no isolated incident. It comes just barely two weeks after grocery giant Ahold Delhaize said a number of its pharmacies and eCommerce operations were affected by a cybersecurity issue within its U.S. network.
The attack surface for cybercriminals expands dramatically with every new digital touchpoint. Hackers exploit vulnerabilities in IoT sensors, third-party vendors and software integrations to infiltrate networks, as evidenced by recent ransomware attacks that have paralyzed global operations of critical sectors.
GovInfoSecurity has a similar article focused on the financial sector, as third-party vendor threats were a topic of discussion at the Information Security Media Group financial services summit. Meanwhile, Infosecurity Magazine interviewed Megan Poortman, Head of Cyber Security at London Gatwick Airport, to talk about supply chain security.
Supply Chain Digital published a rather lengthy article on improving OT (operational technology) security, and it has a subsection about third-party risk. If one subsection isn’t enough, “How to build an effective third-party risk assessment framework” at TechTarget is fully dedicated to the subject.
TechTarget and Infosecurity Magazine also published articles dedicated to supply chain security in healthcare: “Mitigating risk as healthcare supply chain attacks prevail” was written by TechTarget, while “Protecting the Healthcare Supply Chain Against Russian Ransomware Attacks” was penned by Errol Weiss, Chief Security Officer at Health-ISAC.
There’s even more at Chief Healthcare Executive, where Adam Zoller, global chief information security officer for the Providence health system, says that “third-party risk is really the biggest risk domain pertaining to cybersecurity that we face as a healthcare system.”
That is all we have for this issue of Alice in Supply Chains, aside from two bonus links below. See you again next month!
An Okta login bug bypassed checking passwords on some long usernames
Also see: Okta advisory
The vulnerability is fixed now, but Okta said that for three months it could’ve been used to access accounts with usernames stretching at least 52 characters long.
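Why would a long username disable the password check? Okta’s advisory attributes the bug to a cache key built by hashing userId + username + password with bcrypt, and bcrypt only consumes the first 72 bytes of its input. The following is an added example written for this newsletter, not Okta’s code: it models that failure mode with SHA-256 over an explicit 72-byte prefix (so it runs without the bcrypt package) and places a hardened construction next to it. The 20-character userId is an assumption chosen so that the 52-character threshold from the story falls out of the arithmetic.

```python
"""Model of a truncating-hash cache-key bug (added example, not Okta's code).

bcrypt silently ignores everything past byte 72 of its input. If a password
is appended to the END of a string that already fills those 72 bytes, the
password no longer influences the hash and any password yields the same key.
SHA-256 over an explicit prefix stands in for bcrypt so this runs offline.
"""
import hashlib
import hmac

BCRYPT_INPUT_LIMIT = 72  # bytes bcrypt actually hashes; the rest is dropped

# Constructed sample identifiers. A 20-character userId is an assumption.
USER_ID = "00u" + "a" * 17                    # 20 chars
SHORT_USERNAME = "alice@example.com"           # 17 chars
LONG_USERNAME = "a" * 40 + "@example.com"      # 52 chars


def truncating_hash(data: bytes) -> str:
    """Stand-in for bcrypt: only the first 72 bytes reach the hash."""
    return hashlib.sha256(data[:BCRYPT_INPUT_LIMIT]).hexdigest()


def vulnerable_cache_key(user_id: str, username: str, password: str) -> str:
    """Concatenate, then hash with a truncating function.

    The password is last, so once len(user_id) + len(username) >= 72 it is
    cut off entirely and the key depends on the identifiers alone.
    """
    return truncating_hash((user_id + username + password).encode())


def hardened_cache_key(user_id: str, username: str, password: str) -> str:
    """Two fixes in one construction.

    1. Reduce the password to a fixed-size digest first, and feed that in as
       the HMAC key: HMAC does not truncate, so the password always matters.
    2. Length-prefix the identifiers so that moving characters between
       userId and username cannot produce the same concatenated bytes.
    """
    pw_digest = hashlib.sha256(password.encode()).digest()  # always 32 bytes
    ident = b"%d:%s|%d:%s" % (
        len(user_id), user_id.encode(), len(username), username.encode()
    )
    return hmac.new(pw_digest, ident, hashlib.sha256).hexdigest()


def password_bypassed(key_fn, user_id: str, username: str) -> bool:
    """True if two different passwords collapse to the same cache key."""
    return key_fn(user_id, username, "correct-horse") == \
        key_fn(user_id, username, "wrong-password")


def min_bypass_username_len(user_id: str) -> int:
    """Smallest username length at which the password is fully truncated."""
    return BCRYPT_INPUT_LIMIT - len(user_id.encode())


if __name__ == "__main__":
    print("bypass threshold for this userId:", min_bypass_username_len(USER_ID))
    for name, fn in (("vulnerable", vulnerable_cache_key),
                     ("hardened", hardened_cache_key)):
        print(name, "short username bypassed:",
              password_bypassed(fn, USER_ID, SHORT_USERNAME))
        print(name, "52-char username bypassed:",
              password_bypassed(fn, USER_ID, LONG_USERNAME))
```

The practical check this suggests for any system that feeds user-controlled strings into bcrypt: compute the longest combined input your code can produce, and if it can reach 72 bytes, either pre-hash to a fixed size or reject the input before hashing. Note that a username one character shorter than the threshold still leaves the first password byte inside the window, so the bypass is exactly at the boundary, not gradual.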
We decided to not include this in the breaches section because Nokia has so far denied that a well-known hacker stole information from them, and it appears that the data was sourced from a third party instead. In a way, this would mean that both sides are telling the truth. (Also in The Register)
Nokia is investigating an alleged cyberattack in which threat actors claim to have stolen sensitive internal data. However, the company says that so far there is no evidence that either its data or systems were affected by a breach.
Known threat actor IntelBroker on Tuesday posted what it claimed is Nokia’s online internal data — including SSH keys, source code, and internal credentials — putting it up for sale on the BreachForums cybercrime site for $20,000, according to a published report on HackRead.