IT outsourcing companies, information system providers, cloud service providers and external consultants typically have unlimited remote access to all of their customers. Each such provider tends to have tens to thousands of customers. If hackers break in, they reach all of those customers at once. Attacking providers is therefore very worthwhile for them.
Hackers are smart and have known this for a long time. It is easier for them to hack one provider and thereby reach hundreds of its customers than to hack each customer individually. Hacking a provider is usually not a hundred times harder than hacking an ordinary business. Sometimes it is paradoxically easier; as the saying goes, "the blacksmith's mare walks barefoot".
Provider attacks are not new (they are generally known as "supply chain attacks"), but they have gained popularity over the past year. This is probably due to the growing ransomware "business" and the greater experience of the "cybercriminals".
Provider attacks end with ransomware deployed on the customers' networks. Compared with an ordinary ransomware attack on a single business, however, they have some interesting and unpleasant specifics:
- Hackers attack all of the provider's customers simultaneously. The provider therefore does not have the capacity to rescue all customers at once and has to choose which ones to help immediately and which ones have to wait.
- The attackers want to negotiate only with the provider (the company they attacked), not with its customers. If the provider collapses, its customers lose their backups at the same time and will most likely never reach their data again.
- Even if the provider has backups of all its own and its customers' data, recovering everything takes weeks. This causes huge losses to all affected parties (from single-digit to hundreds of millions of crowns). So there is enormous pressure to pay a ransom of "just" a few hundred thousand or a few million, which, of course, feeds the entire ransomware business.😔
Who is involved in supply chain attacks?
Simply put: everyone, because every company has its own IT provider. The most typical example of a company with access to other companies is an IT service provider, such as our company PATRON-IT. We have almost unlimited access to over a hundred of our customers. However, there are a number of other suppliers that affect the security of customers, for example:
- Information system providers that connect to the customer’s server to manage the provided system.
- Internet service providers, through whose networks the data flows and which could allow attackers to intercept data or perform MITM (man-in-the-middle) attacks.
- Program/cloud service developers who distribute automatic desktop/mobile program updates to their customers.
- Accounting companies that connect to customers to manage their accounts.
- Independent consultants who serve multiple customers within a niche (e.g. networks, backups, web).
If one of them does not take security seriously, it does not matter whether you spend hundreds of thousands or millions on your own security. The question is therefore: "How well do you know your providers?"
How well do you know your suppliers?
IT is not a certified profession. IT work (network management, programming, web hosting, security consulting, penetration testing…) can thus be done by anyone who can have a business card printed. 🤔 In IT, as in other industries, it is often true that the blacksmith's mare walks barefoot. Many companies advise their customers to do X and sell them product Y without using either themselves.
As customers, we should do at least a little work to get to know our suppliers, especially when choosing them. I know that we are all busy these days. We often lack the knowledge to assess a supplier. However, at least for those to whom we grant unlimited remote access to our network, this should be done.
How to recognize that a provider does its job properly?
I am occasionally asked how a layman can judge whether an IT contractor is doing his job properly. The following occurred to me:
- Ask how they manage passwords (their access to customers). Or better yet, let them show it to you (after all, they can say anything!). If they cannot show you a tool that keeps track of and shares passwords, that is suspicious. We have over 4,000 passwords; we would not be able to manage them without a tool.😊
- Find out whether your backups will survive a ransomware/hacker attack and how long it will take to recover your server/service. You will most likely not get a single time estimate, since it depends on what gets infected and how. However, ask them to calculate recovery times for the most common scenarios (e.g. one encrypted server, multiple encrypted servers, failed hardware, failed update). You need to know what you, as managers, can count on in the event of a break-in/security incident. You can have the supplied information signed or written into the management contract. From how they react, you will see how confident they are in their work.😉
- Let them show you around and look closely:
  - no old operating systems (e.g. Windows 7),
  - no desktops full of programs/games (computers that manage customer data should not be used for experimenting/playing),
  - they have antivirus installed on their computers,
  - they have two-factor authentication apps installed on their mobile devices,
  - they have a tidy server room and use the same products they sell to you.
I think that you, as a customer, are entitled to answers. It is you who entrusts your data to someone else's care and will be "vulnerable" to your supplier. We would love to show off our systems, because we are proud of how we do things. Unfortunately, nobody has asked us to in almost 9 years.😢
I know that the list above is not perfect and mainly applies to IT outsourcing companies (MSPs); after all, that is my field and where my knowledge lies. If you come up with another way to do this, I would be happy if you shared it.
What does an attack through a provider look like?
