Supply chain attacks can be prevented with Dark Web intelligence, writes Dr Gareth Owenson, CTO and co-founder of Searchlight Security, a dark web threat intelligence product company.
With most businesses heavily reliant on multiple and varied providers, supply chains are a desirable target for cybercriminals looking to multiply the impact of their attacks. This is a concern for enterprises, with more than 50 percent of them reporting that they worry about supply chain risks. And with good reason, as the 2022 Verizon Data Breach Investigations Report showed that vulnerable supply chains played a role in 62 percent of system intrusion incidents in the last year.
Third party organisation’s infrastructure is, by definition, outside of the enterprise’s visibility and control. This is why supply chain exploits continue to be so pervasive – organisations can make as many governance and compliance demands on their suppliers as they like, but they have to trust their providers to actually implement the right security measures.
Dark web intelligence offers an opportunity to change this status quo, by giving organisations a window into the external threat profile of their suppliers without forcing them to hand over access to their environments. Armed with this information, they can take informed action to protect themselves against attacks through the supply chain.
Identifying attacks against the supply chain
Dark web intelligence can help prevent supply chain attacks by identifying how and when a businesses’ third parties are being targeted so that early prevention plans can be put in place before serious harm is done.
Take, for example, the July 2021 attack against Kaseya’s Virtual Systems Administrator (VSA) software. Attackers exploited a zero-day vulnerability that allowed them to bypass authentication and run arbitrary command execution. As a supplier to managed service providers (MSPs) and – in turn – their customers, it is estimated that more than 1,000 companies had their endpoints encrypted through Kaseya. For many of those companies, these attacks will have come out of the blue. However, dark web intelligence shows plenty of warning signs that Kaseya was an active target for cybercriminals.
Firstly, analysis of dark web forums shows that cybercriminals were discussing Kaseya two years before the attack, in 2019. Those discussions suggested an old vulnerability already existed in a Kaseya plug-in and was being actively exploited to deploy Gandcrab ransomware downstream to customers. Secondly, by 2020, there were specific requests to buy access to IT outsourcing companies, with Kaseya being explicitly named as a route of entry. Finally, later in 2020, 21 account credentials for Kaseya were put up for sale in dark web forums. Visibility into any one of these many dark web posts would have alerted Kaseya’s customers to increased risk from using the software provider, allowing them to protect themselves from the possibility of the company being compromised.
The Ultimate Kronos Group
The ransomware attack against the Ultimate Kronos Group’s private cloud platform in 2021 is another example of how defensive action could have been taken, if the many enterprises using it had known it was being targeted in the dark web. The HR service delivery software and workforce management company handled the sensitive data of approximately eight million employees across multiple enterprises – including some of the biggest brands in the world such as Whole Foods, PepsiCo, Honda and Tesla. This, undoubtedly, made it attractive to cybercriminals.
Once again, records on the dark web show that Kronos a potential target for threat actors as far back as 2017. The threat remained dormant (but visible) until 2020, when intelligence shows that an apparent Kronos software exploit that enabled remote privilege escalation was for sale on a dark web market.
By the end of 2021, a threat actor was actively advertising the exfiltrated Kronos records for sale, a pretty much irrefutable sign that the company had been breached and, therefore, its customers were at risk.
Prevention is key
Of course, hindsight is a wonderful thing, but dark web monitoring is not an activity that needs to be done in retrospect. Organisations know who their suppliers are. Armed with that information alone, they can continuously monitor the dark web for the names of the third parties they use, and their products, to be alerted to any indication that they are being targeted by cybercriminals or that their security has been compromised by a vulnerability in the wild.
This intelligence, combined with their existing supply chain governance and their own security solutions, can help to narrow down the possible paths of attack a cybercriminal could take into their business – helping them to prioritise and prevent the most imminent threats.
