
I Can’t Seem to Get Away from Supply Chain Attacks

Supply chain attacks are attacks on the software (and hardware) components that go into the products you buy, rather than on the products themselves. We keep seeing attacks that compromise that underlying software. Earlier this year it was Ripple20, a set of bugs in the widely embedded Treck TCP/IP stack, which affected millions of IoT devices. Many of those devices will likely never be patched and will be vulnerable forever, in part because the products into which the affected stack was integrated are no longer supported.

This week it is a series of Thales products that were found to have security bugs. The bugs were found by IBM's X-Force security team and disclosed to Thales. While Thales has released patches for them, now begins the long, hard slog of getting the vendors who built the Thales hardware and software into their own products to release patches. The bugs were actually discovered a year ago. Of course no one knows if or when hackers discovered them independently.

The hardware involved is a series of small circuit-board modules that are integrated into many IoT devices to provide their communications functions.

In this case, the modules store sensitive information such as passwords and encryption keys.

One concern is that these modules are used inside medical equipment; if that equipment were hacked, patients could be harmed or killed.

Another potential attack is against connected devices that manage the electric grid, where an attacker could take the grid down, whether by accident or on purpose.

It is even possible that hackers could compromise VPN concentrators, stealing encryption keys, certificates and other confidential information.

Ripple20 and the Thales bugs are just two examples of supply chain problems.

What needs to happen now is for buyers to understand these issues and demand that vendors have a strong supply chain security program. Part of that is creating, and providing buyers with, a software bill of materials (SBOM) that lists the components that went into each product, so that when the next Ripple20 lands a buyer can tell which of their devices contain the affected component and at what version.
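As an added example of what an SBOM buys you (this is not code from the original post or from any vendor named in it), the script below checks a CycloneDX-style SBOM against a list of advisories and reports which components are at an affected version. The SBOM document, component names, versions and advisory identifiers are all constructed placeholders, not real products or vulnerabilities.

```python
"""Added example (not code from the original post or from any vendor named in it).

Checks a software bill of materials (SBOM) against a list of advisories to
answer the question a buyer actually has when something like Ripple20 or the
Thales bugs lands: "is this component in any of my products, and at a version
that is affected?"  The SBOM is a constructed CycloneDX-style document and the
advisories are hypothetical placeholders, not real components or vulnerabilities.
"""
import json
import re

# Constructed SBOM for a hypothetical IoT device firmware, in the CycloneDX JSON shape.
# Component names and versions are placeholders.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.2",
  "components": [
    {"type": "library",  "name": "example-tcpip-stack",        "version": "6.0.1.41"},
    {"type": "firmware", "name": "example-cellular-module-fw",  "version": "2.3.0"},
    {"type": "library",  "name": "zlib",                        "version": "1.2.11"},
    {"type": "firmware", "name": "example-bootloader"}
  ]
}
"""

# Hypothetical advisories: the affected component and the first version that fixes it.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "component": "example-tcpip-stack",       "fixed_in": "6.0.1.66"},
    {"id": "EXAMPLE-ADV-0002", "component": "example-cellular-module-fw", "fixed_in": "2.3.0"},
    {"id": "EXAMPLE-ADV-0003", "component": "example-bootloader",         "fixed_in": "1.1"},
]


def parse_version(version):
    """Split '6.0.1.41' into (6, 0, 1, 41) so versions compare numerically.

    Comparing version strings lexically is a classic mistake: '1.10' < '1.9'
    as strings, but 1.10 is the newer release.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(installed, fixed_in):
    """True when the installed version sorts before the first fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


def find_affected(sbom_json, advisories):
    """Return one finding per (component, advisory) pair that needs attention.

    A component that matches an advisory but carries no version in the SBOM
    cannot be cleared automatically, so it is reported with status 'unknown'
    rather than silently skipped.
    """
    sbom = json.loads(sbom_json)
    by_component = {}
    for adv in advisories:
        by_component.setdefault(adv["component"], []).append(adv)

    findings = []
    for comp in sbom.get("components", []):
        for adv in by_component.get(comp["name"], []):
            installed = comp.get("version")
            if installed is None:
                status = "unknown"
            elif is_affected(installed, adv["fixed_in"]):
                status = "affected"
            else:
                continue  # installed version is at or past the fix
            findings.append({
                "advisory": adv["id"],
                "component": comp["name"],
                "installed": installed,
                "fixed_in": adv["fixed_in"],
                "status": status,
            })
    return findings


if __name__ == "__main__":
    for f in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{f['advisory']}: {f['component']} {f['installed']} "
              f"({f['status']}, fixed in {f['fixed_in']})")
```

Two details matter in practice: versions are compared as numeric tuples rather than strings, and a component that appears in the SBOM without a version is surfaced as "unknown" instead of being treated as clean. Without an SBOM from the vendor there is nothing to feed this check at all, which is the author's point.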

The healthcare industry in particular is concerned that connected medical devices, many of which are old and no longer supported, may be affected. Medical devices also carry the extra challenge of getting FDA approval to patch them.

While this article focuses on medical devices, the problem runs across all industries and all electronic devices.

Until buyers start demanding that sellers fix these problems, it is unlikely to get any better. Credit: Health IT Security

FBI Warns About Software Supply Chain Attacks Going On Now

While I have reported on software supply chain attacks in the past, they have all been one-off and, in some cases, highly targeted attacks.

The FBI has issued a warning about ongoing, large-scale software supply chain attacks. The attackers are using Kwampirs, a Remote Access Trojan (RAT), to gain a foothold on victims' networks.

The FBI says that once the attackers are inside a supplier, they use that access to target the supplier's strategic partners and customers (AKA you).

But since attacking your suppliers is apparently not enough, they are also going after companies in the healthcare, energy and financial sectors directly.

Symantec reported attacks using Kwampirs in 2018 by a group they called Orangeworm.

Symantec also said that Orangeworm had been around since 2015, targeting mostly healthcare, with secondary targets in IT, manufacturing, logistics and agriculture.

Lab52 confirmed Symantec’s finding last year.

The FBI issued this alert now, after all this time, because the malware seems to have evolved and is now being used against industrial control systems, especially in the energy sector. That would likely include electric, natural gas, water and wastewater utilities.

While Kwampirs does not, at the moment, seem to wipe the systems it invades, it shares a lot of code similarities with the Shamoon malware, which did wipe infected systems.

Indicators of compromise are available for organizations that have detection systems that can use them.
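For organizations without a product that ingests IoC feeds, the script below is an added example (not code from the original post, and not the FBI's Kwampirs indicators) of sweeping log lines for the three kinds of indicator most advisories publish: file hashes, domains and IP addresses. The IoC values and the log lines are constructed placeholders (an all-zero hash, a .invalid domain and an RFC 5737 documentation address) so it runs offline.

```python
"""Added example (not code from the original post, and the indicators are not
the FBI's Kwampirs indicators).

Sweeps log lines for indicators of compromise (IoCs) of the three kinds most
advisories publish: file hashes, domains and IP addresses.  The IoC values and
the log lines are constructed placeholders (documentation IP range, .invalid
domain, all-zero hash) so the script runs offline.
"""
import ipaddress
import re

PLACEHOLDER_HASH = "0" * 63 + "1"  # constructed, not a real sample hash

# Constructed IoC set.
IOCS = {
    "sha256": {PLACEHOLDER_HASH},
    "domain": {"c2.example.invalid"},
    "ip": {"203.0.113.7"},  # RFC 5737 documentation range
}

# Constructed log lines in a generic key=value style.
LOG_LINES = [
    f"2020-03-31T10:02:11Z host=ws-17 proc=svchost.exe sha256={PLACEHOLDER_HASH} action=exec",
    "2020-03-31T10:02:12Z host=ws-17 dns query=UPDATE.C2.EXAMPLE.INVALID",
    "2020-03-31T10:02:13Z host=ws-17 conn dst=203.0.113.7:443",
    "2020-03-31T10:05:00Z host=ws-18 conn dst=198.51.100.20:443 dns query=www.example.com",
]

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def extract_indicators(line):
    """Pull candidate hashes, IPs and domains out of one log line, normalised."""
    found = {"sha256": set(), "ip": set(), "domain": set()}
    found["sha256"].update(h.lower() for h in SHA256_RE.findall(line))
    for ip in IPV4_RE.findall(line):
        try:
            ipaddress.ip_address(ip)  # drop things like 999.1.1.1 that only look like IPs
        except ValueError:
            continue
        found["ip"].add(ip)
    found["domain"].update(d.lower() for d in DOMAIN_RE.findall(line))
    return found


def matching_domains(candidate, ioc_domains):
    """A domain IoC also covers its subdomains, but not a mere string suffix:
    update.c2.example.invalid hits c2.example.invalid; notc2.example.invalid does not."""
    return {d for d in ioc_domains if candidate == d or candidate.endswith("." + d)}


def sweep(lines, iocs):
    """Return (line_number, ioc_type, ioc_value) for every IoC seen in the lines."""
    hashes = {h.lower() for h in iocs["sha256"]}
    hits = []
    for number, line in enumerate(lines, start=1):
        found = extract_indicators(line)
        hits.extend((number, "sha256", h) for h in sorted(found["sha256"] & hashes))
        hits.extend((number, "ip", ip) for ip in sorted(found["ip"] & iocs["ip"]))
        for candidate in sorted(found["domain"]):
            hits.extend((number, "domain", d)
                        for d in sorted(matching_domains(candidate, iocs["domain"])))
    return hits


if __name__ == "__main__":
    for number, kind, value in sweep(LOG_LINES, IOCS):
        print(f"line {number}: {kind} IoC {value}")
```

The domain check deliberately matches subdomains (a beacon to update.c2.example.invalid should still light up a c2.example.invalid indicator) while rejecting plain suffix matches, and hashes are compared case-insensitively because feeds and logs disagree on hex case. Replace the constructed sets with the published indicators and point it at real logs to get a first-pass sweep.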

Source: ZDNet