Let the breach teach | BA, BBC, Boots experience supply chain attack
SecOps Cyber News 06-Jun-2023 12:20:44 Max Harper 6 min read
British Airways, the BBC and Boots have payroll data stolen in a supply-chain attack... Here's the breakdown.
What happened?
British Airways, the BBC and Boots are among the organisations that have had their data compromised after cyber criminals exploited a critical vulnerability in deployments of a document-transfer app called MOVEit. These companies were not hit directly, however; the data was taken via payroll services provider Zellis, which admitted that its MOVEit installation had been exploited and that a "small number of customers" were affected. In a statement posted on its website, Zellis blamed the MOVEit vulnerability for the breach and noted that "all Zellis-owned software is unaffected and there are no incidents or compromises to any other part of our IT estate."
What data was stolen?
It is understood that the following personally identifiable information (PII) has been stolen, which can be particularly valuable to those interested in identity theft:
- Staff ID numbers
- Date of birth
- Home addresses
- National Insurance numbers
How was it stolen?
Cybercriminals had been 'mass exploiting' the SQL-injection vulnerability, which has since been patched. A SQL injection attack consists of the insertion or 'injection' of SQL via the input data sent from the client to the application, so that the input changes the structure of the query rather than being treated purely as data. A successful SQL injection exploit can read sensitive data from the database, modify database data (insert/update/delete), and execute administration operations on the database.
The bug has since been assigned a CVE and is now tracked as CVE-2023-34362. The MOVEit app's developer, Progress, has since released a patch.
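To make the mechanism concrete, here is an added example (not code from the article, MOVEit or Progress) of a file-listing query in a hypothetical file-transfer app, written once with string concatenation and once with a parameterised query. The schema, table contents and function names are assumptions constructed for illustration.

```python
import sqlite3

# Constructed in-memory database standing in for a file-transfer app's
# metadata store (assumed schema, not any real product's).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (name TEXT, owner TEXT)")
    conn.executemany("INSERT INTO files VALUES (?, ?)", [
        ("payroll_june.csv", "alice"),
        ("contracts.pdf", "bob"),
        ("invoice.xlsx", "alice"),
    ])
    return conn

def list_files_vulnerable(conn, owner):
    # Client input is concatenated straight into the SQL text, so a crafted
    # value can alter the WHERE clause and return rows the caller should
    # never see. This is the defect class behind the MOVEit CVE.
    sql = f"SELECT name FROM files WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]

def list_files_hardened(conn, owner):
    # Parameterised query: the driver passes the value separately from the
    # SQL text, so the input is only ever compared as data, never parsed
    # as part of the statement.
    sql = "SELECT name FROM files WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]

if __name__ == "__main__":
    db = make_db()
    # Same legitimate input, same result from both versions.
    print(list_files_vulnerable(db, "alice"))
    print(list_files_hardened(db, "alice"))
```

With an ordinary owner name both functions return the same rows; the difference only appears when the input contains SQL syntax, which the hardened version ignores.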
Who is behind the attack?
Microsoft believes the ransomware group 'Clop' is behind the attack: "The threat actor has used similar vulnerabilities in the past to steal data & extort victims."
For background, Clop is a prolific cyber gang known for operating a ransomware-as-a-service (RaaS) model and for using multilevel extortion methods, including publicly leaking data if ransom demands are not met.
What is a supply chain attack?
In a supply chain attack, rather than infiltrating you directly, attackers exploit the access that trusted third-party suppliers already have to your systems to gain a foothold in your environment. Once they're in, they can conduct all sorts of malicious activity.
On average, small and mid-sized organisations report having at least three suppliers who can connect to their systems (professional services, finance, IT service providers as examples). Supply chain attacks are notoriously difficult to detect, let alone defend against, as they can come from any part of your supply chain.
Types of supply chain attacks
"Kill two birds with one stone"
While supply chain attacks differ in how they are delivered, the principles and end game for attackers are often the same: infiltrate a trusted third-party supplier and abuse that trusted access to implant malware, steal intellectual property or spy on internal communications. Below are a couple of commonly seen attack types:
Phishing Attacks: One of the most common vectors used in supply chain attacks is the phishing email. Attackers target trusted third parties with phishing emails to compromise their network, then use that access as a springboard to infiltrate client systems.
Compromised Software Update: Attackers aim to infiltrate the infrastructure of a software company or distributor and insert malicious code into software update packages. The third party then distributes these updates to its clients, unknowingly infecting them in the process.
Best practice to mitigate supply chain risk
1. Take a proactive approach to cybersecurity, instead of reactive.
We've all heard the shift from 'if' we're going to get hit to 'when', but once an attack becomes obvious it can already be too late: by the time a criminal drops a payload, they may have already stolen the crown jewels and often have had persistent access to your network for days. Assume you are always compromised, and hunt for threats and attacker behaviours before a cybercriminal can achieve their objectives.
2. Monitor for early signs of compromise
Expanding on the proactive approach: insight shared by our partner Sophos' incident response team is that two things usually stand out as early indicators of compromise. One is the use of credentials for remote access and administrative purposes out of hours. The other is the abuse of sysadmin tools to conduct surveillance and steal data from the network.
The use of legitimate accounts and your own tools to gain and retain persistence is often referred to as Living off the Land (LOL). Detecting these behaviours requires vigilance and skill, but there are tools, people and services that can help alert you, or take action on your behalf before the bulk of the damage has been done.
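The first of those indicators is simple enough to check for with a small script. The example below is added here and is not Sophos' or the article's own code; it runs over a constructed sample of authentication events in an assumed key=value log format and flags successful remote or administrative logins that land outside an assumed 08:00-18:00 weekday window.

```python
from datetime import datetime

# Constructed sample events (assumed format, not any vendor's real schema).
SAMPLE_LOG = """\
2023-06-01T09:12:44 user=alice src=10.0.0.15 method=console role=user result=success
2023-06-01T22:47:10 user=svc_payroll src=203.0.113.5 method=vpn role=admin result=success
2023-06-02T14:05:31 user=bob src=10.0.0.22 method=rdp role=user result=success
2023-06-03T03:18:02 user=itadmin src=198.51.100.9 method=rdp role=admin result=success
2023-06-04T11:30:00 user=carol src=10.0.0.31 method=vpn role=user result=failure
"""

BUSINESS_START, BUSINESS_END = 8, 18      # assumed working hours, 08:00-18:00
REMOTE_METHODS = {"vpn", "rdp", "ssh"}    # assumed set of remote-access methods

def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["time"] = datetime.fromisoformat(ts)
    return event

def out_of_hours(t):
    """True on weekends or outside the business window on weekdays."""
    return t.weekday() >= 5 or not (BUSINESS_START <= t.hour < BUSINESS_END)

def find_suspicious_logins(log_text):
    """Return (user, time, method, role) for successful remote or admin
    logins that occur out of hours. Failed logins are ignored here because
    the indicator is use of *working* credentials at odd times."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["result"] != "success":
            continue
        remote_or_admin = ev["method"] in REMOTE_METHODS or ev["role"] == "admin"
        if remote_or_admin and out_of_hours(ev["time"]):
            hits.append((ev["user"], ev["time"].isoformat(), ev["method"], ev["role"]))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_LOG):
        print("out-of-hours privileged/remote login:", hit)
```

In practice the business window and remote-method list would come from your own environment, and the output would feed an alert queue rather than stdout.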
3. Take an audit of your supply chain
Mapping out a list of all of the organisations you're connected to and identifying who has access to what can be a great place to start. Once identified, you can then assess the type of network access they have and what information could be accessed using those credentials. Typically in organisations, you can expect to be connected to:
- IT Service Providers: MSP/MSSP, Cloud Providers
- Professional Services: Finance, Legal, Security, Janitorial
- Suppliers: Materials, Services, Labour, Logistics
4. Assess the security posture of your suppliers and business partners
Whether it's understanding certifications or asking supplier-assurance questions about how they will keep your data or access secure, assessing your suppliers and business partners is good practice to ensure they take cybersecurity as seriously as your organisation does.
5. Continuous review of your own internal IT and Security Operations
With all of this talk about your supply chain, it's important not to neglect your own cybersecurity hygiene! Many organisations still ignore it, either because they didn't know where to start or because they believed they're not important enough to be targeted through the compromise of a trusted partner... but attackers don't discriminate: if you have an internet connection and money, you are a cybercriminal's target.
Here are a few other tips to help get you started:
- Enable MFA - The most common way we see organisations fall victim to supply chain attacks is through the use of stolen, but authorised, access.
- Review supplier access and application privileges
Only give suppliers access to what they need to perform their service; not everybody needs the keys to the kingdom.
- Proactively monitor your suppliers' security bulletins
It will give you a great head start in quickly deploying patches and mitigations as soon as vulnerabilities are discovered.
- Review your cybersecurity insurance (if you have it!)
Check specifically if your coverage protects you against third-party losses and how to engage the policy, if necessary.
Max Harper
As CEO and Co-Founder, Max is dedicated to Spear Shield’s mission of creating one of the most cyber secure client communities across Suffolk, East Anglia, and the UK. By working closely with business leaders and IT Teams, Max’s approach is to understand core business drivers, challenge the conventional approaches to cybersecurity strategies and enable our customers to articulate risk and exceed their cybersecurity needs.