Martin Haller, A blog about corporate IT protection and management

How Hackers Attack Companies Through Their IT Providers

hacker attacks through providers


IT outsourcing companies, information system providers, cloud service providers or external consultants typically have remote and unrestricted access to all of their customers. Each such provider tends to have tens to thousands of customers. If hackers break in, they reach all of those customers at once. Attacking providers is therefore very attractive to them.

Hackers are smart and they have known this for a long time. It is easier for them to hack one provider and thus reach hundreds of its customers than to hack each customer individually. Hacking a provider is usually not a hundred times more difficult than hacking a regular business. Sometimes it is paradoxically easier; as the saying goes, “the blacksmith’s mare walks barefoot”.

Provider attacks are not new (generally known as “intra-supply chain attacks”), but have gained popularity over the past year. This is probably due to the increasing ransomware “business” and the greater experience of “cybercriminals”.

Provider attacks typically end with ransomware being deployed on the customers’ networks. However, compared to a common ransomware attack that hits a single regular business, they have interesting and unpleasant specifics:

Who is involved in supply chain attacks?

Simply put, everyone, as every company has its own IT provider. The most typical example of a company that has access to other companies is an IT service provider, such as our company PATRON-IT. We have almost unrestricted access to over a hundred of our customers. However, there are a number of other suppliers that affect the security of their customers, for example:

If one of them doesn’t take security seriously, it doesn’t matter whether you spend hundreds of thousands or millions on your own security. The question therefore is: “How well do you know your providers?”

How well do you know your suppliers?

IT is not a licensed business. Thus IT work (network management, programming, web hosting, security consulting, penetration testing…) can be done by anyone who can print a business card. 🤔 In IT, as in other industries, it is often true that the blacksmith’s mare walks barefoot. Many companies advise their customers to do X and sell them product Y without using either themselves.

As customers, we should do at least a little work to get to know our suppliers, especially when choosing them. I know that we are all busy today, and we often lack the knowledge to assess a supplier. However, we should do it at least for those to whom we grant unrestricted remote access to our network.

How to recognize that a provider takes its work seriously?

I am occasionally asked how a layman can judge whether an IT contractor is doing their job properly. The following occurred to me:

I think that you, as a customer, are entitled to answers. It is you who entrusts your data to someone else’s care and who will be “vulnerable” to your supplier. We would gladly show our systems, because we are proud of how we do things. Unfortunately, no one has asked us to in almost 9 years. 😢

I know that the list above is not perfect and relates mainly to IT outsourcing companies (or SMEs); after all, it is my field and the one I know. If you come up with another way to assess a provider, I’d be happy if you shared it.

What does a provider attack look like?

First, hackers need to compromise a provider. Either they pick a provider and hack it deliberately, or they break into a random business and only then find out that it has access to other businesses. Usually they recognize this from the installed software, saved passwords or domain names.

They first “sweep” the hacked provider’s network to see what systems it uses and who its customers are. They primarily look for central systems through which they can easily push ransomware to all customers at once. Usually this is the central antivirus console, automation system, monitoring system, patch management, web server, or password/connection manager. Unfortunately, the very systems that make the provider’s work easier also make the hackers’ work easier.

If they cannot find a way to deploy ransomware centrally to all customers, they proceed manually. They connect to customers just as the provider does. The same applies if they find that some of the provider’s customers are targets that deserve more attention.

Either way, the goal is to deploy ransomware to all customer networks and, ultimately, to the provider itself. The aim is to paralyze the customers and push them to pay the ransom. I wrote about how hackers move around a network and what they can do there in the article “What Hackers Can Do in Your Network”.

Specific cases of hacker attacks via providers

I picked some specific cases from 2019 in which hackers attacked companies through their providers, paradoxically through the very ones that were supposed to protect them from ransomware. These are foreign companies.

Attacks through providers in the Czech Republic?

I don’t have a Czech example yet (I think it’s only a matter of time). HAVIT s.r.o., which develops bespoke applications, came close to being the first. They wrote about it on their blog in “Two ransomware visits (cryptovirus) at HAVIT, how we got it and the lessons learned” (only in Czech). The attackers did not take advantage of the fact that they had broken into a provider’s IT network; most likely they simply didn’t notice. Fortunately, the majority of cases will go the same way for now. However, as hackers improve, the “luck” of providers will diminish.

From the past, it is worth mentioning the NotPetya ransomware attack, in which the attackers compromised M.E. Doc and uploaded an infected update of its accounting system. The infection then spread to all of its customers through the accounting system’s automatic updates. Avast had a similar problem with its CCleaner program (see “Avast jako kovářova kobyla: V aplikaci CCleaner od výrobce antiviru byl škodlivý software”, i.e. “Avast as the blacksmith’s mare: the antivirus maker’s CCleaner application contained malicious software”, only in Czech).

Conclusion

We all have one or more service providers with remote access to our data or devices. We should try, at least at the beginning of the relationship, to get to know them and verify that they are doing their job as promised. I know we may not have enough time and space for it. However, such cooperation often lasts for years. What are a few hours or a day spent getting to know your supplier, when their mistake can cost us the whole business?

If you want to read more about ransomware, I’ve already shared a few blog posts:

Let your networks be secure.

Martin

Do you like the topics I write about?

You don’t need to visit my blog periodically to check whether there is a new article. Subscribe below for notifications and you will be the first to know about a new article.