First, the hackers need to compromise a provider. Either they pick one deliberately and hack it, or they break into a random business and only then discover that it has access to other businesses. Usually they recognize this from the installed software, saved passwords or the domain name.
They first "sweep" the hacked provider's network to see what systems it uses and who its customers are. They primarily look for central systems through which they can easily push ransomware out to all customers. Usually these are the central antivirus console, the automation system, the monitoring system, patch management, the web server, or the password/connection manager. Unfortunately, the systems that make work easier for providers make it easier for hackers too.
If they cannot find a way to deploy ransomware centrally to all customers, they proceed manually. They connect to the customers just as the provider does. The same applies if they find that some of the provider's customers are targets that deserve more attention.
Either way, the goal is to deploy ransomware to all customer networks and ultimately to the provider itself. The aim is to paralyze the customers and push them to pay the ransom. I wrote about how hackers move around a network and what they can do in the article "What Hackers Can Do in Your Network".
Specific cases of hacker attacks via providers
I picked a few specific cases from 2019 in which hackers attacked companies precisely through their providers, paradoxically the very ones that were supposed to protect them from ransomware. All of them are foreign companies.
- Everis, one of Spain's largest MSPs, was attacked in November and its data encrypted. The ransom demanded was €750,000. It is speculated that Spain's largest radio network, Cadena SER, was attacked through them as well (see Ransomware Attacks Hit Everis and Spain's Largest Radio Network).
- Last July, another group of hackers exploited a vulnerability in a monitoring system plugin and hit an MSP managing between 1,500 and 2,000 workstations, demanding a ransom of $2,600,000. All the MSP needed to do was update the plugin (the patch for the bug had existed for 18 months). (See Ransomware Attack Via MSP Locks Customers Out of Systems.)
- PM Consultants Inc., a specialist serving dental practices, was attacked in July, and its customers through it. I have used the past tense deliberately, because the company has since "closed up shop" and left its customers to fend for themselves, without their data. (See The New Target That Enables Ransomware Hackers to Paralyze Dozens of Towns and Businesses at Once.)
- Hackers do not shy away from major companies either. In April, reports emerged that the Indian IT services company Wipro, which employs around 170,000 people on 6 continents, had been breached. The company tried to downplay the attack and the total damage is not known. (See How Not to Acknowledge a Data Breach.)
Attacks through providers in the Czech Republic?
I don't have a Czech example yet (I think it is only a matter of time). HAVIT s.r.o., which develops bespoke applications, came close to being the first. They wrote about it on their blog in "Two ransomware visits (cryptovirus) in HAVIT, how we got it and lessons learned from it all" (only in Czech). The attackers did not take advantage of the fact that they had broken into a provider's IT network; most likely they simply did not notice. Fortunately, the majority of cases are still like this. However, as hackers improve, the providers' "luck" will run out.
From the past, it is worth mentioning the NotPetya ransomware attack, in which the attackers compromised M.E.Doc and uploaded an infected update of its accounting system. The infection then spread to all of its customers through the accounting system's automatic updates. Avast had a similar problem with its CCleaner program (see "Avast jako kovářova kobyla: V aplikaci CCleaner od výrobce antiviru byl škodlivý software", i.e. "Avast as the blacksmith's mare: the antivirus maker's CCleaner application contained malware", only in Czech).
Conclusion
We all have one or more service providers with remote access to our data or devices. We should try, at least at the beginning of the relationship, to get to know them and verify that they are doing their job as promised. I know we may not have the time and space for it. However, such cooperation often lasts for years. What are a few hours or a day spent getting to know your supplier, when their mistake can cost you the whole business?
If you want to read more about ransomware, I’ve already shared a few blog posts:
- Hackers deploy ransomware manually. They can scan the entire network, disable antivirus, delete backups and run ransomware from multiple locations simultaneously (see „What Hackers Can Do in Your Network“).
- Even if victims manage to recover their data from backups, hackers blackmail them anyway. They threaten to disclose the stolen data (which they downloaded during the attack) if the victim does not pay, and to publish the fact that the business was breached (see "Hackers Came Up With a New Trick. They Learned to Improve Their Blackmailing With Ransomware").
- We helped our first customers with ransomware in early spring 2017. I wrote two articles about it (mini-stories of what happened, how it happened and how we solved it). Things have moved on since then, but I believe the articles can still be interesting:
  - Ransomware 1: Data Recovery of a Blessing in Disguise
  - Ransomware 2: to Pay the Ransom for Encrypted Data
Let your networks be secure.
Martin